[00:00:12] Hi and welcome back to another episode on How to Hack. So over here I have the Open Web Application Security Project running. So this is, again, a vulnerable web application server that we will be doing a penetration test on. And what we are going to do today is really to understand all of the process and the logical steps that take place, doing a normal registration, doing a normal checkout, to understand the entire customer journey.

[00:00:41] So when you are entering a website for the first time, you do not go ahead and start unloading all of your payloads and pushing all your payloads and using all those different security scripts that you have created and start injecting them onto a site. That is not the first thing to do. The first thing you do is to map out the entire site. And how do you go about mapping out the entire site? How you do that is by going through what a normal user would do, using a customer journey perspective, understanding where the places are, the pages, the technology, the checkout process, the user registration process. What are the scripts? You are trying to gather as much information as you can and understand and comprehend how the entire website was built. So what do I mean by that specifically?
[00:01:31] So, for example, if I go onto the top right corner and I click on Account and I click on Login over here, I can click on "Not yet a customer?", so I can zoom in a little so it's easier for you to see, so I can register an email, for example. I can just enter an email address and I can enter the password, so I can go ahead and create the user. So what we're trying to do here is to understand the whole process for a normal user: a normal registration, a normal login, a normal checkout. And we can look, of course, and try to identify the areas where there could be some missing steps. There could be some places where they could have written the code poorly or incorrectly. OK, so let's choose the security question. And of course, we can enter the answer and we can click on Register. So of course, this registration completed successfully. You can now log in. So let's go ahead and log in to the site.

[00:02:30] So again, we are logging into the site and we are just trying to have a look and feel of how the whole navigation process works. And I can click on Add to Basket. So in a previous tutorial, we actually went into the web developer tools and we looked at all the application programming interfaces that were being called.
[00:02:50] So over here we can just continue clicking at the basket and so on while we try to understand how it works, so we can click on Your Basket and we can see that we have two items, so we can go in and click on Checkout and we can add a new address, for example, so I can enter, say, Singapore. I'm from Singapore, and I can enter my name, mobile number. So I'm just going to give something, you know, whatever. So we're just trying to fill out the information since this is a test environment, but of course, in an actual penetration test you want to fill in details as though you are a real client, as though you're a real customer coming to the site, doing a checkout, trying to understand the whole process for the site. So City, again, I want to put Singapore, Singapore again, and click on Submit.

[00:03:34] OK, so once we have added all this information in, OK, I can click on Continue. OK, so we are seeing all this information being placed into the database, but of course we do not know what kind of database they're using. It could be on Microsoft SQL, it could be on MongoDB, it could be on PostgreSQL. We're thinking, we're analyzing, we're trying to go through that process to know what kind of database they could be using. OK, so we can identify that based on certain behaviors coming from the web page. All right.
[00:04:07] So let's say, for example, standard delivery, click on Continue. And of course, we have a wallet balance. We have a coupon. We have payment options. We can click on credit card, for example. We can click on all these different details. And again, we are seeing all these different data. So let's go ahead and, for example, add some credit card details. So, again, I want to add sixteen digits, all right, as part of the credit card. All right. So we got sixteen digits, so we can just select the expiration date, month and all those different details. Click on Submit. So we got a card ending in 5678 that has been saved. All right. So we can see all those details. All right.

[00:04:51] So we got all this data, all this information, so we can review this order before it is being finalized. Check on that. And the moment you click on this, we realize that the Continue button is now enabled. So let's go ahead and click on Continue so we can see the delivery address. We can see the payment method and we see all this data, so let's go ahead and click Place Your Order and Pay. All right.
[00:05:16] It says thank you for your purchase. You can do a status update on Track Orders, your order will be delivered. So we see all these details, all this data, and we can see there is a button over here. So this is for Twitter sharing. And we have another button for the order confirmation, so we can actually click on that. And this creates an order form. So sometimes these order forms are being hosted inside the web application server. So the web application server could create files and it could create them in a particular folder. And in this case, for example, if I go under the URL, all right, so we can see from the URL, so I can actually turn on a magnifier so it's easier for you to see. So let me turn on the magnifier for you.

[00:06:03] And we can see over here we have the IP address, OK? And we have the port number and we have the URL. So we've got FTP. So let's go ahead and go into this particular URL. Let's see if we can find anything. All right. So we backspace on it and hit Enter and we realize we're in, we're inside a folder that is being used to store information, and we can see this order over here. If we click on that, this was the order that we had. OK, this was the order that we had.
[00:06:39] And if I go back onto the web page and I actually log out from this page, OK, if I go to Login, I can do a SQL injection that we have done before in one of the tutorials, where I use a semicolon or "one equals one". All right. So we use a single quote, "or one equals one", followed by a semicolon, and just enter anything for the password. Click Login. So now I'm logged in with the administrator account, and likewise we were at FTP, right? So let's go ahead and go back to FTP, and are we still able to access it? And the answer is yes. The answer is yes. We can see someone else's order inside the site.

[00:07:22] So without even beginning our discovery of the directories inside the site to map out the site, we already quickly identified one of the misconfigurations on the web application server, which is that they allow users to actually explore the directories inside the server. OK, so this is definitely a misconfiguration. All right. So anyone with access to this site will be able to access this particular folder, FTP. So this, again, is going to be just one of the tutorials that we'll be expanding further as part of a web application penetration testing series. So, once again, I hope you've learned something valuable.
[00:08:06] And if you like what you've just watched, remember to like, share and subscribe to the channel so that you can be kept abreast of the latest in cybersecurity. Thank you so much once again for watching.
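The directory-listing misconfiguration found at the end of the walkthrough (a server that renders an index of a folder such as the one holding order confirmations) can be checked systematically rather than by backspacing a URL. The following is an added example, not code from the video or from the OWASP project. Network access is delegated to a caller-supplied fetch callable so the module runs offline against constructed responses; the "Index of", "Parent Directory" and "listing directory" markers are assumptions about how common Apache, nginx and Express auto-index pages render, and the fallback heuristic (several same-directory links and no form) is a best-effort guess, not a guarantee.

```python
"""Check candidate paths for an exposed directory listing (auto-index page).

Added example, not the video's or OWASP's code. Network access is delegated to a
caller-supplied fetch(path) -> (status, content_type, body) callable so the
module runs offline against the constructed responses below.
"""
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], Tuple[int, str, str]]

# Assumed signatures of common auto-index pages: Apache/nginx ("Index of /x",
# "Parent Directory") and Express serve-index ("listing directory /x").
LISTING_MARKERS = (
    re.compile(r"<title>\s*index of\b", re.I),
    re.compile(r"\blisting directory\b", re.I),
    re.compile(r"parent directory", re.I),
)


class _LinkCollector(HTMLParser):
    """Collect href attributes of <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def listed_entries(body: str, path: str) -> List[str]:
    """Names of links that point at entries directly beneath `path`."""
    collector = _LinkCollector()
    collector.feed(body)
    base = path.rstrip("/") + "/"
    names: List[str] = []
    for href in collector.hrefs:
        if href.startswith(("http://", "https://", "mailto:", "#", "?")):
            continue  # off-site links, anchors and sort links are not entries
        if href.startswith("/"):
            if not href.startswith(base):
                continue
            name = href[len(base):]
        else:
            name = href
        name = name.split("?", 1)[0]  # drop sort/query parameters
        if name in ("", ".", "..", "./", "../") or name.startswith("#") or "/" in name.rstrip("/"):
            continue  # skip self/parent links and deeper paths
        names.append(name)
    return names


def is_directory_listing(status: int, content_type: str, body: str, path: str) -> bool:
    """True if the response looks like a server-generated index of `path`."""
    if status != 200 or "text/html" not in content_type.lower():
        return False
    if any(marker.search(body) for marker in LISTING_MARKERS):
        return True
    # Fallback heuristic: a page with no form and several same-directory file links.
    return "<form" not in body.lower() and len(listed_entries(body, path)) >= 3


def check_paths(fetch: Fetch, paths: List[str]) -> Dict[str, List[str]]:
    """Map each path that exposes a listing to the entries it reveals."""
    findings: Dict[str, List[str]] = {}
    for path in paths:
        status, content_type, body = fetch(path)
        if is_directory_listing(status, content_type, body, path):
            findings[path] = listed_entries(body, path)
    return findings


def http_fetch(base_url: str) -> Fetch:
    """Build a live fetch() over urllib for an authorized target (not used offline)."""
    import urllib.error
    import urllib.request

    def fetch(path: str) -> Tuple[int, str, str]:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "dir-listing-check"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.getcode(), resp.headers.get("Content-Type", ""), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.headers.get("Content-Type", ""), ""
    return fetch


# Constructed responses standing in for a server; not captured from a real site.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str, str]] = {
    "/ftp/": (200, "text/html; charset=utf-8",
              "<html><head><title>listing directory /ftp</title></head><body><ul>"
              '<li><a href="/ftp/">.</a></li><li><a href="/">..</a></li>'
              '<li><a href="/ftp/order_1234.pdf">order_1234.pdf</a></li>'
              '<li><a href="/ftp/order_5678.pdf">order_5678.pdf</a></li>'
              '<li><a href="/ftp/readme.md">readme.md</a></li></ul></body></html>'),
    "/": (200, "text/html",
          '<html><body><form action="/rest/user/login"><a href="/#/login">Login</a></form></body></html>'),
    "/uploads/": (403, "text/html", "<html><body>Forbidden</body></html>"),
}


def demo() -> Dict[str, List[str]]:
    """Run the check against the constructed responses."""
    return check_paths(lambda p: SAMPLE_RESPONSES[p], list(SAMPLE_RESPONSES))


if __name__ == "__main__":
    for path, entries in demo().items():
        print(f"directory listing exposed at {path}: {', '.join(entries)}")
```

For a live target you are authorized to test, swap the lambda for `http_fetch("http://host:port")` and pass the candidate directories you collected while walking the customer journey (every path segment seen in URLs, script sources and download links); the function only flags 200 HTML responses, so a 403 or a redirect to the single-page app front end is correctly reported as not listing.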