WEBVTT 1 00:00:00.080 --> 00:00:03.680 You know how news reports about cyber attacks often feel 2 00:00:03.720 --> 00:00:06.400 a bit distant, like this super technical spectacle. 3 00:00:06.480 --> 00:00:09.000 Yeah, you see the headlines here about breaches, right. 4 00:00:08.880 --> 00:00:12.400 But the actual mechanics it can seem well shrouded in mystery, 5 00:00:12.560 --> 00:00:15.679 almost too complex unless you're deep in that security bubble exactly. 6 00:00:15.679 --> 00:00:18.760 But what if understanding the you know, the real ingenuity 7 00:00:18.800 --> 00:00:22.160 behind these attacks and the defenses too, actually starts with 8 00:00:22.519 --> 00:00:25.039 something simpler, something like well, curiosity. 9 00:00:25.920 --> 00:00:29.120 And today that's what we're diving into the evolving world 10 00:00:29.199 --> 00:00:32.880 of web hacking and IT security. Okay, and our mission 11 00:00:32.960 --> 00:00:37.000 isn't just rehashing the basics. We want to explore the subtleties, 12 00:00:37.119 --> 00:00:40.200 the sophisticated techniques, you know, the constant cat and mouse 13 00:00:40.240 --> 00:00:42.520 game that really defines digital defense. 14 00:00:43.039 --> 00:00:46.280 So arming our listeners with some genuinely valuable insights, that's 15 00:00:46.320 --> 00:00:48.520 the plan, all right. And our main guide for this 16 00:00:48.719 --> 00:00:52.159 is hack Log Volume two, web hacking handbook on IT 17 00:00:52.479 --> 00:00:56.320 security and ethical hacking, which sounds pretty comprehensive. 18 00:00:56.560 --> 00:01:00.280 It is. Think of it like a detailed playbook. It's 19 00:01:00.320 --> 00:01:01.840 not just listing attack methods. 20 00:01:01.880 --> 00:01:03.479 It's more about the mindset. 21 00:01:03.119 --> 00:01:06.519 Precisely, the mindset needed to really grasp and secure this 22 00:01:06.599 --> 00:01:07.680 digital landscape. 23 00:01:07.760 --> 00:01:11.840 We're looking for those aha moments giving you that shortcut 24 00:01:12.040 --> 00:01:16.040 to being genuinely informed about where web security stands today 25 00:01:16.519 --> 00:01:19.200 and what it really means to operate in this space. 26 00:01:20.079 --> 00:01:23.439 So let's unpack this idea of a hacker, because we 27 00:01:23.519 --> 00:01:26.680 often get these characters, right, hoodies, green tags. Yeah, the stereotypes, 28 00:01:26.719 --> 00:01:28.840 but the spirit, like the one captured way back in 29 00:01:28.879 --> 00:01:33.079 eighty six by the mentor in the Hacker manifesto, it's 30 00:01:33.560 --> 00:01:37.159 actually kind of profound. My crime is curiosity. 31 00:01:37.400 --> 00:01:40.760 It's a powerful statement. It reframes hacking as this drive 32 00:01:40.840 --> 00:01:45.079 to explore systems, understand their limits, question assumptions. 33 00:01:44.519 --> 00:01:46.319 A mindset we could probably all use more of. 34 00:01:46.400 --> 00:01:49.680 Frankly, absolutely, and just to be crystal clear, this deep 35 00:01:49.760 --> 00:01:54.920 dive is purely educational, illustrative, informative. You're discussing techniques, but 36 00:01:54.959 --> 00:01:57.680 it's crucial to remember only use these on devices you 37 00:01:57.719 --> 00:02:01.200 own or in controlled test environments. Understanding is one thing. 38 00:02:01.400 --> 00:02:04.359 The list of access is totally different. Serious legal consequences 39 00:02:04.359 --> 00:02:05.480 there exactly. 40 00:02:05.599 --> 00:02:08.840 And this ethos also separates a true hacker, someone committed 41 00:02:08.879 --> 00:02:11.960 to deep continuous learning, from well what the book calls 42 00:02:11.960 --> 00:02:12.800 a lamer. 43 00:02:12.840 --> 00:02:14.919 Someone who talks the talk but hasn't done. 44 00:02:14.759 --> 00:02:18.080 The work, pretty much lacks the foundational curiosity and skill. 45 00:02:18.319 --> 00:02:21.360 And for you listening, this just highlights how important continuous 46 00:02:21.400 --> 00:02:25.360 learning and critical thinking are, especially in IT security because 47 00:02:25.360 --> 00:02:29.520 things are always changing, always shifting, and that constantly shifting landscape. 