That's only because I made a mistake and forgot to write port 8080 in the URL. I just fixed it on my screen. So if you decided to use the training lab instead of Dojo, or whatever you plan to use in this course as a training lab, if you decide to use my Wi-Fi training lab, this is the right address: http://192.168.0.109:8080/WebGoat, with a capital W and a capital G. That's the right address. It's slow, but it will work.

We have a couple of training labs here because we didn't know which devices you'd bring. We didn't know if it would be Mac or Linux or Windows or something like that. We didn't know which configuration the various computers had in your BIOS, virtualization flags enabled or not. We came prepared for each eventuality. So there are a couple of training labs. There's the Wi-Fi that you can connect to, the training lab Wi-Fi. You can connect with just your browser and ZAP and work in front of it. That's good enough for the purposes of the course. That's the worst-case scenario. It's not ideal. It's for somebody who has nothing else working for him: he can't install anything on his PC, or he can't run the virtual machine.

My main recommendation is to use the two following training labs. A, for the first phase of the course, if you can import the Web Security Dojo VM into VirtualBox, that's the most preferred option because all the tools there are already configured. So even if you have problems following our various configuration instructions, it should work out. You should be able to use the tools at least in there, both Burp, ZAP or whichever tools you decide to use later on. The second preference we have already provided you on the disk-on-keys: the WebGoat training kit for your own PC. It's simply an executable JAR. I'm going to show it to you just for a moment. Just a second. That's a JAR file, the WebGoat container JAR. Almost the same one for all operating systems.
Just by double-clicking it, it should work and automatically open port 8080. You won't see it do anything. It won't open a browser, you won't see a pop-up window. Just double-clicking it will start the actual instance. If you can't double-click it, or don't have an association between Java and JAR files for whatever reason, then after installing the JDK you can simply go to the directory WebGoat is located in, cd into it in the command line and execute the following command: java -jar and the name of the file, webgoat.jar or whatever it is, the actual path where the file is found. That should execute WebGoat and cause it to listen on localhost port 8080. Localhost port 8080. Let's see if it's working for me. Let's give it a shot. That's the training lab. Let's see, localhost. Proxy server. Let's give it another... Proxy server. Ah, but this one listens on 8080 as well. I get it.

So we'll get to conflicts with ports in a second. In general, the various programs that you have may listen on various ports, but sometimes two programs use the same port. If that's the case, you'll have collisions and you won't be able to access or start one of the programs. To avoid that, let's go through a simple configuration session in both ZAP and the other relevant platforms.

Let's start by configuring OWASP ZAP. As I mentioned before the break, I want you to start the session with OWASP ZAP open on your PC. Not in Dojo, on your PC. In Dojo, it's already perfectly configured. I want to make sure it's working well on your own station. We want to make sure that ZAP doesn't listen on the default port of 8080. The reason we want it not to listen on 8080 is that almost every other generic piece of software listens on 8080: Tomcat, or one of our training labs. WebGoat also listens on 8080. If we use this port for our proxy, we'll have endless conflicts. I highly recommend configuring another port that is typically not used by any other program. I typically recommend 9999 or 9998.
To configure ZAP to listen on another port: I just magnified my font so you're able to see properly. I can already see that it's not visible. Oh, font size minus 1, very effective. I'll just start ZAP and let's hope you'll be able to see it more clearly. I'm guessing that's better, maybe even too big. Maybe even too big. We'll adjust the size later on. For our purposes right now, it's good.

Tools, Options. Under Options, there's an option called Local Proxy. There's an option called Local Proxy. You should see it somewhere around the middle, lower part. Local Proxy. It defines the port that ZAP uses to listen on, the port that you should connect your browser to. By default, it's 8080. Either change it to 9999 or 9998. In my case, I typically use 9999 for Burp and 9998 for ZAP, whatever you prefer. Just remember that port number, because you'll have to use it later on when you configure your browser to use the proxy. Do that right now. Change the port number to 9998 or 9999. After you have configured the port in ZAP, just press OK. Tools, Options, Local Proxy. For those of you who don't remember: Tools, Options, Local Proxy.

We want to be able to configure our browser to work with ZAP. Now, I'm going to have to insist that you use Firefox, if possible. However, I'll show how to configure it for other browsers. I'll start with the easiest method in Firefox. If you noticed in the installation, in the directory that you copied, there isn't just Firefox. There's also a plugin for Firefox called FoxyProxy. That's how the file looks: FoxyProxy Standard. See that? You should have it on the installation disk-on-key. Now, I want you to start Firefox and drag and drop that file into it. Okay? Let's hope it works. I actually have FoxyProxy already, so I haven't tested it myself. You should get an installation notification. Let's see if it works. If it's not working for you, don't worry. I'll explain how to use it without it. It's just more convenient.
You should see a pop-up like that. Click Add, and you're good. At the end of the drag and drop part, after you install FoxyProxy, the FoxyProxy extension for Firefox, you should see a small fox icon in your browser. All this is just a very, very convenient method to switch between proxies. That's it, okay? We want to be able to switch between non-proxy mode and proxy mode, okay? And also to be able to configure proxies really quickly. For those of you who are, you know, fans of other browsers, that's fantastic. There are FoxyProxy extensions for Chrome, IE and other browsers, but for all purposes, let's start here.

After you drag and drop the extension, install it and right-click on the fox icon in Firefox, go to Options and press Add New Proxy, okay? Click Add New Proxy. I'll repeat that because I'm guessing that most of you will need me to repeat it at least once or twice. After you install Firefox, and after you drag and drop the FoxyProxy Standard extension into it and press Add, okay? You should have dragged and dropped it inside, pressed Add, and then we'll start Firefox. After you do that, you should see the fox icon in your Firefox. Is there anyone here who has a problem with it? Raise your hand. Roy will come and help you out with it, okay? If there's anyone who has a problem, just raise your hand, okay?

So eventually, just right-click on the fox icon, press Options, and Add New Proxy. In the Add New Proxy configuration, I want you to write localhost, okay? Either localhost like that or 127.0.0.1. Same thing for us. And the port that you chose when you configured ZAP, either 9999 or 9998, depending on you, okay? That's what I want you to write down in the proxy details. Don't check any other flags. Don't touch anything else. localhost 9998. After you do that, switch to the General tab, or you don't even have to do that. Just keep it like that. localhost 9998.
After that, you can press OK, and you should see the proxy configuration when you right-click the fox icon from now on, okay? You should see the localhost 9998 that you configured. And that's it. You want to switch to working with ZAP? All you have to do is right-click the fox icon and click localhost 9998. You want to stop working with ZAP? Just completely disable FoxyProxy, and then you're talking to the Internet directly. Very effective, very easy to use. Okay?

Now, let's do a test drive. I want you to access a website which isn't encrypted. Okay? A website which isn't encrypted. I'm doing a small commercial here. Don't be alarmed by it. http://www.takeapi.com. If you have another non-encrypted website, that's fantastic. Just configure your browser to work with the proxy in front of it instead. Okay? And access this website. Whatever it is, as long as it isn't encrypted. You should see in ZAP the communication to the website. You should be able to see the communication to the website that you accessed. If it's an encrypted website, it won't work. Okay? We haven't yet configured ZAP to work with SSL. But at the moment, a clear-text HTTP website should work perfectly. Take a minute or two to set that up. Okay? Just a minute or two.

In the meantime, I'll try to explain how to use ZAP in Web Security Dojo. Again, if you have questions, raise your hand. One of the assistants will join you. Roy, anywhere? Roy? We'll get to you in a second, okay? So Web Security Dojo, and I'm switching from the local ZAP instance which you used, is the platform that you're going to use for most of this course, especially because it has a bunch of tools and a bunch of training platforms built into it. Now, at the upper left section of Web Security Dojo, you'll see some sort of weird blue icon. Okay? If you click it, you'll have various menus. Okay? The menus that are specifically interesting to us are Targets and Tools, located at the bottom of the menu. Okay?
Now, Tools is simply a category of the various hacking tools that exist within the platform. Targets is a variety of targets to hack, various vulnerable websites. Okay? Under Tools, we'll see OWASP ZAP, okay? Zed Attack Proxy. ZAP is short for Zed Attack Proxy. Okay? That's the tools. You can activate it simply by clicking that button. Okay? So, the button at the upper left corner of the screen, the blue button. Tools, Zed Attack Proxy. Okay? Click it and activate it in your virtual machine right now. Accept the license agreement. There. That's the agreement, and ZAP should start any moment. It's an updated version, which is good, because we want to sync the versions on the PC with that for the purposes of our training session.

After starting ZAP in Web Security Dojo, those of you who have Web Security Dojo, start Firefox in Web Security Dojo. Firefox can be started simply by using the Firefox icon at the upper left corner of the virtual machine. Okay? Click it. It should immediately open up to the main page, which includes links to all the vulnerable testing applications in the virtual machine. There are a bunch of those, ten at least. We'll be using primarily InsecureWebApp, WAVSEP, and a couple of others if we get to that. Okay? But eventually, those are the applications you're going to hack. For every application here, to start hacking, you just have to click the right name in the main menu.

Now, instead of using FoxyProxy, there's a nice plugin here called MJ, or I don't know what its real name is, but it's found in the upper left corner and it enables you to choose the proxy that you want to use. Okay? So, in Web Security Dojo, ZAP is preconfigured to listen on port 0883. Okay? 0883. To work with ZAP in Dojo, just pick that option. You should see MJ on the left becoming red. Okay? See MJ on the left becoming red? That means that there's an active proxy, and the browser is currently working with the proxy.
To disable the proxy, simply click that icon; the red icon should turn gray again, and you're good to go. You can access the internet without the proxy. Click again, and it's going to work with the proxy you chose. To switch proxies, just pick another proxy. That's pretty much it. Easy, convenient, should work. To make sure it's working, those of you who have the VM installed and ZAP active, click InsecureWebApp and see that there's traffic in OWASP ZAP. Make sure that you see traffic. You see that the tree is populated with content. Okay? Like that. It's not blank and empty anymore.

So, if you followed the steps, you should by now have ZAP installed on your station, you should have FoxyProxy installed in Firefox, and you should have been able to access the internet and see some content populated in ZAP, at least for HTTP websites. Okay? If you want to use ZAP to access a training kit from your PC, we'll get to that in a second. If you want to use Dojo, that's fantastic. You can use InsecureWebApp for the various training kits and labs. Okay?

Now, as I mentioned earlier, you all should have received the training kit, and in the HTTP kit, you should have found the WebGoat file, the WebGoat JAR file. Those of you who haven't done it yet: after configuring ZAP to listen on another port, and after making sure that Tomcat, if you installed it, is down. If you don't know how to make sure Tomcat is down, there's a piece of software that should be installed on your computer called Monitor Tomcat. I don't have it here, but Monitor Tomcat should show up as an icon; you can see whether Tomcat is up or not. Only if you disabled Tomcat, if you installed it, and changed ZAP to another port will the following process work. You should be able to double-click on the WebGoat container. Okay? Let's just close all the proxies here and I'll show it to you. Make sure it's working for all of us. Clean up any excess Java processes. Now I'm clean. I don't have any Java processes.
I'm going to start ZAP. It should listen on port 9998, in my case at least. And then I'm going to execute the WebGoat JAR, either by double-clicking on it or by running java -jar and the name of the JAR file, after installing the JDK, of course. That's it. You shouldn't see any pop-up. There shouldn't be any browser windows opening up. Nothing. If you want to verify that it's actually working, you can run the following command in your command line window: netstat -an | findstr LISTEN. It should show a listening port on 8080. Okay? The WebGoat that you already accessed in the remote lab will now be available. You can access it on your own PC: http://localhost:8080/WebGoat. It should be slow, but it should work. I hope. See? Okay?

So even if you don't have a VM and you can't connect to the Wi-Fi, just installing ZAP, configuring your browser and double-clicking on the WebGoat JAR file will set you up with a training kit for the purposes of our course. Okay? All of those methods should work out for you. If you have any issues with those methods, no problem, we'll be available throughout lunch, at the beginning of lunch, during lunch, after lunch, to help you set it up for the rest of the course. I really need you to get this working, so you'll be able to participate actively in the course. Okay?

Now, after we've explained the toolkit and we've explained the protocol, I think it's about time we start talking about attacks, right? This is a hacking course. You didn't come here to learn HTTP debugging or anything like that. So we're going to start the actual real content of the course, which is web hacking. We're going to start by talking about two very simple and very common attack methods: forceful browsing and parameter tampering. Okay?
Forceful browsing and parameter tampering are two pretty much universal methods that either relate to a lack of security control enforcement or are related to a misunderstanding on the developer's part of what the client should be able to affect. Okay? Now, when I initially started in security, that's the thing that amazed me most: how many unintentional parameters with very significant business value are being sent from the client side to the server side. As hackers, eventually, the whole purpose, or the whole method, of hacking is to manipulate stuff being sent from the client to the server. If something is being sent from the client to the server, I can intercept it using a proxy or some other method, change it and send it to the server. However, if this value is significant for the server side, okay, this value can affect major elements in the business logic and therefore can be abused.

So, the following example is from a real website which I won't name or refer to, because that would lead you to abuse it, okay? It's a website that deals with renting cars. That's as far as I'll go, okay? And for some bizarre reason, the user interface allows the client to send the price of the car rental from the client side. So, in the purchase, I mean, when you actually order, when you book the car, if you intercept the HTTP request in Burp, ZAP or whichever other interception tool, you'll see currency, total price, basic price and a number of other parameters. You can manipulate them to, you know, book the car at your own price, or at a negative price if you want to, or, you know, whatever. Actually, that's the second version of the website. The other version of the website actually had a discount field with a value between 0 and 100, okay? So, that may seem rare, but it's actually not rare. I think it was the second test I did in pentesting, somewhere in 2004 or 2005. I saw a parameter called privilege level equals, I think it was 5 or 1; it was 1, something like 1.
Privilege level equals 1. 2 didn't do anything, 3 didn't do anything. Changing the parameter to 5 got me an admin interface. So, those various flags with business significance are everywhere. In courses throughout the years, you know, in courses in which I had more time, 3 days, 4 days, 5 days, I would actually let the students pick websites, typically e-commerce websites, and look at the parameters. It would be amazing to see the things that you see. Prices and flags and coupon equals false or true and other elements that really affected business logic on the server side. Once I had a student who picked a credit card company, a major credit card company in IL, and I won't name it because I don't want to get into too much trouble these days, and I'd rather avoid it. So, there was actually a flag in an HTTP header called customer ID. It was a numeric flag, and changing it to another number got you the entire information of another customer. It would actually allow you to change anything for that customer, complete impersonation, just because a value with business significance was sent from the client to the server side. Okay?

I'm going to demo, I will try to demo something related to it, but just to get us on the same page: there are various parameters being sent from the client to the server and there's really no going around it. There's no way to avoid it. The client needs to send something to the server in order to create some sort of dynamic interaction in the application. However, the developer can choose which parameters the client should be able to send, or which parameters are too dangerous for the client to be able to send. As hackers, we can typically manipulate a couple of categories in terms of business logic manipulations. I'm going to categorize it, although there are more categories; in order to simplify it, we'll deal with five or six categories.
We'll talk about numbers. Anything related to numbers sent from the client side, a number used for calculation, can typically be abused, with emphasis on prices, quantities and sums. A few examples, and later WebGoat examples which you're going to do on your own in the lunch break. Let's say, for example, that a price parameter has been sent from the client side to the server side. What can I do? It's a rhetorical question. I can reduce the price and send zero instead. I can send a negative sum or whatever. Let's say I'm doing a wire transfer in my bank from myself to you. I can send a positive sum like 100, and I can send a negative sum. Now, if you think about it, when the bank subtracts the transfer sum from your account, it does whatever is in your account minus the sum that you're transferring. Now, if you're transferring a negative sum, it's minus minus one, which in math equals plus, right? So, you're getting a gift and the other entity is contributing his, you know, sum to whichever great cause in Africa. Okay? So, you get the point.

Now, one of the instructors tomorrow, Irene, those of you who can, check her out. I saw her do that once for 60 million dollars, with other variations, not exactly like I described, for a major bank. Not now, you know, it was 2006, 2007, but it worked. That's my point. Okay? It's insane, but it works. It's very hard these days, but you never know. Actually, in my case, I saw it working on some bank's website in the last two years. Okay? It was fixed, by the way. Don't worry, but all I'm saying is that those instances happen from time to time.

Quantities, another example. Let's say you want to buy something at a lower cost. So, I can buy five products which cost, I don't know, 100 bucks each. Okay? And then I can buy another minus three products that cost, I don't know, 150 bucks. Okay? Okay, let me switch it.
It's nothing to see, it's just an old picture, just, you know, trying to help you get a graphical image. Okay? So, imagine it. So, if I mess with the quantity field, which is something that exists in any online web store, even a secure online web store, since they send the quantity from the client side to the server side, they have to let you, you know, set the number of products you want to buy. So, you can actually mess with the quantity field by sending a negative sum instead of the positive sum, in addition to positive-sum transactions. The overall sum that you'll have to pay would be reduced. It can be, I know, plain stupid to buy minus three products; that would simply not get through. You know, you can succeed with it, but it's very rare. However, buying five products and minus three products can actually affect the sum and cause it to be lower. It will still be positive and you might actually get the shipment. Okay? Which I saw certain entities get. Not to mention their name.

So, that's numbers. That's not as common as the second entity which we mess with in parameter tampering, which is identities. Identity is any parameter that signifies the identity of an entity. Okay? So, an ID card sent from the client to the server. An email sent from the client to the server. A user ID sent from the client to the server. A username, and so on and so on. All of those values are identity-containing parameters. It's a parameter meant to signify the identity of the user to the server. Now, in the login phase, that's fine. The user sends a username-password combination or an email-password combination. It's not that he's able to send the username of somebody else. He has to guess the password of someone else. But if you see the username being sent in the application on an internal page, which isn't the login, registration or password recovery page, it's probably vulnerable. Okay?
So, if you see a username, for example, on an internal edit page that enables you to edit your image, you can simply send the username of another user and change his image. Another instructor tomorrow, Guildcoin, I used to mess with his account for a long, long time. I used to change his image in social networks. I'm not sure I ever showed it to him, but, you know, it works. That's the main point. So, any identity-signifying parameter that you see, you can intercept and send the identity of someone else. So, for example, if you saw a parameter called username equals something in the URL. Let's say that's http://website.com/page.jsp?username=Danny, for example, and you're Danny, you just logged into the website, and that's a page that does something in the website such as edit details. You can change that username to admin or to another user account and impersonate that user account throughout the website or throughout the specific vulnerable page. So, that's the second type of manipulation we can use. It's important that you listen, because you have to do it immediately after the explanation. It's important. So, identities is the second type. You can use identity manipulation to impersonate users, to bypass permissions and restrictions, and generally cause havoc in various identity and authorization elements.

The third entity is flags, and flags, unfortunately, are much more common than the rest. Flags can take any form, especially in e-commerce websites. You'll see coupon equals false. Let's say you want to get the coupon: just intercept the request, change the flag, the input parameter, to true, and you'll be able to get whatever benefit you'd get from the coupon. You'll see discounts. You'll see is admin. You'll see role equals simple user. You can change that to admin. You'll see various flags with important significance sent from the client to the website.
Now, I encourage you, either throughout the long break or, you know, once you get back home today, to use the proxy and access, you know, the price comparison application Zap (you should all be familiar with it to some extent) and try surfing through the various e-commerce websites there. Go buy air conditioners or go buy whatever, and take a look at the parameters being sent from the client to the server, just to see how the world really works, just to figure out that everything you thought was, you know, generally secure because there was SSL on the website isn't necessarily so, okay? And actually, most likely isn't so, in many, many cases, okay? So I encourage you to do that at the end of the day.

But for our purposes, I want you to take a look. I'm going to stop right now with the presentation. I want you to access either WebGoat or InsecureWebApp right now. I actually recommend WebGoat for this specific exercise. So either connect to the training lab Wi-Fi and access the WebGoat URL there, there's the URL, okay, or double-click on WebGoat on your own PC and log in. You have a username and password on the main page; you simply write them down: guest, guest. Okay? Log in. There are various attack categories in WebGoat. I want you to select the Parameter Tampering category. Using the local instance will typically be much, much faster, okay? For those of you who don't have access to either the local instance or the Wi-Fi, don't worry, I'll explain it. Yeah, I know, I want the guest, I want the guest in my house, isn't it? Let's see if it's okay. That's the Parameter Tampering category. Go to Exploit Hidden Fields, okay? I'll mark it so you'll be able to see it. Go to Parameter Tampering, Exploit Hidden Fields, okay? There's a web page here, and if you configured your proxy... I don't want to show it to you; I want you to experience it yourself for a moment. If you configured your proxy, if you configured your browser to use the proxy and you're going to surf WebGoat through your proxy, activate
anything: purchase, update cart, whatever, and see what the proxy contains right now. Okay? Do it for a moment. See what the proxy contains right now. Go to the tree of requests in your proxy, to the domain localhost:8080. You should see it in your proxy. Let's see. I don't have a proxy, funny. Okay, I see there's a problem here. Let's see. You should see the request sent in the proxy, both in the tree and, more importantly, as a request in the History tab, okay? See that? The History tab. You should see the request being sent in the History tab. If you go to the Request tab here, you should be able to see the various parameters sent, if there were any parameters sent, okay? Let's do it again. Let's update our cart, update cart, and purchase. See that? Switching fast, there would be one or more POST requests that include parameters. You should be able to see a couple of very interesting things there. Just note for yourself what those interesting parameters are that you identified. We'll compare in a second.

Roy, can you raise your hand or stand up? Those of you who have issues can approach Roy; just raise your hand. Okay, it's one guy, can you be helping throughout the break? Don't worry if you're missing out, just listen, okay, in the meantime. So, the setup of WebGoat... Sure, of course. In WebGoat, you should go, after you logged in to WebGoat (it's guest/guest or webgoat/webgoat, doesn't matter), go to the lower section there, click it and go to Exploit Hidden Fields. Let me magnify that for you. Oh yes, there's a problem. Who called me? Yes, you don't see all the menus there. Yeah, I see. I'll just... how about now? Is it better?
You don't see all those menus in WebGoat. Hmm, so Roy will be with you in a second to help you out. If you want a cheap trick, try writing the link manually. You need to work it off, so Roy will be there in a second, oh, a couple of minutes to be more realistic. So you should have seen, those of you who accessed it... Your exercise will include a couple of tasks, and one of them is to actually exploit it, okay? You should have seen the following parameters when using the shopping cart, okay? One of the parameters that was set in the shopping cart is the quantity parameter, which we already discussed. What can we do? Anyone? Don't be afraid to shout. Change it to negative. Go buy a couple of things with positive values and add a couple of negative values. And you also see that there's another interesting value, which is the price, which is very funny because I, the customer, tell the dealer how much the product costs. It's obviously something that can be abused. So that's a good parameter tampering example. One of the tasks for the lunch break, and we have very little time to exercise these days, so I'm going to steal as much as I can from your lunch breaks and other breaks, is to exploit it. Remember the task, don't do it now. One of the tasks is to exploit it, to buy something at a lower price, complete the transaction, actually doing something which is malicious: buying something at a lower rate, whatever, exploit that feature in the application.

Now, getting back to parameter tampering. Another form of parameter tampering which still works even in very secure websites in 2017, simply because it's a tedious job to secure it, is resource identifier manipulation. OWASP has a fancy name for it; I think it's Insecure Direct Object Reference. That's the official OWASP name for it. It's good, I'm working for OWASP right now so I won't say anything about it, but it is a bit more complicated to understand. The point is, entities in an application have their own private resources. You and me, we can be users in the same bank, same privilege level,
but I have my account and you have your account. I have 7 accounts of my own, each one of them with their own identifier. You have 2 accounts of your own. We also have other resources that are our own in the bank. We can have a trade account, an investment account, we can have check numbers. All of those are associated with or owned by specific entities. Okay? To tell the application, to instruct the application to present or edit a resource, the client typically sends the resource identifier to the server. When I want to tell the banking application, hey, present me the transactions I have in my account, I'll typically need to send my bank account number to the application in a parameter. So a page that presents the content of a specific account in a website will typically send 4444 in an input parameter to the website. But what you can do with resource identifiers is to send the identifiers of someone else. Okay? Send the identifiers of someone else. That's really fantastic, because you can do a lot of things. For example, when you're accessing an account, just accessing an account of someone else, or when you're telling the application which account to bill, you can give the account of someone else. Even better, you can access, you know... Do you guys remember in earlier instances of Facebook that you had a parameter in the URL that had a number? What was that? You remember that? It was an identifier, and this identifier was also set in hidden parameters on other pages. But in theory, I'm not saying it worked, if you had taken the identifier of someone whose profile you viewed, you could have used that identifier in other locations in Facebook in which there was a hidden parameter that set that identifier. Okay?

No, you don't... I'll explain. A session is generally associated with an identity, that's true. We haven't gotten to sessions; I'm not sure we'll be able to cover sessions at this pace. However, when a developer accepts a parameter from the client side, he typically relies on that parameter. Otherwise, why
would he receive it from the client side? Does that make sense? Understand that a developer receiving values from the client side that he isn't using is an unnecessary practice, really. When you see a parameter that includes identity, even if there's a session, the developer may by mistake ignore the session identity and use the client-originating one. Okay? It's not something that occurs everywhere; every flaw in security is dependent on developer mistakes. But it's a common issue.

Okay, so, resource identifiers. I'm going to demonstrate... no, I'm not going to demonstrate anything. I'm going to help you identify it yourself in a short exercise of about 15 minutes. Okay? Those of you who don't have a VM image, I highly, highly, highly encourage you to sit by somebody who has one, because there's no other good example of parameter tampering like that. We're currently searching for resource identifier parameter tampering in the application InsecureWebApp. I'll help you out; we'll start from scratch to get the training application started.

I'll simply open ZAP in Web Security Dojo: I'll click the button, go to Tools, go to Zed Attack Proxy, ZAP. Okay. I'll start Firefox and make sure that Firefox uses ZAP as the interception proxy. In Dojo it's not like FoxyProxy: you have to click the button on the right... on the left side, pick Zed Attack Proxy and make sure it's red. If ZAP is already started here, you should press yes, yes, start, start, to whichever question it's asking you, and eventually access the InsecureWebApp link. Ignore update instructions from ZAP, by the way. The InsecureWebApp link, okay. You should see ZAP being populated with request content.

Okay, so the login information: you can use one of the following users. I'm going to write it down; write it down. You don't have to know the URL: just open up your browser, open up a new Firefox window. Open up a new Firefox window; I'm going to close this Firefox instance. Open up a new Firefox window and you should see InsecureWebApp as one of
the options. You should see it here. Close all the Firefox windows that you have and open a new one. Okay, instead of, you know, writing down the actual URL, this is much easier. You can either use the user asmith and nd, or, if you want to get straight to the point, I recommend you use the following payload instead: or 1=1. It's important you guys get used to using payloads even if you don't understand them yet. Better: or '1, just as I wrote it; don't add anything before or after.

Your purpose is to identify a web page in the application that sends a parameter from the client to the server that includes a resource identifier: a report ID, whatever you find. Go through the various links in the application and see the parameters being sent, either in the URL section or the body section. asmith, nd. Just to show what I mean: there are various websites, there are various links, preferences, products, whatever. Okay, find a link that uses an account or product or report or whatever identifier and try to abuse it to access another person's account. Okay?

Now, we haven't learned interception with ZAP yet; we haven't learned how to intercept requests and change them. But the parameters in the InsecureWebApp in Dojo at the moment are URL parameters, so you can actually change them; you can actually change them in the URL of the browser. Okay? You should be able to see URLs with parameters in the browser, like, in the URL address you should see param=value. You can change it there. Okay, so go through the various pages right now and see what you can find.
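The two flaws discussed above, the shopping-cart quantity/price tampering and the resource identifier (insecure direct object reference) manipulation, in server-side form. This is an added example, not code from the course, from WebGoat or from InsecureWebApp: a framework-free Python model with each handler shown as the vulnerable version beside the fixed one. The users, account numbers, product ids, prices and the Request class are all hypothetical and constructed for illustration.

```python
# Added example, not from the course transcript or the InsecureWebApp/WebGoat
# labs: a framework-free model of the two flaws discussed above, each handler
# shown in its vulnerable form and its fixed form. All names, users, account
# numbers and prices are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Request:
    """What a server-side handler sees: the identity bound to the session
    cookie, and the parameters the client chose to send (URL or body)."""
    session_user: str
    params: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


# Constructed sample data (hypothetical).
ACCOUNTS = {
    "4444": {"owner": "asmith", "balance": 120.00},
    "4445": {"owner": "asmith", "balance": 3000.00},
    "7777": {"owner": "bjones", "balance": 55.00},
}
PRODUCTS = {"101": 19.99, "102": 250.00}   # product id -> server-side price
MAX_QTY = 100


# --- Resource identifier manipulation (OWASP: insecure direct object reference)

def view_account_vulnerable(req: Request) -> dict:
    """Uses the client-supplied identifier and ignores the session identity,
    so sending someone else's account number returns their data."""
    return ACCOUNTS[req.params["account"]]


def view_account_fixed(req: Request) -> dict:
    """Still accepts the identifier (a user may own several accounts), but the
    ownership check is made against the session identity, never against
    anything the client sent."""
    acct = ACCOUNTS.get(str(req.params.get("account", "")))
    if acct is None or acct["owner"] != req.session_user:
        # Same response for "missing" and "not yours": don't leak which ids exist.
        raise Forbidden("no such account for this user")
    return acct


# --- Quantity and price tampering (shopping cart)

def checkout_vulnerable(req: Request) -> float:
    """The client reports both the quantity and the price, so negative
    quantities or a tampered price are simply multiplied through."""
    total = 0.0
    for item in req.params["items"]:
        total += int(item["qty"]) * float(item["price"])
    return round(total, 2)


def checkout_fixed(req: Request) -> float:
    """Quantity is validated as a bounded positive integer and the price comes
    from the server-side catalogue; a client-sent price is ignored."""
    total = 0.0
    for item in req.params.get("items", []):
        try:
            qty = int(item["qty"])
        except (KeyError, TypeError, ValueError):
            raise BadRequest("quantity must be an integer")
        if not 1 <= qty <= MAX_QTY:
            raise BadRequest("quantity out of range")
        price = PRODUCTS.get(str(item.get("product")))
        if price is None:
            raise BadRequest("unknown product")
        total += qty * price
    return round(total, 2)


def outcome(handler, req: Request):
    """Run a handler and report either ('ok', result) or ('rejected', reason),
    which makes the vulnerable/fixed contrast easy to compare side by side."""
    try:
        return ("ok", handler(req))
    except (Forbidden, BadRequest) as exc:
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    # asmith's session, but the request names bjones's account 7777.
    idor = Request("asmith", {"account": "7777"})
    print("IDOR vulnerable:", outcome(view_account_vulnerable, idor))
    print("IDOR fixed     :", outcome(view_account_fixed, idor))

    # One real item plus a negative-quantity item, with client-sent prices.
    cart = Request("asmith", {"items": [
        {"product": "102", "qty": "1", "price": "250.00"},
        {"product": "101", "qty": "-10", "price": "19.99"},
    ]})
    print("cart vulnerable:", outcome(checkout_vulnerable, cart))
    print("cart fixed     :", outcome(checkout_fixed, cart))
```

The fixed account handler still takes the account number from the client, because that is the normal way to pick one of several accounts; what changes is that the decision is made from the session identity, which the client cannot tamper with the way it tampers with a URL parameter. The fixed checkout never reads a price from the request at all, and bounds the quantity rather than merely rejecting negatives, since an absurdly large quantity is its own abuse case.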
