WEBVTT 1 00:00:00.040 --> 00:00:03.480 Hey everyone, and welcome back for another deep dive. Today, 2 00:00:04.080 --> 00:00:06.240 we're going to be cracking open the world of web 3 00:00:06.280 --> 00:00:07.400 penetration testing. 4 00:00:07.559 --> 00:00:08.519 Ooh exciting. 5 00:00:08.800 --> 00:00:14.119 Yeah, so you're curious about how to you know, find 6 00:00:14.199 --> 00:00:18.359 vulnerabilities and websites, right, like everybody is. So to guide 7 00:00:18.399 --> 00:00:22.120 us today, we have excerpts from Practical Web Penetration Testing 8 00:00:22.280 --> 00:00:23.079 by Gus. 9 00:00:22.839 --> 00:00:24.239 Kawaja excellent source. 10 00:00:24.359 --> 00:00:28.480 Yeah, and it's published by Packed Publishing. Okay, so this 11 00:00:28.600 --> 00:00:31.039 might sound a little intimidating, but don't worry it can be. 12 00:00:31.239 --> 00:00:33.439 We are here to make it fun and easy to understand. 13 00:00:33.600 --> 00:00:34.039 That's us. 14 00:00:34.200 --> 00:00:37.000 We'll even touch on some pretty cool tools like burp sweet, 15 00:00:37.159 --> 00:00:40.039 which is like having X ray vision for web traffic ooh, 16 00:00:40.399 --> 00:00:44.880 and even metasploit, which is like a hackers Swiss army knife. 17 00:00:45.119 --> 00:00:49.119 Nice. So yeah, it's a fascinating journey, yeah, from building 18 00:00:49.119 --> 00:00:51.759 your own hacking lab, oh yeah, to actually thinking like 19 00:00:51.799 --> 00:00:53.960 a hacker. Yeah. And the book it lays it all 20 00:00:53.960 --> 00:00:56.759 out in the way that really anyone can grasp. 21 00:00:56.840 --> 00:00:59.640 Yeah for sure. So let's start with the basics. You know, 22 00:00:59.759 --> 00:01:02.439 to practice hacking, you need a safe space to play, right, 23 00:01:02.960 --> 00:01:06.280 So this book it walks you through setting up your 24 00:01:06.319 --> 00:01:07.719 own virtual hacking lab. 25 00:01:07.959 --> 00:01:10.760 It's like building your own digital playground. And this book 26 00:01:11.239 --> 00:01:16.799 it uses this vulnerable web application called Mutiliday mutildy. Yeah, 27 00:01:16.799 --> 00:01:18.760 it's kind of a weird name, I know. Yeah, it's 28 00:01:18.760 --> 00:01:22.439 a type of ant, but the name kind of fits 29 00:01:22.640 --> 00:01:25.159 I think because it lets you poke around, okay and 30 00:01:25.200 --> 00:01:27.040 dissect it and you can set it up on either 31 00:01:27.040 --> 00:01:28.400 Windows or open to Linux. 32 00:01:28.599 --> 00:01:32.840 Okay. So like most major operating systems, yeah, exactly, and 33 00:01:32.879 --> 00:01:36.040 the book makes it surprisingly easy even if you're not, 34 00:01:36.480 --> 00:01:39.359 you know, a tech whiz. It really does installing things 35 00:01:39.359 --> 00:01:43.120 like XMPP, which might sound a little intimidating, right, it's 36 00:01:43.159 --> 00:01:45.400 a breeze with the step by step instructions. 37 00:01:45.480 --> 00:01:48.079 The book really does hold your hand through that whole setup. Yeah. 38 00:01:48.120 --> 00:01:49.680 But once you have your lab up and running, it's 39 00:01:49.680 --> 00:01:53.120 time to meet your new best friend, Collie Linux. 40 00:01:53.159 --> 00:01:56.640 Ah, Callie Linux. Yeah, the go to operating system for 41 00:01:56.760 --> 00:02:00.760 penetration testers. Absolutely, it's like this toolbox act with everything 42 00:02:00.799 --> 00:02:03.079 you need for like digital detective work. Right. 43 00:02:03.280 --> 00:02:03.640 Yeah. 44 00:02:03.680 --> 00:02:07.799 So the book it covers installation and configuration and even 45 00:02:07.840 --> 00:02:11.919 how to navigate that command line which mandline Yeah can 46 00:02:11.960 --> 00:02:14.599 seem a little scary at first, right, but it's where 47 00:02:14.639 --> 00:02:16.039 the real magic happens. 