48 00:02:29.719 --> 00:02:32.319 That's precisely why the Worldwide Web is still such an 49 00:02:32.319 --> 00:02:35.680 attractive target, almost deceptively easy. 50 00:02:35.439 --> 00:02:37.280 In some ways, also easy. 51 00:02:37.360 --> 00:02:39.879 Well, think about it. It's the single biggest container of 52 00:02:39.960 --> 00:02:43.960 data we have, right, and it's architecture built for accessibility, 53 00:02:44.080 --> 00:02:47.919 for speed that creates vulnerabilities it can't. Yeah, the ease 54 00:02:48.039 --> 00:02:52.479 of developing web apps, browsers being universal clients, lightweight protocols 55 00:02:52.479 --> 00:02:56.319 like HTTP, even with SSL, it fostered this culture where 56 00:02:56.400 --> 00:03:00.080 speeds sometimes one out over let's say security rigger. 57 00:03:00.120 --> 00:03:04.159 So common frameworks, rapid deployment that could mean the same 58 00:03:04.199 --> 00:03:05.240 flaws crop up. 59 00:03:05.159 --> 00:03:10.719 Everywhere, exactly identical exploitable flaws across potentially millions of sites. 60 00:03:11.400 --> 00:03:16.560 And the critical thing here, attackers aren't just loan operators anymore. 61 00:03:16.319 --> 00:03:19.759 Right, We're talking organized groups, state sponsored actors. 62 00:03:19.439 --> 00:03:24.360 Yes, highly organized, well funded groups actively looking for these 63 00:03:24.360 --> 00:03:28.000 systemic weaknesses. Think about Gianni, the Pizzerio owner you mentioned Yeah, 64 00:03:28.039 --> 00:03:30.919 his website may be built on work press or something common. 65 00:03:31.319 --> 00:03:35.479 It's not immune. He could face advanced phishing targeting his customers, 66 00:03:36.120 --> 00:03:38.759 or his site could get hijacked for Adidas attack. 67 00:03:38.879 --> 00:03:41.479 Wow, so even small players are vulnerable. 68 00:03:41.520 --> 00:03:45.719 Absolutely, this scale of vulnerability it affects everyone, individuals, small businesses, 69 00:03:45.840 --> 00:03:49.840 huge corporations. That makes understanding these concepts relevant to well 70 00:03:49.919 --> 00:03:51.599 basically everyone online, which. 71 00:03:51.439 --> 00:03:54.479 Brings us to that first crucial phase of any sophisticated 72 00:03:54.479 --> 00:03:57.400 attack reconnaissance gathering information. 73 00:03:57.479 --> 00:03:59.800 I know your enemy part sun Zoo exactly. 74 00:04:00.039 --> 00:04:02.919 If you know the enemy and yourself in cybersecurity, it 75 00:04:02.919 --> 00:04:06.039 means knowing your target inside out, finding info they might 76 00:04:06.039 --> 00:04:07.319 not even realize as public. 77 00:04:07.639 --> 00:04:11.639 And we're not just talking basic whois lookups anymore. That 78 00:04:11.800 --> 00:04:14.759 data is often hidden behind privacy services. 79 00:04:14.800 --> 00:04:16.680 So where's the real tactical advantage. 80 00:04:16.759 --> 00:04:20.839 It's often in the less obvious data points like DNS history. 81 00:04:21.199 --> 00:04:25.720 Services like Netcraft or dnstrails they archive pass DNS records. 82 00:04:25.800 --> 00:04:26.800 Okay, how does that help? 83 00:04:26.839 --> 00:04:30.279 Well, Imagine a company moves its site behind cloud flare 84 00:04:30.399 --> 00:04:34.120 right hides its real server IP standard practice, but an 85 00:04:34.160 --> 00:04:37.720 attacker checks the DNS history finds an old record pointing 86 00:04:37.800 --> 00:04:41.160 directly to the server's actual IP address from before cloud 87 00:04:41.160 --> 00:04:43.680 Flare was set up. If that old path is still 88 00:04:43.720 --> 00:04:48.839 accessible instant bypass wow exactly, or even sneakier manual IP extraction. 89 00:04:49.079 --> 00:04:52.600 What's that subtle interactions? Maybe a web appsence, a confirmation 90 00:04:52.720 --> 00:04:55.360 email and the real server IP is hidden in the 91 00:04:55.360 --> 00:04:56.160 email headers? 92 00:04:56.240 --> 00:04:58.240 Oh like the received lines. 93 00:04:57.879 --> 00:05:01.199 Sometimes yes, or an image of l process that under 94 00:05:01.199 --> 00:05:04.720 certain conditions might leak an internal IP address. It's about 95 00:05:04.759 --> 00:05:07.240 piecing together these digital breadcrumbs. 