1
00:00:00,480 --> 00:00:02,790
But they're going to start with desperation.
2
00:00:05,270 --> 00:00:13,040
For every bug, we're going to have a little definition and we start right away.
3
00:00:13,360 --> 00:00:14,750
This is not a beginner.
4
00:00:17,170 --> 00:00:24,520
workshop. So SQL injection: a SQL injection consists of insertion or injection of a SQL query
5
00:00:25,150 --> 00:00:28,450
via the input data from the client to the application.
6
00:00:29,170 --> 00:00:33,220
In fact, SQL injection has always been one of the most used attacks, ever.
7
00:00:33,730 --> 00:00:36,940
So I guess everyone knows about this challenge.
8
00:00:36,940 --> 00:00:41,470
SQL injections are like
9
00:00:42,520 --> 00:00:50,860
one of the top three most used for breaches in hacking, and also, like, the most critical
10
00:00:50,860 --> 00:00:55,150
you can get, because with a SQL injection, you can do many, many, many, many things.
11
00:00:56,530 --> 00:01:03,190
So first, with this kind of injection, you can retrieve data from the database, with SQL injections.
12
00:01:03,190 --> 00:01:09,760
You can inject data into the database with an injection, and you might end up having a remote code
13
00:01:09,760 --> 00:01:14,560
execution if the user is database administrator.
14
00:01:14,920 --> 00:01:16,150
So with SQL injection,
15
00:01:16,150 --> 00:01:23,600
there are many things to be done, but how do you find injections easily?
16
00:01:23,690 --> 00:01:31,420
No, I won't say easy, but, like, the good ways, the ways I use, the places that people don't usually
17
00:01:31,420 --> 00:01:31,990
explore.
18
00:01:36,560 --> 00:01:37,820
So let's go.
19
00:01:39,610 --> 00:01:41,710
How to test for SQL injections.
20
00:01:41,830 --> 00:01:44,470
There are multiple ways of testing for SQL injections.
21
00:01:44,950 --> 00:01:50,110
One of the most known is a single quote in parameters that you put in.
22
00:01:50,110 --> 00:01:51,700
Look for errors in the webpage.
23
00:01:52,240 --> 00:01:53,530
Everyone knows this technique.
24
00:01:53,530 --> 00:01:54,540
You just come.
25
00:01:54,550 --> 00:02:00,760
You put a single quote and you wait for a SQL injection error and you're good, but it doesn't happen
26
00:02:00,760 --> 00:02:01,630
Always like this.
27
00:02:01,990 --> 00:02:04,930
So you have many different types of SQL injections.
28
00:02:04,930 --> 00:02:10,900
You have blind SQL injections, you have Boolean-based injections, you have no major injections.
29
00:02:11,320 --> 00:02:15,280
So it doesn't just work like, I'm going to put a single quote and wait for it.
30
00:02:15,600 --> 00:02:18,990
And especially in bug bounty, where the bug bounty
31
00:02:19,810 --> 00:02:27,190
field is a field where people are hitting on targets days and days after this.
32
00:02:27,640 --> 00:02:33,640
So you're never going to end up testing a website that no one has hit on before.
33
00:02:34,300 --> 00:02:43,120
You should suspect that in case there was a SQL injection with a simple single quote, someone should
34
00:02:43,120 --> 00:02:45,910
have found it like way before you.
35
00:02:46,180 --> 00:02:55,090
It's possible that I've never had this luck to just come on the website, try to do my bug bounty session
36
00:02:55,570 --> 00:02:56,920
and just put the quotation mark.
37
00:02:56,920 --> 00:02:58,340
And yeah, I was doing it.
38
00:02:58,690 --> 00:02:59,620
It doesn't work like that.
39
00:03:00,380 --> 00:03:07,840
So there are many different characters you can use to test for SQL injections.
40
00:03:09,130 --> 00:03:15,970
We talked about a single quote, but you can also try to inject some weird chars into the inputs.
41
00:03:16,480 --> 00:03:24,160
So, for example, double quotes, you have this MacDonald thing, you have this char.
42
00:03:24,160 --> 00:03:30,430
You're going to try to inject and see if there is any error in the end, in the backend, that gets activated.
43
00:03:31,570 --> 00:03:32,370
That's good for them.
44
00:03:32,400 --> 00:03:32,770
Check.
45
00:03:33,970 --> 00:03:41,080
Later, as we said, SQL injections can be found everywhere. Once you test for SQL injections in GET
46
00:03:41,080 --> 00:03:43,870
and custom parameters sent by the application.
47
00:03:44,170 --> 00:03:50,860
But not only. You have SQL injections in headers such as Accept-Language, which you might get surprised by.
48
00:03:51,310 --> 00:03:52,240
So funny.
49
00:03:52,840 --> 00:03:54,370
But it happened.
50
00:03:54,370 --> 00:04:01,780
Like, let's say, two weeks ago I was testing a website, and I have this website and I'm checking on requests
51
00:04:02,260 --> 00:04:09,340
and I've seen an Accept-Language parameter that is getting set, like, on every request I do to the web application.
52
00:04:10,760 --> 00:04:17,000
So it's not, like, typical to just see an application that is going to just set Accept-Language,
53
00:04:17,020 --> 00:04:23,150
so I went forward and took the Accept-Language from the header that the website was setting
54
00:04:23,150 --> 00:04:28,010
for me, and I put it in my request and I tried to play with it a bit.
55
00:04:28,370 --> 00:04:33,110
And after some tries I ended up finally getting an injection on this header.
56
00:04:33,410 --> 00:04:41,540
So this is, like, the most uncommon thing you can find: an injection in an Accept-Language header.
57
00:04:43,130 --> 00:04:50,540
You also have to test for SQL injections on, I don't know, authentication forms, but not only.
58
00:04:50,540 --> 00:04:57,560
You have to test for SQL injection on path-based inputs, such as, for example, when you have an API,
59
00:04:57,560 --> 00:05:05,420
such as /users/<id>. You just have to assume that the ID is getting, like, passed to the DB.
60
00:05:07,280 --> 00:05:12,830
You have to assume that it might be vulnerable, so you can just try to inject in the path.
61
00:05:13,220 --> 00:05:15,620
So let's say that you have, for example.
62
00:05:18,490 --> 00:05:20,750
That's to say that you have, for example.
63
00:05:22,630 --> 00:05:23,800
How to respond.
64
00:05:24,400 --> 00:05:24,700
Yeah.
65
00:05:26,690 --> 00:05:36,980
If you have, such as, /users/1, for example, just try to inject here, you know, so
66
00:05:37,340 --> 00:05:45,860
just like you would do for, like, parameter equals value, you're just going to test like that, and double
67
00:05:45,860 --> 00:05:48,260
quote, and start testing it manually.
68
00:05:48,560 --> 00:05:53,420
You just have to do the same focus for the database.
69
00:05:53,960 --> 00:05:57,520
So this is something that many people do.
70
00:05:57,530 --> 00:06:01,700
People just assume it exists in parameters.
71
00:06:01,740 --> 00:06:07,220
No, you have to test for everything that you can think about that is going to get passed to database.
72
00:06:09,750 --> 00:06:10,380
Let's see.
73
00:06:12,230 --> 00:06:13,790
Yes, sorry, we are here.
74
00:06:16,260 --> 00:06:21,630
OK, so let's see some real world example reports.
75
00:06:23,100 --> 00:06:27,150
Case 1: blind SQL injection via the language parameter.
76
00:06:27,450 --> 00:06:33,000
So I was testing a web application for a program on HackerOne.
77
00:06:34,050 --> 00:06:39,030
Upon visiting one subdomain, I looked at my history and I found this request being made.
78
00:06:41,640 --> 00:06:51,390
So this POST request is something that you typically see every day, just a POST to log in with
79
00:06:51,420 --> 00:06:54,060
the language parameter being set here.
80
00:06:55,370 --> 00:07:03,850
And aanmelden, which means, like, login, I guess, in Dutch. And so I saw the value, which
81
00:07:03,860 --> 00:07:10,400
is being set by the application; the first thing to try is to put a single quote from within
82
00:07:10,400 --> 00:07:10,970
the request.
83
00:07:11,540 --> 00:07:13,690
But as I said, this never.
84
00:07:14,210 --> 00:07:16,010
Like almost never works.
85
00:07:16,460 --> 00:07:19,400
So sadly, this led to nothing.
86
00:07:20,000 --> 00:07:28,340
After further investigation, I found out that the language code parameter that is here was vulnerable
87
00:07:28,340 --> 00:07:30,200
to blind SQL injection.
88
00:07:32,230 --> 00:07:40,690
So by putting this payload in the vulnerable parameter, it requests the application to delay the response
89
00:07:40,690 --> 00:07:41,830
time by nine seconds.
90
00:07:43,000 --> 00:07:49,960
So there are some SQL injection payloads you can find, like, on GitHub.
91
00:07:49,960 --> 00:07:54,580
You can find them on Burp's default wordlists.
92
00:07:54,940 --> 00:08:02,020
So you have, like, a ton of SQL injection payloads, and if you suspect that an input is
93
00:08:02,020 --> 00:08:09,280
vulnerable, you can just, like, import the parameters with the payloads to Intruder and just
94
00:08:09,730 --> 00:08:12,280
run them against the input.
