Alright folks, we've reached the end of the last class of the semester. Right now it's sad and happy. So if you didn't get the email: please, if you have a laptop, put your laptop out, download Docker and get that running on your computer, because I'm going to go over probably 15 minutes of talking about the web and web vulnerabilities, and then we'll start playing with a realistic web application that has known vulnerabilities, and we will try hacking it as a group. It should be fun.

So, one key aspect we haven't discussed yet about HTTP, the protocol. What were the elements of an HTTP request header? What were some of the things that were required there? The version, what else? The version, the type of request, the method, the host, so you have a host name. What else? The URL? The URL, like /index.php, whatever you want to hit. The version number, and then the header that we saw that was required is the Host header.

The question is, when you visit, let's say, facebook.com or google.com, how does it actually know who you are? How does it know that you're the same person that made a request a week ago? So what information does the server have to identify you, in what we just said, based on the method, the URL, the host that you're accessing, and the version? A little bit more: they also have the IP and TCP information, so they know your IP address, the source IP, and the source port. But in a big network like ASU's network, we're all actually going out behind a single NAT device, so our IP address would be the same; if a website was using that to identify you, that would be very bad. They probably know what OS you're using and what you're using? Possibly, depending on the User-Agent field, but that's an optional header; it doesn't have to be sent.
The key problem is, how can you make a complex, really cool web application if the web server acts like somebody with amnesia? Every time they see an HTTP request they go, oh, new HTTP request, great, here's the page you're looking for, and then you click on a link and they go, oh, a new person I've never seen before, here's that page you want, right, continually over and over again. This is actually a nice thing about HTTP: because it is stateless, it's nice in the fact that it's simple. The downside here, though, is that with most applications you interact with, you want to create a session with them to interact multiple times, so you can log into the application and then they can give you access to different things based on who you are in that application, right, all the things we talked about regarding authorization and authentication and access control. But with HTTP there's actually no built-in mechanism to do that.

So we need something that allows us to do authentication, and there's three main ways this is done. You can kind of fake it by basically saying, when you access my site I'll put some hidden information in every URL on that page I generate just for you, so that way when you click any of those links that will get sent back to me. The main way, though, is this is done using cookies. So what are cookies, besides delicious? Yeah, so just like a little tip, and go to the store, like with the browser and everything. Yeah, so the idea is basically the website needs to have some way to ask the web browser, hey, store this little bit of information, and next time you talk to me use that information so that I can identify you.
So cookies are basically name-value pairs. The server will add a Set-Cookie header in the HTTP response in order to ask the browser to save this information, so you can set a cookie of user=foo, and then the browser will, on each further request, add a Cookie header that will have this cookie. That way I can say, hey, you're user foo, and every request that you make I can look at this cookie value to see what user you are. Servers can set multiple cookies. If you do something like curl google.com you'll see that they actually ask you to set these really complicated cookies here, and these are actually pretty complicated: there's all types of things you can do in here about setting how long the cookies are valid for, what path of the web application they're valid for, so on and so forth. We're not going to go into all of these details. So the user agent is supposed to follow all these directives to expire cookies when they're expired, restrict cookies, but the browser can delete them anytime. Has anybody cleared out their cookies from the browser before? Never? You've never done that? You clearly never call the support line, because that's like the first thing they tell you to do, and you're like, this is dumb, there's no way this is gonna actually do anything. This happened to me like last night.
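As an added illustration (this is not code from the lecture or from WackoPicko), here is the Set-Cookie / Cookie exchange just described, together with the forgery problem the lecture goes on to discuss: a plain user=foo cookie can be edited to user=admin by whoever holds it, so the server should bind the value with an HMAC and verify it on every request. The function names, the cookie layout (value, a dot, then a hex HMAC-SHA256 tag) and the server secret are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed example key: in practice this lives in server configuration, never in code.
SERVER_SECRET = b"example-only-server-secret-change-me"


def make_cookie_value(user: str, secret: bytes = SERVER_SECRET) -> str:
    """Return a 'user' cookie value of the form <user>.<hex HMAC-SHA256 over user>."""
    mac = hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def set_cookie_header(user: str) -> str:
    """The Set-Cookie header the server adds to its HTTP response.

    HttpOnly keeps page JavaScript from reading the cookie; Secure limits it to HTTPS.
    """
    return f"Set-Cookie: user={make_cookie_value(user)}; HttpOnly; Secure; Path=/"


def parse_cookie_header(header: str) -> dict:
    """Parse one request header such as 'Cookie: a=1; b=2' into a dict."""
    _, _, body = header.partition(":")
    cookies = {}
    for part in body.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def verify_cookie_value(value: str, secret: bytes = SERVER_SECRET):
    """Return the user named in the cookie if its tag verifies, otherwise None."""
    user, sep, mac = value.rpartition(".")
    if not sep:
        return None            # unsigned cookie, e.g. a hand-written 'user=admin'
    expected = hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the expected tag through timing differences
    if not hmac.compare_digest(mac, expected):
        return None            # the name was edited but the tag was not re-computed
    return user


def user_from_request(cookie_header: str):
    """What the server may trust: the authenticated user, or None for missing/forged cookies."""
    value = parse_cookie_header(cookie_header).get("user")
    if value is None:
        return None
    return verify_cookie_value(value)


if __name__ == "__main__":
    print(set_cookie_header("foo"))
    honest = f"Cookie: user={make_cookie_value('foo')}"
    forged = honest.replace("user=foo.", "user=admin.")   # tampered name, same tag
    print(user_from_request(honest), user_from_request(forged))
```

The tag only proves the server issued this exact value; it does nothing against a stolen cookie being replayed by someone else, which is why the lecture's "someone could steal this cookie and log in as you" point still stands and the HttpOnly and Secure attributes matter.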
So what's the key? When the web server gets an HTTP request with a Cookie header, what security guarantees does it have about that data? Think about it this way: I'm a web server, you're a browser. You send me an HTTP request, and in my response I say, hey, Set-Cookie: user=foo, and then the next time you make a request you send this header, Cookie: user=foo. What security guarantees do I have about that data? None. What does that mean? So break it down. Fundamentally, I have absolutely no trust in this data, right? This cookie data, you as a user could change it from foo to admin, and it's still the same as it comes to me: all I see is user=admin, and so I go, cool, you're an admin, that's nice. You could give this cookie to somebody else. Somebody else could inject malware into your computer to steal this cookie, and so they can then log into the website as you. So using cookies in real life is actually quite difficult, and you need to either encrypt some value here or use an HMAC or one of the other things that we talked about, at least so that users can't forge their own cookies and create their own cookie values.

So now that we have this, we can actually build web applications. Previously when we talked about this we had the client, the browser, and some web server, and the client makes an HTTP request to the web server. But now, instead of the web server just sending back static HTML content, we have some backend web application that the web server talks to and says, hey, here's this request, and the web application's job is to generate HTML, which the web server will then send back in an HTTP response.

So, how do you rob a bank? I don't need guns. If you use guns then you're just helping your sentence when you get caught. How do you rob a bank? Does anybody watch the movies? Ever? Stick up the teller. Stick up the teller, that's the first thing you do. Yeah, so you've performed some kind of
reconnaissance, right? You say, who works at the bank? You try to identify every single person who works in that bank: what's their role, who's the bank manager, who has keys at the bank to the vault. If you just stick up the teller, the teller's gonna be like, I have a hundred dollars, what do you care, take this money, and then go to jail, like they don't care. What you want is that money that's in the vault. They need to know who has keys to that vault, and even more so, when are they working? Because if you rob the bank when the manager's not there and doesn't have the keys, you're not gonna have a... well, at least your reward is gonna be much smaller. What's the guard schedule like? When do they take a break? When do the guards change? Why is this important? Why is this useful information in your bank robbery? Well, you try to find a time when you're gonna have the least amount of resistance to what you're doing, so if it's during the guard changes it could be a time... yeah, or maybe you have some of the guards on your payroll, and so you know that the other one always takes a break at a certain time of day, so you can target that time. What does the layout of the bank look like? I guess, seeing Ocean's 11, they like build a replica vault. That's exactly what they're doing here, is building the layout of the bank so they know it like the back of their hands and know where everything is, right? What does the vault look like? What kind of lock does the bank use? What kind of security mechanisms are in place? How does the bank's alarm system alert the police when they're being robbed? How does that work? Can you cut off that communication? All kinds of stuff. And this is actually, even in the movies, you know, they show it as like a montage sequence, but they're like sitting across the street at a coffee shop with like sunglasses and a newspaper seeing who works there. But it's a very critical part, because if you don't understand the bank you won't actually be able to
successfully infiltrate it, right? And the other steps kind of vary: you build some kind of crazy plan, everything goes wrong, and you probably end up in jail, as in most of the movies, or somebody turns you in or something. Usually you don't get the step for free, so don't cut things.

But the question is, can we use that mentality to rob a web application? When we think about that we're thinking about penetration testing, and how can I find vulnerabilities in a remote website? The steps are actually almost identical. You first perform reconnaissance: you want to understand as much as you can about what that application does and how it functions. How does the application work? Are there user accounts? Do those user accounts have different privileges? How are the privileges enforced? Maybe you can get around the privilege enforcement. What does the layout of the web application look like in terms of URLs? Does the URL structure have something, does it have like a /users or /home, and maybe you think, oh, what if there's a /admin that happens to be wide open? What URLs should only be accessible by a certain privilege?

So this is actually a pen test I did a while back. It was on a website that handled credit card transactions, and so you could see your history of all the credit card transactions that happened for your business, and what they used was a PDF, and there was just an integer number in the URL, for whatever, 1000.pdf. So we're like, hey, what happens if we put in 1001? And it showed us somebody else's bank statements and credit card transactions, and so we were able to enumerate that to get all the transactions from the last, like, six months to a year that that company had ever processed. Yeah, I mean, they're happy that we found that, but they were a little bit sad that that happened. But if you don't understand the application you won't understand what happens when you mess with things. This is why I think, in one of the
first times I did like a challenge type thing, where you have access to the server and I say, if you get root you get a bunch of extra credit points, I had some students that didn't quite understand what that meant, and so they did like ls -la / and showed me like, look, I can see the root of the file system. That's where you need more reconnaissance to understand the application. Like, should you be able to see the root of the file system? Yes, otherwise you won't be able to do it. What's the input? What's the output? And actually a thing that you're trying to do is understand how this web application was probably written. This is why oftentimes some of the best pen testers are former web application developers: they developed applications, they understand what are the things that I would be lazy about doing when I wrote this web application, so you can kind of think, oh, did they check this thing, because I know that's always a problem.

Then your next step is to develop some kind of vulnerability hypothesis. You want to think like a scientist, right, not like a robber. You're trying to think, so for instance going back to the example, huh, what would happen if I change this ID number? Would it show me somebody else's credit card statement or not? And so then you want to test that hypothesis. Actually, the first time we did this, we have like a URL with an ID of a thousand, and you tried a thousand and one and it gave you a 404 error message, and so the hypothesis was, oh, that would give us somebody else's credit card statement, but it gave us a 404. Now the question is, okay, what do we actually derive from that hypothesis? Well, it could be either that it's not vulnerable, or it could be that there exists no report with the ID 1001. So we tried up to, I think, like 10010, it took like five or ten, and then we hit some PDFs that were not ours, and so we're like, yes, this is awesome, this definitely works. So you develop some exploit and then you profit, because you
need to not only be able to say, hey, I... you know, there's a big difference between saying I think there's a vulnerability here versus saying there is a vulnerability here and here's an exploit. Like, what we showed them was, hey, here's all your credit card processing reports of all these different companies for the last six months. They're like, okay, that's a good thing. My advisor tells the story: they were doing pen testing for a bank, a web application for a bank in Brazil, and they were hired by kind of like a middle manager, not a super higher-up, because the company didn't really care about computer security, but this person who hired them did. And so what they did is they went into this meeting and basically knew who was going to be at the meeting and told each of them their bank account information, like how much money they had in their account at the bank. And that definitely woke them up to the fact, like, oh. Not like, oh, you have a SQL injection in your application, blah blah blah, technical jargon, blah blah blah. They were like, no, these are your bank accounts, and by the way, if we wanted to we could transfer that money to our accounts. And so that's why developing an exploit is an incredibly important part. And then the profit is mostly in terms of, if you're doing this as a profession that's part of your job; if you're doing it on the side you should only be testing websites that have bug bounty programs, so you can do so successfully without actually going to jail.

Well, I suppose I'm missing a slide; there should be a slide about how to do this without going to jail. So you don't want to end up like these people and go to jail. You want to actually make the world a better place by fixing security vulnerabilities and getting rewarded for that. So the short version is: don't hack anything that you don't have permission to hack. So you can hack into my server because I gave you access and I gave you the okay to do so. If you're pen testing you need a letter from the company, signed,
which is called your get-out-of-jail-free card, that says that they hired you for this, in case anything happens. That's kind of your ticket out. The bug bounty programs now are awesome: there's HackerOne, there's Bugcrowd, many popular websites have bug bounty programs and say, hey, if you abide by these rules we'll pay you if you find something, as long as you tell us about it and don't violate these rules. So Facebook has that. Facebook will even give you an entire fake Facebook network to work on, like a fake test network, so you can create accounts and try different kinds of attacks out.

So when we're thinking about reconnaissance, we need to think in terms of injection vectors: thinking about what are all the ways that attacker-controlled input can make its way into the web application, so any place where user input goes into the application. From what we've looked at, what are some examples? What was that? Login. So form data, any data coming from a form. What else? The URL itself. The attacker can make this... actually one of the key things that's different about a web application versus a traditional binary is you can access any URL at any time, right? It's up to the web application to stop you. Whereas with, let's say, an Android app, you can't just force it to go to some page that's not currently up in the GUI, right, it doesn't make sense to think about, but with a web application you could try to request any possible URL. So query parameters, the path, POST parameters. Anything else? Cookies, yeah, we just saw cookies. Literally any header data, so all the header data that we send. We didn't talk about the Referer header, which if you look very closely is misspelled, but this is a header that tells you what site you came from, so that a web application knows kind of where you came from. Sometimes this data goes into logs that are viewed by admins, which could have SQL injection or cross-site scripting vulnerabilities with them, so this is
another place. Any files you can upload. Maybe even other websites. So this is part of that reconnaissance phase, understanding what does the web application touch and where does it get data from, right? So you see, oh, this web application is using some tweets, and wow, it's not using like an iframe, it looks like it's pulling those tweets in from a backend somewhere. What happens if I try getting tweets in there that are malicious somehow, and I could change the data? Emails, all this kind of stuff.

So we're gonna start playing with WackoPicko. WackoPicko is an intentionally vulnerable web application that I did for my master's project at Santa Barbara, and the idea is it has got, actually I don't know, I think it's 16 different vulnerabilities inside of it, spread throughout, different types of vulnerabilities and also behind different types of crawling challenges. The idea was to test how good our automated vulnerability analysis tools are. There exists a whole category of tools where you point them to a URL, you click go, and they'll try to find all vulnerabilities in that URL. So once you have this test site with known data, you have ground truth, and so we can test and see how well the scanners did. The scanners did horribly: let's see, total, they didn't find more than 50% of the vulnerabilities, and that's the group, like all scanners unioned together, and a single scanner didn't find more than 40% of the vulnerabilities. So it was very interesting results.

So we're gonna play with this. If you've got Docker you can run this Docker command and then access it here. How many people successfully are able to install and run Docker on their system? Then you can run this command and then access the URL. Just look at those, cool. Alright, has anybody been able to do it on Windows? There's like weird steps on Windows with the forwarding. So I think it's probably enough of you that it's nice. So the problem is I stood up one instance
that's publicly available, but basically you'll all have access to that one instance, and so when one of you messes it up it's gonna be messed up for everyone and I have to reset it. So it's super annoying to do that. This is great, because when you can get this to run you can just run it locally and test to your heart's content. So it's the website. If you get it up and running and you can access it here, you should play with the application, because we're gonna take about 10-15 minutes to play with the application, then come back together and talk about what does it do, right? So think about that reconnaissance step; we want to do that. For everyone else, you can use this URL I stood up. I didn't give it a domain name, but make sure you can go here to get to this page and start playing around.

Do you need the Docker stuff too? These are the Docker commands. The top one is the Docker command and the bottom one is where you go. I'll show you here, it's basically there and you can see the whale. Quick question: if I've got the Docker run, then I would be using my... the URL, right? Look back a little. That would be the localhost, yes, yes, yes. If you want to see the traffic, yeah. The Docker thing won't like tell you that it's ready, but it does something like this, it's like, hey, I've started this, actually a supervisor, it doesn't matter, but it's running.

All right, this means the reactor's been breached. Okay, so let's discuss. What do we know about WackoPicko? It's a PHP application. How'd you find that out?
Could be a PHP application. We actually didn't talk about it, but you can basically move URLs around, so it's not actually PHP, but yes, that would definitely be a good indication that it's executing. Anybody else? Application... let's wait on that, we'll separate functionalities from vulnerabilities, but we know as part of functionality that there's an admin console, right, a different part of the application. Yes. Interesting, okay, so we definitely know it's PHP. On which page? If you go... okay, so we have this admin link here, so we see there's an admin area. What else do we know about this application? What did it do? Images. What about images? You have to log in. So how do you create an account? Register. I can say foo, bar, password foo, create an account. So, upload pictures, I can look at pictures, I can... what else can I do? What was that? You can buy pictures, you can add them to your cart and then you can remove them, you can continue to confirmation, you can purchase them. Look at all this, I'm so rich. What else, anything else? We're in which... oh, you're uploaded here, yeah, interesting. So yeah, it's more, yeah, the reconnaissance. You're trying to think about like URL structure, so we'd want to verify somehow that this is our user ID, right? But who's our user ID that we just created? Purchase does not have that, which is kind of interesting. There's a guestbook, cart, it has a logout functionality, thanks. You can log out, log back in, log in as foo, a search. All right, definitely.

So there's two main web vulnerabilities
we're going to learn about today. One is SQL injection, the other one's cross-site scripting. SQL injection is more serious in terms of, when you have a SQL injection, as we'll see, the capabilities it allows the attacker to have are pretty significant, but they're not necessarily as prevalent; cross-site scripting is much more prevalent. The idea is actually SQL injection comes back to what we talked about regarding altering parsing. So web applications usually store state, instead of in the file system, in some kind of database. SQL injection can allow somebody to steal all the data in your database, alter your database and change the contents of your database, or bypass the login. So you can see here, really, I mean, confidentiality, integrity with altering the database, and there's actually a third one where sometimes they can delete your data, so that would be availability. Really, really bad vulnerability.

The problem is fundamentally that the web application, so we saw that component in our diagram, this PHP code, is generating SQL queries to send to a SQL server using some code that looks like this. We didn't go through all the syntax of PHP, but everything in double quotes is a constant string. This is your PHP; concatenation is with a dot operator, which is super annoying. But you have SELECT * FROM users WHERE id = and then a single quote, and then concatenate that with whatever is in an id parameter, and concatenate that with a single quote and then a semicolon. So what's this used for? Let's say, for instance, like in our nice example we found of our purchased pictures, right, maybe trying to figure out what are all the pictures that this user has purchased. So if the id is, let's say, 10, right, the PHP application is just concatenating strings, right? This is what you've been doing since learning Java and C and everything. It's literally just putting bytes together, right?
So the result from the PHP side is going to be SELECT * FROM users WHERE id = '10'. Now when the SQL server sees these bytes it has to interpret this and say, what SQL query did the developer want me to execute? And so it parses it, right, it parses it according to the syntax of a SQL query and it interprets it based on the semantics. So that's what this coloring is. It's gonna basically say, oh, it's the SELECT keyword, so select all columns from the users table where the id column is equal to 10. And so the SQL server will be like, great, I know how to do this, this is a valid SQL query, I'll query the users table and return everything where id is equal to 10. And what did the developer... based on this first line, what's the intention here of this query? Yeah, I mean, if you look at it at a high level what it's looking for is: give me everything in the users table where the id column matches the specific value, and if we assume that ids are unique, this should only ever return one value, or one row, right?

Now what happens if we put something else in here? What happens if, let's say, we put in the id as -1 or 1=1? So what's gonna happen in the PHP code? Does this fake PHP code do anything different than it did in the previous case? No, it's just concatenating bytes. The idea is it's concatenating this constant string with whatever this id is, with this final constant string. So we'll get this value, which is going to be SELECT * FROM users WHERE id = '-1 or 1=1'. So then the SQL server looks at this, parses it. Is this a valid SQL query? For people who don't know SQL: yeah, it's a valid SQL query, it's a hundred percent valid. What is this probably going to return? Nothing. Those are two very different answers, so we want to go in the middle, like half of the things, every other thing. So which one's correct?
Where 1=1 was true? How do people know? So SELECT is a keyword, the star is the columns, FROM is a keyword, users is a table name, WHERE is the keyword, the equals sign is part of the WHERE clause. And then what's this? Yeah, so just like in your programming language, if you have characters enclosed by single quotes it's going to treat all the bytes in between those single quotes as a string. So would you expect, let's say if you had a single-quoted string in like Java code, that if you had -1 or 1=1 in it, that would somehow evaluate to true? No, right? These are just bytes. Right, it's tricky because it looks like it should evaluate to something. The problem is that syntactically SQL will treat everything that's inside of single quotes as one string value, so it's going to say, are there any rows in this users table where the id column is equal to the string "-1 space or space 1=1"? That will probably return what? Nothing, it'll probably return no results.

But now what if we put in id = -1 single quote or 1=1? So again, right, the key thing to keep in mind is the PHP side is just concatenating strings together. So it's going to concatenate strings together and go SELECT * FROM users WHERE id = '-1' or 1=1 '; and so how is it going to parse this? Yes, your intuition is correct, because it's going to be just like a programming language: if on a line you have three single quotes, the first two capture, right? So you have '-1' or 1=1 and then a tick. But we can see here, before that point, the color of this OR has changed. Why is that? It's a keyword, and it's outside of single quotes, right? So now the SQL server is interpreting that differently. And where did this final single quote and semicolon come from? It came from the PHP code, exactly this last part. So can we influence that?
Magically get rid of it? Yes, we can deal with it, but the question is, can we just eliminate it somehow? No, because we can't magically get PHP to execute some different code; it's going to concatenate these three things together, right? So no matter what we put in for id, the first part will always be SELECT * FROM users WHERE id = ' with a single quote, and the final thing appended will always be a single quote and a semicolon. But yes, we can do all kinds of fun things. One fun thing is we can use the comment character in SQL. SQL has a comment character, either dash dash or a hash mark, and so now when the string is passed to the SQL engine, strings concatenated together, interpreted, now everything after the hash is interpreted as a comment, which means we don't care about it for parsing purposes. So now how many rows is this one going to return? This id = '-1' will probably fail, but we have or 1=1, so that clause will evaluate true for everything in the database. And we can even do super fun stuff: we can put something like DROP TABLE users after here, and depending on the settings of the SQL server and the programming language, both of these SQL statements can be executed, so we can do a SELECT and then delete your entire users table. So I really hope you have backups, because otherwise you are gonna have a bad time. We can even insert, so we can inject new queries to insert into the admin table a new username and password.

So the way to look for this is... the key concept here is that our input in a SQL query should never influence the structure of the query, right? The problem is our input's going inside of single quotes, which means it should never be possible for the SQL server to interpret our data. We could be smarter in some sense and include that... we have to deal with it somehow. Alright, so how do you look for these things?
Well, you can either try to do it passively: if you put in, actually, 1+2, the SQL server will interpret that as 3 if it's interpreting that as code. The main way to do it is to look for errors. So this was actually one of my very first jobs as a programmer, doing this like social network startup thing. The funny thing was we deployed and we had a bug report that came in because somebody whose name, I don't think it's O'Malley, but it was a name like this that had a single quote in it, completely broke the site, and this person who couldn't log in could see their pages reading error messages. I fixed it eventually, but looking back on it, it was a horrible, horrible SQL injection vulnerability. So you can use names like these to actually try to trigger errors, because a well-coded web application should never... I mean, never error depending on your input, right? It could tell you your input is not acceptable, but it shouldn't trigger an error.

So where could it be possible? Where could a SQL injection be possible? What has to be involved? Database. The database is literally in the name, SQL injection, right? So you just explored this whole application, you see all these pages, you see all these parameters, all these form fields. Which ones do you test first? Well, you test which ones are likely touching the database, or which ones do you know have to be touching the database? So let's look for a SQL injection vulnerability. We want to cause this crash. So we'll do three minutes. So, guys, exploration: make it crash. Randomly typing on a keyboard, we should be able to find some vulnerabilities, right? Or even not; you're much better than random monkeys. Everybody find anything? Hmm, so how did you do it?
So what do we think this is doing then? Let's log out, let's go to the login page. foo'bar, password. So everyone gets that? See the error message, right on the login: it's saying, you have an error in your SQL syntax, check the manual that corresponds for the right syntax to use near bar' and `password` = SHA1(CONCAT(password, salt)) LIMIT 1 at line 1. So this would be the smoking gun that tells us, man, there's probably a SQL injection vulnerability here. The question is, so what can you do? So when we did 1' or 1=1 #, so everyone tried, you want to try that? So should this log you in? Right, if we think about our authentication, there's no user with the username 1' or 1=1. Maybe there is, but that's a separate issue. Okay, but we log in, and we get to sample users, so don't remember this site, and we go to uploaded pictures. What's our user ID? One. So likely what happened is... let's go back to the login page. Well, first we did 1, which means it'll show us the user? No, it'll return all users. What we just did, do we think this would work? Previously we just logged in as the first user, right, presumably because what we're doing is essentially returning every user in the database and the code is just choosing one, the first user. But if we wanted to try to, let's say, log in as user three? No, it works for two. Well, I should have used that. There we go, we got in. I didn't know that that was gonna work. Ah, there is no user three. There we go. Cool, yeah, so we found one SQL injection. Everybody find anything else? There definitely is one somewhere else, I just don't know off the top of my head where it is. That's why we're relying on all of you. I don't know, I have to look at the code. All right, cool. So now we can play with SQL injection, we can do other types of stuff, we can try to steal data. Let me see.
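As an added, runnable illustration of the SQL injection mechanics from the slides above and of the login bypass just demonstrated (this is example code, not the lecture's PHP and not WackoPicko's code): the same id lookup and login query built by string concatenation next to the parameterised versions, run against SQLite with constructed sample users. Assumptions: SQLite instead of MySQL (so the comment marker is the portable `--`; the `#` the lecture mentions is MySQL-only), a constant salt, and the function names below. The vulnerable functions return extra rows for the lecture's `-1' OR 1=1 --` style input and raise a database error for a name like O'Malley; the parameterised ones treat that input as an ordinary string, which is exactly the "input must never change the structure of the query" rule.

```python
import hashlib
import sqlite3

# Constructed sample data. The password column holds SHA1(password + salt),
# the same shape as the SHA1(CONCAT(...)) fragment in the error message above.
SALT = "constructed-salt"
SAMPLE_USERS = [
    (1, "alice", "hunter2"),
    (2, "bob", "letmein"),
    (3, "carol", "correct horse"),
]


def hash_password(password: str) -> str:
    return hashlib.sha1((password + SALT).encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(uid, name, hash_password(pw)) for uid, name, pw in SAMPLE_USERS],
    )
    return conn


CONN = build_db()


# --- the pattern from the slide: the query text is built by string concatenation ---

def lookup_user_vulnerable(id_param: str):
    # Mirrors  "SELECT * FROM users WHERE id='" . $id . "';"  from the lecture.
    query = "SELECT id, username FROM users WHERE id='" + id_param + "';"
    return CONN.execute(query).fetchall()


def login_vulnerable(username: str, password: str):
    # The username lands inside the quotes, so a quote in it ends the string early
    # and a trailing comment discards the password check and LIMIT clause.
    query = ("SELECT id, username FROM users WHERE username='" + username
             + "' AND password='" + hash_password(password) + "' LIMIT 1")
    return CONN.execute(query).fetchone()


def login_raises_error(username: str) -> bool:
    """Error-based detection: a well-written application never errors on input."""
    try:
        login_vulnerable(username, "x")
        return False
    except sqlite3.Error:
        return True


# --- the fix: parameterised queries, the driver sends values separately from the SQL ---

def lookup_user_safe(id_param: str):
    return CONN.execute("SELECT id, username FROM users WHERE id=?", (id_param,)).fetchall()


def login_safe(username: str, password: str):
    return CONN.execute(
        "SELECT id, username FROM users WHERE username=? AND password=? LIMIT 1",
        (username, hash_password(password)),
    ).fetchone()


if __name__ == "__main__":
    print(lookup_user_vulnerable("2"))                 # one row, as intended
    print(lookup_user_vulnerable("-1 or 1=1"))         # inside the quotes: just a string, no rows
    print(lookup_user_vulnerable("-1' OR 1=1 -- "))    # quote closes the string: every row
    print(lookup_user_safe("-1' OR 1=1 -- "))          # parameterised: no rows
    print(login_vulnerable("1' OR 1=1 -- ", "anything"), login_safe("1' OR 1=1 -- ", "anything"))
    print(login_raises_error("O'Malley"), login_raises_error("bob"))
```

The stacked `DROP TABLE` case from the lecture is deliberately absent: Python's `sqlite3.execute` refuses more than one statement per call, which is one reason the lecture says that outcome "depends on the settings of the SQL server and the programming language".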
I'll try to get this demo of sqlmap going, it's going to be installing. So next up is cross-site scripting. It occurs when malicious JavaScript that somebody else controls executes in the context of your browser, your window. So we're not going to go into the details, but there exists an access control policy in your browser called the same-origin policy, which basically means you can have facebook.com open in a tab and you can have attacker.com open in a tab, and that JavaScript code can't talk to each other, because you don't want the malicious .com JavaScript code to try to alter or change your Facebook page, or add users, or interact with Facebook on your behalf. But if the attacker can trick your browser into executing JavaScript that they choose inside your facebook.com page, then they can do whatever they want, so they can actually steal cookies, perform actions as you on the website, which would mean like friending people, sending your money away if this is that kind of website, or my favorite is they can actually do a super sophisticated phishing attack and present you with a fake login form. So you're on facebook.com, but what's shown to you is a fake login form that, when you fill out the form, your details go to the attacker and not to Facebook. How this happens is actually pretty simple. So it goes back to the HTML parsing we were talking about. So these are some samples. This is PHP-like code, or basically the way to interpret this is everything that's in between this, this bracket question mark, and everything else is static. So you can think about it again.
It's string concatenation. So this code is equivalent to first output this constant string, and then at this point substitute, so the equal sign means place in the output whatever the value is of the name variable, and then append this constant string. So if the name was just Adam, we would get hello Adam. That would be parsed by the browser and it would just say hello Adam, and it would look something like this. But if we can include JavaScript tags in our input, we can then trigger arbitrary JavaScript code to execute on this page. And so we can do something like script alert cross-site scripting, which pops up that alert box that you've probably seen before. And again, remember the key thing is that the website is very stupid: the code is simply concatenating strings together, sends these bytes to your browser, which then parses it and interprets it as HTML. So the attacker can actually trick you. So if you remember, if we go back, is there any JavaScript code on this page? Is there anything in between script tags? No, it's just pure basic HTML. It's very clear the developer did not want any JavaScript code to be executed here. But if an attacker can alter this name parameter to get the name parameter to be script alert cross-site scripting, now the browser will parse that and say, oh, the developer wants me to execute this JavaScript code to pop up this cross-site scripting alert box, and if we go on to this next page we can actually see that, if it's part of this name parameter, we'll see this here. So the idea is basically when I'm doing this, I'm trying to. So the defense against this would be the HTML encoding that we saw, the ampersand LT semicolon: if the web application transforms less-than symbols to that, then we know we're safe. So there are actually several different places of cross-site scripting in WackoPicko, minutes to find them. So give me one of these, I want to see a box, an alert box. I'll try inputting things like this, and don't look at the other stuff.
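As an added example (not code from the lecture), the PHP-like "hello name" template from the slides rendered both ways in Python: raw concatenation, and the HTML-encoding defense the lecture names (less-than becomes `&lt;`). The guestbook function covers the stored case discussed next, where the same encoding has to happen at output time. The `<script>` check is a constructed stand-in for what a browser's parser would see.

```python
import html
import re

def render_unsafe(name):
    # Exactly what the template does: constant string, the variable, constant string.
    return "<html><body>Hello " + name + "</body></html>"

def render_safe(name):
    # html.escape rewrites < > & " ' as entities, so the browser sees text, not tags.
    return "<html><body>Hello " + html.escape(name) + "</body></html>"

def render_guestbook(entries):
    # Stored case: entries come straight back from the database, so each one is
    # encoded on the way out, at every render, regardless of how it was stored.
    items = "".join("<li>" + html.escape(e) + "</li>" for e in entries)
    return "<ul>" + items + "</ul>"

_SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)

def contains_script_element(page):
    # Crude stand-in for the browser's parser: would it find a <script> start tag?
    return bool(_SCRIPT_OPEN.search(page))
```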
I'm going to make this smaller. Is it the right something? Yeah. Yeah. It's just script and then close script and then whatever. His exact. It looks like I, like I. All right. All right. Somebody want to be my, I'll be your hands. Tell me what to hack: the guestbook. Which parameter is vulnerable? Yeah, it still works. Okay, good. Yeah, so actually the browsers, since I made this, have gotten much better at detecting. So basically they detect, hey, you sent a script tag and that is exactly what was sent back to us, that looks like a cross-site scripting attack, we're gonna block it. But this still works, we can see by this name here, because all this is stored in the database. So it's a stored cross-site scripting vulnerability. Anybody find anything else? Just this page. Yeah. Yes, good, good one. So yes, there's a Flash. I'm not gonna enable Flash on this, but there is Flash. Well, let's try, it does. Yeah, the technical reason is that the scanners are very good at identifying basic cross-site scripting, and so something like this tests: can they actually execute? Yet, so this thing is not gonna let me because of this XSS auditor. But we wanted to test, can they actually execute Flash? For me the answer was no. Cool, that was good. You need to sanitize things. One thing before we, all right, so this is about the, so the SQL injection vulnerability that we found seems pretty bad, right? Anybody could bypass the login and log in as any other user. But it's actually much worse, as we'll see. So there's actually a tool called sqlmap, which you can fire at a SQL injection and it will do things like, let's see what it's gonna do. Yes, get test. So it detects that the back end is MySQL; it looks like it found username as a POST parameter vulnerable to SQL injection. It would say, for the remaining tests, do you want to include all tests for MySQL? Yes, do everything. Do you want to follow? No. Oh no, is this gonna work? So it's detecting a bunch of vulnerabilities here.
You know, I don't want to do all that. No. Just do random stuff. No, don't test the others. Okay, so this will, all, there we go. That's a long, so this is downloading the entire database based on that one injection, so it's getting all the values. You see, it doesn't take very long, I mean it's making a lot of requests, but it's actually going so fast I can't show you the things that it's figuring out, but it's actually querying. Okay, you can query: MySQL stores all its metadata in fixed tables, so you can query that table to figure out what are all the different databases in your database. Then you can query each database to figure out what are the different tables, then you can quickly query each table for all the data inside of it, and so sqlmap. Install sqlmap, and you have apt-get install sqlmap, and you can. So again, do not do this on a system that you do not control. Okay, this is too much actually. All right, so it's too much data in there; we could do, look at these options, we can do dash dash, oh, we can do --dump -D, I know it's wacko. Wow, this is asking me if I want to save the passwords to try to crack them with a dictionary attack. So okay, so let's see. Oh, so now we have wacko: sqlmap output, localhost, dump, WackoPicko. So this is every single database, or every single table that's in the database. So we have all of the users table. We can see this is every single user, so we know it has an id, salt, login, last name, trade bucks value, password, first name, created on, literally anything we want, comments. So we just got everything from this database. Stuff is dangerous. Be safe out there. Yeah, I guess that's it. Have a good semester. See y'all on, oh, I guess, oh god, I hate talking about this: the final is cumulative. It's gonna be everything we've covered up until that point. Don't ask me anything else. There'll be anywhere from one to a hundred questions, just to tell you that that question is meaningless. All right, we'll be on Tuesday.