So let's talk about the most important feature of Zap. Of course, it's scanning. We've already seen the quick scan feature of Zap, so now let's have a look at scanning with Zap in depth.

First, I want to scan Damn Vulnerable Web Application, DVWA, without a valid user or session. So to start a new session, from the File menu select New Session. In Firefox, while port 8080 of localhost is selected as the proxy, visit the OWASP BWA website, click the Damn Vulnerable Web Application link, and go back to the Zap window.

So here a subfolder for DVWA is created, as we expected. Right click the folder, and in the Attack submenu select Spider to crawl the application.

And there it is, spidering is finished in almost milliseconds. But as you know, DVWA allows you to visit only the login page if you haven't logged into the application. So Zap can only crawl the login page and some images and cascading style sheets, and that's about it.

So if you start the active scan in this situation, all the attack modules will run on the login page only, so you can only find out the vulnerabilities of the login page. So sure, the attack is completed in under a second, but only because a single page has been scanned. So when you look at the Alerts tab, you can only see a few medium and low alerts.
But we know that the application is Damn Vulnerable and there are a lot of high severity vulnerabilities. So what we have to do is create a valid user or session so that we are able to scan more.

So let's start over. Exit and rerun Zap for a brand new start. Now go to the browser, configure the proxy as port 8080 of localhost, and visit the DVWA application. I log into the application using the admin/admin credentials and visit a few pages on the app. Then go back to the Zap window.

Here is a subfolder for DVWA: the login page and the visited pages. Did you recognize the yellow flags next to the pages and folders? Remember, Zap runs the passive scan all the time you use it, so it's running now and reporting the findings. Look at the Alerts tab.

So before creating a new context, it's better to talk about the contexts of Zap. Contexts are a way of relating a set of URLs together, so you can define any context you like, but it's expected that a context will correspond to a web application. So it's recommended that you define a new context for each web application that makes up the system you are testing, and set them in scope as you test each one. Now, right click the DVWA subfolder, and from the Include in Context submenu
select Default Context to add the application into the default context. The Session Properties panel opens. By clicking the root node of the default context, you can change the name of the context to an appropriate one. Click OK to close the Session Properties panel for now. So as you see, the DVWA subfolder and the files in it are marked with a red sign.

You can open the Session Properties panel at any time using the button in the menu bar. Let's click the button to open the panel again. Here we have some details of the context. For example, click the Session Management option: here is the currently selected session management method for that context. In the Authentication option we're supposed to select the authentication method. The authentication method of DVWA is form based authentication. So I leave it with the default values for now and click OK to close the panel again.

Now find the login request on the left side. You see the parameters in the parentheses. Right click on it, and under the Flag as Context submenu select the Form-based Auth Login Request option. The Session Properties panel appears, and as you see, the authentication method is selected as form based authentication and the configuration fields, such as the login form target URL, are filled in automatically. Well done, Zap.
Here we should select the correct parameters: the username parameter for the username and the password parameter for the password. Click OK to close the panel. Now reopen the Session Properties panel. So do you see that the login request POST data is prepared to be able to use it with different username and password pairs? But before closing the panel, let's enter one or more valid credentials of the application.

So select the Users option under the context node. The admin credential is already collected by Zap. So once again, well done. Click the box to enable it. Click Add to add another credential. Give it a name, enter the username and password values, and click Add. So now two credentials are added and enabled.

Just under the Users option there's another option, Forced User. You can select a user here which will be used for all the requests made for this context, but only if the forced user mode is enabled. Click OK and close the panel. So looking back at the menu bar, there's a button to enable forced user mode. It's disabled by default, but click the button to enable the forced user mode. Now let's go to the Session Properties panel once again and select the Authentication option.
There are two other options at the bottom of the page. While crawling or active scanning, Zap will try every single link and field, and during these tries it will probably log out of the application. In these cases, Zap should understand the logout and then log in again to the application to be able to keep going. So that means we have to teach Zap when it's logged in or not. And for this purpose, we should find something which can only be seen in the private pages, and by that I mean the pages you can only access if you're logged in.

So close the panel, find a page which is accessible only if you're logged in, for instance index.php. Go to the Response tab and look at the body. Select a part of the body. This part looks good, so select the pattern, right click, and from the Flag as Context submenu select Authentication Logged-in Indicator. So the Session Properties panel appears again, and this time the regex pattern identified in logged in response messages is filled in with our selection. So close the panel, now we're ready to attack the app.

Select the DVWA subfolder and right click on it. There are several options under the Attack menu. Of course, we should spider it first.
So when the Spider panel opens, select the user; the context is already selected. Click the Start Scan button to start the spidering phase. And spidering is finished in seconds. So now we have some alerts in the Alerts tab, which have been collected by the passive scan module of Zap, and we have some new pages in the left hand side of the app tree. Here there's a subfolder named Vulnerabilities, and there are more pages inside the folder.

So go to the History tab. We see a lot of consecutive authentication attempts. It seems that something went wrong, but never give up. One of the most important things in penetration testing is being patient. You'll encounter a lot of different problems in a test and you should fix them or find other ways. So let's have a look. We may have made mistakes when assigning the input values: login URL, logged in pattern or credentials. Let's go back and look at the application tree again. Oh, wait a second. Are these requests to change a password?

While crawling the application, Zap tries the ZAP word in every field. Unfortunately, in the DVWA application there are a few pages to change the password, and these pages only ask for the new password and the confirmation of the new password. They should have asked for the current password.
But, you know, this is a Damn Vulnerable application. So the password change attempt looks unsuccessful on the CAPTCHA page, because it also needs the CAPTCHA to be validated. And when we look at the request for the CSRF page, we see that Zap sends the ZAP word for both the new password and the confirmation of the new password. So it seems like a valid password change request. So now let's look at the body of the response. Here is the "Password Changed" message. It looks like Zap has changed the password of the admin user accidentally.

Well, is it true? Did the password of the admin user really change? So I go back to the browser, log out of the app and try to log in again using the admin/admin credential. Nope, no chance. Just as we guessed, Zap has changed the password. So let's try to log in with the ZAP password. And to show you the password I enter, I'll use a small trick. Right click on the password field, select Inspect Element, and change the type of the field to text. Now enter ZAP into the password field and click Login. Yup, the password of the admin user is ZAP. So how about a little summary?
What the heck happened during the spidering phase? On the CSRF page, Zap filled in the fields with the ZAP keyword. There are two input fields on the CSRF page, the new password and the confirmation of the new password. Since they are the same, it was a valid password changing request when Zap clicked Submit on the page. The password of the current user, admin, has changed. When Zap logged out of the app, for example by clicking the logout link, it tried to log in again. But because the password is no longer admin, it failed to re-login, and that was the end of the spidering phase for authorized pages.

So a huge warning comes in here. If you're testing a real application, you're always a potential threat to change or delete some important values. You have to be very careful. And beyond that, you should exclude the critical pages from the automatic scans.

So let's reset the database of DVWA so that the password of the admin user will be admin again. Click the Setup button and then click the Create / Reset Database button to recreate the database tables of the DVWA application with the default values. Now the password of the admin user is admin again. So log out of the app and re-login using the admin/admin values.
So to avoid the password changes in the next phases, I'll exclude the page which changes the password. So find the CSRF page, right click on it, and in the Exclude from submenu select Scanner. The URL is added to the exclude from scanner list. So the scanner module will not visit this CSRF page and will not change the password. So now we're ready for the active scan phase.

Right click the DVWA subfolder, and from the Attack submenu select the Active Scan option. This time in the Active Scan panel, select the user which will be used during the scan; the context is already selected. Click Start Scan and let the show begin.

So that scan took longer than an hour, and depending on the network speed and the size of the application, this scan may take several hours. So go to the Alerts tab; you see the vulnerabilities found. And as expected, there are several high severity vulnerabilities, such as path traversal, SQL injection and XSS, but don't worry, we'll see them in detail.

Let's first analyze the path traversal alert. As we said before, automated tools generate some false positives, so we should verify the findings to see if the vulnerability really exists. The request used to find the path traversal vulnerability is a GET request; here is the payload.
Now it seems Zap tried to reach the passwd file under the /etc folder. Let's look at the response by clicking the Response tab. And there you see, the body of the response contains the content of the passwd file, and here are the users of the system which hosts the DVWA application.

So if you double click an alert in the Alerts tab, you see the details of the finding. Here there's a long description of the vulnerability, and here is a solution. And these are the references to learn more about path traversal, and this is the attack parameter. It's called payload. This is the evidence of the finding found in the response body.
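The whole authenticated-scan setup from this lesson (context, form-based auth with the prepared login POST data, logged-in indicator, users, forced user, exclusion of the password-changing page, spider and active scan as a user, and the manual check of the path traversal evidence) can also be driven from a script instead of the GUI. The example below is added here and is neither code from the video nor part of the ZAP project; it uses ZAP's own Python client (`zapv2`, installed with `pip install python-owasp-zap-v2.4`) against a running ZAP. The DVWA base URL, the admin/admin credentials, the `username`/`password` form field names, the API key, the CSRF page URL and the logout-link regex used as the logged-in indicator are all assumptions for the OWASP BWA setup. It goes one step beyond the video: the password-changing page is excluded from the spider as well as from the active scanner, since it was the spider that changed the admin password in the lesson. The helper functions work offline on the constructed sample bodies; only `main()` needs a live ZAP.

```python
"""Authenticated ZAP scan of DVWA driven through the ZAP API (added example)."""
import re
import time
from urllib.parse import quote

# --- assumptions for the OWASP BWA lab (not from the video) ---------------
TARGET = "http://192.168.56.101/dvwa/"
LOGIN_URL = TARGET + "login.php"
CSRF_URL = TARGET + "vulnerabilities/csrf/"          # the page that changes the password
CREDENTIALS = {"admin": ("admin", "admin")}            # name -> (username, password)
LOGGED_IN_REGEX = r'<a href="logout\.php">Logout</a>'  # only present on private pages

# --- constructed sample responses used for the offline checks ---------------
LOGGED_IN_BODY = '<div id="main_menu"><a href="logout.php">Logout</a></div>'
LOGIN_PAGE_BODY = '<form action="login.php" method="post"><input name="username"></form>'
PASSWD_BODY = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"


def form_auth_params(login_url, user_field="username", pass_field="password"):
    """Config string for ZAP's formBasedAuthentication: login URL plus the POST
    data with {%username%}/{%password%} placeholders, which ZAP fills in from
    the selected user (what the GUI showed as the prepared login request data)."""
    login_data = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    return f"loginUrl={quote(login_url, safe='')}&loginRequestData={quote(login_data, safe='')}"


def is_logged_in(body, regex=LOGGED_IN_REGEX):
    """The logged-in indicator check: ZAP re-authenticates when this fails."""
    return re.search(regex, body) is not None


def exclusion_regex(url):
    """Regex for excludeFromScan: the literal URL plus any query string or subpath."""
    return re.escape(url) + ".*"


PASSWD_LINE = re.compile(r"^root:[^:]*:0:0:", re.M)


def confirms_etc_passwd(body):
    """Manual verification of a path traversal alert: the evidence must really
    look like /etc/passwd (a root line with uid/gid 0), not just echo the payload."""
    return PASSWD_LINE.search(body) is not None


def wait_for(status, poll=5):
    """Poll a ZAP scan status callable (returns a percentage string) until 100."""
    while int(status()) < 100:
        time.sleep(poll)


def run_authenticated_scan(zap, target, login_url, credentials, exclude_urls,
                           logged_in_regex=LOGGED_IN_REGEX, context_name="DVWA"):
    """Same steps as the GUI walkthrough, in order, through the zapv2 client."""
    ctx_id = zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, exclusion_regex(target))
    zap.authentication.set_authentication_method(
        ctx_id, "formBasedAuthentication", form_auth_params(login_url))
    zap.authentication.set_logged_in_indicator(ctx_id, logged_in_regex)
    user_ids = []
    for name, (username, password) in credentials.items():
        uid = zap.users.new_user(ctx_id, name)
        zap.users.set_authentication_credentials(
            ctx_id, uid, f"username={quote(username)}&password={quote(password)}")
        zap.users.set_user_enabled(ctx_id, uid, "true")
        user_ids.append(uid)
    zap.forcedUser.set_forced_user(ctx_id, user_ids[0])
    zap.forcedUser.set_forced_user_mode_enabled("true")
    # Keep state-changing pages out of BOTH the spider and the active scanner;
    # in the lesson it was the spider that overwrote the admin password.
    for url in exclude_urls:
        zap.spider.exclude_from_scan(exclusion_regex(url))
        zap.ascan.exclude_from_scan(exclusion_regex(url))
    scan_id = zap.spider.scan_as_user(ctx_id, user_ids[0], target)
    wait_for(lambda: zap.spider.status(scan_id))
    scan_id = zap.ascan.scan_as_user(target, ctx_id, user_ids[0])
    wait_for(lambda: zap.ascan.status(scan_id))
    return zap.core.alerts(baseurl=target)


def main():
    from zapv2 import ZAPv2  # needs a running ZAP with this API key (assumed)
    zap = ZAPv2(apikey="changeme",
                proxies={"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"})
    for a in run_authenticated_scan(zap, TARGET, LOGIN_URL, CREDENTIALS, [CSRF_URL]):
        flag = " (evidence looks like /etc/passwd)" if confirms_etc_passwd(a.get("evidence", "")) else ""
        print(a["risk"], a["alert"], a["url"], a["param"], a["attack"], flag)


if __name__ == "__main__":
    main()
```

Before trusting a path traversal alert from the live run, open the Response tab as in the video; `confirms_etc_passwd` only encodes that same check so the script can flag which alerts deserve a manual look first.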