96 00:05:06.720 --> 00:05:10.800 Creating a surprisingly clear picture from seemingly random bits of info. 97 00:05:11.079 --> 00:05:13.199 That's the goal of good recon Okay, so. 98 00:05:13.160 --> 00:05:16.519 They've gathered this intelligence. Now they move from passive looking 99 00:05:16.560 --> 00:05:17.920 to active probing. 100 00:05:18.079 --> 00:05:21.240 Right now they start knocking on digital doors, seeing what's 101 00:05:21.319 --> 00:05:24.639 unlocked or maybe easily forced open. This is where port scanning. 102 00:05:24.279 --> 00:05:26.079 Comes in, using tools like MP Yeah. 103 00:05:26.160 --> 00:05:28.240 En map is the classic. It doesn't just find open 104 00:05:28.279 --> 00:05:31.240 ports like port eighty for web traffic or twenty two 105 00:05:31.279 --> 00:05:35.000 for SSH. It fingerprints the services running on those. 106 00:05:34.879 --> 00:05:38.879 Ports, tells you the specific software like apatche version X 107 00:05:38.959 --> 00:05:40.839 on Linux kernel y Exactly. 108 00:05:40.920 --> 00:05:44.240 It builds this detailed profile of the victim machine, and 109 00:05:44.319 --> 00:05:47.600 knowing that level of detail, it lets attackers tailor their 110 00:05:47.639 --> 00:05:49.319 exploits with surgical precision. 111 00:05:49.439 --> 00:05:53.000 Okay, and then there's getting past the front door authentication 112 00:05:53.399 --> 00:05:55.639 use your name's passwords. 113 00:05:55.160 --> 00:05:57.839 The usual suspects. But the real insight here is in 114 00:05:57.879 --> 00:06:00.120 password hashing. You know how passwords are. 115 00:06:00.079 --> 00:06:02.560 Stored, right, You don't store the actual password hopefully not. 116 00:06:02.680 --> 00:06:05.720 But the older methods like M five or SAHA one, 117 00:06:06.319 --> 00:06:10.560 they were considered secure once, now their liabilities. They're just 118 00:06:10.600 --> 00:06:15.120 too fast. Modern graphics cards GPUs can crunch through billions 119 00:06:15.120 --> 00:06:18.160 of MD five or SAHA one hashes per second using 120 00:06:18.199 --> 00:06:20.040 things like Rainbow tables. 121 00:06:20.000 --> 00:06:23.800 Billions, so they can basically reverse engineer passwords. 122 00:06:23.319 --> 00:06:27.240 Effectively, yes, for simpler passwords or ones found in previous breaches. 123 00:06:27.240 --> 00:06:31.120 That's why the current standard b crypt is so interesting. 124 00:06:31.160 --> 00:06:32.560 It's like a counter evolution. 125 00:06:32.839 --> 00:06:33.600 How is it better? 126 00:06:33.879 --> 00:06:38.199 It's intentionally slow, It uses a unique salt for each password, hash, 127 00:06:38.560 --> 00:06:42.240 forces multiple rounds of computation, and it's designed to resist 128 00:06:42.319 --> 00:06:44.079 GPU acceleration, so. 129 00:06:44.079 --> 00:06:46.480 It dramatically slows down those brute force. 130 00:06:46.319 --> 00:06:51.040 Attempts exactly buys valuable time. But even with b crypt, 131 00:06:51.079 --> 00:06:55.279 weaknesses persist. The biggest one today probably credential stuffing. 132 00:06:55.480 --> 00:06:59.040 That's where attackers use login details leaked from other website breaches. 133 00:06:59.079 --> 00:07:02.439 Precisely, they just take massive lists of known user named 134 00:07:02.439 --> 00:07:05.879 password pairs and try them everywhere. People reuse passwords. 135 00:07:05.439 --> 00:07:07.360 Right, guilty is charged. Sometimes we all are. 136 00:07:07.560 --> 00:07:10.240 Combine that with clever, brute force and dictionary attacks often 137 00:07:10.240 --> 00:07:13.319 informed by information gathered during reconnaissance. 138 00:07:12.800 --> 00:07:15.439 And weak or reuse passwords become a huge. 139 00:07:15.240 --> 00:07:19.120 Risk, absolutely huge, which is why strong unique passwords and 140 00:07:19.199 --> 00:07:22.680 multi factor authentication MFA are just non negotiable. 141 00:07:22.680 --> 00:07:26.240 Now your own password habits the security of the services 142 00:07:26.279 --> 00:07:29.920 you use, it's all constantly being tested constantly. Okay, let's 143 00:07:29.920 --> 00:07:35.439 shift to some really insidious stuff, injecting malicious code into 144 00:07:35.519 --> 00:07:40.920 legitimate website functions, tuning the site against itself, like cross 145 00:07:40.920 --> 00:07:44.480 site scripting xss ah xss. 146 00:07:45.199 --> 00:07:48.000 Yeah, we hear the term a lot, but the danger 147 00:07:48.079 --> 00:07:51.920 is its versatility. How so, imagine visiting a site you trust, 148 00:07:52.279 --> 00:07:57.319 completely legitimate site, but unknown to you, there's a hidden bit. 149 00:07:57.199 --> 00:07:59.439 Of JavaScript running, and what can that script to. 150 00:08:00.040 --> 00:08:02.160 Sorts of things? It could steal your session. 