WEBVTT 1 00:00:00.160 --> 00:00:03.240 Welcome to the deep dive. You're here because you want 2 00:00:03.240 --> 00:00:05.719 to understand the important stuff. Maybe you get those light 3 00:00:05.719 --> 00:00:08.720 bulb moments, but without feeling like you're drowning in jargon. 4 00:00:09.000 --> 00:00:09.599 Exactly. 5 00:00:09.800 --> 00:00:13.519 Today we're tackling a subject that's well fascinating and also 6 00:00:13.919 --> 00:00:17.359 increasingly vital, web haacking and penetration testing. 7 00:00:17.640 --> 00:00:20.079 Think of it this way. We're going to explore how 8 00:00:20.120 --> 00:00:24.239 the security of web applications gets tested, kind of like 9 00:00:24.359 --> 00:00:29.079 understanding how a security consultant probes a building's defenses right. 10 00:00:29.000 --> 00:00:30.800 Not to break in, but to find the weak spots 11 00:00:30.800 --> 00:00:33.560 so they can actually be fixed precisely. And our guide 12 00:00:33.560 --> 00:00:36.759 for this, our source material is Rafe Block and his 13 00:00:36.840 --> 00:00:41.240 book Web Haackingarsenal dot pdf. Now this isn't just theory, 14 00:00:41.320 --> 00:00:44.439 is it. Blog has real hands on experience. 15 00:00:44.520 --> 00:00:48.560 He does real world security work, finding vulnerabilities, understanding the 16 00:00:48.640 --> 00:00:50.880 threats that are actually out there right now. So the 17 00:00:50.920 --> 00:00:53.200 book is a very practical look sort of under the 18 00:00:53.240 --> 00:00:55.920 hood of web security. Okay, And what's really key to 19 00:00:56.000 --> 00:00:58.560 grasp is that web security is always changing. I mean, 20 00:00:58.880 --> 00:01:02.320 new vulnerabilities pop up constantly, attackers find new tricks. 21 00:01:02.560 --> 00:01:04.680 Yeah, it never stands still not at all. 22 00:01:04.760 --> 00:01:07.760 So Block's work gives us a valuable, pretty up to 23 00:01:07.840 --> 00:01:09.239 date view on these challenges. 24 00:01:09.640 --> 00:01:12.079 So our mission today really is to pull out the 25 00:01:12.239 --> 00:01:16.200 essential ideas and techniques from Block's book. We want to 26 00:01:16.239 --> 00:01:19.879 give you the listener a clearer picture of these vulnerabilities 27 00:01:19.920 --> 00:01:24.599 and how security pros the ethical hackers actually find them. Yeah, okay, 28 00:01:24.719 --> 00:01:25.480 let's get into it. 29 00:01:25.599 --> 00:01:28.239 Let's do it. Let's maybe start with the absolute basics. 30 00:01:28.519 --> 00:01:33.079 How does the web actually work? Block begins there explaining HTTP. 31 00:01:33.319 --> 00:01:36.920 That's the foundation, right HGTP. You see it HTTP at 32 00:01:36.959 --> 00:01:40.439 the start of web addresses. Now, one fundamental thing Block 33 00:01:40.519 --> 00:01:44.319 points out is that HTTP is stateless. What does that 34 00:01:44.359 --> 00:01:45.079 mean exactly? 35 00:01:45.560 --> 00:01:48.439 Imagine you're talking to a waiter, but each time you speak, 36 00:01:48.480 --> 00:01:50.799 it's like they've never met you before. The server doesn't 37 00:01:50.799 --> 00:01:52.760 automatically remember your previous request. 38 00:01:52.879 --> 00:01:55.519 Ah okay, so each request is independent. 39 00:01:55.159 --> 00:01:57.439 Exactly, And because it's stateless, websites need a way to 40 00:01:57.480 --> 00:01:59.359 keep track of you, right, Like when you log in. 41 00:01:59.400 --> 00:02:02.719 That's where cookie. When you log in, the server sends 42 00:02:02.760 --> 00:02:05.359 this tiny piece of data, the cookie, to your browser. 43 00:02:05.760 --> 00:02:08.400 Your browser then sends it back with every request after that. 44 00:02:08.639 --> 00:02:10.919 So the server knows, ah, it's still. 45 00:02:10.719 --> 00:02:12.960 You exactly, it maintains that state. 46 00:02:13.319 --> 00:02:17.560 Belloch also stresses though that standard HTTP isn't encrypted. 47 00:02:17.759 --> 00:02:20.560 That's a huge point. It's like sending a postcard. Anyone 48 00:02:20.599 --> 00:02:23.240 who intercepts it can potentially read it. 49 00:02:23.479 --> 00:02:26.120 No ideal for logins or credit cards, definitely not. 50 00:02:26.439 --> 00:02:29.639 That's why we have HTTPS. The S means secure. It 51 00:02:29.680 --> 00:02:32.919 adds that layer of encryption, usually TLS or SSL, to 52 00:02:32.960 --> 00:02:34.199 make the communication private. 