1
00:00:00,530 --> 00:00:06,110
So attack surfaces, well, they can be described best during development.

2
00:00:07,290 --> 00:00:13,830
So in other words, while developing, threats can be modeled and then the vulnerabilities will be prevented

3
00:00:14,100 --> 00:00:15,660
before coding is finished.

4
00:00:16,500 --> 00:00:18,690
Hmm, that's not always possible.

5
00:00:19,760 --> 00:00:26,300
So one of the things that I want to touch on here is just a little different than modeling threats.

6
00:00:27,630 --> 00:00:34,350
So before diving into web application attacks, I want to make it clear and help you to understand the

7
00:00:34,350 --> 00:00:35,360
nature of attacks.

8
00:00:35,760 --> 00:00:41,550
So I'll define three logical surfaces that are typically hit by attacks.

9
00:00:44,190 --> 00:00:49,420
OK, so hacking an application doesn't always happen through the application interface.

10
00:00:49,980 --> 00:00:50,610
What?

11
00:00:51,520 --> 00:00:51,890
Right.

12
00:00:51,910 --> 00:00:57,880
So as a pentester, you really need to focus on all surfaces while testing.

13
00:00:59,270 --> 00:01:00,500
So, the user surface.

14
00:01:01,620 --> 00:01:09,060
Users, of course, or maybe not, of course, but they certainly are the most important threat.

15
00:01:10,730 --> 00:01:17,360
Or you could also look at them as the weakest point in the security process. So the application itself

16
00:01:17,360 --> 00:01:19,430
can be very secure and work great.

17
00:01:20,410 --> 00:01:23,660
But if the users or administrators are careless,

18
00:01:24,380 --> 00:01:25,780
well, think about it,

19
00:01:26,110 --> 00:01:29,830
it's going to break the application consistency too.

20
00:01:30,750 --> 00:01:31,830
Server surface.

21
00:01:32,810 --> 00:01:38,010
So remember that applications need server software and a server computer.

22
00:01:38,690 --> 00:01:45,290
So if there are any vulnerabilities in these components, this can also break the consistency of web

23
00:01:45,290 --> 00:01:46,040
applications.

24
00:01:47,440 --> 00:01:56,260
Think of a vulnerability in the server software, such as a vulnerability in Apache or IIS. It can also bring

25
00:01:56,260 --> 00:01:57,850
down your application security.

26
00:01:58,800 --> 00:02:00,120
Application surface.

27
00:02:01,670 --> 00:02:04,460
This surface is the application itself.

28
00:02:05,620 --> 00:02:13,360
So the problems on this surface will generally be caused by bad coding habits and vulnerable libraries. Let's

29
00:02:13,360 --> 00:02:15,400
take, for example, SQL injection.

30
00:02:16,180 --> 00:02:20,800
So it's caused due to lack of proper input validation.

31
00:02:21,830 --> 00:02:28,340
So I'm not going to categorize everything and just, you know, make it difficult to grasp, but when

32
00:02:28,340 --> 00:02:32,570
you're testing, these surfaces are going to guide you to shape an attack.