48 00:02:16.520 --> 00:02:18.800 It is. It's like learning a secret language that lets 49 00:02:18.840 --> 00:02:21.560 you talk directly to the computer's core. Okay, you know. 50 00:02:22.039 --> 00:02:25.680 And the book dives into some essential concepts for setting 51 00:02:25.759 --> 00:02:30.280 up your virtual Collie machine, like the difference between bridged 52 00:02:30.840 --> 00:02:35.599 net and internal network configurations. Ah okay, These determine how 53 00:02:35.639 --> 00:02:39.560 your virtual machine interacts with your actual network. Okay, and 54 00:02:39.719 --> 00:02:42.719 understanding that is key to making sure you're playing safely 55 00:02:43.000 --> 00:02:44.840 yeah in your little digital sandbox. 56 00:02:44.960 --> 00:02:46.759 Right, so you don't want to don't want to mess 57 00:02:46.800 --> 00:02:49.840 up your break anything your actual computer, right right. It's 58 00:02:49.879 --> 00:02:52.080 like learning the rules of the road before you start 59 00:02:52.120 --> 00:02:54.479 like driving your virtual hacking machine around. 60 00:02:55.639 --> 00:02:56.400 Good analogy. 61 00:02:56.680 --> 00:02:59.000 So, speaking of secrets, did you know that the shadow 62 00:02:59.039 --> 00:03:03.080 file and call is where like those hashed passwords are stored. 63 00:03:03.280 --> 00:03:05.479 Oh yeah, it's like a little digital vault, and we'll 64 00:03:05.520 --> 00:03:07.919 learn how to peek inside and see how those passwords 65 00:03:07.960 --> 00:03:08.400 are protected. 66 00:03:08.439 --> 00:03:10.520 Okay, so we get to see how the sausage is made. 67 00:03:10.400 --> 00:03:15.039 Exactly how it's made. EO. Now onto another powerful tool, 68 00:03:15.879 --> 00:03:19.680 burp suite. Oh yeah, this is where things get really 69 00:03:19.759 --> 00:03:23.879 really interesting because burp suite is like having X ray vision. Yeah, 70 00:03:23.919 --> 00:03:24.840 for web traffic. 71 00:03:25.159 --> 00:03:25.800 It's true. 72 00:03:26.000 --> 00:03:26.560 It's amazing. 73 00:03:26.639 --> 00:03:30.759 Burpsweet acts like a web proxy sitting between your browser 74 00:03:31.120 --> 00:03:33.159 and the website you're visiting, right, so you can see 75 00:03:33.159 --> 00:03:35.719 all the requests and responses going back and forth. 76 00:03:35.840 --> 00:03:39.039 It's like watching a secret conversation unfold. Yeah, right in 77 00:03:39.039 --> 00:03:39.400 front of you. 78 00:03:39.400 --> 00:03:42.719 You're spying on them. So what's really fascinating is that 79 00:03:42.840 --> 00:03:47.360 you can actually modify those requests and responses in real time. 80 00:03:47.639 --> 00:03:50.400 Yes, you can. Wow. So you can use Burke Suite 81 00:03:50.439 --> 00:03:54.879 to crawl an entire website, poking and prodding for vulnerabilities, 82 00:03:55.240 --> 00:03:58.280 and you can even craft your own custom attacks. Really, 83 00:03:58.360 --> 00:03:59.159 it's incredible. 84 00:03:59.240 --> 00:04:00.599 So it's like a hacker toolkit. 85 00:04:01.080 --> 00:04:05.039 Yes, at your Fingertipszy and Burps. 86 00:04:05.039 --> 00:04:08.120 We can also analyze a website structure to help you 87 00:04:08.199 --> 00:04:12.080 pinpoint weaknesses. It can, so it's like a bloodhound sniffing 88 00:04:12.120 --> 00:04:13.120 out vulnerabilities. 89 00:04:13.199 --> 00:04:13.840 It really is. 90 00:04:14.000 --> 00:04:18.360 That's really cool. Yeah, so let's talk about the vulnerabilities themselves. Okay, 91 00:04:18.519 --> 00:04:21.839 the book it breaks down common web vulnerabilities in a 92 00:04:21.879 --> 00:04:24.920 way that's really easy to understand, even if you don't code. 93 00:04:25.079 --> 00:04:26.120 It does. It does. 94 00:04:26.240 --> 00:04:29.720 For example, let's talk about file inclusion vulnerabilities. 95 00:04:29.839 --> 00:04:33.000 So imagine an attacker finding a way to exploit a 96 00:04:33.000 --> 00:04:37.399 website's code and access sensitive files on the server. Okay, 97 00:04:37.680 --> 00:04:41.120 things like configuration files or even password databases. Oh wow, 98 00:04:41.160 --> 00:04:44.279 in a worst case scenario. Right, So that's a file 99 00:04:44.319 --> 00:04:46.120 inclusion vulnerability in a nutshell. 100 00:04:46.240 --> 00:04:48.920 Okay, so like getting access to things that you shouldn't 101 00:04:48.920 --> 00:04:49.639 have access. 