1 00:00:12,610 --> 00:00:15,730 Hey, guys, welcome back to another episode on How to Hack.
2 00:00:16,300 --> 00:00:21,900 So over here, we're back to the OWASP (Open Web Application Security Project) Juice Shop.
3 00:00:21,910 --> 00:00:29,410 So this is a vulnerable web application server in which we can test all our different ways of injection
4 00:00:29,440 --> 00:00:35,250 to gain access into the site, looking at different ways of manipulating and controlling the site.
5 00:00:35,740 --> 00:00:42,970 So we have gone through a lot of demonstration tutorials on this e-commerce web application penetration
6 00:00:42,970 --> 00:00:43,810 testing series.
7 00:00:44,170 --> 00:00:50,360 So quickly join as a member so that you gain access to full-flash videos on practicals, as well as
8 00:00:50,380 --> 00:00:54,370 lectures about how you can do web application penetration testing.
9 00:00:55,300 --> 00:00:58,090 So back to the demonstration I've got for you today.
10 00:00:58,780 --> 00:01:00,550 We can go ahead and click on it.
11 00:01:01,000 --> 00:01:06,250 OK, so I'm going to introduce to you a couple of things that are going to be very important as part
12 00:01:06,250 --> 00:01:08,740 of learning web application penetration testing.
13 00:01:09,490 --> 00:01:13,900 So the first thing you want to do is examine the site, and how do you do that?
14 00:01:14,140 --> 00:01:16,440 How you could do that is go to the top right corner.
15 00:01:16,480 --> 00:01:19,970 So be it on Firefox or Chrome or any browser.
16 00:01:20,020 --> 00:01:27,220 So what we want to do is to be able to inspect what is going on as we navigate across the entire web
17 00:01:27,220 --> 00:01:28,020 application server.
18 00:01:28,030 --> 00:01:32,740 So go to the top right corner, click on Web Developer, OK?
19 00:01:33,310 --> 00:01:36,400 And then you click on, say, for example, Network.
20 00:01:36,410 --> 00:01:40,870 So I'm going to click on Network and I'm going to zoom in a little more so it's easier for you to see.
21 00:01:41,140 --> 00:01:49,180 OK, so we click on "Not yet a customer?" and over here we'll be presented with a user registration page.
22 00:01:49,180 --> 00:01:56,950 And of course we can immediately see that we get APIs (application programming interfaces) running as part
23 00:01:57,130 --> 00:01:59,110 of the web application server.
24 00:01:59,710 --> 00:02:00,070 All right.
25 00:02:00,080 --> 00:02:01,620 So we can go ahead and do a registration.
26 00:02:01,630 --> 00:02:01,860 All right.
27 00:02:01,880 --> 00:02:04,040 So please provide an email address.
28 00:02:04,090 --> 00:02:07,530 Let me enter, say, for example, a user email address.
29 00:02:07,530 --> 00:02:12,460 So I'm just going to key in some email address so you can just go ahead and test it out, and we will enter
30 00:02:12,460 --> 00:02:15,580 the password as a particular password.
31 00:02:15,610 --> 00:02:20,770 I'm going to tell the password so that you can make a guess about what we are entering, and then you
32 00:02:20,770 --> 00:02:25,510 begin to appreciate how we are monitoring the network.
33 00:02:25,510 --> 00:02:28,620 Data is being sent in and out of the web application server.
34 00:02:29,140 --> 00:02:30,340 And as we scroll down further.
35 00:02:30,460 --> 00:02:30,760 All right.
36 00:02:30,760 --> 00:02:32,040 So do you have security questions?
37 00:02:32,050 --> 00:02:34,240 I'm going to click on, say, "Mother's maiden name".
38 00:02:34,250 --> 00:02:34,560 All right.
39 00:02:35,080 --> 00:02:37,020 So I'll just enter, for example, Lioy.
40 00:02:37,090 --> 00:02:42,380 OK, so once we're done, go ahead and click on Register.
41 00:02:42,700 --> 00:02:42,960 All right.
42 00:02:42,980 --> 00:02:46,930 So once we click on Register, it says registration completed successfully.
43 00:02:47,500 --> 00:02:48,510 You can now log in.
44 00:02:48,550 --> 00:02:50,200 OK, so we got all of that done.
45 00:02:50,410 --> 00:02:54,070 And of course, you can see over here that we have different kinds of methods.
46 00:02:54,070 --> 00:02:56,860 So we got GET as well as POST.
47 00:02:56,860 --> 00:03:03,370 So we've posted information or data into the server, and GET means that we pull information out directly
48 00:03:03,370 --> 00:03:04,010 from the system.
49 00:03:04,030 --> 00:03:08,950 OK, so click on, say, api/Users and we can click under the request.
50 00:03:09,490 --> 00:03:13,480 So the request is the information that we are actually sending over.
51 00:03:13,510 --> 00:03:15,410 And of course we can see the response.
52 00:03:15,460 --> 00:03:18,250 All right, so it says ID number 18.
53 00:03:18,250 --> 00:03:20,340 So this is an interesting row.