95
00:08:13,090 --> 00:08:18,310
And you can even, like, do everything you need, so you can check the response time.
96
00:08:18,310 --> 00:08:23,020
How much time did the response take to respond to this?
97
00:08:23,020 --> 00:08:28,720
For blind SQL injection, you can see the web page content after sending the request.
98
00:08:28,720 --> 00:08:32,560
So these are very handy tools to have.
99
00:08:35,360 --> 00:08:43,460
So we don't look only for SQL injection via single quotes; we also search for blind
100
00:08:43,670 --> 00:08:44,870
injection as well.
101
00:08:45,740 --> 00:08:49,170
These are more widespread and less detected by other hackers.
102
00:08:49,190 --> 00:08:50,330
So this is a report.
103
00:08:51,490 --> 00:09:00,220
As I said, it's a blind SQL injection where we can set any time delay and the application was
104
00:09:00,340 --> 00:09:04,990
delaying the response by the time we set.
105
00:09:08,020 --> 00:09:08,650
Case 2.
106
00:09:10,330 --> 00:09:11,650
If anyone has questions.
107
00:09:12,980 --> 00:09:19,490
Throughout the course, please just dump them into the chat and I can answer them.
108
00:09:21,600 --> 00:09:22,890
Just checking if everyone.
109
00:09:24,340 --> 00:09:25,360
Everyone is following.
110
00:09:26,380 --> 00:09:27,370
Is my connection
111
00:09:28,780 --> 00:09:29,410
good for you?
112
00:09:32,220 --> 00:09:32,880
So can.
113
00:09:34,530 --> 00:09:35,190
Okay, all right.
114
00:09:36,220 --> 00:09:36,610
Thank you.
115
00:09:39,230 --> 00:09:45,340
So, two: Boolean-based blind SQL injection via GraphQL parameter.
116
00:09:46,400 --> 00:09:47,390
So everyone.
117
00:09:48,730 --> 00:09:53,890
You know, GraphQL has been implemented.
118
00:09:54,550 --> 00:10:02,320
You can see in the last couple of, last three or four years, I've seen many websites starting to adopt
119
00:10:02,320 --> 00:10:05,590
GraphQL, which is kind of
120
00:10:07,660 --> 00:10:17,110
endpoints for us, for hackers, where we can get schemas and try to retrieve data from it, but
121
00:10:17,110 --> 00:10:21,790
not only. People always go for, like, IDORs on GraphQL requests.
122
00:10:22,270 --> 00:10:26,710
But you can test for any type of bug. You can test for SQL injections.
123
00:10:27,130 --> 00:10:33,070
You can test for remote code execution, so you can test for everything in GraphQL requests.
124
00:10:33,580 --> 00:10:38,830
So you can basically test every bug that you have in mind.
125
00:10:40,900 --> 00:10:47,050
A couple of weeks ago, I decided to take on the internship program, which is public and had more than
126
00:10:47,050 --> 00:10:52,240
1000 resolved reports. While browsing the application,
127
00:10:52,270 --> 00:10:57,900
I found a request that was being made to a GraphQL endpoint located at website slash
128
00:10:57,910 --> 00:10:58,270
graphql.
129
00:10:59,260 --> 00:11:03,880
The first thing that comes to mind is GraphQL introspection payload.
130
00:11:04,330 --> 00:11:09,070
Can I find more methods to test, either in the queries or the mutations?
131
00:11:10,950 --> 00:11:15,300
So I'm going to give tips as soon as we advance.
132
00:11:16,290 --> 00:11:18,030
I know everyone has.
133
00:11:18,870 --> 00:11:20,400
I myself, I have.
134
00:11:20,670 --> 00:11:29,820
I've had much, much trouble with GraphQL and GraphQL queries when everyone started to go for it.
135
00:11:30,420 --> 00:11:41,490
So I didn't understand how the syntax works and how I should proceed to be able to construct a good GraphQL
136
00:11:41,510 --> 00:11:45,900
request and how I should run it.
137
00:11:46,860 --> 00:11:51,390
So there is this Burp extension, which is called
138
00:11:53,730 --> 00:11:54,930
InQL Scanner.
139
00:11:56,650 --> 00:12:04,120
I guess some people might know about it, some might not know more about it, so you can just get it
140
00:12:04,510 --> 00:12:05,230
from GitHub.
141
00:12:13,410 --> 00:12:14,700
So from GitHub.
142
00:12:16,120 --> 00:12:21,670
And this is an extension that, whatever GraphQL
143
00:12:22,730 --> 00:12:31,090
link you add, in case it works for it and doesn't have restrictions, is going to be
144
00:12:31,100 --> 00:12:32,540
given to you as a schema.
145
00:12:32,810 --> 00:12:38,000
You can just, like, send it to Repeater and you can just add your cookies.
146
00:12:38,720 --> 00:12:41,780
Let me see if I can get a pretty quick reaction.
147
00:12:45,430 --> 00:12:46,510
Let's see here.
148
00:12:49,640 --> 00:12:50,170
OK.
149
00:12:50,270 --> 00:12:51,560
Let's see what happens.
150
00:12:59,740 --> 00:13:03,610
So as you have seen, this is a GraphQL
151
00:13:04,980 --> 00:13:07,650
endpoint that I use, as such.
152
00:13:08,160 --> 00:13:12,480
And all I had to do is just paste it here and press Load.
153
00:13:12,960 --> 00:13:17,490
And so we have the mutation queries that have been built for us.
154
00:13:18,990 --> 00:13:21,840
And also all the queries which have been
155
00:13:23,690 --> 00:13:28,070
returned, so you just have to, like, right click, send to Repeater.
156
00:13:28,790 --> 00:13:32,090
And you just have to start testing.
157
00:13:37,560 --> 00:13:43,640
So this is something that you have to save because it's not included in the slides.
158
00:13:45,120 --> 00:13:52,020
This is stuff I'm going to, like, talk about every time we go forward.
159
00:13:52,950 --> 00:13:54,750
So this is very important.
160
00:13:55,380 --> 00:13:58,240
I myself, with GraphQL,
161
00:13:58,440 --> 00:14:06,240
I'm going to point out this extension because it's very hard to construct the requests if you don't
162
00:14:06,240 --> 00:14:08,970
have all the knowledge on it.
163
00:14:11,230 --> 00:14:13,850
I can go the here and.
164
00:14:15,610 --> 00:14:17,230
Well, why does it go back?
165
00:14:20,430 --> 00:14:23,010
So we were here.
166
00:14:24,220 --> 00:14:32,250
So while browsing the application, I found a request that was being made to a GraphQL endpoint located at website slash graphql.
167
00:14:33,420 --> 00:14:37,950
The first thing that comes to mind is GraphQL introspection payload.
168
00:14:39,280 --> 00:14:45,220
Can I find more methods to test the query right now between the methods invoked?
169
00:14:46,540 --> 00:14:52,600
Let's go forward. First thing: trying the introspection query on the endpoint.
170
00:14:53,230 --> 00:15:03,190
So as I have shown you just, like, five seconds ago, you can use InQL Scanner on Burp to test
171
00:15:03,190 --> 00:15:04,330
for introspection.
172
00:15:05,730 --> 00:15:09,310
And this one, luckily, was working.
173
00:15:10,500 --> 00:15:15,990
The request was successful, and the server responded with all the available GraphQL methods.
174
00:15:16,620 --> 00:15:19,560
One caught my eye really fast.
175
00:15:20,250 --> 00:15:27,350
So there was this GraphQL method called Polaris Connect App By Client.
176
00:15:28,800 --> 00:15:32,070
And it says in description, This operation is in beta.
177
00:15:33,210 --> 00:15:40,680
This field is currently in beta phase and might change without even notice, and a bunch of other information
178
00:15:40,680 --> 00:15:42,210
about the endpoint.
179
00:15:42,420 --> 00:15:43,800
We are going to check.
180
00:15:46,590 --> 00:15:50,670
So to construct the request, as shown in the previous slide,
181
00:15:51,090 --> 00:15:55,710
the application needs us to set a custom header for the server to process the request.
182
00:15:56,220 --> 00:16:02,500
You can see here X-Experimental-API is visible.
183
00:16:03,870 --> 00:16:05,790
So I just set this header
184
00:16:06,880 --> 00:16:17,230
on my GraphQL endpoint and you can see here, let's see, there is this query. You
185
00:16:17,230 --> 00:16:25,660
have set the header that the server was needing and we just get a 200 OK with some data.
186
00:16:25,660 --> 00:16:33,370
So our request is well constructed, well formed, and we can go forward and start searching
187
00:16:33,370 --> 00:16:36,070
for vulnerabilities in the methods.
188
00:16:39,230 --> 00:16:50,820
So we had this. It says query Polaris Connect App By Client, client ID, hotel client ID, authorization as
189
00:16:50,830 --> 00:16:51,290
81.
190
00:16:51,950 --> 00:16:53,210
OK, so.
191
00:16:54,930 --> 00:17:03,950
I have tried some scanning on this, some specific parameter injection on client ID.
