 So anything you say is going to be posted on YouTube. So don't say anything stupid. The second part of this is so we just spent the last time getting everybody got verb installed, which is what we did last week, and then everybody got Docker installed so that we can play with a vulnerable image later. So we left off about HTML forms. So you'll see as you play with the when you look at forms. So a form is what puts that input box on your screen. So we looked at HTML. So the form is specifically the way that one way that input can be specified. And I think last time we looked in our proxy, we could see a form. So here, like this form, the search the docs form. Let's see if I right click on this. And I save you page source. This may work. It may not work. I have no idea. Search the docs. So I can see that this is a form. It has a class, which is about cascading style sheets. We can ignore it. It has an ID. And it has an action. So the action is important because this is a relative URI that specifies where should this request go when we submit this form. Can you make it bigger? Yes. I can just make the Docker page huge. Oh, wait, wait, can I zoom? I'm zooming. Nothing's happening. Probably has a song I control now. Yeah, but I don't know how. Yes, it's only affecting that. Sorry. Yeah, I can. You have to trust me. So it has this action. Oh, man, that's not even good quality. Action equals slash. So this is the action attribute of the form tag. So the action attribute specifies where the request should go. So this means when they post or when they submit this form, the browser should make a request to the post, which is docs.docker.com slash search and another slash actually at the end. Let's see. The other thing in here, there's no method specified, so what's the default method? Get. Yeah, so it's going to be a get request. So the method attribute specifies what kind of HTTP request the browser should make if it's either a get or a post. The data will be encoded in different ways, depending. So for an input, we have an input field here. There are different types of input fields. So this is an attribute. I had no idea there was a search value here. I've only ever seen type equals text. Yeah, that's the standard one. This must be like an HTML5 thing. But what the browser does, so when you, let's see, there is a button that's of type submit. So this is how it creates the submit button, which is here at this little icon, I think, is what they have here. What happens is the browser looks for all these sub-children of the form that are inputs, or text areas, or check boxes, or some other things, any kind of input parameters. You can look at the specification to find out. And it takes their name, so here the name is Q. It puts whatever the value was passed in there as a URL parameter. So if it's a get request, it'll put it as part of the URL parameter. So if I put in foo here, the request that my browser should generate, assuming there's not any JavaScript nonsense going on, will be an HTTP request to docs.doctor.com slash search slash question mark Q equals foo. This is exactly what it searched for here up at the top. And so, so Q is for like what queries? It doesn't matter to us. So yeah, that's why it's like, it could be Q, it could be foo bar, it could be query. Is it a standard, or they made it up? They made it up. So every web application basically defines their own interface of how they want to pass parameters. Now, if this was a post request, so get puts it in the query parameters, if it's a post request, it's sent as the body of the HTTP request. So most of the HTTP requests we saw had no body. So normally, if you're just doing a get request, you would never send a body in the HTTP request. But if you're sending a post and you're trying to send data, that data will be encoded in the body. I think that's the main takeaways from here. One tricky thing about URL encoding of forms is that plus is translated to, spaces are translated to plus instead of percent 20. It's URL encoding, except for this. You can also use percent 20, it's very good. So that's how the data is sent. So it's basically like URL parameters, except for this little tweak. Cool, so yeah, we can see this is a form. So this one I can't make a figure before I cancel. Anybody have a really good memory and know exactly where we're at? 50 something? Yep. OK. So this is a form, a post form. So this is to example.com slash grade slash submit. So now we have actually four input fields. So there should be four parameters, a student parameter, a class parameter, a grade parameter, and a submit parameter. The value here is what will be inside that text field by default, if there is one. So it will be par. And when it submits, if you didn't change anything, it will be par. So if I were to change this to change for me as a student, CSE 590, which is a class I taught, and a grade of A plus, if I click submit query, it is going to make a, the browser will make a post request to example.com slash grade slash submit. So here we can see, unlike other HTTP requests, we have a content length, and the content type says that it's this XWW form URL encoded. And so it will URL encode our data that we send. So it'll set student equals to the value I typed in and class equals CSE space 591 and grade equals A plus and submit equals submit query. So this is how the server can then tell what application, what data was sent. Okay, we did that, we did that. Okay, next things that are important. So what we looked at so far are the fundamentals of how the web works, right? So these are incredibly important because without these you don't really understand any of the other vulnerabilities. The web used to be just simple HTML pages, so there's nothing dynamic. Like even, when you think about Yahoo, the way you know what Yahoo was originally, except for Eric. Netscape? Netscape, no. Jail. Jail cities? No. What was like the original functionality of Yahoo? Ask. It was just a site directory, it was just a site directory of categories of types of websites with links to other websites. It wasn't even a search engine, it wasn't even anything. So did they hard code everything? Kind of. I'm sure, yeah. If it wasn't a search engine, it must have been a hard code. At the start, it's just all static. And if you use the Wayback machine, which is as anybody ever played with that, you can look at versions of websites that were as they looked way back then, so it's really cool. Anyways, so over time, people realized, man, static web pages are cool and useful, but it would be really useful if we could actually have a full-fledged application that lived on the server that we could interact with over HTTP and use HTML for the user interface. So that was kind of a big shift, because if you think back in the day, you either used an application that you downloaded to your computer, or you maybe used some application that ran on the server, but it would use some custom protocol so you'd have a viewing software to be able to view it. And so web applications were a way of running full-fledged applications on a server. And the web was really structured