Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
Key Takeaways
The video covers web app testing, including XSS, SQL injection, and broken access control, using tools like Burp Suite and a Kali machine to demonstrate vulnerabilities and exploits.
Full Transcript
What up people, what is up everybody, what's up. You woke up at 5:00 a.m. to be present? You're crazy, you're crazy. Shalom, Shalom, Shalom. What is up everybody, how are we doing today? Your name's Lahari, from Africa, it's your first time here, welcome, welcome. 2 a.m., thanks Maurice. Maurice is French, I'm assuming. What's up Emiliano, 8 p.m. here as well. Guys, 8 p.m. here as well. Some of you guys live in the future, like, you know tomorrow's news before we do. How am I doing? I'm doing well, guys. What's up Samuel, say our greetings, get everybody in here. What's up Portugal. Yes, I did have Taco Bell today, I did have Taco Bell, I'm doing some ad placement here, I should probably get that out. But what's up burnt toast, I'm pretty sure if you go back to every stream I do you will hear "what's up burnt toast" in some form or another. What's up Demetrius, what's up deadly, what's up everybody, what's up Austin, what's up drumstick. We start here in about one more minute, one more minute. We've got an eventful night, it's still probably gonna be an hour long, but I think we will learn a little bit of the good stuff. We'll see how this goes. But naughty see, nobody's in the naughty see right now, just you occasionally. Let's flip this real quick, there we go. What's up hell's fury, South Africa represent, Netherlands represent. What's up guys. You managed to get all but one of the second set of challenges? You are a baller, dude. You're Dutch, I tried, I guessed and I guessed wrong, I'm sorry. Audio's popping a bit, let's turn that down just a tad then, shall we. All right guys, we're gonna go ahead and get started. What's up Pakistan. Okay, let's switch to the other screen, shall we.

Welcome to week three of web app pen testing. In this week we are going to be covering... let me take myself off the screen... we're gonna be covering some web app fun. We're gonna quickly talk about announcements, I've got maybe five to ten minutes' worth of announcements, updates, errors, etc., what we're gonna learn just as an overview, and then we are going to do some web fun, we're gonna cover a bunch of fun stuff.

So moving forward, let's talk about announcements. No class on 9/11 or 9/18, sad face, sad face. I have to travel on 9/11, and on 9/18 I have to be prepping for another course that's going live on Saturday, so I will not be available. We will resume on 9/25. Now I may be able to stream an off stream, but the time that goes into this in terms of lesson planning, I probably put anywhere from, I want to say, eight to twelve hours to get a stream ready for a week, so as of right now, you know, it's a lot of work with the time crunch I've got for getting this class completed, especially with traveling the week before. So with that being said, we will resume on 9/25. No stream on 9/11 for sure, maybe a stream on 9/18, maybe we'll do like a hacking stream or a Hack The Box or something along those lines.

In terms of other things on the board, we now have some upcoming sponsorships. One of them, the product will be arriving in about a week, it's very very very exciting. I'm gonna be doing a review for a product, a hacking product, and if it goes well we're going to hopefully get some swag, get some cool tools and do some good giveaways. On top of that there are a couple other sponsorships that are coming up. I put out an announcement for this, there's one that is going to give away five small items, but still five items, and we'll talk about that as we get to it. So I can't name any names yet but we will have some cool sponsors coming through, one of them being very hacking related, the other one more swag or tech, it's not really hacking related, but still. On top of that, there are two talks that I got picked up for this week, one I can officially announce, one I cannot. I will be speaking at BSides Charleston, so if you're in South Carolina I'll be at BSides Charleston. I will also be at Wild West Hackin' Fest. We should find out tomorrow about BSides Charlotte, and we will be announcing the other BSides or wherever that I got into here in maybe a week or less, so for now they've asked to keep it on the hush-hush.

So upcoming sponsorships, talks, covered. We now have some merch, you guys were begging for merch, so I just created a little channel on Teespring, it's tied to the YouTube channel, so if you ever come here and you want to buy a shirt with a pink or a bluish-greenish logo, or a sticker, or some dumb saying on a t-shirt, you're more than welcome, the store is now open. So you know, please, if you want to support the channel this is a good way, and get some swag as well.

So outside of all those announcements, I have made a mistake. Thank you CMOS for pointing this out. So last week I said the Secure flag prevented cross-site scripting, and I lied to you guys, I am a liar, okay. I said it prevented cross-site scripting; it does not prevent cross-site scripting. The Secure flag prevents a cookie from being seen in clear text, meaning that if you're using HTTPS somebody cannot strip that HTTPS out and show it in HTTP clear text. I get these confused big time; why the hell is the Secure flag not called HTTPS-only, because that would make logical sense. So the flag that we're talking about on the cookie is actually the HttpOnly flag. HttpOnly means that the cookie cannot be accessed through client-side script, so we will not be able to steal a cookie client-side; with the HttpOnly flag set, only the server can interact with that. So thank you again CMOS for pointing that out, that was a mistake on my part.

So from here, what are we going to learn tonight? Well, we're going to work with some cross-site scripting, we're going to talk a little bit about sanitization bypassing, so we're going to talk about that, and we're going to talk about stored cross-site scripting for the first time tonight. So we covered DOM-based and reflected last week; tonight we'll talk about stored. We were also going to talk about broken access control, which is OWASP number five on the Top 10 list and one of my favorites. We're gonna start covering SQL injection, just the basics, I'm not gonna overwhelm you; if you've never seen SQL before this is a good, good start.

So tonight are the easy challenges, right; before they were trivial, tonight they're easy. We're gonna cover pretty much all of them, I might leave two or three for you to figure out on your own, I might even give you a nudge or a hint if you need it. One of them we really can't solve without doing other ones, I don't know why they put it in here. Well honestly, this application was built to be prodded and find different security flaws and then go back and find the other ones and get rewards that way, but one of the challenges I don't think we can do in good faith. We could do it, but in good faith we should discover more information before we go into it. So at this point we're gonna go ahead and dive in. I've got more slides, the rest of the slides on cross-site scripting, so let's go ahead and just get started on our app.

So I'm gonna get into my handy-dandy Kali machine and we are going to be working on the Juice Shop. Get to your Juice Shop if you have not already, get to your Juice Shop. From there make sure you're on your scoreboard; if your scoreboard reset, which mine did, yours might reset as well, make sure that you get to your scoreboard, you'll get the points here, whatever, it's no big deal. On top of this, make sure you load your Burp Suite. Today we'll be using Community, I notice some of you would rather me use Community than Pro, and I completely understand and agree, so we'll be doing everything as proof of concept that we can do in Community as well. So I've got my scoreboard loaded up tonight, and if we come down to the easy challenges... let me see if I can tab off of this, okay... if we come down to the easy challenges, again I have arranged these logically. So logically I want to start with cross-site scripting, because the last time we started, or ended, with cross-site scripting, so again we should start here and then we'll move forward. So let's go ahead and start with cross-site scripting, we'll move into broken access control and a little bit of security misconfiguration, and then we'll dive into all the SQL injection fun stuff.

So let's copy this down here, the script alert XSS, this is a very very common one, right. So we're going to copy this and let's go ahead and log in, because it says perform a cross-site scripting attack on a legacy page within the application. Now we provided the exterior, okay, in terms of like forms that we could fill out last week and what we could do, we didn't go into details, right, but just to save a little time and not to poke around too much we're just gonna log in. And your account probably got reset, so I'm gonna go ahead and register; if your account got reset, go ahead and register as well. It's gonna be test@test.com, and what's our security question gonna be? Our mother's maiden name was Bob. So let's register and let's go ahead and log into the application.

Okay, so we are logged into the application. Now from this area let's go ahead and go to our profile, so you click on your little picture here and go to test@test.com. This is an area that we did not explore in the last episode. So here we go, we have username input, email input, we've got a URL we can put here, so we've got some forms that we can put in. One thing that's interesting: let's say we want to give a username of test, and we set the username, we see that the username is actually being stored right here, and it's being stored right here. So maybe if we're lucky we can just paste this in, right, and set the username and see what happens. Well crap, what is it doing here? It is sanitizing our script, right, and what's interesting about this is it took off... it looks like what it's taking off is "script a", so it's taking off "script a" here. Now we could try to get around this, maybe a little bit of bypassing. So for example we could write "script a", and if we know that the "a" is there, what if we write a second "a" and see if that changes anything; maybe we can get it to finally say alert if we set the username here. Okay, so that works, so we added a double "a" and got that to work.

Now can we take that farther at all? I wonder if we could go something like "script" like this and maybe it'll take it out for us. If we do this, we get this in here, but it's still taking out that "script a". So this is where cross-site scripting gets a little fun; you can tell that there are some flaws here, right, it's not taking out the closing of the script, it's not taking out the alert, it's only sanitizing a little bit. So we have the ability here to, you know, try a bunch of different payloads and see what works; we can fuzz this and keep going and see how possibly we can break this and make this work in our favor.

Another thing that should be noted: if you go out to Google there are... if this will work, there are some proxy on it, it's not, okay... there are some things like, if we say "cross-site scripting payloads," there's cheat sheets and stuff out there like this, cross-site scripting payloads, payload techs. If you come here you can look at all the different payloads, look at all these different payloads here. So this is something that maybe you can throw into Burp Intruder and play around with and see. There's other tools like XSSer, I could type it out for you, but XSSer, you could play around with these tools, or you can do it manually. For this lesson we're just gonna play with it manually and see how we can actually get this to work.

So we realized that when we put double in there it works, right. Maybe we can do "script" something like this, but let's see if that works. Nope, still sanitizing it, so it's picking up that the word script is in there even if we're doubling up. So we can double up in some places and make it work. How about we break it? How about we get it to sanitize something and then not sanitize the rest? Let's try using what's called a bitwise; we can use a bitwise AND, or OR, or XOR. Here's an example, we can say something like... if you're following along here let's do it, or let's just say OR here, okay. This is going to get executed, then the rest of it is going to stay the same, and this is gonna stay the same; this will get executed, sanitized, and the rest will go away. And I just screwed that up a little bit, let's try that now, if I could get it correct. So you're gonna want a script, I screwed that up, there you go, something like this, right. We're gonna get the script to execute here and then set the username, and that should pop, that should pop. Now this will work with any of the bitwise operators here, right, so we could say XOR like this and get this to execute, that should work; same thing with the AND, we can use AND as well. It's just pulling this operation out and then pushing the rest through, and this is how you kind of start working through logically if you see sanitization, how can you improve it.

And sometimes what you see a lot of times is these script tags are removed, so when you have these script tags removed, how are you going to work the cross-site scripting? Well, you might be able to come through and do something like an image, like they're doing here, or this is a very very common one: you load an image that doesn't exist, and because that doesn't exist it creates an alert, right, so onerror, here's an alert. So with that we actually have stored cross-site scripting here. If we were to refresh, you can see that the cross-site scripting still exists; even if we go back and we come back into the profile this cross-site scripting is stored, it is stored on the server. So this is no bueno, right, this is not good. So this is what we're talking about when we can attack another user. Now say this was a low-level account and somehow, some way, the username interacts with the admin account in some way, right; if the admin account sees this and gets that cross-site scripting, that's stored cross-site scripting, maybe this steals a cookie, or maybe this does keylogging or injects a BeEF hook or something along those lines that is malicious. This can get really bad when it comes to affecting other users. So let's go ahead and cross that one off the list; so we've completed one challenge, we completed the cross-site scripting tier, okay.

So from here let's talk about a couple other ones really quick. Most of our time tonight is going to be spent on SQL injection, so these two should go by pretty quick. So we're gonna talk about broken access control, and the broken access control here is this basket access tier one. Now we're going to view another user's shopping basket; we should not be able to do that. If we can view somebody else's items, that means we have broken access control, right, we are crossing against the access boundaries and getting access to things we shouldn't. So if we come to the home page and we just add... let's add some apple juice to our cart, and it should say hey, we placed it into the basket. So let's go to the basket and see what's up in here. Okay, we've got apple juice, perfect. So from here we can do some constituent things. Let's inspect element, and we really want to focus on what's in this cart, right, and what's in this cart is likely in this storage here. Now we've got different types of storage; what we're likely interested in is the session storage here. So if we go down into the session storage you can see that we have a bid value. Now our bid value at the moment is 6; if we were to change this bid value to a different number, it's a possibility that we can access somebody else's, right. So we can go into 5 perhaps, and if we go into 5 and refresh the page, let's see if this is apple juice anymore. There's nothing there. Let's try 1, refresh the page on that, okay, there's a new cart. So you can see here we've accessed somebody's cart; we're still under our account, we're still under test@test.com, which is what I set up; however, the issue here is that we can delete these, or we can even go and start checking out, but we can really mess with somebody's cart, we can delete the cart items, we can get malicious, piss them off.

So what bid stands for, this is just a key-value pair, so if you've ever done programming this is key-value, right. So this is your cart and the ID of your cart, so your cart ID, or this user's cart ID, is 1; this user's cart ID, if we switch over, is... buyer ID, exactly, you're probably right on the buyer ID. And yes, this is going to be on VOD, it's always on VOD, guys. So this is the value that we're changing in this key-value pair. So our cart lives at 6, but we're accessing other people's carts in a way that we shouldn't, and this is a very very very basic example of broken access control. Basket ID, is it basket ID? I'm down for any of these, basket ID works as well, guys, call it whatever we want. So okay, from here, pretty easy; if we go to your scoreboard you should have popped this, and now we've got two out of ten. So we'll cover more broken access control in depth as we go; these easier challenges, again, very easy; as we get into the medium they get extensively more difficult and deeper. You see we did nine and ten, we're gonna end up doing nineteen, twenty-one, sixteen, eleven, so if you were to look through your guide we are not even, I mean we're not even a tenth of the way through the guide really. What's up action, thanks for the sub man, I appreciate it.

Okay, so the next one I want to talk about really quick is a security misconfiguration, so this is the deprecated interface. So if we talk about deprecated interface, it says use a deprecated B2B interface that was not properly shut down. Now this one might have been difficult with the hint that was here to solve; this isn't really... I don't know if this is the best description, some of these don't have the best descriptions on what you're looking for, and again I think that you're probably supposed to go through and just kind of prod and see what you can get.

Now where this issue lies is actually in the upload element, right. So if we go into Contact Us and we say hey, we want to complain in here, it allows us to select a file. Now if we go and look at the file supported types, we have the ability to upload a PDF and a zip; if we were to upload anything else we're gonna run into an issue, but maybe it is supporting other types and we just don't see it. So a way we can tell is actually in our debugger here. If we click on the debugger, if you still have your console open, or you're in, you're open and you're on main, make sure you make your main pretty, and what we're gonna do is we're just gonna do a Ctrl+F for find, and we're gonna look for zip files. Let's try dragging this up. So if we search for something like zip and we come through here, right away the first thing that comes through in this JavaScript is the allowed MIME type, and you can see that it says this uploader, okay, and this is the file uploader, we're doing a file upload, and what's happening here is it says hey, we can upload application/pdf, application/zip, three different types of zips, right, but we can also upload XML files. So that can get malicious very very quick, especially if we're talking XXE, which we haven't got to XXE yet. Hey, thanks awk, appreciate that. So we haven't got to XXE, but when we talk XXE, as we will in this course, you can see how XML can become malicious. For now let's just try uploading an XXE or XML file, I'll do one that's kind of semi-malicious; it's not gonna do anything because it's not complete. Thank you pie tutor, appreciate it man. And I have this on copy and paste, but I will actually use this opportunity to paste this, let you guys copy this, and take a quick drink break because my mouth is dried out already. All right, good time for a question as well. So what does XXE mean? XXE is XML External Entities, so what we can do is upload an XML file, and this is a very basic example. I can show you a payload real quick.

Let's go to Google, shall we, and we'll say XXE payloads, take a look at some payloads here, let's click the first one. So you can come through here and see what we can do and how we can use these attacks. There's some in here that will just show you like the /etc/shadow file of a system or /etc/passwd, and they're talking out-of-band, meaning that it can talk back to us, right. So there's a lot of things that we can do here, these are some good ones, you can find a bunch of different payload types, but as of right now we're not focusing too much on XXE; we'll get there as we cross that bridge. But here's one where it's just, you know, file /etc/passwd, and if we're able to, we could pull out the /etc/passwd file, so okay. And if you guys ever want to see a good video or two on XXE, check out STÖK (stok) on YouTube; that dude, his passion is XXE, he's a bug bounty hunter, XXE is his passion, I would trust him more than anybody else, more than myself, on this topic, especially with XXE stuff. So if you want to see some cool things that he's done before in the past, very great channel, we'll check out.

So anyway, so yes, we are logged in here and we can now come through, and somebody's going in and solving the problems ahead of time, that's absolutely fine. So okay, I've got this saved here, we can just save this as an XML file, let's call it test.xml and I'll put it on the desktop, and we can just go browse, home, desktop, oh we got to do all files, and we'll grab this test.xml, and then just say "testing" and submit it. And you can see that "use a deprecated B2B interface that was not properly shut down," we have solved this problem. So what has happened here is they meant to disable XML but they left XML as an application type in for the uploads, and now we bypassed it, right. So we can get malicious with this in the future; as of right now we just want to make sure that we can actually upload this file, and that is it for this.

So from here we're gonna go ahead and get into SQL injection. So let me bring up the handy-dandy PowerPoint and let's talk SQL injection. Okay, so what is SQL injection? SQL injection is an attack in which malicious SQL statements are injected into a SQL database, okay. So SQL injection is easy to avoid but still happens quite often. If we're successful we can do a lot of malicious things: you can read sensitive databases, we can extract that information that we read, we can modify, delete databases, and we can even get a shell out of this, okay. So potentially we can get a reverse shell or any subtype of shell and access the machine as a user. Sometimes what you'll find is that you get a shell on a SQL machine or a database and you might be the SQL user, but that SQL user has admin or domain admin privileges, and it gets really bad really quick. So bad permissions on users like this happens very very often as well, okay.

So let's talk about some common SQL verbs, and we're gonna put this all to use here in just a minute. So SQL statements begin with verbs. The most common one that you're going to ever see is SELECT, okay; SELECT means that we're retrieving data from a table. We can also INSERT data into a table, DELETE data, UPDATE data; we could do the ol' DROP here, right, and do a DROP, which deletes the table; and we've got UNION statements as well, which we'll run into in the future, and that just combines multiple queries, right, more data from multiple queries. So these are very very very common; these aren't all-inclusive by any means, but very common as to what you're going to see. Every language is a little bit different depending on the SQL database that you're in, but these are pretty common across the board. So from here we need to talk about a couple other common terms that we're gonna see. One is WHERE; so WHERE filters records based on a specific condition, and you're gonna see an example of this in a minute. We have AND, OR, NOT; they sound exactly like they are, they are conditional statements, and it filters records based on multiple conditions. Then we have ORDER BY, which sorts in ascending, naturally, or descending order if you specify, okay.

So I have typed up a little table here. We've got five users in this SQL database, okay; we've got user IDs of one through five, got a username, got their full name and their email address, and then their country code. Now this table here, this table is called the users table, that's what I have named it for this demonstration. So let's talk a few statements and talk about what would happen if we were to execute these statements. Now the first statement, this is very common: SELECT * FROM users, okay. Remember SELECT, we're selecting, we're selecting all data when we do a wildcard here, okay; this is a wildcard, as we're gonna see in a minute, this is just a wildcard, asterisk means everything, FROM, and then we're gonna grab it from the users table. So if we ran this statement we're returning every single thing that's in this table. So if we've got SQL injection and we run this statement, we can get all the data out of an entire table, right, just from this one little statement, okay. So now let's talk about more specific things. Let's say we wanted to SELECT user ID and username FROM this users table, okay; we will select user ID, username, all we're gonna grab are these two columns right here, we'll grab all the data that's in here and that's it, okay. Let's add on to these: let's say we want to grab everything FROM users but only WHERE the country is equal to Russia, okay. If we only pull from Russia then we're only pulling out Natasha here, right, because she's the only Russian in this group of five, so if we ran that query we would pull out Natasha. And then the last one: if we're going to SELECT * FROM users WHERE country = US, well if we just do this we'll pull out four, right, AND username = Frank, then we're just gonna pull out anybody with the username of Frank, which hopefully, hopefully the usernames aren't reused, so we'll just pull out Frank Castle here and all of his information. So maybe we can pull everything from users where username equals admin. So yes, yes, I will share my slides.

All right, so from here let's talk special characters really quick. So special characters, these are some important things that you're gonna see. You're gonna see something like this apostrophe, or a single quote, or double quote, right; these are string delimiters, so we'll talk about these in a second, you'll see why they're important. We have these comment delimiters here. We've got wildcards; you just saw a wildcard, and this is also a wildcard, the percentage sign. You saw, if you look back one slide... let's see if I can go back a slide... we're ending our SQL statements with the semicolon, right, so that ends a SQL statement. And then the rest that you're gonna see here, they follow programmatic logic, so if you can think of what an equal sign or plus sign, greater than, less than, etc. do, if you know what these do, and this does functions right here, if you know any programming at all this follows that logic. So that is, I believe, yes, that's it for the little SQL overview, that is where we're at here, okay.

Now one of our objectives, before we log out, is to gain access to the administrator, right, so we are gonna do admin login. Now for this we're going to use SQL injection, so let's talk about how this is gonna work. So if we log out and we go to log back in... and let me pull up, actually this will be fine, this XML doc... let's talk about what we're doing. Let's say I've got an email address here, and I say the email that I'm gonna provide, I'll just say the user's test and the password's test, and we say okay, login. It's not gonna work, right, we have no idea what the administrator is. What's happening here, what's going on though, is... let's see what's going on possibly behind the scenes, right. So what we're doing is we are going to say the input that we just did was test, right, and the SQL that's going on behind that might look something like this: SELECT FROM users WHERE email is equal to test, something like that, right. So we put in test, and in goes test to this situation. Now I'm gonna copy this and paste this. Now what happens if we were to put a single quote at the end here? So if we put a single quote, that puts a single quote here, and now logically this doesn't make sense; the statement is not complete, right, the statement is incomplete. And we could test that by putting a quote here, and you can see the [object Object], we're getting that error, and if we come back and we actually intercept this request in Burp Suite and send this over to Repeater and see the response, you can see we get the SQLite error. And this is one of the issues from last time, right, was to generate an error; this is what we're doing, we're generating an error here. So we've generated this error because this logically doesn't make sense, and this SQL injection, lucky for us, is not blind, we're getting a response back. So actually, look, I wrote this out and this is exactly what's happening; I didn't realize that this is what's going on, but we got the statement pretty spot-on. So the SQL query that it's doing is SELECT FROM users WHERE email is equal to, okay, test, AND password is equal to this, AND deletedAt IS NULL. So we don't know what the rest of this is, but we're grabbing different columns here, right, and doing a statement here.

So okay, well, how can we take this and get malicious with it? Let's copy this one more time, I'm going to show you a very very common way that this is done. So say we have test, and we've got this test here, and our statement's incomplete, right, we've got this. Let's delete this for now, let's say we're back at test. What if we did something like this: we put the single quote, we say OR 1=1, finish that statement out, and then end it with a comment, okay. Now let's take a look at what this looks like. We put into here, okay, we got test, this is now broken, and we say OR 1=1 like that, okay. So now we are finishing out where we started, and so we've got a complete statement here, right, and this is perfect. So what we're doing is we're saying hey, this condition, which is not true, OR this condition, 1=1, which is true; that's a conditional statement, right, false OR true is true. So because this is true, this is going to log us in as the first item in the database, and the first item in the database for us just happens to be the administrator. So we can insert this in; we don't even have to put test in there, you could literally just do that, and you can put in whatever password you want and attempt to log in. I might need to refresh here... oh, I've got the proxy intercept, that is the issue, okay. And now you should be able to log in; you come over here, you see that we are admin@juice-sh.op, okay. So we are the administrator account; you can see I was playing around in here earlier.

So okay, we're the administrator account, and now we have a few other things that we need to do as the administrator. One of those is to find the administration page. We can try typing in admin and seeing if that works, let's refresh, okay. We could try typing in administration and seeing if that works; let me copy this, and you might have to actually new-tab it and then go see if that works, okay. So you see in here that we access the administration page. The other way to really do this... now this is just me saying, hey, from experience I know most admin areas are called admin and/or administration, and that's just experience, right, typically this is how this works. So maybe it's not; the other way would be to inspect the element and go into your debugger, go to your main and go to your pretty main and start searching, I want you to just say admin or administration and look for that, right, and then we look for the page that is titled with... so that's another way to find that, is to search in the pages here in the main JavaScript, exactly.

So somebody asked about why it logged in as the admin: because it's pulling that first account. Let me pull over, let me put up the slides again. So the admin account, sorry, say it was Frank here, right, whatever account was the first in that database, it's typically an admin, not always, but you run into the issue where it's an admin, and the first user ID here, or whatever the first account is, that's who gets logged in, okay.

So we're at the admin page. From the admin page we have a mission that was tasked to us, which was to delete all five-star reviews. We can take care of that real quick: screw the customers, screw their five-star feedback, we're a malicious person, right. So we got rid of all five-star reviews as well. And what else do we have to do here? Ah, last one, it wants us to log in as the admin user. So we know the email address, let's copy this email address, and what it wants is to log in as the admin user but without using SQL injection. So let's log out, let's ponder how we might do this, okay. We can sit here and brute force manually, but why do something that can be done for us by a machine, right. So let's intercept this request, let's go to login, might need to forward, okay. So we've got this; let's right-click now and send this over to Intruder, your Intruder tab should light up, and if we go into Positions it's all green, we don't want all that, so let's go ahead and hit Clear, okay. So from here we have set our email address, which we want to be constant, so we're gonna leave that alone, but the password, we want to brute force on this password here, so let's highlight the password. I typed in admin, it could be whatever you want, and let's just go ahead and hit Add for this. So this is going to set a position here, position one. Now as of right now, and what we've done this entire time, is use the sniper attack; we're gonna continue using the sniper attack, it is a
one off on one payload right so we're sniping we're right on one so we're gonna we're gonna parse through a password list on the constant of an email but a variable here of password so if we go into payloads now we can paste in the list that we find we can go out to sec lists or anything like that what's up black sheep thanks for the raid buddy how's it going man so we can come into here and an intruder and we could paste the list now there are great lists out there if we go to google and we say one of the best lists out there is sec lists now intruder is going to be very slow and I've got my proxy on cuz I'm dumb so intruder is going to be slow on the free edition and what we can do is we could say SEC list and we'll just do github SEC list is a great resource this first link here right click on this and look at all the different lists that are coming through here so discovery fuzzing passwords look at passwords all different kinds of passwords in here top 10 top 100 top 1,000 you can just pull from one of these lists and kind of go from there I did check through a couple of these lists and while the password that we're gonna find is going to be weak it wasn't in some of the easy ones like top 10 top 100 or even top 1000 I don't think was in top 10,000 and because intruder is slow for us on on burp free edition what we're gonna do instead is we're going to do a proof of concept on how you could use it in Pro and I'm just going to type out a few passwords here and then one of them is going to pop we'll see why it pops or how it pops so how we can identify that so we can say from this we can just say admin you can see all my old ones let's do admin admin one admin to admin three oops admin one two three admin one two three four well let's try all these right and all we have to do you can see we only have one payload to set we're using a simple list it's fine hit start attack it's gonna say hey you suck for not having the Pro Edition we're gonna slow you down ok what 
stands out more than anything here there's a few things that we can sort on when we're looking for we're looking for successful brute-force logins one of them is status code we can click status code ok admin 1 2 3 has logged in at a 200 200 means okay right on top of this length is a big one it's not always the status code status code might be a 302 a redirect it could be something completely different right but the length might be different significantly I have seen that happen before I've seen an instance where I was attacking a client and I was getting a redirect back to the home page with valid credentials but the length was different the length was different and it was giving me a session token I wasn't getting a session token with anything else so because it was setting a cookie in the response and the length was different than the rest of them I could tell that I was actually getting a successful login even though it was taking me back to a home page login screen so I knew from there I had valid credentials so if you don't know your status codes probably good to learn those the the common ones the 200 300 400 series and just what those mean even 500s are important as well but here we go we got 200 200 means ok right the length is longer than the rest that's good as well another thing that we could do is say this admin login right and look let's look at the response in the admin login we could see that we had invalid email or password which by the way this is good this is good security practice so you don't want to disclose you don't want to say invalid password or invalid email if you see that on the finding that's enumeration we could tell if a user is invalid or not or a password is invalid or not and that's just bad right so here we're seeing invalid email or password this is the correct way to word these things but you would be surprised and the assessment I had a week ago ice I had invalid email only on there so a user name enumeration is still very 
real so we've got admin one two three coming through but we can also copy this invalid email or password and we can come in we can actually grep on that we can do options down here and I don't know if it lets us grep and free it does so we could paste in a grep exact match we could just take that we can remove all these right here if we wanted to just copy this and paste it in and then the next time we run this it should grep on those when it finds those in the response see here okay see the checkbox that did not come up so you know when you sort by the checkbox that this response here is at least different it doesn't mean it has to be valid for sure but it's at least different than the rest of these where you know it's invalid so this is a cool feature to use as well I use it all the time so we know the password is admin one two three I've gone on a little rant about that but hopefully that was okay all right let's delete this do I have I don't what is this stupid there it is okay and we have logged in successfully extending allows anyone on network to see all connected devices when you visit the router page just give the enumeration yeah yep you can see all devices and plus some IP addresses sometimes in a lot of routers are that way a lot of home routers are that way okay so let's see we have gotten one two three four five six seven of these all these are good okay so we're through the sequel injection we're through the admin stuff now there are three other ones I want to talk about we come through down here there's three that we have left this weird crypto I don't think we can do tonight so it's telling us to do something about informing the shop with a contact form but when you look at it it's not solvable without knowing about the crypto that's going behind the scenes and a lot of those come in the later challenges we could do it but it feel a little bit like cheating so there are two that we talk about now this one here actually I'm gonna leave these Bowl to 
you but I'm going to give you hints on both of these this one this login MC say search now there is a youtube video out there we go here I'm not gonna play this because YouTube is very particular and I don't want to get a ding for a copyright or anything you go to college humor rapper who's very concerned with his password security or with password security listen to the rap song okay and then find his email address with the admin panel and log in with the user okay figure out what his password is he tells you in the song and login that's one item number two security policy behave like any white hat should this is very vague in this corresponds to this here so if you go to security txt org this is a proposed standard they are trying to put out there to put a security text file on on applications so that way if you were to find something malicious you could report it to somebody without being concerned if you you know like he's still okay let's let's put this back a little bit you still can't go around hacking people or being malicious without permission but if you were to stumble across something and you were concerned that reporting it might lead to jail time or something like that you could look for this file I'm going to show you something else in a second there's a very very famous case out there where somebody changed a number let's just say say it was equals one they were able to change to two to three to four right indirect object referencing and pull data for other people now when they reported this they went to jail so be very very very careful now there's a website out there for disclosed IO disclosed that IO is a great website okay so this is for safe harbor where you can actually do research and submit you know submit things here we you can search on different vendors and see if they exist in the the disclosed IO and hopefully they're on that list hopefully we get more people on this list but this is super super important you can't just go hacking 
around so this is what this is about so I will I will leave this to you too the instructions on this website to find this flag here and also got a youtube user to block for asking for blackhat stuff anyway okay so it is 855 we finished a little early but hopefully this was informative for you I think next week will be another good week but I mean we got to we got to cover again cross-site scripting got to see what stored really looks like and we got to see sequel injection as well and start talking about it there's going to be plenty more sequel injection and it's going to get way more rigorous than what you saw tonight you saw the base example of the one equals one conditional statement okay so I'm gonna come back and come to the screen and chat with all of you beautiful people you're welcome guys I will open up Q&A for anybody that has questions except MTX are [Music] is this considered part of zero to hero this is not zero to hero this is his own course zero to hero focused on network pentesting this is a web app pentesting completely different beast completely different any chance I could devote a session fully I'm not sure what's in store so like I said it takes me 8 to 12 hours to put together a lesson plan and I think that we're going to be breaking down the lesson plans even further like I don't think that we're gonna get through 1919 solutions in one day like when it comes to the medium or hard challenges because they're gonna be so more difficult than what we're doing now unless we do a marathon stream but there are there are still I there's got to be at least seven or eight more cross-site scripting x' to go over and those combined should keep us pretty busy does web app pentesting require a different skill set can you be one without being the other yes completely different skill sets similar methodologies in terms of the hacking methodology but completely different tools and skill sets for the most part there's some overlap but the they're they're 
vastly different you can absolutely be one without being the other it's easier in my opinion to be a web a pen tester without being a network if you be a network pen tester they're probably gonna want you to do web app as well if you tell me about your band the black cats of that results in a van no I will promote your band the black cats do you use intruder a lot yes quite a bit I use intruder for most of my brute-forcing the hacker that changed the numbers are we talking about we are talking about leave yes we are thoughts on relying on polygons relying I think it's there okay to fuzz with I don't know if you rely on them they can they can cause some bypassing I know somebody who really likes them but I feel like it's a mixed bag many programming languages do I know probably zero for being honest do you use a particular clipboard manager I don't just use whatever is built into Windows we're asking blackhat questions in boom on the block Jesus Christ Oh what's up with the sub coming through it's up Greensboro thank you for the sub I appreciate it the real root beer subscribe thank you thank you thank you have I gone through all of juice shop I have not gone through all juice shop I realized I'm missing questions I'm gonna bring this over here so that way I can see more of these do I think this course combined with zero to hero is enough for the pwk I think zero to hero is enough for the pwk you don't really need this the pwk is enough for the pwk like it's it's meant to help you pass without much other needs or external resources other than Google I realized that YouTube wasn't coming through one of these channels so sorry about that guys I'm a why it wasn't relaying relays broken apparently is it better to know the language and fuzz by hand I think knowing the language and fuzzing helps I will be honest with you that I sir am a trucker I will Chuck and see what sticks there are much better people out there than me that will find the the complicated the 
complicated way through by fuzzing but I am typically not that smart I'm not I'm not trying to be funny I'm being serious like on terms of knowing programming languages I know I know zero it comfortably to say zero I can Google my way through writing code or writing a script or anything that I need to do I understand the logic behind a lot of program programming concepts I can think logically how I want to program to be but if you would ask me to like sit down and write from scratch a program without having any other resources can do it is it a good idea to specialize in some sort of specialized attack or a particular attack that's what all the bug bounty guys say the bug funny guys say that they like to focus in one area as to not you know you know not get too concerned with other areas be a master in one location and just look for those types of bugs you know so I think that might be beneficial and then maybe if you're getting good at one start looking for other ones as well any tip or book for bypassing laughs so bypassing laughs there is a good Oh God allure insecurity is wack X is designed solely around laughs laughs bypassing and advanced injections thank you the lobe I appreciate that the hardest thing for me in a in a pen test somebody's making a custom overlay I'm excited the hardest thing for me to pen test ID so my my networking concept of pivoting always blows my mind I don't know why it just always blows my mind it's something that I can do I can I can do it successfully done especially plenty of times but the concepts and the reasons as to why it's happening very very difficult for me to understand some people get it like that but that's the one thing I struggle with from a theoretical aspect I'm so stupid when it comes to it I promise I don't know anything about getting around the limits on community edition I agree I think this user is a bot and blocked oh you're drafting in a couple hours don't draft and your luck whatever you do my draft is my 
drafts this weekend actually I preferred network to Web Apps and there's a couple reasons for that one I'm way more comfortable in the network side of things I've got better experience it's more entertaining it's just my thing to the web app side of the house is much more I don't know a lot more people there you if you don't come from a dev background you're gonna struggle a little bit and the the devs when you go to debrief devs on a web app pen test they are more combative right and I've said this before but they're more combative because you're tearing apart their baby possibly their jobs on the line if they've just been shitty you are sitting there and you know possibly destroying them for how bad or you know they've done and they get really combative over the littlest things but the you know like the network people for the most part they're just chill they're like you're like you need to patch that go do this and they're like okay that's that's great whose Ireson allen iverson that is correct outcast you are not blocked sir yeah we're talking about practice practice if you knew to pentesting start with zero to hero it's a very comfortable shirt man I love this inaccurate is there any way to escalate privileges to admin from sequel do you have a shell on your sequel server check out the leaked in link what why are you sending me links Oh a developer copying code from Stack Overflow nice oh I did see this the other day that's actually hilarious now I have seemed to have lost my wedding ring which is not gonna be good if I don't find it before the wife comes home so I don't know where that slipped off apparently I've lost that much weight that it just falls off my finger so that's not good I hope the dog didn't need it by Jay Delta you have a matter Peter shell but not as admin look into Windows presque or Windows local exploit suggester see if you can run through that and you're gonna have to start searching try to run like Sherlock on the on the machine see if 
you can do any progress there can you do token impersonation if they h
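The single-quote error probe and the `' OR 1=1--` login bypass walked through in the stream, as an added example that is not part of the original stream or of Juice Shop's own code: a small Python script against an in-memory SQLite table, with the string-concatenated query beside its parameterized fix. The table layout, the column names (email, password, deletedAt, modelled on the query the stream recovered from the error message), the accounts and the plaintext passwords are all assumptions constructed for this example; a real application would store password hashes, which does not change the injection.

```python
import sqlite3

# Constructed sample table, modelled on the query recovered in the stream:
#   SELECT ... FROM Users WHERE email = '...' AND password = '...' AND deletedAt IS NULL
# Column names, accounts and plaintext passwords are assumptions for this example only.
SAMPLE_USERS = [
    ("admin@example.test", "admin123", "admin", None),              # first row in the table
    ("frank@example.test", "frank-secret", "customer", None),
    ("gone@example.test", "old-secret", "customer", "2019-01-01"),  # soft-deleted account
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
        "password TEXT, role TEXT, deletedAt TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (email, password, role, deletedAt) VALUES (?, ?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Build the query by string concatenation: the pattern the stream exploits.

    Returns {"user": row_or_None} when the SQL parses, or {"error": message}
    when the input breaks the statement. That error is the single-quote probe
    from the stream: the injection is not blind, the database talks back.
    """
    query = (
        "SELECT id, email, role FROM Users WHERE email = '" + email
        + "' AND password = '" + password + "' AND deletedAt IS NULL"
    )
    try:
        return {"user": conn.execute(query).fetchone()}
    except sqlite3.OperationalError as exc:
        return {"error": str(exc)}


def login_safe(conn, email, password):
    """Parameterized query: the payload is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT id, email, role FROM Users "
        "WHERE email = ? AND password = ? AND deletedAt IS NULL",
        (email, password),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    # 1. Probe: a stray quote leaves the statement unterminated, so SQLite errors out.
    print("probe  :", login_vulnerable(db, "test'", "x"))
    # 2. Bypass: ' OR 1=1-- closes the email literal, makes the WHERE clause always
    #    true, and comments out the password and deletedAt checks; the first row
    #    in the table (the admin) is what fetchone() returns.
    print("bypass :", login_vulnerable(db, "' OR 1=1--", "anything"))
    # 3. The same payload against the parameterized query matches no row at all.
    print("safe   :", login_safe(db, "' OR 1=1--", "anything"))
    print("real   :", login_safe(db, "admin@example.test", "admin123"))
```

The bypass returns the admin only because it happens to be the first row scanned, exactly the point made in the stream; a `LIMIT 1` or a different physical row order would hand back a different account, which is why testers often follow up with `' OR email = 'target@...'--` style payloads once they know a target address. The fix is the bound-parameter query, not filtering quotes: the same `?` placeholders work for any value a user can type.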
Original Description
❓Info❓
___________________________________________
Hire me: https://tcm-sec.com
Contact (professional inquiries only, please): info@thecybermentor.com
📱Social Media📱
___________________________________________
Website: https://thecybermentor.com
Twitter: https://twitter.com/thecybermentor
Twitch: https://www.twitch.tv/thecybermentor
Discord: https://discord.gg/REfpPJB
LinkedIn: https://www.linkedin.com/in/heathadams
💸Donate💸
___________________________________________
Like the channel? Please consider supporting me on Patreon:
https://www.patreon.com/thecybermentor
Support the stream (one-time): https://streamlabs.com/thecybermentor