151 00:08:01.800 --> 00:08:04.040 Cookies, letting an attacker log in as. 152 00:08:04.000 --> 00:08:08.600 Me YEP, or fingerprint your browser for future attacks, redirect 153 00:08:08.600 --> 00:08:11.360 you to a perfect replica fishing site, even install a 154 00:08:11.399 --> 00:08:12.839 key lugger right there in your browser. 155 00:08:12.920 --> 00:08:16.839 Whoa, It leverages the browser's trust in the website itself exactly. 156 00:08:17.199 --> 00:08:20.279 Your browser becomes the attack vector. And there are variations 157 00:08:20.319 --> 00:08:23.680 like STOREDXSS store for the malicious script gets permanently saved 158 00:08:23.680 --> 00:08:25.480 on the site, maybe in a comment section or a 159 00:08:25.600 --> 00:08:26.720 user profile. 160 00:08:26.399 --> 00:08:28.519 So in effect everyone who visits that page. 161 00:08:28.279 --> 00:08:31.920 Later right, making it really hard to detect. Sometimes then 162 00:08:31.959 --> 00:08:36.240 there's command execution. Okay, this is where an attacker piggybacks 163 00:08:36.320 --> 00:08:40.360 on legitimate server commands. Say a website has a tool 164 00:08:40.559 --> 00:08:43.720 to let you ping an IP address to check connectivity. 165 00:08:43.879 --> 00:08:45.600 Yeah, I've seen those network tools pages. 166 00:08:45.759 --> 00:08:48.639 An attacker might enter something like ten point zero point 167 00:08:48.720 --> 00:08:51.039 two and in cat et cetera, pass. 168 00:08:50.919 --> 00:08:53.519 Route uh oh be an end means, and then do 169 00:08:53.600 --> 00:08:54.480 this exactly. 170 00:08:54.919 --> 00:08:58.720 The server pings the address dutifully. Then it executes the 171 00:08:58.720 --> 00:09:02.559 second command et cetera a password, which typically lists system users. 172 00:09:02.720 --> 00:09:05.320 So they've just opened a back door to the service operating. 173 00:09:04.960 --> 00:09:10.559 System potentially yes. And then the infamous SEQL injection squeala the. 174 00:09:10.559 --> 00:09:13.039 Classic manipulating database queries. 175 00:09:13.240 --> 00:09:15.279 We know, the basic idea like using r R one 176 00:09:15.240 --> 00:09:17.960 one one tack to bypass a log in, but modern 177 00:09:18.000 --> 00:09:22.200 seagly gets much more sophisticated, especially blind SQL injection. 178 00:09:22.080 --> 00:09:25.240 Blind meaning they don't get direct error messages. 179 00:09:24.759 --> 00:09:28.399 Back right, there's no obvious sign it worked. Instead, attackers 180 00:09:28.440 --> 00:09:31.639 infer the database structure or extract data bit by bit 181 00:09:31.840 --> 00:09:34.080 by watching for tiny differences. 182 00:09:33.559 --> 00:09:34.879 Like how long a page takes to. 183 00:09:34.840 --> 00:09:39.320 Load exactly, or using database functions like sleep to introduce 184 00:09:39.399 --> 00:09:42.759 measurable delays based on whether a condition is true or false. 185 00:09:43.240 --> 00:09:45.720 It's slow, meticulous. 186 00:09:45.120 --> 00:09:46.639 But automated tools can handle that. 187 00:09:46.759 --> 00:09:49.840 Oh yeah, tools like sql map can automate this process 188 00:09:49.879 --> 00:09:51.440 with devastating efficiency. 189 00:09:51.679 --> 00:09:54.440 So the defense against all this input validation. 190 00:09:54.879 --> 00:09:59.919 Rigorous input validation is key and crucially using parameterized queries 191 00:10:00.080 --> 00:10:03.120 or prepared statements for database interactions. 192 00:10:02.480 --> 00:10:06.039 That separates the user input from the actual SQL command completely. 193 00:10:06.200 --> 00:10:10.080 It treats the input as data only, never as executable code. 194 00:10:10.399 --> 00:10:14.919 Plus limiting web server user permissions the principle of least privilege. 195 00:10:14.960 --> 00:10:17.320 These aren't just theoretical risks, are they. This is how 196 00:10:17.360 --> 00:10:18.639 major data breaches. 