All language subtitles for 2. SQL Injection

1 00:00:00,480 --> 00:00:02,790 But they're going to start with desperation.
2 00:00:05,270 --> 00:00:13,040 We have for every bug, we're going to have a little definition and we start right away.
3 00:00:13,360 --> 00:00:14,750 This is not a beginner.
4 00:00:17,170 --> 00:00:24,520 Workshop, so a SQL injection, a SQL injection, that consists of insertion or injection of a SQL query
5 00:00:25,150 --> 00:00:28,450 via the input data from the client to the application.
6 00:00:29,170 --> 00:00:33,220 In fact, SQL injection has always been one of the most used attacks, ever.
7 00:00:33,730 --> 00:00:36,940 So I guess everyone knows about this challenge.
8 00:00:36,940 --> 00:00:41,470 Injections, SQL injections are like.
9 00:00:42,520 --> 00:00:50,860 One of the top three of the most used for breaches in hacking, and also like the most critical
10 00:00:50,860 --> 00:00:55,150 you can get because with a SQL injection, you can do many, many, many, many things.
11 00:00:56,530 --> 00:01:03,190 So first, with this kind of injection, you can retrieve data from the database, with SQL injections.
12 00:01:03,190 --> 00:01:09,760 You can inject data into the database with an injection, and you might end up having a remote code
13 00:01:09,760 --> 00:01:14,560 execution if the user is database administrator.
14 00:01:14,920 --> 00:01:16,150 So SQL injection.
15 00:01:16,150 --> 00:01:23,600 There are many things to be done, but how do you find injections easily?
16 00:01:23,690 --> 00:01:31,420 No, I won't say easy, but like the good ways, the ways I use, the places that people don't usually
17 00:01:31,420 --> 00:01:31,990 explore.
18 00:01:36,560 --> 00:01:37,820 So let's go.
19 00:01:39,610 --> 00:01:41,710 How to test for SQL injections.
20 00:01:41,830 --> 00:01:44,470 There are multiple ways of testing for SQL injections.
21 00:01:44,950 --> 00:01:50,110 One of the most known is a single quote to parameters that you put on.
22 00:01:50,110 --> 00:01:51,700 Look for errors in the webpage.
23 00:01:52,240 --> 00:01:53,530 Everyone knows this technique.
24 00:01:53,530 --> 00:01:54,540 You just come.
25 00:01:54,550 --> 00:02:00,760 You put a single quote and you wait for a SQL injection error and you're good, but it doesn't happen.
26 00:02:00,760 --> 00:02:01,630 Always like this.
27 00:02:01,990 --> 00:02:04,930 So you have many different types of SQL injections.
28 00:02:04,930 --> 00:02:10,900 You have blind SQL injections, you have Boolean based injections, you have no major injections.
29 00:02:11,320 --> 00:02:15,280 So it doesn't just work like I'm going to put a single quote and wait for it.
30 00:02:15,600 --> 00:02:18,990 And especially in bug bounty, where the big launch of.
31 00:02:19,810 --> 00:02:27,190 So the moment you feel is a field where people are hitting on targets days and days after this.
32 00:02:27,640 --> 00:02:33,640 So you're never going to end up testing a website that no one has hit on before.
33 00:02:34,300 --> 00:02:43,120 You should suspect that in case there was a SQL injection with a simple single quote, someone should
34 00:02:43,120 --> 00:02:45,910 have found it like way before you.
35 00:02:46,180 --> 00:02:55,090 It's possible that I've never had this luck to just come on the website, try to do my backbone decision
36 00:02:55,570 --> 00:02:56,920 and just put the quotation mark.
37 00:02:56,920 --> 00:02:58,340 And yeah, I was doing it.
38 00:02:58,690 --> 00:02:59,620 It doesn't work like that.
39 00:03:00,380 --> 00:03:07,840 So there are many different characters you can use to test for SQL injections.
40 00:03:09,130 --> 00:03:15,970 We talk about a single quote, but you can also try to inject some weird chars into the inputs.
41 00:03:16,480 --> 00:03:24,160 So, for example, double quotes, you have this the MacDonald thing, you have this chance.
42 00:03:24,160 --> 00:03:30,430 You're going to try to inject and see if there is any error in the end in the book that gets activated.
43 00:03:31,570 --> 00:03:32,370 That's good for them.
44 00:03:32,400 --> 00:03:32,770 Check.
45 00:03:33,970 --> 00:03:41,080 Later, as we said, SQL injections can be found everywhere, once you test for SQL injections in jet
46 00:03:41,080 --> 00:03:43,870 and custom parameters sent by the application.
47 00:03:44,170 --> 00:03:50,860 But not only, you have to test for SQL injection on headers such as Accept, which you might get surprised.
48 00:03:51,310 --> 00:03:52,240 So funny.
49 00:03:52,840 --> 00:03:54,370 But it happened.
50 00:03:54,370 --> 00:04:01,780 Like, let's say, two weeks ago I was testing a website and I have this website and I'm checking in Burp Suite
51 00:04:02,260 --> 00:04:09,340 and I've seen an Accept-Language parameter that is getting set like on every request I do to the web application.
52 00:04:10,760 --> 00:04:17,000 So it's not like typical to just see an application that is going to just set Accept-Language,
53 00:04:17,020 --> 00:04:23,150 which I went forward and took the Accept-Language from the header the website was sending
54 00:04:23,150 --> 00:04:28,010 to me and I put it in my request and I tried to play with it a bit.
55 00:04:28,370 --> 00:04:33,110 And after some tries ended up finally getting an injection on this header.
56 00:04:33,410 --> 00:04:41,540 So this is like the most uncommon thing you can find, funny, is an injection in an Accept-Language header.
57 00:04:43,130 --> 00:04:50,540 You also have to test for SQL injections on or don't you it to put on education firms, but not only
58 00:04:50,540 --> 00:04:57,560 you have to test for SQL injection on path based inputs, such as, for example, when you have API,
59 00:04:57,560 --> 00:05:05,420 such users that you want just have to assume that the ID is not getting like past three GB.
60 00:05:07,280 --> 00:05:12,830 You have to assume that it might be vulnerable so you can just try to inject in the path.
61 00:05:13,220 --> 00:05:15,620 So let's say that you have, for example.
62 00:05:18,490 --> 00:05:20,750 That's to say that you have, for example.
63 00:05:22,630 --> 00:05:23,800 How to respond.
64 00:05:24,400 --> 00:05:24,700 Yeah.
65 00:05:26,690 --> 00:05:36,980 If you have such a such users large one, for example, just try to inject here, you know, so
66 00:05:37,340 --> 00:05:45,860 just like you will do for like parameter equal value, you're just going to test like that and double
67 00:05:45,860 --> 00:05:48,260 quote and start testing it manually.
68 00:05:48,560 --> 00:05:53,420 Just have to do the same focus for the database.
69 00:05:53,960 --> 00:05:57,520 So this is something that many people do.
70 00:05:57,530 --> 00:06:01,700 People just assume it exists on parameters?
71 00:06:01,740 --> 00:06:07,220 No, you have to test for everything that you can think about that is going to get passed to the database.
72 00:06:09,750 --> 00:06:10,380 Let's see.
73 00:06:12,230 --> 00:06:13,790 Yes, sorry, we are here.
74 00:06:16,260 --> 00:06:21,630 OK, so let's see some real world example reports.
75 00:06:23,100 --> 00:06:27,150 Case one, blind SQL injection via the parameter.
76 00:06:27,450 --> 00:06:33,000 So I was testing for, I was sitting here with a web application for a program on HackerOne.
77 00:06:34,050 --> 00:06:39,030 Upon visiting one subdomain, I looked at my history and I found this request being made.
78 00:06:41,640 --> 00:06:51,390 So this POST request is something that you typically see every day, just a POST to log in with
79 00:06:51,420 --> 00:06:54,060 the lang parameter being set here.
80 00:06:55,370 --> 00:07:03,850 And mud and meltdown, which means like looking, I guess, in Dutch and so as I saw the user of which
81 00:07:03,860 --> 00:07:10,400 is being set by an application, the first thing to try is to open a single quote, which from within
82 00:07:10,400 --> 00:07:10,970 the request.
83 00:07:11,540 --> 00:07:13,690 But as I said, this never.
84 00:07:14,210 --> 00:07:16,010 Like almost never works.
85 00:07:16,460 --> 00:07:19,400 So sadly, this led to nothing.
86 00:07:20,000 --> 00:07:28,340 After further investigation, I found out that the lang parameter that is here was vulnerable
87 00:07:28,340 --> 00:07:30,200 to blind SQL injections.
88 00:07:32,230 --> 00:07:40,690 So by appending this payload to the parameter, it requests the application to delay the response
89 00:07:40,690 --> 00:07:41,830 time by nine seconds.
90 00:07:43,000 --> 00:07:49,960 So there are some SQL injection payloads you can find like on GitHub.
91 00:07:49,960 --> 00:07:54,580 You can find if an on both default warchest.
