1
00:00:01,430 --> 00:00:08,600
CAPTCHA problems, so CAPTCHA stands for Completely Automated Public Turing test to tell Computers and

2
00:00:08,600 --> 00:00:09,440
Humans Apart.

3
00:00:10,300 --> 00:00:11,510
But you didn't know that, did you?

4
00:00:12,280 --> 00:00:18,760
So basically it's implemented to distinguish users from any entity that makes automated requests.

5
00:00:19,890 --> 00:00:25,960
So there are several CAPTCHA types, such as visual, aural, arithmetic and so forth and so on, but

6
00:00:26,070 --> 00:00:30,240
the most known one of these is the visual one.

7
00:00:31,250 --> 00:00:38,180
So many times a CAPTCHA is an image; it contains a human-readable text or maybe some numbers or a recognizable

8
00:00:38,180 --> 00:00:43,700
image the user must solve in order to prove he is not a bot.

9
00:00:44,560 --> 00:00:52,240
And boy, doesn't it feel good to know that you're not a bot? So CAPTCHA is not an authentication control,

10
00:00:53,140 --> 00:01:00,700
but using a CAPTCHA can be a very efficient way to mitigate against enumeration attacks and

11
00:01:00,700 --> 00:01:07,020
any submitting process that can be automated within a web application.

12
00:01:08,260 --> 00:01:15,760
So CAPTCHA images don't protect against a pure brute force thing; they just put a layer of complexity

13
00:01:16,120 --> 00:01:18,640
over the form on which they are added.

14
00:01:19,770 --> 00:01:26,010
So that means that you can generally see CAPTCHAs implemented on login and registration as well as reset

15
00:01:26,010 --> 00:01:34,260
and forgot forms, so this will barely protect against account takeover, username enumeration and fake

16
00:01:34,260 --> 00:01:35,310
account creation.

17
00:01:36,210 --> 00:01:37,110
But let me show you this.

18
00:01:39,210 --> 00:01:42,240
So open up Kali and log in to bWAPP.

19
00:01:42,930 --> 00:01:46,530
And from the drop-down menu, open CAPTCHA Bypassing.

20
00:01:48,120 --> 00:01:51,030
And this is an authentication form that contains a CAPTCHA.

21
00:01:52,250 --> 00:01:57,110
So this time I'm going to do only high level, so change the level to high.

22
00:01:58,010 --> 00:01:59,900
And there's no difference in the view.

23
00:02:02,680 --> 00:02:05,950
OK, so let's see the page source and see if there's anything interesting.

24
00:02:07,210 --> 00:02:12,760
So this is the form that contains a CAPTCHA, and the CAPTCHA image is included in an iframe.

25
00:02:14,110 --> 00:02:20,530
The source page is the CAPTCHA box, and this page contains the produced CAPTCHA image.

26
00:02:21,810 --> 00:02:22,380
OK.

27
00:02:23,420 --> 00:02:26,860
So now open Burp in interception mode.

28
00:02:28,160 --> 00:02:36,480
And I will make the browser have a better view of the screen, and now we can enable FoxyProxy.

29
00:02:37,130 --> 00:02:41,430
So now we need to understand the behavior of the form and the CAPTCHA.

30
00:02:42,200 --> 00:02:45,440
So there may be an implementation problem here.

31
00:02:45,890 --> 00:02:53,840
OK, so I'm going to enter the right values into the input fields: bee, bug and the CAPTCHA text.

32
00:02:55,160 --> 00:02:59,030
And now the request is in Burp, so forward it.

33
00:03:00,420 --> 00:03:06,390
And here's the response. Now, let's have a look at the response; it contains a successful login message.

34
00:03:07,270 --> 00:03:13,160
All right, so this message comes up when everything is correct, so forward it.

35
00:03:14,700 --> 00:03:21,350
Now, after we get the response, our CAPTCHA-containing iframe sends the request to get a new CAPTCHA

36
00:03:21,350 --> 00:03:21,800
image.

37
00:03:23,000 --> 00:03:27,110
And the source of the iframe sends a new request to the image page.

38
00:03:28,270 --> 00:03:30,670
And the new image is presented on the page.

39
00:03:31,850 --> 00:03:36,530
So this new CAPTCHA image request will always perform the exact same way.

40
00:03:37,310 --> 00:03:40,430
So now let's try the wrong login information.

41
00:03:41,490 --> 00:03:42,870
Right CAPTCHA text.

42
00:03:44,690 --> 00:03:45,770
Forward the request.

43
00:03:47,940 --> 00:03:49,200
Now, look at what we have.

44
00:03:50,740 --> 00:03:54,930
A new message, and this time only the CAPTCHA was true.

45
00:03:56,100 --> 00:03:58,050
OK, so forward it and the rest.

46
00:03:59,490 --> 00:04:04,080
And now the true login information, and type a wrong CAPTCHA text.

47
00:04:07,200 --> 00:04:10,710
And a new message appears and says: incorrect CAPTCHA.

48
00:04:12,050 --> 00:04:13,550
And forward the rest.

49
00:04:15,600 --> 00:04:22,470
Now, this time, I'm going to fill in all of the fields with wrong values and forward the request.