this way. So that's why we have all these query parameters, we have post parameters, we have ways to actually interact with the website. Get and post kind of have this, so get means that just give me the resource. So the spec says, even though this is not, doesn't have to be this way, but get should not have any other action except for retrieving something. So there should be no side effects. Like making a get request should be perfectly safe all the time. It's safe and item-poked. So what's item-poked? Besides a confusing word. OS, people take an OS plus. I didn't see that word in there. Yeah, what? I think it's teaching an OS. What do you learn about threading? What about it? Is it? I didn't know that. Yeah, what was you talking about? I can guess like the state before the get should be exactly the same as the state after the get. Yes, in essence it means when you make a get, you can make more than one request and it does not affect the results at all of what you get or doesn't change in the state of the application. So making one request is the same thing as making a hundred requests. Yeah, it just means it doesn't change anything. Post is actually used for changing data. This is what the specs is, I'm not gonna go into it. So this is the core concept behind a web application and this is why I often use the, I think of it differently and it's also because I'm an academic and I like to label things correctly. A website is something that's completely static that you just visit. Like me, if you go to my homepage, that's just a website. Like it's literally just generated HTML code that doesn't do anything special, it just displays stuff. A web application is dynamically generating HTML responses, HTML in response to your HTTP requests. So that's fundamentally to me what a web application is. And one of the key problems that we looked at so far is that each request, HTTP request is distinct. When we looked at get slash, from hostgoogle.com, we're asking Google to give us the homepage of slash, right? So by default, the web, so the server has the client IP address and the user agent, right? That's what we send in our request. But the problem is how do you link different requests? If you wanna build an actual application, you need to know, hey, is this person requesting a page from you, the same person I saw a month ago, or is it a brand new person? And the way HTTP itself is there's no, that information does not exist at all in the request. There's nothing that says, hey, remember me, I'm the person from last time. And so the community had to actually build this kind of on top of HTTP. So it's really about maintaining state. So fundamentally, HTTP is stateless. You just make a request and you get a response. You make a request, you get a response. And every time you make a request, the server says, hey, brand new person. Great, here's your response. So, but we want to maintain state and link our request together. And the goal is to create a session so that we are actually interacting with the same user over time. Cookie. There's three ways that this is done. We'll go, we're not gonna go into the other ones. We're gonna go mainly into the main one where this actually happens. Oh, good, we did not do that. Okay, so cookies. Cookies are basically state information. The cookies, if you've ever been told to clear your cookies or clear your browsers cookies, this is exactly what they're talking about. So cookies are a way that the web server can ask the web client, hey, store this bit of information for me and next time you talk to me, send it back to me. That way I know that you're actually the same user that I've been talking to. And either the server or the user agent can terminate the session. So if you delete your cookies and make a new request to the web server, it thinks you're a brand new person. The server can decide to terminate your session as well as anybody that logged out of their bank account if they've left it open. That's the same type of thing. Okay, there's RFCs that define cookies. Cookies are name value pairs separated by equal sign. So again, there's a little bit of consistency in the web just like URL parameters. If a server wants to set cookies, it sends the set cookies header to tell the client, hey, please set these cookies. So again, say set cookies user equals foo or whatever it wants. Then on every subsequent request, the user agent or your browser should send the cookie back with a cookie header that says, hey, these are the cookies. So when it makes a request, it would say cookie user equals foo. You can ask for multiple set cookies so you can set as many cookies as you want. I think browsers do have limits, probably on the total number and the size of the data you can store into a cookie, but that probably varies between browsers. There are also, the other thing is there's attributes that the browser can set on a cookie, right? So because the key question is, okay, a server sent me this cookie. When do I send it back? Do I send it back on the entire domain or do I restrict it based on the path? So the path allows the server to restrict a cookie to only a specific URL domain. So this would be some things, I'm trying to give a good example. Is it, what allows you to create your own subdomains on their sites? Free webs, is that what I'm talking about? Yeah, anything that, or allows you to, so like a subdomain. Slack this. Slack, yes, Slack's a good one. ASU.edu? Yes, well, maybe, Slack's a better one. So for Slack, right? Depending on which Slack channel you're on, like ours is PoneDevils.slack.com, there's also other Slack's like UCSB, I think has like seclab.slack.com, right? And so the idea is you don't want, you want those cookies to only be restricted to that subdomain, so they will restrict it and say, hey, don't send these cookies to, like only send these cookies to the PoneDevil Slack. The server can say how long this cookie should be valid for. It can say other security things, which we'll talk about later, of HTTP only that says this cookie should only be sent over HTTP and should not be accessed through JavaScript. We haven't got the JavaScript yet. Secure says this cookie should only be sent over HTTPS connections. So this is secure connection. So this was a curl request I made a long time ago. These are the headers that Google.com sent back. Just making a brand new curl to Google.com. You could do this and try this. It's kind of cool. You can see that it's sending this preference equals and this is everything here from the end, from here to the semicolon is the cookie. Again, it's just an opaque blob to the client, this value that's being set. We as humans can look at this and see, yeah, they're doing some weird splitting on colons here. I don't know what this FF ID, LM, TM, you'd have to kind of look at it to see what it is. And they also ask for two different cookies. One HTTP only and the other one that's not. So yeah, so this is the value of the preference, P-R-E-F cookie. I hope there's nothing important in here, but whatever. The expires, oh no, it just expired last month. That's funny. The path, this is why you should net, if you ever make slides, don't ever put times and dates or the current class in that. That's what I found by experience. Yeah, so this one specifically says to send it to all subdomains of Google.com. So this is why anywhere you go to in Google.com, these cookies will be sent and Google knows how to link you. This one is HTTP only. So an interesting thing, so the ID, wow, okay. So, okay. So cookies are used for, okay. The other thing we need to talk about, oh man, I did it again, sorry. It was in the 50s, it was probably 60 something. 