92 00:07:54,940 --> 00:08:02,020 So you have like a ton of SQL injection payloads and you can just, if you suspect that an input is
93 00:08:02,020 --> 00:08:09,280 vulnerable, you can just like import the parameters, the payloads, to Intruder and just
94 00:08:09,730 --> 00:08:12,280 run them against the input.
95 00:08:13,090 --> 00:08:18,310 And you can even -- like you can do everything you need so you can check their response time.
96 00:08:18,310 --> 00:08:23,020 How much time did the response take to respond to this?
97 00:08:23,020 --> 00:08:28,720 For blind SQL injection, you can see the webpage content after sending the request.
98 00:08:28,720 --> 00:08:32,560 So it's very handy tools to have.
99 00:08:35,360 --> 00:08:43,460 So we don't look only for SQL injection via single quotes, which are Richard, earn this for
100 00:08:43,670 --> 00:08:44,870 instruction as well.
101 00:08:45,740 --> 00:08:49,170 These are more widespread and less detected by other hackers.
102 00:08:49,190 --> 00:08:50,330 So this is a report.
103 00:08:51,490 --> 00:09:00,220 As you said, it's the blind SQL injection where we can set any time delay and the application was
104 00:09:00,340 --> 00:09:04,990 delaying the response after the time we set.
105 00:09:08,020 --> 00:09:08,650 Case two.
106 00:09:10,330 --> 00:09:11,650 If anyone has questions.
107 00:09:12,980 --> 00:09:19,490 Throughout the course, please just dump them into the chat and I can answer them.
108 00:09:21,600 --> 00:09:22,890 Just checking if everyone.
109 00:09:24,340 --> 00:09:25,360 Everyone is following.
110 00:09:26,380 --> 00:09:27,370 Is my connection?
111 00:09:28,780 --> 00:09:29,410 Good to you.
112 00:09:32,220 --> 00:09:32,880 So can.
113 00:09:34,530 --> 00:09:35,190 Okay, all right.
114 00:09:36,220 --> 00:09:36,610 Thank you.
115 00:09:39,230 --> 00:09:45,340 So two, Boolean based blind SQL injections, GraphQL parameter.
116 00:09:46,400 --> 00:09:47,390 So everyone.
117 00:09:48,730 --> 00:09:53,890 You know, GraphQL has been implemented.
118 00:09:54,550 --> 00:10:02,320 You can see in the last couple of, last three or four years, I've seen many websites started adopting
119 00:10:02,320 --> 00:10:05,590 GraphQL, which is kind of.
120 00:10:07,660 --> 00:10:17,110 Endpoints for us, for hackers, where we can get schemas and try to retrieve data from it, but
121 00:10:17,110 --> 00:10:21,790 not also, people always go for like IDORs on GraphQL requests.
122 00:10:22,270 --> 00:10:26,710 But you can test for any type of bugs, you can test for SQL injections.
123 00:10:27,130 --> 00:10:33,070 You can test for remote code execution, so you can test for buy strawberries and industry requests.
124 00:10:33,580 --> 00:10:38,830 So there is, you can basically test every bug that you have in mind.
125 00:10:40,900 --> 00:10:47,050 A couple of weeks ago, I decided to take on the internship program, which is public and had more than
126 00:10:47,050 --> 00:10:52,240 1000 reserve grade reports while perusing the application.
127 00:10:52,270 --> 00:10:57,900 I found the request that was being made to a GraphQL endpoint located at website slash
128 00:10:57,910 --> 00:10:58,270 graphql.
129 00:10:59,260 --> 00:11:03,880 The first thing that comes in mind is GraphQL introspection query.
130 00:11:04,330 --> 00:11:09,070 Can they find more methods to test either in the and looked.
131 00:11:10,950 --> 00:11:15,300 So I'm going to give tips as soon as we advance.
132 00:11:16,290 --> 00:11:18,030 I know everyone has.
133 00:11:18,870 --> 00:11:20,400 I myself, I have.
134 00:11:20,670 --> 00:11:29,820 I've had much, much trouble with GraphQL and GraphQL when everyone started to go for it.
135 00:11:30,420 --> 00:11:41,490 So I didn't understand how the syntax works and how should I proceed to be able to construct a good GraphQL
136 00:11:41,510 --> 00:11:45,900 request and how I should, how I should run it.
137 00:11:46,860 --> 00:11:51,390 So there is this Burp extension, which is called.
138 00:11:53,730 --> 00:11:54,930 InQL Scanner.
139 00:11:56,650 --> 00:12:04,120 I guess some people might know about it, some might not know more about it, so you can just get it
140 00:12:04,510 --> 00:12:05,230 from GitHub.
141 00:12:13,410 --> 00:12:14,700 So from the Jim.
142 00:12:16,120 --> 00:12:21,670 And this is an extension that, whatever GraphQL.
143 00:12:22,730 --> 00:12:31,090 Um, link, to you add, in case they work for Fell and don't accept and restrictions is going to be
144 00:12:31,100 --> 00:12:32,540 to you, is karma.
145 00:12:32,810 --> 00:12:38,000 You can just like send it to Repeater and you can just add your cookies.
146 00:12:38,720 --> 00:12:41,780 Let me see if I can get a pretty quick reaction.
147 00:12:45,430 --> 00:12:46,510 Let's see here.
148 00:12:49,640 --> 00:12:50,170 OK.
149 00:12:50,270 --> 00:12:51,560 Let's see what happens.
150 00:12:59,740 --> 00:13:03,610 So as you have seen, this is a GraphQL.
151 00:13:04,980 --> 00:13:07,650 Endpoint like attrition that use such.
152 00:13:08,160 --> 00:13:12,480 And all I had to do is just paste it here and press load.
153 00:13:12,960 --> 00:13:17,490 And so we have the mutation queries that have been built for us.
154 00:13:18,990 --> 00:13:21,840 And also all the queries which have been.
155 00:13:23,690 --> 00:13:28,070 Returned, so you just have to, like, right click, send to Repeater.
156 00:13:28,790 --> 00:13:32,090 And then you just have to start testing.
157 00:13:37,560 --> 00:13:43,640 So this is something that you have to save because it's not included in the slides.
158 00:13:45,120 --> 00:13:52,020 Is this stuff I'm going to just like talk about every time, every time we go forward?
159 00:13:52,950 --> 00:13:54,750 So this is very important.
160 00:13:55,380 --> 00:13:58,240 I myself, I can this GraphQL.
161 00:13:58,440 --> 00:14:06,240 I'm going to point out this extension because it's very hard to construct the requests if you don't
162 00:14:06,240 --> 00:14:08,970 have all the knowledge on it.
163 00:14:11,230 --> 00:14:13,850 I can go the here and.
164 00:14:15,610 --> 00:14:17,230 Well, why does it go back?
165 00:14:20,430 --> 00:14:23,010 So we were here.
166 00:14:24,220 --> 00:14:32,250 So while browsing the application, a request was being made to a GraphQL endpoint located at website slash graphql?
167 00:14:33,420 --> 00:14:37,950 The first thing that comes to mind is GraphQL introspection payload.
168 00:14:39,280 --> 00:14:45,220 Can they find more methods to test the theory right now between the methods invoked?
169 00:14:46,540 --> 00:14:52,600 Let's go forward for a thing, trying introspection query on the brink.
170 00:14:53,230 --> 00:15:03,190 So as I have shown you just like five seconds ago, you can use InQL Scanner on Burp to test
171 00:15:03,190 --> 00:15:04,330 for introspection.
172 00:15:05,730 --> 00:15:09,310 And this one, luckily, was working.
173 00:15:10,500 --> 00:15:15,990 The request was successful, and the server responded with all the available GraphQL methods.
174 00:15:16,620 --> 00:15:19,560 One caught my eyes really fast.
175 00:15:20,250 --> 00:15:27,350 So there was a GraphQL method called Polaris Connect up by Clancy.
176 00:15:28,800 --> 00:15:32,070 And it says in description, This operation is in beta.
177 00:15:33,210 --> 00:15:40,680 This field is currently in beta phase and missions without even notice and a bunch of other information
178 00:15:40,680 --> 00:15:42,210 about the endpoint.
179 00:15:42,420 --> 00:15:43,800 We are going to check.
180 00:15:46,590 --> 00:15:50,670 So take the request as in the previous slide.
181 00:15:51,090 --> 00:15:55,710 The application needs us to set the custom header for the server to process a request.
182 00:15:56,220 --> 00:16:02,500 You can see here ex experimental IP API is visible.
183 00:16:03,870 --> 00:16:05,790 So I just set this header.
184 00:16:06,880 --> 00:16:17,230 On my GraphQL endpoint and you can see here, lest we forget, there is this query, you
185 00:16:17,230 --> 00:16:25,660 have set the header that the server was needing and we just get a 200 OK with some data.
186 00:16:25,660 --> 00:16:33,370 So our request is well constructed, well formed, and we can go forward and start searching
187 00:16:33,370 --> 00:16:36,070 for vulnerabilities in the methods.
188 00:16:39,230 --> 00:16:50,820 So we had this, it says query policies connect up my client e.g. hotel client e.g. authorization as
189 00:16:50,830 --> 00:16:51,290 81.
190 00:16:51,950 --> 00:16:53,210 OK, so.