192
00:17:04,770 --> 00:17:15,690
And after some time, I can see that this injection, SQL injection, can lead to something really bad.
193
00:17:17,010 --> 00:17:26,520
So when I tried this blind SQL injection, which basically is to test for the existence of the vulnerability,
194
00:17:27,780 --> 00:17:32,880
if I set the parameter value to or 1 equals 1,
195
00:17:33,210 --> 00:17:37,990
and, for example, anything equals anything, I was getting
196
00:17:38,940 --> 00:17:39,810
It's not.
197
00:17:40,200 --> 00:17:46,980
I was not getting an error because, in fact, there is nothing that is wrong in my query.
198
00:17:47,790 --> 00:17:48,750
So one.
199
00:17:50,140 --> 00:18:00,730
equals one, and this equals this. So going forward, in case I change this value of the parameter,
200
00:18:00,760 --> 00:18:09,880
so the injection, the payload, for example, or 1 equals 2, if I change one to two, I was getting
201
00:18:09,880 --> 00:18:12,010
this error which says
202
00:18:13,660 --> 00:18:20,230
Connect applications arrow with the London Sign and Gaze 10 06.
203
00:18:20,620 --> 00:18:25,180
And so it is good, the wait timed out.
204
00:18:26,380 --> 00:18:29,320
So this is very suspicious.
205
00:18:29,330 --> 00:18:35,890
So if you have like one equal one, you get no error.
206
00:18:36,070 --> 00:18:38,710
You put 1 equals 2 and you start getting errors.
207
00:18:39,160 --> 00:18:43,360
So of course, there might be something that is very fishy.
208
00:18:45,320 --> 00:18:55,010
What I usually do when I suspect that there is an injection in a parameter, after
209
00:18:55,010 --> 00:18:56,330
doing some manual tests.
210
00:18:56,660 --> 00:19:01,100
I just directly import the request to sqlmap.
211
00:19:01,100 --> 00:19:06,950
My suggestion: sqlmap is a really powerful tool for detecting and scanning SQL injection.
212
00:19:15,710 --> 00:19:16,020
Yes.
213
00:19:17,440 --> 00:19:17,950
Of course.
214
00:19:22,800 --> 00:19:23,120
Sure.
215
00:19:25,110 --> 00:19:31,710
Do you want us to just go forward with the questions, or do you prefer them at the end?
216
00:19:35,840 --> 00:19:36,340
Let's see.
217
00:19:37,190 --> 00:19:47,660
So there is this tool, for Shivam: there is a tool called Atlas. Atlas is a tool which basically takes
218
00:19:49,490 --> 00:19:51,200
SQL injection tamper scripts.
219
00:19:54,370 --> 00:19:58,230
You are going to bypass WAFs like Cloudflare.
220
00:19:58,750 --> 00:20:00,640
So for example, let's see here.
221
00:20:01,050 --> 00:20:03,340
You should take Atlas for sqlmap.
222
00:20:10,230 --> 00:20:15,960
So Atlas is a tamper suggester for, you know, sqlmap.
223
00:20:16,350 --> 00:20:25,230
You have tamper scripts, and tamper scripts are, for example, scripts which are going to change some chars
224
00:20:25,230 --> 00:20:28,560
to other chars to bypass the WAFs.
225
00:20:29,160 --> 00:20:39,870
So Atlas is a tool that takes your vulnerable link and it takes sqlmap and it's going to, like,
226
00:20:40,210 --> 00:20:43,650
find the perfect tamper script for your WAF.
227
00:20:44,490 --> 00:20:49,170
Of course, it doesn't work every time, and sometimes you have to go manually and you have to start
228
00:20:49,170 --> 00:20:57,360
testing it by yourself and trying to find a good bypass for each WAF.
229
00:20:58,410 --> 00:21:04,170
So it might be custom sometimes, but usually this tool works really well for me.
230
00:21:07,010 --> 00:21:10,520
And so, as I said, for the... for the SQL injection.
231
00:21:10,880 --> 00:21:14,180
So the first thing I would try to do is just a manual check.
232
00:21:14,180 --> 00:21:17,090
The second thing I'm going to try to do is just
233
00:21:19,160 --> 00:21:19,850
pushing some,
234
00:21:21,060 --> 00:21:28,320
some random chars and checking for potential errors or time delays or something that's going to happen.
235
00:21:29,250 --> 00:21:29,730
One.
236
00:21:30,780 --> 00:21:32,700
Yeah, it's a good time to talk about it.
237
00:21:32,700 --> 00:21:39,450
So there is one trick, or one thing, that worked for me in the past week for SQL injection.
238
00:21:39,450 --> 00:21:46,270
So I've had a similar request, let's say, like, host slash,
239
00:21:46,410 --> 00:21:55,320
for example, let's say script.php?id=test, and we had, like, for example, a username.
240
00:21:59,430 --> 00:22:00,330
Yeah, that's cool.
241
00:22:02,040 --> 00:22:04,950
You can ask as many questions as you want; we will have time.
242
00:22:05,880 --> 00:22:06,570
Don't be shy.
243
00:22:08,190 --> 00:22:12,390
So I had the website which was doing something like that.
244
00:22:13,140 --> 00:22:20,640
We had host slash script.php?id=something&username=..., and the one trick that worked for
245
00:22:20,640 --> 00:22:24,600
me to detect a SQL injection is in pushing
246
00:22:26,590 --> 00:22:31,520
this weird character: you put the percent sign on this.
247
00:22:31,540 --> 00:22:36,670
Yeah, so I just this went.
248
00:22:40,250 --> 00:22:40,820
OK, so.
249
00:22:42,110 --> 00:22:42,390
You.
250
00:22:48,330 --> 00:22:48,840
That's right.
251
00:22:49,480 --> 00:22:49,860
Good.
252
00:22:56,840 --> 00:22:58,490
So this is not even credible.
253
00:22:58,850 --> 00:23:05,810
So this is a char, just like, you know, f and stuff.
254
00:23:05,810 --> 00:23:13,700
So most of the time applications don't have, if they don't have the proper processing for this kind
255
00:23:13,700 --> 00:23:19,790
of input, it might just, like, break something and throw an error.
256
00:23:20,420 --> 00:23:20,810
So.
257
00:23:22,870 --> 00:23:32,650
After I put this input here, there was a debug log, which showed me, like, for example, INSERT id,
258
00:23:32,660 --> 00:23:34,840
insert id equals test,
259
00:23:36,640 --> 00:23:45,100
username equals something, zero, because this char is not valid. But what was interesting is that in
260
00:23:45,100 --> 00:23:52,500
this error, it says, for example, it was something like INSERT id,
261
00:23:54,290 --> 00:24:02,690
username, name, password INTO a table VALUES, it says.
262
00:24:06,870 --> 00:24:13,650
It says we have a username, which we don't have... we have here, sorry.
263
00:24:14,660 --> 00:24:21,650
Name, which we don't have in this request, so it was empty, and password, which was empty too.
264
00:24:22,340 --> 00:24:23,930
So it was something like that.
265
00:24:24,350 --> 00:24:32,560
So this didn't trigger the SQL injection, but when I put this char,
266
00:24:32,600 --> 00:24:35,630
it showed me that there were parameters
267
00:24:35,660 --> 00:24:38,270
in the request that are:
268
00:24:40,140 --> 00:24:41,910
ID, username, password.
269
00:24:42,180 --> 00:24:47,910
So I had ID and I had username, but I didn't have name nor password.
270
00:24:48,870 --> 00:24:54,810
So basically this ID parameter was not vulnerable to SQL injection.
271
00:24:55,350 --> 00:24:57,510
I've tried everything and it was not vulnerable.
272
00:24:57,870 --> 00:25:04,770
But after I've seen this parameter here, I was just able to add it
273
00:25:06,110 --> 00:25:10,280
here, and this one was vulnerable.
274
00:25:11,910 --> 00:25:17,910
So by making the application throw an error log, I've had the opportunity to see other
275
00:25:17,910 --> 00:25:26,310
parameters that I didn't know about, which were indeed vulnerable to SQL injection.
276
00:25:28,170 --> 00:25:34,020
So for Atlas, as we were talking about Atlas here, you can see what it says.
277
00:25:37,380 --> 00:25:44,430
Atlas is an open source tool that can suggest sqlmap tampers to bypass WAF/IDS/IPS.
278
00:25:44,850 --> 00:25:50,220
So let me just try to drop it in, just like, for you, maybe.
279
00:25:56,590 --> 00:25:58,850
And I put it here.
280
00:25:58,870 --> 00:25:59,170
Yeah.
281
00:26:00,580 --> 00:26:02,950
So we had this one on GitHub,
282
00:26:05,300 --> 00:26:08,330
InQL Scanner.
283
00:26:13,470 --> 00:26:14,190
But it's.
284
00:26:17,550 --> 00:26:17,850
OK.
285
00:26:18,960 --> 00:26:24,060
So if anyone needs the tools, you can find them on the Slack channel.
286
00:26:26,920 --> 00:26:30,280
So let's see some use cases of Atlas.
