1
00:00:00,650 --> 00:00:07,160
All right, so we have opened our terminal, so in the terminal now, we are going to enumerate the

2
00:00:07,160 --> 00:00:08,840
subdomains of our target.

3
00:00:08,930 --> 00:00:15,590
For that, we are going to use the tool, which is findomain, so findomain -d,

4
00:00:15,590 --> 00:00:17,560
which stands for domain name.

5
00:00:17,750 --> 00:00:23,990
And I'm going to copy the domain name from here and I'm going to paste it over here, which is intellectdesign.com,

6
00:00:23,990 --> 00:00:26,390
and I'm going to hit enter.

7
00:00:26,690 --> 00:00:27,100
All right.

8
00:00:27,350 --> 00:00:31,070
So it is -t, which stands for target. -d,

9
00:00:31,100 --> 00:00:36,980
we use this flag in subfinder, which is another tool, which is again a very good tool, which is

10
00:00:36,980 --> 00:00:39,500
used for identification of subdomains.

11
00:00:39,500 --> 00:00:41,090
You can use either of the tools.

12
00:00:41,360 --> 00:00:43,810
Both work pretty fast and fine.

13
00:00:45,020 --> 00:00:52,430
So now it has started enumerating the subdomains of the target, and it was very quick to identify subdomains.

14
00:00:52,430 --> 00:00:57,380
And you can see we have a total of 76 subdomains in just three seconds.

15
00:00:57,770 --> 00:00:58,280
Perfect.

16
00:00:58,520 --> 00:01:03,650
So out of these subdomains, we are going to choose one of the subdomains, which is

17
00:01:03,650 --> 00:01:04,580
jira.intellectdesign.com.

18
00:01:05,180 --> 00:01:06,920
Now, why specifically Jira?

19
00:01:06,920 --> 00:01:14,960
Because guys, that SSRF that we are going to find is only working on a vulnerable instance of Jira,

20
00:01:14,960 --> 00:01:16,820
which means any domain

21
00:01:16,830 --> 00:01:22,190
or subdomain right now, anywhere in the world, which is running on the vulnerable version of the software

22
00:01:22,190 --> 00:01:27,560
of Jira, can easily be exploited through this practical.

23
00:01:27,890 --> 00:01:28,310
All right.

24
00:01:28,320 --> 00:01:29,800
So let's just copy this.

25
00:01:30,230 --> 00:01:32,750
So go to our browser and paste it over here.

26
00:01:33,350 --> 00:01:35,600
And now let's wait for this to open.

27
00:01:36,200 --> 00:01:41,810
Once it gets open, we are going to see if this target is vulnerable or not.

28
00:01:43,540 --> 00:01:48,460
All right, so it has successfully opened over here, as you can see,

29
00:01:48,460 --> 00:01:52,560
jira.intellectdesign.com/dashboard.jsp. Perfect.

30
00:01:52,900 --> 00:01:56,230
So now we have our target application running over here.

31
00:01:56,680 --> 00:02:05,200
Now, this is the endpoint that we need to hit to identify the vulnerable version of Jira, and we will

32
00:02:05,200 --> 00:02:06,910
perform SSRF over there.

33
00:02:06,940 --> 00:02:13,060
So let's just paste our endpoint over here, and you can see the consumerUri

34
00:02:13,060 --> 00:02:14,380
parameter

35
00:02:14,380 --> 00:02:17,780
is the injection point in this vulnerable version of the software.

36
00:02:18,230 --> 00:02:20,310
Here, we are going to paste google.com.

37
00:02:20,920 --> 00:02:28,240
So basically we are issuing a request to a third-party domain from jira.intellectdesign.com,

38
00:02:28,240 --> 00:02:30,530
and let's see if it works or not.

39
00:02:30,700 --> 00:02:34,990
And you can see it has successfully loaded google.com over here.

40
00:02:35,020 --> 00:02:35,530
Perfect.

41
00:02:35,770 --> 00:02:40,120
Now, this proves that this target is vulnerable to SSRF.

42
00:02:40,780 --> 00:02:47,500
Now, to chain it with XSS, what we are going to do is you need to come to secure.xyz

43
00:02:47,500 --> 00:02:50,340
/[inaudible].

44
00:02:50,830 --> 00:02:56,680
So there I have my XSS payload, so I'm going to paste it over here and I'm going to load it.

45
00:02:57,130 --> 00:03:01,330
So I'm making a request to my attacker-controlled domain.

46
00:03:01,660 --> 00:03:04,710
And you can see jira.intellectdesign.com is vulnerable.

47
00:03:04,720 --> 00:03:12,910
We have got the XSS alert over here, and when we hit OK, we will also get the cookie over here, as

48
00:03:12,910 --> 00:03:13,410
you can see.

49
00:03:13,630 --> 00:03:21,650
So this way the attacker can get hold of the cookies of the user if he or she is logged in.

50
00:03:22,360 --> 00:03:30,700
So now this way we have escalated our SSRF to XSS as well, to steal the cookies.

51
00:03:30,850 --> 00:03:37,480
Now let me go to the payload and show you; it is very simply alert(document.domain

52
00:03:37,480 --> 00:03:41,300
+ ' is vulnerable'), and we are alerting document.cookie.

53
00:03:41,830 --> 00:03:48,400
Of course, this payload can be modified in which the cookie should be sent to the attacker-controlled

54
00:03:48,400 --> 00:03:48,820
domain.

55
00:03:49,540 --> 00:03:55,990
Now this is enough to prove the SSRF and XSS, so I hope you guys understood this.

56
00:03:56,650 --> 00:03:59,920
If you have any doubts or questions, you can post it into the.

57
00:04:00,700 --> 00:04:01,240
Thank you.