74, 74. Look at us. Okay. The other thing we need to think about, so we've been talking so far about clients and web servers, right? But we need to add another layer there. We need the actual web application code. So the client makes an HTTP request to the web server. The web server, like Apache or Nginx, its entire job is talking HTTP. All it does is accept incoming HTTP requests. It doesn't actually do any complex processing. There's some web application code behind that that the web server passes the request back, gets a response. The web application has to generate an HTML page that will then get passed to the web server, which will then send it back as an HTTP response. Exactly how this mechanism happens depends on the web server. Rails is different from Python, which is different than PHP. So all different kinds of technologies. I suggest you look at this to get familiar with all the different type of ways to make web applications. But now we're going to get into how to script on care in MySQL. Okay, cool. So I suggest if you're not familiar with PHP, you look over the slides in PHP, you get familiar with PHP. It is the absolute most popular language on the web. And there's a lot of really crappy PHP code. And so really like learning PHP is the biggest language on the web. So it's behooves you to learn that. And so the classic, so a lamp stack is Linux, Apache, MySQL and PHP. This is kind of the bog standard web application. And this is nice because you can actually swap out each component. So we'll talk about MySQL really quickly and then we'll get into vulnerabilities. So MySQL is currently the second most used open source relational database. Anybody know what the first is? What's grass? Nope. What are called? If they wish. What are called? Nope. SQLite. SQLite. Why SQLite? Yeah, all mobile devices. Like androids, iPhones, everything. Even I think Mac OS, I think is using SQLite internally. I know Firefox. I think so. I think Firefox. I think Firefox uses it. I mean SQLite is everywhere. But on the web, MySQL is definitely the most popular. It was an open source project. I was purchased by Sun, which is now owned by Oracle for a billion dollars, which is pretty cool. So the other thing, so this is what we studied so far. We studied HTTP. We studied URLs. We studied HTML. We looked at forms and how those work. So that's already three essentially languages or specifications that are incredibly important. Throw on top of that PHP, because you should be able to read PHP code, and then SQL, the structured query language, which is used by most web applications to fetch things from a database. That's like five technologies that you need to be proficient in and understand in order to do web security. And this is part of the reason why web security is difficult, because there's a lot of different technologies in play. And this is just the basics. Getting on top of that, you have to watch more complicated stuff. So SQL, is it, how many know I've done SQL? Oh, most of you. Okay, this will be quick. Special language to interact with a database, different commands, select, give me things, update, change things, insert, add new things, delete, delete things at a very high level. There are, even though it's SQL, itself is a well-defined language, there is differences in the syntax and implementation among the different database engines. That's something when you're testing a website and you have no idea what the back application is written in, that can be a problem. So, a SQL query looks something like this. Select star, so select, so SQL is a table-oriented database, so you have a database which has multiple tables. Each table has a different number of columns. So, for instance, this query is trying to get all the columns from the user's table where the username column equals Adam. Or, we can try to select all columns from the book table where price is greater than 100.00, order by title, so this will order the results based on the titles of the book. I think alphabetic by default and ascending order first you can flip it around with the descending here too. You can do complicated nestings of queries. You can have, so this is selecting the ISBN number column, the title column, the price column from the book table where the price column is less than select the average price from book. So, average is a function, so it's gonna average all of the prices. So, this is getting all of the books that are less than the average price from the database. So, it's doing sub queries. This is an insert, so insert into the example table where column one of field one, column two field two, column three field three is test n and null. Update table example, set column field one equal to updated value where field two is equal to where column of field two is n. You have unions which are crazy which I'm not really gonna get into right now. So, this is a snippet from how to use PHP to connect to my SQL database. Is there anything interesting here? No, okay, cool. So, now we switch over to my other slides. Sorry, this is not in the draw box yet because I'm stealing this from something else. Okay, we definitely talk about that. What about avoiding JLN, that seems important. I'm pretty sure we've already done that, right? Okay, well, let's do it easy then. Okay, it's been a long time, we haven't done this. Don't do anything illegal. Don't hack into a site that you do not own or have permission. This is actually very important as part of this group. Probably don't emphasize this enough, but we're emphasizing it now, so that's good. So, and also, this means don't even attempt to find vulnerabilities in a site that you don't own or have permission. So this is like if you were walking around the street, try walking up to every house you saw and trying to jiggle the door knob to see who didn't lock their house. Even if you're not gonna open the door, it's not a nice thing to do, it's not an ethical thing to do and it can get you in trouble. You're still trespassing. In that case, yes, you may still be trespassing. But doesn't it happen all the time and it helps them out too? People disclose the vulnerabilities. You don't get to choose whether, because you are actively testing against a real life service. So you can't guarantee that your testing is not gonna affect their service in any way. So if you end up taking down their service, crashing it, it costs them millions of dollars, and all you were doing was trying to help them out. But then it's their fault for not. Oh, that's your fault. They should have built it. That's like saying you left your car unlocked