102 00:04:49.319 --> 00:04:50.240 To, exactly, got it? 103 00:04:50.360 --> 00:04:52.959 Yeah, and what about cross site scripting. I've heard that 104 00:04:53.079 --> 00:04:55.360 term thrown around, but I'm not entirely sure what it means. 105 00:04:55.560 --> 00:04:59.240 Yes, So, cross site scripting or EXSS is basically when 106 00:04:59.279 --> 00:05:05.439 an attacker injects malicious scripts, usually JavaScript, into a website. Okay, 107 00:05:05.519 --> 00:05:08.160 it's like planting a little trap that can steal user 108 00:05:08.240 --> 00:05:11.800 data okay, hijack their accounts oh wow, or even take 109 00:05:11.800 --> 00:05:12.879 control of their browser. 110 00:05:13.439 --> 00:05:14.519 That's really scary. 111 00:05:14.920 --> 00:05:15.680 Yeah it can be. 112 00:05:15.800 --> 00:05:18.560 So it's like slipping a secret note into a message 113 00:05:18.600 --> 00:05:21.959 and tricking the recipient into doing something that they didn't intend. 114 00:05:22.240 --> 00:05:23.319 That's a great analogy. 115 00:05:23.560 --> 00:05:27.560 Thanks. So the book dives into different types of EXSS attacks, 116 00:05:27.720 --> 00:05:31.680 like stored, reflected, and dom based, each with their own 117 00:05:31.759 --> 00:05:35.439 little quirks and dangers they do. So lots of variety there, Yeah, 118 00:05:35.519 --> 00:05:37.680 lots of variety. Okay. Starting to make sense. 119 00:05:37.759 --> 00:05:38.279 Now good. 120 00:05:38.439 --> 00:05:41.439 Another term I've heard is CSRF. 121 00:05:40.839 --> 00:05:45.160 Right, Cross site request forgery or CSRF is another sneaky one. 122 00:05:45.319 --> 00:05:45.680 Okay. 123 00:05:45.920 --> 00:05:50.319 It tricks users into performing actions they didn't intend to do. Okay, 124 00:05:50.639 --> 00:05:53.519 like unknowingly making a post on their social media or 125 00:05:53.680 --> 00:05:56.959 even transferring money from their bank account. Oh wow, so 126 00:05:57.519 --> 00:05:58.199 that's a bad one. 127 00:05:58.240 --> 00:06:03.639 It's like really devious, it is? It is anything else 128 00:06:03.680 --> 00:06:05.879 we should be aware of on our vulnerability watch lists. 129 00:06:06.319 --> 00:06:10.319 Yes, you can't forget the classic sequel injection. This was 130 00:06:10.319 --> 00:06:14.480 a favorite among attackers because databases hold a treasure trove 131 00:06:14.639 --> 00:06:15.839 of sensitive information. 132 00:06:16.079 --> 00:06:17.079 Oh yeah, for sure. 133 00:06:17.160 --> 00:06:18.519 Yeah, so it's a popular one. 134 00:06:18.759 --> 00:06:20.360 So how does SQL injection work? 135 00:06:20.600 --> 00:06:25.079 Well, it involves manipulating the way a website talks to 136 00:06:25.120 --> 00:06:28.639 its database. Okay, So imagine being able to slip in 137 00:06:29.120 --> 00:06:32.800 a secret command that forces the database to spill all 138 00:06:32.839 --> 00:06:36.240 of its secrets. Okay, or even give you control over 139 00:06:36.279 --> 00:06:40.759 the entire system. Oh wow, that's the power of SEQL injection. 140 00:06:40.959 --> 00:06:42.160 That sounds pretty scary. 141 00:06:42.240 --> 00:06:44.800 It can be, Yeah, it really can be. And the 142 00:06:44.839 --> 00:06:48.319 book uses utiliday our vulnerable web app to show you 143 00:06:48.360 --> 00:06:51.000 exactly how this attack works. You actually get to see 144 00:06:51.040 --> 00:06:55.920 how in SQL injection can completely bypass logins and expose 145 00:06:56.000 --> 00:06:57.319 all sorts of sensitive data. 146 00:06:57.959 --> 00:07:00.319 That's pretty cool it is. Now that's what I call 147 00:07:00.360 --> 00:07:02.959 hands on learning. Yeah, so we've got our lab set up, 148 00:07:03.000 --> 00:07:06.160 we're getting cozy with Callie Linux and yes, burp Suite, 149 00:07:06.920 --> 00:07:09.480 and we're starting to get a handle on some common 150 00:07:09.639 --> 00:07:12.959 web vulnerabilities. So what's next in our journey to becoming 151 00:07:12.959 --> 00:07:13.839 an ethical hacker? 152 00:07:14.040 --> 00:07:15.759 Okay? So now we're going to step into the world 153 00:07:15.800 --> 00:07:18.439 of professional penetration testing. 