54 00:03:20,560 --> 00:03:26,860 So behind every web application server, behind every mobile application, they have a huge database.
55 00:03:26,860 --> 00:03:28,210 So it's like an Excel sheet.
56 00:03:28,300 --> 00:03:28,590 All right.
57 00:03:28,610 --> 00:03:33,080 So it is a column-and-row structure for them to store data.
58 00:03:33,550 --> 00:03:39,920 So data like text format are very, very easy to be stored on MySQL, PostgreSQL, Microsoft SQL Server
59 00:03:40,120 --> 00:03:40,560 and so on.
60 00:03:40,570 --> 00:03:47,650 So those are relational databases that help us store all this data, all this information in a very
61 00:03:47,650 --> 00:03:51,520 structured format, especially for text-based information.
62 00:03:51,520 --> 00:03:58,660 So that's why a lot of big enterprises, big web application servers, are moving all those
63 00:03:58,660 --> 00:04:04,090 into NoSQL databases like MongoDB, which we have done a demonstration on earlier.
64 00:04:04,960 --> 00:04:07,920 So over here we are seeing information about the ID.
65 00:04:08,350 --> 00:04:14,470 So again, this could be one of those pieces of information that could help us understand the structure
66 00:04:14,470 --> 00:04:15,190 of the database.
67 00:04:15,190 --> 00:04:24,130 So we have ID 18, and most of the time IDs are primary keys, the unique identifier in a table, inside
68 00:04:24,130 --> 00:04:25,000 a table.
69 00:04:25,660 --> 00:04:32,130 So in this case there is a very high chance that we have seventeen more users before this account.
70 00:04:32,440 --> 00:04:39,340 OK, so we may have seventeen more users before this account, and if we create another account on the registration
71 00:04:39,340 --> 00:04:39,730 page,
72 00:04:40,000 --> 00:04:44,800 we may look at ID 19, and that would validate our assumption.
73 00:04:44,990 --> 00:04:52,930 OK, so moving back, we can go under Account and we can try to log in to the website with the newly created
74 00:04:52,930 --> 00:04:53,380 account.
75 00:04:53,410 --> 00:04:54,250 OK, so let's go ahead.
76 00:04:54,250 --> 00:05:03,850 Enter the email address we registered with, and of course I enter the password, and I can go ahead
77 00:05:03,850 --> 00:05:06,100 and click on Remember Me and I can click on Login.
78 00:05:07,400 --> 00:05:08,470 OK, so once we're in,
79 00:05:08,860 --> 00:05:13,480 of course, we can see a lot more information coming from the Network tab in the web developer tools, so
80 00:05:13,480 --> 00:05:15,170 we have, like, whoami,
81 00:05:15,190 --> 00:05:16,240 we got login,
82 00:05:16,240 --> 00:05:18,350 we got all these different pieces of information.
83 00:05:18,370 --> 00:05:20,470 OK, so we see again bid.
84 00:05:20,740 --> 00:05:20,950 All right.
85 00:05:20,980 --> 00:05:26,630 So you see a bid number six, and we have the email, and of course I can click on whoami.
86 00:05:26,680 --> 00:05:28,380 Again, we are looking at 18.
87 00:05:29,050 --> 00:05:35,740 So this is the primary key of the table, helping us uniquely identify the user who is logged in now,
88 00:05:36,100 --> 00:05:43,390 and also a way for the table to uniquely identify users who are logging in and out of the system.
89 00:05:43,580 --> 00:05:48,130 OK, so we also got a separate API (application programming interface), Quantitys.
90 00:05:48,790 --> 00:05:54,040 And of course we can see the ID of the quantities, or we can look at all this different information,
91 00:05:54,040 --> 00:06:00,370 and this could be information directly available, being pulled out from a table that actually stores
92 00:06:00,370 --> 00:06:02,110 all these different products.
93 00:06:02,570 --> 00:06:07,610 OK, so we are seeing all those different pieces of information coming out directly from the web application.
94 00:06:08,260 --> 00:06:11,800 So, for example, if I click on, say, one of the items, right.
95 00:06:11,800 --> 00:06:16,720 So let's say I click on a couple of the items; I click on, say, Apple Juice, click Add to Basket.
96 00:06:17,140 --> 00:06:17,540 All right.
97 00:06:17,740 --> 00:06:20,110 And of course, we can see information being sent again.
98 00:06:20,920 --> 00:06:23,890 I could click a separate item, Add to Basket again.
99 00:06:24,460 --> 00:06:27,540 We're seeing all those details being sent over.
100 00:06:27,880 --> 00:06:31,250 So here we can see these requests and a response.
101 00:06:31,250 --> 00:06:33,640 So in the response's case, we can see success.
102 00:06:33,640 --> 00:06:39,700 So we successfully added the item onto the system, and we could see coupon, we could see user ID and
103 00:06:39,700 --> 00:06:40,960 all those different pieces of information.
104 00:06:41,710 --> 00:06:44,230 And again, we are able to see all these different details.
105 00:06:44,230 --> 00:06:49,420 And we got api/BasketItems, the application programming interface for basket items.
106 00:06:49,450 --> 00:06:49,690 All right.