and it's your fault that it got stolen. Yeah, because you did not have permission to do that. If you have permission, you can do whatever you want. So I'm gonna give you resources in this group of websites to hack and how to actually play with it. The key is it's gotta be running on your system. So that's what we'll do with today. If it's, you can take any open source project, take WordPress, take anything, install it on your machine and you can go to town and do whatever you want to it. Servers that you own and you have set up, you can do whatever you want to it, right? It's your server. It's just like I can try to hack into my laptop as much as I want. It's unethical for me to try to hack into Will's laptop unless he gives me permission. Which I do not. Right, which he does not. Pretty good. Sure. The third one is, so not to sound super negative, a lot of websites actually have bug bounty programs, including big ones like Facebook, Facebook, I'm trying to think of ones that I absolutely know have it. Facebook, Google, I think GitHub may, if you just Google bug bounty websites, there's tons of websites out there that have bug bounty programs. And how these work is they say, hey, we give you the right or we give you permission to try to find vulnerabilities in our site and depending on the site, there may be some guidelines. So for Facebook, they specifically give you a test section of their website where you can create as many fake accounts as you want. And they say, go to town, do anything on this site that you want, but don't affect the real Facebook site. Unless you absolutely have to do that to show your vulnerability. So then when you find the vulnerability, then you report it to them and oftentimes they'll give you money for finding that. So yeah, really cool stuff. Oh, Amazon has one too, I believe. So it has lots of opportunities to practice. The things we talked about today, please do not go and just try searching for SQL injection vulnerabilities on the web. You will find one eventually, but you still should not do that. You should practice on your own things. Okay, we're talking about CNA. Okay, I'm gonna talk about this. Okay, so now we need to talk about, oh, maybe this is a good example. Okay, so we're gonna look at finding vulnerabilities and web applications from the outside. So we don't know the source code of the application, right? So this is simulating a real attacker, right? The attacker doesn't have inside knowledge of the organization, but it's still trying to find vulnerabilities in the application. So our goal is to try to make some, make the application, the web application, do something that it's not supposed to do, right? And this is incredibly broad, right? So we're gonna focus on two things today, SQL injection and cross-site scripting. Well, maybe just SQL injection, but, but web application vulnerabilities could be all kinds of things, right? So like on Facebook, there is a famous vulnerability where anybody could write on anybody's wall, right? Without being friends with them, which is a clear vulnerability and a bug, but it's not necessarily something that you would think of classic SQL injection or cross-site scripting. So there's all kinds of permission issues that you have to be aware of. But in order to actually find vulnerabilities, you actually need to understand the application because if you don't know what the application does, then you won't know if what you found is actually a vulnerability or not. And you always have to be thinking about when you're testing a website, what's the intended functionality? What's the intended behavior? And trying to figure out what does the application use as input? So where's my input used in the application? And what does the application produce as output? For example, what if I told you that you found on a website that anybody not logged into the website could edit the content of a page on that site? Is that a serious vulnerability? Yeah, no. You know, like if you did that stuff. Yeah. The answer is it depends, right? It sounds really bad if it's cnn.com and I can just sitting here, edit the homepage of cnn.com. That sounds like a very serious vulnerability, but that is the entire point of Wikipedia is that random arbitrary people can edit contents on a page, right? And so this shows that understanding what the web application is supposed to do is critical to finding these vulnerabilities. Okay. How do we rob a bank? Ooh. How do you talk about this in class? Somebody who's not in my class. Oh. You've watched movies. Hopefully nobody here has actually robbed a bank. Yeah. You've watched movies about bank robberies. You walk in, slip the teller a note. Ooh. Oh, yeah, that's if you want to get caught, Will. So then you buy something. No, you know, like 60% of bank robbers don't get caught because they just slip them the note and they get out, they only grab like $7,000. Okay, you want to realize that Ocean's Lemon didn't just slip anybody a note. Crawl through the vents. What's the first step? Case it. So you need to, you perform reconnaissance, right? You need to gather as much information as possible about the bank. You want to know what guards are working there. What's their shift schedule like? When do they go on smoke breaks? When do they take lunch breaks? When do they switch shifts? What happens when they switch shifts? Switch shifts. Who works? Who's the manager of the bank? Who are his or her wife, husband or kids, right? The more information you have about the bank, maybe you go to city hall and try to get the plans for the bank, right? The more information you have, the better your heist is going to get. And this is always the first step. They do, you know, they go to the cafe across the street like wear hats while they pretend to talk but are really checking out the bank. This is the first step. Well, zero, step zero is assemble your team. That's not fun. Yeah, then you build some elaborate plan and everything goes wrong and maybe you profit, maybe not. But the point is the first one is reconnaissance and you should take this mindset to testing web applications, right? You first need to use it to figure out as much as you can. Okay. Same thing you're doing here. You need to ask yourself, how does this work? Are there user accounts? Do the user accounts have different privileges, right? How are privileges actually enforced? Are they enforced? That would be a good finding. What does the layout of the web application look like in terms of URLs? What are the URLs that the web application looked like? What URLs should only be accessible to a certain privilege? What are admin URLs versus logged in URLs versus logged out URLs? And then try testing the opposites, right? What is all the ways I can get input into this web application, right? So we saw it's forms but it's also the headers that you send to the web application, the anything that you post, anything that you send in a get request, anything in the path, all things are ways that your input can get to the web application. What is the output of this web application? And the key thing you're always thinking about is how is