191 00:16:54,930 --> 00:17:03,950 I have tried some scanning on this, some specific parameter transition command I.G.
192 00:17:04,770 --> 00:17:15,690 And after some time, I can see that SQL injection can lead to something really bad.
193 00:17:17,010 --> 00:17:26,520 So when I tried this blind SQL injection, which basically is to test for the existence of the vulnerability,
194 00:17:27,780 --> 00:17:32,880 if I set the parameter value to or one equal one.
195 00:17:33,210 --> 00:17:37,990 And for example, anything equal anything, I was getting.
196 00:17:38,940 --> 00:17:39,810 It's not.
197 00:17:40,200 --> 00:17:46,980 I was not getting an error because, in fact, there is nothing wrong in my query.
198 00:17:47,790 --> 00:17:48,750 So one.
199 00:17:50,140 --> 00:18:00,730 Equal one, and this equals this, so going forward, in case I change this value of the parameter,
200 00:18:00,760 --> 00:18:09,880 so the payload, or one equal two, if I change one to two, I was getting
201 00:18:09,880 --> 00:18:12,010 this error which says.
202 00:18:13,660 --> 00:18:20,230 Connect applications arrow with the London Sign and Gaze 10 06.
203 00:18:20,620 --> 00:18:25,180 And so it is good that the wait time out.
204 00:18:26,380 --> 00:18:29,320 So this is very suspicious.
205 00:18:29,330 --> 00:18:35,890 So if you have like one equal one, you get no error.
206 00:18:36,070 --> 00:18:38,710 You put one equal two and you start getting errors.
207 00:18:39,160 --> 00:18:43,360 So of course, there might be something that is very fishy.
208 00:18:45,320 --> 00:18:55,010 What I usually do when I suspect that there is an injection with a parameter, after
209 00:18:55,010 --> 00:18:56,330 doing some manual tests.
210 00:18:56,660 --> 00:19:01,100 I just directly import the request to sqlmap.
211 00:19:01,100 --> 00:19:06,950 sqlmap might be a really powerful tool for detecting and scanning SQL injection.
212 00:19:15,710 --> 00:19:16,020 Yes.
213 00:19:17,440 --> 00:19:17,950 Of course.
214 00:19:22,800 --> 00:19:23,120 Sure.
215 00:19:25,110 --> 00:19:31,710 Do you want us to just go forward with the questions, or do you prefer them at the end?
216 00:19:35,840 --> 00:19:36,340 Let's see.
217 00:19:37,190 --> 00:19:47,660 So there is this tool, for Shivam, there is a tool called Atlas. Atlas is a tool which basically takes
218 00:19:49,490 --> 00:19:51,200 SQL injection tamper scripts.
219 00:19:54,370 --> 00:19:58,230 You are going to bypass WAFs like Cloudflare.
220 00:19:58,750 --> 00:20:00,640 So for example, let's see here.
221 00:20:01,050 --> 00:20:03,340 You should take Atlas sqlmap.
222 00:20:10,230 --> 00:20:15,960 So Atlas is a sqlmap tamper suggester, or, you know, for sqlmap.
223 00:20:16,350 --> 00:20:25,230 You have tamper scripts and tamper scripts are, for example, scripts which are going to change some chars
224 00:20:25,230 --> 00:20:28,560 to other chars to bypass the WAFs.
225 00:20:29,160 --> 00:20:39,870 So Atlas is a tool that takes your vulnerable link and it takes sqlmap and it's going to like
226 00:20:40,210 --> 00:20:43,650 find the perfect tamper script for your WAF.
227 00:20:44,490 --> 00:20:49,170 Of course, it doesn't work every time, and sometimes you have to go manually and you have to start
228 00:20:49,170 --> 00:20:57,360 testing it by yourself and trying to find a good bypass for each WAF.
229 00:20:58,410 --> 00:21:04,170 So it might be custom sometimes, but usually this tool works really well for me as.
230 00:21:07,010 --> 00:21:10,520 And so, as I said, for the two --, I'm for the one injection.
231 00:21:10,880 --> 00:21:14,180 So first thing I would try to do is just a messenger.
232 00:21:14,180 --> 00:21:17,090 Could someone think I'm going to try to do is just.
233 00:21:19,160 --> 00:21:19,850 But seeing some.
234 00:21:21,060 --> 00:21:28,320 Some random chars and checking for potential errors or time delay or something that's going to happen.
235 00:21:29,250 --> 00:21:29,730 One.
236 00:21:30,780 --> 00:21:32,700 Yeah, it's a good time to talk about it.
237 00:21:32,700 --> 00:21:39,450 So there is one trick or one thing that worked for me in the past week for an injection.
238 00:21:39,450 --> 00:21:46,270 So I've had a similar request, says like host slash.
239 00:21:46,410 --> 00:21:55,320 For example, let's see script.php id equal test and we had like, for example, a username.
240 00:21:59,430 --> 00:22:00,330 Yeah, that's cool.
241 00:22:02,040 --> 00:22:04,950 You can ask as many questions as you possibly will have time.
242 00:22:05,880 --> 00:22:06,570 Don't be shy.
243 00:22:08,190 --> 00:22:12,390 So I had a website which was doing something like that.
244 00:22:13,140 --> 00:22:20,640 We had host slash script.php with some username equals, and the one trick that worked for
245 00:22:20,640 --> 00:22:24,600 me to detect the SQL injection is in pushing.
246 00:22:26,590 --> 00:22:31,520 This weird character to put the percentage story on this cable.
247 00:22:31,540 --> 00:22:36,670 Yeah, so I just this went.
248 00:22:40,250 --> 00:22:40,820 OK, so.
249 00:22:42,110 --> 00:22:42,390 You.
250 00:22:48,330 --> 00:22:48,840 That's right.
251 00:22:49,480 --> 00:22:49,860 Good.
252 00:22:56,840 --> 00:22:58,490 So this is not even credible.
253 00:22:58,850 --> 00:23:05,810 So this is a char, just like, you know, f and stuff.
254 00:23:05,810 --> 00:23:13,700 So most of the time, applications don't have, if they don't have the proper processing for this kind
255 00:23:13,700 --> 00:23:19,790 of input, it might just like break something and throw an error.
256 00:23:20,420 --> 00:23:20,810 So.
257 00:23:22,870 --> 00:23:32,650 After I put this input here, there was a debug log, which showed me, like, for example, insert id,
258 00:23:32,660 --> 00:23:34,840 insert id equals test.
259 00:23:36,640 --> 00:23:45,100 Username equals something zero, because this char is not valid, but what was interesting is that in
260 00:23:45,100 --> 00:23:52,500 this error, it says, for example, it was something like insert id.
261 00:23:54,290 --> 00:24:02,690 Your username, name, password into a pop up of the values, it says.
262 00:24:06,870 --> 00:24:13,650 It says we have a username, which we don't have, we have here, sorry.
263 00:24:14,660 --> 00:24:21,650 Name, which we don't have in this request, so it was empty, and password, which was empty too.
264 00:24:22,340 --> 00:24:23,930 So it was something like that.
265 00:24:24,350 --> 00:24:32,560 So this didn't trigger the SQL injection, but when I put this char.
266 00:24:32,600 --> 00:24:35,630 It showed me that there were parameters.
267 00:24:35,660 --> 00:24:38,270 The request that our.
268 00:24:40,140 --> 00:24:41,910 ID, username, password.
269 00:24:42,180 --> 00:24:47,910 So I had ID and I had username, but I didn't have name nor password.
270 00:24:48,870 --> 00:24:54,810 So basically this ID parameter was not vulnerable to SQL injection.
271 00:24:55,350 --> 00:24:57,510 I've tried everything and it was not vulnerable.
272 00:24:57,870 --> 00:25:04,770 But after I've seen this parameter here, I was just able to add it.
273 00:25:06,110 --> 00:25:10,280 Here, and this one was vulnerable.
274 00:25:11,910 --> 00:25:17,910 So by throwing, by making an application throw an error log, I've had the opportunity to see other
275 00:25:17,910 --> 00:25:26,310 parameters that are not, that I don't know about, which were indeed vulnerable to SQL injections.
276 00:25:28,170 --> 00:25:34,020 So for Atlas, as we were talking, Atlas here, you can see what it says.
277 00:25:37,380 --> 00:25:44,430 Atlas is an open source tool that can suggest sqlmap tampers to bypass WAF/IPS.
278 00:25:44,850 --> 00:25:50,220 So let me just try to drop in just like for you, baby.
279 00:25:56,590 --> 00:25:58,850 And I buy it here.
280 00:25:58,870 --> 00:25:59,170 Yeah.
281 00:26:00,580 --> 00:26:02,950 So we've had this one undergrads.
282 00:26:05,300 --> 00:26:08,330 InQL Scanner.
283 00:26:13,470 --> 00:26:14,190 But it's.
284 00:26:17,550 --> 00:26:17,850 OK.
285 00:26:18,960 --> 00:26:24,060 So if anyone needs the tools, you can find them on the Slack channel.
286 00:26:26,920 --> 00:26:30,280 So let's see some use cases of Atlas.