53 00:02:34.439 --> 00:02:39.039 Okay, so HTTP is the basic protocol, maybe insecure HDPS 54 00:02:39.080 --> 00:02:43.639 adds the security layer. What about get, GETEE and post requests? 55 00:02:44.000 --> 00:02:45.520 Block clarifies those. 56 00:02:45.319 --> 00:02:47.360 Two right, So when you click a link or type 57 00:02:47.400 --> 00:02:51.360 a URL, your browser usually sends a GETTT request. Any 58 00:02:51.400 --> 00:02:54.000 extra bits of information like search terms often end up 59 00:02:54.039 --> 00:02:55.039 right in the URL. 60 00:02:54.840 --> 00:02:56.479 Itself visible in the address bar. 61 00:02:56.439 --> 00:03:00.479 Yep visible, potentially saved in your history server logs that 62 00:03:00.520 --> 00:03:03.439 can have privacy implications. Think about sharing a link that 63 00:03:03.520 --> 00:03:05.039 has sensitive search terms in it. 64 00:03:05.159 --> 00:03:08.039 Good point. You might share more than you intend. So 65 00:03:08.080 --> 00:03:09.120 what's post Then? 66 00:03:09.400 --> 00:03:13.159 PST sends data differently. It's in the background, in the 67 00:03:13.159 --> 00:03:16.080 body of the request, not usually visible in the URL. 68 00:03:16.599 --> 00:03:21.120 This is typically used for submitting forms, login details, comments, 69 00:03:21.159 --> 00:03:21.759 that kind of thing. 70 00:03:21.840 --> 00:03:26.280 Okay, So get shows parameters in the url PST hinds 71 00:03:26.319 --> 00:03:29.560 them in the request body makes sense. Now, you mentioned 72 00:03:29.599 --> 00:03:34.240 the tech behind websites is evolving beyond the classic LMP stack. 73 00:03:34.479 --> 00:03:39.560 Yeah. Absolutely, the traditional L ANDP stack, Linux, Apache, Myseql, PHP, 74 00:03:39.719 --> 00:03:43.319 it's still around, definitely, But Block points out the rise 75 00:03:43.360 --> 00:03:46.039 of newer things like micro services, breaking. 76 00:03:45.800 --> 00:03:47.639 Big applications into smaller. 77 00:03:47.280 --> 00:03:51.400 Pieces exactly, and serverlest computing where you don't manage servers directly. 78 00:03:51.479 --> 00:03:54.560 Plus different databases no suite types like Mango dB. 79 00:03:54.680 --> 00:03:57.159 And these new technologies bring new security challenges. 80 00:03:57.199 --> 00:04:00.560 They definitely change the landscape. Different potential weaknesses can emerge. 81 00:04:00.599 --> 00:04:03.039 Okay, so we've got a basic picture of web communication. 82 00:04:03.280 --> 00:04:05.840 Now how do people actually start looking for vulnerabilities? 83 00:04:05.879 --> 00:04:09.439 You mentioned reconnaissance, right, intelligence gathering and enumeration. It's the 84 00:04:09.479 --> 00:04:14.120 recon phase. Block really emphasizes how critical this is, especially. 85 00:04:13.719 --> 00:04:17.399 You said in things like bug bounty programs where speed matters. 86 00:04:17.439 --> 00:04:21.000 Absolutely, you need to map out the target thoroughly and quickly. 87 00:04:21.360 --> 00:04:25.000 He breaks it down into active and passive subdomain enumeration. 88 00:04:25.360 --> 00:04:27.759 Active versus passive. What's the difference there? 89 00:04:27.959 --> 00:04:32.519 Active means you're directly probing the target, sending requests, trying 90 00:04:32.519 --> 00:04:34.920 things out to see what subdomains exist. 91 00:04:34.759 --> 00:04:37.240 Like knocking on doors kind of Yeah. 92 00:04:37.600 --> 00:04:40.680 Passive is more about gathering info that's already out there, 93 00:04:40.720 --> 00:04:44.399 publicly available without directly touching the target systems. 94 00:04:44.199 --> 00:04:47.360 Like looking at public records or maps instead of knocking. 95 00:04:47.079 --> 00:04:49.800 Precisely, and blog runs through a whole toolkit for this. 96 00:04:50.240 --> 00:04:52.839 One of the first techniques is reverse IP lookup. 97 00:04:53.199 --> 00:04:55.720 So you have the server's IP address, and. 98 00:04:55.720 --> 00:04:58.480 This lookup tries to find all the domain names hosted 99 00:04:58.519 --> 00:05:02.399 on that same server uncover hidden parts of an organization's 100 00:05:02.480 --> 00:05:03.639 online footprint. 