1
00:00:01,599 --> 00:00:04,799
Okay guys, this is the first demo in
2
00:00:03,759 --> 00:00:07,599
this course, and
3
00:00:04,799 --> 00:00:09,599
what I'm going to show you is the forgot
4
00:00:07,599 --> 00:00:12,558
password functionality. So I've got
5
00:00:09,599 --> 00:00:14,000
a testing web application here, and let's
6
00:00:12,558 --> 00:00:16,559
assume that I have forgotten
7
00:00:14,000 --> 00:00:17,198
my password, so I'm going to use the
8
00:00:16,559 --> 00:00:19,839
forgot
9
00:00:17,199 --> 00:00:20,400
password functionality. I'm going to put
10
00:00:19,839 --> 00:00:25,198
my
11
00:00:20,399 --> 00:00:27,439
email here: david@example.com.
12
00:00:25,199 --> 00:00:28,720
Right, this is my email, and I just want
13
00:00:27,439 --> 00:00:31,198
to receive
14
00:00:28,719 --> 00:00:32,719
a password reset link, right? So let me
15
00:00:31,199 --> 00:00:35,280
click this, and you see that a password
16
00:00:32,719 --> 00:00:39,200
reset link has been sent to your email.
17
00:00:35,280 --> 00:00:42,480
Okay, that's cool. Let me go to my mailbox
18
00:00:39,200 --> 00:00:46,399
right now. I'm going to
19
00:00:42,479 --> 00:00:49,279
log in and
20
00:00:46,399 --> 00:00:51,198
see. You will see that indeed I have
21
00:00:49,280 --> 00:00:54,879
received the password reset link. Yes,
22
00:00:51,198 --> 00:00:57,679
indeed it is here, and
23
00:00:54,878 --> 00:00:58,238
yeah, the password reset link actually is
24
00:00:57,679 --> 00:01:01,600
here,
25
00:00:58,238 --> 00:01:04,239
right, so it's inside of the email.
26
00:01:01,600 --> 00:01:06,478
So now I'm going to click this password
27
00:01:04,239 --> 00:01:08,880
reset link, and I'm going to show you
28
00:01:06,478 --> 00:01:10,478
how this automatic leakage of the password
29
00:01:08,879 --> 00:01:14,640
reset link
30
00:01:10,478 --> 00:01:14,640
can happen. So let me click it.
31
00:01:14,959 --> 00:01:18,719
And this is what I see. So I'm actually,
32
00:01:17,920 --> 00:01:23,439
as you can see,
33
00:01:18,719 --> 00:01:26,079
I am asked to enter a new password, right,
34
00:01:23,438 --> 00:01:27,199
so it works as intended. But now the
35
00:01:26,079 --> 00:01:30,078
question is
36
00:01:27,200 --> 00:01:32,400
whether there is some kind of data that
37
00:01:30,078 --> 00:01:34,078
is loaded from an external domain,
38
00:01:32,400 --> 00:01:35,920
and I'm going to show you how you can
39
00:01:34,078 --> 00:01:38,399
easily use
40
00:01:35,920 --> 00:01:39,359
DevTools to find out if a given, for
41
00:01:38,400 --> 00:01:41,359
example, image
42
00:01:39,359 --> 00:01:42,640
is loaded from an external domain or not,
43
00:01:41,359 --> 00:01:45,359
how you can do it
44
00:01:42,640 --> 00:01:47,680
quickly. So basically what we've got
45
00:01:45,359 --> 00:01:50,399
right now: we've got the password reset link
46
00:01:47,680 --> 00:01:51,439
in the URL bar, please take a look out
47
00:01:50,399 --> 00:01:53,840
there.
48
00:01:51,438 --> 00:01:54,798
We are asked to enter a new password, and
49
00:01:53,840 --> 00:01:57,280
now we've got some
50
00:01:54,799 --> 00:01:58,960
kind of image here. We've got some kind
51
00:01:57,280 --> 00:02:01,920
of image here, right?