197 00:10:18.320 --> 00:10:22.120 Happen very often. Yes, these vulnerabilities are constantly being exploited 198 00:10:22.159 --> 00:10:24.960 in the wild, affecting your online security directly. 199 00:10:25.279 --> 00:10:27.919 Okay, building on that, let's talk about how web applications 200 00:10:27.919 --> 00:10:30.720 handle files inclusion and upload features. 201 00:10:30.799 --> 00:10:34.600 Right, web apps often include common files, headers, footers, men 202 00:10:34.720 --> 00:10:36.240 used to avoid repeating code. 203 00:10:36.519 --> 00:10:39.279 Seems efficient, but attackers can exploit this. 204 00:10:39.879 --> 00:10:44.519 Yes, through local file inclusion or LFI. They trick the 205 00:10:44.600 --> 00:10:47.360 web app into including a file it wasn't supposed to, 206 00:10:47.519 --> 00:10:50.080 but one that exists locally on the server, like. 207 00:10:50.039 --> 00:10:52.720 It's senturpassed you again to see system users. 208 00:10:52.840 --> 00:10:55.559 That's a common proof of concept, but it can get 209 00:10:55.679 --> 00:11:00.000 much worse. This can escalate using techniques like PHP wrappers. 210 00:11:00.279 --> 00:11:03.480 These are special protocols like PHP dot filter that can 211 00:11:03.519 --> 00:11:06.399 allow an attacker not just to read arbitrary files, but 212 00:11:06.440 --> 00:11:08.480 potentially to execute code within them. 213 00:11:08.600 --> 00:11:11.399 Execute code so full server control. 214 00:11:11.159 --> 00:11:15.080 Potentially leading to something like a interpreter session, basically an 215 00:11:15.120 --> 00:11:18.759 advanced remote access toolkit giving deep control over the machine. 216 00:11:18.840 --> 00:11:21.000 Wow, and that's just local file inclusion. 217 00:11:21.080 --> 00:11:24.519 Then there's remote file inclusion RFI even more dangerous. 218 00:11:24.679 --> 00:11:26.320 Why more dangerous. 219 00:11:26.000 --> 00:11:29.519 Because it allows the web application to include and execute 220 00:11:29.559 --> 00:11:33.000 a file from an external server, an attackers server. 221 00:11:32.879 --> 00:11:34.720 So they can just point it to their own malicious 222 00:11:34.759 --> 00:11:36.200 script like shell dot. 223 00:11:36.080 --> 00:11:39.159 Php Exactly, it pulls that script from their server and 224 00:11:39.240 --> 00:11:41.840 runs it on the victim server bypasses a lot of 225 00:11:41.879 --> 00:11:42.720 local defenses. 226 00:11:42.919 --> 00:11:47.240 That sounds incredibly risky. What about file uploads like profile pictures. 227 00:11:47.559 --> 00:11:51.159 Yeah, another seemingly innocent future. If we connect this to 228 00:11:51.200 --> 00:11:54.519 the bigger picture, that photo upload can become a direct 229 00:11:54.639 --> 00:11:55.639 route to compromise. 230 00:11:56.200 --> 00:11:58.759 How don't sites check the file type? 231 00:11:58.879 --> 00:12:02.159 They try? But it attackers can often bypass simple checks. 232 00:12:02.320 --> 00:12:04.320 For example, a site might just look at the content 233 00:12:04.360 --> 00:12:07.000 type header sent by the browser, like image peg. Would 234 00:12:07.080 --> 00:12:10.200 you be faked easily? So the attacker uploads a file 235 00:12:10.240 --> 00:12:12.720 that claims to be a jpeg, but it actually contains 236 00:12:12.879 --> 00:12:15.720 malicious PHP code a webshell and. 237 00:12:15.679 --> 00:12:18.720 If the upload folder allows code execution, dingo. 238 00:12:19.000 --> 00:12:21.960 The attacker now has a persistent backdoor. They can browse 239 00:12:21.960 --> 00:12:24.679 to that uploaded file and it executes their commands on 240 00:12:24.720 --> 00:12:25.080 the server. 241 00:12:25.240 --> 00:12:26.679 So defenses here need to be. 242 00:12:26.720 --> 00:12:31.919 Robust, absolutely strict whitelisting of allowed files and directories for inclusion, 243 00:12:32.360 --> 00:12:35.639 exhaustive validation of uploads, checking the actual file content, not 244 00:12:35.720 --> 00:12:40.080 just metadata, and critically disabling code execution in upload folders. 245 00:12:40.200 --> 00:12:43.080 That's huge, plus limiting web server permissions. 