WEBVTT 1 00:00:00.040 --> 00:00:02.080 What if you could get paid to break things, I 2 00:00:02.120 --> 00:00:07.080 mean legally and ethically find hidden weaknesses in the digital 3 00:00:07.200 --> 00:00:09.439 armor of some really big tech companies. 4 00:00:09.519 --> 00:00:11.960 Yeah, it sounds a bit counterintuitive, doesn't it. Yeah, but 5 00:00:12.000 --> 00:00:12.720 it's a real thing. 6 00:00:12.919 --> 00:00:16.719 We're diving into, well, a pretty fascinating field today where 7 00:00:16.760 --> 00:00:19.879 curiosity meets critical thinking and you know, the payout can 8 00:00:19.920 --> 00:00:21.199 actually be quite impressive. 9 00:00:21.359 --> 00:00:23.960 It's true. We're talking about the world of web security 10 00:00:24.079 --> 00:00:29.120 and bug bounty hunting. It's a really crucial front line 11 00:00:29.359 --> 00:00:32.200 in protecting well, pretty much everything we do online now. 12 00:00:32.280 --> 00:00:35.119 Absolutely, so today we're doing a deep dive into bug 13 00:00:35.159 --> 00:00:38.600 bounty hunting for web security. Our mission really is to 14 00:00:38.640 --> 00:00:43.079 cut through the jargon, understand the core ideas, the clever 15 00:00:43.159 --> 00:00:46.679 techniques and the essential tools that let security pros find 16 00:00:46.679 --> 00:00:48.920 these vulnerabilities in web apps, right. 17 00:00:48.759 --> 00:00:51.960 And how they help prevent malicious attacks and yeah, sometimes 18 00:00:52.039 --> 00:00:53.920 even or in a nice bounty for doing it. 19 00:00:54.039 --> 00:00:57.200 And this deep dive it pulls insights from a pretty 20 00:00:57.200 --> 00:01:00.439 comprehensive guide, right, an experts view on the let's say, 21 00:01:00.840 --> 00:01:03.240 offensive side of bug hunting exactly. 22 00:01:03.280 --> 00:01:06.879 We're going to unpack how ethical hackers think, what specific 23 00:01:06.879 --> 00:01:11.239 weaknesses they target, and the frankly powerful tools they use 24 00:01:11.239 --> 00:01:13.560 in this constant sort of digital chess match. 25 00:01:13.760 --> 00:01:16.400 Okay, let's get into it then. So the big question first, 26 00:01:16.680 --> 00:01:20.400 why why would someone actually dedicate their time to hunting 27 00:01:20.439 --> 00:01:22.640 for bugs? What's the real pull? 28 00:01:23.079 --> 00:01:26.480 Well, there are a few pretty strong motivations actually. First, 29 00:01:26.599 --> 00:01:29.239 it just makes you a better security professional, plain and simple. 30 00:01:29.480 --> 00:01:32.319 If you understand how attackers operate, you get way better 31 00:01:32.359 --> 00:01:32.879 at defending. 32 00:01:33.000 --> 00:01:35.000 That makes sense, know your enemy kind. 33 00:01:34.799 --> 00:01:39.760 Of thing precisely. Second, there's well a huge element of recognition, 34 00:01:40.000 --> 00:01:43.599 you know, respect within the cybersecurity community. Finding a critical 35 00:01:43.640 --> 00:01:46.840 bug in a major platform that really builds your credibility fast. 36 00:01:47.000 --> 00:01:49.120 And the money you mentioned bounties. 37 00:01:48.879 --> 00:01:52.239 Oh yeah, and of course the financial side can be significant. 38 00:01:52.280 --> 00:01:56.439 It's definitely not uncommon for top hunters to earn substantial 39 00:01:56.480 --> 00:01:59.640 sums for finding really high impact vulnerabilities. 40 00:02:00.239 --> 00:02:03.920 That's a key point. It's not some niche hobby anymore. 41 00:02:04.400 --> 00:02:09.280 Big names like Google, Facebook, Twitter, they aren't just putting 42 00:02:09.360 --> 00:02:12.319 up with this, They're actively encouraging it with their own 43 00:02:12.599 --> 00:02:13.840 bug bounty programs. 44 00:02:14.039 --> 00:02:16.759 Right, It's become a standard practice. It's a win win really. 45 00:02:17.159 --> 00:02:21.120 They get their security strengthened and skilled people get rewarded 46 00:02:21.400 --> 00:02:22.439 for finding the flaws. 47 00:02:22.599 --> 00:02:25.639 What's really interesting, though, is the ethical angle. The guide 48 00:02:26.159 --> 00:02:27.319 is clear on this, isn't it? 49 00:02:27.360 --> 00:02:31.759 Oh, absolutely crystal clear. You're learning these attacking techniques quote 50 00:02:31.840 --> 00:02:35.840 unquote specifically for defense. You're essentially becoming a white hat 51 00:02:35.840 --> 00:02:39.120 hacker or maybe a penetration tester to find those flaws 52 00:02:39.240 --> 00:02:41.759 before the h the actual bad guys do. 53 00:02:41.960 --> 00:02:44.360 So the knowledge is like a shield, not a weapon, 54 00:02:44.479 --> 00:02:45.759 for causing trouble. 