1 00:00:00,610 --> 00:00:02,890 Hello, everyone, and welcome to this video.
2 00:00:03,700 --> 00:00:09,870 So in this video, we're going to discuss SSRF attacks with the help of FFmpeg.
3 00:00:10,750 --> 00:00:19,940 So what is it actually? So we can also perform SSRF attacks using a specific format for video files.
4 00:00:20,590 --> 00:00:28,210 So how are we going to do this? So we can induce an SSRF using the MPEG video payload embedded inside
5 00:00:28,210 --> 00:00:28,570 of it.
6 00:00:29,620 --> 00:00:35,190 Many times an application doesn't validate sensitive input or even special characters.
7 00:00:35,830 --> 00:00:44,320 So we will use this and perform SSRF on the vulnerable application and exfiltrate some of the sensitive information
8 00:00:44,470 --> 00:00:45,760 from that website.
9 00:00:47,490 --> 00:00:53,790 If you don't understand this, let's quickly jump into the principle, so here I'm going to explain it to you
10 00:00:53,790 --> 00:00:55,200 with the help of an animation.
11 00:00:55,440 --> 00:00:58,350 So on the left hand side is the attacker machine.
12 00:00:58,680 --> 00:01:03,260 On the right hand side, there's the vulnerable Web application, which is example.com.
13 00:01:04,050 --> 00:01:08,310 So the attacker is going to send a request, which is a POST request.
14 00:01:08,310 --> 00:01:13,830 Let's say the request is to convert the video file from one format to another format.
15 00:01:14,400 --> 00:01:21,150 As you can see, the request is a POST request to an endpoint, which is convert.php, on the host example
16 00:01:21,150 --> 00:01:21,690 dot com.
17 00:01:21,930 --> 00:01:31,560 And the content is, for instance, we have put /etc/passwd. When this request goes to the application,
18 00:01:31,860 --> 00:01:38,480 the Web application in turn sends the response to the attacker in which it says 200 OK.
19 00:01:39,000 --> 00:01:47,970 And the attacker is able to successfully get the sensitive content of passwd from the vulnerable application
20 00:01:47,970 --> 00:01:48,410 server.
21 00:01:49,530 --> 00:01:51,000 But what is the impact of this?
22 00:01:51,730 --> 00:01:58,080 The attacker is able to bypass the access control and authentication mechanism to get access to the
23 00:01:58,080 --> 00:01:59,370 protected resources.
24 00:02:00,180 --> 00:02:06,270 In this animation, we have understood how the attacker is able to get hold of the passwd file.
25 00:02:06,840 --> 00:02:12,950 But if he knows the internal structure, he can also get access to any other sensitive file as well.
26 00:02:14,620 --> 00:02:20,950 The attacker can similarly perform sensitive actions on the target web application, and he or she
27 00:02:20,950 --> 00:02:26,230 may also be able to execute commands to scan the internal ports and the network.
28 00:02:27,250 --> 00:02:30,940 Now, what are the steps we are going to perform to achieve this SSRF?
29 00:02:31,690 --> 00:02:37,520 So we will exploit a Web app to induce a request to the server and retrieve sensitive information.
30 00:02:38,680 --> 00:02:44,680 In this video, we are going to perform a sensitive action as an unauthenticated user and we are going
31 00:02:44,680 --> 00:02:46,800 to download sensitive files from the machine.
32 00:02:46,930 --> 00:02:54,820 For instance, the /etc/passwd file, and if our attack is successful, then we will have an SSRF with impact on
33 00:02:54,820 --> 00:02:56,230 one of the applications.
34 00:02:57,750 --> 00:03:04,260 So it is practical time, and let's really jump on to the practical to see how we are going to
35 00:03:04,260 --> 00:03:05,070 perform this.
36 00:03:06,800 --> 00:03:13,130 Yes, so first you need to come to this GitHub repository, and after you are at this GitHub repository,
37 00:03:13,130 --> 00:03:19,560 we have to download this, so you can choose an option to download or also you can perform a clone.
38 00:03:20,000 --> 00:03:23,570 So I'm going to git clone it into my terminal.
39 00:03:23,780 --> 00:03:27,740 So I'm just going to type git clone and the link that we have copied.
40 00:03:28,760 --> 00:03:35,630 So it gives the error, which is "already exists and is not an empty directory", which means I already have
41 00:03:35,630 --> 00:03:41,830 this downloaded onto my computer. Now for you, I'm going to delete it and I'm going to re-download it.
42 00:03:41,870 --> 00:03:47,050 So let me just perform rm -rf to remove it forcefully.
43 00:03:47,060 --> 00:03:50,160 And now it has been gone from my computer.
44 00:03:51,140 --> 00:03:54,430 Now I'm just going to git clone again to download it.
45 00:03:54,440 --> 00:03:57,200 As you can see, the download has successfully completed.
46 00:03:57,830 --> 00:04:06,910 Let me just go inside the directory and you can see here is the file, which is gen_xbin_avi
47 00:04:06,920 --> 00:04:08,690 dot py, which is a Python script.
48 00:04:09,140 --> 00:04:10,760 So I'm going to just run it.
49 00:04:11,000 --> 00:04:18,860 And the format to generate your payload is to give file:///etc/passwd,
50 00:04:19,100 --> 00:04:23,150 which is the file that we need to download from the target server.
51 00:04:23,750 --> 00:04:29,210 Let's give the name of the output file that we want to get generated, and let's say we give the name
52 00:04:29,210 --> 00:04:31,920 as ssrf_out.avi.
53 00:04:32,030 --> 00:04:35,360 For instance, you can give any name that you want.
54 00:04:35,750 --> 00:04:37,730 Just remember to give the extension
55 00:04:37,730 --> 00:04:43,180 as .avi. Now you can see the file has been successfully generated.
56 00:04:43,910 --> 00:04:50,690 Now we are going to use this file to upload onto the target web application, so you can see this is a live
57 00:04:50,690 --> 00:04:53,690 website, which is files-conversion.com.
58 00:04:54,140 --> 00:04:59,000 And here this website converts the video file into other file formats.
59 00:04:59,570 --> 00:05:05,450 So we have generated our malicious file in the format which is .avi, and we are going to convert
60 00:05:05,450 --> 00:05:07,250 it to a format which is .mp4.
61 00:05:07,250 --> 00:05:11,020 And before that, a select file option is there.
62 00:05:11,030 --> 00:05:16,600 So I'm just going to click on that and it is going to ask me which file I want to upload.
63 00:05:17,300 --> 00:05:20,450 Let's quickly give the directory path of the file.
64 00:05:20,450 --> 00:05:26,000 As you can see, the file that we generated was ssrf_out.avi, and hit the Download
65 00:05:26,000 --> 00:05:29,620 Now button. As you can see, it is being processed.
66 00:05:30,320 --> 00:05:37,730 So what is happening in the background is the file has been successfully uploaded, which contains our
67 00:05:37,730 --> 00:05:40,900 payload, which is /etc/passwd.
68 00:05:41,420 --> 00:05:50,240 The back end engine is rendering that filename and the path from the file, and it is going to give us
69 00:05:50,450 --> 00:05:55,880 the file data in the newly rendered or converted file.
70 00:05:55,880 --> 00:06:01,790 As you can see, the result file is ssrf_out.mp4, which has been successfully generated.
71 00:06:02,330 --> 00:06:05,420 But on Firefox it says the video can't be played.
72 00:06:05,450 --> 00:06:07,400 Let's go onto Chrome and see.
73 00:06:08,000 --> 00:06:13,790 And when I paste it over here, we can successfully see the file is rendering and it is going to play,
74 00:06:14,210 --> 00:06:15,170 and perfect.
75 00:06:15,440 --> 00:06:23,420 We are able to see the content of the /etc/passwd file in our newly converted output file, which is
76 00:06:23,900 --> 00:06:24,710 ssrf_out.mp4.
77 00:06:25,340 --> 00:06:26,980 So I hope you guys understood this.
78 00:06:27,260 --> 00:06:34,520 So what has happened in the back end is the file got uploaded which contained the malicious payload,
79 00:06:34,520 --> 00:06:40,940 which is file:///etc/passwd; it got read by the back end engine.
80 00:06:40,940 --> 00:06:47,750 It got rendered and we are able to see the output of that file through the same .mp4
81 00:06:47,750 --> 00:06:49,340 converted output file.
82 00:06:50,000 --> 00:06:51,530 I hope you guys understand this.
83 00:06:52,190 --> 00:06:56,450 If not, you can ask it in the Q&A section and I would love to help you guys.
84 00:06:56,640 --> 00:06:57,560 Thank you so much.
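A defender-side check for the upload path the video walks through: this is an added Python example, not code from the video or from the GitHub repository it uses. It assumes, as a heuristic, that a playlist smuggled into a video container still carries M3U tags and a local or internal URI scheme (the video's payload references file:///etc/passwd), and the sample uploads are constructed inline.

```python
import re

# Heuristics (assumption, not from the video): M3U playlist tags and URI
# schemes that a converter such as ffmpeg would follow if it met them inside
# an uploaded "video". A legitimate .avi should not contain either.
PLAYLIST_MARKERS = (b"#EXTM3U", b"#EXTINF", b"#EXT-X-")
SCHEME_RE = re.compile(rb"(?i)\b(file|concat|subfile|http|https|ftp|gopher|tcp|udp|data):")


def is_riff_avi(blob: bytes) -> bool:
    """True if the upload at least starts with the RIFF/AVI magic a real .avi has."""
    return len(blob) >= 12 and blob[:4] == b"RIFF" and blob[8:12] == b"AVI "


def scan_upload(blob: bytes, declared_ext: str) -> dict:
    """Inspect an uploaded video before it reaches the conversion engine.

    Returns the playlist markers and URI schemes found, whether the declared
    extension matches the container magic, and an overall reject verdict.
    """
    findings = {
        "bad_container": declared_ext.lower() == "avi" and not is_riff_avi(blob),
        "playlist_markers": [m.decode() for m in PLAYLIST_MARKERS if m in blob],
        "schemes": sorted({m.group(1).decode().lower() for m in SCHEME_RE.finditer(blob)}),
    }
    findings["reject"] = bool(
        findings["bad_container"] or findings["playlist_markers"] or findings["schemes"]
    )
    return findings


def _avi(body: bytes) -> bytes:
    """Constructed helper: wrap a body in a minimal RIFF/AVI header."""
    return b"RIFF" + (4 + len(body)).to_bytes(4, "little") + b"AVI " + body


# Constructed samples: a harmless container, one wrapping a text playlist that
# points at file:///etc/passwd (mirroring the upload shown in the video, not the
# real generator's output), and a non-container renamed to .avi.
BENIGN_UPLOAD = _avi(b"LIST" + bytes(40))
SMUGGLED_UPLOAD = _avi(b"#EXTM3U\n#EXTINF:1.0,\nfile:///etc/passwd\n#EXT-X-ENDLIST\n")
RENAMED_UPLOAD = b"not a container at all"

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_UPLOAD), ("smuggled", SMUGGLED_UPLOAD), ("renamed", RENAMED_UPLOAD)]:
        print(name, scan_upload(blob, "avi"))
```

Run it on an upload before invoking the converter; anything with `reject` set should be dropped and logged rather than passed on, since the engine will otherwise follow the embedded reference exactly as the video shows.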