154 00:07:18.519 --> 00:07:20.959 Professional so like people get paid to do this. 155 00:07:21.120 --> 00:07:25.959 They do they do. Really, companies hire ethical hackers also 156 00:07:26.000 --> 00:07:31.000 known as penetration testers okay, to find vulnerabilities okay, before 157 00:07:31.040 --> 00:07:33.240 the bad guys do. Okay, And the book kind of 158 00:07:33.279 --> 00:07:36.959 walks us through how a real world engagement unfolds. 159 00:07:37.000 --> 00:07:40.000 So it's not just randomly like hacking into websites. No, 160 00:07:40.240 --> 00:07:42.519 there's an actual strategy involved. 161 00:07:42.600 --> 00:07:46.000 There is a very deliberate process, okay, and it starts 162 00:07:46.040 --> 00:07:48.480 with what's called the pre engagement phase. 163 00:07:48.639 --> 00:07:50.319 Pre engagement okay, tell me more. 164 00:07:50.519 --> 00:07:53.199 So it's all about preparation okay, and planning. 165 00:07:53.360 --> 00:07:53.680 Okay. 166 00:07:53.759 --> 00:07:57.639 So penetration testers they gather information about the target, the company, 167 00:07:57.879 --> 00:08:01.680 their systems, their web applications define the scope of the engagement. 168 00:08:01.759 --> 00:08:02.879 Okay, So they do their homework. 169 00:08:02.920 --> 00:08:05.360 They do their homework before they even touch a keyboard. 170 00:08:06.040 --> 00:08:10.079 And a crucial part of this phase is communication. Ah. 171 00:08:10.360 --> 00:08:13.560 Penetration testers need to be upfront with the client about 172 00:08:13.560 --> 00:08:14.079 what they'll be. 173 00:08:14.040 --> 00:08:17.639 Doing, how they'll be doing it, what the expected outcomes are. 174 00:08:18.160 --> 00:08:20.920 So it's not just about the technical skills, no, it's 175 00:08:20.920 --> 00:08:24.040 about communication, yes, and professionalism as well. 176 00:08:24.240 --> 00:08:24.560 It is. 177 00:08:24.920 --> 00:08:27.879 I'm guessing there are different approaches to penetration testing. 178 00:08:28.000 --> 00:08:31.759 There are There are three main types, black box, gray 179 00:08:31.800 --> 00:08:35.320 box and white box testing. Okay, so imagine it like this. 180 00:08:36.519 --> 00:08:40.519 Black box testing is like going into a maze blindfolded. 181 00:08:40.840 --> 00:08:42.080 Oh wow, you have. 182 00:08:42.080 --> 00:08:44.399 No knowledge of the layout. Yeah, you have to rely 183 00:08:44.519 --> 00:08:46.399 on your senses to find your way through. 184 00:08:46.600 --> 00:08:48.759 Sounds challenging, it can be okay. 185 00:08:48.879 --> 00:08:51.360 Then there's grey box testing okay, and that's more like 186 00:08:51.399 --> 00:08:54.919 having a map of the maze. Okay, but some areas 187 00:08:54.960 --> 00:08:57.799 are blurred out. You have some knowledge, but not the 188 00:08:57.840 --> 00:08:59.600 complete picture, so you have a little bit of a 189 00:08:59.639 --> 00:09:02.000 headste a little bit of a headstart. Ok And then 190 00:09:02.000 --> 00:09:06.360 there's white box testing okay, and that's like having the 191 00:09:06.559 --> 00:09:09.840 complete map of the maze, including all the secret passages 192 00:09:09.879 --> 00:09:10.639 and shortcuts. 193 00:09:10.720 --> 00:09:13.200 So it's like having insider information. 194 00:09:13.600 --> 00:09:14.360 You could say that. 195 00:09:14.440 --> 00:09:19.120 Okay, and each approach has its own advantages and disadvantages. Yeah, 196 00:09:19.159 --> 00:09:21.879 and the choice really depends on the client's needs and 197 00:09:21.919 --> 00:09:23.840 the goals of the penetration test. 198 00:09:24.000 --> 00:09:29.799 Got it. So black box, blindfolded, gray box, a little 199 00:09:29.840 --> 00:09:32.039 bit of a map, and white box you have the 200 00:09:32.080 --> 00:09:32.759 full blueprint. 201 00:09:32.840 --> 00:09:33.320 You got it? 202 00:09:33.440 --> 00:09:36.000 Okay. What happens after the pre engagement phase? 203 00:09:36.039 --> 00:09:38.000 Okay, this is where we actually put on our hacker 204 00:09:38.080 --> 00:09:41.879 hats ooh and start thinking like the bad guys. Okay, 205 00:09:41.960 --> 00:09:45.120 but before we could dive into the technical stuff. Professional 206 00:09:45.159 --> 00:09:49.600 penetration testers, they engage in something called threat modeling. 