55 00:02:45.560 --> 00:02:47.759 Exactly, never from malpractice. 56 00:02:47.159 --> 00:02:49.759 Which naturally brings up the legal side. There's a very 57 00:02:49.759 --> 00:02:51.599 bright line here. You just cannot cross. 58 00:02:51.680 --> 00:02:55.000 Cannot stress this enough. You must never ever attack systems 59 00:02:55.080 --> 00:02:58.759 without the owner's explicit permission. Seriously, this is an. 60 00:02:58.680 --> 00:03:02.000 Optional and the consequence if you do they can be severe. 61 00:03:02.159 --> 00:03:04.520 It's against the law in many places, and it could 62 00:03:04.560 --> 00:03:08.599 easily end a potential career before he even gets off the ground. 63 00:03:08.639 --> 00:03:09.280 Just don't do it. 64 00:03:09.319 --> 00:03:12.680 Okay. So for someone starting out thinking this sounds interesting, 65 00:03:13.240 --> 00:03:16.000 how do they get that permission? How do they stay legal? 66 00:03:16.719 --> 00:03:21.400 The advice is pretty straightforward. Register with established bug bounty platforms, 67 00:03:21.879 --> 00:03:25.639 you know places like bug crowd Hacker, one, Cobalt, there's 68 00:03:25.680 --> 00:03:28.719 even the Japan bug bounty program Anti hack. 69 00:03:28.919 --> 00:03:31.240 These platforms provide the framework. 70 00:03:31.319 --> 00:03:34.479 Yeah, they act as the intermediary, They provide the legal sandbox. 71 00:03:34.560 --> 00:03:37.080 The rules of engagement are clear, so you know you're 72 00:03:37.080 --> 00:03:38.879 operating within legitimate boundaries. 73 00:03:38.919 --> 00:03:43.159 Got it. But finding these exploits, it's not like just 74 00:03:43.240 --> 00:03:45.800 running a quick scan is it sounds like it takes 75 00:03:45.960 --> 00:03:47.080 some serious effort. 76 00:03:47.120 --> 00:03:49.919 Oh. Absolutely, there's a steep learning curve involved, no doubt. 77 00:03:49.960 --> 00:03:53.199 You need a pretty deep understanding of how web applications 78 00:03:53.240 --> 00:03:57.000 are built, the HGTP protocol itself, different encoding schemes, all 79 00:03:57.039 --> 00:03:58.479 the different types of attacks out there. 80 00:03:58.479 --> 00:04:01.360 So it's less about just knowing the it's much. 81 00:04:01.159 --> 00:04:04.879 More about understanding the underlying logic. You know how the 82 00:04:04.919 --> 00:04:08.159 web actually works and where those fundamental building blocks can 83 00:04:08.199 --> 00:04:10.039 be well twisted or subverted. 84 00:04:10.280 --> 00:04:12.840 Okay, so if you had to boil it down, what 85 00:04:13.039 --> 00:04:15.360 is a bug bounty hunter? A simple definition? 86 00:04:15.479 --> 00:04:18.519 Sure, At its core, a bug bounty hunter is an 87 00:04:18.560 --> 00:04:22.279 ethical hacker who gets paid to find vulnerabilities in software 88 00:04:22.279 --> 00:04:26.279 and websites. Simple as that, really, but pretty powerful. 89 00:04:26.399 --> 00:04:29.800 That's a great summary. Now, Okay, someone's intrigued, they're thinking 90 00:04:29.800 --> 00:04:33.040 about trying this, But you can't just start poking around 91 00:04:33.079 --> 00:04:36.519 on say Google's live servers. Right, you need a safe space. 92 00:04:37.120 --> 00:04:40.360 Why is setting up a virtual lab so vital for beginners? 93 00:04:40.639 --> 00:04:44.680 It's absolutely crucial paramount even because it lets you practice 94 00:04:44.759 --> 00:04:48.439 using all these hacking tools legally and more importantly, safely 95 00:04:48.879 --> 00:04:50.199 on your own system. 96 00:04:49.959 --> 00:04:52.199 Like a digital sandbox exactly like that. 97 00:04:52.319 --> 00:04:55.639 Think of it as a controlled test chamber. If some 98 00:04:55.720 --> 00:04:58.079 malicious code gets loose, or maybe a tool doesn't behave 99 00:04:58.120 --> 00:05:01.439 as expected, it's all contained with in that simulated environment. 100 00:05:01.480 --> 00:05:03.000 It won't trash your main computer. 101 00:05:03.240 --> 00:05:05.759 Ah okay, so it protects your actual machine. 