287 00:26:32,320 --> 00:26:41,950 Basically, you're going to run the script, python atlas, with the link you suspect is vulnerable
288 00:26:41,950 --> 00:26:52,780 to SQL injection but has a WAF behind, and you put the payload that triggered the WAF to ban you or
289 00:26:52,780 --> 00:26:53,560 give you an error.
290 00:26:53,950 --> 00:27:04,540 So for example, if you were doing website slash id equal, for example, let's say it was this and
291 00:27:04,540 --> 00:27:13,630 you did like, for example, and one equal one at that, though if you had this, so you are going to
292 00:27:13,630 --> 00:27:16,720 use python atlas
293 00:27:20,020 --> 00:27:20,650 Twitter.
294 00:27:21,860 --> 00:27:23,590 That's the link.
295 00:27:24,010 --> 00:27:27,880 So you just saw it, put it here.
296 00:27:29,860 --> 00:27:34,510 And you include a payload that caused the error to trigger.
297 00:27:37,210 --> 00:27:47,830 So this is the payload which got the WAF to ban me, and once Atlas has this payload.
298 00:27:48,040 --> 00:27:49,810 It's going to do mutations.
299 00:27:50,230 --> 00:27:57,890 So he's going to try for other, for example, on the other hand, or, for example, at least some
300 00:27:58,020 --> 00:27:59,590 documents or trying.
301 00:27:59,800 --> 00:28:08,110 And it's going to give you back a response of which tamper script is useful for your WAF.
302 00:28:09,460 --> 00:28:17,080 And later on, once Atlas gives you the proper tamper script to use, you can just go to sqlmap and
303 00:28:17,080 --> 00:28:21,130 do the same, basically, with the tamper parameter.
304 00:28:21,820 --> 00:28:22,660 So let's see here.
305 00:28:23,140 --> 00:28:28,390 For example, you can use POST, you can use GET, you can add headers too if needed.
306 00:28:30,220 --> 00:28:32,770 And, for example, you can see.
307 00:28:34,730 --> 00:28:39,380 Let's see, does everyone see when I zoom like this?
308 00:28:39,800 --> 00:28:40,430 Yeah, I guess.
309 00:28:42,110 --> 00:28:42,440 So.
310 00:28:44,940 --> 00:28:45,320 OK.
311 00:28:46,110 --> 00:28:47,400 So for example, here.
312 00:28:50,180 --> 00:28:56,050 He but we don't buy it unless you're up the bite on the issue.
313 00:28:56,620 --> 00:29:00,160 The website, databases, random agent, OK?
314 00:29:00,520 --> 00:29:03,430 Just the basic as everyone uses.
315 00:29:04,980 --> 00:29:10,740 And Atlas came up with, he got potential permission from the state that access denied.
316 00:29:11,250 --> 00:29:21,870 This means that he doesn't know if the parameter is vulnerable, but he knows that there is a WAF that
317 00:29:21,870 --> 00:29:24,690 is blocking him from going forward.
318 00:29:25,170 --> 00:29:27,390 So what he did is.
319 00:29:28,920 --> 00:29:37,080 Copying the payload that triggered the WAF, so we can see here payload price and photo.
320 00:29:37,500 --> 00:29:39,510 So he did python atlas link.
321 00:29:39,830 --> 00:29:45,600 He put the link, payload, he put the payload and waits for Atlas to give you back.
322 00:29:47,380 --> 00:29:48,880 The tamper script
323 00:29:51,160 --> 00:29:51,640 results.
324 00:29:52,180 --> 00:29:56,280 Atlas is trying with space to make sure history.
325 00:29:56,920 --> 00:30:00,280 OK, this is the payload that it generated.
326 00:30:00,700 --> 00:30:01,930 No, it doesn't work.
327 00:30:01,930 --> 00:30:04,840 It's still 403 with this payload.
328 00:30:05,620 --> 00:30:06,220 And so.
329 00:30:08,810 --> 00:30:11,150 Trying with versionedkeywords tamper.
330 00:30:11,660 --> 00:30:21,780 And this is the payload that Atlas has generated and oops, 200 OK, so this payload worked.
331 00:30:21,860 --> 00:30:25,670 This means that this payload is not blocked by the WAF.
332 00:30:25,820 --> 00:30:27,050 The WAF doesn't catch it.
333 00:30:27,410 --> 00:30:32,630 And so the tamper script we just used is called versionedkeywords.
334 00:30:33,890 --> 00:30:40,640 And at this point, all you have to do is run python sqlmap the website, the same commands you
335 00:30:40,640 --> 00:30:53,470 just run, basically with the parameter tamper and the tamper script Atlas found here, which is
336 00:30:53,480 --> 00:30:55,490 versionedkeywords.
337 00:30:59,030 --> 00:31:01,210 So I hope this makes sense to everyone.
338 00:31:01,520 --> 00:31:09,220 See, for SQL injection behind WAFs and behind growth run on, sorry.
339 00:31:10,520 --> 00:31:13,280 So sometime you will have.
340 00:31:15,380 --> 00:31:18,650 Yeah, sqlmap is a very powerful tool.
341 00:31:19,100 --> 00:31:20,490 I had a document about this.
342 00:31:20,960 --> 00:31:29,330 I have found on a during that bar exam, which was very, very, very, very useful to me.
343 00:31:32,690 --> 00:31:35,090 Let's see if I can find the links we can share with you.
344 00:31:36,040 --> 00:31:40,160 It's it's basically the best resource map I have found. 345 00:31:41,910 --> 00:31:42,240 Yeah. 346 00:31:42,510 --> 00:31:44,160 So I talked about it. 347 00:31:46,030 --> 00:31:47,470 One or two years ago? 348 00:31:48,990 --> 00:31:49,560 This is it. 349 00:31:52,190 --> 00:31:53,750 So every time I have. 350 00:31:55,080 --> 00:32:01,200 Problems came up or I don't understand the function or I need help with astronomer. 351 00:32:02,040 --> 00:32:05,330 I just go back to this obscure map encyclopedia. 352 00:32:05,850 --> 00:32:14,240 It contains basically everything that is needed for you to moisturize astronomer. 353 00:32:14,260 --> 00:32:16,710 So basically everything. 354 00:32:16,740 --> 00:32:23,400 So for example, if we just go and search for Tampa-St., you can see some rejection data. 355 00:32:25,350 --> 00:32:26,850 And you can see here. 356 00:32:28,260 --> 00:32:31,920 But an escaped mob and the Tampa perimeter here. 357 00:32:32,310 --> 00:32:36,740 So this is very, very, very complicated question. 358 00:32:37,590 --> 00:32:45,150 I'm just going to send it to you through Slack so you can have to read it if you like. 359 00:32:45,960 --> 00:32:46,590 Later and. 360 00:32:53,790 --> 00:32:54,180 So. 361 00:32:56,850 --> 00:32:59,910 Yeah, sure, Shivam, this was the first. 362 00:33:01,090 --> 00:33:07,330 Solution to your problem about wolves and close friends and. 363 00:33:08,600 --> 00:33:13,730 Cared for and how to see what's behind it websites. 364 00:33:15,440 --> 00:33:23,120 So the Syrian solution for cases where you have potential is an injection and there is enough that is 365 00:33:23,120 --> 00:33:32,720 behind the blocking you from making the request is you are going to try to find the real IP of the website. 
366 00:33:34,470 --> 00:33:42,630 Finding the real IP of the website is going to make you pass by the cloud forever and so avoid getting 367 00:33:42,630 --> 00:33:46,710 blocked by cloud from to find the IP of a website. 368 00:33:46,710 --> 00:33:55,620 You have multiple multiple people, multiple methods and you have to try all of them to get a real IP 369 00:33:56,090 --> 00:33:56,790 IP website. 370 00:33:57,510 --> 00:34:00,540 Let's talk about the easiest ones first. 371 00:34:01,770 --> 00:34:07,650 Shivam, the easiest worm, the easiest method to get a website's real IP behind them. 372 00:34:08,580 --> 00:34:10,590 Yeah, and I'll see it. 373 00:34:10,590 --> 00:34:15,540 One for proxy is just looking for IP history or internet. 374 00:34:16,530 --> 00:34:20,550 So if you go to IP history, you open a you genius. 375 00:34:22,780 --> 00:34:31,600 And you just type like not know why this website is legit, so it's going to tell you IP history results 376 00:34:31,600 --> 00:34:33,180 for sites. 377 00:34:34,300 --> 00:34:35,800 So this was the IP. 378 00:34:36,010 --> 00:34:42,220 Then on 2014, this became the IP here, later in 2005. 379 00:34:43,630 --> 00:34:45,430 This is a piano and so on. 380 00:34:45,730 --> 00:34:48,370 So for example, if you see this. 381 00:34:49,060 --> 00:34:55,270 And later on, you see in 2014, it was this was owned by Konopka or something. 382 00:34:55,720 --> 00:34:57,010 And you see Cloudflare. 383 00:34:57,190 --> 00:35:02,140 So you you know that this IP was moved to this IP behind Soter. 384 00:35:02,620 --> 00:35:07,960 So you know that this IP, the real IP of the website that is behind called for. 385 00:35:08,200 --> 00:35:13,180 And usually when you connect to the websites directly without passing by the growth where you don't 386 00:35:13,180 --> 00:35:16,950 have any problems anymore with objections and worse. 387 00:35:17,830 --> 00:35:20,440 So this is one of the methods. 