101 00:05:03.920 --> 00:05:05.759 Interesting, okay, what else? 102 00:05:05.959 --> 00:05:09.639 Port scanning yep n map is common, but Block mentions 103 00:05:09.680 --> 00:05:13.680 masscans specifically for its speed. It rapidly checks which communication 104 00:05:13.800 --> 00:05:14.800 ports are open on a. 105 00:05:14.759 --> 00:05:18.519 Server, and open ports might mean running services. 106 00:05:18.360 --> 00:05:22.120 Potentially vulnerable services. Yeah, things that might have been overlooked. 107 00:05:22.319 --> 00:05:24.480 But an open port isn't always a web server. 108 00:05:24.360 --> 00:05:27.720 Right, Good point. That's where a tool like httpx comes in. 109 00:05:28.040 --> 00:05:30.639 Block explains it takes the open ports found by masscan, 110 00:05:30.759 --> 00:05:33.680 for example, and checks which ones are actually running web 111 00:05:33.720 --> 00:05:36.319 services HTTP or HTTPS. 112 00:05:36.439 --> 00:05:39.839 Got it, So find open poorts quickly, then verify which 113 00:05:39.879 --> 00:05:43.240 are web related? What about finding subdomains specifically? 114 00:05:43.399 --> 00:05:47.120 He mentions shuffles. It uses big lists of common subdomain 115 00:05:47.199 --> 00:05:50.680 names like blog shop dev and checks if they exist 116 00:05:50.680 --> 00:05:53.480 for the target domain using various DNS servers. 117 00:05:53.519 --> 00:05:55.720 Okay, trying common names, Yeah, makes sense. 118 00:05:56.000 --> 00:05:58.920 Now here's where it gets really clever. I think passive 119 00:05:59.000 --> 00:06:00.480 enumeration using showdown. 120 00:06:00.839 --> 00:06:04.160 Showdown the search engine for Internet connected devices exactly. 121 00:06:04.560 --> 00:06:07.240 Block explains how you can use the unique hash of 122 00:06:07.279 --> 00:06:08.959 a website's fabcon. 123 00:06:08.680 --> 00:06:10.680 The little icon in the browser tab that's the. 124 00:06:10.639 --> 00:06:14.319 One it's unique identifier. It's hash can sometimes be used 125 00:06:14.319 --> 00:06:17.480 to find other related subdomains that use the same icon. 126 00:06:17.639 --> 00:06:20.560 Wow, like a digital fingerprint pretty much. 127 00:06:21.199 --> 00:06:24.959 If two sites share that specific fabcon hash, it's a 128 00:06:25.000 --> 00:06:28.399 decent clue they might be related. Block even shows how 129 00:06:28.399 --> 00:06:31.480 to automate finding this with tools like CURL and Showdown's 130 00:06:31.480 --> 00:06:32.519 own command line tool. 131 00:06:33.000 --> 00:06:35.120 That's neat. What other passive methods? 132 00:06:35.199 --> 00:06:39.959 Certificate transparency logs. These are public records of all SSLTLS 133 00:06:40.000 --> 00:06:43.680 certificates issued. They list domain and subdomain names, so they're 134 00:06:43.680 --> 00:06:45.279 a gold mine for passive discovery. 135 00:06:45.519 --> 00:06:49.319 Ah Okay, and web archives like the Wayback Machine YEP. 136 00:06:49.639 --> 00:06:52.759 Looking at historical versions of a site can reveal subdomains 137 00:06:52.800 --> 00:06:55.199 that existed in the past, even if they're not live now, 138 00:06:55.279 --> 00:06:58.199 sometimes they come back online or point to interesting things. 139 00:06:58.480 --> 00:07:01.720 So digging through history and then there's a mass. You 140 00:07:01.759 --> 00:07:02.680 said it's comprehensive. 141 00:07:02.800 --> 00:07:05.199 Yeah, a mass pulls together a lot of techniques, both 142 00:07:05.279 --> 00:07:09.720 active and passive. Block highlights its different modules, Intel for 143 00:07:09.800 --> 00:07:13.759 gathering initial info and for the actual subdomain, searching, dB 144 00:07:13.920 --> 00:07:15.319 for storing results. 145 00:07:15.079 --> 00:07:18.079 VIZ for visualizing, and track right viz helps you see 146 00:07:18.079 --> 00:07:21.199 the relationships, and track is great for monitoring changes over time. 147 00:07:21.639 --> 00:07:24.879 Did a new subdomain appear? Did one disappear? Very useful? 148 00:07:25.360 --> 00:07:27.839 What about finding hidden files or directories? 149 00:07:28.439 --> 00:07:33.439 That's directory fuzzing tools like FFUF or deerbuster use wordless 150 00:07:33.680 --> 00:07:36.399 lists of common directory and file names to guess paths 151 00:07:36.439 --> 00:07:37.199 on the server. 152 00:07:37.240 --> 00:07:39.680 Trying to find pages that aren't linked publicly exactly. 