102 00:05:05.959 --> 00:05:09.879 Right, it's your personal risk free playground. You can just experiment, 103 00:05:09.959 --> 00:05:12.720 try everything that comes into your head without worrying about 104 00:05:12.759 --> 00:05:16.639 breaking anything important or accidentally attacking someone else. 105 00:05:16.920 --> 00:05:19.399 Makes perfect sense, like a crash test dummy for your 106 00:05:19.439 --> 00:05:23.680 digital experiments. So what tools and setups do you recommend 107 00:05:23.759 --> 00:05:25.560 for building this virtual lab? 108 00:05:26.120 --> 00:05:30.000 For beginners? Virtual Box is usually the top recommendation. It's 109 00:05:30.040 --> 00:05:33.079 super versatile because it runs on pretty much any operating 110 00:05:33.079 --> 00:05:36.040 system Windows, Linux, Mac OS, so. 111 00:05:36.000 --> 00:05:37.040 It works wherever you are. 112 00:05:37.199 --> 00:05:40.199 Yeah, it's compatibility and relative ease of use make it 113 00:05:40.240 --> 00:05:42.839 a really good starting point for setting up a security lab. 114 00:05:43.120 --> 00:05:45.759 And once you have virtual Box running, what os should 115 00:05:45.759 --> 00:05:48.240 you install inside it for this kind of work. 116 00:05:48.480 --> 00:05:50.879 Colie Linux is definitely the go to choice for most 117 00:05:50.920 --> 00:05:52.399 people starting in ethical hacking. 118 00:05:52.600 --> 00:05:55.240 Why Collie specifically because. 119 00:05:54.839 --> 00:05:58.120 It comes preloaded with just a massive suite of essential 120 00:05:58.160 --> 00:06:01.319 security tools, hundreds of them. It just streamlines the setup 121 00:06:01.360 --> 00:06:04.399 process incredibly. You basically get a hacker's toolkit ready to 122 00:06:04.399 --> 00:06:06.079 go right out of the virtual box. 123 00:06:06.240 --> 00:06:09.920 Okay, that's convenient. So we've got Collie running inside virtual box. 124 00:06:10.639 --> 00:06:14.079 What are the first few core tools someone would likely 125 00:06:14.120 --> 00:06:16.720 start using to actually hunt for vulnerabilities. 126 00:06:17.240 --> 00:06:20.439 Well, you'll quickly become familiar with tools like burp suite 127 00:06:21.000 --> 00:06:25.480 and wasp bz ABP. These are what we call interception proxies. 128 00:06:25.600 --> 00:06:27.439 Interception proxies. How do they work? 129 00:06:27.720 --> 00:06:32.959 Imagine like a control tower for your web traffic. Every 130 00:06:33.040 --> 00:06:36.240 single piece of information your browser sends to a website 131 00:06:36.600 --> 00:06:39.199 or receives back passes through this tool. 132 00:06:38.959 --> 00:06:41.279 First, so you can see everything exactly. 133 00:06:41.560 --> 00:06:44.279 They capture all the traffic from the web application you're targeting, 134 00:06:44.680 --> 00:06:48.480 just less you inspect it, analyze it, even modify requests 135 00:06:48.519 --> 00:06:51.040 before they hit the server or responses before they reach 136 00:06:51.079 --> 00:06:52.000 your browser. 137 00:06:51.680 --> 00:06:53.920 Like being a man in the middle, but for ethical reasons. 138 00:06:53.959 --> 00:06:57.399 Precisely give you incredible control and visibility. But it's also 139 00:06:57.439 --> 00:07:00.240 really important to remember relying on just one tool that's 140 00:07:00.279 --> 00:07:02.360 usually a bad idea in this field. Why is that 141 00:07:02.720 --> 00:07:07.720 because no single tool catches everything. Different tools have different strengths, 142 00:07:07.920 --> 00:07:11.120 different ways of looking at things, So having a diverse 143 00:07:11.160 --> 00:07:15.959 toolkit is always always better for doing comprehensive testing. You'll 144 00:07:15.959 --> 00:07:17.240 miss things otherwise, right. 145 00:07:17.160 --> 00:07:19.600 So it's not about one magic bullet tool, but building 146 00:07:19.600 --> 00:07:22.360 an arsenal. And where do you practice with these tools 147 00:07:22.360 --> 00:07:24.279 if you can't just point them at live websites? 