388 00:35:21,990 --> 00:35:24,690 To get the websites, Real AP. 389 00:35:27,400 --> 00:35:36,940 Let's talk about other potential solutions to bypass the works by finding what sites like you can go 390 00:35:36,940 --> 00:35:39,670 for server side request forgeries. 391 00:35:40,180 --> 00:35:42,070 Let's say you have an application. 392 00:35:44,160 --> 00:35:56,730 Which takes, for example, website behind love that comes attached, it says it takes emerged that 393 00:35:56,730 --> 00:35:59,220 BHP link equal. 394 00:35:59,520 --> 00:36:02,100 OK, so you have this, for example. 395 00:36:03,270 --> 00:36:08,790 And this is behind us, and you have to know the you of the website so you can easily do just that. 396 00:36:09,030 --> 00:36:10,860 But the website you own. 397 00:36:13,250 --> 00:36:23,870 And wait for the website to call your external website in case the website is sending its the request 398 00:36:24,230 --> 00:36:26,270 through its real IP. 399 00:36:26,630 --> 00:36:35,570 You are just going to get the real IP of the website just like this and usually web site just make the 400 00:36:35,570 --> 00:36:38,290 request with the real IP. 401 00:36:38,750 --> 00:36:41,780 So, OK, the blog what you can see. 402 00:36:43,560 --> 00:36:49,980 But they don't usually look when they are making external requests to too hard to implement. 403 00:36:50,670 --> 00:36:52,410 So this is something to remember. 404 00:36:52,420 --> 00:37:00,830 You can get real websites by using, for example, server side request forgeries and trying to get Typekit 405 00:37:00,840 --> 00:37:01,650 from your logs. 406 00:37:02,820 --> 00:37:08,790 And let's talk about other again other methods to get the website help you out. 407 00:37:08,790 --> 00:37:16,950 For example, if you go, for example, in JavaScript files, you might end up finding some informations. 408 00:37:17,550 --> 00:37:21,990 You can, for example, go to I send Finder. 
409 00:37:24,620 --> 00:37:27,620 OK, so by fixing by company name. 410 00:37:29,780 --> 00:37:30,170 OK. 411 00:37:31,770 --> 00:37:38,910 I'm not sure which website was it was, yeah, this one. 412 00:37:40,380 --> 00:37:44,430 This is a very handy website. 413 00:37:45,330 --> 00:37:52,920 This is the last year for ABC, for a sense. 414 00:37:54,330 --> 00:38:00,450 You can see here, for example, let's say I put OK, let's say Facebook is behind it was. 415 00:38:02,280 --> 00:38:10,740 OK, I'm just going to what Facebook and this website is going to give me all the IP ranges that Facebook 416 00:38:10,740 --> 00:38:11,370 owns. 417 00:38:12,360 --> 00:38:19,620 So even if, for example, let's say, Facebook was behind Cloudflare, they you have you still have 418 00:38:20,100 --> 00:38:23,000 the declaration of the IP the own. 419 00:38:23,400 --> 00:38:27,810 So all you have to do is just take, for example, each IP range. 420 00:38:29,550 --> 00:38:40,860 And Musk can using a map or else you love and find the application you were hiking on inside the appearance, 421 00:38:40,860 --> 00:38:42,430 you are chicken. 422 00:38:43,470 --> 00:38:45,270 So I hope this one makes sense. 423 00:38:45,660 --> 00:38:48,810 Shivam, do you have any other question before we continue forward? 424 00:38:59,770 --> 00:39:01,540 Seems like she fell asleep. 425 00:39:03,080 --> 00:39:03,960 No, he didn't. 426 00:39:05,490 --> 00:39:08,540 Okay, so let's see, um. 427 00:39:09,620 --> 00:39:15,110 Do you feel as if we permitted just some specific one, a first for? 428 00:39:15,650 --> 00:39:22,860 I can't see that a fist for every parameter because you might get those and just like being lazy to 429 00:39:22,870 --> 00:39:24,470 to notice anything you click on. 430 00:39:25,070 --> 00:39:33,980 So I think this moment of transitions when I find the need to, for example, if I see um. 
431 00:39:34,100 --> 00:39:46,160 So just with the time it's it begins being more easy to to know where to find the the good parameters, 432 00:39:46,160 --> 00:39:46,760 for example. 433 00:39:47,060 --> 00:39:53,420 But for example, if I have a barometer that says website, for example. 434 00:39:55,120 --> 00:39:59,050 It's equal for seven, let's say, this one. 435 00:39:59,230 --> 00:39:59,560 OK. 436 00:40:00,640 --> 00:40:11,380 And you come and your input, for example, is significant and the applications their issue needs integer. 437 00:40:13,510 --> 00:40:21,550 OK, so the application is clearly telling you that this is not going to pass through the functionality 438 00:40:21,940 --> 00:40:27,430 because we need an integer and not anything else than a number. 439 00:40:28,000 --> 00:40:38,010 So it's not worth spending at just four, in my opinion, it's not worth spending time trying to to 440 00:40:38,020 --> 00:40:44,020 inject something that tells me, Oops, what I need is a number, not what we put. 441 00:40:45,890 --> 00:40:47,420 So I hope this makes sense. 442 00:40:48,110 --> 00:40:57,950 And so, you know, how to how to choose the parameters and also so forwards to adapt to it, for example, 443 00:40:57,950 --> 00:41:00,080 let's say that you have. 444 00:41:02,340 --> 00:41:09,470 Websites that lets see username equal, let's say, for example, this and it gets you reflected in, 445 00:41:09,480 --> 00:41:14,070 for example, for example, a. 446 00:41:16,800 --> 00:41:17,410 Starchy. 447 00:41:17,670 --> 00:41:26,910 OK, so you can clearly see that this barometer username is not getting processed by the backend, just 448 00:41:26,910 --> 00:41:32,040 getting reflected on the page, on the H.M. page, on the dome. 449 00:41:33,000 --> 00:41:39,750 So it's not worth injecting here because there's nothing that is actually processed by the by either 450 00:41:39,750 --> 00:41:40,740 the database. 
451 00:41:42,290 --> 00:41:46,250 So just skip this kind of cases to to to save time. 452 00:41:47,810 --> 00:41:51,800 How this make sense forward, have I answered your quiz? 453 00:41:56,600 --> 00:41:56,960 OK. 454 00:41:59,180 --> 00:42:04,520 Anyone has questions because before we go forward on those projections topics. 455 00:42:12,800 --> 00:42:15,380 OK, so I guess we can go forward. 456 00:42:20,180 --> 00:42:20,540 OK. 457 00:42:21,140 --> 00:42:24,170 So when do you stop on the perimeter and say it's not for? 458 00:42:25,400 --> 00:42:37,010 So at first before even trying to to to go in depth into it or trying to to to hack into a perimeter 459 00:42:37,010 --> 00:42:45,290 first injection, I should have some signs, but tell me, man, this perimeter is really fishy, you 460 00:42:45,290 --> 00:42:45,530 know? 461 00:42:46,130 --> 00:42:48,080 So this one is really fishy. 462 00:42:48,080 --> 00:42:58,580 I have to get this feeling after doing some tests is, for example, at some point I don't find any 463 00:42:58,580 --> 00:43:04,520 way to confirm my statements, but this parameter is vulnerable. 464 00:43:05,150 --> 00:43:10,460 I'm just going to save the the request to my legs. 465 00:43:10,880 --> 00:43:18,920 And maybe, you know, two, three, four, five months later, five months later, in case I get better 466 00:43:18,920 --> 00:43:24,680 at a second injection, I can visit again this request and try to exploit it again. 467 00:43:26,820 --> 00:43:35,490 So it is good having a fixed five where you just see the request and throwing up and functionality you 468 00:43:35,790 --> 00:43:40,650 were not able to to test today, you were not able to hack today. 
469 00:43:41,010 --> 00:43:48,270 And just coming back to them five months later, six months later, when you feel like you are ready 470 00:43:48,270 --> 00:43:56,400 to take it again and you are ready to stick with other perspectives because you have learned much between 471 00:43:56,400 --> 00:43:57,540 this time. 472 00:44:03,320 --> 00:44:07,610 Usually you just followed up against my answer. 473 00:44:08,240 --> 00:44:11,960 Usually if I can't find any. 474 00:44:14,280 --> 00:44:22,420 Confirmation that if biometrics were never an estimate, which is, of course, better than me assuming 475 00:44:22,440 --> 00:44:29,520 injections because this crime is committed in Australia, there is means that it is not even able to 476 00:44:29,880 --> 00:44:33,810 and I can't find a way to to to to confirm. 477 00:44:34,260 --> 00:44:37,200 I'm just going to stop here to not waste much time. 478 00:44:38,100 --> 00:44:40,500 So they don't she's not about. 479 00:44:41,950 --> 00:44:49,090 The best big you found, so everyone that joins backbone, of course, there is the need to hike the 480 00:44:49,090 --> 00:44:54,580 result of two hugging and the love to trying to break to breach stuff. 481 00:44:55,000 --> 00:44:57,970 But we all love money. 482 00:45:01,310 --> 00:45:05,090 So, but really, they are looking for bonuses, too. 483 00:45:05,660 --> 00:45:09,530 So if you end up spending too much time on. 484 00:45:10,660 --> 00:45:13,000 It's a barometer of that is. 485 00:45:14,230 --> 00:45:20,770 For example, not 100 percent, but no, you're just going to waste money because every second that 486 00:45:20,770 --> 00:45:21,220 passed. 487 00:45:22,350 --> 00:45:26,460 State, you invested time, but you didn't get anything out of. 488 00:45:28,250 --> 00:45:30,140 Out of it, so just focus. 489 00:45:30,680 --> 00:45:37,490 Focus on the thing that you are sure our venerable and try to exploit them till you can provide a good 490 00:45:37,490 --> 00:45:38,420 performance at. 