287
00:26:32,320 --> 00:26:41,950
Basically, you're going to run the script, python atlas, with the link you suspect is vulnerable
288
00:26:41,950 --> 00:26:52,780
to SQL injection but has a WAF behind, and you put the payload that triggered the WAF to ban you or
289
00:26:52,780 --> 00:26:53,560
give you an error.
290
00:26:53,950 --> 00:27:04,540
So for example, if you were doing website/?id=, for example, let's say it was this, and
291
00:27:04,540 --> 00:27:13,630
you did, like, for example, and 1 equals 1 at that, though. If you had this, so you are going to
292
00:27:13,630 --> 00:27:16,720
use python atlas
293
00:27:20,020 --> 00:27:20,650
Twitter.
294
00:27:21,860 --> 00:27:23,590
That's the link.
295
00:27:24,010 --> 00:27:27,880
So you just saw it, put it here.
296
00:27:29,860 --> 00:27:34,510
And you include a payload that caused the error to trigger.
297
00:27:37,210 --> 00:27:47,830
So this is the payload which got the WAF to ban me, and once Atlas has this payload,
298
00:27:48,040 --> 00:27:49,810
it's going to do mutations.
299
00:27:50,230 --> 00:27:57,890
So it's going to try others, for example, on the other hand, or, for example, at least some
300
00:27:58,020 --> 00:27:59,590
documents or trying.
301
00:27:59,800 --> 00:28:08,110
And it's going to give you back a response of which tamper script is useful for your WAF.
302
00:28:09,460 --> 00:28:17,080
And later on, once Atlas gives you the proper tamper script to use, you can just go to sqlmap and
303
00:28:17,080 --> 00:28:21,130
do the dump, basically, with the tamper parameter.
304
00:28:21,820 --> 00:28:22,660
So let's see here.
305
00:28:23,140 --> 00:28:28,390
For example, you can use POST, you can use GET, you can add headers too if needed.
306
00:28:30,220 --> 00:28:32,770
And, for example, you can see.
307
00:28:34,730 --> 00:28:39,380
Let's see, does everyone see when I zoom like this?
308
00:28:39,800 --> 00:28:40,430
Yeah, I guess.
309
00:28:42,110 --> 00:28:42,440
So.
310
00:28:44,940 --> 00:28:45,320
OK.
311
00:28:46,110 --> 00:28:47,400
So for example, here.
312
00:28:50,180 --> 00:28:56,050
Here, he put python atlas.py with the URL,
313
00:28:56,620 --> 00:29:00,160
the website, the DBMS, random agent, OK?
314
00:29:00,520 --> 00:29:03,430
Just the basic as everyone uses.
315
00:29:04,980 --> 00:29:10,740
And Atlas came up with, he got a potential WAF from the status that says access denied.
316
00:29:11,250 --> 00:29:21,870
This means that it doesn't know if the parameter is vulnerable, but it knows that there is a WAF that
317
00:29:21,870 --> 00:29:24,690
is blocking it from going forward.
318
00:29:25,170 --> 00:29:27,390
So what he did is
319
00:29:28,920 --> 00:29:37,080
copying the payload that triggered the WAF, so we can see here payload price and photo.
320
00:29:37,500 --> 00:29:39,510
So he did python atlas, link.
321
00:29:39,830 --> 00:29:45,600
He put the link, he put the payload, and waited for Atlas to give back
322
00:29:47,380 --> 00:29:48,880
the tamper script
323
00:29:51,160 --> 00:29:51,640
results.
324
00:29:52,180 --> 00:29:56,280
Atlas is trying with space to make sure history.
325
00:29:56,920 --> 00:30:00,280
OK, this is the payload that it generated.
326
00:30:00,700 --> 00:30:01,930
No, it doesn't work.
327
00:30:01,930 --> 00:30:04,840
It's still 403 with this payload.
328
00:30:05,620 --> 00:30:06,220
And so.
329
00:30:08,810 --> 00:30:11,150
Trying with the versionedkeywords tamper.
330
00:30:11,660 --> 00:30:21,780
And this is the payload that Atlas has generated and oops, 200, OK, so this payload worked.
331
00:30:21,860 --> 00:30:25,670
This means that this payload is not blocked by the WAF.
332
00:30:25,820 --> 00:30:27,050
The WAF doesn't catch it.
333
00:30:27,410 --> 00:30:32,630
And so the tamper script we just used is called versionedkeywords.
334
00:30:33,890 --> 00:30:40,640
And at this point, all you have to do is run python sqlmap, the website, the same commands you
335
00:30:40,640 --> 00:30:53,470
just ran, basically, with the tamper parameter and the tamper script Atlas found here, which is
336
00:30:53,480 --> 00:30:55,490
versionedkeywords.
337
00:30:59,030 --> 00:31:01,210
So I hope this makes sense to everyone.
338
00:31:01,520 --> 00:31:09,220
So, for SQL injection behind WAFs and behind GraphQL. Run on, sorry.
339
00:31:10,520 --> 00:31:13,280
So sometime you will have.
340
00:31:15,380 --> 00:31:18,650
Yeah, sqlmap is a very powerful tool.
341
00:31:19,100 --> 00:31:20,490
I had a document about this.
342
00:31:20,960 --> 00:31:29,330
I have found it on, during that bar exam, which was very, very, very, very useful to me.
343
00:31:32,690 --> 00:31:35,090
Let's see if I can find the links we can share with you.
344
00:31:36,040 --> 00:31:40,160
It's basically the best sqlmap resource I have found.
345
00:31:41,910 --> 00:31:42,240
Yeah.
346
00:31:42,510 --> 00:31:44,160
So I talked about it.
347
00:31:46,030 --> 00:31:47,470
One or two years ago?
348
00:31:48,990 --> 00:31:49,560
This is it.
349
00:31:52,190 --> 00:31:53,750
So every time I have.
350
00:31:55,080 --> 00:32:01,200
problems come up or I don't understand a function or I need help with sqlmap,
351
00:32:02,040 --> 00:32:05,330
I just go back to this sqlmap encyclopedia.
352
00:32:05,850 --> 00:32:14,240
It contains basically everything that is needed for you to master sqlmap.
353
00:32:14,260 --> 00:32:16,710
So basically everything.
354
00:32:16,740 --> 00:32:23,400
So for example, if we just go and search for tamper, you can see some injection data.
355
00:32:25,350 --> 00:32:26,850
And you can see here.
356
00:32:28,260 --> 00:32:31,920
python sqlmap and the tamper parameter here.
357
00:32:32,310 --> 00:32:36,740
So this is very, very, very complicated question.
358
00:32:37,590 --> 00:32:45,150
I'm just going to send it to you through Slack so you can read it if you like,
359
00:32:45,960 --> 00:32:46,590
Later and.
360
00:32:53,790 --> 00:32:54,180
So.
361
00:32:56,850 --> 00:32:59,910
Yeah, sure, Shivam, this was the first.
362
00:33:01,090 --> 00:33:07,330
solution to your problem about WAFs and Cloudflare and
363
00:33:08,600 --> 00:33:13,730
Cloudflare and how to see what's behind these websites.
364
00:33:15,440 --> 00:33:23,120
So the second solution for cases where you have a potential SQL injection and there is a WAF that is
365
00:33:23,120 --> 00:33:32,720
blocking you from making the request is: you are going to try to find the real IP of the website.
366
00:33:34,470 --> 00:33:42,630
Finding the real IP of the website is going to let you bypass Cloudflare and so avoid getting
367
00:33:42,630 --> 00:33:46,710
blocked by Cloudflare. To find the IP of a website,
368
00:33:46,710 --> 00:33:55,620
you have multiple methods and you have to try all of them to get the real
369
00:33:56,090 --> 00:33:56,790
IP of the website.
370
00:33:57,510 --> 00:34:00,540
Let's talk about the easiest ones first.
371
00:34:01,770 --> 00:34:07,650
Shivam, the easiest one, the easiest method to get a website's real IP behind the WAF.
372
00:34:08,580 --> 00:34:10,590
Yeah, and I'll see it.
373
00:34:10,590 --> 00:34:15,540
or proxy is just looking for IP history on the internet.
374
00:34:16,530 --> 00:34:20,550
So if you go to IP history, you open a you genius.
375
00:34:22,780 --> 00:34:31,600
And you just type like not know why this website is legit, so it's going to tell you IP history results
376
00:34:31,600 --> 00:34:33,180
for sites.
377
00:34:34,300 --> 00:34:35,800
So this was the IP.
378
00:34:36,010 --> 00:34:42,220
Then in 2014, this became the IP here, later in 2005.
379
00:34:43,630 --> 00:34:45,430
This is the IP and so on.
380
00:34:45,730 --> 00:34:48,370
So for example, if you see this.
381
00:34:49,060 --> 00:34:55,270
And later on, you see in 2014, it was owned by Konopka or something.
382
00:34:55,720 --> 00:34:57,010
And you see Cloudflare.
383
00:34:57,190 --> 00:35:02,140
So you know that this IP was moved to this IP behind Cloudflare.
384
00:35:02,620 --> 00:35:07,960
So you know that this IP is the real IP of the website that is behind Cloudflare.