148 00:07:24.399 --> 00:07:27.720 Ah, that's where applications like webgoat come in. It's deliberately 149 00:07:27.800 --> 00:07:30.720 designed to be insecure, built to be broken pretty much. 150 00:07:31.000 --> 00:07:34.600 It's made by OAS, the Open Web Application Security Project, 151 00:07:35.040 --> 00:07:38.680 specifically for learning and testing common web app vulnerabilities. You 152 00:07:38.759 --> 00:07:41.079 run it locally, usually on your own machine, at an 153 00:07:41.079 --> 00:07:44.560 address like http dot localhost dot a zero a zero web. 154 00:07:44.360 --> 00:07:47.120 Gooat, and because it's local and designed for testing, you. 155 00:07:47.040 --> 00:07:49.399 Can experiment as much as you want, try all sorts 156 00:07:49.439 --> 00:07:52.399 of attacks without any legal risk whatsoever. It's the perfect 157 00:07:52.399 --> 00:07:53.040 training ground. 158 00:07:53.439 --> 00:07:57.800 Are there other Linux distributions besides Collie that ethical hackers 159 00:07:57.839 --> 00:07:59.839 sometimes use? Maybe for more specialized. 160 00:08:00.600 --> 00:08:03.279 Oh sure, Kalli is the most popular, but there are others. 161 00:08:03.639 --> 00:08:07.040 Black Arts, linuxes well a behemoth. It boasts something like 162 00:08:07.079 --> 00:08:09.360 over nineteen hundred tools pre installed. 163 00:08:09.480 --> 00:08:09.839 Wow. 164 00:08:10.000 --> 00:08:13.759 Yeah. Then for users who want extreme security through isolation, 165 00:08:13.959 --> 00:08:19.360 there's quebsos. It compartmentalizes everything into separate, isolated virtual machines. Interesting, 166 00:08:19.480 --> 00:08:21.480 and you also have things like in pre doos which 167 00:08:21.560 --> 00:08:25.040 uses the anonymous IP network and hunix, which leverages the 168 00:08:25.079 --> 00:08:28.279 tour network for you know, enhance privacy and anonymity. Each 169 00:08:28.279 --> 00:08:29.079 has its niche. 170 00:08:29.240 --> 00:08:32.679 Okay, so we've covered the why and the how to 171 00:08:32.759 --> 00:08:35.639 set up our ethical hacking playground. Now for the really 172 00:08:35.720 --> 00:08:40.240 juicy stuff, let's dive into some specific web vulnerabilities. Often 173 00:08:40.320 --> 00:08:43.000 ethical hackers start by looking for subtle tricks, right like 174 00:08:43.279 --> 00:08:45.639 cross site requests forgery or CSRF. 175 00:08:45.679 --> 00:08:48.399 What exactly is that CSRF? Yeah, often pronounced sea surf. 176 00:08:48.960 --> 00:08:51.200 It's an attack where a malicious request gets sent from 177 00:08:51.200 --> 00:08:53.840 a user's browser without them even knowing it or intending it. 178 00:08:53.960 --> 00:08:56.159 How does that work? How can my browser send something 179 00:08:56.159 --> 00:08:57.000 I didn't ask it to? 180 00:08:57.320 --> 00:09:01.159 Think of it like this? Your already logged into your bank, 181 00:09:01.840 --> 00:09:05.879 right your browser has a valid session cookie. The attacker 182 00:09:05.919 --> 00:09:08.960 tricks your browser into submitting another request to your bank, 183 00:09:09.080 --> 00:09:12.519 say to transfer money, leveraging that existing logged in session. 184 00:09:13.039 --> 00:09:16.000 Your browser just does what it's told, thinking the request 185 00:09:16.039 --> 00:09:17.559 is legitimate because. 186 00:09:17.519 --> 00:09:20.320 While you're logged in, so the users logged in, everything 187 00:09:20.360 --> 00:09:24.519 seems normal. How does the attacker actually trigger that unwanted request? 188 00:09:24.679 --> 00:09:27.360 They can create a seemingly harmless web page, maybe with 189 00:09:27.440 --> 00:09:29.759 just an image or a link on it. Hidden on 190 00:09:29.799 --> 00:09:32.759 that page is an HTML form. When your browser lows 191 00:09:32.799 --> 00:09:35.600 that page, maybe even just the hidden image pixel, some 192 00:09:35.720 --> 00:09:39.200 JavaScript in the background like document dot form zero dot submit, 193 00:09:39.720 --> 00:09:41.399 automatically submits that hit en form. 194 00:09:41.519 --> 00:09:44.360 And because my browser is already logged into the vulnerable. 195 00:09:43.919 --> 00:09:47.519 Site exactly, that malicious request often just sails right through 196 00:09:47.559 --> 00:09:50.879 the defenses because it includes your valid session cookies, the 197 00:09:50.919 --> 00:09:51.919 server thinks you sent it. 198 00:09:52.080 --> 00:09:55.240 Wow, So it's less about injecting bad code and more 199 00:09:55.240 --> 00:09:58.039 about tricking the browser into being an unwitting accomplice. 