1
00:00:00,660 --> 00:00:01,493
Instructor: Hi.

2
00:00:01,493 --> 00:00:06,120
Within this lecture we're going to see a very simple flaw,

3
00:00:06,120 --> 00:00:08,160
a very simple error in code

4
00:00:08,160 --> 00:00:12,330
that lets us log in with an administrator account.

5
00:00:12,330 --> 00:00:17,330
So basically when we do this decompiling thing with JADX,

6
00:00:18,210 --> 00:00:23,210
we're gonna have to analyze and take a look

7
00:00:23,550 --> 00:00:27,360
at every piece of code that we can see over here.

8
00:00:27,360 --> 00:00:28,193
For example,

9
00:00:28,193 --> 00:00:31,530
if you come over here to do log in .java

10
00:00:31,530 --> 00:00:34,200
and open it with any text editor,

11
00:00:34,200 --> 00:00:37,770
you can see the code and you can try to see

12
00:00:37,770 --> 00:00:40,983
if anything funny is going on over here.

13
00:00:42,060 --> 00:00:42,893
For example,

14
00:00:42,893 --> 00:00:45,150
let me browse a little bit.

15
00:00:45,150 --> 00:00:48,810
We see some method called postData

16
00:00:48,810 --> 00:00:53,310
and over here we see some HTTP requests.

17
00:00:53,310 --> 00:00:57,120
But in this method we have an if statement.

18
00:00:57,120 --> 00:00:58,680
And as you can see,

19
00:00:58,680 --> 00:01:00,813
there is something called devadmin.

20
00:01:02,010 --> 00:01:04,830
So if we dig a little deeper over here

21
00:01:04,830 --> 00:01:07,440
we see that it actually takes the username

22
00:01:07,440 --> 00:01:11,100
and password from the login activity.

23
00:01:11,100 --> 00:01:11,933
However,

24
00:01:11,933 --> 00:01:15,270
if the username equals devadmin,

25
00:01:15,270 --> 00:01:17,493
which is the administrator username,

26
00:01:18,600 --> 00:01:21,963
it doesn't do this login thing,

27
00:01:22,933 --> 00:01:26,880
it rather takes us to this devlogin page.

28
00:01:26,880 --> 00:01:31,880
And it means that we have found a loophole over here.

29
00:01:32,430 --> 00:01:35,280
Even though we don't have any account,

30
00:01:35,280 --> 00:01:39,120
we can try to log in with this devadmin username

31
00:01:39,120 --> 00:01:42,060
and try to see if we can get in.

32
00:01:42,060 --> 00:01:43,680
So I believe in this case

33
00:01:43,680 --> 00:01:46,320
they didn't actually specify

34
00:01:46,320 --> 00:01:50,730
any administrator rights regarding this account.

35
00:01:50,730 --> 00:01:54,390
However, we can actually try and see what happens.

36
00:01:54,390 --> 00:01:57,330
So I'm gonna come over here to username,

37
00:01:57,330 --> 00:02:00,330
and rather than giving the instructions

38
00:02:00,330 --> 00:02:01,920
like Dinesh over here,

39
00:02:01,920 --> 00:02:03,900
I'm gonna go for devadmin

40
00:02:03,900 --> 00:02:07,350
and I'm not going to give any password.

41
00:02:07,350 --> 00:02:09,990
It asks me my server IP.

42
00:02:09,990 --> 00:02:13,920
So I'm gonna give it like 192.168.121.

43
00:02:13,920 --> 00:02:17,490
And if I submit and try one more time,

44
00:02:17,490 --> 00:02:20,490
here you go, now I'm logged in.

45
00:02:20,490 --> 00:02:24,780
Even though I don't see any administrator menus over here,

46
00:02:24,780 --> 00:02:26,400
I'm still logged in.

47
00:02:26,400 --> 00:02:31,400
So this is another way of going into the application

48
00:02:31,470 --> 00:02:34,530
without having to know the username and password,

49
00:02:34,530 --> 00:02:38,130
without having to create any new username.

50
00:02:38,130 --> 00:02:41,160
So maybe you can think that this is way too easy,

51
00:02:41,160 --> 00:02:44,130
this is a way too easy flaw for developers,

52
00:02:44,130 --> 00:02:46,170
they don't generally do that.

53
00:02:46,170 --> 00:02:49,890
But the main idea is that we have to check every Java file,

54
00:02:49,890 --> 00:02:52,050
every CodeBin file that we see

55
00:02:52,050 --> 00:02:56,670
in order to find some errors or bugs in the process.

56
00:02:56,670 --> 00:02:59,253
So let's continue within the next lecture.