153 00:07:39.720 --> 00:07:44.480 Maybe configuration files, old backups, adamin interfaces, things that could 154 00:07:44.480 --> 00:07:46.639 hold sensitive info or vulnerabilities. 155 00:07:46.720 --> 00:07:50.079 Okay, and you mentioned gaffer finding known URLs. 156 00:07:50.360 --> 00:07:53.279 Yeah, gaff etches URLs for a domain from various public 157 00:07:53.319 --> 00:07:57.399 sources like the Wayback Machine, Common crawl, etc. It's passive 158 00:07:57.439 --> 00:07:59.240 gathering of known paths. 159 00:07:59.000 --> 00:08:01.279 And JavaScript files. You said they can leak. 160 00:08:01.120 --> 00:08:06.120 Info, Oh, definitely. Block stresses looking inside JavaScript developers sometimes 161 00:08:06.160 --> 00:08:10.199 accidentally leave comments, internal API en points, maybe even secret 162 00:08:10.240 --> 00:08:13.040 keys or subdomain names in the code. He uses a 163 00:08:13.040 --> 00:08:15.160 PayPal example to show how this can happen. 164 00:08:15.240 --> 00:08:17.160 Wow, just hiding in plain sight in the code. 165 00:08:17.199 --> 00:08:21.160 Sometimes Yeah, then there's crawling or spidering. Tools like gospeitter 166 00:08:21.160 --> 00:08:24.480 automatically follow links on a website to map out its structure. 167 00:08:24.160 --> 00:08:25.759 Building a site map automatically. 168 00:08:26.120 --> 00:08:29.680 Right and Bolock notes gospitter is good at parsing JavaScript too, 169 00:08:30.120 --> 00:08:33.879 and even finding things like AWSS three buckets mentioned in the. 170 00:08:33.840 --> 00:08:36.960 Code, which brings us to cloud stuff s three. 171 00:08:36.840 --> 00:08:41.480 Buckets, Yeah, Amazon s three storage buckets. Block discusses how 172 00:08:41.519 --> 00:08:45.159 misconfigured cloud storage is a common problem. If a bucket 173 00:08:45.200 --> 00:08:48.799 is accidentally made public, it can expose huge amounts of data. 174 00:08:49.200 --> 00:08:53.279 He points to resources like buckets dot grayhtwarfare dot com 175 00:08:53.279 --> 00:08:56.440 for finding these leaky buckets across different cloud providers. 176 00:08:56.519 --> 00:08:58.679 Okay, so that's the recon A lot goes into just 177 00:08:58.759 --> 00:09:02.039 mapping things out. Now, what weaknesses are they actually looking 178 00:09:02.039 --> 00:09:05.360 for once they have this map? Server side injection attacks. 179 00:09:05.200 --> 00:09:08.039 Right, These are really serious because they let an attacker 180 00:09:08.159 --> 00:09:11.080 inject code that runs on the web server itself. SQL 181 00:09:11.120 --> 00:09:13.039 injection is the classic example. 182 00:09:12.720 --> 00:09:16.080 SQL injection heard of. It seems bad. How does it work? 183 00:09:16.120 --> 00:09:20.000 Basically, you inject malicious SQL database commands into input fields, 184 00:09:20.080 --> 00:09:24.039 search boxes, log informs, even URL parameter. Sometimes, if the 185 00:09:24.080 --> 00:09:27.320 application doesn't clean that input properly, the database might run 186 00:09:27.360 --> 00:09:28.559 your malicious command. 187 00:09:28.360 --> 00:09:31.200 And that lets you do what steal data. 188 00:09:30.879 --> 00:09:34.679 Steal data, modify data, sometimes even take control of the database. 189 00:09:34.720 --> 00:09:38.159 Server block covers different ways to exploit it. Error based, 190 00:09:38.200 --> 00:09:41.639 where you cause errors that leak info, boolean base asking 191 00:09:41.679 --> 00:09:46.399 true false questions, time based, making the database pause to infer. 192 00:09:46.240 --> 00:09:50.559 Things clever, and tools like sql map help automate this massively. 193 00:09:50.679 --> 00:09:53.519 Sql map is a powerful tool for finding and exploiting 194 00:09:53.519 --> 00:09:57.679 sqal injection. Block also mentions an interesting angle SQL injection 195 00:09:57.919 --> 00:09:59.879 via jawts JWTs. 196 00:10:00.080 --> 00:10:02.639 Yeah, those json web tokens for sessions. Yeah. 197 00:10:02.759 --> 00:10:05.600 Sometimes if the application decodes a GENWT and uses a 198 00:10:05.679 --> 00:10:08.440 value from it directly in a database query without proper checks, 199 00:10:08.679 --> 00:10:11.039 you could inject SQL through the jatabt payload. 