Let's see if we can do the same when we increase the security level. So as you can see here, the security level is set to zero, so it's the least secure right now. So what I'm going to do is click on the security toggle, and that will increase our security level to number one, which will basically make the website more secure so that the attacks will not work the same way that they used to.

So again, we're still on the same page, the login page, and we're going to try to bypass the login in exactly the same way that we did in the previous lecture. So I'm going to put admin followed by a comment, and then we can put any password we want right here. And when I hit enter, as you can see, we get an error message saying that some illegal characters were detected.

So let's try the other exploit that we found, which was: we put the username normally, and then we put the password as anything, we close the quote, and we use or 1=1, which is correct. So again I'm going to just keep the username as admin, normally, and then I'll paste this exploit right here. Hit enter, and again we get the same error saying that some illegal characters were detected.

Now this filtering could be happening on the client side, or it could be happening on the server side. What I mean is, if it's happening on the client side, the stuff is being filtered before it gets sent to the server. The other way, server side, means these characters are being detected and filtered out on the server side after they get sent to the server. Now if it's happening on the client side then it's very easy to bypass using Burp Proxy. Burp can also help us identify whether this is happening at our side, the client side, or if it's happening at the server side.

So I'm going to go to the proxy and I'm going to set up the proxy settings again for Firefox, just like we did in previous videos, so that it uses Burp. So we're going to go into advanced settings, and we're going to use manual configuration and set it to port 8080. So that's all good. Now everything we do, as we said before, should go through Burp. So if we go to home, you'll see that packets are coming here. If we forward them, they go to the server. So again, when I go to the login page the packets come here, we forward them from Burp, and then they go here.

Now watch this. Now I'm going to try to put in the username as admin and I'm going to put this exploit right here. And when I paste it, notice that the packet will not be sent. So I'm going to click on login, and you'll see that nothing was sent to Burp. So this request was stopped before it even reached the Internet, before it even reached the server. So it was stopped by some code loaded in the browser, on this web page itself. So the filtering is happening on the client side, on our side, before it even goes to the website, and it still tells us that some dangerous characters were detected.

So let's go back to our diagram here. So we have our website with client side filtering. So when it detects special characters, the client side code will remove these characters or it will display an error. So what we're going to do is write a username and password without any special dangerous characters. We're just going to write them normally and send the request, which will bypass the filtering that's happening on the same page, on the client side. It's going to go to the proxy; then right here, when it comes here, we'll get to modify it and add our dangerous special characters that will allow us to bypass authentication or run code on the target website. Once we do that we're going to send it to the server. The server will execute it and send the result to us. So using Burp, we're going to be able to bypass client side filtering.

So let's go back and see how we're going to do this. So we're going to use a normal username, admin, and I'm going to put a random password, so it doesn't have to be right. I'm just going to put "a". Doesn't really matter. And I'm going to click on login. Now this is a valid request, so it will be sent to the Internet. It won't be stopped by the filter, which works on the client side. So I'm going to click on login. And as you can see, the request has come here. And here we can see that the username is admin and the password is a.

So what we're going to do now is actually modify the username and password values right here instead of modifying them in the web browser. Because at this stage we've bypassed the filter, so the username and password were valid at the client side. They got sent to the Internet, but before they got onto the Internet we captured them with Burp Proxy, and we're going to modify this password exactly the same way that we wrote our exploit in the previous video. So this is going to be a, or 1 is equal to 1, and then we close it with the comment here.

OK so I'm just going to repeat this. So the filtering is happening at the client side by JavaScript code which gets executed on the page itself. So the request is being stopped before it even reaches the server. When we run Burp, we actually used a good username and password that are not considered to be dangerous. They pass through the filter, and before they go to the Internet we have Burp Proxy working, which captures them, and we're going to modify them in here because we've already bypassed the filter. And when I click on forward, you'll see that I managed to log in as the admin.
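As an added example (not the course's lab application, whose server code is never shown in the lecture): a Python stand-in for the browser-side character check described above and for the login query the server runs, with the string-built query that the proxied payload defeats beside a parameterized query that is unaffected by it. The `accounts` table, its contents and the function names are constructed for this example.

```python
import sqlite3

# Stand-in for the JavaScript filter on the login page. It only runs in the
# browser, so a request edited in a proxy after this check never sees it.
DANGEROUS_CHARS = set("'\"#;-")


def client_filter_allows(value: str) -> bool:
    """True if the browser-side filter would let this field be submitted."""
    return not (DANGEROUS_CHARS & set(value))


def make_db() -> sqlite3.Connection:
    """Constructed in-memory accounts table (sample data for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('admin', 'S3cret!')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Server trusts the browser filter and concatenates the raw field values
    into the SQL text, so a quote and a comment change the query's logic.
    Returns the matched username or None."""
    query = (
        "SELECT username FROM accounts WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Server-side fix: bound parameters keep every byte of the fields as data,
    so the same payload is compared literally against the stored password."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "a' or 1=1 -- "  # the password value edited in the proxy
    print("browser filter allows payload:", client_filter_allows(payload))
    print("string-built query logs in as:", login_vulnerable(db, "admin", payload))
    print("parameterized query logs in as:", login_parameterized(db, "admin", payload))
```

The values the proxy forwards never pass through `client_filter_allows`, which is why only the parameterized query is a real control here.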