200 00:09:58.440 --> 00:10:00.799 That's a great way to put it. Bloids the trust 201 00:10:00.879 --> 00:10:03.679 between a user's browser and the site they're logged into. 202 00:10:04.000 --> 00:10:07.399 So how do developers stop this? What's the key defense 203 00:10:07.440 --> 00:10:08.360 against CSRF? 204 00:10:08.759 --> 00:10:12.360 The core defense is using CSRF tokens for every action 205 00:10:12.440 --> 00:10:15.440 the user takes that changes something like changing a password 206 00:10:15.519 --> 00:10:19.679 or sending money, the server should require a secret, unique, 207 00:10:19.960 --> 00:10:23.440 unpredictable token to be submitted along with the request, and 208 00:10:23.480 --> 00:10:26.799 this token proves it proves that the request really originated 209 00:10:26.799 --> 00:10:30.159 from the legitimate user interface on the site itself and 210 00:10:30.240 --> 00:10:33.240 not from some malicious third party page. Yeah, credit for 211 00:10:33.399 --> 00:10:36.120 is a request. If the token is missing or invalid, 212 00:10:36.320 --> 00:10:37.840 the server just rejects the action. 213 00:10:38.200 --> 00:10:42.679 Fascinating. Okay, Next up, cross site scripting XSS. This one 214 00:10:42.679 --> 00:10:44.840 feels like it's been around forever, but it's still a 215 00:10:45.000 --> 00:10:45.919 huge problem, right. 216 00:10:45.919 --> 00:10:50.080 Oh, absolutely, EXSS is still incredibly common. It involves injecting 217 00:10:50.120 --> 00:10:53.639 malicious browser site scripts, usually it's JavaScript, into a web application. 218 00:10:53.799 --> 00:10:55.080 How does that injection happen? 219 00:10:55.399 --> 00:10:59.639 Typically it's because user input fields aren't properly sanitized or validated. 220 00:11:00.320 --> 00:11:02.320 Think about a comment section on a blog or a 221 00:11:02.360 --> 00:11:06.960 search bar. If I can type something like scriptrol create 222 00:11:07.120 --> 00:11:09.600 been hacked script into that field and. 223 00:11:09.559 --> 00:11:12.879 The website just displays it as raw HTML. 224 00:11:12.480 --> 00:11:17.039 Exactly, then every single user who views that page or 225 00:11:17.080 --> 00:11:20.679 maybe sees that search result will have my malicious script 226 00:11:20.799 --> 00:11:24.399 run in their browser within the context of the trusted website. 227 00:11:24.679 --> 00:11:27.440 So attackers are basically probing every place a user can 228 00:11:27.440 --> 00:11:30.519 type something in looking for a spot where raw HTML 229 00:11:30.600 --> 00:11:32.159 or jobscript might slip through. 230 00:11:32.000 --> 00:11:34.679 The cracks precisely. And the reason it's so hard to 231 00:11:34.679 --> 00:11:38.759 prevent entirely, especially on huge complex applications like say Google 232 00:11:38.840 --> 00:11:42.080 or Facebook, is just the sheer scale. You have thousands 233 00:11:42.120 --> 00:11:45.639 of developers, millions of lines of code ensuring every single 234 00:11:45.639 --> 00:11:49.120 input fuel everywhere perfectly strips out every potentially harmful tag 235 00:11:49.200 --> 00:11:51.080 or script. It's a monumental challenge. 236 00:11:51.159 --> 00:11:54.120 Just one little oversight can open a huge door. 237 00:11:53.879 --> 00:11:56.720 A massive door. That's why EXSS remains one of the 238 00:11:56.759 --> 00:11:59.120 most prevalent vulnerabilities found by bug hunters. 239 00:11:59.279 --> 00:12:02.360 So the core insight here isn't just about the script itself, 240 00:12:02.440 --> 00:12:06.000 is it. It's about how absolutely critical every single point 241 00:12:06.039 --> 00:12:10.919 of user input becomes. A tiny mistake can compromise potentially 242 00:12:11.039 --> 00:12:12.320 everyone using the site. 243 00:12:12.360 --> 00:12:14.759 That's exactly it. The impact can be widespread. 244 00:12:14.960 --> 00:12:17.919 How would a hacker approach finding EXSS in a safe 245 00:12:18.000 --> 00:12:21.120 test environment like one of those deliberately vulnerable. 246 00:12:20.600 --> 00:12:25.000 Apps, Well, using something like o WASP, Broken Web Application 247 00:12:25.399 --> 00:12:29.759 or BWPP. You'd start by systematically trying to inject simple 248 00:12:29.879 --> 00:12:33.120 jobscript snippets into various input fields. You know, like that 249 00:12:33.279 --> 00:12:36.120 basic alert Hello, this is reflected XSS. 250 00:12:36.399 --> 00:12:38.320 Payload, just to see if anything executes. 