the web application likely written? So this is why being a web developer actually helps you out a lot in pen testing web applications because I do this a lot is I'm thinking about, okay, if I was really lazy, which developers are all the time, what would I have forgotten about? What are the corner cases they likely didn't think about, right? And then I'll test those things. Then you always wanna think like a scientist. So you wanna develop a, what I call vulnerability hypothesis, right? So you wanna say, ha, I think there could be a SQL injection vulnerability on this parameter. That's a hypothesis, right? You think that there could be. Then you need to actually test that hypothesis. So you need to give input to the web application and you need to know before you make that input, if it does X, then I know it's vulnerable. If it does Y, or if it does X, then I know my hypothesis is true. If it does Y, I know my hypothesis is false, right? If you can't distinguish, then you made a terrible experiment, right? The truth could be either true or false. Then you actually develop an exploit to exploit that vulnerability to do cool stuff when you found a real vulnerability. Then you profit. Okay, we talked about this all the different ways we can get input into the web application. Wacko Pico, I don't have a reset. Okay, so you should be able to, if everything went well, you should be able to do Docker pull, Adam DuPay slash Wacko Pico. So try that. So this is, I created a Docker image that has this intentionally vulnerable web application running, or inside of the container. And so if you pull it, it won't actually run anything, it's just getting all the files from Docker Hub onto your machine. I realize it's not actually, okay, well, thanks, John. We're filling it in again. ASU's got a big fight. Everybody got it? What? When I downloaded Docker, it reinstalled VirtualBox and changed all the IDs of my machine so I can't use my machines. So now I have to move all my machines, which is 120 gigs, delete VirtualBox, reinstall VirtualBox, then- I sure a lot of complaining, really. Ha, ha, ha, hee, hee. It's working on the third way for an idea. Downloading, or downloading, because it's very personal. What do you want to do? Let's go, doc, let's go, what's the problem? The great game, I can't even put it in. I'm excited. Let's hope there's no longer way to turn it on for the both. I still have 48 gigs to go. All right. So, what do you think of the Docker? Oh, I don't know. I guess it's fine, okay, fine. What's made it, okay, okay, what's the problem? It's between Docker and Docker. Oh, you still Docker? I don't know what Docker is. I'm gonna go for like, again, let's see, package Docker. I'm waiting, so you may need to run it with pseudo. Okay, cool. System trade. Install and install. Yeah, I had to uninstall it. Add and just install, like, rootkits, racks, and stuff, and that works. It's cool, though, it's doing that. Regenerating that entire thing of text. It's gonna do all that, if you're about to. It's cool. It's cool. Although, actually, the game's not gonna run. Instead, it should be downloaded. I can't really send it the first time, that's why I got you here. Send it the first time, you know, I was like, Oh, you can't, We don't have a distribution problem. The image is up to you. The problem exists between keyboard and chair. Yeah. It's probably just spinning out EDN. At least it's not an ID-10T error. What do you want to say? Yes. I don't know, dude. What do you want to say? ID-10T. Yes. Type of menu. Oh, I did it. No, but it actually looks like it's kind of... Yeah. But I am wearing it. I'm wearing it. I'm wearing it. ID-10T. So what? He doesn't have a right. Oh, it's working. Yeah. Hi, Jesse. Wait, this is Callie, right? I've just turned this thing on. That's how it works. Well, I leave it here. I'll put it on. Trying to... I've got 20 gigs left remaining. Almost there. Perfect number of gigs. Perfect. 20? Yeah, but I think it's your LSB release. So how does that know to go to your page and get a... Right, right. A doctor has a doctor release where people can push their own... Okay. What doctor it is. So that's what it is. I'm trying to get it back up to... It's just, like, given, essentially. Yes. Maybe in 9.2. What's the cover? I just find that interesting. Yeah, it's... I don't know how they're going to make money. I'm ready to put it. When you downloaded it. Just magically. Okay, so doctor, quick overview for those that don't know. So doctor, so everybody know virtualization, virtual machines? You're already virtual machines. So what's happening there? How does that work? The software is pretending to be another machine. Yeah, so you're... The virtual box, either virtual box VMware is pretending to be a CPU that another thing is running on top of it. Right, another operating system is running on top of it. So you have this very hard separation between the virtualized OS which thinks it has full control of the hardware and the actual host OS where it's running on. So that's one end of the spectrum. You get really good separation there. So they're very, you know, partly separated. The downside is it's very slow because you have to emulate this CPU, right? Even though there's other techniques to speed it up. So docker is kind of in a weird middle ground. So docker uses LXC, which is this Linux container. I don't know if it's the right word. It's technology or module. What that does is allows you to run a process on Linux in its own view of its own file system. So it can't see any of the other files in the file system and you can also restrict the networking capabilities of what ports it can access or ports it can listen on, all this kind of stuff. So you kind of can contain that process to its own container. So docker is a layer on top of that container technology. So the cool thing about containers is there's no virtualization overhead. It's running natively in your operating system. So docker allows you to define containers. And so I created a container using a container, using a docker file of this Lacko Pico application all installed. I created it. I pushed it to, so what you're pulling from is docker hub. So if you go to docker hub, it's similar to github where people can post, you can post your own docker images like adamduke.com. So that's just a docker hub page. And so you're all pulling down this image and so when we run it, we'll all run exactly the same things. So if it sounds weird that I'm telling you you're running a Linux process natively, but it also works on Windows and Mac, it's because they all use virtualization under the hood. So you're actually virtualizing a VMware image on all of these to run these docker containers. So we can then run this like so. So what we're going to do is we're going to ask docker to run our container. And the container that we want to run is at the end. The dash D says we want this to run in daemon mode, which means it's going to run in the background because we're going to have a web server running. The dash P does port forwarding. So it says forward from localhost 8080 to the docker image port 80. Port 80 is