246 00:12:42.639 --> 00:12:47.000 Again always least privilege vital for protecting data on dynamic 247 00:12:47.039 --> 00:12:47.879 sites Okay. 248 00:12:47.679 --> 00:12:51.360 Let's shift gears a bit away from pure code towards 249 00:12:51.399 --> 00:12:53.480 the human element social engineering. 250 00:12:53.720 --> 00:12:57.159 The human factor often the weakest link, right. 251 00:12:57.240 --> 00:12:59.919 Seems like it. Phishing is the classic example. 252 00:13:00.080 --> 00:13:02.440 Yeah, and it's more than just a dodgy email. It's 253 00:13:02.519 --> 00:13:07.720 psychological manipulation, urgent calls to action, fear tactics. 254 00:13:07.320 --> 00:13:10.120 Leading to fake login pages that look identical to the. 255 00:13:10.080 --> 00:13:14.320 Real thing, meticulously crafted replicas. You enter your username and 256 00:13:14.360 --> 00:13:16.879 password and boom, they've got your credentials. 257 00:13:17.080 --> 00:13:19.600 But even scarier is spearfishing. 258 00:13:19.000 --> 00:13:23.440 Right, Oh, definitely highly targeted. They use info gathered during reconnaissance, 259 00:13:23.519 --> 00:13:27.360 your company, your job title, maybe names of colleagues. 260 00:13:27.000 --> 00:13:29.639 To make the email incredibly convincing and personal. 261 00:13:29.759 --> 00:13:31.519 Exactly it looks like it came from someone you know 262 00:13:31.559 --> 00:13:34.559 about something relevant to you. The success rate is alarming, 263 00:13:34.639 --> 00:13:37.080 like ninety one percent reported in some studies. 264 00:13:37.159 --> 00:13:39.639 Ninety one percent. That's staggering, it really is. 265 00:13:39.799 --> 00:13:42.679 And deception extends to domain names too, type. 266 00:13:42.440 --> 00:13:46.679 Of squadding, registering commonnesspellings like Google dot com instead of 267 00:13:46.720 --> 00:13:47.840 Google dot com. 268 00:13:47.720 --> 00:13:51.080 Or different extensions example dot org instead of dot com, 269 00:13:51.320 --> 00:13:54.120 catching people who make a small typo clever and even 270 00:13:54.159 --> 00:13:58.639 more subtle homograph attacks homograph using characters from different alphabets 271 00:13:58.639 --> 00:14:01.960 that look identical, like a cyrillic A and a latina. 272 00:14:02.320 --> 00:14:05.480 So the domain looks exactly right, but it's actually completely 273 00:14:05.559 --> 00:14:06.600 different precisely. 274 00:14:06.759 --> 00:14:10.279 You glance at it looks legit, you click. Thankfully, modern 275 00:14:10.320 --> 00:14:13.080 browsers have gotten better at detecting this. They convert these 276 00:14:13.120 --> 00:14:15.720 domains into something called poony code, which. 277 00:14:15.559 --> 00:14:19.240 Makes them look obviously different, like XM something exactly. 278 00:14:19.399 --> 00:14:23.080 It exposes the trick, but vigilance is still key. 279 00:14:23.320 --> 00:14:28.480 So defense is about skepticism, checking domains carefully looking for 280 00:14:28.519 --> 00:14:29.159 that lock. 281 00:14:29.240 --> 00:14:33.759 Icon, healthy skepticism, yes, meticulously checking domain names and the 282 00:14:33.799 --> 00:14:37.000 legitimacy of the SSL certificate that greenlock needs to belong 283 00:14:37.039 --> 00:14:40.799 to the actual site. Plus good anti malware helps, but 284 00:14:40.919 --> 00:14:43.639 really your awareness is the first best defense. 285 00:14:43.759 --> 00:14:46.879 Absolutely okay. So what happens if an attack does succeed? 286 00:14:47.320 --> 00:14:49.360 What are the next steps for the attacker and how 287 00:14:49.399 --> 00:14:50.519 could defenders detect it? 288 00:14:50.639 --> 00:14:53.399 Well? Sophisticated attackers try to cover their tracks, but they 289 00:14:53.399 --> 00:14:55.480 often leave traces of an attack, and they usually want 290 00:14:55.559 --> 00:14:56.840 to establish persistence. 291 00:14:56.919 --> 00:14:59.960 Okay, traces first, like server locks exactly. 292 00:15:00.200 --> 00:15:03.559 Apache web server logs for example, often in varlogapatches to 293 00:15:03.639 --> 00:15:08.320 access dot log. They record every single HTTP request. 294 00:15:08.039 --> 00:15:10.080 A gold mine for forensics can. 295 00:15:09.879 --> 00:15:13.799 Be Admins can hunt for suspicious patterns keywords like union 296 00:15:14.000 --> 00:15:17.320 suggesting schoolly a MS, or unusual requests for files that 297 00:15:17.320 --> 00:15:18.279 shouldn't be accessed. 