[00:00:00] Welcome back. In this video, I want to talk about the vulnerability called CSRF, also known as cross-site request forgery. Now, this is something that you might remember from the scanning section of the course, where we used nmap to discover vulnerabilities. On one of our targets, we got a response that a possible CSRF vulnerability was there. Well, the time has come to finally see what this vulnerability is. Many people think that this is something similar to or the same as XSS, or cross-site scripting, but that is not the case. In cross-site request forgery, the attacker makes the authenticated user execute something that they didn't want to execute. A CSRF attack can be used to exploit any web function that only needs one request inside of the authenticated session, in case the security applied isn't sufficient. Some of the things that you can do with cross-site request forgery would be something like changing details about a specific user, like email addresses, when they were born, and so on. You can also perform fake banking transactions, or add items to buy on a certain page. But this is not something that we can accomplish easily. For this attack, we need a victim that has an active, authenticated session inside of the website, and they will also have to visit the link that we crafted in order for this to work.
[00:01:36] Now, let's take a look at a simple example of how to do this on our DVWA page. So start your Metasploitable and visit the page, as usual. We want to go to the DVWA, and we can log in right here. But remember that we did the injection: we no longer have to log in as the admin user. We can log in as any other user from the data that we extracted with our SQL injection. If you remember, we had the user called Gordon, who had the username gordonb, and his password was abc123. If you remember, we got his MD5 hash, then we pasted it inside of Google, and we got that his hash was equivalent to the string abc123. So we can log in as Gordon, and we can see down here: "You have logged in as gordonb". Now, let's set the security to low. And let's navigate to CSRF right here. So we can see the vulnerability, cross-site request forgery, and the application requires us to change our admin password, so we got a new password and confirm new password. What we can do is we can, for example, type password123 and confirm the password to be password123. If I click on Change, it says password changed, and let's see whether it indeed got changed.
[00:03:07] So if I log in as admin and then the password. Remember that before it was just "password"; now it is "password123". If I log in, well, now it works. We successfully changed the password, but how can we use this to exploit it? Well, if I right-click and go to View page source, there will be a vulnerable part of code inside of this page, and that part of code will be the form where we submit the new password. If we scroll all the way down, here is the part of the code that is vulnerable. We got the form where we can submit the new password, where we can also reconfirm the new password, and you will notice that this is under the vulnerable code area. So what we can do with our CSRF is we can copy this vulnerable form where we submit the username and password, and we are going to create our small HTML page that we are going to host on our Apache2 web server. And you're going to see in just a second why we do it. So open a terminal, and I will navigate to the directory of our web server. And if you remember, that is /var/www/html. Now, since we can't write files right here as a regular user, let us enter the root account. If I type ls, we got our test file from before; we can remove it, we no longer need it here. And once you got this directory clear and empty, let us now create a csrf.html file. Let's call it like that.
[00:04:43] Now, feel free to call it anything that you want. Just make sure that you have the .html extension on this file. Now that we opened it, we can paste the code that we copied from the page, and you will notice it is the form where we change our password. Now, there are a few things that we want to change right here. For example, this action: we want to change it to the page link where we change our password on our DVWA, and that page link is this link right here. Let's copy it and paste it right here. What this action simply refers to is, once we change the password, it will redirect us to whatever page is inside of this action field. So it will just redirect us back to this page right here. Let's copy this and paste it. Now that we got the page right here, there are two more things that we need to add in order for this attack to work, and that is inside of these input fields. So we got the name of the field, which is password_new; I believe it is this field right here. And the second field is confirm new password, which is this field right here, password_conf. We want to automatically add a value to those fields, and in this case, that value will be the new password. So what we can do is we can type a space right after the field name, and we can type value equals, open double quotes, and in between the double quotes we can type the new password.
[00:06:14] Let's say the new password is "hacked". We must do that for the second field as well. So value equals, open double quotes, and then hacked. Now you will notice, once we visit this page, that in that case the fields will already be completed. They will have this "hacked" value inside of both of these fields. Let's give it a try. I save this with Ctrl+O, and I start my Apache web server by typing service apache2 start. All we need to do right now is visit our localhost and the csrf.html file, which is the only file inside of our Apache2 web server directory. So we got this right here, and this is the link that we would want to send to our victim. Now, I know it doesn't look nearly as good as this page right here, but let's just give it a try to see if it works, if we did everything correctly. Once we click on this Change button on our local csrf file, we will successfully change the password of the admin account on this page. So we send this to the target. The target clicks on Change. And we get redirected to our Metasploitable DVWA CSRF page, and it says password changed. Let's see whether it indeed got changed. Remember, we typed the value of hacked, and now if I go right here and type admin and hacked.
[00:07:50] Well, it worked. We logged in with the new password that someone typed in while visiting our page on our localhost. But if you noticed, on this page we only copied the form, and if we were to use just the form code on our Apache2 server like we are doing right now, it would look suspicious, because if we take a look at this page and this page, they don't look nearly the same. So how can we make it look the same? Well, the first thing that we must do is we must go right here, right-click, View page source, and we must copy the entire HTML code and not just the form. So what you can do is you can select the page, type Ctrl+A, it will select all the code inside of this file, and we can copy it. Then we can go to our Apache web directory, and we can remove the csrf file, and we can nano a new one. Here we will paste the entire code. And remember that we must do the same thing that we did inside the vulnerable form, so find the form code, and here we want to put the link to our page, which is this link once again. Copied, pasted right here. We also want to add the value to our password fields. We can change the password right now back to "password", just so we put it back as it was, and now that we did this, we can save this.
[00:09:26] And if I go and visit the page once again, or I just reload this page, well, it looks a little bit better, but it is still not the same page. We're missing some decoration that this page has. And if you have some experience in web development, you will know that we are missing the CSS file. So what we can do to add the CSS file is we can go to the page source of our page that we got open, and we can navigate to the CSS file. So just search for any file that ends with .css. And if I go up here, here is one of them, and it is called main.css, and by looking at this page, it seems that this is the only CSS file that this page has. So let's click on that. And here is the CSS code that we also must save in the same directory as our HTML file. So let's select everything. Copy this. And let's go back to our web directory right here, we are going to nano main.css, and let's just paste all of this code. Now that we have the CSS code right here, we can save this, but it will still not work if we don't change the location inside of our code. Because if you take a look right here,
[00:10:47] where we add the file, it is still the location on our Metasploitable machine, and since we have it in the same directory as our HTML file on our Apache2 web server, what we can do is we can just remove the entire path and leave just the name of the file, because they're both located in the same directory. So we can just leave it like this. Then we can save this, and now if we refresh our localhost page, well, now it looks the same. Just this page isn't zoomed in, so what we can do is we can zoom this in, and they look exactly the same. So the password for this, remember, right now is just "password". And if we click on Change, it will redirect us to the real page, and it will say the password has changed. Let's give it a try once again and see whether it indeed got changed. I would just go to my DVWA page, log out, and type admin and then password. And we did it again, just this time we made our page look exactly the same, as we can see right here. Great. This is the CSRF attack, or cross-site request forgery attack. As you can see, it requires the victim to open our page, otherwise this will not work, but if you manage to trick them by making the page look identical, then this attack will work, and you will successfully change that password.
[00:12:23] Now, this can be performed on other stuff and not just the password fields, as we mentioned. You can use this to change emails, to change dates, and many other things as well. Now that we covered this, in the next video we're going to cover the brute force attack, and we're going to see how we can perform the brute force attack in two different ways. So thank you for watching, and I will see you in the next lecture. Bye.