HTTP. That is where our web server is going to run. And then this is, we're telling it exactly which container we want to run. So if you hit enter, oh, it failed for me. Oh, that's because I'm already running one. I can kill it. So have you run it? Now it'll take a little while because what's happening is the docker image is starting up. It's installing, it's setting up the database for Waco Pico, and it's starting both the MySQL server and the Apache server. Is anybody's, oh, this may be a problem. I would choose a different port. Yeah, because Burp is on that port. The good thing is you can put whatever you want here. Port 90. You're mad now. You're mad now. But just the port where it's going to be going to download, but once you've done it. No, no, no. This is a port. So port 80 inside the docker container is running Apache. So Apache in the container is listening on port 80. What we're doing is saying on our local machine, so on this Mac, port 9999 will forward to the docker container port 80. This means once I run this, assuming everything went well, I should be able to go local host, colon 9999, and I should see this. Actually, funny story about that, I was a taxi or Uber driver who's taking me home, and that's like the code to my set of the code, whatever, it's like, I don't know, star four nines. And so I tell her that, it's like star four nines, and so it's just star four nines. And I was like, oh, sorry. Failure to communicate. I thought that would be easier to explain, but apparently star nine nines. So how do we kill the AQ? Doctor AQ? Doctor AQ, or something? I don't know. No idea. I would just ignore it. Are you sure? You could buy the rights to high quality versions of someone else's picture. So you are running two of them. One's listening on port 80, one's listening on port 9999. Looks like that was a docker error, not necessarily. So you do docker ps, and enter, and you got to run it in a suit. How do you kill a docker? So this will show you all the docket carriers that are running, and then you can kill it by name. So you docker kill a dog, a pseudo. Oh, that's all. I think you think that. And then five cf. Yeah, you only need enough of this name so that it's not anything like that. And what port do we need to start? I would do 999. 999. 880 needs to be the same. Oh. It may work. It may not work. Yeah, it's got a... Yeah, it's got a refreshable starting everything up. Why is it WWW? Oh, yeah. I would like that. Now we just have to just... It's not working. All right, so if it's working, exploit the website. We know what it does. Cut. I don't know what that is. It's not a doctor, it's not a... It's not a... It's not going to do the right thing. It's not a doctor. No, no, no. It's not a doctor. Oh, 37%. There's a lot of undefined variables in here. Neither. Oh, my timing's wrong. You ever had the time error that I did your time for your system is probably off? What time is it? No. Time on Windows is never correct. It isn't never correct. I'm just trying to make sure that I see what I'm doing. You already know how to do it. How did you get Docker? It works. Does it? No, I just got virtual box to work. That's what I'm happy about. So they have this page over here. I was going to be so sad. There was so many files out there. Get Docker for a dms console. So follow this machine. No, please. Copy and paste this. Then run this command. Then when you get to this part, you're going to have to add it manually to this file. Then after that, you just run this and then that's it. What is it called? So just search for get Docker for dms or come up on Google. So the time thing was because I had my time off. Because you don't move. Interesting. So Yes. So actually what you're downloading is a bunch of layers. So it's a bunch of file system. Can I play in my computer? You can play with it. It's part of when you have a Docker file you have different ways. Good ass, yes. Oh, that's for a button. No, that's for a button. Would you like to... Why is it not installed? It's just one thing after another. It's just a file and it uses each of these Docker images to crew. I think it depends exactly on what file system you use but the AUFS, one of the file systems will do copy on write. So you can have every Docker image essentially has its own file system but it only changes what that image changes so that it gets its own copy of that file. So everything that happens in this container can be... Yes, you should refresh it after you go away. Yeah, because this means it can't connect to the database. So that just means you refresh it from when the supply... It had to be what started but... It's in 2009 so... I may not be updated to the latest version of MySQL or HP or anything. Is there a flag or something on it? There's vulnerabilities. What do you have an issue with? Getting Docker on there. Take a look at it. Which one did you use? So... Which one did you use? Is it their official one? Is it working yet? I got my virtual box to work and so now I get to install Docker. Moving up in the world. I keep trying to... Trying to look into an issue for the install script for some reason. It's saying it's missing some type of files. Weird. Does Mint accept the Docker? You're using Mint. Yeah, I think that's the issue. What are you doing? It's like a derivative of what we're going to do. Yeah, that's what I was thinking of. If you go to the GitHub page or download the... There's a file that has the API code. Which then does the PPA repo stuff. I think that's actually saying something. Apparently. Did it actually work this time? It looks like it's good. I don't know what they did to make it work. It's working, it's working. How do you look at it on this page? It's turning up baits. That's a really good heat too. That's what I thought. I thought that up when it did not work. So... I'm trying to do what it's called. Yeah. Do you know what my command is? It's up there. Do we got it? It's Docker run dash d dash p I need to install the repository first. What's the... Actually if you just do this if you do the Docker run it will actually pull it and then just run it. That's kind of cool. But I need to specify the wacko, don't I? It needs to be out of the page slash wacko. No, you can do docker run. You can just do docker run dash d dash p. Added to page slash wacko pico cco There we go. Thank you very much. That's for Weezy. For another version of the game. Can I move on to the third one? Postage ppp What was the... Docker run dash p dash p colon That's just that. We're just going to see if we can just do it like that. It's like this. I'll just do this one. Don't do it like that. pico pico etc Don't do that. Oh it's cco. Let's add repo. Open up the pico pico pico pico pico pico pico pico pico pico pico After running the run should I be able to connect to the local host colon Yes. It's telling it can't be green. Where Where's the output? Of what? The run. Oh of the run. Docker ps Do Docker logs and then the first couple digits that can take 9 6 That should be good. It is running. Right again. Is anybody going to work in windows? Look up windows Docker port forwarding. Autistic. Autistic. I'm sure, why? Docker run. Oh Is that what Autistic means? You know he didn't do the crap? What was that? Dash the dash. Oh Do an app to clean. You might have something up. That's crappy because it used to be like this on back. Oh really? It's not Jesse. That's one that we put in yours. No we didn't. No we didn't. Oh stretch. Not testing stretch. What's stretch? Is it stretch after desi? Yes, stretch is version 9. Ah got it. This, I had to go to the IP address of the virtual machine. Oh God Is that different? Did you get it? No, port 80. What? I think 999 maps take localhost 99999 and map it to port 84 What if I want to map it to another port? You can't. All the Docker images 80 needs to be there. 