251 00:12:38.399 --> 00:12:40.120 Yeah, just to see if you get that pop up box. 252 00:12:40.519 --> 00:12:43.679 And tools like burp suite and o wasp ZAPPI are 253 00:12:43.759 --> 00:12:47.639 indispensable here. Zapip, for instance, is really helpful because it 254 00:12:47.639 --> 00:12:51.240 doesn't just flag potential vulnerabilities with those colored alerts red 255 00:12:51.240 --> 00:12:53.879 for high risk, orange for medium, yellow for low. 256 00:12:54.000 --> 00:12:54.919 It tells you how to fix it. 257 00:12:54.960 --> 00:12:58.519 Too often, yes, it'll suggest concrete solutions, like maybe adding 258 00:12:58.519 --> 00:13:01.759 the x frame options ny header to prevent certain types 259 00:13:01.759 --> 00:13:03.720 of attacks like clickjacking, which is related. 260 00:13:03.960 --> 00:13:05.960 So z adp gives you a bit of a roadmap 261 00:13:05.960 --> 00:13:07.879 for both finding and fixing the issue. 262 00:13:08.080 --> 00:13:12.200 It definitely can and for more systematic testing, maybe trying 263 00:13:12.240 --> 00:13:16.080 lots of different EXSS variations. Burp Suite's intruder tool is 264 00:13:16.120 --> 00:13:18.679 incredibly powerful. You can feed it a whole list of 265 00:13:18.759 --> 00:13:22.279 known EXSS payloads and just automate the process of sending 266 00:13:22.320 --> 00:13:25.320 them to various input fields looking for responses that indicate 267 00:13:25.360 --> 00:13:27.279 your script actually executed successfully. 268 00:13:27.360 --> 00:13:30.679 Okay, let's switch gears to header injection and URL redirection. 269 00:13:31.440 --> 00:13:34.600 What's the basic weakness here what allows this kind of attack? 270 00:13:34.960 --> 00:13:38.600 This vulnerability pops up when an application takes user input, 271 00:13:38.759 --> 00:13:41.519 maybe from a URL parameter, and uses it directly to 272 00:13:41.639 --> 00:13:45.279 decide where to redirect the user's browser without properly checking 273 00:13:45.360 --> 00:13:46.799 or validating that input first. 274 00:13:46.960 --> 00:13:49.480 So instead of sending you to a safe fixed. 275 00:13:49.120 --> 00:13:53.080 Location right, instead of having SAFECode like header location dot https, 276 00:13:53.120 --> 00:13:56.799 do wwwang dot site hard coded, the vulnerable code might 277 00:13:56.799 --> 00:13:59.679 look more like response dot send, redirect, request dot get parameter, 278 00:13:59.799 --> 00:14:03.759 or just blindly trust whatever URL the user or attacker 279 00:14:03.840 --> 00:14:05.360 provides in that parameter, and. 280 00:14:05.240 --> 00:14:07.799 That opens the door to what's the main risk for 281 00:14:07.879 --> 00:14:08.320 the user. 282 00:14:08.679 --> 00:14:12.879 The biggest risk is usually very convincing phishing attacks. An 283 00:14:12.919 --> 00:14:15.720 attacker can craft a special URL that looks like it 284 00:14:15.759 --> 00:14:18.720 belongs to the legitimate website, but when you click it, 285 00:14:19.039 --> 00:14:22.919 that vulnerable redirect parameter sends your browser seamlessly to a 286 00:14:22.960 --> 00:14:26.639 malicious site designed to steal your credentials or drop malware. 287 00:14:27.080 --> 00:14:30.279 Because it came from the trusted site initially, the user 288 00:14:30.360 --> 00:14:32.360 might not notice the switch exactly. 289 00:14:32.759 --> 00:14:35.480 It makes the fish much harder to spot. It really 290 00:14:35.519 --> 00:14:37.679 exploits that user trust in the original domain. 291 00:14:38.200 --> 00:14:42.600 So how do ethical hackers track down these hidden potentially 292 00:14:42.720 --> 00:14:43.879 malicious redirects. 293 00:14:44.080 --> 00:14:47.919 Again, Bripsweet's proxy and spider tools are key. As you 294 00:14:48.000 --> 00:14:50.720 browse the target application, you're keeping an eye out for 295 00:14:50.720 --> 00:14:53.600 any HTTP responses that come back with a three xx 296 00:14:53.639 --> 00:14:56.799 status code that three to one means a redirect is happening. 