385
00:35:08,200 --> 00:35:13,180
And usually when you connect to the websites directly without passing by Cloudflare, you don't
386
00:35:13,180 --> 00:35:16,950
have any problems anymore with injections and WAFs.
387
00:35:17,830 --> 00:35:20,440
So this is one of the methods.
388
00:35:21,990 --> 00:35:24,690
to get the website's real IP.
389
00:35:27,400 --> 00:35:36,940
Let's talk about other potential solutions to bypass the WAF by finding what's behind it. Like, you can go
390
00:35:36,940 --> 00:35:39,670
for server side request forgeries.
391
00:35:40,180 --> 00:35:42,070
Let's say you have an application.
392
00:35:44,160 --> 00:35:56,730
which takes, for example, a website behind Cloudflare, let's say it takes a parameter like
393
00:35:56,730 --> 00:35:59,220
image.php?link=.
394
00:35:59,520 --> 00:36:02,100
OK, so you have this, for example.
395
00:36:03,270 --> 00:36:08,790
And this is behind a WAF, and you have to know the IP of the website, so you can easily do just that:
396
00:36:09,030 --> 00:36:10,860
put the website you own
397
00:36:13,250 --> 00:36:23,870
and wait for the website to call your external website. In case the website is sending the request
398
00:36:24,230 --> 00:36:26,270
through its real IP.
399
00:36:26,630 --> 00:36:35,570
you are just going to get the real IP of the website just like this, and usually websites just make the
400
00:36:35,570 --> 00:36:38,290
request with the real IP.
401
00:36:38,750 --> 00:36:41,780
So, OK, the logs, what you can see.
402
00:36:43,560 --> 00:36:49,980
But they don't usually look when they are making external requests to too hard to implement.
403
00:36:50,670 --> 00:36:52,410
So this is something to remember.
404
00:36:52,420 --> 00:37:00,830
You can get the real IP of websites by using, for example, server side request forgeries and trying to get the IP
405
00:37:00,840 --> 00:37:01,650
from your logs.
406
00:37:02,820 --> 00:37:08,790
And let's talk about other methods to get the website's real IP.
407
00:37:08,790 --> 00:37:16,950
For example, if you go, for example, in JavaScript files, you might end up finding some information.
408
00:37:17,550 --> 00:37:21,990
You can, for example, go to an ASN finder.
409
00:37:24,620 --> 00:37:27,620
OK, so searching by company name.
410
00:37:29,780 --> 00:37:30,170
OK.
411
00:37:31,770 --> 00:37:38,910
I'm not sure which website it was, yeah, this one.
412
00:37:40,380 --> 00:37:44,430
This is a very handy website.
413
00:37:45,330 --> 00:37:52,920
This is the lookup for ASNs.
414
00:37:54,330 --> 00:38:00,450
You can see here, for example, let's say I put, OK, let's say Facebook is behind a WAF.
415
00:38:02,280 --> 00:38:10,740
OK, I'm just going to put Facebook and this website is going to give me all the IP ranges that Facebook
416
00:38:10,740 --> 00:38:11,370
owns.
417
00:38:12,360 --> 00:38:19,620
So even if, for example, let's say, Facebook was behind Cloudflare, you still have
418
00:38:20,100 --> 00:38:23,000
the declaration of the IPs they own.
419
00:38:23,400 --> 00:38:27,810
So all you have to do is just take, for example, each IP range.
420
00:38:29,550 --> 00:38:40,860
and mass scan it using nmap or masscan and find the application you were hacking on inside the IP ranges
421
00:38:40,860 --> 00:38:42,430
you are checking.
422
00:38:43,470 --> 00:38:45,270
So I hope this one makes sense.
423
00:38:45,660 --> 00:38:48,810
Shivam, do you have any other question before we continue forward?
424
00:38:59,770 --> 00:39:01,540
Seems like she fell asleep.
425
00:39:03,080 --> 00:39:03,960
No, he didn't.
426
00:39:05,490 --> 00:39:08,540
Okay, so let's see, um.
427
00:39:09,620 --> 00:39:15,110
Do you fuzz every parameter or just some specific ones, Safwat?
428
00:39:15,650 --> 00:39:22,860
I can't say that I fuzz every parameter because you might get lost and just, like, be lazy to
429
00:39:22,870 --> 00:39:24,470
notice anything you click on.
430
00:39:25,070 --> 00:39:33,980
So I test for SQL injections when I find the need to, for example, if I see, um.
431
00:39:34,100 --> 00:39:46,160
So just with time, it becomes easier to know where to find the good parameters,
432
00:39:46,160 --> 00:39:46,760
for example.
433
00:39:47,060 --> 00:39:53,420
But for example, if I have a parameter that says, for example,
434
00:39:55,120 --> 00:39:59,050
it's equal to seven, let's say, this one.
435
00:39:59,230 --> 00:39:59,560
OK.
436
00:40:00,640 --> 00:40:11,380
And you come and your input, for example, is a string, and the application throws an error: it needs an integer.
437
00:40:13,510 --> 00:40:21,550
OK, so the application is clearly telling you that this is not going to pass through the functionality
438
00:40:21,940 --> 00:40:27,430
because we need an integer and not anything else than a number.
439
00:40:28,000 --> 00:40:38,010
So it's not worth spending, Safwat, in my opinion, it's not worth spending time trying to
440
00:40:38,020 --> 00:40:44,020
inject into something that tells me, oops, what I need is a number, not what you put.
441
00:40:45,890 --> 00:40:47,420
So I hope this makes sense.
442
00:40:48,110 --> 00:40:57,950
And so, you know how to choose the parameters, and also, Safwat, to add to it, for example,
443
00:40:57,950 --> 00:41:00,080
let's say that you have.
444
00:41:02,340 --> 00:41:09,470
a website that, let's see, has username equal to, let's say, for example, this, and it gets reflected in,
445
00:41:09,480 --> 00:41:14,070
for example, a
446
00:41:16,800 --> 00:41:17,410
Starchy.
447
00:41:17,670 --> 00:41:26,910
OK, so you can clearly see that this parameter username is not getting processed by the backend, just
448
00:41:26,910 --> 00:41:32,040
getting reflected on the page, on the HTML page, on the DOM.
449
00:41:33,000 --> 00:41:39,750
So it's not worth injecting here because there's nothing that is actually processed by either
450
00:41:39,750 --> 00:41:40,740
the database.
451
00:41:42,290 --> 00:41:46,250
So just skip these kinds of cases to save time.
452
00:41:47,810 --> 00:41:51,800
Does this make sense, Safwat? Have I answered your question?
453
00:41:56,600 --> 00:41:56,960
OK.
454
00:41:59,180 --> 00:42:04,520
Anyone has questions before we go forward on the SQL injection topics?
455
00:42:12,800 --> 00:42:15,380
OK, so I guess we can go forward.
456
00:42:20,180 --> 00:42:20,540
OK.
457
00:42:21,140 --> 00:42:24,170
So when do you stop on a parameter and say it's not vulnerable?
458
00:42:25,400 --> 00:42:37,010
So at first, before even trying to go in depth into it or trying to hack into a parameter
459
00:42:37,010 --> 00:42:45,290
for SQL injection, I should have some signs that tell me, man, this parameter is really fishy, you
460
00:42:45,290 --> 00:42:45,530
know?
461
00:42:46,130 --> 00:42:48,080
So this one is really fishy.
462
00:42:48,080 --> 00:42:58,580
I have to get this feeling after doing some tests. If, for example, at some point I don't find any
463
00:42:58,580 --> 00:43:04,520
way to confirm my assumption that this parameter is vulnerable,
464
00:43:05,150 --> 00:43:10,460
I'm just going to save the request to my list.
465
00:43:10,880 --> 00:43:18,920
And maybe, you know, two, three, four, five months later, five months later, in case I get better
466
00:43:18,920 --> 00:43:24,680
at SQL injection, I can revisit this request and try to exploit it again.
467
00:43:26,820 --> 00:43:35,490
So it is good having a text file where you just save the requests and the endpoints and functionality you
468
00:43:35,790 --> 00:43:40,650
were not able to test today, you were not able to hack today,
469
00:43:41,010 --> 00:43:48,270
and just come back to them five months later, six months later, when you feel like you are ready
470
00:43:48,270 --> 00:43:56,400
to take it on again and you are ready to attack with other perspectives because you have learned much in between
471
00:43:56,400 --> 00:43:57,540
this time.
472
00:44:03,320 --> 00:44:07,610
Usually you just followed up against my answer.
473
00:44:08,240 --> 00:44:11,960
Usually if I can't find any.
474
00:44:14,280 --> 00:44:22,420
confirmation that the parameter is vulnerable, just an estimate, which is, of course, better than me assuming
475
00:44:22,440 --> 00:44:29,520
injection because this parameter is vulnerable, and there is nothing that means that it is even vulnerable,
476
00:44:29,880 --> 00:44:33,810
and I can't find a way to confirm,
477
00:44:34,260 --> 00:44:37,200
I'm just going to stop here to not waste much time.
478
00:44:38,100 --> 00:44:40,500
So bug bounty is not about
479
00:44:41,950 --> 00:44:49,090
the best bug you found, so everyone that joins bug bounty, of course, there is the need to hack, the
480
00:44:49,090 --> 00:44:54,580
rush of hacking and the love of trying to break, to breach stuff.