200 00:10:11.240 --> 00:10:13.879 Wow. Okay, And it's not just secle databases right no. 201 00:10:13.919 --> 00:10:17.120 Sql right Block covers no seqal injection too, using Mango 202 00:10:17.200 --> 00:10:19.679 dB as an example. You can use special operators like 203 00:10:19.840 --> 00:10:22.519 two dollars for greater than in your input to trick 204 00:10:22.519 --> 00:10:24.759 the database logic, maybe bypass a log. 205 00:10:24.559 --> 00:10:27.679 In okay, beyond databases. Command injection. 206 00:10:27.879 --> 00:10:31.039 This is injecting operating system commands if an application takes 207 00:10:31.120 --> 00:10:34.200 user input and passes it directly to a system function. 208 00:10:34.039 --> 00:10:35.879 Like exec like in no JS you mentioned. 209 00:10:36.039 --> 00:10:39.000 Yeah, no JS exec is a common example if that 210 00:10:39.080 --> 00:10:42.559 input isn't sanitized and to tacker could run commands directly 211 00:10:42.600 --> 00:10:46.159 on the server's operating system. Block even quotes the official 212 00:10:46.200 --> 00:10:48.360 no JS stocks warning against this. 213 00:10:48.720 --> 00:10:51.960 That sounds really dangerous full server takeover. 214 00:10:51.559 --> 00:10:55.960 Potential potentially Yes. Then there's SSTI server side. 215 00:10:55.720 --> 00:10:57.320 Template injection gumplet injection. 216 00:10:57.440 --> 00:11:01.919 Web frameworks often use template engines to generate HTML dynamically. 217 00:11:02.240 --> 00:11:05.240 Think of placeholders filled with data. If an attacker can 218 00:11:05.279 --> 00:11:07.639 inject template syntax itself. 219 00:11:07.279 --> 00:11:09.399 Like the special characters the template engine. 220 00:11:09.200 --> 00:11:12.320 Uses exactly, they might be able to escape the intended 221 00:11:12.360 --> 00:11:15.840 context and run code. Block gives examples for ginga TOO 222 00:11:15.879 --> 00:11:18.919 and MECO templates showing how you can achieve remote code 223 00:11:18.919 --> 00:11:20.399 execution RCE. 224 00:11:20.919 --> 00:11:23.399 RCE again seems like the ultimate goal. 225 00:11:23.480 --> 00:11:25.799 Often it's definitely a high impact finding. 226 00:11:25.559 --> 00:11:27.519 Okay, so those are server side. What about attacks that 227 00:11:27.519 --> 00:11:30.360 happened in my browser? Cross site SCRIPTINGXSS. Right. 228 00:11:30.519 --> 00:11:34.559 XSS is about injecting malicious client side scripts, usually JavaScript, 229 00:11:34.600 --> 00:11:37.200 into a web page, which then gets executed by other 230 00:11:37.360 --> 00:11:38.399 users browsers, so. 231 00:11:38.399 --> 00:11:41.360 The bad code runs in the victims browser, not the server. 232 00:11:41.759 --> 00:11:46.279 Correct block explains DOM based XSS, where the vulnerability lies 233 00:11:46.480 --> 00:11:49.639 in the page's own JavaScript code rather than the server code. 234 00:11:49.720 --> 00:11:52.440 He talked about sources where malicious data comes from, like 235 00:11:52.480 --> 00:11:54.879 the URL and syncs where that data is used on 236 00:11:55.000 --> 00:11:56.879 safely causing script execution. 237 00:11:57.240 --> 00:11:59.799 Okay, sources and sinks in the browser's dom. 238 00:12:00.240 --> 00:12:03.840 He also touches on client side template injections similar to SSTI, 239 00:12:03.960 --> 00:12:06.679 but happening in JavaScript frameworks in the browser, and he 240 00:12:06.840 --> 00:12:11.240 details XSS risks in frameworks like Angular JS and React JS. 241 00:12:11.440 --> 00:12:14.159 Seems like XSS can pop up in unexpected places too. 242 00:12:14.360 --> 00:12:18.480 File uploads, yeah, block mentions uploading files like SVG scalable 243 00:12:18.559 --> 00:12:21.879 vector graphics. They look like images, but they're XML based 244 00:12:21.919 --> 00:12:25.720 and can contain executable script content or even hiding scripts 245 00:12:25.720 --> 00:12:26.759 and image metadata. 246 00:12:27.080 --> 00:12:30.080 Sneaky and what can attackers do with EXSS? 247 00:12:30.200 --> 00:12:33.840 A lot? Unfortunately, steal session cookies to hijack accounts, readerupt 248 00:12:33.879 --> 00:12:37.480 users to fit login pages, phishing, capture keystrokes. 249 00:12:36.960 --> 00:12:39.159 To pretty serious consequences. Are their defenses. 250 00:12:39.639 --> 00:12:43.320 CSP Content Security policy. Yes, CSP is a browser mechanism 251 00:12:43.320 --> 00:12:46.679 to control what resources, scripts, styles, etc. Page is allowed 252 00:12:46.679 --> 00:12:47.799 to load. It's a major. 