297 00:14:56.960 --> 00:14:59.720 And once you spot a three xx redirect, then you. 298 00:14:59.600 --> 00:15:02.720 Take that request over to Burp's repeater tool. There you 299 00:15:02.720 --> 00:15:05.080 can manually tamper with the parameter that seems to be 300 00:15:05.080 --> 00:15:08.240 controlling the redirect destination. If you can change it to 301 00:15:08.320 --> 00:15:10.960 point to an external site you control, and the browser 302 00:15:11.000 --> 00:15:14.480 successfully redirects there, you've confirmed the vulnerability, and. 303 00:15:14.440 --> 00:15:16.879 If you find one, what's the fix you'd recommend? 304 00:15:17.080 --> 00:15:19.840 Well, the best fix is usually to just avoid using 305 00:15:19.960 --> 00:15:24.320 user controlled data in redirection logical together if possible. If 306 00:15:24.360 --> 00:15:27.720 a redirect is necessary based on input, then use direct 307 00:15:27.840 --> 00:15:32.000 hard coded links mapped to save values, or maintain a 308 00:15:32.120 --> 00:15:35.600 very strict server side whitelist of allowed destination ur else. 309 00:15:35.759 --> 00:15:37.440 Whitelisting sounds safer. 310 00:15:37.480 --> 00:15:41.480 Definitely and absolutely crucial. Any user input that might influence 311 00:15:41.480 --> 00:15:45.080 a redirect destination must be strongly validated. Check that it 312 00:15:45.120 --> 00:15:48.240 starts with an expected trusted prefix like http dot your 313 00:15:48.279 --> 00:15:50.879 site dot com and doesn't contain characters that could trick 314 00:15:50.919 --> 00:15:51.399 the browser. 315 00:15:51.639 --> 00:15:55.519 Okay, next up a real classic malicious file uploads. What's 316 00:15:55.559 --> 00:15:58.440 the immediate danger if an attacker can successfully upload a 317 00:15:58.440 --> 00:15:59.000 bad file? 318 00:15:59.279 --> 00:16:02.200 Oh, the danger is huge. If an attacker can upload 319 00:16:02.200 --> 00:16:05.360 a malicious file, especially something like a PHP script or 320 00:16:05.399 --> 00:16:07.519 another executable file type, and then get the server to 321 00:16:07.559 --> 00:16:09.919 run it, that can give them a significant foothold on 322 00:16:09.960 --> 00:16:12.200 the system, leading to what It could lead to them 323 00:16:12.200 --> 00:16:15.320 completely owning the system, as they say, getting full control, 324 00:16:15.679 --> 00:16:18.360 or at the very least, maybe defacing the website changing 325 00:16:18.360 --> 00:16:21.600 its content. It's basically a form of remote code execution. 326 00:16:22.200 --> 00:16:25.200 You're potentially letting the attacker run their own programs directly 327 00:16:25.200 --> 00:16:25.840 on your server. 328 00:16:26.120 --> 00:16:29.960 Yikes. How does a poorly secured file upload form look 329 00:16:30.080 --> 00:16:31.200 compared to a safe one? 330 00:16:31.279 --> 00:16:34.000 An insecure one might be just a basic HTML form 331 00:16:34.080 --> 00:16:39.080 form action upload, PHP method, posting type, multipart from data, 332 00:16:39.519 --> 00:16:41.879 maybe with little or no checking happening on the server side. 333 00:16:41.919 --> 00:16:44.399 It just sort of trusts whatever file the user sends. 334 00:16:44.159 --> 00:16:45.320 It as a secure one. 335 00:16:45.440 --> 00:16:48.440 A secure site implements robust validation on the server after 336 00:16:48.480 --> 00:16:51.320 the file arrives. It would check the file extension sure, 337 00:16:51.519 --> 00:16:53.679 But more importantly, it would check the actual file type 338 00:16:53.679 --> 00:16:56.399 based on its content, not just the name. Maybe scan 339 00:16:56.519 --> 00:16:59.080 it from malware and sure it matches an allowed list 340 00:16:59.080 --> 00:17:02.879 of types like only accepting JPEGs or PDFs, and reject 341 00:17:03.000 --> 00:17:06.240 anything suspicious, especially executable scripts like PHP. 342 00:17:06.640 --> 00:17:09.400 So how would an attacker try to bypass these checks? 343 00:17:09.400 --> 00:17:11.759 In a test lab like DVWA. 344 00:17:12.119 --> 00:17:15.839 They often rely on tricks and misconfigurations. For example, you 345 00:17:15.920 --> 00:17:19.519 might try uploading a malicious PHP file containing commands like 346 00:17:19.640 --> 00:17:24.200 slixick elsli to list files or mk to hacker to 347 00:17:24.240 --> 00:17:25.039 create a directory. 348 00:17:25.160 --> 00:17:27.720 But the server might block dot php files. 