1
00:00:01,520 --> 00:00:05,200
Welcome to the demo.

2
00:00:03,198 --> 00:00:07,599
Let's play with the authentication

3
00:00:05,200 --> 00:00:09,039
cookie. As you can see in the upper right

4
00:00:07,599 --> 00:00:11,919
corner you see my name,

5
00:00:09,039 --> 00:00:13,039
David. You see that I am really logged in

6
00:00:11,919 --> 00:00:15,519
because you see

7
00:00:13,039 --> 00:00:16,719
my profile. What I'm going to show you

8
00:00:15,519 --> 00:00:19,278
right now is,

9
00:00:16,719 --> 00:00:21,599
again, I'm going to show you my cookie

10
00:00:19,278 --> 00:00:25,118
with session ID, so let me go to

11
00:00:21,600 --> 00:00:27,599
Cookies Manager and, yeah, here it is.

12
00:00:25,118 --> 00:00:28,960
Um, the name of the cookie is PHPSESSID.

13
00:00:27,599 --> 00:00:31,679
You see some

14
00:00:28,960 --> 00:00:32,799
random value out there. It's random, it's

15
00:00:31,678 --> 00:00:35,920
long, it's good.

16
00:00:32,799 --> 00:00:36,799
The host is example.com, but let's take a

17
00:00:35,920 --> 00:00:40,079
look at

18
00:00:36,799 --> 00:00:43,119
this: "Send for

19
00:00:40,079 --> 00:00:46,719
any type of connection".

20
00:00:43,119 --> 00:00:50,558
This is really, really cool for

21
00:00:46,719 --> 00:00:53,840
hackers, because it basically means that

22
00:00:50,558 --> 00:00:55,359
this cookie can be sent over insecure

23
00:00:53,840 --> 00:00:58,879
HTTP

24
00:00:55,359 --> 00:01:01,920
or secure HTTPS.

25
00:00:58,878 --> 00:01:03,439
So this is a clear message for me, for a

26
00:01:01,920 --> 00:01:07,519
tester, for a hacker,

27
00:01:03,439 --> 00:01:10,879
that this cookie has been set without the

28
00:01:07,519 --> 00:01:12,158
Secure attribute. And now I'm gonna show

29
00:01:10,879 --> 00:01:14,399
you that indeed

30
00:01:12,159 --> 00:01:15,719
this cookie can be disclosed over

31
00:01:14,400 --> 00:01:19,359
insecure

32
00:01:15,719 --> 00:01:22,478
HTTP. Okay,

33
00:01:19,359 --> 00:01:23,920
so far so good. Let me now do something

34
00:01:22,478 --> 00:01:27,039
like this: I'm gonna

35
00:01:23,920 --> 00:01:28,159
intercept the outgoing request from my

36
00:01:27,040 --> 00:01:30,479
browser.

37
00:01:28,159 --> 00:01:31,280
I'm going to send the request over HTTP,

38
00:01:30,478 --> 00:01:33,200
and I'm going to

39
00:01:31,280 --> 00:01:35,040
intercept this request, and I'm going to

40
00:01:33,200 --> 00:01:37,759
show you that this cookie

41
00:01:35,040 --> 00:01:39,200
with session ID can be disclosed over an

42
00:01:37,759 --> 00:01:42,959
insecure HTTP

43
00:01:39,200 --> 00:01:43,920
request, right? Okay, so in order to do it

44
00:01:42,959 --> 00:01:46,319
I need a kind of

45
00:01:43,920 --> 00:01:47,600
interceptor, and what I've got in my

46
00:01:46,319 --> 00:01:51,359
testing environment

47
00:01:47,599 --> 00:01:55,118
is a proxy with an interceptor, actually.

48
00:01:51,359 --> 00:01:59,359
So I'm using here Burp Suite, which is an

49
00:01:55,118 --> 00:02:02,640
integrated tool for web app security

50
00:01:59,359 --> 00:02:04,078
testing. One of the functionalities out

51
00:02:02,640 --> 00:02:06,560
there

52
00:02:04,078 --> 00:02:08,399
in this tool is a proxy, and in this

53
00:02:06,560 --> 00:02:08,959
proxy we have an interceptor so that you

54
00:02:08,399 --> 00:02:11,840
can

55
00:02:08,959 --> 00:02:13,280
really intercept the outgoing traffic,

56
00:02:11,840 --> 00:02:14,959
you know, from the browser, and that's

57
00:02:13,280 --> 00:02:17,280
exactly what I'm gonna do right now.

58
00:02:14,959 --> 00:02:18,000
I'm gonna send the request over HTTP and

59
00:02:17,280 --> 00:02:20,080
I'm gonna,

60
00:02:18,000 --> 00:02:21,039
I'm gonna just intercept this request.

61
00:02:20,080 --> 00:02:24,319
Okay, so

62
00:02:21,039 --> 00:02:26,159
let me now go to my web application.

63
00:02:24,318 --> 00:02:28,399
Let me go to the web application, and now you

64
00:02:26,159 --> 00:02:31,919
see that, well, my web application is

65
00:02:28,400 --> 00:02:34,480
protected by HTTPS. HTTPS is

66
00:02:31,919 --> 00:02:35,280
secure; it guarantees confidentiality,

67
00:02:34,479 --> 00:02:37,359
integrity and

68
00:02:35,280 --> 00:02:39,120
authentication. But I'm going to send the

69
00:02:37,360 --> 00:02:42,879
request over HTTP,

70
00:02:39,120 --> 00:02:46,000
over an insecure protocol, right?

71
00:02:42,878 --> 00:02:49,280
HTTP is insecure; this is just plain text.

72
00:02:46,000 --> 00:02:50,479
And now I'm gonna, you know, send out this

73
00:02:49,280 --> 00:02:52,318
request,

74
00:02:50,479 --> 00:02:53,518
and you will see what this request

75
00:02:52,318 --> 00:02:56,639
looks like

76
00:02:53,519 --> 00:02:58,959
in the proxy. So in the real

77
00:02:56,639 --> 00:03:01,199
attack scenario I'm going to send a link

78
00:02:58,959 --> 00:03:02,158
over HTTP to the victim. The victim is going

79
00:03:01,199 --> 00:03:04,000
to click the link,

80
00:03:02,158 --> 00:03:06,000
and the attacker, the so-called man in

81
00:03:04,000 --> 00:03:08,318
the middle, can see the traffic,

82
00:03:06,000 --> 00:03:09,360
uh, sent in plaintext, because HTTP is

83
00:03:08,318 --> 00:03:14,878
plain text, right?

84
00:03:09,360 --> 00:03:14,879
So let me now do it. Let me hit Enter.

85
00:03:16,400 --> 00:03:20,000
And this is my request. As you can see,

86
00:03:18,959 --> 00:03:23,280
this request

87
00:03:20,000 --> 00:03:26,878
goes over insecure HTTP

88
00:03:23,280 --> 00:03:28,080
to the domain example.com, and what is

89
00:03:26,878 --> 00:03:31,120
crucial

90
00:03:28,080 --> 00:03:34,640
in this demo is that the

91
00:03:31,120 --> 00:03:36,799
cookie with session ID has been

92
00:03:34,639 --> 00:03:37,839
appended to this request. So what we've

93
00:03:36,799 --> 00:03:41,200
got here

94
00:03:37,840 --> 00:03:41,680
is a disclosure of the cookie with session

95
00:03:41,199 --> 00:03:45,679
ID

96
00:03:41,680 --> 00:03:47,760
over insecure HTTP. Voilà, game over:

97
00:03:45,680 --> 00:03:49,360
now the man in the middle can get access

98
00:03:47,759 --> 00:03:51,759
to my account, right?

99
00:03:49,360 --> 00:03:53,599
Beautiful. And now let me show you

100
00:03:51,759 --> 00:03:54,719
something even more interesting, I mean

101
00:03:53,598 --> 00:03:56,318
more interesting,

102
00:03:54,719 --> 00:03:58,000
and maybe it will be a kind of

103
00:03:56,318 --> 00:04:00,158
eye-opener for you,

104
00:03:58,000 --> 00:04:01,598
because I told you that this kind of

105
00:04:00,158 --> 00:04:03,679
attack works

106
00:04:01,598 --> 00:04:05,199
in a web application protected by

107
00:04:03,680 --> 00:04:07,280
secure HTTPS,

108
00:04:05,199 --> 00:04:08,399
and indeed you saw that my web

109
00:04:07,280 --> 00:04:11,919
application

110
00:04:08,400 --> 00:04:13,200
is protected by secure HTTPS. But let

111
00:04:11,919 --> 00:04:16,478
me now take this request,

112
00:04:13,199 --> 00:04:19,439
right-click, and send to Repeater.

113
00:04:16,478 --> 00:04:21,358
I want to show you something. I want to

114
00:04:19,439 --> 00:04:22,478
have on one screen the request and

115
00:04:21,358 --> 00:04:25,519
response, right?

116
00:04:22,478 --> 00:04:28,478
And I'm gonna send this request again,

117
00:04:25,519 --> 00:04:30,000
so let me click Go. Now there is

118
00:04:28,478 --> 00:04:32,159
something very interesting.

119
00:04:30,000 --> 00:04:33,839
Please take a look at the left side:

120
00:04:32,160 --> 00:04:36,560
we've got the request.

121
00:04:33,839 --> 00:04:37,519
The request, as you already know, goes

122
00:04:36,560 --> 00:04:41,600
over

123
00:04:37,519 --> 00:04:42,478
insecure HTTP, and our cookie has been

124
00:04:41,600 --> 00:04:45,520
disclosed,

125
00:04:42,478 --> 00:04:47,758
right, over insecure HTTP. But the

126
00:04:45,519 --> 00:04:50,159
response is very interesting.

127
00:04:47,759 --> 00:04:51,439
In the response you see something like

128
00:04:50,160 --> 00:04:54,720
this here:

129
00:04:51,439 --> 00:04:58,600
301 Moved Permanently,

130
00:04:54,720 --> 00:05:01,440
and the Location is here. The Location is

131
00:04:58,600 --> 00:05:05,039
https colon slash

132
00:05:01,439 --> 00:05:07,839
example.com profile.php. So the web

133
00:05:05,038 --> 00:05:11,199
application is trying to redirect

134
00:05:07,839 --> 00:05:14,560
you to the secure HTTPS-

135
00:05:11,199 --> 00:05:18,160
protected version of profile.php, right?

136
00:05:14,560 --> 00:05:20,720
So you see that indeed HTTPS is

137
00:05:18,160 --> 00:05:23,280
enforced in this web application, right?

138
00:05:20,720 --> 00:05:24,000
Every single attempt to reach a given

139
00:05:23,279 --> 00:05:28,959
resource via

140
00:05:24,000 --> 00:05:31,439
HTTP results in HTTPS redirection, right,

141
00:05:28,959 --> 00:05:33,120
or redirection to the HTTPS-protected

142
00:05:31,439 --> 00:05:36,399
resource.

143
00:05:33,120 --> 00:05:39,680
But be really careful here:

144
00:05:36,399 --> 00:05:43,038
the leakage of the cookie with session ID

145
00:05:39,680 --> 00:05:45,439
happens before the redirection.

146
00:05:43,038 --> 00:05:47,680
This is beautiful. So even if you've got

147
00:05:45,439 --> 00:05:50,959
this redirection, you see the response,

148
00:05:47,680 --> 00:05:55,519
you are redirected to the secure,

149
00:05:50,959 --> 00:05:57,758
HTTPS-protected page profile.php.

150
00:05:55,519 --> 00:05:58,959
It is good that you've got this HTTPS

151
00:05:57,759 --> 00:06:02,160
enforcement, but

152
00:05:58,959 --> 00:06:05,799
the leakage happened before

153
00:06:02,160 --> 00:06:06,960
the redirection. That's why enforcing

154
00:06:05,800 --> 00:06:11,360
HTTPS,

155
00:06:06,959 --> 00:06:14,638
or having an HTTPS-protected web page,

156
00:06:11,360 --> 00:06:17,680
is not enough. You here clearly see

157
00:06:14,639 --> 00:06:18,478
that when you don't process the cookie

158
00:06:17,680 --> 00:06:20,560
security,

159
00:06:18,478 --> 00:06:21,680
then the leakage happens before the

160
00:06:20,560 --> 00:06:24,160
redirection

161
00:06:21,680 --> 00:06:25,759
and the game is over. I believe that this

162
00:06:24,160 --> 00:06:28,639
is clear for you. This is

163
00:06:25,759 --> 00:06:29,360
really an eye-opener for many people,

164
00:06:28,639 --> 00:06:32,400
because

165
00:06:29,360 --> 00:06:36,000
people think that HTTPS solves all

166
00:06:32,399 --> 00:06:38,318
problems. Now, well, not necessarily.

167
00:06:36,000 --> 00:06:40,959
Here you see an interesting attack

168
00:06:38,319 --> 00:06:42,000
scenario that can happen in an HTTPS-

169
00:06:40,959 --> 00:06:44,478
protected

170
00:06:42,000 --> 00:06:46,399
web page. So I believe this is clear. I

171
00:06:44,478 --> 00:06:48,800
believe that now you can

172
00:06:46,399 --> 00:06:51,359
check if this kind of problem can happen

173
00:06:48,800 --> 00:06:52,879
in your own web application or

174
00:06:51,360 --> 00:06:54,800
in the web application that you are

175
00:06:52,879 --> 00:06:58,240
testing. So

176
00:06:54,800 --> 00:07:01,918
let's finish this demo and let's

177
00:06:58,240 --> 00:07:06,240
jump to another bug, bug number five

178
00:07:01,918 --> 00:07:06,240
on our list.
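
The check the demo ends on, as an added example that is not part of the video or its author's material: a small Python script that audits a Set-Cookie header for the Secure (and HttpOnly) attribute, and models the browser-side rule that makes the 301 redirect irrelevant, namely that a cookie without Secure is attached to an http:// request before any response comes back. The cookie name PHPSESSID, the host example.com and the path /profile.php are taken from the demo; the cookie value, the jar model and the function names are constructed for this example.

```python
"""Audit Set-Cookie headers for the Secure attribute and model why an
HTTP -> HTTPS redirect does not protect a cookie that lacks it.

Added example; not code from the video. Cookie values are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    host: str = ""            # host that set the cookie (host-only match when no Domain attr)
    secure: bool = False
    httponly: bool = False
    attrs: dict = field(default_factory=dict)  # remaining attributes, lower-cased keys


def parse_set_cookie(header: str, host: str = "") -> Cookie:
    """Parse one Set-Cookie header value (the part after 'Set-Cookie:')."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), host)
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key:
            cookie.attrs[key] = val.strip()
    return cookie


def audit_set_cookie(header: str) -> list:
    """Return findings for a Set-Cookie header; empty list means the flags are in order."""
    cookie = parse_set_cookie(header)
    findings = []
    if not cookie.secure:
        findings.append(f"{cookie.name}: missing Secure; browser attaches it to plaintext http:// requests")
    if not cookie.httponly:
        findings.append(f"{cookie.name}: missing HttpOnly; readable by script")
    return findings


def cookies_for_request(jar: list, url: str) -> list:
    """Names of jar cookies a browser attaches to a request for `url`.

    Minimal model of RFC 6265 section 5.4: host/domain and path must match,
    and a Secure cookie is only attached when the scheme is https.
    """
    u = urlsplit(url)
    host = u.hostname or ""
    req_path = u.path or "/"
    sent = []
    for c in jar:
        domain = c.attrs.get("domain")
        if domain:
            domain = domain.lstrip(".")
            if not (host == domain or host.endswith("." + domain)):
                continue
        elif host != c.host:
            continue
        if not req_path.startswith(c.attrs.get("path", "/")):
            continue
        if c.secure and u.scheme != "https":
            continue          # the Secure attribute is what stops the plaintext send
        sent.append(c.name)
    return sent


def simulate_http_link(jar: list, http_url: str) -> dict:
    """Victim follows an http:// link; the server answers 301 to the https URL.

    Whatever is in `leaked_on_http` was already on the wire in the clear
    before the redirect response existed.
    """
    leaked = cookies_for_request(jar, http_url)
    location = "https://" + http_url[len("http://"):]
    return {"leaked_on_http": leaked, "location": location,
            "sent_on_https": cookies_for_request(jar, location)}


# Constructed sample headers; the value is a placeholder, not a real session id.
WEAK_SET_COOKIE = "PHPSESSID=constructed0123456789abcdef; Path=/"
HARDENED_SET_COOKIE = "PHPSESSID=constructed0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax"
LINK = "http://example.com/profile.php"   # the http:// link from the demo


def demo() -> dict:
    """Run the scenario once with the weak cookie and once with the hardened one."""
    weak = simulate_http_link([parse_set_cookie(WEAK_SET_COOKIE, "example.com")], LINK)
    hardened = simulate_http_link([parse_set_cookie(HARDENED_SET_COOKIE, "example.com")], LINK)
    return {"weak": weak, "hardened": hardened}


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, audit_set_cookie(hdr) or ["ok"])
    print(demo())
```

With the weak header the simulated jar reports PHPSESSID in `leaked_on_http`, exactly the disclosure the Burp intercept shows; with `Secure` set the http:// request carries nothing and the cookie is first sent on the https:// URL named in the Location header. The Secure attribute is the fix the demo points at; HTTP Strict Transport Security is the complementary server-side control that makes a compliant browser rewrite the http:// link to https:// before it issues the request at all.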