207 00:09:49.919 --> 00:09:51.799 Threat modeling, Okay, break that down for me. 208 00:09:51.919 --> 00:09:57.200 So it's all about systematically analyzing the application to identify 209 00:09:57.320 --> 00:09:58.799 potential vulnerabilities. 210 00:09:59.000 --> 00:09:59.240 Okay. 211 00:09:59.440 --> 00:10:02.559 Imagine a hacker trying to break into a building. You'd 212 00:10:02.600 --> 00:10:06.720 scout it out, look for weak points, plan your attack Accordingly, 213 00:10:07.279 --> 00:10:09.960 threat modeling is basically doing that for a web application. 214 00:10:10.320 --> 00:10:13.000 So they're trying to anticipate how a hacker might target 215 00:10:13.039 --> 00:10:13.960 the system. 216 00:10:13.759 --> 00:10:17.000 Exactly, got it. It's a very proactive approach to secure 217 00:10:17.120 --> 00:10:17.679 so it's not. 218 00:10:17.639 --> 00:10:22.080 Just about finding existing vulnerabilities. It's about predicting where future 219 00:10:22.200 --> 00:10:23.559 vulnerabilities might arise. 220 00:10:23.679 --> 00:10:24.759 That's a great way to put it. 221 00:10:24.799 --> 00:10:25.080 Thanks. 222 00:10:25.200 --> 00:10:29.840 It's about understanding the application's attack surface okay, and identifying 223 00:10:29.879 --> 00:10:31.519 potential points of failure, so. 224 00:10:31.559 --> 00:10:33.480 Like a weak spot, yes, okay. 225 00:10:33.600 --> 00:10:37.039 And a key part of threat modeling is actually creating 226 00:10:37.080 --> 00:10:41.639 a visual representation of how data moves through the application, okay. 227 00:10:42.159 --> 00:10:45.039 And that's called a data flow diagram or DFD. 228 00:10:44.879 --> 00:10:46.000 Data flow diagram Okay. 229 00:10:46.000 --> 00:10:48.240 Taking that so it's like a map of the application's 230 00:10:48.240 --> 00:10:52.080 nervous system. It shows how data enters and exits the system, 231 00:10:52.440 --> 00:10:56.039 the processes it goes through, and where it's stored. And 232 00:10:56.120 --> 00:11:01.200 this helps penetration testers identify potential weak pointoints where data 233 00:11:01.279 --> 00:11:03.080 might be exposed or even tampered with. 234 00:11:03.279 --> 00:11:06.679 So it's like creating a blueprint for hacking, but in reverse. 235 00:11:06.960 --> 00:11:10.679 Yes, exactly. And once they have this map, they use 236 00:11:10.720 --> 00:11:14.919 it to identify potential threats okay. They consider things like spoofing, 237 00:11:15.080 --> 00:11:20.320 which is like faking identities, tampering with data, repudiation which 238 00:11:20.360 --> 00:11:26.159 is like denying actions, information disclosure, leaking sensitive data, denial 239 00:11:26.200 --> 00:11:30.799 of service, making the application unavailable, and elevation of privilege, 240 00:11:31.120 --> 00:11:32.639 gaining unauthorized access. 241 00:11:32.799 --> 00:11:35.639 Wow, that's a lot to consider. It is, so it 242 00:11:35.679 --> 00:11:38.559 sounds like they're trying to think of every possible way 243 00:11:38.600 --> 00:11:40.360 that a hacker could attack the system. 244 00:11:40.799 --> 00:11:43.279 That is the goal is to be as thorough as 245 00:11:43.320 --> 00:11:47.720 possible and to help categorize and assess these threats. They 246 00:11:47.799 --> 00:11:50.120 use frameworks like Stride and dread. 247 00:11:50.720 --> 00:11:54.559 Stride and dread, they'll sound like a superhero duo fighting cybercrime. 248 00:11:54.679 --> 00:11:58.320 They do, they do. They actually help penetration testers fight 249 00:11:58.360 --> 00:12:02.840 the bad guys. Okay, Stride it's actually an acronym for 250 00:12:02.919 --> 00:12:07.159 the different types of threats we just talked about spoofing, tampering, repudiation, 251 00:12:07.320 --> 00:12:10.960 information disclosure, denial of service, and elevation of privilege. 252 00:12:11.080 --> 00:12:13.039 So it's a handy way to remember all those. 253 00:12:13.159 --> 00:12:13.480 It is. 254 00:12:13.519 --> 00:12:15.679 It is different ways an attacker might try to exploit 255 00:12:15.679 --> 00:12:16.200 the system. 