52
00:01:58,959 --> 00:02:02,478
So let me use DevTools, and DevTools
53
00:02:01,920 --> 00:02:05,759
are
54
00:02:02,478 --> 00:02:06,718
built into the browser, so I can easily
55
00:02:05,759 --> 00:02:08,479
use them to
56
00:02:06,718 --> 00:02:09,919
quickly learn something
57
00:02:08,479 --> 00:02:13,120
about the web application.
58
00:02:09,919 --> 00:02:16,719
Right now I'm going to open Dev
59
00:02:13,120 --> 00:02:17,840
Tools, and I will use the Inspector in
60
00:02:16,719 --> 00:02:19,759
DevTools,
61
00:02:17,840 --> 00:02:22,800
because when I've got the Inspector I can
62
00:02:19,759 --> 00:02:26,639
move my mouse over a given element
63
00:02:22,800 --> 00:02:29,840
and I can just see the underlying
64
00:02:26,639 --> 00:02:34,399
HTML, right? And what you can see here is
65
00:02:29,840 --> 00:02:34,400
that this image is loaded from the domain
66
00:02:34,840 --> 00:02:40,000
silesiasecuritylab.com. And yeah, so
67
00:02:36,959 --> 00:02:40,800
this kind of attack, leakage of the password
68
00:02:40,000 --> 00:02:42,878
reset link,
69
00:02:40,800 --> 00:02:44,800
should happen in this web app, right,
70
00:02:42,878 --> 00:02:46,079
because we've got the password reset link in
71
00:02:44,800 --> 00:02:49,599
the URL
72
00:02:46,080 --> 00:02:50,160
and this image has been actually loaded
73
00:02:49,598 --> 00:02:52,878
from
74
00:02:50,159 --> 00:02:54,479
an external domain, right? My application, my
75
00:02:52,878 --> 00:02:56,000
testing web application, is hosted on the
76
00:02:54,479 --> 00:02:57,799
domain example.com,
77
00:02:56,000 --> 00:02:59,598
the image is loaded from
78
00:02:57,800 --> 00:03:02,800
silesiasecuritylab.com, so we've got
79
00:02:59,598 --> 00:03:03,199
two different domains. Cool, so this
80
00:03:02,800 --> 00:03:05,200
problem
81
00:03:03,199 --> 00:03:06,560
should happen. And now I'm gonna show you
82
00:03:05,199 --> 00:03:08,639
how you can check
83
00:03:06,560 --> 00:03:10,878
on your own if this problem happens in
84
00:03:08,639 --> 00:03:13,679
the web application or not.
85
00:03:10,878 --> 00:03:15,518
So what I'm going to do right now is I'm
86
00:03:13,680 --> 00:03:17,680
going to go to the Network
87
00:03:15,519 --> 00:03:19,280
tab. Right now in the DevTools you've
88
00:03:17,680 --> 00:03:21,920
got also the Network tab,
89
00:03:19,280 --> 00:03:22,640
and the Network tab is really cool because
90
00:03:21,919 --> 00:03:26,479
in the
91
00:03:22,639 --> 00:03:28,798
Network tab you can just
92
00:03:26,479 --> 00:03:29,518
see the outgoing requests from the
93
00:03:28,799 --> 00:03:31,760
browser,
94
00:03:29,519 --> 00:03:32,719
and this is exactly what I want to do. So
95
00:03:31,759 --> 00:03:36,639
I want to
96
00:03:32,719 --> 00:03:38,878
reload this web page, so this is like
97
00:03:36,639 --> 00:03:40,079
clicking the password reset link again
98
00:03:38,878 --> 00:03:41,840
from the mailbox.
99
00:03:40,080 --> 00:03:43,680
I'm going to reload it, and I'm going to
100
00:03:41,840 --> 00:03:45,920
observe the outgoing
101
00:03:43,680 --> 00:03:47,360
requests from the browser. So let me do it,
102
00:03:45,919 --> 00:03:49,919
and that's why I'm using the
103
00:03:47,360 --> 00:03:51,440
Network tab in the DevTools. So let me
104
00:03:49,919 --> 00:03:55,359
reload it.