349 00:17:27.880 --> 00:17:30.240 Right, so if the server only checks the last part 350 00:17:30.240 --> 00:17:32.440 of the file name, you might try naming your file 351 00:17:32.559 --> 00:17:36.839 something like shell dot php dot jpg. You hope the 352 00:17:36.839 --> 00:17:39.759 server sees dot jpg and allows it, but maybe later 353 00:17:39.839 --> 00:17:42.480 another part of the system interprets it as dot php 354 00:17:42.759 --> 00:17:44.119 and executes it clever. 355 00:17:44.359 --> 00:17:44.839 What else? 356 00:17:45.119 --> 00:17:47.960 You'd also use burp Suite's repeater tool to modify the 357 00:17:48.000 --> 00:17:50.559 request on the fly. You can change the content type 358 00:17:50.599 --> 00:17:53.519 heater that the browser sends, maybe setting it to image jpg. 359 00:17:53.599 --> 00:17:55.839 Even though you're uploading PHP code. You're trying to fool 360 00:17:55.880 --> 00:17:58.880 the server side validation logic and if it works. If 361 00:17:58.880 --> 00:18:02.400 it works, you might send see visible changes like website defacement, 362 00:18:02.680 --> 00:18:04.680 or maybe you can navigate to a new directory like 363 00:18:04.759 --> 00:18:08.599 hacker that your malicious script created that confirms your code executed. 364 00:18:09.079 --> 00:18:11.079 It's definitely a game of cat mouse with the servers 365 00:18:11.160 --> 00:18:11.920 validation rules. 366 00:18:12.160 --> 00:18:16.640 Okay, let's shift slightly towards email security poisoning Sender Policy 367 00:18:16.680 --> 00:18:20.400 Framework or SBF. Most of us just send and receive 368 00:18:20.440 --> 00:18:23.960 emails without thinking much about this. What does SBF actually do? 369 00:18:24.640 --> 00:18:28.440 SBF is a technical standard for email authentication. Its main 370 00:18:28.559 --> 00:18:31.680 job is to help protect both email senders and recipients 371 00:18:31.799 --> 00:18:34.960 from spam, from email spoofing where someone pretends to be 372 00:18:35.000 --> 00:18:37.160 someone else, and from phishing attacks. 373 00:18:37.200 --> 00:18:38.000 How does it do that? 374 00:18:38.400 --> 00:18:42.039 It works by allowing a domain owner, like say, your company, 375 00:18:42.359 --> 00:18:44.960 to publish a list of mail servers that are authorized 376 00:18:44.960 --> 00:18:47.920 to send email on behalf of that domain. When an 377 00:18:47.960 --> 00:18:51.519 email arrives, the receiving server checks the sender's IP address 378 00:18:51.839 --> 00:18:54.640 against this published SBF record for the domain. 379 00:18:54.440 --> 00:18:56.559 Sort of like a bouncer checking an ID against a 380 00:18:56.599 --> 00:18:57.119 guest list. 381 00:18:57.200 --> 00:18:59.880 That's a great analogy. Yeah, if the sending server isn't 382 00:18:59.880 --> 00:19:02.960 all list, the receiving server can be suspicious and might 383 00:19:03.000 --> 00:19:05.759 mark the email as spam or even rejected outright. 384 00:19:05.880 --> 00:19:08.839 Why do we need this extra layer? Doesn't basic email 385 00:19:08.920 --> 00:19:09.839 handle authentication? 386 00:19:10.240 --> 00:19:14.519 That's good question. The fundamental email protocol SMTP is actually 387 00:19:14.599 --> 00:19:19.440 quite old and well surprisingly trusting. It doesn't have strong 388 00:19:19.480 --> 00:19:23.000 authentication built in. It's relatively easy for someone to forge 389 00:19:23.000 --> 00:19:24.440 the from address on an email. 390 00:19:24.480 --> 00:19:26.680 So SPF plugs that gap exactly. 391 00:19:26.920 --> 00:19:29.480 It adds a much needed layer of verification on top 392 00:19:29.559 --> 00:19:31.279 of the basic SMTP process. 393 00:19:31.359 --> 00:19:34.680 Okay, so it's important, but does it have limitations? And 394 00:19:34.720 --> 00:19:36.559 I hear about DMRC too, what's that about. 395 00:19:36.880 --> 00:19:40.319 Yes, SPF definitely has limitations. Yeah. One major one is 396 00:19:40.319 --> 00:19:43.480 that it doesn't actually validate the frumheader the address the 397 00:19:43.480 --> 00:19:46.839 recipient ces and their email client. It checks the envelope from, 398 00:19:47.039 --> 00:19:49.119 which is used more for routing behind the scenes. 399 00:19:49.359 --> 00:19:51.920 Ah, so it might not stop spoofing of the visible 400 00:19:51.960 --> 00:19:53.000 address correct. 401 00:19:53.279 --> 00:19:56.759