253 00:12:47.559 --> 00:12:50.279 Defense, but attackers try to bypass it. 254 00:12:50.480 --> 00:12:55.799 Always block lists, common bypasses, exploiting unsafe inline or unsafe 255 00:12:55.840 --> 00:12:59.519 evil directives, finding vulnerable third party end points allowed by 256 00:12:59.559 --> 00:13:03.960 the CSP, using data ris if allowed XSS via JavaScript 257 00:13:03.960 --> 00:13:07.600 file uploads again, even exploiting browser bugs. Sometimes it's a 258 00:13:07.639 --> 00:13:08.399 cat and mouse game. 259 00:13:08.480 --> 00:13:10.639 He also mentions the same Origin policy SOP. 260 00:13:10.960 --> 00:13:14.759 SOP is fundamental. It stops scripts from one website accessing 261 00:13:14.840 --> 00:13:18.000 data or properties of another website a different origin, but 262 00:13:18.039 --> 00:13:21.159 block notes ways. It can sometimes be relapsed or bypassed, 263 00:13:21.399 --> 00:13:23.000 like using document dot domain. 264 00:13:23.399 --> 00:13:26.320 Okay, now this next one sounds really interesting dom clobbering. 265 00:13:26.559 --> 00:13:30.039 Yeah, this is clever. You use HTML elements, specifically their 266 00:13:30.039 --> 00:13:33.440 ID or name attributes, to create global JavaScript variables on 267 00:13:33.480 --> 00:13:36.960 the page that can overwrite existing legitimate variables or functions. 268 00:13:36.960 --> 00:13:37.639 How does that work? 269 00:13:37.919 --> 00:13:40.519 If you have an element like input eyed some variable 270 00:13:40.600 --> 00:13:43.799 and some browsers window dot some variable might now refer 271 00:13:43.879 --> 00:13:46.879 to that input element. Attackers use this to break security 272 00:13:46.960 --> 00:13:50.480 checks or manipulate page logic Block gives examples of bypassing 273 00:13:50.480 --> 00:13:53.480 filters or even changing document dot cookie. 274 00:13:53.080 --> 00:13:58.000 Wow overwriting variables with HTML tags and mutation. 275 00:13:58.080 --> 00:14:02.039 XSS MXSS is another advanced one. It happens when the 276 00:14:02.039 --> 00:14:05.480 browser tries to fix broken or weird HTML, and in 277 00:14:05.519 --> 00:14:09.759 the process of mutating it accidentally creates an EXSS vulnerability 278 00:14:09.879 --> 00:14:13.039 that wasn't in the original markup. He mentions Mozilla's Bleach 279 00:14:13.159 --> 00:14:15.320 library for sanitizing HTML to prevent this. 280 00:14:15.679 --> 00:14:18.120 Okay, lots of ways to attack the client side. What 281 00:14:18.200 --> 00:14:21.039 about CSRF Cross site request forgery. 282 00:14:21.440 --> 00:14:24.519 CSRF tricks your logged in browser into sending a request 283 00:14:24.600 --> 00:14:27.480 to a website you're authenticated to, but without your intention, 284 00:14:27.759 --> 00:14:31.600 like making you unknowingly change your email address or transfer funds. 285 00:14:31.759 --> 00:14:32.519 How did that happen? 286 00:14:32.559 --> 00:14:35.080 An attacker might embed a hidden image, tag or form 287 00:14:35.120 --> 00:14:37.480 on a malicious site or in an email that points 288 00:14:37.519 --> 00:14:39.840 to an action you arel on the target site. When 289 00:14:39.840 --> 00:14:42.879 your browser loads it, it automatically includes your cookies, making the 290 00:14:42.919 --> 00:14:44.120 request seem legitimate. 291 00:14:44.200 --> 00:14:46.039 Yikes, so the site thinks I wanted to do that 292 00:14:46.080 --> 00:14:47.080 action exactly. 293 00:14:47.440 --> 00:14:50.240 Bollock mentions tools like oh ask, ZAPPP which can help 294 00:14:50.320 --> 00:14:53.120 generate proof of concepts CSRF attacks for testing. 295 00:14:53.240 --> 00:14:54.720 Are the defenses tokens. 296 00:14:55.000 --> 00:14:58.840 Yes, the main defense is using unpredictable unique tokens. For 297 00:14:58.919 --> 00:15:02.480 each session or request, the server checks for this token 298 00:15:02.559 --> 00:15:05.879 to ensure the request was intentionally initiated by the user 299 00:15:06.000 --> 00:15:07.039 on the site itself. 300 00:15:07.320 --> 00:15:09.440 But attackers try to bypass these tokens too. 301 00:15:09.519 --> 00:15:12.360 He do maybe by exploiting how the site checks the 302 00:15:12.440 --> 00:15:16.360 referra or origin headers, or if token validation is inconsistent. 