So we're switching gears from binaries; we're going to move into web. As I mentioned at the top of the hour, I'm going to try to post some resources for binaries, because a lot of the CTFs are still very much binary based, with binary challenges, so those types of vulnerabilities are always important to know and to understand. But we haven't gone over web in three years, I don't think; I don't think anybody here was actually there for that. So I'm going to go over the slides kind of slowly. I think I'm going to jump around; we don't have to talk about the birth or the design of the web, even though it's very cool. The key ideas behind the web are on my computer. Okay, I'll put them in the Dropbox. So the web has three really important technologies. First, URLs or URIs. This is where we're going over the basic goal; the rest is the attacks. So fundamentally, the web is built on how to find documents on other computers. The URI that you see in the address bar of your browser tells your browser exactly what request to make to fetch that resource. So URLs generate HTTP requests, where HTTP is the hypertext transport protocol. This is how your browser, your client, talks to a server to try to fetch some document on it. Then finally, what you'll get back will typically be an HTML page, where HTML is the hypertext markup language. So if you've never right-clicked on a website and clicked view source before, you're going to do a lot of that now. And the beautiful thing about the web, why I like this beautiful circular nature, is that in that HTML page there are hyperlinks which point you to new URIs, to make new HTTP requests, to get new documents, which are new HTML with new links, right? So that's why the web has this beautiful circle.
So to really understand what the heck's going on at a really low level, you need to understand all these different technologies. So we'll just split them out really quickly. URIs start with what we know as a scheme. Typically we're used to using HTTP or HTTPS, right? That tells your client what protocol you want to use. The I: URL is universal resource locator, and URI is universal resource... something. Identifier. Resource identifier. Yeah, uniform resource. Uniform resource identifier. So it's more broad than the web itself. This is why, when you see links, you can have ftp://, or you can have mailto: and that's an email. So there's a bunch of different schemes that are actually defined in a standard somewhere that specify what applications and what these things mean. So these are the incredibly important parts of a URL, and understanding them allows you to understand the web and web vulnerabilities. The scheme tells you what to use; you said HTTP, HTTPS. The authority means what server do I go talk to, right? Typically this will be a domain name, so this will be google.com. The way to read this is that everything from the colon to the slash is going to be the authority. So this says who do I get this page, this document, from? After that, everything from the slash to the first question mark is the path, and all of this is optional. This is a path just like in the Unix file system, right? Folders and directories, that's kind of what it represents, but really it doesn't mean anything. It only has meaning to the authority, to that server. So if you go to google.com/docs, it's going to redirect you to Google Docs. It doesn't mean that there's a folder or file called documents or docs on google.com's servers. They can do whatever the heck they want with these paths.
After that we have the query, which is incredibly important. So we have the query section here, which is a series of key-value pairs, and we'll go into that in a second, followed by a hash sign and the fragment. So the idea is the path tells you what document you're trying to get; this is traditionally how this is. A query is any additional parameters. And the fragment, though, is only used by the client. So the key thing here is when you ask the browser for something, nothing after the hash is sent to the server. It's only used client-side; this is how, when somebody sends you a link to the middle of a web page, they're doing it, because they're sending you a link to a fragment, a sub-document or sub-resource. So the correct syntax for the authority is username at host colon port. This is how you can specify a username when you're visiting this server, and you can also specify a password too. But usually it'll just be the host. If it's just the host, it will depend on the scheme what port it's going to use to make that connection. Otherwise you can specify the port, to use non-standard ports. The path is hierarchical, so there we have a slash. The query is used to pass non-hierarchical data. Some examples: we have a scheme foo for the host example.com with a port of 8042. The path is over there. And the parameters are test equals bar. So this means we have a query parameter of test, and the value of that parameter is bar. How do you give multiple parameters? Yes, there isn't an example here. You separate them with ampersands. So you do ampersand, new key equals new value. We have FTP as one in here; this is a valid URI. Also mailto links. So if you're writing web pages and you want the mail client to pop up. HTTPS. So here we have something interesting. We have a colon here, but that's not part of the port. That's fine, because we know everything from here to the first question mark is part of the path. That's how we parse this.
We have scheme colon. The authority is host colon port. And then from the first slash all the way to the first question mark, that is the path; this whole thing is the path. And then the query. So this one is all malformed because of this right here: we have the question mark, but then we have a slash. We don't have something equal to something else. So part of the problem here is we can't parse this, because we have special characters, essentially, in our URI syntax. We have the colon, we have the slash, we have the question mark, and we have the hash symbol. So if we wanted to try to access a document that had a question mark in the name, using this we wouldn't be able to do it, because it would mess up the parsing. So we have to use escaping. A lot on the web has to do with escaping and how you change special characters to make them mean something else. So this is a list of all the reserved characters that you're not supposed to ever use in a URI. And you know what they are. What's the special character we use? So when you're coding in C or Java, and you have a double-quoted string, how do you include a double quote in that double-quoted string? Backslash. Yeah, you have to put a backslash first, right? The backslash double quote doesn't mean I want a backslash character and then a double quote; it's a special character that says I actually want a double quote. This double quote isn't to end the string; this double quote is an actual double quote that I want here. So in URIs they have used the percent symbol. So these are all the reserved characters, and I believe percent should be on here. So you can basically percent-encode anything. And you must do it to encode anything that's not alphabetic, digits, dash, dot, underscore, or tilde. So the idea is actually pretty easy: you do percent and then the hexadecimal representation of the byte.
So for instance, a space character is not any of those: it's not alphabetic, it's not a digit, it's not dash, dot, underscore, or tilde. So if you want to include a space in your URI, you do percent 20, because hex 20 is the ASCII value for space. And if you ever don't know, I'm going to ask you to look this stuff up; here's the whole hexadecimal ASCII table. So you can see 20 is space. That's how you include a space in URIs. If you want to include a double quote, it's percent 22; if you want to include a colon, it's percent 3A. And that's why when you look at a URI that you get, it's going to look really weird, because all these characters are encoded in this way. How do you encode a percent sign? Can you just use percent, the special character? Yeah, so how do you represent it? Two of them? No way. Find that hexadecimal. What is it? 25? Yeah, percent 25. Instead of doing something special, like doubling it up, they say, well, we already have a way to do this. So percent 25 represents percent in percent encoding. So percent is the same? Yes, exactly. So for instance, the ampersand will be percent 26. So percent will be percent 25, space percent 20, and so on. So we can fix this example. What are we going to replace here to fix our example? So you said the problem was the question mark slash. That's where the error was. Can you tell me what's the problem? What was the criteria? What do we not have to... Can't have a colon. Can't have a colon. So we have to encode that, and then what? Is the dot there? No, dot's fine. It's a through z, digits, underscore, dash, dot. Tilde too. Yeah, well, it kind of actually depends on what we want it to do, right, and what we actually want to request. So if we wanted example.com slash test slash example colon 1.html question mark, with the question mark part of the path, and then slash atom, we would encode it; we could encode this question mark. If we don't, then we would encode the slash.
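The splitting rules and the percent-encoding just described, as an added example that is not part of the lecture (names such as split_uri and percent_encode are ours; the parser ignores IPv6 bracket syntax and other RFC 3986 corner cases):

```python
# Added example (not the lecture's code): split a URI into scheme, authority,
# path, query and fragment the way the lecture describes, and percent-encode
# the reserved characters that would otherwise confuse that split.
from dataclasses import dataclass
from typing import Dict, Optional

# Characters that may appear literally; everything else is %XX-encoded.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def percent_encode(text: str) -> str:
    """Encode every byte outside the unreserved set as '%' + two hex digits.
    '%' is not unreserved, so a literal percent sign becomes %25."""
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in UNRESERVED else "%%%02X" % byte)
    return "".join(out)


def percent_decode(text: str) -> str:
    """Reverse percent_encode; a '%' not followed by two hex digits is kept."""
    raw = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%" and i + 2 < len(text):
            try:
                raw.append(int(text[i + 1:i + 3], 16))
                i += 3
                continue
            except ValueError:
                pass
        raw.extend(text[i].encode("utf-8"))
        i += 1
    return raw.decode("utf-8", errors="replace")


@dataclass
class URI:
    scheme: str
    userinfo: Optional[str]
    host: Optional[str]
    port: Optional[int]
    path: str                        # percent-decoded
    query: Dict[str, Optional[str]]  # key -> value, or None when there is no '='
    fragment: Optional[str]          # kept by the client, never sent


def parse_query(query: str) -> Dict[str, Optional[str]]:
    """'a=1&b&c=x%20y' -> {'a': '1', 'b': None, 'c': 'x y'}."""
    params: Dict[str, Optional[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        params[percent_decode(key)] = percent_decode(value) if sep else None
    return params


def split_uri(uri: str) -> URI:
    # scheme: everything before the first ':'
    scheme, colon, rest = uri.partition(":")
    if not scheme or not colon:
        raise ValueError("URI needs a scheme")
    # fragment: everything after the first '#'
    rest, has_frag, fragment = rest.partition("#")
    # query: everything after the first '?' (and before the '#')
    rest, _, query = rest.partition("?")
    userinfo = host = port = None
    if rest.startswith("//"):
        # authority: from '//' up to the next '/'; the path is the remainder,
        # so a ':' inside the path can never be mistaken for a port
        authority, slash, path = rest[2:].partition("/")
        path = slash + path
        if "@" in authority:
            userinfo, authority = authority.rsplit("@", 1)
        host, sep, port_s = authority.rpartition(":")
        if sep:
            port = int(port_s)
        else:
            host = port_s            # no ':' -> rpartition put everything last
    else:
        path = rest                  # e.g. mailto:alice@example.com
    return URI(scheme, userinfo, host, port, percent_decode(path),
               parse_query(query), fragment if has_frag else None)


if __name__ == "__main__":
    # Unencoded '?' starts the query; encoded as %3F it stays in the path.
    print(split_uri("https://example.com/test/example:1.html?/atom"))
    print(split_uri("https://example.com/test/example:1.html%3F/atom"))
```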
If we wanted this just to be "atom". So this is acceptable syntax for a query parameter: you can have key-values, and you can have keys without actual values, so you just don't have the equals sign. Which I did not go over. Okay, I'm going to skip this for now. Let's see how I'm going to go. There's a difference when you look at a URI; it can specify different things. I'm going to ignore this for now, but I think you should revisit this on your own. HTTP. So it's a very old protocol. It's basically from the beginnings of the web; 1991 is when this came out, and there really have not been that many changes. The newer version, HTTP/2, will be released more and more, but the usage is still not really there, so we'll just focus on HTTP. Basic idea: it's a completely stateless protocol. The client makes a connection to a server based on the URI. It looks at the authority, it says, what server do I need to talk to, and makes a TCP connection to that server. It says, hey, I want to make a request for this document. The server processes that, reads the request, and sends an HTTP response. So fundamentally HTTP has two things: requests and responses. Yes, request and response. Unfortunately, reality is a lot more complicated. There's caching involved, there's firewalls in the middle, there's proxying, there's NATing even when you think about the networking levels. People even do crazy stuff with memcached, and now you have content delivery networks. But we can still think about it in this very simplified model. So, requests. Let's look at an HTTP request. What operating system is everybody running? Does everybody have access to a Linux box? Yes. Okay, so one of the best tools is tcpdump.
Well, tcpdump, if you have not used it, tcpdump is what we're going to use. Your interface is eth0. So I want you to listen using tcpdump on your interface, and I want you to listen for port 80. If you just listen on port 80, this will listen on your local interface for any HTTP requests that are being made. The default port for HTTP is 80. The default port for HTTPS, which is the SSL-secured version, is 443. Those are good things to know. Do we have to do anything different if it's running in a VM? No, you just have to figure out, using ifconfig, what your interface is actually called. That should go after the -i parameter, which is the interface. You want to use -n, because this will disable remote DNS; otherwise it'll try to resolve all the IP addresses it sees to a DNS name. So -n makes it faster. So do that in one window. Right now I'm not doing anything. Oh, yeah, we're not doing anything. If you want to see this, in another window, or a tab or whatever, however you want to use it, run curl. Let's change our options. Okay, yes. So use tcpdump -n, and use the -A option. Another thing, if you're not familiar with Unix commands: you're passing this eth0 argument to the -i argument, so if you put the -A right after -i, if you switch those, it's not going to work, because it will think that the A that you're sending is the parameter to the -i interface option. Anyway, you have to be cognizant of which parameters take values and which ones do not. Which interface? Use eth0, so that'll be your interface. This is different per system; most Linux machines use eth0, it's going to be the default interface. Mac is based on BSD, so it uses en0.
Well, sometimes I would include two of them, like -nn. And -A. What is the -A? The -A prints out the ASCII values of each packet that it receives, so that we can actually look at the requests that we're sending. So I did do it that way. And so, you're going to scroll up past all the SYNs and ACK packets. You can see there is the response, that's from Google basically to you. So you go up and see the request. Still garbage though. I mean, that's the SYN, SYN-ACK, ACK. That's the three-way handshake: SYN, SYN-ACK, ACK. And then the next one is the push. So that's kind of it; that's the request. Oh, that's what you're running; it's probably TeamViewer. Is it port 80? And you're running on wlan0. So that's port 80, and Host: google.com, right, that's what we're doing. So what's happening? Do you have two-factor or something? No, it's Google Hangouts; I'm trying to click my phone number. So your machine is essentially relaying all the requests that that machine sends, so it looks like it's coming from your machine instead of the host machine. So you don't have to type the number at all. Yes. Okay, so it's currently running, so you can't type the number at all.
So there's just a lot to do. So you're going to be requesting, and this is the request file? No. Okay. We'll put another card on those so you can make the curl request. Okay. So what we're going to talk about next: you are listening to every request that this computer is making on port 80, any TCP traffic that's happening on port 80, that's what you're looking at. So if you go up, you can see, going down a little bit, that is the HTTP response. Go up. That is your request. So you're asking this IP address; that's your computer. So this is an IP packet. So your computer, from this weird port, to that IP address, and that would be google.com. Oh, okay, that makes sense. And then it's making a GET. This is the request, the HTTP request that it's making to Google. And you can look down and see that this is the reply. So it's actually doing a redirection. It's telling you, actually, I want you to go to www.google.com. Yes. And that's why if you go in your browser and type in google.com, it will go first to www.google.com and then it's going to redirect again.
The things that I try to teach are the things that are going to appear on CTFs, the CTF-style things. We'll put in some of the man-in-the-middle stuff we're talking about.
Okay, so everybody's done this. Got to about the right place. Okay, so now let's look through what, hopefully, we've seen. So you should scroll towards the top. Wow, okay, I got a lot of stuff here. We switched to web, FYI. Yes, web. All right, so if we look at what's going on here, what is going on here? Well, it just got a "document moved", so it can't really settle. Yes, I know that part. Okay, so if you looked at everything, you could pinpoint the exact packet. So tcpdump looks at every packet that's getting sent and received based on your filter. So we're filtering it, so it's only port 80 traffic that we're seeing. And we can see that here, because this is port 80. So this means we're making some requests from here to this IP address on port 80.
The flags on this are very weird, which I don't understand; I think something must have gone wrong here. But basically, this is the start of a TCP handshake. If you don't know what that is, you should definitely refresh your networking skills and look at that; we're not going to cover it right now. But in this three-way handshake, we first send a SYN packet, they send a SYN-ACK packet back, from this machine on port 80 back to here, and finally we acknowledge their transmission with an ACK, and then we push and send them our request. So in this you should see the HTTP request that curl sent when we executed curl http://google.com. And when we pick it apart, we see GET / HTTP/1.1, Host: google.com. We have a User-Agent, which is curl. So this actually tells the server... anyway, we'll get into exactly what it is. But this is essentially the request. And I wanted us to be able to actually look at this, be able to do this, so then when we read about the request, you actually have something to look at. And then we can see that we get a reply back from Google. We get HTTP/1.1; this is saying that we're talking the HTTP 1.1 version. We get a response code; there are various codes, and 301 means redirect, look somewhere else. And where do we look? http://www.google.com, right? So this is why, when you type just google.com into your browser, you'll get redirected to www.google.com, and then redirected somewhere else, and then it'll redirect you to https google.com. Yes? So before that HTTP, what is the garbage before that? Is that the other part of the packet? This is parts of the packet, yeah. So this is nothing to do with the HTTP protocol; this is just the way tcpdump parses it. I think it shows you the ASCII of the entire packet, so this includes all the header information. So yeah, it's all a bunch of stuff we don't need, but it starts right here. The cool thing is it also does send us HTML. So it sends us some HTML that we can look at.
And then we finish and everything stops. So, all right. So requests: HTTP requests have a method. There are various methods here. We have GET, so this GET is a method. There's GET, POST, HEAD, PUT, DELETE, and a series of other ones, but those are the standard ones. We then have the resource. So which resource are we trying to get? Here we're just trying to get slash, right? Remember we typed in just google.com. So what if we did google.com/foobar? We will see that we will get /foobar. So this is the path that comes afterwards. So this is everything after here, including the query parameters. So this would be foo equals... okay. And you've got to make sure when you're typing this in; you want this to be foo equals bar. So here I'm passing in a query of foo equals bar and baz equals random stuff. Oh, no, but it doesn't matter; I'm just making a request. Yeah, that's kind of the important part about the web: whatever this is, it depends on google.com. They're the ones that say whether this part is valid or not, right? If they don't have anything for it, then they'll ignore it. If they do have something for it, then they'll deal with that. So if we look at the request now, we can see we're doing GET /foobar?foo=bar&baz=this. So this is everything up until the hash mark. From the hash mark on, everything is not sent. We also say the protocol; we're saying we're making an HTTP 1.1 request. We send information about us, the client making the request, and sometimes the request will have a body if we're sending data to the server. So yeah, where is my... yes. Okay, so this is essentially the request that we just saw. There's a bunch of methods that I can use; you can go and review these, but this is in essence what's going on here. Why do we need the host here? Why do we need this Host header? Yes, but I typed in curl google.com. So I typed that.
So I did a DNS query to turn google.com into an IP address, right? That's how we know which server to contact. So then why do I have to use this Host header? It was already the IP address. Well, you could just use the IP address. Or could it switch to somewhere else? You could just use the IP address to make a request. You could. So make sure you know it's not the IP address. Could one IP address be the same as multiple websites? Yeah. So if every DNS name maps to one IP address and you did not have this Host field, this means that if you wanted to host a new domain, you would have to have a new IP address. Every single domain would have to be on a different IP address so it knows which one you're requesting. The Host header was added so that you could have multiple domain names share the same IP address. For instance, that's how our lab works. We have one external IP address, and we host multiple websites inside that IP address. And so we have a web server that looks at the Host value and, depending on it, will send it to the right backend. That's how and why that was added. But what if you curl with an IP address instead? Look here. So here we curl with the IP address. We do the GET. We see that it sets the Host as that. So then the server gets to decide what it wants to do: does it actually want to respond, or does it want to just drop the request? Do they have a default set for this? It looks like here they just do the same thing. Actually, fun fact about Google: all of Google's external IP addresses will respond to any of the Google services. I'll explain later why that's interesting. Okay. This is a curl request, if you look. So now, I think what would be interesting is run the tcpdump and do a request in your browser, to see what gets sent. I can't find it. Okay, search. Gravatar.
No, I mean through the buffers. And this depends; that depends. Okay, so it depends on what? Yeah, so if you want to figure it out, use ifconfig to tell you which interface to look at. Wow, okay. I don't know which one's the Google request, because there are lots of requests. But we can see that there's one request to gravatar, www.gravatar.com. We can see that this request has many more header options than previously. So the things that are important: this has to be here, the first line, which is the method, the document you want to get, and then the protocol. And then after that is a series of key-value header options. Host; we have Connection: keep-alive. All these things mean different things, and there are RFCs that you can study to see exactly what each of these things means. Modern requests are complicated. So the response, as we saw: the response has the protocol version first off, to tell us exactly what version of HTTP it's talking. It has a status code to communicate to the client: was this request successful? Was it not? If it failed, why did it fail? Was it a temporary failure, a permanent failure? Should the client look somewhere else for this resource? If they look somewhere else, should that be permanent? So has this always moved, or has it never moved? All kinds of stuff. So basically you have one line that has the protocol version, status code, and a short reason, and then headers and a body. Yes, so there's the status code, we can see. Okay, cool. So we can see in this reply, the first thing we have is the protocol. Then next we have the 301 response code, and then we have the short reason, followed by headers. So each of these is a header. And then we have a blank line. So technically at the end of each of these lines is a CRLF.
Those are the exact bytes that are there in those requests. And then we have an empty line that signifies the end of the headers and the start of the body. And so then this is where your browser starts parsing and looks for HTML. Questions on this? So, status codes. The 100s are very strange; I've never really seen one in practice. They're used to say that everything is good and going well. 200 is the normal one. So 200 means everything was successful: we received your request, we understood it, and we accepted it. Everything that starts with a three, so the 300 level, are all redirects, that say actually you need to go somewhere else. So this is exactly how, when you type in a URL or try to go somewhere, or somebody sends you a link and you click, they say, oh, you're not logged in, and you're redirected to the login page. This is how that happens. A 400 means you messed up; the client made a wrong request. So what's the classic 400 error message? 404. 404 means not found, right? It's not my problem, the server says, you requested the wrong document. And so that's what a 404 error is. There are many different 400-type errors. The other one is "I messed up". So 500 is the server saying, oh crap, something went wrong, sorry. Like, I've never seen that one. You've never seen that? No, no, no, no, no. Is that 403, though, forbidden? Yes, there's various ones, I don't know. So these are just general codes, right? Everything that starts with a one, two, three, four, five means these things. And then depending on what they are, so 200 has these couple of things, 300 has different types of redirects: redirect just for this time, or redirect always. And these affect the client behavior. Like I said, 403 is forbidden, 401 is unauthorized. 400 means you made a bad request, so your HTTP request itself was wrong, which is a bad thing to be. Yeah, 500; there are various other 500 errors. So this one: why are they giving us a 301 for google.com?
Because they permanently want you to always go to www.google.com. So a permanent redirect means that the browser can cache that result, and so next time you try to fetch google.com, it knows that that's actually redirected to www.google.com. But does curl do that? No, it doesn't do any caching; it's just a command line thing. It does that request every time. Yeah, well, it's not an error. That's the wrong message. Yes, exactly. The browser is the one that does the caching. Yes. Okay, so if we look at a response to www.google.com, you can see that we get more information. You can do this on your own. So you'll get 200 OK, it'll have the date that you made this. There's a bunch of cache controls to control any caches that are in between you and the other server, to say whether it should cache it or not cache it. That also controls your browser, how long your browser will cache it. It may set cookies on your browser, which we'll get to later, and all kinds of stuff. What's private cache control? I don't remember. Cache-Control: private means, I think, that your browser can cache it, but nobody else can cache it, right? Because if any other cache in between you and the server cached it, that means if somebody else tries to fetch www.google.com, they'll get that result back. But Google customizes your homepage based on you. I did this while signed in, I think, or something. Oh no, maybe private, max-age=0. max-age=0, that means never cache it. Don't ever cache this. Content-Type is important because it tells your browser what this body is that you're sending, because it doesn't have to be HTML, right? We can get JavaScript files and, I don't know, movies or whatever through there. So this text/html is a MIME type. It's another format that describes different types. Anyway. Questions on responses? We're going to skip this. Other thing: I think before we get into HTML, I think you all need to install the Burp proxy.
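The request and response formats discussed above (request line plus Host header, status line, CRLF-terminated headers, blank line, body, and the 301 from google.com), as an added example that is not the lecture's own code. Function names are ours, the URI split uses the standard library's urlsplit, and SAMPLE_301 is a constructed reply in the shape of the redirect seen in tcpdump, not a real capture:

```python
# Added example (not the lecture's code): build the minimal HTTP/1.1 GET that a
# client like curl sends for a URI, and parse a raw request or response back
# into its start line, headers and body.
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirect",
                  4: "client error", 5: "server error"}
CRLF = "\r\n"


def build_request(uri: str, user_agent: str = "example-client/0.1") -> bytes:
    """GET request for `uri`: request line, Host, two headers, blank line."""
    parts = urlsplit(uri)
    # The request target is path + query. The fragment never leaves the client.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    # Host carries the authority, so one IP address can serve many domains.
    host = parts.hostname or ""
    if parts.port:
        host += ":%d" % parts.port
    lines = [
        "GET %s HTTP/1.1" % target,
        "Host: %s" % host,
        "User-Agent: %s" % user_agent,
        "Accept: */*",
    ]
    # Every line ends in CRLF; the extra CRLF is the empty line that ends the headers.
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii")


def _head_and_body(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no blank line after headers")
    start, *header_lines = head.decode("iso-8859-1").split(CRLF)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return start, headers, body


def parse_request(raw: bytes) -> dict:
    start, headers, body = _head_and_body(raw)
    method, target, version = start.split(" ")
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requires a Host header")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_response(raw: bytes) -> dict:
    start, headers, body = _head_and_body(raw)
    fields = start.split(" ", 2)  # version, status code, optional reason phrase
    code = int(fields[1])
    return {"version": fields[0], "status": code,
            "reason": fields[2] if len(fields) > 2 else "",
            "class": STATUS_CLASSES.get(code // 100, "unknown"),
            "headers": headers, "body": body}


def next_hop(response: dict) -> Optional[Tuple[str, bool]]:
    """For a 3xx reply: (Location to fetch next, whether the redirect is
    permanent and so may be cached by a browser). None for anything else."""
    if response["class"] != "redirect" or "location" not in response["headers"]:
        return None
    return response["headers"]["location"], response["status"] in (301, 308)


# Constructed sample in the shape of the 301 that google.com returns.
SAMPLE_301 = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://www.google.com/\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 219\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>301 Moved</TITLE></HEAD><BODY>...</BODY></HTML>"
)

if __name__ == "__main__":
    print(build_request("http://google.com/foobar?foo=bar&baz=x#section").decode("ascii"))
    resp = parse_response(SAMPLE_301)
    print(resp["status"], resp["class"], next_hop(resp))
```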
B-U-R-P, yes, like a burp. So this is one of the best tools for doing web application pen testing. And they have a great free version that you can use. I think investing in the pro version is worth it. No, I don't. It has some cool stuff. It has a scanner. It does have a pen testing like scanner component to it so you can use it to automatically scan and pen test. But really that's, you should be, especially for the stuff that we're doing, you should be doing all of it. You don't wanna rely. They're not gonna have something that the tools can just automatically find, so. 'Cause the way to learn is to do it manually. Exactly. Yeah, especially while you're learning. But using this is awesome. So everybody download and install it and get it running. It's Java, so it runs everywhere. I mean, the other thing I think about Burp is it has a whole plug-in and an extension community so you can use cool stuff other people have written that looks for things in responses and other kinds of things that can be cool. How do you turn it on? How do you turn it on? It is currently on. It is on. Yes. It gets there in a second. Oh, you don't want to turn it on? Yes, you just set it up. I usually use Firefox. Firefox is the browser that's easiest to choose a proxy for. Do you need to do it now? Or just go here and just turn it on. To be honest, I don't know 100%. I think you may be able to change it in the networking setting. Of course, I'm curious. I know you have Italian, but maybe you can put it in. Or you can put it in. What? I'm curious. How do you turn it on? Because I can't resolve. Very well. I started on it. But you can't resolve. You should do that soon, really, also. That is what it has to be. Very exciting. I'm going to try to remember how to get the point out that I have to install the Kali dash. Or dash pool. Is it worth commanding on it? Or is it? It's a GUI. 
And then, because I figured that out, you didn't want to do it for like six years. That's not cool. So that looks like a script that will install in the middle. Yes. It's a .sh. I thought it was all good. I'm curious. What are your views on the Kali dash? I'm curious. I have a 32-year-old. I mean, the same monitor. Yeah. That's just for the root directory. And it's always like, you're sound and arse on that. I don't have any scores. I don't have any one there today. Really? We might want to go to the party. Edit your hair faces. Find your network. Does that mean? Like, do you have 22? The point of view, right? Or three? Or three? It's not good. So I'm going to go to the party. I'm going to the party. So, Burp is in Java, so you can run it on anything. So you don't have to run it in a VM. You totally can though. I bought four or two. Thank you. I don't know. I just looked up the thing and I just bought it. I don't know. Is that not what it's supposed to be? I don't know. I've been using the same thing. Oh, you wanted a smaller one? She said it's a size bigger than that. Thank you. Is this a game? Yeah. They took the hard drive. They're going to do the hard drive. Pretty sure. Yes. Nothing could come after dark elements this year. But you're not. No, you're not. Hey! Now you might just pass him the case of a catalog board. That I'll bring to you. Yes. Wait, do you download the JAR file? I can actually download the JAR file, right? I just didn't download for my PC. What is this? I don't know what this is. Oh, it's SH. No, I want to download. Look, the SH file is like 880 megabytes. This is only 12 megabytes. So try to look at the JAR. Why is it so much bigger? Why is it so much bigger? Oh, I have no idea what this is. So this is the next one. This shell is good. That's 82 megabytes. This JAR file is 12 megabytes. We're like, what the heck? But why? Can they kill all of them? 
No, they still have the cheese pizza left. I'm sure some hungry hackers will take it to it. So what should we do now? OK, yes. So once you have Burp up and running, so the idea is Burp is a proxy. So it's going to sit in between you and the server that you want to test. But by default, that doesn't happen. So you have to set up your browser so that it knows to redirect requests through Burp. So Burp has a lot of different modules. I really only use about two. The module you want to look at first is proxy. So the proxy tab. You want to click on that. It'll say that intercept is on, which means that it's running. We'll see what this does in a second. You want to look at the options tab, a sub tab of the proxy. So this tells you that you have a Burp proxy running and listening on the interface. It's 127.0.0.1 port 8080. So this means that it is running and listening on your localhost for incoming HTTP connections on port 8080. But we won't see anything unless we configure our browser specifically to do this. So I actually use Firefox basically as my pen testing browser. So I only use Firefox to go through Burp because it's actually very easy to change the settings here. So you have to go advanced, network settings, and then you have to say manual proxy configuration. And your proxy that you want is that exact thing that's in here. You want localhost port 8080. So localhost port 8080, use this proxy server for all protocols. And you want to click OK. So now what should happen, so this is what you want. If I go to a little bit of my website. So it should hang. And why is it hanging? When we look, we can see that this intercept. What we've done is the browser sees the HTTP request that we've made and is pausing and waiting for us to do something. So you can forward that request on and you'll see other requests that get sent and more requests. And then you can click the intercept off so it won't bug you every time. 
But you should now see in history all the requests that you made to this domain. If the intercept is off, it will still log them into the history. If what? If the intercept is off. Yes, it will still log it. Yeah, exactly. You should get to this point where you're proxying traffic in between your browser. And I need to go get my charger. 30%. So you go to advanced, right? And then the settings and then where you should put in, you need to go to manual proxying. It's like the last thing. And then you enter in if you go to Burp and then proxy and then options, the options sub tab. It'll show you like 127.0.0. Yeah, so you use that. That one. 488. 488. 488. Hey, how are you? Oh, what's up? Do... It's... I'll be a boxer. Why are you doing proxy and proxy? Instead of just... You're a regular boxer. I don't want to be between you every time. Really? Yeah, I'll be. Because you need to see this. Yeah, I've done this many times. I've done that, though. Oh, it allows you to... It allows you to change the proxy connection. So this, you know how you have to go to... At least not that hard. You just have to go up to... No, but I think I'd say it's like the profile and you can turn it on. Watch this. And you can probably enter multiple... regular settings. If I go to preferences, I have to go all the way to... Where's network? See, I don't even know where network is. Thank you. Network. And then setting C. So long. So what we're going to do... is... See, watch. Oh, what the hell? Look, a host. 488. Oh, I mean... Oh, are you... You're not interested. Oh, yes. But I have my proxies. Okay. Okay. Okay. Give a little... A what? Well, a girl needs to be prepared. Yes. It's perfect. So if I go to proxy... So one thing to note is... You need to be running a browser wherever your proxy is running. Right? So you can't run the proxy in your virtual machine. Well, you can. You have to set it up a lot more confusingly. 
You can't run your proxy in your virtual machine and run your browser in your normal machine. So that makes sense. I think they both need to be on the same thing. So either both in your guest on your Ubuntu virtual machine, or both on your physical host. In very good mood. Websites. Do you have the proxy to set up? The same one. Yeah. What? Oh, right click on that. Right click. Is that... Right click here. Set up the... Set that down there. Yeah. Now go back. Now it should be a... No. Go back. Go back. It should be a proxy. If you run your browser in your virtual machine. No. Okay. Get off. It's good. Now go back. Yeah. Before you go to pick up. Because we tried to do this here. Any HTS. Here, go ahead. No, don't. Go ahead. Okay. Okay. I've got a party session. Okay. Yeah. Big smoke. Is this it? No. Okay. That's the real thing. You have to do this. Yep. Go ahead and keep forwarding. You can see. Oh, the back is open. Okay. Okay. Now go back. Okay. What? How do I make the proxy? I should put on. Yeah. Just did it log? Log. Yeah. Okay. When you're done, close. Right, and then it'll log this. For example, if you run this over here or anything. You know. So if I keep forwarding my class. Right. Yeah. But it's still logged. Do you have these illustrians? The street? Yeah. Oh. Got owned by... Got owned it. You'll make the perfect signature. Wait, the site actions having on it? What's going on? Is there an option in that running, uncheck the running, and now it's refreshable? Well, I mean, there's modernizer in Octopress, but I think it's right, so basically it's going to refresh, and then it's going to refresh. I think we're having the same problem since you were here. Your connection is not secure. Yeah. If you don't want to pause, you hit intercept is off, then it will just keep going, but it will keep tracking it. I delete that one. Oh, it's here. I see it's ancient. Yeah. I would delete all of those. 
I just want to know where it's worth a part. I already have that. Yeah, go down. And this is running in... Watch it back with the syntax. Yeah, what did it do? Oh, okay. So I'm going to let that watch ready, Cito. Okay. Yeah, so let's see what the difference is. So for example, I can see that it should fail. It should fail first. That's a program. This is its function. Oh, okay. And then also, see if it does... If I'm entering a specific type of file, it'll color it. That's not that. No, that's default. That's default. Now, I don't need it, but I'm saying sometimes it does it in here. Oh, okay. So for example, if I go... So I'm going to let it... I have... This is all being done. I mean, this is all... Okay, so I just don't see your time. Oh, yeah, I'm done. So I'm like, what am I supposed to do next? Do you know where I can do the trust certificate? So that it trusts the PortSwigger one? No. The answer is no. I can't remember. I know there's... You have to like... I've done it before, but it's a huge pain. So yeah, basically, so essentially what you're doing right now is you're man-in-the-middling all of your own traffic. So this is why if you try to go to something like google.com, it'll say the connection is not secure. You'll get this super scary page. The problem is you're not talking to google.com. You're talking to the proxy, and the proxy is talking to google.com. So Google can sense that? Or yes, yes, because... Burp says, yeah, I'm google.com. Trust me, I was signed by this important PortSwigger certificate, which is the guy who created Burp. And your browser goes, I don't trust that in a way. You're not google.com. But what you can do, there is a way to add Burp's certificate to your browser. I just don't remember how to do it. And you don't really want to do that for your normal browser because then that means anybody with Burp can man-in-the-middle you. You don't necessarily want to do that. 
But you could like, like, promise to try it out, I think. So instead of getting it out to the bad, and that would stop you from getting it out to the bad. And so if you would take it forward, then it would go like that. Or if you would turn it in or try to model somebody with a question, she'd say okay at once. Or deny it to the board and make sure that it just, you know, won't happen. It won't, because I think it's protected that you're... Go ahead and turn it in. I'm going to jump over over here. Yeah, here's my... I'll do that. Good. Okay. So you have JavaScript running on your home page and debate.com. Are you like running statistics on that? No. Okay, so we all... Is this page? Okay, cool. So one of the cool things that we turn Intercept on, if we go to a non-HTTPS site... Oh, okay. You need to refresh. So now this actually can help you see exactly what's going on with your browser, right? So you can see that this is... So this shows you different views in the request. So this is the raw request that you're sending. The parameters are the cookie parameters that I'm sending. I hope these don't mean anything because I recorded them. All the headers that you're sending. And it can show you even the hex value of exactly what you're sending. So you can look at cool things. You can see what it's sending. We're getting slash. The host is here. We have cookies. We can also, I think... There's also an option to... You can intercept. So this has a bunch of options of what you want to intercept. So this is intercepting requests going out. So you can say... So basically the default that I have here is... I mean, I didn't do this. This is what comes with my installation of Burp. Intercept it if the file extension does not match. If it's not a GIF or a JPEG or a PNG or a CSS or JavaScript or an ICO. So it's not going to intercept any of those requests. You can also add whatever types of additional query filters to maybe only want to intercept certain types of traffic. 
To say about the responses, you can intercept the responses that are coming back from the web server to mess with your browser. Or to change the request. So one cool thing, and this is where it comes in. So you can do this on my site. I'm giving you permission right now. If you right click on any of the... So some cool things you can spider from here. So this will automatically go and crawl all the links. So as you proxy, your target is keeping track of all the sites that you're visiting. And it's keeping track of kind of what it sees as the sites in there. And you can click on them and you can see the request that it's made and things that it's fetched. So you can see actual requests that it's made. So one thing you can do in the proxy is you can right click on it and say spider from here. So you should only ever do this really on sites that you own, control, everything. Outside the current spidering scope. Yes, include that in the scope. So now the spider is going to go through and you can see it's making hundreds of requests to my own website to try to get all the content. And try to see all of the webpages. So this is not something you normally need to do because you should be interacting with the website you're trying to test, but this is just a good way to kind of see what's out there and try to double check. You guys don't bring down my website. With so many people doing it at the same time? Yeah, it should be fine. Let's hit them hard. Okay, so I think that got it all. So now you can see the whole structure of my website. And you can see for any of these things, not only can you see the exact request that Burp made in order to get this page, you can also see the response that it got back. A bunch of other parameters. But you know what, it's actually going to download a lot, by the way. It's all of my slides for all of my classes ever. Really? Oh, I see your CSC stuff. You've only been teaching here for like 20 years? I thought you were like a senior. 
Like a business? Like a senior as in like 1, 7 years. We're hanging on publications, 2010. Wait, you have keys? You have a GTT? Yeah. So that's... Literally my website is open. I know it's on there. Okay, some other fun stuff we can do besides spidering my website? So the other thing that's really cool that we can do, and this is something that I actually use all the time, this is what I was using when we were pen testing websites for the CTF. So right click, I do send to repeater. So repeater is a very cool module where you get the raw request that you see here and you can change it and make the request again to see what happened. So you can do GET slash food. You can click go. It will make the request on the right and show you the response. And so this is how I do a lot of my testing work, is testing parameters, testing things, saying like you can see what happens if I put spaces in between the HTTP things. It'll say 404 not found. Oh, interesting. Actually it works. I can tell that I'm HTTP/2.0. It will still say it's not found. Yeah, it still works. It's crazy. It's not even checking this. So I know you're running fun too. Wait, but it's not updating right there. It's still HTTP/1.1. Right, right, right. Because that's the response is 1.1. Yeah, you can alter the hex in here. The headers. This is a super handy way that like when you're testing parameters is what I do so I can see what the response is right away. No, that's my picture. So let me see how much stuff you did so far. But you don't have anything about teaching. In target. So this is everything that I've seen so far. And then you click that so it's like the hierarchy. It shows all the results that you've done there. Oh yeah, some of the things that the pro version does is it will automatically fuzz as you're using the site. So it'll automatically try to fuzz the parameters while you're using it, which can be cool. But all like stuff that for CTFs you don't need. You should try all of these. 
What do you mean by fuzzing, like randomized? Like try SQL injection and cross-site scripting actively as you're using the site. It'll automatically look interactive attack as it goes. Exactly, okay. Now there it is. Yeah. Yeah, but all of the spiderweb is in the link. So when you click it. Oh yeah. What do you call it? Look there. Key. That's what happens. Yeah, next to top. What is the entry? Alright, the last guy. Yeah, she took the one integration. Really old. Did you check it out? Well, that was like, I mean, give it I didn't know. I haven't used it yet. I haven't even used it yet. Okay. Then it will be you. No. Are you going to stop? No. Oh, we should close it. You need to look back. Ha, ha, ha. So all these websites? Wait, what is that? So all these websites are like things that she's linking? Uh-huh. Then again, some of them are from you. I mean, you have whatever your Firefox is connected to it. So... I have only used it. Wait, do you connect to your Firefox? Or do you just scroll? What? What is he doing? He's adding music. Why? What are you trying to do? No, I was just learning what was this thing called. The thing that she's not asking me why is like, so she goes to her target list. There's like a bunch of packages.bunny.com but that's probably caused by um, one of her sites on her browser. Because there we go. Yeah, package.bunny.com Unless she went to... Yeah, but it's not like the proxy. Why would it go up to the proxy? Only first-worlds should be going to the first-worlds. So... Now it is possible that if it goes to Google and it goes to some site then it goes to package.bunny.com It's possible. It goes for an infinite loop. But yeah, look how far you've got to scroll this. Yeah. That's what they have. Yeah. What's the purpose? No, what's the wrong one? Yeah, that's the wrong one. What's the wrong one I think. I'm feeling like... I was just... 
I was just thinking. I was just bored out. I'll watch the rest of the video. It's courtesy of our sponsors, which is the lab of cybersecurity labs that Alan used to. So they're the ones that sponsored this? Yes. So they are our sponsors? I thought you guys make a bump in Orc Singh or whatever they are. No, we are not Orc Singh. We are affiliated to them. So thanks to you for coming. Hopefully you come back again. You want to look tomorrow or Saturday? Maybe. Is that for security or just selling? Is that with your friend, John? The secret agent? So basically it's not open for the people to join? Yeah, I'm with the students. What does it say on our deal? Absent without a base. It's a military term. But it just means they haven't heard from them. Is there another piece of the part? The slots are... Okay, should we continue a little bit? Yes. So right now, you know how you can do like intercepts? Yes. And then every time you have to forward every single one second? What do you work at now? So what if you just let that... Is there like a lifetime to live that drops it? I guess to make it possible. Okay. For a work house like a station? Okay. Okay, so just to start with all this stuff. Okay, so now we're going to move on to HTML so that we can go around time. This is my deal. Once you have that, we'll see you. Yes, that's true. Okay, so... So all of the requests, or most of the requests that we've seen, the response that we're getting back from our HTTP requests are HTML, right? So it has a long history, we're not going to go through the history. The idea is we have text, and we're going to mark up the text using special tags. And these tags will add meaning to our raw text. So instead of looking at raw text files which don't mean anything, we'll use these tags. So there are four types of things. Start tags. So first the start angle. Right. Brace. Angle. Caret? Chevron. Angle brace. Angle brace, yeah. 
Or you can think of less than greater than symbols, whatever. Then the name of the tag. So that's the first thing after that. And then any attributes of the tag which we'll get later. And then a closing tag. So this starts a tag. Then you can have some text, maybe not some text. And then you have an end tag. So this closes the tag. So the reason why we note this tag closes this tag is because it has exactly the same name and it has a slash. The text in here could also have other tags which we'll look at in a second. You can also have a self-closing tag which is this bar with a slash at the end. This means that it's equivalent to having an empty tag right next to each other. So like a start bar and an end bar tag right next to each other. So a tag. If you don't want to fill in anything. Yeah, you don't want anything in the text but you want that whatever it represents. Other tags don't have any end tag implicitly based on their type. So the IMG is an image tag. So an image tag has no end and it doesn't need to be self-closed. So that's kind of when you're looking at things. So tags fundamentally, I think of them as a tree structure. So tags are hierarchical. So for instance, this simple HTML page, I think probably this may be good. So the outermost tags of this are HTML. So you can think of that as the root node of the tree. So this is the tags and then everything in between that. So there's a head tag right starting and closing. In between that there's a title tag and there's text in between that title tag example. This is how at the top of your tabs in your browser, this is what showed what the title of that web page is. This is exactly how it's done. Then you can have a body and that body can have some text like a P or a paragraph tag. And it has some text in there. So in this example, you have head. So you have head is a child of HTML, title is a child of head. Body is a child of HTML and body is a sibling of head. They're at the same level. 
So you have to tilt this kind of on its edge and draw it out. As a tree, HTML would be the top node. It would have two children, head and body. Head would have a child node of title and body would have a child node of P. So something like this. It's like a tree structure like this. Cool. We don't just have these tags just as they are. These aren't really expressive enough. We also want attributes on the tag. So for instance, like an image tag. An image tag tells the browser, we want to include an image here. Where do you get that image from? And what if you can't get that image? What if the person is blind? What text should be there instead of the image? What size should the image be? Is it a tiny little 10 by 20? Or is it 300 pixels by 500 pixels? All kinds of attributes. These attributes provide metadata about the tag. So attributes essentially live inside the start tag and after the tag name. So there's four different types of syntax which make this super confusing. We can kind of get used to it. So one could be just bar. So this means an attribute bar. So foo has some attribute bar. Bar does not have a corresponding value. So foo is the tag name, bar is some attribute. You can also have foo bar equals baz. And the important thing is this is separated by spaces. It has to be at least one space because otherwise it would be part of the tag name. So it has to be at least one space but it can be multiple spaces. This is saying that the attribute bar has the value baz. You can single quote the value. So you can say and you can double quote the value. Can't technically and only put quotes around the web. Part of the problem with the web is the worst thing you can do if you write a web browser is for the web to break when you browse the web. So web browsers, so HTML is a standard. There is exactly how you should parse it and how it should be parsed. 
The problem is there's a lot of crappy HTML out there so browsers will do their best effort parsing and just parse whatever they can parse. So sometimes you can, and that'll, sometimes comes up with vulnerabilities but so you can sometimes throw random stuff in here and they'll just guess when you try to do something and try to make sense of this garbage HTML that you've given it. For the first attribute, does it go to the web? How do you... It depends on the tag itself. So some tags will have default... What's the scenario that you want to have just... Oh, you mean just an attribute? This is used on forms. I think there's, I can't remember, there's certain attributes like no check or no password field or I can't remember. There are some that are like that. I guess they make the trade-off of do you want to have, is something equal yes or no or just have something being no and the default being yes. It's not present. I've seen it before, I just can't remember all of them. You should figure out... Oh yeah, like disabled, there we go. That's good. And you can, so you separate multiple attributes by spaces and you can have as many as you want and they can all have this different syntax. Cool. The key is what actually makes what puts the H in HTML or hypertext is the link, right? This is the standard blue link we're all familiar with. So it stands for A, when the tag itself is just an A, it stands for an anchor tag. Href, so the hypertext reference is what URI does this hypertext point to. In that sense, when you click this link, where should your browser take you? And text inside the anchor tag is what your browser displays to you as the anchor. So, this is what a link looks like. A, href equals http colon slash slash google dot com. Example. And it looks like this. Okay. We don't need to go over, basic HTML5 page looks like this. If you're trying to do HTML5, this is the standard that, or this is what has to be there, not in terms of the body here. 
That presentation's on the Dropbox. Yes. It's under training web. Just added a web security. I'm also recording everything now. Browsers. Your browser is responsible for parsing, interpreting HTML and displaying it to the user. Lots of types of browsers. You can have the link browser, like a console-based browser. This is a browser. This is also a browser. Okay. So now, just like we looked at, and this is another thing that's key, just like we looked at with URIs, we needed some way to encode special characters, like the colon and the question mark and the ampersand and the equal sign to be able to include those as data. So, looking at what our sample HTML page, we can already see that angle brackets are very important. Right? Because angle brackets, and this is the key idea about the web. Right? The website just sends text, literally a stream of bytes to your browser. Right? Just like those of you who've taken 340, I've harped on a lot, that you take bytes and then you interpret those bytes to finally compile a program or interpret a program. Your browser's doing the same thing. Your browser gets just bytes from the server and then it has to parse that and turn it into HTML. And so the angle brackets tell it, hey, start parsing an HTML tag. But what if you want to have a math equation that says x is less than 10 and you want to include the less than symbol? So just like with URI encoding, we need a way to encode those special characters. Unfortunately, it's completely different. It is not the same type of encoding, which is part of the reason why the web is so crazy and there's so many vulnerabilities. Because even just today, we've touched on three different technologies, URI, HTTP, and HTML. Each of them has their own parsing, own file formats, and they can all lead to vulnerabilities in each one of them. So the character references, so the way this is solved is character references. 
So we want to include these special characters as text or data, so we encode them. The annoying thing is, so we start with an ampersand. It's also referred to as entity reference or entity encoding. Names of change. Everything's... There's three different types of encoding, but everything starts with an ampersand and ends with a semicolon. So that's how you can see it in the HTML text. There are three different types. Named character reference where you use a name of a character. So for instance, when doing an ampersand, it is the ampersand, and the letters amp, ending with a semicolon. So amp stands for ampersand. The less than symbol is ampersand LT semicolon for less than. The greater than symbol, the same way. And there's a list of all of these predefined names for lots of characters. You can also reference, just like URI encoding, you can reference the decimal Unicode code point. So that's how you include Unicode in the HTML pages. You can also use the... So for decimal, you include a hash. So you do ampersand hash, and this is decimal. For hexadecimal, you do ampersand dollar sign, ampersand hash x, and then the hexadecimal Unicode code point. And this really, this lack of, you know, the fact that these special characters are less than and greater than, are the root of essentially cross-site scripting vulnerabilities. So there's three different ways to encode ampersand. So each of these maps to, so when the browser parses it, it sees it as a text less than symbol. Well, this one is ampersand. All of this is ampersand, yes? If you were to use the ampersand character code, or maybe like a less than... I'm sorry. If you were to use angle braces, like instead of putting the actual angle brace, you put the code of it. Would that still create these same vulnerabilities? Or would that not be... So we need to study the vulnerabilities more first before we can talk about that and answer that. 
But fundamentally, so one thing is, if you were just coding up a document and you had a less than symbol and just kept going, the browser would probably interpret that as a less than symbol and not as a start tag. It's only going to do it as a start tag if you try to do less than X and then a space, like it's all kind of one, then now you're messing up the browser's parsing, so different browsers may do it differently. You're off spec, it's all kind of crazy. But if you want it to appear as a text ampersand, you need to use any of these four different ways to do this. This is the stupid E on my name. This is how you do that. Absolutely must encode the less than symbol because it indicates to the browser that we're trying to parse things. And we're trying to start a new tag. Many different ways to do that as well. The most common way is this ampersand LT. And if we look at our history, we should be able to see that at some point. So we can see... I search for ampersand B. I also know this is a small way to look at this. Any kind of... An example. There was one at the end. It was like ampersand LT. Oh, there's that one. It's like in the corner on the right. Oh, there you go. Ampersand mdash. So an em dash is a long dash. Copyright, the copyright symbol. So that would show up on there. Wait, but why do you have to... Oh, because it's a special character. Yes. I don't know if there's something that says it has to be ASCII or UTF-8 or something, but to get compatibility across all browsers because you never know what they're going to have, you should use that for any non-ASCII characters. Can I just put the actual symbol there? Right. Because it may show up correctly in some browsers because you're sending different bytes down, right? And so it depends on how the browser works. What if you code the website but you don't care about both browsers? Then you can do whatever you want. Okay, so let's see. I thought we'd get some vulnerabilities. 
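An added example, not part of the lecture or its slides, in Python: a decoder for the three character-reference forms just described (named, decimal, hexadecimal), the output encoding that keeps a user-supplied less-than from being parsed as a tag start, and a check for the raw byte sequences that switch the browser out of text mode. The NAMED table is a hand-picked subset of the spec's list, and the sample strings are constructed for the demo.

```python
import re

# Hand-picked subset of the named references; the real list in the HTML
# spec has over two thousand entries.
NAMED = {"amp": "&", "lt": "<", "gt": ">", "quot": '"', "apos": "'",
         "copy": "\u00a9", "mdash": "\u2014", "eacute": "\u00e9"}

# Every reference starts with '&' and ends with ';'. The three alternatives
# are hexadecimal code point (&#x3C;), decimal code point (&#60;) and name (&lt;).
_REF = re.compile(r"&(?:#x([0-9A-Fa-f]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));")


def decode_refs(text):
    """Replace each character reference with the character it stands for.
    All three spellings of '<' decode to the same text character."""
    def one(match):
        hexcode, deccode, name = match.groups()
        if hexcode is not None:
            return chr(int(hexcode, 16))
        if deccode is not None:
            return chr(int(deccode, 10))
        return NAMED.get(name, match.group(0))  # unknown names are left untouched
    return _REF.sub(one, text)


def encode_text(text):
    """Encode untrusted data for use as text between tags. '&' goes first so
    the references produced for the other characters are not re-encoded."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;")
                .replace("'", "&#x27;"))


def starts_tag(text):
    """True if a raw '<' in the text would end text parsing: per the HTML
    tokenizer, '<' followed by a letter opens a tag, '</' an end tag, and
    '<!' or '<?' a declaration or bogus comment. A lone '<' before a space
    or digit (as in 'x < 10') stays text, which is the lecture's point."""
    return re.search(r"<[A-Za-z/!?]", text) is not None


def safe_paragraph(user_text):
    """Wrap untrusted text in a <p> so that nothing in it can start a tag."""
    body = encode_text(user_text)
    assert not starts_tag(body)
    return "<p>" + body + "</p>"


if __name__ == "__main__":
    # Constructed samples: the same '<' three ways, plus a non-ASCII name.
    for sample in ("&lt;", "&#60;", "&#x3C;", "x &lt; 10", "&copy; 2019", "Doup&eacute;"):
        print(repr(sample), "->", repr(decode_refs(sample)))
    untrusted = "<script>alert(1)</script> & friends"
    print(safe_paragraph(untrusted))
    print(starts_tag("x < 10"), starts_tag(untrusted))
```

Python's standard library already ships `html.escape` and `html.unescape` for production use; the hand-written versions above exist only to make the three reference forms and the encode/decode round trip visible.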
I'm not quite there yet. Okay, but this is important. Okay, so when we think about pen testing, we think about security, we need to think about all the ways that our user input gets into the application. Because fundamentally, vulnerabilities boil down to: using my input, I can get the application to do something it's not supposed to do. What we need to do, so when we look at this, we can see, basically, looking at this request, we can see that anything in this request we can change. We can add additional headers, we can change. We saw it in the repeater, right? I can change and add whatever I want here. So everything that the website is receiving that can come from me is potentially untrusted, and it's a potential way that we can get our malicious content into a web application. So one way is through the URL, as we saw, right? Because everything that we send in the URL will get sent to the web application. The other standard way of doing this is a form, right? These are standard HTML forms that we fill out. This is anything, for instance, let's see what we have. Do I have anything on? The search form. This is a form field. When I type something in and hit enter, stuff happens. The question is, what exactly happens? So if we look at the response here, if I look for form, so this is the HTML that generates that form. So it says, I'm a form. It has several attributes that are important. One is method. Which HTTP method do I use to make this request? Do I use get or post? So those are the two different ones and that will affect the post field and we'll see it affects other things. The other thing is who do I make this? Where do I send this? This is the action attribute. This means when you click this search button, it's gonna send you to google.com.search. Now, what's being sent? So there's several input fields here. One input field is hidden. It's a parameter's name. It's called site search and the value is avidupay.com. 
So this is how Google knows that I want to search my website. And then, this is a search field whose name is Q, probably stands for query parameter. The type is text, which tells the browser to turn into something that we can see and has a placeholder of search. So if we look at it and we refresh this page, we can see the search here is what the browser puts in there. But it puts it in that faded kind of way. So fundamentally, forms are really important because this is how our data gets into the web application. So we have the action attribute, which tells us where to go. The default, if it's not present, is the current URI. So just submit to the current URI. Method is used. It can be either get or post. The default is get if it's not there. Input tags are transformed into, and this is where it gets complicated. So I think we have to stop here for now. But how the data actually gets from the browser to the HTTP request to make this depend specifically on how this is getting sent. So for now, we'll stop it here. Sorry we didn't get to any vulnerabilities, but I think we laid a lot of good groundwork so that we should be able to definitely cover and get to cross-site scripting vulnerabilities and other types of vulnerabilities. Well, any questions? I actually have to go. So this is what's that post? This was a get because it was a get. So this is... So it didn't actually... So you can see... Yes, exactly. So it said method get. So here you can see... It's making a get request to Google.com to site call it. So in a get request, it transforms all the user values in this query parameter here. And that's how it gets sent. I was opposed to build the body in a special format. So...
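The lecture stops just before showing how the form's fields become the actual HTTP request. The following is an added example in JavaScript, not code from the lecture, that models the rules stated above: action defaults to the current URI, method defaults to GET, and the input fields are serialized as name=value pairs which land in the query string for GET and in the request body for POST. The form object and URLs are constructed stand-ins for the search form discussed in the lecture (a hidden site-restriction field plus a text field named q). A second function lists every place user-controlled data ended up in the resulting request, which is the inventory a tester or reviewer wants before looking for injection.

```javascript
// Added example: how a submitted HTML form turns into an HTTP request.
// Not the lecture's code; SEARCH_FORM and the URLs are constructed.

function buildFormRequest(form, currentUrl) {
  // Default action is the current document URL; default method is GET.
  const method = (form.method || "GET").toUpperCase();
  const url = new URL(form.action || currentUrl, currentUrl);

  // Each named, enabled control contributes one name=value pair, encoded
  // as application/x-www-form-urlencoded (space becomes "+", "<" %3C, ...).
  const params = new URLSearchParams();
  for (const input of form.inputs) {
    if (input.disabled || !input.name) continue;
    params.append(input.name, input.value === undefined ? "" : input.value);
  }
  const encoded = params.toString();

  if (method === "GET") {
    // GET: the pairs replace the query string of the action URL.
    url.search = encoded;
    return { method, url: url.toString(), headers: {}, body: null };
  }
  // POST: the pairs travel in the body, with the content type the server
  // needs in order to parse them.
  return {
    method,
    url: url.toString(),
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: encoded,
  };
}

// Enumerate every field of the request whose value came from the user:
// the query string, the body, or both. Hidden fields count too, since the
// client controls them just as much as the visible ones.
function untrustedFields(request) {
  const sinks = [];
  for (const [name, value] of new URL(request.url).searchParams) {
    sinks.push({ where: "query", name, value });
  }
  if (request.body) {
    for (const [name, value] of new URLSearchParams(request.body)) {
      sinks.push({ where: "body", name, value });
    }
  }
  return sinks;
}

// Constructed form: hidden site restriction plus the visible query box.
const SEARCH_FORM = {
  action: "/search",
  method: "get",
  inputs: [
    { name: "sitesearch", type: "hidden", value: "example.com" },
    { name: "q", type: "text", value: "<script> hi" },
    { name: "", type: "submit", value: "Search" }, // unnamed: never sent
  ],
};

module.exports = { buildFormRequest, untrustedFields, SEARCH_FORM };
```

Running `buildFormRequest(SEARCH_FORM, "https://example.com/blog/")` yields a GET to `https://example.com/search?sitesearch=example.com&q=%3Cscript%3E+hi`; switching the method to post moves the identical string into the body. The encoding is the transport's, not the HTML output encoding from the previous example, so a server that decodes the query and echoes `q` into a page still has to escape it.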