80 needs to be there. Because the web server is listening on port 80 fast. It's changing the container. There's an Apache server running listening for port 80. But if it's just there in the container because it's only listening inside its Docker container it's never going to get any of the outgoing connections. But what if I make it listen on another port? You can't. You have to change the Apache configuration. Oh Oh you're saying Apache? Yes. This is your back button? Yes. Head pseudo. There you go. You're now in hot. And now localhost. Okay. Nice. Trying to do it there. Oh, so the 999 is what port this is running. But the external port to the internal Docker for me. Oh, okay. Yay. Docker is not happy. Oh I saw a package there. Packers? Packers are running. Oh no. Hey Yo Ali is already downloading all the files on microphone. She already broke the system. Okay. Okay. Do we want to talk about vulnerabilities so we can know what to look for? I know. Okay. So the first vulnerability we're going to look at is SQL injection. I think it will be the only one. The key idea, so we saw web applications query a database by issuing SQL queries. The key problem, and this is the critical thing to understand about SQL injections is the web application is building up these queries by concatenating strings together. So I'll show you in a second. So typical PHP code on the server side looks like this. This is a query to select a user. Select star from the users table where the ID column is equal to some, this is a PHP for a variable called ID and then concatenate this single quote and semi colon. So on the server side at runtime whatever ID this ID variable is will be concatenated with these constant string on the left and the constant string on the right. So if the ID is something like 10 then what will happen is the web application will concatenate those strings together then send this string to the MySQL server which then parses it as a SQL query. So it parses it and says, oh this is a select and selecting everything from the users table where ID is equal to 10. So in SQL single quotes are the delimiters here inside of a string. So the idea is what happens if our because building of this string and the SQL server parsing it are happening the problem is the SQL server is interpreting our string. So if we can inject into this ID content that alters the structure of the SQL query then we can take control of this query. So for instance we can do negative 1 or 1 equals 1. We can try that. So what's this going to do? Remember the web application code is only going to do exactly what it says. So it's going to take this string concatenate it with this string and concatenate it with that string. So what we'll get is the query select star from users where ID is equal to tick negative 1 or 1 equals 1 tick. So what's this going to return? Always true. All the interesting users. All the what? Interesting users. We'll select everything. From where? We'll select everything from users. Why? 1 equals 1. What do you mean 1 equals 1? It's always true. Is it? I don't know. It's intentional. The word clause is going to be true. So what is the server going to do? Compare ID to the string negative 1 or 1 equals 1. We're all about parsing. This is 340 again. So what's it going to say? It's going to say select, so that's the action, select star from users where ID is equal to the string negative 1 or 1 equals 1. Are there any users with that ID? Probably not. Because of how it parses it. This is part of the trick when you're doing this is you're on the outside. You don't know what queries it's issuing when you test this. Now the question is what do I want to do to try to get out of this string? What do I need? Another single quote somewhere? A single quote. If I have a single quote, then this single quote will maybe match that other single quote. Now I can do something like ID is equal to negative 1 tick single quote or 1 equals 1. Now when the web application parses it, what's going to happen? So what's going to happen when this query executes? Selects all the users. There needs to be another single one. That's the thing. What does the web server do when it gets these bytes for the SQL server? I think it will give Adam because of the last quote. Yeah, it's got to parse it. That's the other thing. It's got to parse this string, take this sequence of bytes and make sense of it as a SQL query. Exactly. Selects start from user for ID is equal to negative 1 or 1 equals 1. Then there's an unmatched single quote here which is a syntax error. It's going to say error. This is not valid. Why'd you put it that way? You really understand what's going on when you give these inputs and to look exactly at this string. Not what you think is going to happen, but how is the SQL server going to actually parse it? It's very easy for us to jump when we start seeing these or 1 equals 1s or these kinds of things. Without understanding or thinking about what does the query look like, that's the part that we really have to understand and this is what happens frequently when you test these things. Now we can do something like negative 1 tick or 1 equals 1 semicolon hash mark. And what's the hash symbol in a SQL query? Comment. Comment there to the end of the line. So it's just like slash slash in C or C++ or most programming languages. So now when it parses it, it's going to say, hey, this is the query select start from users where ID is equal to negative 1 or 1 equals 1 and it ignores the rest of this part. Why do we have to have this comment here? Because we need the other tick, right? Why? Because we don't know what comes after it. Yes, so there's two things. A, remember every single time, no matter what we send, this static string will be concatenated with our input, which will be concatenated with this static string. That means that no matter what we input, we'll always have the stuff that comes before us and always the stuff that comes after us. So we need to deal with it somehow. Another way we could deal with it is maybe say or 1 equals 1 or 5 equals tick 5 and then it will do the other tick and then a semicolon and we're fine. But oftentimes we may not know exactly what it's sending so it's easier just to comment that out. So we can do other cool things like negative 1 tick, semicolon, drop table users. So again the SQL server takes this, if it has the configuration set where it allows multiple queries in one command, it