481
00:44:55,000 --> 00:44:57,970
But we all love money.
482
00:45:01,310 --> 00:45:05,090
So, really, they are looking for bounties, too.
483
00:45:05,660 --> 00:45:09,530
So if you end up spending too much time on.
484
00:45:10,660 --> 00:45:13,000
a parameter that is,
485
00:45:14,230 --> 00:45:20,770
for example, not 100 percent vulnerable, you're just going to waste money because every second that
486
00:45:20,770 --> 00:45:21,220
passes,
487
00:45:22,350 --> 00:45:26,460
you invested time, but you didn't get anything out of,
488
00:45:28,250 --> 00:45:30,140
Out of it, so just focus.
489
00:45:30,680 --> 00:45:37,490
Focus on the things that you are sure are vulnerable and try to exploit them till you can provide a good
490
00:45:37,490 --> 00:45:38,420
performance at.
491
00:45:41,740 --> 00:45:41,970
You.
492
00:45:47,480 --> 00:45:54,170
So, Safwat says, what about the Dum Dum Dum Dum tool, Jeff Barton's?
493
00:45:55,340 --> 00:45:57,800
I guess it's a tool for finding SQL injections.
494
00:45:58,610 --> 00:46:04,100
So I guess, Safwat, I guess these are tools for people who go for automation.
495
00:46:05,540 --> 00:46:08,210
This is not something that I do on my own.
496
00:46:08,450 --> 00:46:09,150
I don't use.
497
00:46:10,670 --> 00:46:14,440
I love Dum Dum Dum Dum, he is a great brother.
498
00:46:14,720 --> 00:46:21,180
And he added so much value to bug bounty and its history.
499
00:46:21,980 --> 00:46:23,180
But I don't use this tool.
500
00:46:25,130 --> 00:46:27,470
So I can't give much.
501
00:46:28,550 --> 00:46:31,010
information about it, so.
502
00:46:33,810 --> 00:46:40,750
Someone says, what are the most common characters that trigger errors for you, besides single quotes, for SQL injection,
503
00:46:41,200 --> 00:46:42,340
like you had mentioned?
504
00:46:43,150 --> 00:46:44,120
Are there any more?
505
00:46:44,140 --> 00:46:45,580
Yeah, there is more.
506
00:46:46,660 --> 00:46:54,310
So basically everything that is not printable by the application triggers errors every time for me.
507
00:46:54,820 --> 00:46:56,290
Let's talk about an issue.
508
00:46:56,740 --> 00:46:57,310
So I have.
509
00:46:57,760 --> 00:47:02,380
So there is, for example, this one we talked about.
510
00:47:02,830 --> 00:47:05,590
There's also this one that usually.
511
00:47:07,240 --> 00:47:08,500
Returns errors.
512
00:47:09,960 --> 00:47:18,660
You also have the null byte that sometimes returns errors; you have just to try to insert
513
00:47:18,660 --> 00:47:19,560
some random.
514
00:47:20,830 --> 00:47:28,930
characters into a parameter, so for example, if a website, if the parameter takes only, for example,
515
00:47:28,930 --> 00:47:30,760
numbers and you put this.
516
00:47:32,990 --> 00:47:38,290
If it's not handled on the backend, it's just going to throw some debug log, which might be helpful.
517
00:47:39,250 --> 00:47:41,530
And there are a couple more, for example, if we go to.
518
00:47:42,040 --> 00:47:44,050
Let's see if we could.
519
00:47:47,440 --> 00:47:55,390
You have these websites which take any character you want and turn it into
520
00:47:57,150 --> 00:47:57,990
Unicode.
521
00:47:58,020 --> 00:47:58,890
So, for example.
522
00:48:00,930 --> 00:48:01,350
So.
523
00:48:03,300 --> 00:48:12,480
For example, this kind of character sometimes triggered it for me, which helped me explore more and
524
00:48:12,480 --> 00:48:13,140
more in depth.
525
00:48:13,500 --> 00:48:19,350
my bug bounty targets, so.
526
00:48:19,800 --> 00:48:20,970
Yeah, yeah.
527
00:48:23,360 --> 00:48:29,660
So you can take this one and try it from today on, watch them when you are trying.
528
00:48:31,520 --> 00:48:38,990
Oh, there is something I should also tell you about that I was about to forget, so thanks, I'll
529
00:48:38,990 --> 00:48:40,010
be there for the question.
530
00:48:41,720 --> 00:48:50,810
And there's another thing that might trigger errors in the backend logs that might help you, for example,
531
00:48:50,810 --> 00:48:56,780
if you have this website and the parameter id, sometimes
532
00:48:58,130 --> 00:49:01,700
adding the brackets here is going to cause
533
00:49:03,190 --> 00:49:04,700
the application to throw an error.
534
00:49:05,410 --> 00:49:15,490
And this happens because this is not a list, so it is normally a single object, but you are going
535
00:49:15,490 --> 00:49:22,300
to input a list, which is not supported by the, I can say, is going to throw an error.
536
00:49:22,340 --> 00:49:31,180
So you have, along with this one, other characters that you might find; everything that is not printable
537
00:49:31,180 --> 00:49:34,380
or is not readable by the application.
538
00:49:34,420 --> 00:49:39,790
You can just keep pushing, also adding brackets just before,
539
00:49:43,100 --> 00:49:51,750
just before the parameter, and so this happens more often than you think, really more often than
540
00:49:51,770 --> 00:49:55,580
you think, sometimes when
541
00:49:56,730 --> 00:50:06,060
doing some bug bounty or hacking, you might, for example, need a single path disclosure, a
542
00:50:07,020 --> 00:50:08,160
full path disclosure.
543
00:50:09,690 --> 00:50:15,480
A full path disclosure of the server, so, for example, where is the server located at, for example?
544
00:50:15,480 --> 00:50:15,890
Let's see.
545
00:50:17,140 --> 00:50:18,670
That's OK.
546
00:50:18,810 --> 00:50:19,380
Let's see.
547
00:50:19,380 --> 00:50:20,010
It's here.
548
00:50:20,550 --> 00:50:23,790
So just pushing.
549
00:50:23,880 --> 00:50:24,630
You should really.
550
00:50:27,190 --> 00:50:36,460
So just by pushing this, you're going to throw some errors which are going to lead you to just
551
00:50:37,720 --> 00:50:38,170
get.
552
00:50:39,510 --> 00:50:47,230
some debug logs that might help you with your exploitation, such as credit ABC.
553
00:50:48,470 --> 00:50:50,760
And although we know which is.
554
00:50:52,820 --> 00:50:59,990
So one thing I forgot to tell you about sqlmap is that with sqlmap you can also, when it gives you
555
00:50:59,990 --> 00:51:01,780
a very successful injection,
556
00:51:03,140 --> 00:51:05,000
if the user is the administrator,
557
00:51:05,330 --> 00:51:08,900
you can use sqlmap to escalate the attack.
558
00:51:09,410 --> 00:51:17,420
So I don't know if everyone is aware of it here, but sqlmap has some parameters like --file-read.
559
00:51:19,330 --> 00:51:32,320
For example, --file-read of /etc/passwd, in case the username, the user that is the
560
00:51:32,360 --> 00:51:40,440
database user, is administrator; if you input this to sqlmap as the
561
00:51:42,140 --> 00:51:49,110
file to read, it is going to try to read the local file
562
00:51:50,250 --> 00:52:00,630
/etc/passwd. So you have more and more commands, like --os-shell and others, which you can see on the
563
00:52:00,820 --> 00:52:03,570
sqlmap encyclopedia link.
564
00:52:06,000 --> 00:52:11,060
So, Safwat, is it going to test one parameter for different bugs like this? This is just for
565
00:52:11,070 --> 00:52:11,340
you.
566
00:52:11,550 --> 00:52:12,360
And if it's true.
567
00:52:12,810 --> 00:52:18,740
Yeah, of course, every parameter can be vulnerable to any kind of vulnerability.
568
00:52:19,710 --> 00:52:22,020
So you have to test for everything.
569
00:52:22,800 --> 00:52:30,300
When you find the need to, just don't stop on one parameter and say, I'm done.
570
00:52:30,750 --> 00:52:33,480
No, you have to test for everything, except if
571
00:52:33,540 --> 00:52:34,290
you have something.
572
00:52:37,530 --> 00:52:43,050
So going forward, does everyone, do you have more questions before we go?
573
00:52:50,000 --> 00:52:50,660
I guess.
574
00:52:53,010 --> 00:52:53,640
Welcome.
575
00:52:54,540 --> 00:52:55,230
My pleasure.
576
00:52:57,980 --> 00:52:59,630
So I guess we can go forward.
577
00:53:02,050 --> 00:53:04,840
Let's see where we were.
578
00:53:08,820 --> 00:53:12,570
We were exactly here.
579
00:53:12,870 --> 00:53:13,190
OK.
580
00:53:13,740 --> 00:53:15,540
OK, so you were here.
581
00:53:17,870 --> 00:53:23,420
And we had the error that triggered us to launch sqlmap.