298 00:15:18.440 --> 00:15:20.919 Are there tools to help sift through massive logs? 299 00:15:21.039 --> 00:15:25.000 Oh? Yeah, Tools like SCALP or Anathema can automate log analysis. 300 00:15:25.120 --> 00:15:28.279 Looking for known attack signatures or anomalies makes it much 301 00:15:28.279 --> 00:15:29.919 more manageable and persistence. 302 00:15:30.279 --> 00:15:32.399 How do attacker stay in once they're in? 303 00:15:32.440 --> 00:15:35.159 A very common way is deploying webshells. 304 00:15:34.799 --> 00:15:36.960 Those malicious scripts uploaded earlier. 305 00:15:36.759 --> 00:15:40.240 Often yes, or they might inject one through another vulnerability. 306 00:15:40.639 --> 00:15:44.360 These shells are left behind specifically for persistent access and control, 307 00:15:44.679 --> 00:15:46.679 not usually part of the initial breach. 308 00:15:46.440 --> 00:15:48.919 Itself, and they try to hide these shells. 309 00:15:48.519 --> 00:15:52.320 Definitely using evasion techniques. They might inject the shell's commands 310 00:15:52.399 --> 00:15:56.159 via HTTP headers, which might bypass some intrusion detection systems 311 00:15:56.360 --> 00:15:58.639 or not show up as obviously in standard logs NIKI, 312 00:15:58.879 --> 00:16:01.600 or they use off fuse skates encoding the shells code 313 00:16:01.679 --> 00:16:04.679 using Base sixty four, g zip, maybe RT thirteen or 314 00:16:04.840 --> 00:16:06.120 HX encoding. 315 00:16:05.960 --> 00:16:10.120 Making it unreadable to simple scanners. Looking for keywords exactly. 316 00:16:10.440 --> 00:16:12.360 Just looks like random junk unless you know how to 317 00:16:12.399 --> 00:16:12.960 decode it. 318 00:16:13.279 --> 00:16:16.960 Beyond server side shells. What about attacking visitors to the site. 319 00:16:17.000 --> 00:16:23.039 That's client code injection. Attackers modify existing client side files html, CSS, 320 00:16:23.159 --> 00:16:25.000 JavaScript on the compromise. 321 00:16:24.600 --> 00:16:26.360 Server, injecting their own JavaScript. 322 00:16:26.440 --> 00:16:29.879 Right, so now anyone visiting the compromise site runs the 323 00:16:29.960 --> 00:16:32.080 attackers script in their browser. 324 00:16:32.279 --> 00:16:33.240 What could that script do? 325 00:16:33.639 --> 00:16:38.440 Lots of things, Silently use the visitor's CPU to mine cryptocurrency, 326 00:16:38.600 --> 00:16:41.960 crypto jacking, yep or read, direct them to phishing pages, 327 00:16:42.000 --> 00:16:45.240 steel form data. And sometimes the motive isn't complex. It's 328 00:16:45.320 --> 00:16:48.080 just vandalism, deface. 329 00:16:48.039 --> 00:16:51.000 Changing the website's appearance, putting up their own. 330 00:16:50.840 --> 00:16:55.039 Message exactly, often by modifying the main index dot HTML file. 331 00:16:55.360 --> 00:16:58.360 Less about data theft, more about making a statement, however crude. 332 00:16:58.399 --> 00:17:01.519 So defending against this post breach activity. 333 00:17:01.240 --> 00:17:05.519 It's multi layered. Regular proactive log analysis is crucial, disabling 334 00:17:05.519 --> 00:17:08.599 code execution and upload folders, as we said, strict user 335 00:17:08.640 --> 00:17:11.880 permissions and specialized tools that check file integrity or scan 336 00:17:11.960 --> 00:17:13.440 code for suspicious functions. 337 00:17:13.799 --> 00:17:16.759 Understanding these signs helps identify and clean up a breach. 338 00:17:17.039 --> 00:17:18.319 Essential for incident response. 339 00:17:18.400 --> 00:17:22.680 Absolutely, Okay, we've covered a lot of ground recon injection files, 340 00:17:22.759 --> 00:17:25.880 social engineering, post breach. Let's touch on the tools of 341 00:17:25.920 --> 00:17:28.400 the trade, but maybe with a word of caution. 342 00:17:28.759 --> 00:17:32.160 Definitely a word of caution needed. There are automated tools 343 00:17:32.440 --> 00:17:37.839 web application security scanners WASS like Vega, Arachne nikto two. 344 00:17:37.960 --> 00:17:41.240 They can help find potential vulnerabilities. 345 00:17:40.480 --> 00:17:41.880 And frameworks like OPENVS. 