will parse this, see two separate queries to select from the users table where id is equal to negative 1 and also to drop the whole users table. So this shows you that with the SQL injection you can actually delete data completely. We can also do things like insert into tables so we can try to insert into the admin table, this user name and password and these values out of D and pwned and again same thing will happen. The way, so this is very high level overview, we can actually spend quite some time going into depth in this which I think we should and will. For now there's two ways to think about detecting these. So the way to think about this is passive approaches where you look for success. So for instance if you have a field that's id equals 3 and it gives you articles so it's a blog, it gives you blog number 3. If you put in 1 plus 2 what should it give you back? If it's safe what should it give you back? It should look for a blog article with an id of 1 plus 2 which should be nothing so it should give you a 404 or not found or something. If it gives you the blog that has id3 what does that probably mean? That they actually first solve the addition of that. Yeah, so that's actually part of SQL so SQL allows you to do this arithmetic operations inside of it. So that means that this value is not properly sanitized and so SQL is adding those two numbers together and giving you the id with 3. You can also do something like this. We saw subqueries so we could say subqueries select 2 so this would substitute 2 in there and if we got the table of 2 I would show that. The other way to do it is an active approach where you try to look for errors. So put it something like right so this has a tick in it so if it was single quoted it will cause it to be an extra single quote so you should get an error message or some 500 message with or you can do things like less than 10, all kinds of stuff. So and the other key thing to think about is when you think about pentesting these applications where is it possible? So in Maco Pico where could it be possible? So what's the criteria but why a form field? Is it every form field? Everything I mean yes everything that we sent to the server could be a potential vulnerability but narrowing that down. Like a database of search pillars? Anything that touches the database right so all input could touch the database right but you can know that for certain right if you're using search it's got to be searching through the database in some way right that would be a good thing to look for. What else? Yeah the user name Yeah login what else? There's a coupon coupons registration user registration creating new users right all this has to go into the database some dynamic maybe it all depends on you have to think through using it where did they put this data in the database somewhere if it did you should try to fuzz it in this way or to test it. Cool all right Let's do it I found a stored cross-site scripting I did if you go to guest book That's cross-site scripting Yeah that's what it is Sorry I thought you didn't even see one No You can try to download the tool box or docker So your tool box I can't get a tool box Let me show what you're doing Well it's everything that's installed right now I was actually going to So using the repeater in verb as we saw last week it's super handy to do this because you can look through the request that you made Why is it like that Like mine shows up as this Oh I used repeater that's why I didn't see it That is super unfortunate You don't have to use verb See I was seeing it in the Yeah I was seeing this and I didn't look like Oh that's the html Idiot So how do we exploit this Oh you eventually crashed for windows All right so So So you can do this It just takes forever So eventually all I do is just like Okay So I need to figure out how to con it So let's just start with or right What do you need to con it Is the password vulnerable or the username built Uh hold me You know why Don't know why Now you should be able to use your browser Don't import it I've been using it for a while Oh except that you're on windows Will what do you have to do to do that To do what For Docker Oh you type in I think Docker space ipconfig Or maybe ifconfig It'll give you the IP address And then you go to that instead of localhost I think So After spinning lots of crap into the username So you know Like this Assault And the password This one you cannot have Just leave it with something else Eventually You need to crash something here When you click this It'll log you in as the first user So if you want to try it But I didn't See so you know how That's what I don't like You can most people go like this Or one to go one And comment There you go And I think that's it So if you get that error too The SQL syntax So probably go up What was the output there Why Why did we start with the tick So what are you doing with this So what Closed Because you can change You have a code You need to close that tick And then Once the username is now closed You put some kind of True method here And now It's going to It shows me what my query is Right here So if I go to action It's in here For my Yes What I'm sending What I'm sending I've got a class of Where I'll be able to I can try To figure out what's happening I have No idea although I have to figure out Why I can't I've got I've got the upper probably I'll show you the code I'll tell you No, don't do that I try to create users with The SQL injectors To set the error You have to close The To do it on the order I want And then Yes And then You can do that I just hope that when I upgrade So there are I think there's like 12 Intentional vulnerabilities In lack of decode There's only one Somebody found one unintentional vulnerability Like six years after I released it Six years Wasn't that really strange one? It was a really good one It was a really good one I can't remember exactly what it was I never went and fixed it because Why would I? It's meant to be vulnerable It came in right when I started This job because I was going crazy I was like oh that's cool I'm going to ignore it I was just talking about the web apps you made For when you were doing all the black box I like how the code You thought you were done No I didn't think I was done I had something It was close On the right track A couple old quarters I started in my fourth year I was on the four plus one program I started the last semester My fourth year I was in the site Yeah I did that It was the same one It took me, yeah The summer I didn't do anything So I've been joining at Microsoft When I came back I was T.A. I didn't have time to work on it either So I hired me as an R.A. Over the next two years So I'd say a total About an academic year To do everything To run all the things Do all that Yeah it was tricky Because we had well, maybe a halt to Ask me other questions Oh Yes Yeah Oh Is that center point? Oh yeah Oh well Only 15 trade bucks For this picture What a steal Total? I can't remember 12 or something In the read me on the ticket I think it says I don't know if the list is on there I think I have to count Cool all right Check