491 00:45:41,740 --> 00:45:41,970 You. 492 00:45:47,480 --> 00:45:54,170 You, Safwat says, what about the Dum Dum Dum Dum tool, Jeff Barton's? 493 00:45:55,340 --> 00:45:57,800 I decided to vote for funding, yes, transitions. 494 00:45:58,610 --> 00:46:04,100 So I guess forward, I guess this are stories for people who go for automation. 495 00:46:05,540 --> 00:46:08,210 This is not something that I do on my own. 496 00:46:08,450 --> 00:46:09,150 I don't use. 497 00:46:10,670 --> 00:46:14,440 I love Dum Dum Dum Stool is a great brother. 498 00:46:14,720 --> 00:46:21,180 And he he he added up so much value and backbone and U.S. and history. 499 00:46:21,980 --> 00:46:23,180 But I don't use this word. 500 00:46:25,130 --> 00:46:27,470 So I can't give much. 501 00:46:28,550 --> 00:46:31,010 Informations about it, so. 502 00:46:33,810 --> 00:46:40,750 I there says, what are the most common characters the triggers are for you by 16 points per injection, 503 00:46:41,200 --> 00:46:42,340 like you had mentioned? 504 00:46:43,150 --> 00:46:44,120 Are there any more? 505 00:46:44,140 --> 00:46:45,580 Yeah, there is more. 506 00:46:46,660 --> 00:46:54,310 So basically everything that is not printable by the application triggers arose every time for me. 507 00:46:54,820 --> 00:46:56,290 Let's talk about a issue. 508 00:46:56,740 --> 00:46:57,310 So I have. 509 00:46:57,760 --> 00:47:02,380 So there is, for example, this one we talked about. 510 00:47:02,830 --> 00:47:05,590 There's also this one that usually. 511 00:47:07,240 --> 00:47:08,500 Returns errors. 512 00:47:09,960 --> 00:47:18,660 You have also in your bite that sometimes you turn around, you have just trying to to to to insert 513 00:47:18,660 --> 00:47:19,560 some random. 514 00:47:20,830 --> 00:47:28,930 Factors into a barometer, so for example, if a website, if the Obameter takes only, for example, 515 00:47:28,930 --> 00:47:30,760 numbers and you put this. 
516 00:47:32,990 --> 00:47:38,290 If it's not 100 on the background, it's just going to throw some debug log, which might be helpful. 517 00:47:39,250 --> 00:47:41,530 And there is a couple more, for example, we should go to. 518 00:47:42,040 --> 00:47:44,050 Let's see if we could. 519 00:47:47,440 --> 00:47:55,390 You have these websites with which takes any doctor you want and turns it into. 520 00:47:57,150 --> 00:47:57,990 Into any goods. 521 00:47:58,020 --> 00:47:58,890 So, for example. 522 00:48:00,930 --> 00:48:01,350 So. 523 00:48:03,300 --> 00:48:12,480 For example, this kind of practice sometime triggered it for me, which helped me explore it more and 524 00:48:12,480 --> 00:48:13,140 more in depth. 525 00:48:13,500 --> 00:48:19,350 My big bone she targets so. 526 00:48:19,800 --> 00:48:20,970 Yeah, yeah. 527 00:48:23,360 --> 00:48:29,660 So you can this this one and entry from today on Troy, watching them when you are trying. 528 00:48:31,520 --> 00:48:38,990 Oh, there is something I should also tell you about that I was about to to forget, so thanks, I'll 529 00:48:38,990 --> 00:48:40,010 be there for the question. 530 00:48:41,720 --> 00:48:50,810 And there's another thing that might trigger errors and the backlogs that might help you, for example, 531 00:48:50,810 --> 00:48:56,780 if you have this website and the promoter IG sometimes. 532 00:48:58,130 --> 00:49:01,700 Adding The brackets here are going to cause. 533 00:49:03,190 --> 00:49:04,700 The application was through. 534 00:49:05,410 --> 00:49:15,490 And if this happens because this is not released, so it is normally a single object, but you are going 535 00:49:15,490 --> 00:49:22,300 to input a list which is not supported by the, I can say is going through an error. 536 00:49:22,340 --> 00:49:31,180 So you have along with this one and other characters that you might find everything that is not pretty 537 00:49:31,180 --> 00:49:34,380 but on is read for the application. 
538 00:49:34,420 --> 00:49:39,790 Can you just keep pushing also adding up brackets just before? 539 00:49:43,100 --> 00:49:51,750 Just before interest, and so this happens more often than you think you're got really more often that 540 00:49:51,770 --> 00:49:55,580 you think sometime when. 541 00:49:56,730 --> 00:50:06,060 Doing some backbone to this or hiking your mind, for example, need a single path to a bus? 542 00:50:07,020 --> 00:50:08,160 Full disclosure. 543 00:50:09,690 --> 00:50:15,480 A full disclosure of the server, so, for example, where is the server located at, for example? 544 00:50:15,480 --> 00:50:15,890 Let's see. 545 00:50:17,140 --> 00:50:18,670 That's OK. 546 00:50:18,810 --> 00:50:19,380 Let's see. 547 00:50:19,380 --> 00:50:20,010 It's here. 548 00:50:20,550 --> 00:50:23,790 So just pushing. 549 00:50:23,880 --> 00:50:24,630 You should really. 550 00:50:27,190 --> 00:50:36,460 So if so, just in pushing this, you're going through some holes which are going to lead you to just 551 00:50:37,720 --> 00:50:38,170 get. 552 00:50:39,510 --> 00:50:47,230 Some the burglars that might help you with our expectations, such as credit ABC. 553 00:50:48,470 --> 00:50:50,760 And although we know which is. 554 00:50:52,820 --> 00:50:59,990 So one thing I forgot to tell you about a scale map is that we actually map you can also and gives you 555 00:50:59,990 --> 00:51:01,780 a very successful transaction. 556 00:51:03,140 --> 00:51:05,000 The user is the administrator. 557 00:51:05,330 --> 00:51:08,900 You can use a skill map to escalate the bank. 558 00:51:09,410 --> 00:51:17,420 So not I don't know if everyone is aware of it here, but this map has some parameters like I read. 559 00:51:19,330 --> 00:51:32,320 For example, if but if I read that is that password in case the username gave the user that is the 560 00:51:32,360 --> 00:51:40,440 database is administrator, if you input this to a school map as the. 
561 00:51:42,140 --> 00:51:49,110 You stood strong and you put this is going to try to read the local file. 562 00:51:50,250 --> 00:52:00,630 Buzzwords so you have more and more common words like I'm always and others, which you can see on the 563 00:52:00,820 --> 00:52:03,570 astronomy lingo sound like. 564 00:52:06,000 --> 00:52:11,060 So for what is it going to taste, one promoter for different burgers like this is this is just for 565 00:52:11,070 --> 00:52:11,340 you. 566 00:52:11,550 --> 00:52:12,360 And if it's true. 567 00:52:12,810 --> 00:52:18,740 Yeah, of course, every promoter can be vulnerable to any kind of ability. 568 00:52:19,710 --> 00:52:22,020 So you have to test for everything. 569 00:52:22,800 --> 00:52:30,300 What are you finding the need to just have don't have just to stop on one parameter and see, I'm done. 570 00:52:30,750 --> 00:52:33,480 No, you have to test for everything except this. 571 00:52:33,540 --> 00:52:34,290 You have something. 572 00:52:37,530 --> 00:52:43,050 So coming forward is everyone, you have more question before we go. 573 00:52:50,000 --> 00:52:50,660 I guess. 574 00:52:53,010 --> 00:52:53,640 Welcome. 575 00:52:54,540 --> 00:52:55,230 My pleasure. 576 00:52:57,980 --> 00:52:59,630 So I guess we can go forward. 577 00:53:02,050 --> 00:53:04,840 Let's see where we were. 578 00:53:08,820 --> 00:53:12,570 We were exactly here. 579 00:53:12,870 --> 00:53:13,190 OK. 580 00:53:13,740 --> 00:53:15,540 OK, so you were here. 581 00:53:17,870 --> 00:53:23,420 And we've had the error that triggered us to to launch a school map. 582 00:53:23,900 --> 00:53:35,520 And so if you have like lost data using a school mapper but data or delete method, don't just copy 583 00:53:35,870 --> 00:53:42,680 copy the link and other matters, just save the request to testify. 584 00:53:42,830 --> 00:53:47,080 An important user of a barometer, an astronomer. 585 00:53:48,150 --> 00:53:51,900 So you have to have the records to checks in plaintext. 