256 00:12:16.360 --> 00:12:19.519 Absolutely got it, and then dread. It's a framework for 257 00:12:19.679 --> 00:12:26.559 ranking the severity of those threats based on their potential damage, reproducibility, exploitability, 258 00:12:26.600 --> 00:12:29.279 affected users, and discoverability. 259 00:12:29.360 --> 00:12:32.120 Wow. Okay, so a whole bunch of factors, a lot 260 00:12:32.159 --> 00:12:35.879 of factors. So by using these frameworks, penetration testers can 261 00:12:35.919 --> 00:12:40.519 really prioritize which threats pose the most significant risk they 262 00:12:40.559 --> 00:12:43.639 can and need to be addressed first exactly. Okay, And 263 00:12:43.720 --> 00:12:46.840 the book provides a practical example of a completed threat 264 00:12:46.879 --> 00:12:49.480 modeling document showing how it all comes together. It does, 265 00:12:49.600 --> 00:12:52.440 so you can see an example, you can. Awesome. So 266 00:12:52.759 --> 00:12:56.240 we've covered pre engagement and threat modeling. Yes, what's the 267 00:12:56.279 --> 00:12:57.639 next step in this process? 268 00:12:57.679 --> 00:13:02.200 Okay? So once penetration testers they understand the application and 269 00:13:02.240 --> 00:13:05.960 its potential vulnerabilities, they can start digging into the code itself. 270 00:13:06.120 --> 00:13:08.120 Ah. So this is where it gets really technical. 271 00:13:08.320 --> 00:13:10.960 It can be, but it's a crucial part of the process, 272 00:13:11.639 --> 00:13:13.240 and that's where source code review comes in. 273 00:13:13.360 --> 00:13:16.279 Source code review okay, so break that down for me. 274 00:13:16.600 --> 00:13:19.120 What exactly are they looking for in this phase? 275 00:13:19.679 --> 00:13:22.279 So the goal of source code review is to find 276 00:13:22.320 --> 00:13:26.240 those hilly security flaws in the application's code. So it's 277 00:13:26.279 --> 00:13:28.840 like being a detective, right searching for clues at a 278 00:13:28.879 --> 00:13:32.639 crime scene, except the crime scene is lines of code. 279 00:13:32.840 --> 00:13:36.200 It could be a very meticulous process. Yeah, but but 280 00:13:36.519 --> 00:13:40.879 it can reveal vulnerabilities that other testing methods might miss. 281 00:13:41.159 --> 00:13:44.279 So they're reading through the code line by line sometimes 282 00:13:44.279 --> 00:13:46.720 looking for mistakes that could be exploited exactly. 283 00:13:46.919 --> 00:13:49.480 And there are two main approaches to source code review, 284 00:13:50.320 --> 00:13:55.279 manual and automated. So manual code review is like having 285 00:13:55.320 --> 00:13:59.159 a human detective carefully examine every piece of evidence, okay, 286 00:13:59.480 --> 00:14:02.759 whereas automated code review is more like using forensic tools 287 00:14:02.799 --> 00:14:06.759 to scan for specific patterns or anomalies. So it's kind 288 00:14:06.759 --> 00:14:11.320 of combining the power of human intuition and experience with 289 00:14:11.399 --> 00:14:14.519 the efficiency of these automated tools. Best of both worlds, 290 00:14:14.639 --> 00:14:15.399 Best of both worlds. 291 00:14:15.919 --> 00:14:19.320 The book provides a checklist of common secure coding practices, 292 00:14:19.720 --> 00:14:25.360 covering everything from authentication and authorization to session management and 293 00:14:25.480 --> 00:14:29.440 data validation. It does so it's like having a guidebook 294 00:14:29.519 --> 00:14:33.840 for building secure applications. It is, but in reverse, it 295 00:14:33.879 --> 00:14:36.279 helps you spot where things might have gone wrong exactly, 296 00:14:36.639 --> 00:14:39.759 got it. So, once they've completed the source code review, 297 00:14:40.279 --> 00:14:40.960 are they done? 298 00:14:41.440 --> 00:14:42.039 Not quite? 