582
00:53:23,900 --> 00:53:35,520
And so if you have, like, POST data using sqlmap, PUT data or DELETE method, don't just copy
583
00:53:35,870 --> 00:53:42,680
the link and other methods, just save the request to a text file
584
00:53:42,830 --> 00:53:47,080
and import it using the -r parameter in sqlmap.
585
00:53:48,150 --> 00:53:51,900
So you have to have the request to check in plaintext.
586
00:53:52,920 --> 00:53:54,930
And you can import it from Burp Suite easily.
587
00:53:56,220 --> 00:53:59,580
This makes it really timesaving for everyone.
588
00:54:02,550 --> 00:54:04,000
So you get to experiment.
589
00:54:05,430 --> 00:54:15,590
It gave me access to other databases, to databases which contain, like, information about the tables
590
00:54:15,600 --> 00:54:19,800
and columns, and I was able to retrieve data too.
591
00:54:20,760 --> 00:54:24,930
So this is a simple case with sqlmap.
592
00:54:27,850 --> 00:54:33,310
Takeaway: look for SQL injections everywhere, even in headers, as more people look for
593
00:54:33,610 --> 00:54:40,720
the injection in visible parameters, go beyond it, so have it in mind.
594
00:54:41,560 --> 00:54:47,740
This was for injections in headers, and there is SQL injection in other endpoints.
595
00:54:48,160 --> 00:54:57,040
There is SQL injection in the full path of the website to test; you have to test for it everywhere
596
00:54:57,040 --> 00:54:58,300
you feel the need to.
597
00:55:01,330 --> 00:55:06,790
Important: the question came up when confirming SQL injections, is it OK to dump other
598
00:55:06,790 --> 00:55:12,580
databases? Like, try not to dump, and at least don't dump any other DBs.
599
00:55:13,240 --> 00:55:15,010
Check the program rules.
600
00:55:16,050 --> 00:55:20,500
OK, so we have some labs we're going to do.
601
00:55:21,850 --> 00:55:24,070
Is everyone ready for the labs?
602
00:55:24,580 --> 00:55:26,110
We have actually.
603
00:55:27,580 --> 00:55:30,850
I guess see here.
604
00:55:35,140 --> 00:55:39,500
We have around one, one hour and a half to go before the next.
605
00:55:41,340 --> 00:55:45,450
Before the first break, right, because I'm not very good with standing stuff.
606
00:55:47,140 --> 00:55:48,700
So we can start doing.
607
00:55:49,810 --> 00:55:54,100
The labs, SQL injections, so.
608
00:55:55,700 --> 00:56:03,650
You all have the website, it should be tests.php, that where would that come?
609
00:56:06,170 --> 00:56:11,240
I'm going to give you 10 minutes to spot the SQL injections.
610
00:56:13,440 --> 00:56:13,800
OK.
611
00:56:21,050 --> 00:56:26,690
You have your hacking setup set, you can try to get it.
612
00:56:39,430 --> 00:56:40,120
Do you hear me?
613
00:56:44,670 --> 00:56:46,410
OK, so everyone is on edge.
614
00:56:47,640 --> 00:56:50,250
OK, so try to spot the SQL injection
615
00:56:51,250 --> 00:56:53,170
On this level.
616
00:56:54,190 --> 00:57:03,310
And the first one to solve it in the next 10 minutes will have to show his screen and show us how
617
00:57:03,310 --> 00:57:05,260
he approaches the target.
618
00:57:06,160 --> 00:57:12,220
And so we can comment all together and get more tips around this.
619
00:57:17,670 --> 00:57:25,680
Please, if everyone is trying to inject to find this SQL injection, please reply yes in the chat room.
620
00:57:25,830 --> 00:57:30,360
So I know everyone is connected and doesn't have connection problems.
621
00:57:32,480 --> 00:57:36,260
Okay, thank you for your responses, very appreciated.
622
00:57:40,960 --> 00:57:44,160
So, first man, give your friends some time.
623
00:58:24,580 --> 00:58:28,450
Let me take my camera for one minute and try to fix one thing.
624
00:58:33,140 --> 00:58:36,680
And you also continue trying to find the SQL injection.
625
00:58:49,110 --> 00:58:49,830
Okay, nice.
626
00:58:54,010 --> 00:58:55,590
Give me one minute for the video.
627
00:58:55,990 --> 00:58:58,270
Give time to the other to try to find it.
628
00:59:01,650 --> 00:59:03,060
So everyone wants to hear me.
629
00:59:03,780 --> 00:59:04,840
I'm fixing one thing.
630
00:59:04,860 --> 00:59:05,670
Give me some time.
631
1:01:14.360 --> 1:01:18.200
So does anyone need more time to try to find it?
632
1:01:19.260 --> 1:01:20.100
Nine, Survivor.
633
1:01:21.130 --> 1:01:22.720
So what nice name a nice.
634
1:01:30.310 --> 1:01:31.060
Alejandro.
635
1:01:32.610 --> 1:01:33.390
You get it.
636
1:01:35.090 --> 1:01:35.390
Is.
637
1:01:36.490 --> 1:01:36.940
Nice.
638
1:01:38.890 --> 1:01:40.570
Umi Mishra, did you get it?
639
1:01:53.350 --> 1:01:54.340
Lewis, can you hear me?
640
1:01:55.680 --> 1:01:56.430
You got it to.
641
1:02:00.790 --> 1:02:01.490
Dramatic.
642
1:02:02.470 --> 1:02:02.920
OK, you.
643
1:02:04.910 --> 1:02:05.400
OK.
644
1:02:06.940 --> 1:02:11.950
OK, so who wants to go share screen and show us what he got?
645
1:02:20.520 --> 1:02:24.720
Who's down to show his screen and show us what he found?
646
1:02:26.880 --> 1:02:29.250
And then we can go forward together.
647
1:02:39.230 --> 1:02:41.210
Now, do you want to show your screen?
648
1:02:50.650 --> 1:02:51.770
Yes, sure, no problem.
649
1:02:51.790 --> 1:02:54.550
You can go on, you can write on, it takes some.
650
1:02:56.950 --> 1:02:57.760
When it takes not.
651
1:03:03.870 --> 1:03:06.450
How do I share my screen?
652
1:03:11.790 --> 1:03:13.740
Let me see how I do.
653
1:03:25.740 --> 1:03:26.700
I'm not sure if.
654
1:03:28.020 --> 1:03:32.100
You should you should show from your side, I guess.
655
1:03:33.740 --> 1:03:34.280
OK.
656
1:03:35.240 --> 1:03:35.400
Hmm.
657
1:03:35.930 --> 1:03:38.990
It's pretty easy, you should have a share screen.
658
1:03:42.820 --> 1:03:44.680
You should have your share screen option.
659
1:04:00.840 --> 1:04:06.210
There are two people in the waiting room, GB and everyone.
660
1:04:06.450 --> 1:04:07.290
I'm not sure.
661
1:04:25.000 --> 1:04:25.600
You see.
662
1:04:28.400 --> 1:04:29.020
OK.
663
1:04:30.110 --> 1:04:31.430
So I'm not sure how we.
664
1:04:33.310 --> 1:04:34.210
Activated.
665
1:04:38.870 --> 1:04:40.220
She's from here.
666
1:04:41.820 --> 1:04:42.240
You know.
667
1:04:48.350 --> 1:04:52.340
Do we have anyone from Twitter.com to you?
668
1:04:52.790 --> 1:04:53.390
Yeah, OK.
669
1:04:53.540 --> 1:04:54.380
Let's do it like this.
670
1:04:54.860 --> 1:04:56.140
You can share the link.
671
1:04:56.150 --> 1:04:58.610
Everyone shares his link and his solution.
672
1:05:01.270 --> 1:05:01.960
In the chat.
673
1:05:10.640 --> 1:05:11.150
OK.
674
1:05:12.970 --> 1:05:13.460
Okay.
675
1:05:27.050 --> 1:05:28.670
Let's go and see
676
1:05:31.280 --> 1:05:32.930
what's up here.
677
1:05:34.720 --> 1:05:37.630
U.S., do you need me to look into anything here?
678
1:05:38.620 --> 1:05:40.960
Yeah, I wanted to try to.
679
1:05:41.260 --> 1:05:43.540
How do I allow people to show their screens?
680
1:05:44.470 --> 1:05:52.900
OK, so I think you can go to the participant section and click on more when you there's a more option
681
1:05:52.900 --> 1:05:54.970
and when you were over, there means.
682
1:05:55.720 --> 1:05:56.800
And I think.
683
1:05:58.400 --> 1:06:00.500
Can allow them.
684
1:06:01.510 --> 1:06:03.890
OK, so it's good, someone.
685
1:06:05.360 --> 1:06:10.210
I'm not sure which of you guys in the abraded, but it's good news.
686
1:06:12.640 --> 1:06:13.060
It's good.
687
1:06:26.000 --> 1:06:27.680
Not sure what's happening here.
688
1:06:30.970 --> 1:06:34.630
It's someone hugged me, my connection is not working.
689
1:06:37.880 --> 1:06:39.140
Yeah, I do have internet.
690
1:06:49.990 --> 1:06:51.880
We see lights up here.
