1 00:00:01,320 --> 00:00:03,930 Hello, everyone, and welcome to this video.
2 00:00:04,830 --> 00:00:09,540 So in this video, you're going to see SSRF, but with an interesting test case.
3 00:00:10,760 --> 00:00:19,760 We are going to see how, when any developer blacklists or blocks certain characters in an application
4 00:00:20,390 --> 00:00:29,120 just to mitigate a vulnerability like SSRF in this case, we are going to bypass that and successfully
5 00:00:29,120 --> 00:00:30,090 perform the attack.
6 00:00:31,490 --> 00:00:38,630 So developers usually use blacklist filters, which is a very bad technique to block certain characters.
7 00:00:38,630 --> 00:00:46,940 As I mentioned, many times security researchers are able to bypass those blacklist filters by using
8 00:00:47,090 --> 00:00:50,810 different versions of the same input which can bypass the blacklist.
9 00:00:52,560 --> 00:01:00,270 Many applications block hostnames like 127.0.0.1 or localhost.
10 00:01:01,670 --> 00:01:10,330 And also, at times they block sensitive URLs like /admin, /phpmyadmin, /dashboard.
11 00:01:10,940 --> 00:01:12,950 So in that case, what should be done?
12 00:01:14,280 --> 00:01:21,470 Let's understand this using a principle, with the help of an animation. On the left-hand side is the attacker
13 00:01:22,170 --> 00:01:26,890 and on the right-hand side is the vulnerable web application, which is example.com.
14 00:01:27,660 --> 00:01:34,320 So the attacker is going to send a request, and the request is going to be a GET request for the /admin
15 00:01:34,320 --> 00:01:40,680 dashboard; the host is example.com, and in the other parameter, which is the vulnerable parameter
16 00:01:40,680 --> 00:01:41,430 in the body,
17 00:01:41,850 --> 00:01:44,980 the attacker puts the localhost IP address.
18 00:01:45,360 --> 00:01:51,090 Now there is a proper blacklist filter which has been applied by the developer.
19 00:01:51,420 --> 00:01:57,550 And when the web application, which is example.com, sends the response to the attacker, it
20 00:01:57,550 --> 00:01:59,670 says 403 Forbidden.
21 00:02:00,510 --> 00:02:10,290 Now the attacker forms a new GET request in which he is going to put the URL as the integer version
22 00:02:10,320 --> 00:02:12,570 of the localhost IP address.
23 00:02:12,990 --> 00:02:14,820 And he also uses
24 00:02:15,800 --> 00:02:21,970 the URL-encoded version of slash in the GET parameter.
25 00:02:22,590 --> 00:02:26,380 Now, there are two things that the attacker has bypassed.
26 00:02:26,810 --> 00:02:35,240 First is the blacklist filter of the loopback IP or localhost, and then a blacklist filter of slash, by URL encoding
27 00:02:35,240 --> 00:02:35,480 it.
28 00:02:36,080 --> 00:02:40,390 And the vulnerable application successfully gives a 200 OK.
29 00:02:41,340 --> 00:02:44,690 I hope you guys understood that the impact remains the same.
30 00:02:45,630 --> 00:02:52,620 As we have seen in the previous videos, the steps for this would be: we are going to exploit a web
31 00:02:52,620 --> 00:02:57,200 application to induce it to make a request to an internal resource by bypassing the access control.
32 00:02:57,960 --> 00:03:02,810 We will bypass the blacklist filters in order to perform a successful SSRF.
33 00:03:03,330 --> 00:03:10,440 And once we have done that, we will perform some sensitive actions as an unauthenticated user, and
34 00:03:10,440 --> 00:03:12,200 our attack will be successful.
35 00:03:13,320 --> 00:03:20,130 So let's jump onto the practical and see how we can perform SSRF by bypassing the blacklist filters.
36 00:03:22,290 --> 00:03:29,700 All right, so you can see over here, this is the Web Security Academy "SSRF with blacklist-based input
37 00:03:29,700 --> 00:03:31,070 filter" web application.
38 00:03:31,530 --> 00:03:34,470 So let's quickly jump on to this product, let's say.
39 00:03:35,130 --> 00:03:41,460 And once we are onto this, let's click on "Check stock", and you can see the stock which is available.
40 00:03:42,090 --> 00:03:44,910 Go to Burp, turn intercept on,
41 00:03:46,810 --> 00:03:50,320 and again click on "Check stock". Go to Burp.
42 00:03:51,170 --> 00:03:59,780 And now I'm just going to send this to Repeater, and in Repeater I hit send, and you can see we are seeing
43 00:03:59,780 --> 00:04:00,430 a response.
44 00:04:01,070 --> 00:04:08,720 Now, let's just copy this and send this to Decoder, and let's try to decode it and understand what actually
45 00:04:08,720 --> 00:04:09,670 it wants to say.
46 00:04:10,520 --> 00:04:14,350 And you can see there is a URL, which is stock.
47 00:04:14,420 --> 00:04:19,780 weliketoshop.net, port 8080, /product/stock/check?productId=1
48 00:04:19,820 --> 00:04:28,680 &storeId=1. Now, going back over here, we know that there is a blacklist-based input filter.
49 00:04:28,850 --> 00:04:38,780 But still, let's give it a try and say we want to scan localhost, and hit send, and we got an error,
50 00:04:38,780 --> 00:04:45,320 which is "External stock check blocked for security reasons", which was expected.
51 00:04:45,740 --> 00:04:46,310 All right.
52 00:04:46,310 --> 00:04:48,440 So now let's go back over here.
53 00:04:50,050 --> 00:04:56,520 And there are very awesome bypasses for SSRF, as you can see one of them over here.
54 00:04:57,360 --> 00:05:06,580 We can just make the loopback IP address, which is 127.0.0.1, into 127.1.
55 00:05:06,880 --> 00:05:07,630 And you can see
56 00:05:08,550 --> 00:05:12,810 a lot of security researchers have posted this bypass.
57 00:05:13,140 --> 00:05:18,540 Now, let's just try if this works or not in your browser itself. I'm just going to put it over
58 00:05:18,540 --> 00:05:23,580 here and hit enter, and you can see it converts to a loopback IP address automatically.
59 00:05:24,420 --> 00:05:32,700 So the behavior of the browser is also similar, in which it converts this IP address to a loopback
60 00:05:32,700 --> 00:05:33,060 IP.
61 00:05:35,890 --> 00:05:36,430 Perfect.
62 00:05:36,880 --> 00:05:43,240 Now, if you want to read more about how this works, you can read more about it.
63 00:05:43,360 --> 00:05:51,280 I'm going to give the reference for it, and you can just read about why this behaves in this
64 00:05:51,280 --> 00:05:51,760 manner.
65 00:05:52,690 --> 00:05:53,130 All right.
66 00:05:53,140 --> 00:05:58,600 So now, as we know this, we are going to make use of this.
67 00:05:58,600 --> 00:06:07,120 And instead of localhost, let me show you that the loopback IP address is blocked as well.
68 00:06:07,390 --> 00:06:11,840 Let's remove this and just add 1, as we have seen in the browser.
69 00:06:12,160 --> 00:06:19,380 This works as localhost or the loopback IP, as the Chrome browser is redirecting our request to the loopback
70 00:06:19,600 --> 00:06:20,800 IP address. Hit send.
71 00:06:21,400 --> 00:06:25,170 And again, we are successfully able to bypass our first mitigation.
72 00:06:25,780 --> 00:06:26,260 Perfect.
73 00:06:26,740 --> 00:06:36,310 Now we want the admin portal. Hit send, and you can see this is the second mitigation, or the blacklist
74 00:06:36,310 --> 00:06:43,090 filter, in which the developer has put a blacklist filter on the keyword, which is "admin", and we are
75 00:06:43,090 --> 00:06:47,660 not able to send a successful request as it is getting blocked.
76 00:06:48,610 --> 00:06:49,410 Now what to do?
77 00:06:50,290 --> 00:06:57,500 So we are going to see one more awesome way to bypass this, which is URL encoding.
78 00:06:57,550 --> 00:07:01,180 So we are going to URL encode the slash.
79 00:07:02,150 --> 00:07:06,760 As you can see, it encodes to %2F.
80 00:07:07,460 --> 00:07:17,850 Let's try if we can bypass it using %2F. Hit send, and you can see it still blocks. No issues.
81 00:07:18,320 --> 00:07:19,790 Let's do a double encoding.
82 00:07:20,960 --> 00:07:25,280 So we are going to encode %2F again.
83 00:07:26,630 --> 00:07:30,310 And let's see, yeah, so now let's see if this works.
84 00:07:31,210 --> 00:07:38,060 So let's go to Burp again and paste it over here.
85 00:07:38,080 --> 00:07:41,330 Hit send, and you can see it is still blocking.
86 00:07:41,980 --> 00:07:42,490 All right.
87 00:07:43,000 --> 00:07:48,970 So it may be the case that they are just blocking the keyword, which is "admin".
88 00:07:49,630 --> 00:07:56,380 So let's just make it capital and see if we are able to bypass it, and hit send.
89 00:07:57,310 --> 00:08:04,450 And again, see, we are successfully able to bypass the SSRF blacklist-based input filter
90 00:08:05,300 --> 00:08:14,260 web application. So let's see if we are able to see our panel, and we are able to see the
91 00:08:14,530 --> 00:08:15,860 admin panel successfully.
92 00:08:16,180 --> 00:08:16,600 Perfect.
93 00:08:16,840 --> 00:08:18,250 Let me just render this for you.
94 00:08:22,460 --> 00:08:26,660 And you can see we have access to the admin panel now.
95 00:08:27,800 --> 00:08:32,060 As you can see over here, we are able to bypass the first mitigation.
96 00:08:32,150 --> 00:08:33,980 Now let's see for the second one.
97 00:08:34,100 --> 00:08:40,730 So when I hit send, you can see we get "blocked for security reasons" because this has been blocked by
98 00:08:40,730 --> 00:08:42,570 a blacklist filter.
99 00:08:42,590 --> 00:08:47,720 So let's just make this capital and let's see if we are able to bypass this, and hit send.
100 00:08:48,080 --> 00:08:50,680 And you can see we are able to successfully bypass this.
101 00:08:51,050 --> 00:08:55,280 Let's search for admin, and you can see we are able to delete two users.
102 00:08:55,640 --> 00:08:57,470 Let us just simply copy this,
103 00:08:57,470 --> 00:09:00,760 go here, add it over here, and hit send.
104 00:09:01,160 --> 00:09:04,600 And again, we have successfully been able to solve the lab.
105 00:09:05,360 --> 00:09:07,280 There is another way to do it as well.
106 00:09:08,600 --> 00:09:09,050 Perfect.
107 00:09:10,580 --> 00:09:12,980 Now, one more thing that you should know.
108 00:09:12,980 --> 00:09:17,540 This is that you can also use this as a bypass.
109 00:09:18,080 --> 00:09:26,030 Also, if you go to the IP format converter and you put your localhost or loopback IP over here and
110 00:09:26,030 --> 00:09:29,670 you hit convert, there are different formats that you can see here.
111 00:09:29,870 --> 00:09:39,740 One of the formats is the decimal format, and you can also use the integer format to bypass a lot of SSRF
112 00:09:39,740 --> 00:09:41,120 based filters.
113 00:09:41,540 --> 00:09:48,290 For instance, you can see we have successfully been able to get our results, and it looks perfectly fine.
114 00:09:50,610 --> 00:10:00,330 So now let's move ahead and let's perform a sensitive action in which we are going to delete a user.
115 00:10:03,570 --> 00:10:11,130 So now we are also going to URL encode the parameter in this, as we saw it was not working.
116 00:10:11,880 --> 00:10:14,160 So now, if you want to encode this,
117 00:10:14,160 --> 00:10:17,970 we can use any free URL encoder available online.
118 00:10:18,330 --> 00:10:20,760 So I have already URL encoded it.
119 00:10:20,760 --> 00:10:24,180 And let me put it over here and show you how it looks.
120 00:10:24,780 --> 00:10:31,620 Let me click on "Smart decode", and you can see finally it looks something like this, which is the bypass
121 00:10:31,620 --> 00:10:35,440 for localhost or the loopback IP address, /admin.
122 00:10:36,210 --> 00:10:42,020 This part is the same one that we have used up to now in all our SSRF videos.
123 00:10:42,030 --> 00:10:43,910 So we are using the same endpoint.
124 00:10:44,640 --> 00:10:46,490 So let's see if we are able to complete it.
125 00:10:46,500 --> 00:10:50,700 So let's just hit send, and you can see 302 Found.
126 00:10:50,880 --> 00:10:55,810 Let's go to our application, and you can see "Congratulations, you have solved the lab".
127 00:10:56,340 --> 00:11:01,830 So I hope you guys understood how we are able to successfully solve this blacklist-filter lab
128 00:11:01,830 --> 00:11:03,210 of SSRF. Thank you.
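Editor's added example (not part of the video or of the Web Security Academy lab): the bypasses the video walks through, modelled in Python. A naive blacklist of the kind the video observes in the lab (a case-sensitive substring match on the raw stock-check URL) is put beside a check that canonicalises the host and path first, so the same blocklist catches the short IPv4 form 127.1, the integer form 2130706433, hex and octal forms, a capitalised "Admin", and single or double percent-encoding. The blocked strings, the legacy IPv4 parsing rules (written to follow what inet_aton() and browsers accept), and the handling of the name "localhost" are assumptions of the example; the lab's own filter code is never shown in the video.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Naive filter modelled on what the video observes in the lab (assumption:
# the lab's own code is not shown): a case-sensitive substring match on the
# raw stockApi value, so any alternative spelling of the same target slips past.
BLOCKED_STRINGS = ("127.0.0.1", "localhost", "admin")

def naive_blacklist_allows(url: str) -> bool:
    return not any(word in url for word in BLOCKED_STRINGS)

# Canonicalisation: reduce every spelling of a target to one form first.
_LEGACY_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")
_DNS_NAME = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")

def _legacy_part(part: str) -> int:
    if part[:2].lower() == "0x":            # hex, e.g. 0x7f
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":    # octal, e.g. 0177
        return int(part, 8)
    return int(part, 10)

def parse_legacy_ipv4(host: str):
    """Parse IPv4 the way inet_aton() and browsers do: 1 to 4 dot-separated
    decimal/octal/hex parts, the last one filling the remaining bytes
    ("127.1" and "2130706433" are both 127.0.0.1). Returns None if invalid."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_LEGACY_PART.match(p) for p in parts):
        return None
    values = [_legacy_part(p) for p in parts]
    if any(v > 0xFF for v in values[:-1]):
        return None
    tail_bits = 8 * (5 - len(parts))        # bytes covered by the last part
    if values[-1] >= 1 << tail_bits:
        return None
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    return ipaddress.IPv4Address((packed << tail_bits) | values[-1])

def canonical_host(host: str) -> str:
    """Lower-case, drop a trailing dot, and reduce IP literals to one spelling."""
    host = host.lower().rstrip(".")
    if host == "localhost":                 # assumption: treat the name as loopback
        return "127.0.0.1"
    ip = parse_legacy_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)  # IPv6 literal such as ::1
        except ValueError:
            return host                      # not an IP literal: a DNS name
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                  # ::ffff:127.0.0.1 -> 127.0.0.1
    return str(ip)

def canonical_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), then lower-case."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()

def hardened_blacklist_allows(url: str) -> bool:
    """The same blocklist idea, applied to the canonical host and path."""
    parts = urlsplit(url)
    host = canonical_host(parts.hostname or "")
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
            return False
    except ValueError:
        if not _DNS_NAME.match(host):        # junk such as "127.1%2fadmin"
            return False
        # A real name can still resolve to 127.0.0.1 (DNS rebinding); check at
        # resolution time too, or better, allowlist the hosts you need.
    return "admin" not in canonical_path(parts.path)

# Constructed payloads in the forms the video uses or points at.
BYPASS_PAYLOADS = [
    "http://127.1/Admin",                    # short IPv4 + capitalised keyword
    "http://2130706433/Admin",               # integer form of 127.0.0.1
    "http://0x7f000001/%41dmin",             # hex form + percent-encoded 'A'
    "http://017700000001/%2561dmin",         # octal form + double encoding
    "http://[::1]/Admin",                    # IPv6 loopback
]

if __name__ == "__main__":
    for url in BYPASS_PAYLOADS:
        print(f"{url:34} naive={naive_blacklist_allows(url)!s:5} "
              f"hardened={hardened_blacklist_allows(url)}")
```

Every payload in the list passes the naive filter and is rejected by the canonicalising one, while the lab's legitimate stock.weliketoshop.net URL passes both. The canonicalised blocklist is still only a blocklist: it says nothing about where a DNS name resolves at request time, or about redirects the fetching client follows, which is why an allowlist of the backend hosts the feature actually needs is the fix a reviewer should ask for.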