105
00:03:51,439 --> 00:03:58,400
Right, and cool, you see that
106
00:03:55,360 --> 00:04:01,840
four requests have been sent:
107
00:03:58,400 --> 00:04:06,799
three requests to the domain example.com
108
00:04:01,840 --> 00:04:06,799
and one request to the domain
109
00:04:07,080 --> 00:04:11,040
silesiasecuritylab.com,
110
00:04:08,639 --> 00:04:15,039
and this is the request that was
111
00:04:11,039 --> 00:04:17,120
sent to fetchimage.png from this domain.
112
00:04:15,039 --> 00:04:18,478
So let me now click this request and see
113
00:04:17,120 --> 00:04:20,560
the details, right,
114
00:04:18,478 --> 00:04:21,839
because I want to show you the Referer
115
00:04:20,560 --> 00:04:25,040
header out there.
116
00:04:21,839 --> 00:04:25,519
Let me make it a little bit bigger right
117
00:04:25,040 --> 00:04:28,479
now,
118
00:04:25,519 --> 00:04:30,399
and yeah, this request. Let me go down, and
119
00:04:28,478 --> 00:04:33,039
I want to show you
120
00:04:30,399 --> 00:04:34,799
the request headers. So as you can see
121
00:04:33,040 --> 00:04:38,479
here,
122
00:04:34,800 --> 00:04:41,680
the Host is silesiasecuritylab.com,
123
00:04:38,478 --> 00:04:44,319
and now let me show you the Referer header.
124
00:04:41,680 --> 00:04:47,439
Can you see that? What we've got in the
125
00:04:44,319 --> 00:04:50,959
Referer header is the password reset link:
126
00:04:47,439 --> 00:04:53,600
example.com/reset.php
127
00:04:50,959 --> 00:04:55,439
?token= and the value of my
128
00:04:53,600 --> 00:04:58,720
password reset token.
129
00:04:55,439 --> 00:05:01,000
So my password reset token,
130
00:04:58,720 --> 00:05:03,280
my password reset link, has been
131
00:05:01,000 --> 00:05:06,319
automatically disclosed
132
00:05:03,279 --> 00:05:07,198
to the external domain at the time of
133
00:05:06,319 --> 00:05:10,000
fetching the
134
00:05:07,199 --> 00:05:11,120
image from the external domain. This is
135
00:05:10,000 --> 00:05:14,560
how it works.
136
00:05:11,120 --> 00:05:16,240
Now I believe that this is clear, and now
137
00:05:14,560 --> 00:05:19,120
you also know how you can
138
00:05:16,240 --> 00:05:21,519
check if this problem exists in the
139
00:05:19,120 --> 00:05:23,519
web application. So you can go,
140
00:05:21,519 --> 00:05:25,599
take your program, take the web
141
00:05:23,519 --> 00:05:28,000
application, and now just
142
00:05:25,600 --> 00:05:29,439
follow the steps, and so you can find out
143
00:05:28,000 --> 00:05:32,240
whether this problem
144
00:05:29,439 --> 00:05:33,439
happens or not. So this is how it
145
00:05:32,240 --> 00:05:36,639
works. You see that this is
146
00:05:33,439 --> 00:05:39,759
a really severe problem, and
147
00:05:36,639 --> 00:05:42,319
yeah, very nice, very nice bug. This is
148
00:05:39,759 --> 00:05:43,840
basically it in this demo. I believe
149
00:05:42,319 --> 00:05:46,879
that everything is clear.
150
00:05:43,839 --> 00:05:47,519
I hope that you like it. So let me
151
00:05:46,879 --> 00:05:53,839
right now
152
00:05:47,519 --> 00:05:53,839
jump to the second bug from our list.