303 00:15:16.960 --> 00:15:21.120 Block also discusses the same site cookie attribute another defense layer, 304 00:15:21.480 --> 00:15:24.399 in ways it might be bypassed, perhaps through XSS or 305 00:15:24.440 --> 00:15:25.759 clever subdomain tricks. 306 00:15:25.879 --> 00:15:30.080 Okay, let's move to attacking the file system itself directory traversal. 307 00:15:30.360 --> 00:15:33.720 This is about accessing files outside of the intended web 308 00:15:33.799 --> 00:15:38.720 route directory by manipulating filepaths, often using sequences. 309 00:15:38.159 --> 00:15:40.080 The go up one directory command right. 310 00:15:40.320 --> 00:15:42.840 An attacker might try to read sensitive files like EXCTA 311 00:15:42.879 --> 00:15:46.600 pass on Linux or configuration files. Block mentions using curl 312 00:15:46.639 --> 00:15:49.440 path as is to make sure the debt isn't normalized 313 00:15:49.480 --> 00:15:52.080 away by the tool itself and it's much worse if 314 00:15:52.080 --> 00:15:53.799 the web app runs with high privileges. 315 00:15:53.919 --> 00:15:56.399 Okay, reading files, what about creating files? 316 00:15:56.799 --> 00:16:00.279 Arbitrary file creation? If a vulnerability allows an attack to 317 00:16:00.279 --> 00:16:02.480 specify the name and content of a file that gets 318 00:16:02.480 --> 00:16:05.200 saved on the server, that's really bad. They could write 319 00:16:05.200 --> 00:16:07.159 webshells or other malicious code. 320 00:16:07.240 --> 00:16:09.879 And local file inclusion LFI. 321 00:16:09.720 --> 00:16:12.279 LiFi is similar to traversal, but instead of just reading 322 00:16:12.279 --> 00:16:15.799 a file, the attacker tricks the application into including and 323 00:16:15.840 --> 00:16:20.200 potentially executing a local files content block uses PHP's read 324 00:16:20.240 --> 00:16:23.480 file function as an example, but include a require functions 325 00:16:23.519 --> 00:16:25.559 can sometimes lead to code execution too. 326 00:16:25.759 --> 00:16:29.720 Okay, filesystem access is clearly bad. What about file uploads? 327 00:16:29.919 --> 00:16:32.240 We touched on SPGs, but are there other risks? 328 00:16:32.519 --> 00:16:35.759 Huge risks. Applications often try to restrict uploads to certain 329 00:16:35.759 --> 00:16:38.919 file types like images only, but attackers try to bypass 330 00:16:38.960 --> 00:16:42.279 these checks by manipulating the mie type reported by the 331 00:16:42.279 --> 00:16:45.039 browser or the magic bytes, the first few bytes that 332 00:16:45.080 --> 00:16:47.759 identify a file type. The block gives a great example 333 00:16:48.039 --> 00:16:51.919 embedding PHP code into an image's metadata using exit tool. 334 00:16:52.080 --> 00:16:54.600 So if file looks like a normal jpeg, passes. 335 00:16:54.279 --> 00:16:57.000 The checks exactly, but if the attacker can later get 336 00:16:57.000 --> 00:16:59.919 the server to execute that file somehow, maybe through a 337 00:17:00.279 --> 00:17:03.879 LFI vulnerability, or if the server misconfigures how it handles 338 00:17:03.879 --> 00:17:06.960 certain image types, the embedded PHP code. 339 00:17:06.839 --> 00:17:11.680 Runs GOTE execution via image upload clever. Okay, let's switch 340 00:17:11.680 --> 00:17:13.240 to authentication and authorization. 341 00:17:13.759 --> 00:17:18.119 Big area, absolutely critical. Authentication is who are you? Authorization 342 00:17:18.359 --> 00:17:19.559 is what are you allowed to do? 343 00:17:20.000 --> 00:17:24.240 So? Authentication attacks first username enumeration, trying. 344 00:17:23.960 --> 00:17:27.680 To figure out valid usernames. Sometimes applications give slightly different 345 00:17:27.720 --> 00:17:31.359 error messages for user not found versus wrong password, or 346 00:17:31.400 --> 00:17:34.440 maybe the response time is subtly different. Attackers use these clues. 347 00:17:34.519 --> 00:17:36.799 Okay, then brute force and dictionary. 348 00:17:36.359 --> 00:17:40.480 Attacks just trying lots of passwords against known or guest usernames. 