Good morning everyone. Can you hear me? So I have a problem: I talk really, really loud and I'm using a microphone. So if it gets unbearable, you know, just shout, whatever, and plug your ears or something like that.

Okay, so today we're going to have a very intense training that's going to cover a lot of walls. We're not only going to get into secure development; we're actually going to get to secure development only at the end of the training. We're going to do some real hardcore legal vandalism. We're going to do some hacking. We're going to learn some techniques, going to talk about attack methodologies, going to talk about attack toolsets, and we're going to learn a couple of basic application security attacks just to get you started, because it's designed specifically to get you into the field of application security at the lowest core, at the level of the actor.

Okay, so during the course we're going to have three phases of exercises. This is a really short course. It will have about eight or nine hours. We're going to do the learning part and the exercise by exercise part simultaneously as much as possible. It's going to be hard, so we're going to do the training in several phases.

We want to see that we have a training Wi-Fi. You can connect to it right now. There's no password whatsoever to it. Okay. We have a professional application called WebGoat in there. I'm going to set up the URL there in a second, so we'll be able to connect. You can actually connect to it right now to make sure that it's working for you. The address is the following address once you connect to the Wi-Fi. You won't be able to get there from the conference Wi-Fi, so please switch right now. Although it's not necessarily required for the training to actually do some hands-on, those of you that want to feel or get some more practical experience in using the tools.
I really recommend start working directly with that.

We spread some disk-on-keys among you, and I know some of you guys really like the design of the disk-on-keys, but we really, really need them back because I want to spread them around the rest of the participants. We only have 35 disk-on-keys, and you should have seen the face of the guy at the store when I asked for 35 disk-on-keys. What? So anyway, give them back to us or move them to the guy beside you, so they'll be able to copy the training lab toolset.

Okay. Now what do you need to copy from the disk-on-key? There's the expertise in the disk-on-key that list the operating system type supported by the training. There's one for Windows, Mac, Linux, various versions of each, and so on and so on. You need to copy the OVA file in the root of the disk-on-key. Okay, that's the training lab, the main training lab. And there's various tools in a directory with the name of your operating system. I really, really, really recommend copying the Windows directory if you have Windows. But if, you know, you have the budget and you have Mac or Linux or whatever, we're kind of adjusted to that. You need at least 10 gigabytes of free space in your hard drive for the entire toolkit to work. But if you can't afford the space, 200 giga, 200 megabytes would suffice for everything beside the VM. Okay. So you don't really need to, you know, delete half of the content of your hard drive if you don't have enough, but 10 giga is recommended.

So, Roy here. Roy, can you raise your hand? Just get up so people will see him. He's going to assist me in the various course phases by going between you and assisting anybody who gets stuck, either without a disk-on-key or with configuration of the toolset.
Avi hopefully will help as well. And, you know, we'll figure out what to do if there's more demand.

We're going to start, as I mentioned earlier, with training in three phases. Installing and configuring the toolset is relatively complicated the first time you do it. So initially we'll just hack with the browser. No toolset required. We're going to learn how to hack through the GUI. We're going to use our browser against WebGoat or other websites in the Internet such as hackathon, just to get us started in delivering attack payloads. Okay.

And the second phase of the training will be performed on a toolset called Web Security Dojo. It's a virtual machine, a fantastic virtual machine by Maven Security, that contains everything: both the attack tools and the target vulnerable websites, demo websites that simulate vulnerabilities in the application security field. And we will be using that to perform some of the attacks, and the benefit of that is that you won't need to configure the toolset yet. In order to get that VM started you need to install VirtualBox, the one located in your own specific directory in the disk. Okay, we can install VirtualBox and then double-click on the OVA file. You'll get an import pop-up. Just press import, next, next, next and eventually play, and you'll see the Web Security Dojo virtual machine. It looks something like this. Nice, can do ninja stuff. Okay. So that's the toolset. We'll be discussing a lot about it, and both me and all will go between you to help you out with the various configuration elements of it and with the actual testing.

Finally, eventually, more near the end of the course, we're going to teach you how to install the various tools on your own station: Linux, Mac, PC, whatever, okay. We're going to teach you how to configure it.
Why the elements of the configuration we're going to use are required, how to use it for automatic testing or manual testing, and so on and so on.

And our device are excited and going to give a couple of notes here just for you to remember. Everything that we're going to teach in this class is actually a real attack. If you're using it against your bank or, you know, your e-commerce website, you know, it's a felony. You can go to jail for doing that. So I really, really recommend doing it on training websites or as a part of your job, instead of going on and trying to hack, you know, some security agency or whatever. And the second comment is that it really opens your eyes to see how the world really works.

Now, since this is a recorded session that is going to be online, I won't be incriminating myself by showing you actual vulnerabilities in real websites, even though I typically do that in my courses. I show real vulnerabilities in real websites without hacking them, just showing the potential to do it. So we'll be avoiding showing real websites. But I will give you hints about various vulnerable websites you can check out later, just to see the actual vulnerabilities that they contain or to see the obvious flaws in the design that they have. After a while, after getting this specific course and surfing around the internet, some of you will be really shocked to see how many mistakes developers do that can be abused using these techniques.

Okay, but in order to get us started I'm going to switch back and forth from this initial setup design. Those of you who haven't written down the URL of WebGoat, the IP of the training lab, please take a second to take a picture with your phone, because you won't be able to see it later on. Okay, yes, you'll have like a nice snapshot session right now. I don't know how it will take with the recording. Oh, but that's up to you.
We're gonna start it. I've already introduced me, which is fun, so I can skip the entire bio introduction part.

We're going to talk about the various techniques. In order to talk about the various techniques, you have to cover the basic elements. Okay, the basic elements are (a) the basic methodology of hacking and (b) the methods which we will use and the protocol we will use to perform the various attack phases.

Okay, so in general, in order to hack an application, I don't necessarily need a toolset. I only need to be able to intervene or manipulate the element which is potentially vulnerable. Those elements are typically called input delivery vectors. Those are also called parameters. Each application in the Internet world is being designed in a manner in which the client-side application delivers some sort of elements to the server-side application to make the application dynamic. So let's say it's an e-commerce application: you deliver the ID of the product that you want to purchase. Let's say it's an e-commerce application and you want to buy a couple of products: you deliver the quantity. There's input being delivered from the client side to the server side throughout the course of the session in the application.

So in order to hack an application we typically need to manipulate those values. If we can manipulate them at the GUI level, you know, through the URL or through messing up with the text boxes, that's fine. If we need to intervene at a deeper level, such as hidden parameters, things we cannot see, we typically use something called an interception proxy. Now, an interception proxy is simply a tool that enables us to intervene: stop the communication, intercept it, change whatever you want to change in the transmission sent from the client to the server, and then we send it. So let's say there's a secret flag in the client-side code which says isAdmin equals false. We can intercept that flag in an interception proxy, change the isAdmin flag to true and send a request to
the server side. But this is a very exaggerated example, but I have seen similar incidents in the world. So it won't be that surprising to see it in various applications these days, even in 2017.

So our training will focus on OWASP ZAP. There's other tools we use in the industry, primarily Burp Suite, either free edition or professional edition, which is just as simple as that, and Fiddler, which is used for, you know, very specific tasks when we have problems with intercepting requests in certain situations. But OWASP ZAP has the advantage of including a free automated application security scanner and a number of other features which are not available in other free products at the same level. So we'll be using it as our main interception proxy for the course. We'll discuss other proxies for various reasons. But I really, really recommend, even for those of you who are using Burp, for the purpose of the course and for the purpose of the automation phases of the course, to install OWASP ZAP and use it for the various elements of the training. Okay, we'll be covering OWASP ZAP and how to install it in either clear-text environments or SSL-driven environments. We'll be using it in Web Security Dojo or we'll be using it on your PC, doesn't matter. But as I mentioned earlier, in the initial phases we'll be using simply our browser, okay.

Now, in the training kit that you got, each of you should see the VirtualBox and the Web Security Dojo virtual machine file. Those are the main files that you need to copy, but you'll also have a JDK, a Java Development Kit installer, and you should also see a ZAP installer. There's one for every operating system that we could think of, okay, except, you know, those or whatever you guys decided to bring. But we have it for most modern operating systems. We can pretty much handle that. We also brought in Firefox.
The reason we brought in Firefox is that it's not necessarily defining the system proxy or changing anything in the system proxy, so you won't get any garbage, or so much garbage information that would confuse you, in the interception proxy. We don't want to write anything, to route anything that we don't need to mess with to the interception proxy. So I really recommend installing Firefox, which is also located in the lab disk-on-key, and use it for the purpose of the course to add you to add the reasons as well. Okay, so that's our main recommendations. You can see the various configurations required here, but we'll get back to them later on at the installation sessions.

Initially, we're just going to listen and watch. In terms of priority, your first priority should be to listen and understand, and the second priority should be to do as much as you can, while understanding what I'm saying, to do what you can during the training.

Now, we're going to use a couple of training platforms. We're going to use WebGoat just because it's very easy to install it on your laptops. We're going to use the vast platform, the Web Security Dojo, primarily Insecure Web App and what's it very good for training for specific elements, and we're going to use internet websites, just to call and send and see how they look like, okay. That's pretty much it.

So in order to kick or get it started, I want to show you how it looks like, okay. I don't need you to do the entire configuration right now. I just want you to take a look at what I'm doing. I want to start off ZAP in my computer and explain how it works, and then crawl around the internet just a little bit for you to see what's going on, okay?
So that's OWASP ZAP. The tool is written in Java. It includes numerous tools. Originally based off a very ancient tool these days called Paros Proxy, no longer maintained. Okay. It includes a couple of nice features. The main feature which is relevant for us is the ability to document, list, intercept and modify HTTP, HTTPS or WebSocket requests. Okay, the main protocols being used in the internet these days.

Now, the way it works, it's really a proxy. That's not just its name, interception. It's not just a different category. It is a proxy, just like a proxy that you have in the organization. If you're trying to access the internet from a big organization, you need to configure a proxy typically to gain access. That's exactly how it works. So in order to use it we have to configure the browser to use it, okay, as a proxy. There's various ways to do it for various browsers. I'm going to explain it on Firefox. I'm going to list the methods to do it in Chrome and IE as well, but I really recommend using Firefox for the various purposes.

Options. Those of you who want to do it right now, you don't have to do it, just take a look. We're going to configure the actual proxy, and, you know what, I'm going to do it in a bit easier method. I have a plugin here. You also have it in your disk. Okay, it's called FoxyProxy. It enables you to define real quickly interception proxies into your browser, just selecting the proxy address and port, enables you to correct it.

Now, the proxy actually listens to a specific port in your computer. Okay, if we get to the proxy configuration, I'm going to show you: Tools, Options, Local Proxy. Don't worry, you'll get it later on. The proxy is listening to a specific port. It's pretty hard to see from this distance, but I'm listening to port 9998 or 9999. That's the port I chose for the proxy to listen to. Now, in order to intercept the request from the browser, I'm telling my browser:
"Hey, instead of accessing the internet directly, go through the proxy first." I'm doing that by defining the proxy server in the browser configuration. Now, instead of accessing the internet directly, the browser now sends the HTTP requests to my proxy, which then delivers them to the internet, which then routes them to the internet, or no. That's whatever I want in the middle.

Now, the proxy does a couple of things at this phase. (a) Any access to a website the proxy will document and present in the various trees and history. Let's access a specific website, for example, oh. See if it works. As you can see, as I said, it's really hard to see it because of the size of this distance, but there's actually a pages in or being presented here in various ways. Okay, and the proxy can identify at the very least some of them. Let's see: those are the various pages and content that have been downloaded from us, that you can see in your visual representation in the browser. Okay, so far so good? Not so much. That's okay. That's the beginning. There's going to be many, many, many more moments like that. But we're just starting; once we get to the specific configuration space to understand.

So eventually what I just demonstrated is: I am configuring my browser to use a proxy and use it to access the internet instead of accessing the internet directly. Any browser supports it, and the proxies know these days how to handle many of the elements that are supposed to prevent such intervention, such as man-in-the-middle prevention or protection in SSL. So we're going to configure our proxy later on to use it for the various purposes of testing.

But at the moment I want to explain a little bit about the actual protocol being used between the client and the server. What's the protocol? What are the different versions and differences between them? How does it work? Why does the proxy, what can you change in the protocol, and something to understand that?
I'm going to give you a quick glimpse at the protocol. It's going to be hard to see, but don't worry, I will see it soon in the presentation, which will be much, much more clear. That's HTTP. That's the protocol most of the internet is built on, in this case HTTP 1.1. Okay. It's a textual protocol that you can read with your eyes and understand every portion of it without much difficulty. Most of the names in the protocol make some sense. Twisted sense, but sense, okay. And in order to hack any application, we should be able to at least manipulate some elements of the various requests.

Now today I started the protocol. How about to magnify the relevant text a little bit, okay. So an HTTP request typically has the following format: GET. Method, URL, version. That's it: method, URL, version. That's the entire HTTP request. So in order to access any website in the internet, my browser behind the scenes sends a line of text, ended by two enters, that begins with the method (GET, POST, whatever the method is), a URL (the page you're trying to access in the server) and the version of the protocol being used: HTTP 1, HTTP 1.1 and so on. Okay.

To prove my point, that's all. Let's hope it works. Let's just disable the presentation and get to a nice command line window, and let's see if it works. I'm not sure I have done it here. No, I don't have it here. Now, I said I'll use ZAP, but in some instances, because it's more convenient to me, I'll be using Burp. I'm going to prove my point by accessing Google with a single line, okay, just to show you how it's being done. And so I'm gonna read out loud what I'm doing. I'm configuring my interception proxy to access www.google.com, to port 80. Let's hope it works. Okay.
I'm going to write a single line: GET, slash (the root URL), HTTP/1.1, enter, enter. Let's see if it works. What happened? What you see is that the server responded with something. I'm going to copy it to a notepad and modify the writing so we'll be able to figure out what we got. Okay, I think that should be a leader to the guys in the back. That's the request I sent: simply a single line with two enters at the end, two carriage return line feed characters at the end. Okay, and the server responded with some response that typically includes both HTTP headers and HTML. Okay, that's how it typically works. We can access most websites with this single line, although these days browsers are more complicated and they provide additional information to the website about the accessing entity.

Okay, now, as I mentioned earlier, the format of an HTTP request, and you'll see it in, you know, any website you'll access today, is request method, request URL and version, followed optionally by a couple of HTTP headers, typically additional lines coming after the first line. Those headers include information about the accessing entity: for example, a User-Agent (which type of browser is accessing the server side) or Host (which host are we trying to access, in case the accessing entry point is a proxy), etc., etc. So the first, well, not necessarily the first, most of those headers come to signify something to the server on the accessing entity, the browser.

Finally, and depending on the HTTP method being used, there's optional data found after the header section of the page, okay, which for our purpose we'll call POST data. Okay, so the POST data will include various parameters that the application is trying to deliver to the server. Think about it like an input section.
This is how the browser typically transfers large quantities of content, either through the URL or through the body method.

Okay, now the HTTP responses have a very similar format as well. It has a format of the version of the HTTP, some sort of access code or response code (200, 404, those of you who recognize the numbers) and the description of the code. Okay, now if we get back to the example with Google that we had, you'll see that we accessed Google with a specific request and we got: HTTP 1.1, signifying that the response is also in the protocol that we accessed; 302, which is typically a message that says "hey, it's not here, it's there". It's a redirect message. It's telling us that the resource that you tried to access isn't found in the address that we accessed. And Found, which is the description of the message of the response.

Okay, but there's various headers here as well, but the server headers are typically different. Although there are some headers that are informative and tell us which type of server it is or what time it is, many headers are actually instructions to the browser, telling the browser what to do. Okay. So for example, the Cache-Control: private element tells the browser, "Hey, don't store cache here." Okay, no need to store any search history. And there's a Location header which tells the browser, "go to that specific address", due to the redirect. Okay, so it's instructions from the server to the browser, in order for the browser to know how to be able to website.

Now the HTML content in the body, which is optional these days, by the way, because there's less adjuncts and capital technologies as we use these days, is actually being parsed by the browser, and anything inside a tag, the HTML head Textbook says HS, is actually a presentation instruction to the browser. The browser renders this information and presents it as GUI as long as it's in a tag.
Okay, all of that is basic information. I know for those of you who are new it's new, but for those of you who are developers or experienced developers it should probably be trivial.

Let's start with the interesting part, the hacking-related part. Okay, let's talk about the HTTP methods and HTTP parameters, two key elements in hacking.

HTTP methods. Not going to cover everything, especially to have that we're going to cover the basic methods. We typically hear about GET and POST. Now GET, at least historically, the purpose is for you to get information on the server. Okay, it typically is a method that does not include any information in the HTTP body. It only includes the first line, which is the method, URL, version, and a couple of headers, ended by two enters, two CRLF characters. Okay, it looks like, let's copy a request from ZAP. That's a typical GET request. Okay, I'll just modify the window. GET. It's hard to see. Here, just some cheats. Good. So there's the method, GET. That's the URL, which, if you'll notice carefully, includes various elements: it includes the protocol, it includes the full URL of the website, it includes the directories in the website and it includes the target file that the browser is trying to access. Then there's a couple of headers that provide information to the server about the browser.

Let's get a request, the POST request. However, it's slightly different. I'm going to simulate one in a second. Let's see how. See force as a form here. Nope. This is the best request. So I'll just manually craft a POST request just for a second. A POST request would typically look something like that. There'll be POST here as the HTTP method, and there'll be additional parameters here, two enters after the end of the header section, like user equals something and password equals something, let's say if it was a login page for whatever reason. There'll also be a header called Content-Length that signifies how many characters are found in the body, okay. So if, you know, there's 15 characters, I've counted.
There'll be a number 15 in the Content-Length header. Okay, those methods are the main methods being used in HTTP, in HTML, in various forms that you see, okay. With the exception of modern REST implementations, POST and GET is pretty much what you'll see online. POST is a method that is totally designed to post information to the server, to send information from the client side to the server. However, eventually what happened is that both methods were used for client-server interaction and for parameter delivery. The reason is that you can actually deliver parameters and parse them in the server side pretty much anywhere in the textual format of HTTP, okay.

So to figure out where we can deliver parameters, just before we get back to the methods, here's some more, some old-school methods to deliver parameters. Okay, delivering input parameters in HTTP GET is possible by appending them to the URL after a question mark. Okay, we'll typically see that in search queries: search query equals something in the URL. For example, in the OWASP website that we just demonstrated, and just get back to it, you'll see that when I searched something, or those of you that can see that, you'll see that I have the search criteria in the URL. So the browser created, or appended, more accurately, a parameter to the URL of the page, and the parameter includes a parameter equals value sequence. Okay, so the server is now getting that URL and is able to parse the parameters out of it and figure out that the user sent some input, and then the server can do whatever he wants with the input, whatever the developer intended it to do.

That's one method to deliver inputs, and as I remind you, if input is being delivered from the client to the server, we as hackers can mess with it. So we can, you know, do all the various attacks that we're going to talk about today to it. We're going to inject malicious payloads.
We're going to manipulate with flag. I'm going to do a couple of things to that input if there's something significant in there or if the developer is parsing it correctly, okay.

So the second type of a method that I mentioned is POST, and POST, I'll just show the presentation again. In HTTP POST the parameters are delivered in the HTTP body. Do you see it? No, let's use a marker here. Probably would be easier to see. You see it here. Okay. That's a section of the parameters in HTTP POST. You see that, unlike GET, which has a question mark to separate the URL from the parameters in order for the server to know where the URL stops and the parameters start, in HTTP POST there's no point in using the question mark. The parameters are simply placed directly at the body part, okay, after the header section of the HTTP.

There's also additional methods to deliver parameters. You can also deliver parameters in HTTP headers such as the Cookie or just any headers. Or even when you upload a file, which has a very specific convention in HTTP, you can deliver parameters throughout the convention of the file upload request, called multipart. Okay, so the point is we can deliver parameters anywhere in HTTP. So unlike the original intention, you can deliver parameters both in GET and in POST, in both methods. So any method can be used for various attacks and manipulations.

Other important methods for our purposes are HEAD and OPTIONS. Okay. I'm going to skip taste like these days. Got a little bit of sweet. Okay, OPTIONS is a method that causes the server, if it supports the method, to tell me, "hey, the following HTTP methods are supported: GET, PUT, DELETE." Okay, the server actually tells me as a response. What I'm not is supports the specific method that method methods than time to access. Okay, I'll try to activate. And HEAD is a very interesting HTTP method because it's actually the same as GET and POST: it accesses an entry point in the server and activates it, but the server does not present any content.
Okay, the server does not respond any specific content. See.

So those four methods are the main methods that we learn about. There's other methods, potentially dangerous, such as PUT and DELETE, and I'm not talking about the REST implementation. They can actually upload files to the servers or delete files from the servers. Various hacking incidents that I called in the past, such as a defacement incident and so on, happened because the IT administrator forgot to disable the PUT and DELETE methods. There's a number of other methods as well that you want that I'm going to be coming. But for the purposes of our course, GET, POST, OPTIONS and HEAD are key.

HEAD can typically be used to bypass authentication enforcement, because sometimes developers, specifically in Java, only protect URLs from GET and POST access, and HEAD can still access the internal URLs. Even if you're not able to see the content that returns, you'll be able to execute operations there. So it's a nice, very basic hacking technique, simply to replace the method instead of GET or POST. Okay, that's one of the methods to do it. And OPTIONS, you know, it's just information gathering.

Now, I only showed you that in the past, but a couple of interesting headers that we use, or it's important to recognize: the Host header, which is key to using a proxy. When we connect to a proxy and access the internet through the proxy, the most important header is the Host header. It tells the proxy what is the original target, what is the main target, the final destination of the browser. So let's say I'm accessing Google through a proxy: the proxy knows how to or where to route the request because there's a Host header with www.google.com in it.
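The HEAD bypass described above comes from access rules that name only GET and POST. As an added example (not part of the talk, and not code from any tool it mentions), this Python sketch audits a constructed Java `web.xml` fragment for such method-scoped constraints; the fragment, paths and function names are assumptions made for illustration, and `http-method-omission` is not modeled.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: /admin/* requires a role, but the constraint
# names only the two methods the developer thought about.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Hardened form: no <http-method> elements, so the constraint covers every method.
# (Servlet 3.1 also offers <deny-uncovered-http-methods/> for the same purpose.)
HARDENED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")


def load_constraints(xml_text):
    """Extract url patterns, listed methods and the auth flag per constraint."""
    root = ET.fromstring(xml_text)
    constraints = []
    # "{*}" matches the tag with or without an XML namespace (Python 3.8+).
    for sc in root.findall(".//{*}security-constraint"):
        constraints.append({
            "patterns": [p.text.strip() for p in sc.findall(".//{*}url-pattern")],
            "methods": {m.text.strip().upper() for m in sc.findall(".//{*}http-method")},
            "auth": sc.find("{*}auth-constraint") is not None,
        })
    return constraints


def pattern_matches(pattern, path):
    """Simplified servlet matching: prefix (/x/*), extension (*.ext), exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_protected(constraints, method, path):
    """True when some auth constraint applies to this method and path."""
    for c in constraints:
        if not c["auth"]:
            continue
        if not any(pattern_matches(p, path) for p in c["patterns"]):
            continue
        # An empty method list means the constraint applies to all methods.
        if not c["methods"] or method.upper() in c["methods"]:
            return True
    return False


def audit(constraints, methods=COMMON_METHODS):
    """Report constraints that enumerate methods, with the methods left uncovered."""
    findings = []
    for c in constraints:
        if c["auth"] and c["methods"]:
            uncovered = sorted(set(methods) - c["methods"])
            if uncovered:
                findings.append((c["patterns"], uncovered))
    return findings


if __name__ == "__main__":
    weak = load_constraints(WEAK_WEB_XML)
    for method in ("GET", "POST", "HEAD"):
        print(method, "/admin/users protected:", is_protected(weak, method, "/admin/users"))
    print("audit findings:", audit(weak))
```

Running the audit as part of a build or configuration review flags any constraint that lists methods explicitly, which is the condition that leaves HEAD and the other verbs unauthenticated.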
Okay. User-Agent tells the server which browser type is accessing it, or which mobile type is accessing it, whatever. And Content-Type and Content-Length pretty much signify the type of content (binary, textual and so on, JSON) and the length of the content that the browser sends. Response headers also have some very specific significance, and we'll get to it at the various places of the course.

Now, input vectors, or the places we use to hack the server side, are typically GET and POST, but in modern applications we also have JSON and XML. Developers these days will most likely use these as the main source of input delivery in their applications, specifically views platforms such as Angular, React or other object-based platforms. Okay, now, we should be able to manipulate those values the same as we manipulate GET and POST parameters. However, we won't be able to do it through a browser GUI. Okay.

GET and POST parameters in most cases, not all, can be manipulated just by using a browser. I don't need to do anything specific. Just to demonstrate what I'm saying, I'm going to show you a very short attack, a very simple attack, to figure out how easy it is once it's GET or POST. Okay, going to show you the training kit for our course, Web Security Dojo, okay. Going to start a browser here and access an application called Insecure Web App. Very nice application. You all have it in your local virtual machine. I have a login page here. I'll magnify it a little bit, so we'll be able to see. So instead of getting in by knowing the username and password, I'm going to rocket using a very simple, cheesy and rarely existing attack these days, which is SQL injection login bypass for login pages.
Okay, so in this case, I just bypassed the login sequence of the application. I'll get to the how phase later on and explain over small of it, obviously explain more complicated attack vectors than "or 1=1", which is more iconic than actually practical these days. But the point is I didn't need to use any toolset, because it's a GET or POST parameter. I only need to use the browser to perform whatever it is I wanted to perform. I just need to manipulate the elements of the GUI and inject my payload to them. I won't be able to do it if I have a JSON or XML input, because the method will be delivered in the input in the body section of the page and there won't be a GUI component to alter or change it.

Okay, now I'll get back to the presentation and show you how it will look like in your interception proxy. Now JSON arrays, a pretty modern method these days to deliver input from the client to servers, but especially in Ajax-based applications, will look like an array of values. It will be an array of parameter name-value sequences in the JSON format. Okay, and XML will typically include tags like HTML, just in XML format, which include values either in XML attributes or in XML body elements. All of these values, the values of the JSON elements, the parameter names in JSON, the attributes in XML, the element values in XML, all of those can be manipulated through an interception proxy. We're going to have to intercept the request if we want to change whatever it is we want to change, and, you know, we send it to the server or forward it to the server.

There's also additional input delivery methods these days. More complicated methods.
There's WebSockets, which can, you know, send any request regardless of the format. There's no real limitation here. And there's GWT, which is a bit more complicated textual format, and there are binary formats such as AMF. We won't be learning about those formats in the course, and sometimes when you, you know, use your hacking toolset, you'll see those binary or complicated protocols. It is possible to manipulate them just the same, but you typically need the interception proxy to include a plug-in or an extension that is able to reformat or present the content that you want to manipulate in a presentable method, okay, a presentable way. Okay, but interception proxies, Burp Suite, ZAP, include plug-ins to manipulate DWR, JWT, all that, and a couple of other more complicated formats, okay, which are being used from time to time these days. The main content that you'll see out there, however, the main methods of input delivery, are GET, POST, JSON and XML. Those are the main things that you'll see and the main things that you'll have to mess with, okay?
So, since I think that you guys need some hands-on exercise, I think you should do a bit before the break we're going to have anyway. And how about we start installing the kits right now? Okay, and we'll try to access a couple of components now. Is there anyone here in the audience that didn't get the disk-on-key? Good. Roy, Roy, can you see those participants? Okay, those of you that have a disk-on-key, hand it in to us and just forward it to somebody that doesn't have it. Okay. Do you want me to be something? anyone Good Okay, so I am Can you have them out with this movie is just falling before them take another one?
Good. So I want you to install, to copy everything we mentioned earlier. You should copy your own specific library and the OVA file inside the disk-on-key, at the root of the disk-on-key. But what I want you to install is VirtualBox, most of all. It's a very simple file. It's a very simple installation process, nothing too complicated. That's the file that you should see, I'll just show it to you. It will be a DMG file for Mac, for those of you with Mac, but that's the file you should see and install. A simple next, next, next installation. The only problem you may have, and you may have it, is if your virtualization flag in your BIOS is not open. If your virtualization flag in your BIOS is not open, skip installing it until the lunch break, when I'll explain how to handle it. Okay, and use the other tools I'm going to explain in a moment. Okay, so anyone that doesn't have the virtualization flag open, you know, just avoid it for now. Don't use it. Okay?
And the second toolset you want to use, you're not going to use it on a virtualization platform, you're going to use it on your local actual PC, is OWASP ZAP. Now, what I want you to do right now, in addition to installing VirtualBox, is install the JDK, the Java development toolkit, which isn't necessarily required, but, you know, it's a good baseline, and installing this toolkit will make sure that ZAP is working on your station. So please install it right now, okay? JDK version 8. After installing it, you can start the ZAP installation, a very simple next, next installation, and you should be able, you know, to get ZAP started, and you should have an icon on your desktop. Just double-click it and you should have it on your screen, okay?
Now, initially, I want you to access, through the training Wi-Fi, the WebGoat application. I'm going to access it right now with you. Okay. It doesn't work. Let's see. It's not working. We'll use Hackazon online, okay? It should work with the training lab open. Let's see. That's the one you try to access, the training lab. See, in my case, it's just connected.
It just takes a little bit of time, a couple of seconds. The address here is the following address. Let's see. So when there's no surprises... Okay, we'll set it up in a second. I don't want to delay you in the initial session. So what I want you to do at the moment, after you install the JDK and ZAP, is, just using your browser, access Hackazon. That's Hackazon, for those of you who haven't seen it in the past. It's an online training application that you can use. I'll just access it in my browser so we're going to see it. It's an application by Rapid7. We'll be using it for various purposes, just to see the toolset is working, for the purposes of this course. Let's see. See, okay. That's Hackazon. You can access it online at the following address: hackazon.webscantest.com. Okay. Can you see it? I'll magnify it. http://hackazon.webscantest.com. Okay. Firefox, whatever you want at the moment. Later on, for the course, I'd recommend Firefox. Yes, okay. So access this website and you should be able to see the following user interface.
By the way, WebGoat works. It's just very slow. I can see right now that it actually did work when I connected to the Wi-Fi. It's just super slow. I guess it's not handling the load, but we'll see what to do. Okay, so that's WebGoat. If you access the training lab, you should see that. Good. If you access Hackazon, okay, you should be able to see the following. Good. Now, what I want you to do is just crawl a bit in the application with your browser, access a couple of links so that you see that it's working for you while you're installing the JDK and ZAP, or, you know, more quickly, after you've finished installing the JDK, VirtualBox, ZAP and whatever, activate OWASP ZAP and wait. Okay, so it will take you a couple of minutes, five minutes.
I'm going to give you the time to do it. Okay, there's no point starting the course for the vast majority of you if those elements are not configured. You'll lag behind. We won't be able to experience the course like we want you to experience it. So really invest the time to try and get everything working right now, okay? So after activating OWASP ZAP you should see a blank screen. Don't worry, I won't rush forward. I'll give you guys the opportunity to copy and join us. So, you know, let's do the smart thing. We're going to take a short break right now of 20 minutes. During those 20 minutes, I hope that you eat, drink, do whatever you want, and at least start the installation processes of VirtualBox, import the OVA file by double-clicking on it, install the JDK and install OWASP ZAP. Those of you who are really fast, install Firefox as well. Okay, at the end of the break, please have ZAP, OWASP ZAP, open on your screen. Don't do anything with it. Just have it open, because we're going to start and configure it. Okay? It's probably the only complicated session for the day, even though it's not really complicated. Okay, so do your best to be prepared for it. That's it. Please be back in class in 11 and 10 minutes. My clock is the only one that counts. Okay, don't be late. That's it.