346 00:17:42.000 --> 00:17:46.400 Yeah, OPENVS and others offer more structured penetration testing capabilities. 347 00:17:47.039 --> 00:17:50.240 But here's the crucial thing, the big takeaway, don't. 348 00:17:50.000 --> 00:17:51.640 Just run the tool and think you're done. 349 00:17:51.720 --> 00:17:55.240 Exactly For anyone listening, especially if you're learning, just launching 350 00:17:55.279 --> 00:17:57.319 a scanner is kind of useless if you can't interpret 351 00:17:57.400 --> 00:18:00.359 the results. Can you tell a false positive from a 352 00:18:00.400 --> 00:18:03.640 real threat? Do you actually understand the vulnerability it found? 353 00:18:03.880 --> 00:18:06.319 So the tool is only as good as the user's understanding. 354 00:18:06.480 --> 00:18:10.400 Precisely, my advice focus on understanding the how and the why. 355 00:18:10.400 --> 00:18:14.079 First learn the principles. The tools are powerful extensions of 356 00:18:14.119 --> 00:18:15.839 that knowledge, not a replacement for it. 357 00:18:16.039 --> 00:18:20.839 Good advice, and maybe avoid crack software versions of these tools. 358 00:18:20.480 --> 00:18:24.839 Oh absolutely please. They're almost always outdated, won't find the 359 00:18:24.920 --> 00:18:30.079 latest vulnerabilities, and very often they're bundled with malware themselves, 360 00:18:30.200 --> 00:18:31.480 you end up hacking yourself. 361 00:18:31.880 --> 00:18:34.759 Right. So even if you never use these tools, just 362 00:18:34.880 --> 00:18:38.519 knowing they exist and how they work deepens your understanding 363 00:18:38.559 --> 00:18:39.799 of the whole security picture. 364 00:18:40.119 --> 00:18:42.200 Incredibly valuable perspective for anyone. 365 00:18:42.279 --> 00:18:46.160 Yeah, So, wrapping this up, we've really peeled back the 366 00:18:46.240 --> 00:18:47.359 layers today we have. 367 00:18:47.640 --> 00:18:51.640 It highlights the immense complexity, right, and the constant rapid 368 00:18:51.640 --> 00:18:53.480 evolution in IT security. 369 00:18:53.680 --> 00:18:56.440 It really reinforces that core message from the start. 370 00:18:56.599 --> 00:18:59.519 Yeah, that no single book, no single course, no tool 371 00:18:59.720 --> 00:19:03.079 makes you a guru. Here. It's about continuous study, getting 372 00:19:03.079 --> 00:19:05.440 your hands dirty, staying curious. 373 00:19:05.000 --> 00:19:11.200 Connecting the dots. Web security isn't just code. It's programming, logic, os, details, networking, 374 00:19:11.440 --> 00:19:12.400 even psychology. 375 00:19:12.480 --> 00:19:15.400 It touches everything, which leave us with a thought. Maybe 376 00:19:15.400 --> 00:19:18.480 for you listening in this world where tech changes daily, 377 00:19:18.920 --> 00:19:22.160 often opening new security gaps faster than we can close 378 00:19:22.200 --> 00:19:25.359 the old ones, how will you use your own curiosity 379 00:19:25.960 --> 00:19:29.400 to stay informed, to adapt, maybe even to help make 380 00:19:29.440 --> 00:19:31.880 our shared digital world a bit more resilient. 381 00:19:32.160 --> 00:19:35.599 That's a great question to ponder. What an incredible journey 382 00:19:35.680 --> 00:19:39.640 through these hidden complexities from that hacker ethos of curiosity 383 00:19:40.160 --> 00:19:44.200 to the ingenious attack vectors and the equally clever defenses. 384 00:19:44.480 --> 00:19:46.799 Hopefully it gives a new appreciation for what's going on 385 00:19:46.920 --> 00:19:47.839 under the hood of the web. 386 00:19:47.960 --> 00:19:50.759 Absolutely, we hope this deep diet has armed you with 387 00:19:50.839 --> 00:19:53.119 some valuable, actionable insights. 388 00:19:53.400 --> 00:19:56.880 Remember, knowledge really is your best asset here. Keep learning, 389 00:19:57.079 --> 00:19:58.640 keep asking questions, keep. 390 00:19:58.480 --> 00:20:01.240 Exploring, because the only cons than this change right. 391 00:20:01.200 --> 00:20:04.440 And the pursuit of understanding is truly endless in this field. 392 00:20:04.680 --> 00:20:07.359 Couldn't agree more. That's all for this deep dive. Thanks 393 00:20:07.400 --> 00:20:09.680 so much for joining us. Thank you, and we look 394 00:20:09.720 --> 00:20:12.440 forward to next time we unpack something truly fascinating together