299 00:14:42.279 --> 00:14:42.600 Okay? 300 00:14:42.799 --> 00:14:46.879 Because web applications they don't exist in isolation. They rely 301 00:14:47.000 --> 00:14:51.080 on a whole network of supporting systems like servers, firewalls, 302 00:14:51.120 --> 00:14:54.639 and routers, and if those systems are vulnerable, the whole 303 00:14:54.639 --> 00:14:55.679 applications at risk. 304 00:14:56.000 --> 00:14:57.679 So it's like a chain reaction, it is. 305 00:14:57.799 --> 00:14:58.120 It is? 306 00:14:58.279 --> 00:15:01.799 Yeah, a single week link, Yes, can compromise. 307 00:15:01.279 --> 00:15:03.080 The whole thing, the whole system. 308 00:15:03.159 --> 00:15:05.279 So that's where network penetration testing comes in. 309 00:15:05.399 --> 00:15:06.320 That is where it comes in. 310 00:15:06.440 --> 00:15:08.840 Okay, this sounds like we're going deeper down the rabbit hole. 311 00:15:08.919 --> 00:15:09.799 We are going deeper. 312 00:15:09.879 --> 00:15:10.480 Okay, I'm ready. 313 00:15:10.519 --> 00:15:12.559 So it's an essential part of the process, yeah, because 314 00:15:12.600 --> 00:15:16.679 it focuses on attacking the underlying infrastructure that supports that 315 00:15:16.759 --> 00:15:20.159 web application. Right. So it's a multi phase process that 316 00:15:20.240 --> 00:15:22.879 starts with information gathering okay, kind of like a spy 317 00:15:22.960 --> 00:15:24.600 gathering intel before emission. 318 00:15:24.879 --> 00:15:28.240 Okay, So information gathering, like they're doing reconnaissance. They're trying 319 00:15:28.279 --> 00:15:31.159 to learn as much as possible about the network they 320 00:15:31.159 --> 00:15:31.840 are Okay. 321 00:15:31.919 --> 00:15:36.480 They use a variety of techniques, including something called OSENT ohsent, yes, 322 00:15:36.639 --> 00:15:40.519 open source intelligence okay. And this involves collecting information from 323 00:15:40.559 --> 00:15:45.639 publicly available sources like where like company websites, social media profiles, 324 00:15:46.120 --> 00:15:50.039 public databases, news articles, blog posts, you name it. 325 00:15:50.519 --> 00:15:54.240 So they're piecing together a puzzle using publicly available information 326 00:15:54.399 --> 00:15:58.240 to try to build a picture of the target network exactly. Okay. 327 00:15:58.519 --> 00:16:00.600 And once they have a good understanding of the network, 328 00:16:00.720 --> 00:16:01.360 what do they do? 329 00:16:01.559 --> 00:16:03.480 Then they move on to vulnerability scanning. 330 00:16:03.720 --> 00:16:06.360 Vulnerability scanning so pretty self explanatory. 331 00:16:06.440 --> 00:16:08.600 Yeah, pretty much. Okay, so this is where they actually 332 00:16:08.759 --> 00:16:13.039 use tools like endmap to scan the network for those 333 00:16:13.080 --> 00:16:14.879 potential weaknesses end map. 334 00:16:14.919 --> 00:16:16.000 Remind me what that does again? 335 00:16:16.120 --> 00:16:19.559 Okay, So think of end map as a very powerful 336 00:16:19.679 --> 00:16:23.559 radar system for your network. So it sends out signals 337 00:16:23.720 --> 00:16:27.399 to identify open ports, determine what services are running on 338 00:16:27.440 --> 00:16:31.240 those ports, and even guess the operating system of the 339 00:16:31.240 --> 00:16:31.960 target machine. 340 00:16:32.039 --> 00:16:35.039 So it's like getting a detailed map of the network's terrain. 341 00:16:35.279 --> 00:16:39.279 It is highlighting all the potential points of entry exactly. Okay, 342 00:16:39.440 --> 00:16:42.919 And once they've identified these potential vulnerabilities, what happens then? 343 00:16:43.399 --> 00:16:45.279 Then the real fund begins? 344 00:16:45.399 --> 00:16:46.559 Ooh, tell me more. 345 00:16:46.720 --> 00:16:48.200 It's the exploitation phase. 346 00:16:48.840 --> 00:16:51.960 Exploitation that sounds a little ominous. 347 00:16:51.720 --> 00:16:54.039 It can be. Yeah, So this is where they actually 348 00:16:54.080 --> 00:16:57.480 try to exploit the vulnerabilities they've found. They might use 349 00:16:57.519 --> 00:17:02.399 a tool like metasploit to gain access to systems, escalate 350 00:17:02.480 --> 00:17:07.000 their privileges, or even take control of the entire network. Wow, 351 00:17:07.960 --> 00:17:09.440 so it's pretty. 352 00:17:09.160 --> 00:17:11.440 Powerful metasploid didn't we mention that earlier? 