50
00:04:24,090 --> 00:04:27,300
Let's look at the message; it comes back: incorrect CAPTCHA.

51
00:04:29,100 --> 00:04:35,360
So we can understand that it first checks the CAPTCHA, then the login information, right?

52
00:04:37,170 --> 00:04:38,490
And forward the rest.

53
00:04:39,820 --> 00:04:46,360
All right, so now we're ready to shape our attack, so I'm going to perform a replay attack, and I'm

54
00:04:46,360 --> 00:04:51,880
going to get a CAPTCHA image and then I will try further requests with it.

55
00:04:53,270 --> 00:04:59,810
So I will assume that I don't know the login credentials, and I created a dictionary file before.

56
00:05:01,240 --> 00:05:04,450
And I fill the form with a correct CAPTCHA and send.

57
00:05:05,670 --> 00:05:07,080
Now the request is in Burp.

58
00:05:08,150 --> 00:05:13,070
And before forwarding it, send it to Repeater and Intruder.

59
00:05:14,300 --> 00:05:14,900
Then forward.

60
00:05:16,250 --> 00:05:21,850
And look at the response, so the application checks the CAPTCHA, but the credentials fail.

61
00:05:22,870 --> 00:05:24,280
So forward it to the browser.

62
00:05:25,860 --> 00:05:27,720
OK, so now we're at the critical point.

63
00:05:28,770 --> 00:05:31,410
I'm going to drop this new CAPTCHA request.

64
00:05:32,300 --> 00:05:34,700
So there are no more requests after this.

65
00:05:36,140 --> 00:05:37,820
Now open the Repeater tab.

66
00:05:39,460 --> 00:05:40,540
And send it again.

67
00:05:42,280 --> 00:05:44,920
And the response still says invalid credentials.

68
00:05:46,020 --> 00:05:48,420
That means that the CAPTCHA is still valid.

69
00:05:49,650 --> 00:05:52,320
So let's prove it one more time with false credentials.

70
00:05:55,210 --> 00:05:56,680
And sure enough, still the same.

71
00:05:58,100 --> 00:06:00,470
OK, so now go to the Intruder tab.

72
00:06:01,660 --> 00:06:03,340
I've already told you about these tabs, right?

73
00:06:03,370 --> 00:06:10,240
So go to the Positions tab, clear the parameters and add username and password as parameters.

74
00:06:11,750 --> 00:06:14,570
Then the attack type is cluster bomb.

75
00:06:16,850 --> 00:06:21,770
And here we have just two payload sets, one for username and one for password.

76
00:06:23,100 --> 00:06:25,590
Payload set one is a simple list.

77
00:06:26,930 --> 00:06:32,090
Click Load to load the word list that we created in a previous lesson, and choose it.

78
00:06:33,610 --> 00:06:36,630
And do it for payload set two as well.

79
00:06:38,870 --> 00:06:41,690
So now open the Options tab.

80
00:06:43,650 --> 00:06:48,900
You don't need to change anything here, and scroll down to the Grep - Match section.

81
00:06:50,450 --> 00:06:51,710
Now, clear these inputs.

82
00:06:53,330 --> 00:06:58,070
Now we need to provide a message to differentiate the successful logins.

83
00:06:59,340 --> 00:07:03,090
And that message happens to be here, so copy that.

84
00:07:04,840 --> 00:07:05,980
Then add it here.

85
00:07:08,760 --> 00:07:13,050
And OK, give me a second to have a look, see if we missed anything.

86
00:07:14,070 --> 00:07:19,530
No, I don't think there's anything that we need to configure anymore, so if you're ready, I'm ready.

87
00:07:19,530 --> 00:07:20,670
Let's start the attack.

88
00:07:22,600 --> 00:07:26,670
And the requests start to list in the attack window.

89
00:07:27,620 --> 00:07:29,150
Let's wait for it to finish.

90
00:07:31,220 --> 00:07:37,730
All right, so our base request is just like that, and the associated response.

91
00:07:38,910 --> 00:07:42,150
As you can see. So now let's go to this line.

92
00:07:43,160 --> 00:07:44,200
Look at the response.

93
00:07:45,590 --> 00:07:48,050
And sure enough, we are successfully logged in.

94
00:07:49,580 --> 00:07:57,980
OK, so now let's see, because we can quickly check the code, so let's open up your terminal and view the CAPTCHA

95
00:07:57,980 --> 00:07:59,840
bypass page.

96
00:08:01,890 --> 00:08:07,950
So this line checks the security level; if the level is high or medium, then it will execute the following

97
00:08:07,950 --> 00:08:08,340
lines.

98
00:08:09,660 --> 00:08:15,540
Which compare the CAPTCHA value sent by the user and the value in the session variable captcha.

99
00:08:17,810 --> 00:08:23,000
And as you can see, there is no code to assign a new value to the CAPTCHA variable in the session.

100
00:08:24,590 --> 00:08:26,230
So you see, this is the main problem.

101
00:08:27,740 --> 00:08:31,550
This new value is added in a separate request.

102
00:08:33,520 --> 00:08:39,130
And that's what helps us to replay the correct CAPTCHA in the session variable.