107 00:06:49,690 --> 00:06:51,130 So we got ID number 10.
108 00:06:51,610 --> 00:06:51,910 All right.
109 00:06:51,910 --> 00:06:55,590 We got product ID, we got a quantity, OK?
110 00:06:56,020 --> 00:06:58,420 And we got two separate basket items.
111 00:06:58,420 --> 00:06:59,910 So again, it's 11.
112 00:07:00,160 --> 00:07:00,490 All right.
113 00:07:00,490 --> 00:07:05,500 And we have product ID, we have basket ID, we have quantity and all those different data and information.
114 00:07:05,830 --> 00:07:09,930 So moving to the top right corner, we go back to Your Basket.
115 00:07:09,940 --> 00:07:11,320 OK, let's go ahead and click on that.
116 00:07:12,940 --> 00:07:21,250 And we see a retrieval, we see retrieval of the ID, all right, and we can see the structure, or we
117 00:07:21,250 --> 00:07:22,980 can see the structure of a shopping cart.
118 00:07:23,380 --> 00:07:29,740 So we see all this different information, the description, the data, the pricing, the quantity and
119 00:07:29,740 --> 00:07:30,670 all this different data.
120 00:07:30,670 --> 00:07:37,090 So we can, in a way, map out how the tables operate for the shopping cart, what the tables look like and
121 00:07:37,090 --> 00:07:38,620 how they are interlinked.
122 00:07:38,890 --> 00:07:44,830 OK, so the next thing I want to demonstrate to you, to share with you, is to click under Storage Inspector.
123 00:07:44,950 --> 00:07:46,240 So go ahead and click on that.
124 00:07:46,600 --> 00:07:48,370 And we have Storage Inspector over here.
125 00:07:49,210 --> 00:07:55,690 So, of course, we have cookie information, and we can actually go under Session Storage and we
126 00:07:55,690 --> 00:07:57,250 have the specific IP address.
127 00:07:57,250 --> 00:08:03,520 And in this case, I'm hosting it internally on the IP address 192.168.0.10 on
128 00:08:03,520 --> 00:08:05,370 port 3000.
129 00:08:05,380 --> 00:08:08,500 So click on that and we can see the bid number.
130 00:08:09,080 --> 00:08:15,810 OK, so the bid number could be the shopping cart ID that is being stored in the server.
131 00:08:16,000 --> 00:08:18,820 So if I change this, for example, to a lower number.
132 00:08:19,150 --> 00:08:19,480 All right.
133 00:08:19,480 --> 00:08:25,390 Because it seems like they're adding one every time there is a new user, every time there
134 00:08:25,390 --> 00:08:26,740 is a new shopping cart.
135 00:08:27,040 --> 00:08:28,240 That could be the case.
136 00:08:28,270 --> 00:08:30,490 That could be the logic behind the scenes.
137 00:08:30,670 --> 00:08:36,850 So if I go ahead and click on, say, five, and I hit Enter on that, I go back to the web page.
138 00:08:36,900 --> 00:08:40,510 OK, so in this case, we have two products, one quantity each.
139 00:08:40,510 --> 00:08:43,420 We have Apple Pomace, one quantity.
140 00:08:43,420 --> 00:08:49,840 So if I do a refresh, I would see over here we have a quantity of two.
141 00:08:50,110 --> 00:08:53,570 OK, so what if we change the value of this to one?
142 00:08:53,590 --> 00:08:55,550 So one could be the first shopping cart.
143 00:08:55,870 --> 00:08:57,940 OK, so if I do a refresh again.
144 00:08:59,390 --> 00:09:06,200 And we can see somebody else's shopping cart, so this shopping cart is the first on the list, of someone
145 00:09:06,200 --> 00:09:06,980 else's account.
146 00:09:07,520 --> 00:09:14,300 OK, so this could be one of those ways in which we can access other people's personal information,
147 00:09:14,300 --> 00:09:17,570 profile their shopping carts, and many others.
148 00:09:17,750 --> 00:09:24,050 So by understanding the basic structure of how we could manipulate the session storage information,
149 00:09:24,380 --> 00:09:30,440 how we could look at the data that is coming in and out, we'll be able to change that data, change those
150 00:09:30,440 --> 00:09:35,030 values, giving us access to personal information, sensitive data.
151 00:09:35,300 --> 00:09:38,750 And that information could be critical details.
152 00:09:39,080 --> 00:09:44,150 There could be the date of birth of the person, your home address, and all this different data could be
153 00:09:44,150 --> 00:09:48,500 accessed on and through the web application itself.
154 00:09:48,770 --> 00:09:51,830 So with that, I hope you learned something valuable in today's tutorial.
155 00:09:52,070 --> 00:09:55,850 And if you have any questions, feel free to leave a comment below and I'll try my best to answer any
156 00:09:55,850 --> 00:09:56,510 of your questions.
157 00:09:56,990 --> 00:10:01,610 So stay tuned for many more in the web application penetration testing series.
158 00:10:01,790 --> 00:10:06,350 And we'll try our best to share as much as we can, so thank you so much once again for watching.