353 00:17:11.440 --> 00:17:15.519 Well, it's a framework for developing and executing exploits. It's 354 00:17:15.599 --> 00:17:18.599 kind of like a hacker's toolbox filled with these pre 355 00:17:18.680 --> 00:17:22.119 made tools and the ability to create custom ones. 356 00:17:22.559 --> 00:17:25.880 So they're not just identifying vulnerabilities, they're actually trying to 357 00:17:25.960 --> 00:17:29.960 break in. They are, but it's all done ethically, ethically 358 00:17:30.240 --> 00:17:31.519 with the client's permission. 359 00:17:31.680 --> 00:17:33.440 Yes, always with permission. 360 00:17:33.599 --> 00:17:36.559 Okay, So they've exploited the vulnerabilities. Are they done now? 361 00:17:37.039 --> 00:17:41.279 Almost? There's one more phase. It's called the post exploitation phase. 362 00:17:41.440 --> 00:17:43.440 Post exploitation, so what happens there? 363 00:17:43.559 --> 00:17:46.119 This is where they assess the damage? Okay, So they 364 00:17:46.119 --> 00:17:49.640 figure out what an attacker could actually do, okay, once 365 00:17:49.640 --> 00:17:51.079 they've gained access, So they're. 366 00:17:50.880 --> 00:17:52.680 Not just breaking in, they're seeing what they can get 367 00:17:52.680 --> 00:17:53.799 away with exactly. 368 00:17:53.920 --> 00:17:58.200 Okay. They might try to steal sensitive data, install backdoors 369 00:17:58.279 --> 00:18:02.720 for future access, or even use the compromise system to 370 00:18:03.039 --> 00:18:04.799 attack other systems on the network. 371 00:18:05.000 --> 00:18:07.079 That's a lot, it is. So it's not just about 372 00:18:07.119 --> 00:18:10.640 finding vulnerabilities, it's about understanding the potential impact it is 373 00:18:10.759 --> 00:18:12.960 and demonstrating the real world risks. 374 00:18:13.200 --> 00:18:14.519 Absolutely, this is. 375 00:18:14.519 --> 00:18:18.559 Really intense stuff. So we've covered pre engagement, threat modeling, 376 00:18:18.799 --> 00:18:21.640 source code review, and network penetration testing. 377 00:18:21.759 --> 00:18:22.279 Yes we have. 378 00:18:22.880 --> 00:18:26.200 I'm guessing the next step is to actually start testing 379 00:18:26.519 --> 00:18:27.960 the web application itself. 380 00:18:28.039 --> 00:18:31.799 You are correct, Okay, we've laid all the groundwork and 381 00:18:31.880 --> 00:18:34.960 now it's time to put everything together and perform those 382 00:18:35.000 --> 00:18:36.160 web intrusion tests. 383 00:18:36.279 --> 00:18:38.640 This is what we've been building up to, it is okay. 384 00:18:38.680 --> 00:18:42.000 So how did they actually go about testing the web application. 385 00:18:42.359 --> 00:18:46.440 It's a structured process. It starts with crawling the web 386 00:18:46.480 --> 00:18:50.640 application to actually map out its structure. Okay, So imagine 387 00:18:50.640 --> 00:18:53.920 those digital spiders we talked about earlier, but this time 388 00:18:53.920 --> 00:18:56.920 they're exploring every nook and cranny of the web app. 389 00:18:57.279 --> 00:19:00.319 So they're building a detailed map of the web apption 390 00:19:00.799 --> 00:19:04.279 identifying all the pages and features exactly. And while they're 391 00:19:04.319 --> 00:19:08.359 doing that, they're also looking for hidden content they are right, 392 00:19:08.480 --> 00:19:12.400 that might reveal sensitive information exactly, like secret files or 393 00:19:12.440 --> 00:19:16.240 directories that aren't meant to be publicly accessible. So it's 394 00:19:16.240 --> 00:19:18.960 like playing a digital detective game. It is searching for 395 00:19:19.039 --> 00:19:23.440 clues and piecing together information exactly. Okay. So once they 396 00:19:23.480 --> 00:19:26.119 have a good understanding of the web apps structure and 397 00:19:26.160 --> 00:19:29.519 potential weaknesses, what do they do Then they. 398 00:19:29.400 --> 00:19:31.640 Start actually testing for vulnerabilities. 399 00:19:31.720 --> 00:19:33.640 Okay, So this is where they put all their tools 400 00:19:33.680 --> 00:19:34.720 and techniques to the test. 401 00:19:34.960 --> 00:19:40.079