586 00:53:52,920 --> 00:53:54,930 And you can import it was pretty up easily. 587 00:53:56,220 --> 00:53:59,580 This makes it really timesaving for everyone. 588 00:54:02,550 --> 00:54:04,000 So you get to experiment. 589 00:54:05,430 --> 00:54:15,590 Give me access to other databases to to to databases which contains like informations about the tables 590 00:54:15,600 --> 00:54:19,800 and columns, and I was able to retrieve data too. 591 00:54:20,760 --> 00:54:24,930 So this is a simple case with experts. 592 00:54:27,850 --> 00:54:33,310 Take away, Luke, for a second injections everywhere, even in healthcare, as more people look for 593 00:54:33,610 --> 00:54:40,720 the addiction is pitiable, parameters go beyond it, so have it in mind. 594 00:54:41,560 --> 00:54:47,740 This was from injections and here there is this first injection in professional on points. 595 00:54:48,160 --> 00:54:57,040 This first two injections in the full path of the website to test, you have to test for it everywhere 596 00:54:57,040 --> 00:54:58,300 you feel the need to. 597 00:55:01,330 --> 00:55:06,790 Import the the questions came up when confirming system placements, it should be cheap to dump other 598 00:55:06,790 --> 00:55:12,580 bases on Trump, like, if so not to dump but released and don't dump any other BS. 599 00:55:13,240 --> 00:55:15,010 Champagnie program blows it. 600 00:55:16,050 --> 00:55:20,500 OK, so we have some labs we're going to do. 601 00:55:21,850 --> 00:55:24,070 Is everyone ready for the labs? 602 00:55:24,580 --> 00:55:26,110 We have actually. 603 00:55:27,580 --> 00:55:30,850 I guess see here. 604 00:55:35,140 --> 00:55:39,500 We have around one, one hour and a half to go before the next. 605 00:55:41,340 --> 00:55:45,450 Before the first break, right, because I'm not very good with standing stuff. 606 00:55:47,140 --> 00:55:48,700 So we can start doing. 607 00:55:49,810 --> 00:55:54,100 The labs rescue transactions, so. 
608 00:55:55,700 --> 00:56:03,650 You all have the website should be tests BHP that where would that come? 609 00:56:06,170 --> 00:56:11,240 I'm going to give you 10 minutes to spot the screen injections. 610 00:56:13,440 --> 00:56:13,800 OK. 611 00:56:21,050 --> 00:56:26,690 You have your hiking set up set can try to to get it. 612 00:56:39,430 --> 00:56:40,120 Do you hear me? 613 00:56:44,670 --> 00:56:46,410 OK, so everyone is on edge. 614 00:56:47,640 --> 00:56:50,250 OK, so try to split the screen injection. 615 00:56:51,250 --> 00:56:53,170 On this level. 616 00:56:54,190 --> 00:57:03,310 And the first one to solve it in the next 10 minutes will have to to show his screen and show us how 617 00:57:03,310 --> 00:57:05,260 he approaches the target. 618 00:57:06,160 --> 00:57:12,220 And so he can command all together and get more ships around this. 619 00:57:17,670 --> 00:57:25,680 Please, if everyone is trying to inject to find this fuel injection, please reply yes in the newsroom. 620 00:57:25,830 --> 00:57:30,360 So I know everyone is connected and doesn't have phones connections. 621 00:57:32,480 --> 00:57:36,260 Okay, thank you for your responses, very appreciated. 622 00:57:40,960 --> 00:57:44,160 So, first man, give give your friends some time. 623 00:58:24,580 --> 00:58:28,450 Let me take my camera for one minute and try to fix one thing. 624 00:58:33,140 --> 00:58:36,680 And you also continue trying to find those transition. 625 00:58:49,110 --> 00:58:49,830 Okay, nice. 626 00:58:54,010 --> 00:58:55,590 Give me one minute for the video. 627 00:58:55,990 --> 00:58:58,270 Give time to the other to try to find it. 628 00:59:01,650 --> 00:59:03,060 So everyone wants to hear me. 629 00:59:03,780 --> 00:59:04,840 I'm fixing one thing. 630 00:59:04,860 --> 00:59:05,670 Give me some time. 631 1:01:14.360 --> 1:01:18.200 So does anyone need more time to try to find it? 632 1:01:19.260 --> 1:01:20.100 Nine, Survivor. 
633 1:01:21.130 --> 1:01:22.720 So what nice name a nice. 634 1:01:30.310 --> 1:01:31.060 Alejandro. 635 1:01:32.610 --> 1:01:33.390 You get it. 636 1:01:35.090 --> 1:01:35.390 Is. 637 1:01:36.490 --> 1:01:36.940 Nice. 638 1:01:38.890 --> 1:01:40.570 Umi Mishra, did you get it? 639 1:01:53.350 --> 1:01:54.340 Lewis, can you hear me? 640 1:01:55.680 --> 1:01:56.430 You got it to. 641 1:02:00.790 --> 1:02:01.490 Dramatic. 642 1:02:02.470 --> 1:02:02.920 OK, you. 643 1:02:04.910 --> 1:02:05.400 OK. 644 1:02:06.940 --> 1:02:11.950 OK, so who wants to go Sherry screen and show us what higit? 645 1:02:20.520 --> 1:02:24.720 Who's down to show his screen and show us what he found? 646 1:02:26.880 --> 1:02:29.250 And then we can go forward together. 647 1:02:39.230 --> 1:02:41.210 Now you do want to show restraint. 648 1:02:50.650 --> 1:02:51.770 Yes, sure, no problem. 649 1:02:51.790 --> 1:02:54.550 You can go on, you can write on, it takes some. 650 1:02:56.950 --> 1:02:57.760 When it takes not. 651 1:03:03.870 --> 1:03:06.450 How do I give you short screen? 652 1:03:11.790 --> 1:03:13.740 Let me see how I do. 653 1:03:25.740 --> 1:03:26.700 I'm not sure if. 654 1:03:28.020 --> 1:03:32.100 You should you should show from your side, I guess. 655 1:03:33.740 --> 1:03:34.280 OK. 656 1:03:35.240 --> 1:03:35.400 Hmm. 657 1:03:35.930 --> 1:03:38.990 It's pretty easy you should have a show screen. 658 1:03:42.820 --> 1:03:44.680 You should have your show screen option. 659 1:04:00.840 --> 1:04:06.210 There is two people in the WHO is GB and everyone. 660 1:04:06.450 --> 1:04:07.290 I'm not sure. 661 1:04:25.000 --> 1:04:25.600 You see. 662 1:04:28.400 --> 1:04:29.020 OK. 663 1:04:30.110 --> 1:04:31.430 So I'm not sure how we. 664 1:04:33.310 --> 1:04:34.210 Activated. 665 1:04:38.870 --> 1:04:40.220 She's from here. 666 1:04:41.820 --> 1:04:42.240 You know. 667 1:04:48.350 --> 1:04:52.340 Do we have anyone from from Twitter.com to you? 668 1:04:52.790 --> 1:04:53.390 Yeah, OK. 
669 1:04:53.540 --> 1:04:54.380 Let's do it like this. 670 1:04:54.860 --> 1:04:56.140 You can share the link. 671 1:04:56.150 --> 1:04:58.610 Everyone shares his link and his solution. 672 1:05:01.270 --> 1:05:01.960 In the chat. 673 1:05:10.640 --> 1:05:11.150 OK. 674 1:05:12.970 --> 1:05:13.460 Okay. 675 1:05:27.050 --> 1:05:28.670 Let's go and see 676 1:05:31.280 --> 1:05:32.930 what's up here. 677 1:05:34.720 --> 1:05:37.630 U.S., do you need me to look into anything here? 678 1:05:38.620 --> 1:05:40.960 Yeah, I wanted to try to. 679 1:05:41.260 --> 1:05:43.540 How do I allow people to show their screens? 680 1:05:44.470 --> 1:05:52.900 OK, so I think you can go to the participant section and click on more when you there's a more option 681 1:05:52.900 --> 1:05:54.970 and when you were over, there means. 682 1:05:55.720 --> 1:05:56.800 And I think. 683 1:05:58.400 --> 1:06:00.500 Can allow them. 684 1:06:01.510 --> 1:06:03.890 OK, so it's good, someone. 685 1:06:05.360 --> 1:06:10.210 I'm not sure which which of you guys in the abraded, but it's good news. 686 1:06:12.640 --> 1:06:13.060 It's good. 687 1:06:26.000 --> 1:06:27.680 Not sure what's happening here. 688 1:06:30.970 --> 1:06:34.630 It's someone hugged me, my connection is not working. 689 1:06:37.880 --> 1:06:39.140 Yeah, I do have internet. 690 1:06:49.990 --> 1:06:51.880 We see lights up here. 691 1:07:05.760 --> 1:07:06.360 Q So. 692 1:07:07.500 --> 1:07:08.550 Tim Burton from. 693 1:07:19.000 --> 1:07:21.880 So we have this here. 694 1:07:33.100 --> 1:07:33.850 Yes, Peter. 695 1:07:36.390 --> 1:07:36.650 Yeah. 696 1:07:37.860 --> 1:07:43.950 So, yeah, everyone obviously got it so pretty easy to just. 697 1:07:46.710 --> 1:07:47.520 But this one. 698 1:07:49.130 --> 1:07:51.770 Just by pushing a single. 699 1:07:53.290 --> 1:07:56.950 Could you can see those transition and you can start to see for it? 700 1:08:00.340 --> 1:08:01.090 There's just one. 