349 00:17:40.920 --> 00:17:44.359 Block mentions using tools like wifas, especially against things like 350 00:17:44.519 --> 00:17:46.440 HTTP basic authentication pop. 351 00:17:46.359 --> 00:17:50.400 Up boxes, and bypassing log informs like using PUT instead 352 00:17:50.440 --> 00:17:50.880 of PSD. 353 00:17:51.319 --> 00:17:55.400 Yeah, sometimes developers only protect against the expected post request, 354 00:17:55.680 --> 00:17:59.880 leaving other HTTP methods like put potentially vulnerable to bypass 355 00:18:00.039 --> 00:18:03.920 log in checks. He also mentions attacking account lockout policies, 356 00:18:03.960 --> 00:18:06.240 trying to bypass them or maybe even use them to 357 00:18:06.359 --> 00:18:08.119 lock out legitimate users. 358 00:18:08.039 --> 00:18:11.160 And kpchas those prove your human. 359 00:18:10.920 --> 00:18:13.880 Tests they can sometimes be beaten. A lock provides a 360 00:18:13.920 --> 00:18:18.240 whole process using ocr optical character recognition with Tesseract. He 361 00:18:18.319 --> 00:18:21.960 shows how to use Selenium to automate grabbing the keytcch 362 00:18:22.079 --> 00:18:25.039 image and feeding it to Tesseract to read the characters. 363 00:18:25.359 --> 00:18:29.799 So automating the kptchase solving. Wow. What about password resets? 364 00:18:30.039 --> 00:18:34.079 Abusing forgot password functionality is common? Maybe the reset tokens 365 00:18:34.079 --> 00:18:37.640 sent via email are predictable or password reset link poisoning 366 00:18:37.680 --> 00:18:40.440 tricking the application into generating a reset link that points 367 00:18:40.480 --> 00:18:43.359 to an attacker controlled server by manipulating the host header 368 00:18:43.359 --> 00:18:44.039 in the request. 369 00:18:44.160 --> 00:18:46.319 Okay, so lots of ways to attack the login process. 370 00:18:46.319 --> 00:18:48.599 What about after log in authorization attacks? 371 00:18:48.799 --> 00:18:51.000 This is about doing things you shouldn't be allowed to do. 372 00:18:51.279 --> 00:18:54.039 Privileged escalation is the big one. A normal user gaining 373 00:18:54.079 --> 00:18:56.680 admin power is due to weak access controls. 374 00:18:56.519 --> 00:18:58.839 Or idoor insecure direct object. 375 00:18:58.559 --> 00:19:01.160 References right where you can act as someone else's data 376 00:19:01.200 --> 00:19:03.559 just by changing an ID number in the URL like 377 00:19:03.799 --> 00:19:06.400 viewprofile dot PHP, dot user AD one two three to 378 00:19:06.480 --> 00:19:10.000 user AD one to four. Also general web parameter tampering, 379 00:19:10.160 --> 00:19:14.000 changing hidden form fields or other parameters to gain advantages. 380 00:19:13.480 --> 00:19:17.000 You mentioned attacking JWTs earlier with c clay, but other 381 00:19:17.119 --> 00:19:17.720 attacks too. 382 00:19:17.920 --> 00:19:20.920 Yes, trying to crack the secret key used to sign 383 00:19:20.920 --> 00:19:25.559 the JWT using tools like hashcat or the alg none attack, 384 00:19:25.680 --> 00:19:29.119 changing the algorithm header to none and removing the signature, 385 00:19:29.400 --> 00:19:32.440 hoping the server blindly trusts the payload if it sees none. 386 00:19:32.559 --> 00:19:33.599 This seems like a bad oversight. 387 00:19:33.640 --> 00:19:36.400 If that works, it definitely is. He also covers attacking 388 00:19:36.480 --> 00:19:38.720 o F two point zero, often used for login with 389 00:19:38.759 --> 00:19:42.279 Google Facebook. Attackers might try to steal access tokens by 390 00:19:42.319 --> 00:19:45.079 manipulating the redirectory parameter to send the token to their 391 00:19:45.119 --> 00:19:45.720 own site. 392 00:19:45.799 --> 00:19:49.279 Okay and salmonel another login standard. 393 00:19:49.359 --> 00:19:52.440 Similar issues tampering with the samuel response sent from the 394 00:19:52.480 --> 00:19:55.960 identity provider back to the application, or signature exclusion attacks 395 00:19:56.119 --> 00:19:58.039 similar to the JWT nun attack. 396 00:19:58.200 --> 00:20:01.240 What about multi factor authentication MFA. 397 00:20:00.799 --> 00:20:04.119 Can sometimes be bypassed, maybe the one time password OTP 398 00:20:04.279 --> 00:20:07.720 system doesn't have rate limiting, allowing an attacker to quickly 399 00:20:07.759 --> 00:20:12.480 brute force the code. And webcache deception is another interesting one, 400 00:20:12.720 --> 00:20:16.440 tricking a webcache like a CDN into storing a sensitive 401 00:20:16.680 --> 00:20:20.559