1 00:00:00,150 --> 00:00:06,140 So in this video we are going to see IDOR, which stands for Insecure Direct Object Reference.
2 00:00:06,480 --> 00:00:14,300 So if you can modify some of the parameters and access an object that the web server serves, that is IDOR. There are a few
3 00:00:14,670 --> 00:00:15,140 samples.
4 00:00:15,180 --> 00:00:17,280 Let's take a look at this one.
5 00:00:18,780 --> 00:00:19,970 So I'm just saying.
6 00:00:21,210 --> 00:00:29,470 So let's consider this website as an admin panel. I don't have a setup for it.
7 00:00:29,490 --> 00:00:30,880 I'm just showing an example.
8 00:00:31,920 --> 00:00:34,570 So if you look here, id 101.
9 00:00:35,580 --> 00:00:38,490 So it will give you the page.
10 00:00:38,910 --> 00:00:42,960 So if admin has logged in, it will have the dashboard.
11 00:00:44,950 --> 00:00:53,530 So from the dashboard you can modify the values, add the values, etc. So if a normal user asks for the directory
12 00:00:53,530 --> 00:01:01,990 /dashboard, then if your web server has been misconfigured, this dashboard can be accessed
13 00:01:01,990 --> 00:01:06,770 by any user, not only the admin user.
14 00:01:07,120 --> 00:01:11,040 You just need to ask for this /dashboard, that's it.
15 00:01:11,260 --> 00:01:17,730 So there is insecure object reference: we are referencing this dashboard and the web
16 00:01:17,770 --> 00:01:20,650 server is providing it to whoever is asking.
17 00:01:21,100 --> 00:01:22,660 So here's another example.
18 00:01:24,160 --> 00:01:30,800 So it is start.php?id= equal to, say, 100.
19 00:01:31,720 --> 00:01:37,500 So we will get the page, right, because of this id.
20 00:01:37,540 --> 00:01:38,800 We are the id=100 user.
21 00:01:39,250 --> 00:01:45,130 So now, can I access the id of the 101 user? Suppose
22 00:01:45,130 --> 00:01:46,630 there are 190 members.
23 00:01:46,630 --> 00:01:49,180 I am member 100 and there is member 101.
24 00:01:49,450 --> 00:01:51,850 So if I just set id=101.
25 00:01:51,850 --> 00:02:00,040 And if I ask this start.php?id=101 for this 101 user, then if your web server has been
26 00:02:00,670 --> 00:02:05,330 misconfigured, then this leads to the IDOR vulnerability.
27 00:02:05,350 --> 00:02:10,900 So IDOR, that is not a vulnerability as such, but it's like a security risk.
28 00:02:11,140 --> 00:02:14,080 Now we get the 101 page.
29 00:02:14,080 --> 00:02:16,360 That is the page for the 101 member.
30 00:02:16,630 --> 00:02:24,190 So in this way you can just change these ids in the URL and check whether you are getting
31 00:02:24,190 --> 00:02:29,650 a response. If you are not getting any response, it is properly configured; if you are
32 00:02:29,650 --> 00:02:34,690 getting any response, like a valid response from this website,
33 00:02:34,820 --> 00:02:41,250 then it has this IDOR vulnerability. So we are going to try this, and we are going to do it now.
34 00:02:41,800 --> 00:02:50,620 It's also called Broken Access Control, because there is no, uh, security check for this, uh,
35 00:02:51,830 --> 00:02:52,570 authentication.
36 00:02:53,760 --> 00:02:58,390 Here we are going to compare this to this one parameter, account.
37 00:02:58,630 --> 00:03:04,020 So in this account parameter, if you put anything, it would be served by the web server.
38 00:03:04,420 --> 00:03:08,890 So this is just the theory; you can read it here and here.
39 00:03:08,890 --> 00:03:14,230 You can see what happens for an admin and what happens for the user that asked for the
40 00:03:14,230 --> 00:03:14,950 dashboard.
41 00:03:16,630 --> 00:03:19,720 So let me just click on this "Complete".
42 00:03:19,720 --> 00:03:21,500 So that is the theory I have explained.
43 00:03:21,820 --> 00:03:28,990 You need to modify or tamper with these parameter values to check if you can get a valid response
44 00:03:28,990 --> 00:03:29,350 or not.
45 00:03:30,340 --> 00:03:33,930 So now we are going to do this. Starting, as you can see, with the example.
46 00:03:34,390 --> 00:03:40,490 So here I am the user, I'm the user Thomson, and I'm asking for the document, which is hosted
47 00:03:40,720 --> 00:03:42,350 by the web server.
48 00:03:42,640 --> 00:03:50,470 So if I change this 1000 to 1001, we still get the page, because there is nothing in
49 00:03:50,470 --> 00:03:53,310 there to indicate who the file is for.
50 00:03:53,890 --> 00:03:59,290 So this leads to accessing documents of another user.
51 00:04:00,640 --> 00:04:05,920 So I have already run this, uh, web browser. I ran this machine and it has a browser.
52 00:04:06,190 --> 00:04:09,540 And there is a web server running on the server.
53 00:04:10,240 --> 00:04:12,880 Now you really understand how that works.
54 00:04:12,890 --> 00:04:15,460 OK, let me click on this and go to this machine.
55 00:04:15,790 --> 00:04:17,590 Log in with username test and password
56 00:04:17,590 --> 00:04:18,240 1234.
57 00:04:18,850 --> 00:04:21,070 So that's where this system is.
58 00:04:22,760 --> 00:04:23,870 So let me open this.
59 00:04:27,640 --> 00:04:29,520 So test.
60 00:04:30,990 --> 00:04:38,200 And password 1234, right. Let me submit this, and it is showing a note.
61 00:04:38,550 --> 00:04:42,450 So there is one parameter, note, that is equal to 1.
62 00:04:42,720 --> 00:04:43,930 Let me change it to 2.
63 00:04:45,900 --> 00:04:47,330 So we do not get any response.
64 00:04:47,340 --> 00:04:50,100 Maybe we have the response in the comments.
65 00:04:51,470 --> 00:04:51,700 OK.
66 00:04:51,860 --> 00:04:52,960 Still, we do not have it.
67 00:04:53,370 --> 00:04:57,120 Let's try to change it to 3. So we still don't have it.
68 00:04:57,130 --> 00:05:02,790 So you can change these parameters from zero to a hundred thousand or anything like that.
69 00:05:03,180 --> 00:05:10,890 And you can see the response. So for this brute-force thing, we use Burp to automate this task.
70 00:05:12,120 --> 00:05:15,400 So let me set it to 1, since we got some output there.
71 00:05:16,860 --> 00:05:24,320 Let me change this to Burp. My proxy is running and intercept is on for this one.
72 00:05:25,160 --> 00:05:29,360 Now, right-click, send to Intruder, and forward this request.
73 00:05:30,210 --> 00:05:39,020 And in the Intruder positions tab, you can see it has already identified this one as a placeholder.
74 00:05:39,150 --> 00:05:41,180 Let me clear this and add it again.
75 00:05:41,700 --> 00:05:44,430 So click on 1 and click on Add §.
76 00:05:45,810 --> 00:05:47,340 Now we need to set the payload.
77 00:05:47,550 --> 00:05:51,360 So from 0 onwards: 0, 1, 2, 3, 4,
78 00:05:51,360 --> 00:05:51,710 and so on.
79 00:06:02,710 --> 00:06:10,810 So I'm just adding this payload list, going to the positions, and I'm selecting the sniper attack as
80 00:06:10,810 --> 00:06:12,580 usual, because there is only one position, right?
81 00:06:13,000 --> 00:06:15,130 Click "Start attack".
82 00:06:18,770 --> 00:06:28,430 Now, this is in general length 190, and we have got length 198 for the 0 option, and for the 1 option we got one
83 00:06:28,790 --> 00:06:32,690 that is the default one, and for 2, 3 and so on
84 00:06:32,690 --> 00:06:34,350 we got the 178 responses.
85 00:06:34,400 --> 00:06:35,780 So let's see what this is.
86 00:06:36,020 --> 00:06:37,970 So we have seen these two previously.
87 00:06:37,970 --> 00:06:38,240 Right.
88 00:06:38,630 --> 00:06:39,620 And see the response.
89 00:06:40,670 --> 00:06:41,300 There is nothing.
90 00:06:41,450 --> 00:06:46,820 So let's click on the 0 payload, because the length is different from the others.
91 00:06:46,820 --> 00:06:47,930 So we might get something.
92 00:06:48,560 --> 00:06:49,810 So we have got the flag.
93 00:06:50,960 --> 00:06:51,440 All right.
94 00:06:51,680 --> 00:06:52,980 The 0 is the answer.
95 00:06:54,440 --> 00:06:54,770 So.
96 00:06:55,650 --> 00:06:56,030 So.
97 00:07:01,520 --> 00:07:12,740 So user 0 has the, uh, file that contains the content for that flag. Let me copy this.
98 00:07:14,390 --> 00:07:20,950 So we have successfully changed, modified the note parameter, and we have successfully got the flag.
99 00:07:22,400 --> 00:07:24,140 And it's also significant.
100 00:07:27,700 --> 00:07:29,860 So it's telling that we need to tamper with this note parameter.
101 00:07:30,220 --> 00:07:30,790 So that's it.
102 00:07:33,160 --> 00:07:40,080 So we actually completed this, uh, IDOR challenge. So one thing you need to remember is whenever
103 00:07:40,090 --> 00:07:48,660 you see these, uh, parameters with a value, like
104 00:07:49,210 --> 00:07:54,490 numbers 0, 1, 2, 3 and so on, then you try to change these values
105 00:07:54,490 --> 00:07:58,280 and see if you are getting access to those resources or not.
106 00:07:59,980 --> 00:08:05,230 So you can also use the, uh, Burp tool for this, to automate this task.
107 00:08:06,310 --> 00:08:11,950 So that's all for this video, the IDOR challenge. I hope you have understood; this is simply manipulating the
108 00:08:11,950 --> 00:08:12,600 parameters.
109 00:08:12,730 --> 00:08:17,450 Sometimes you need to manipulate the text of this also.
110 00:08:17,800 --> 00:08:26,260 So that's in rare cases, but in general, you can modify or tamper with these, uh, parameter
111 00:08:26,260 --> 00:08:29,940 values to get access to the resources of another user.
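The two things the video does, tampering with the note id by hand and then sweeping it with a Burp Intruder sniper attack and sorting by response length, as an added Python example that is not part of the video or its lab. The in-memory notes table, the user names and the flag string are constructed for the example; the vulnerable handler omits the ownership check the video describes, the fixed handler adds it, and the sweep reproduces the "which row has a different length" step from the Intruder results table.

```python
"""IDOR demo: a tiny in-memory 'notes' service with one handler that has
the missing ownership check and one that adds it, plus an Intruder-style
sweep over the note id that flags responses whose length differs from
the rest. All data here is constructed for the example."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample data (not from the video): note id -> (owner, body).
NOTES = {
    0: ("admin", "FLAG{constructed-example-flag}"),
    1: ("test", "My first note."),
    2: ("alice", "Lunch at noon."),
    3: ("bob", "Rotate the keys."),
}


@dataclass
class Response:
    status: int
    body: str

    @property
    def length(self) -> int:
        # Intruder's "Length" column is the response size; body length
        # is enough for the comparison here.
        return len(self.body)


def get_note_vulnerable(session_user: str, note_id: int) -> Response:
    """Looks the note up by id only. The user is authenticated (we know
    session_user) but nothing checks that the note belongs to them, so
    any logged-in user can read any id: this is the IDOR."""
    if note_id not in NOTES:
        return Response(404, "not found")
    _owner, body = NOTES[note_id]
    return Response(200, body)


def get_note_fixed(session_user: str, note_id: int) -> Response:
    """Same lookup plus the object-level authorization check. Returning
    the same 404 for 'does not exist' and 'not yours' means a sweep
    cannot even tell which ids exist."""
    record = NOTES.get(note_id)
    if record is None or record[0] != session_user:
        return Response(404, "not found")
    return Response(200, record[1])


def sweep_ids(handler, session_user: str, ids) -> dict:
    """Sniper attack equivalent: one position (note id), one payload
    list. Returns {id: (status, length)} for the results table."""
    results = {}
    for i in ids:
        r = handler(session_user, i)
        results[i] = (r.status, r.length)
    return results


def outliers(results: dict) -> list:
    """Ids whose response length differs from the most common length,
    i.e. the rows you would open first in the Intruder results."""
    lengths = Counter(length for _status, length in results.values())
    common = lengths.most_common(1)[0][0]
    return sorted(i for i, (_s, length) in results.items() if length != common)


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_note_vulnerable),
                          ("fixed", get_note_fixed)):
        table = sweep_ids(handler, "test", range(10))
        print(name, "outliers:", outliers(table))
        for i in outliers(table):
            print("  note", i, "->", handler("test", i).body)
```

Against the vulnerable handler, logged in as `test`, the sweep flags ids 0 to 3 (every note that exists, including the admin's), exactly the effect of changing `note=1` to `note=0` in the video; against the fixed handler only id 1, the user's own note, stands out, and id 0 comes back as the same "not found" as the ids that do not exist.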