Hello, everyone, and welcome to this video. So in this video we are going to see SSRF-based attacks, and to start with, we're going to see SSRF attacks against the server itself.

So as we already know, using SSRF we can scan any third-party web application through the vulnerable server. Now let us see how you can utilize SSRF to scan the server itself and how you can exfiltrate sensitive data or information from the server.

Many times the admin functionality is only accessible to the authenticated users of the target program or the application. So when any attacker can impersonate and make a request through the local machine, he gets access to that functionality. What does this actually mean? This actually means that the attacker is going to fool the application and make the application think that the request is coming from the organization itself, and the application will allow the admin functionality to all its local users.

To understand this, we are going to see a simple animation and get the principle. So on the left-hand side you can see there is an attacker who is going to send the request to the vulnerable web application on your right-hand side. And the request is going to be GET /admin, the host is example.com, as our vulnerable application is example.com.
And let's suppose there is a URL parameter in the body, which is again example.com, which is the name of the web application. The server is going to send a response to the attacker, and the response is going to be 403, because the attacker is not allowed to see the admin functionality of the vulnerable web application, which is example.com.

But if the attacker sends again a GET request to /admin with the same host example.com, but this time in the URL he impersonates himself so that the request is coming from the localhost (as you can see, this is a loopback IP), the server quickly responds with 200 OK, thinking that the request is coming from inside the organization, and gives the admin dashboard with all the functionality.

So what is the impact of this? The attacker is able to access the internal portal or anything which he or she is not allowed to, so SSRF gives you the functionalities which are hidden from the public world and you can see what exists inside the organization. The attacker is also able to bypass access controls and authentication to access protected resources. That we have already seen. The attacker can also perform sensitive actions on the targeted web applications, like deleting an account or modifying some data, which we are going to see in the practical in just a couple of seconds.
Also, the attacker is able to execute commands to scan the internal ports and also the network to identify if any of the services are running and further exploit them.

So what are the steps to perform this SSRF on a target web application? I have listed down four steps to solve this practical or to perform this attack. The first one is: we will exploit a web application to induce a request to the backend server by bypassing the access control. So basically what we are going to do is send a request to the localhost, or through the loopback IP address, to the web application and trick the web application into thinking that the request is coming from the internal organization. Then we are going to perform some sensitive actions as unauthenticated users, while the application believes us to be an authenticated user. Hence our attack will be successful.

So it is a practical one, and let's quickly jump onto the practical to understand how we can do this SSRF attack. As you can see over here, I'm on the PortSwigger Web Security Academy lab, which is "Basic SSRF against the local server". So we are going to solve this lab based on the information that we have just learned.
OK, so the question is: to solve the lab, change the stock check URL to access the admin interface at localhost/admin and delete the user carlos. So we have this task to be performed. From this information we understand that there is a web application which gives us some stock information about the target, and we need to delete a user by being an admin user.

So first of all, we are going to quickly configure Burp Suite with our web application, as you can see, and I'm going to intercept a request. So we are going to perform the attack from our Burp. Now, let me just increase the display size, the font, so you can see it better. Perfect. Now, over here you can see I have got the request captured, and you can see it is working perfectly fine.

So now it is time to get the request of the stock check. So let's go to the page, and at the bottom you can see "Check stock". I'm going to just click on that, and I'm going to capture the request in Burp Suite, on which we are going to perform this SSRF-based attack. As you can see, I have captured the request over here, and now I'm going to send this to Repeater. As you can see, this request is now in the Repeater, and you can see we have got that there are 121 units in stock in London. All right.
Let's get back to Burp and hit send. And you can see we are getting a response of the stock now. Let's go back to the question and see if we are able to see the stock check feature. Yes, we are absolutely able to replicate that. Now, to solve the lab, change the stock check URL to access the admin interface at localhost/admin. Perfect.

So now we are going to send a request to localhost. For that we will simply type http://localhost and hit send, and let's see if it is able to communicate with localhost or not. And in this way we are able to see the output. Perfect. And you can see we are also able to see the admin panel as well, which we were not able to see previously.

Now remember, if I put any other URL over here, it is going to behave in a different manner. So let's say I put something which does not exist, let's say localhostdoesnotexist.com. Then it is going to throw an error in the response, which means it is not able to successfully load the resource that we are trying to fetch. Perfect. So let's click on Render and let's see if we are able to render this. And you can see I have got a successful admin panel functionality which was not present before, as you can see over here, to confirm. Perfect.
So we are in the right direction, that we are able to get the admin functionality because the web application now thinks that the request is coming from the internal organization or the localhost.

Now, the second part of the question is we need to delete the user, which is carlos. All right. So let's see if we have any information about carlos. No, because we are still not on the /admin URL. So now you can see if I add this and hit send, we are going to get some information, and you can see "Delete carlos" and "Delete wiener", as you can see over here. Perfect.

So we have got more sensitive information from the targeted application, in which when we hit the admin dashboard we get the list of all the users of the application. The users are admin, carlos and wiener. Perfect. Now we want to delete one of the users. So what can we do? We can delete it from our Burp Suite as well as from our browser.

Let me just copy and paste this over here, and here you can see I can just simply hit on delete, and it says "Admin interface only available if logged in as an administrator, or if requested from loopback". OK, so it basically means that your request should be coming from the admin portal only. All right.
So let's send the request from Burp Suite to delete the user. Let me just copy this and paste it over here. This basically means that we want to delete a user, which is carlos, and you can see 302 Found. Perfect. So we have successfully solved the lab.

So what are the key takeaways from this? The first is that we took a vulnerable endpoint, which was the stock check, and we ended up entering the localhost to see if it successfully loaded. If you put something which does not exist dot com, then it is going to throw an error, through which we can confirm that it is interacting with the target that we are giving. In this case we wanted it to interact with its own server; that's why we have given the localhost. We could also have given the port, for example localhost:22, to do a port scan as well, but that was not required in this case.

So later on we identified that when we give localhost we are able to get the admin functionality, and then we are able to see three users when we hit the endpoint, which is localhost/. And then we deleted one of the users, and we successfully solved the lab, in which we were able to perform an admin feature or admin action as an unauthenticated user. So I hope you guys understood how to perform this and how you can do this attack. Thank you.