691
1:07:05.760 --> 1:07:06.360
Q So.
692
1:07:07.500 --> 1:07:08.550
Tim Burton from.
693
1:07:19.000 --> 1:07:21.880
So we have this here.
694
1:07:33.100 --> 1:07:33.850
Yes, Peter.
695
1:07:36.390 --> 1:07:36.650
Yeah.
696
1:07:37.860 --> 1:07:43.950
So, yeah, everyone obviously got it so pretty easy to just.
697
1:07:46.710 --> 1:07:47.520
But this one.
698
1:07:49.130 --> 1:07:51.770
Just by pushing a single
699
1:07:53.290 --> 1:07:56.950
quote, you can see the SQL injection and you can start to test for it.
700
1:08:00.340 --> 1:08:01.090
There's just one.
701
1:08:02.130 --> 1:08:05.460
You can see a video at what I was talking about.
702
1:08:07.500 --> 1:08:10.050
So this is the trick I was talking about.
703
1:08:13.320 --> 1:08:16.230
Area, so giving this.
704
1:08:18.050 --> 1:08:22.190
He's going to throw under Sing US to Bruce was brilliant.
705
1:08:22.550 --> 1:08:29.510
Even so, this can give us more tips and tricks regarding what we are trying to exploit.
706
1:08:32.620 --> 1:08:42.670
So I didn't test this on this parameter before we started, but luckily it's working so you
707
1:08:42.670 --> 1:08:43.870
can see a live example.
708
1:08:47.770 --> 1:08:49.840
Thank you for showing this.
709
1:08:50.190 --> 1:08:52.060
The four neighboring districts.
710
1:08:53.990 --> 1:08:58.160
There are two people in the waiting room and I think you should accept them.
711
1:09:04.060 --> 1:09:05.760
OK, so let's go.
712
1:09:06.370 --> 1:09:10.120
We can have more labs coming later on.
713
1:09:10.780 --> 1:09:17.830
Let's just take the next steps and see what you have and what you should do.
714
1:09:20.040 --> 1:09:24.420
So now we are going to check for XXE,
715
1:09:25.510 --> 1:09:30.370
also known as XML external entity injection.
716
1:09:32.300 --> 1:09:40.220
Before we start this module, does anyone have questions about everything that we've talked
717
1:09:40.220 --> 1:09:40.670
about.
718
1:09:46.170 --> 1:09:49.260
Or anything I should develop more for you?
719
1:09:58.300 --> 1:09:59.120
Man, yeah.
720
1:09:59.150 --> 1:10:01.870
No, SQL injections are everywhere.
721
1:10:03.690 --> 1:10:09.690
SQL injections are still very, very common, but it's just not
722
1:10:10.890 --> 1:10:13.670
As indisputable as it was in the past.
723
1:10:17.120 --> 1:10:19.270
So just take the tips I give you.
724
1:10:20.690 --> 1:10:27.940
And start testing these tips, and hopefully you can start getting some good results.
725
1:10:30.240 --> 1:10:30.990
You have to.
726
1:10:35.050 --> 1:10:36.940
Alejandro, is there anything?
727
1:10:38.190 --> 1:10:39.960
You want to ask before you go forward.
728
1:10:40.420 --> 1:10:40.800
Be done.
729
1:10:44.700 --> 1:10:48.350
Lezion, yeah, go on one more.
730
1:10:48.860 --> 1:10:51.700
You know, NoSQL injection.
731
1:10:51.780 --> 1:10:53.490
What are your feelings about it?
732
1:10:55.460 --> 1:10:56.600
Sorry, I didn't get you.
733
1:10:59.870 --> 1:11:00.260
Yes.
734
1:11:01.340 --> 1:11:02.540
I didn't hear.
735
1:11:05.140 --> 1:11:08.980
NoSQL injection, what is your experience about it?
736
1:11:11.150 --> 1:11:20.360
So NoSQL injections, just like SQL injection, though, are also common on MongoDB, so you know,
737
1:11:20.720 --> 1:11:24.620
NoSQL injections, mostly on MongoDB also.
738
1:11:25.550 --> 1:11:32.960
Nowadays, most of the databases you will find are MongoDB and you will find a little less SQL here.
739
1:11:34.090 --> 1:11:37.330
And NoSQL injections on MongoDB
740
1:11:38.600 --> 1:11:40.640
are also common, so.
741
1:11:42.290 --> 1:11:42.710
So.
742
1:11:44.190 --> 1:11:49.170
When you have, for example, there is a really good website.
743
1:11:50.430 --> 1:11:51.810
Let's see here.
744
1:11:53.520 --> 1:11:54.420
Yes, working on.
745
1:11:58.620 --> 1:11:59.040
So.
746
1:12:01.410 --> 1:12:08.250
Here you can find many, many, many payloads you can import into Burp Intruder when you have to.
747
1:12:09.350 --> 1:12:10.370
To make with this.
748
1:12:11.060 --> 1:12:11.990
So, for example.
749
1:12:14.920 --> 1:12:23.980
If you just save them to a text file, for example, myself, I've made, let's see, a
750
1:12:25.600 --> 1:12:30.190
folder where I have, like, my custom payloads
751
1:12:30.730 --> 1:12:39.010
I have developed and some payloads I have seen in the wild and on resources.
752
1:12:39.580 --> 1:12:42.760
So for example, if you choose, I'm not sure.
753
1:12:44.480 --> 1:12:48.620
So for NoSQL injection, I have a bunch
754
1:12:49.650 --> 1:12:51.150
Of payloads.
755
1:12:51.570 --> 1:12:56.730
I'm just going to mass test if I find something that's fishy
756
1:12:56.820 --> 1:12:58.270
using Burp Suite Intruder.
757
1:12:58.650 --> 1:13:01.710
So I recommend you to do the same for SQL injections
758
1:13:02.990 --> 1:13:14.510
And with service, eye surgery on local institutions, and all this might help you much, the new backbone
759
1:13:14.510 --> 1:13:15.250
she journey.
760
1:13:15.800 --> 1:13:19.790
So with nurse projection, it's come on.
761
1:13:20.270 --> 1:13:29.060
But it's not that easy to spot because with no skin injections, you don't have many years that show.
762
1:13:29.840 --> 1:13:34.810
So it's mostly about education bypass.
763
1:13:35.660 --> 1:13:39.260
So for example, when you you, you can see here for.
764
1:13:41.800 --> 1:13:45.730
For bypassing the detention methods.
765
1:13:46.210 --> 1:13:48.190
So if you want to, for example.
766
1:13:51.100 --> 1:13:52.420
Sometime on.
767
1:13:53.920 --> 1:14:04.380
So you have two cases on the mogaji, been in business transactions, for example, under this equal,
768
1:14:04.450 --> 1:14:07.390
this value and bust an equal one.
769
1:14:08.020 --> 1:14:12.340
This is this might bypass the distribution methods.
770
1:14:13.030 --> 1:14:20.260
So it's hard to find it's not easier to find, but it's worth putting time.
771
1:14:20.680 --> 1:14:26.560
But one thing you should know is that when you in case you are trying this payloads, for example,
772
1:14:27.070 --> 1:14:34.630
on a database that is not MongoDB on the backend, you'd be just wasting your time.
773
1:14:35.650 --> 1:14:36.960
Just a waste of time.
774
1:14:37.030 --> 1:14:43.210
You might be trained payloads and payloads in the payload payloads and just end up getting nothing out
775
1:14:43.210 --> 1:14:53.460
of it because just the database is MySchool, or it's another database that is not MongoDB.
776
1:14:55.650 --> 1:15:04.740
So it'd be good to what I recommend is having, for example, two or three entries from each its gel
777
1:15:05.550 --> 1:15:06.450
injection method.
778
1:15:06.900 --> 1:15:13.830
So you can check here you get your injection, you take two or three peyroux that might trigger errors
779
1:15:13.830 --> 1:15:14.160
like.
780
1:15:16.660 --> 1:15:24.910
Like, on a scale, this is the pillow that my three don't ever just take a bunch of out to a bunch
781
1:15:24.910 --> 1:15:27.610
of payloads, throw them into.
782
1:15:28.950 --> 1:15:35.450
At least and start spreading it into a custom perimeter.
783
1:15:35.490 --> 1:15:41.460
If you find anything that fishy and from this point of view, you might have more information about
784
1:15:41.940 --> 1:15:50.010
if a permit is reasonable or not and you'll do you, you will know which databases are on the back end
785
1:15:50.760 --> 1:15:54.000
based on the response you get from your scans.
786
1:16:08.460 --> 1:16:09.920
Did they respond, you agree?
787
1:16:11.850 --> 1:16:15.020
Did they think you like come?
788
1:16:19.770 --> 1:16:22.920
So I'm just going to post this thing to.
789
1:16:34.790 --> 1:16:45.440
OK, so it seems like if anyone's wants to build a custom list later on for his B-roads can just take
790
1:16:45.440 --> 1:16:48.320
a bunch of barrels from there and go on.
791
1:16:50.870 --> 1:16:52.940
So we're going to start with the second.
71068
Can't find what you're looking for?
Get subtitles in any language from opensubtitles.com, and translate them here.