701 1:08:02.130 --> 1:08:05.460 You can see a video at what I was talking about. 702 1:08:07.500 --> 1:08:10.050 So this is the week I was talking about. 703 1:08:13.320 --> 1:08:16.230 Area, so giving this. 704 1:08:18.050 --> 1:08:22.190 He's going to throw under Sing US to Bruce was brilliant. 705 1:08:22.550 --> 1:08:29.510 Even so, this can give us more tips and tricks preaching what we are trying to exploit. 706 1:08:32.620 --> 1:08:42.670 So I didn't this on this parameter before, though before we started, but luckily it's working so you 707 1:08:42.670 --> 1:08:43.870 can see a live example. 708 1:08:47.770 --> 1:08:49.840 Thank you for showing this. 709 1:08:50.190 --> 1:08:52.060 The four neighboring districts. 710 1:08:53.990 --> 1:08:58.160 There is two people in the waiting room and the choice you should accept them. 711 1:09:04.060 --> 1:09:05.760 OK, so let's go. 712 1:09:06.370 --> 1:09:10.120 We can have more labs coming later on. 713 1:09:10.780 --> 1:09:17.830 Let's just take the next steps and see what you have and what you should do. 714 1:09:20.040 --> 1:09:24.420 So now we are going to check for exactly. 715 1:09:25.510 --> 1:09:30.370 Also known as external anti-cheat injection. 716 1:09:32.300 --> 1:09:40.220 Before we start this module, this and you want to have questions about everything that we've talked 717 1:09:40.220 --> 1:09:40.670 about. 718 1:09:46.170 --> 1:09:49.260 The anything I should develop more for you. 719 1:09:58.300 --> 1:09:59.120 Man, yeah. 720 1:09:59.150 --> 1:10:01.870 Neil Askew injections are everywhere. 721 1:10:03.690 --> 1:10:09.690 As conditions are still very, very common, but it's just not. 722 1:10:10.890 --> 1:10:13.670 As indisputable as it was in the past. 723 1:10:17.120 --> 1:10:19.270 So just take the chips I give you. 724 1:10:20.690 --> 1:10:27.940 And start testing these chips, and hopefully you can start getting some good results. 725 1:10:30.240 --> 1:10:30.990 You have to. 
726 1:10:35.050 --> 1:10:36.940 Alejandro, is there anything? 727 1:10:38.190 --> 1:10:39.960 You want to ask before you go forward. 728 1:10:40.420 --> 1:10:40.800 Be done. 729 1:10:44.700 --> 1:10:48.350 Lezion, yeah, go on one more. 730 1:10:48.860 --> 1:10:51.700 You know, this fuel injection. 731 1:10:51.780 --> 1:10:53.490 What are your feelings about it? 732 1:10:55.460 --> 1:10:56.600 Sorry, I didn't get you. 733 1:10:59.870 --> 1:11:00.260 Yes. 734 1:11:01.340 --> 1:11:02.540 I didn't hear. 735 1:11:05.140 --> 1:11:08.980 Know no fuel injection, what do you experience about the. 736 1:11:11.150 --> 1:11:20.360 So extra injections, just like extra injection, though, also come on and MongoDB, so you know, 737 1:11:20.720 --> 1:11:24.620 it's two injections, mostly on MongoDB also. 738 1:11:25.550 --> 1:11:32.960 Nowadays, most of the databases you will find are MongoDB and you will find a little the rescue here. 739 1:11:34.090 --> 1:11:37.330 And as for injections on MongoDB? 740 1:11:38.600 --> 1:11:40.640 Is also command, so. 741 1:11:42.290 --> 1:11:42.710 So. 742 1:11:44.190 --> 1:11:49.170 When you have, for example, there is a really good website. 743 1:11:50.430 --> 1:11:51.810 Let's see here. 744 1:11:53.520 --> 1:11:54.420 Yes, working on. 745 1:11:58.620 --> 1:11:59.040 So. 746 1:12:01.410 --> 1:12:08.250 Here you can find many, many, many payloads you can import into merchant reader when you have to. 747 1:12:09.350 --> 1:12:10.370 To make with this. 748 1:12:11.060 --> 1:12:11.990 So, for example. 749 1:12:14.920 --> 1:12:23.980 If you just see one of them to a text file, for example, myself I've made, let's see if freezing 750 1:12:25.600 --> 1:12:30.190 folder where I have like my custom payload. 751 1:12:30.730 --> 1:12:39.010 I have developed and some payloads I have seen in the wilds and own resources. 752 1:12:39.580 --> 1:12:42.760 So for example, if you choose, I'm not sure. 
753 1:12:44.480 --> 1:12:48.620 So at the top of the situation, I have a bunch.
754 1:12:49.650 --> 1:12:51.150 Of payloads.
755 1:12:51.570 --> 1:12:56.730 I'm just going to mass test if I find something that's fishy.
756 1:12:56.820 --> 1:12:58.270 Using Burp Suite Intruder.
757 1:12:58.650 --> 1:13:01.710 So I recommend you to do the same as transitions.
758 1:13:02.990 --> 1:13:14.510 And with service, eye surgery on local institutions, and all this might help you much, the new backbone
759 1:13:14.510 --> 1:13:15.250 she journey.
760 1:13:15.800 --> 1:13:19.790 So with NoSQL injection, it's common.
761 1:13:20.270 --> 1:13:29.060 But it's not that easy to spot because with NoSQL injections, you don't have many errors that show.
762 1:13:29.840 --> 1:13:34.810 So it's mostly about authentication bypass.
763 1:13:35.660 --> 1:13:39.260 So for example, when you you, you can see here for.
764 1:13:41.800 --> 1:13:45.730 For bypassing the authentication methods.
765 1:13:46.210 --> 1:13:48.190 So if you want to, for example.
766 1:13:51.100 --> 1:13:52.420 Sometime on.
767 1:13:53.920 --> 1:14:04.380 So you have two cases on the MongoDB, been in business transactions, for example, under this equal,
768 1:14:04.450 --> 1:14:07.390 this value and bust an equal one.
769 1:14:08.020 --> 1:14:12.340 This is this might bypass the authentication methods.
770 1:14:13.030 --> 1:14:20.260 So it's hard to find, it's not easier to find, but it's worth putting time.
771 1:14:20.680 --> 1:14:26.560 But one thing you should know is that when you in case you are trying these payloads, for example,
772 1:14:27.070 --> 1:14:34.630 on a database that is not MongoDB on the backend, you'd be just wasting your time.
773 1:14:35.650 --> 1:14:36.960 Just a waste of time.
774 1:14:37.030 --> 1:14:43.210 You might be trying payloads and payloads and payloads and just end up getting nothing out
775 1:14:43.210 --> 1:14:53.460 of it because just the database is MySQL, or it's another database that is not MongoDB.
776 1:14:55.650 --> 1:15:04.740 So it'd be good to what I recommend is having, for example, two or three entries from each its gel
777 1:15:05.550 --> 1:15:06.450 injection method.
778 1:15:06.900 --> 1:15:13.830 So you can check here you get your injection, you take two or three payloads that might trigger errors
779 1:15:13.830 --> 1:15:14.160 like.
780 1:15:16.660 --> 1:15:24.910 Like, on a scale, this is the payload that my three don't ever just take a bunch of out to a bunch
781 1:15:24.910 --> 1:15:27.610 of payloads, throw them into.
782 1:15:28.950 --> 1:15:35.450 At least and start spreading it into a custom parameter.
783 1:15:35.490 --> 1:15:41.460 If you find anything that's fishy and from this point of view, you might have more information about
784 1:15:41.940 --> 1:15:50.010 if a permit is reasonable or not and you'll do you, you will know which databases are on the back end
785 1:15:50.760 --> 1:15:54.000 based on the response you get from your scans.
786 1:16:08.460 --> 1:16:09.920 Did they respond, you agree?
787 1:16:11.850 --> 1:16:15.020 Did they think you like come?
788 1:16:19.770 --> 1:16:22.920 So I'm just going to post this thing to.
789 1:16:34.790 --> 1:16:45.440 OK, so it seems like if anyone wants to build a custom list later on for his payloads can just take
790 1:16:45.440 --> 1:16:48.320 a bunch of payloads from there and go on.
791 1:16:50.870 --> 1:16:52.940 So we're going to start with the second.
