Hey, guys, welcome back to another episode on How to Hack. So here we have WebGoat running. So we've got a deliberately vulnerable web application system that we can try our hands on to break into the system. So today we're going to explore broken authentication as part of our web application penetration testing series, so we can go in and click on Authentication Bypasses. So authentication bypasses is pretty straightforward. The whole idea is you are going to a login page and you need to access different segments of the website. But what you need is actually to authenticate yourself into the site. So you may not have the username, you may not have the password, you may not have any form of data or details for you to access different parts of the website. So here again, we have different ways of bypassing authentication. So firstly, we can try to look out for hidden inputs, and we can remove certain parameters or change certain parameters and what kind of data we are sending into the site. Or we can look at some of the forced browsing to look at different parts of the site that could have been opened up, but are not available directly as a link from other parts of the site. So, again, we have seen this earlier during the OWASP Juice Shop, where we looked into all these authentication bypasses and we followed the demonstrative page as part of the website.
So here we can go in and go to lesson number two, which is two-factor authentication bypass. All right. So over here, what happens is that whenever you try to log in to a website, they could actually challenge you even though you've got a username and password. So you've got a username, you've got a password, and an SMS one-time password is sent to the person's device in order for us to get a six-digit PIN or four-digit PIN in order to access the site. So multi-factor authentication can be very, very challenging to bypass. So over here we have an example on the PayPal two-factor authentication bypass. And what happened is that a hacker actually moved to the security questions rather than supplying the SMS one-time password. All right. So this is, of course, a case of a logical error that is happening in the system. So we have multiple steps. And, of course, we can look at the proxy. All right, where we can remove certain questions or update certain questions as we submit them into the system. So the first thing, in a scenario where we're resetting our password, but we have no idea, OK, what we can do in order to reset it, and of course, we have these security questions that have already been set up. And of course, we have no idea what the password is.
And we're trying to gain access into the site again. So it asks: what is the name of your favorite teacher? So we have no idea. What is the name of the street you grew up on? OK, so we can enter "test" and enter "test" again. So what we are doing here is what we call the normal journey map. So we're trying to find out what happens, what kind of feedback is provided from the website, when we provide normal inputs as expected. All right. So go ahead and click on Submit, and you see: Not quite. Please try again. So let's go to the top right corner, OK? And we can go ahead and go on to the web developer tab, and we can look under Network. So we want to see what kind of data is being sent into the site. So go ahead and click Submit. And over here we have a verify-account request. All right. So go ahead and click on it. So this is JSON, and we can see over here we have the request URL here. And this is the request method of POST. We have the response; the status is OK. We have all this different data, and we can click under Parameters.
So we can see over here we have security question zero, security question one, jsEnabled one, verify method security question, and a user ID. So also we've got the user ID as part of understanding what's going on. So we also have the response from the site. So we have the feedback: Not quite. And we have the assignment, which is verify account, and it is set to true. So we have all these different details. So what we can do next is to actually go back. All right. And we can actually go ahead and right-click, click on Edit and Resend. So we are going to edit what we want to send to the system. And over here we have the request body. So what we are trying to find out and understand here is to look for some kind of structure, or logical structure, of how it works, and think about what's happening behind the scenes as part of the database as we do the verification process, as they pull records from the database table and try to validate on those columns that have already been hard-set into the database table. So in this case, we have security question zero equals test and security question one equals test, and then we have jsEnabled and so on, so forth. So we can see this information here from the request body, and we can from here identify a few important areas to look out for.
Firstly, there is an increment, this incremental, in the security question. So we are moving from security question zero to security question one, so there is a plus one going on. So think of it as a follow-up to those programs and systems that would indicate multiple security questions that a user can choose from. In this case, the user chose security question zero as well as security question one as part of their recovery efforts when it comes to accessing the account. So in this case, whenever you have such ways of structuring the security questions, it makes it very easy for hackers to guess how they could actually bypass the security questions, so there could be more security questions. For example, security question two, security question three, four or five. And likewise, if we look at user ID. All right, just to change a little bit of our topic: whenever you're accessing a website, you're assigned a user ID. And again, a lot of user IDs could be incremental. They could be just purely digits. And it's incremental. There could be ways for us to access other people's shopping carts, or personal information, by changing the user ID. OK, so going back into the tutorial, we can easily change the security question.
So I can change this to security question two, and I can change the second one to security question three. And in these cases they could be empty. These security questions could be empty in the sense that they have not been set as part of the account recovery process. So once you have the details in place, you can go ahead and click on Send. And once you've sent, all right, we can go to the end, all right. And we can go ahead and play the information. All right. And we'll be able to send the details, and we can actually complete the progress of this, so I can go in and reset. OK, so go in and change it again. OK, so now let's go ahead and click on Send. All right, so once it's sent, all right, we can see the details. All right. To see what kind of responses we can get from the system. All right, so let's see what kind of results we get from the system, and you see over here: Congrats, you have successfully verified your account without actually verifying it. You can now change your password easily. So that's how we can actually manipulate what is being sent into the database system by amending the kind of parameters, the kind of options, that we have.
And of course, one of those, fundamentally, is in terms of incremental changes, which is why when you set security questions, range settings and columns in a system, they should also be hidden from the users who are accessing your site. So once again, I hope you've learned something valuable. And if you like what you've just watched, remember to like, share and subscribe to the channel so that you can be kept abreast of the latest cyber security tutorials. Thank you so much once again for watching.
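Editor's added example (not the video's or WebGoat's code): the logic flaw the tutorial walks through, a reset handler that checks whichever securityQuestionN keys the client chooses to send, next to a hardened handler where the server decides which questions are required. The parameter names mirror the ones seen in the Network tab; the account store and the stored answers are constructed for this example.

```python
"""Added example, not WebGoat's code: why letting the client pick which
security questions are verified defeats the reset flow, and the fix.
Parameter names mirror the video; account data is constructed here."""
import hmac

# Constructed sample store: this user configured only questions 0 and 1.
ACCOUNTS = {
    "12345": {"securityQuestion0": "Mrs Smith", "securityQuestion1": "Elm Street"},
}


def verify_vulnerable(user_id, form):
    """Compares every securityQuestionN the client sent against the stored
    answer for that same key. Questions the user never set (2, 3, ...) store
    nothing, so an empty submitted answer 'matches' and the reset passes."""
    stored = ACCOUNTS.get(user_id)
    if stored is None:
        return False
    for key, answer in form.items():
        if key.startswith("securityQuestion"):
            if answer != stored.get(key, ""):
                return False
    return True


# The server, not the request body, fixes which questions must be answered.
REQUIRED = ("securityQuestion0", "securityQuestion1")


def verify_hardened(user_id, form):
    """Rejects client-chosen question indices, requires every configured
    question, and never accepts an unset or empty answer."""
    stored = ACCOUNTS.get(user_id)
    if stored is None:
        return False
    extra = [k for k in form if k.startswith("securityQuestion") and k not in REQUIRED]
    if extra:
        return False  # renumbered or added question keys: refuse outright
    for key in REQUIRED:
        expected = stored.get(key)
        submitted = form.get(key, "")
        if not expected or not submitted:
            return False
        # constant-time compare so response timing does not leak the answer
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False
    return True
```

A detection angle for the same flaw: a reset request carrying question indices the account never configured, or empty answers, is exactly the anomaly a reviewer of the request logs should alert on.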