Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,520 --> 00:00:06,398 welcome back guys the 2 00:00:03,198 --> 00:00:09,759 second bug from our list of 3 00:00:06,399 --> 00:00:11,440 five carefully selected bugs how to get 4 00:00:09,759 --> 00:00:14,718 access to the account 5 00:00:11,439 --> 00:00:19,439 of the logged out user 6 00:00:14,718 --> 00:00:22,719 so let me make some kind of introduction 7 00:00:19,439 --> 00:00:24,000 when the user has been authenticated to 8 00:00:22,719 --> 00:00:25,919 the web application so the 9 00:00:24,000 --> 00:00:28,719 authentication is typically 10 00:00:25,920 --> 00:00:29,599 you know providing email and password 11 00:00:28,719 --> 00:00:31,839 then the only 12 00:00:29,599 --> 00:00:32,880 piece of data that is used by the web 13 00:00:31,839 --> 00:00:36,000 application 14 00:00:32,880 --> 00:00:37,120 to recognize the user is a cookie with 15 00:00:36,000 --> 00:00:40,238 session id 16 00:00:37,119 --> 00:00:42,640 the so-called authentication cookie 17 00:00:40,238 --> 00:00:44,078 and this is what you let's say have to 18 00:00:42,640 --> 00:00:47,120 know at the very beginning 19 00:00:44,079 --> 00:00:49,439 of our journey in this case now 20 00:00:47,119 --> 00:00:51,280 i'm gonna tell you something about log 21 00:00:49,439 --> 00:00:54,640 out functionality right 22 00:00:51,280 --> 00:00:58,079 so the user is going to log out 23 00:00:54,640 --> 00:01:00,000 and what typically happens in in web 24 00:00:58,079 --> 00:01:01,679 applications is like this 25 00:01:00,000 --> 00:01:03,119 when the user logs out the 26 00:01:01,679 --> 00:01:07,118 authentication cookie 27 00:01:03,119 --> 00:01:09,118 is deleted from the user's browser 28 00:01:07,118 --> 00:01:11,599 well it's deleted from the user browser 29 00:01:09,118 --> 00:01:14,478 so the user can no longer 30 00:01:11,599 --> 00:01:16,559 go to his profile because well the user 31 00:01:14,478 --> 00:01:19,359 seems to be no longer logged in 32 00:01:16,560 --> 00:01:21,680 right because there is no authentication 33 00:01:19,359 --> 00:01:24,400 cookie it has been deleted 34 00:01:21,680 --> 00:01:25,360 but the question is right now does it 35 00:01:24,400 --> 00:01:29,040 actually mean 36 00:01:25,359 --> 00:01:30,799 that the user is really locked out well 37 00:01:29,040 --> 00:01:32,079 the cookie was deleted from the user's 38 00:01:30,799 --> 00:01:35,200 browser but 39 00:01:32,078 --> 00:01:38,319 is it enough the answer is no 40 00:01:35,200 --> 00:01:39,200 it's not enough it's it's definitely not 41 00:01:38,319 --> 00:01:42,559 enough 42 00:01:39,200 --> 00:01:45,840 because the authentication cookie has to 43 00:01:42,560 --> 00:01:48,799 be invalidated on the server side 44 00:01:45,840 --> 00:01:49,439 at the time of logging out in other 45 00:01:48,799 --> 00:01:51,920 words 46 00:01:49,438 --> 00:01:53,839 it doesn't matter what happens on the 47 00:01:51,920 --> 00:01:55,280 client side so what happens in the 48 00:01:53,840 --> 00:01:57,520 browser of the user 49 00:01:55,280 --> 00:01:58,399 like you know deleting the cookie with 50 00:01:57,519 --> 00:02:01,359 session id 51 00:01:58,399 --> 00:02:03,439 it doesn't matter what matters is what 52 00:02:01,359 --> 00:02:06,478 happens on the server side 53 00:02:03,438 --> 00:02:08,799 so you have to invalidate the 54 00:02:06,478 --> 00:02:10,560 authentication cookie on the server side 55 00:02:08,800 --> 00:02:15,280 at the time of logging out 56 00:02:10,560 --> 00:02:19,120 then the user is really logged out 57 00:02:15,280 --> 00:02:21,199 if it doesn't happen then the attacker 58 00:02:19,120 --> 00:02:24,480 can get access to the account 59 00:02:21,199 --> 00:02:27,119 of the logged out user 60 00:02:24,479 --> 00:02:28,799 and now let me explain even more when 61 00:02:27,120 --> 00:02:30,719 you just delete 62 00:02:28,800 --> 00:02:32,560 the authentication cookie from the 63 00:02:30,719 --> 00:02:35,039 browser of the user 64 00:02:32,560 --> 00:02:36,318 then the user seems to be locked out but 65 00:02:35,039 --> 00:02:38,479 from the point of view 66 00:02:36,318 --> 00:02:39,839 of the server from the point of view of 67 00:02:38,479 --> 00:02:43,518 the web application 68 00:02:39,840 --> 00:02:46,560 the user is still logged in 69 00:02:43,519 --> 00:02:49,200 right so this is it 70 00:02:46,560 --> 00:02:50,959 this is a kind of maybe mysterious at 71 00:02:49,199 --> 00:02:51,439 the very beginning that the user seems 72 00:02:50,959 --> 00:02:54,640 to be 73 00:02:51,439 --> 00:02:56,560 logged out but in fact he is still 74 00:02:54,639 --> 00:02:58,799 logged in but this is how it works 75 00:02:56,560 --> 00:03:00,000 now i believe that you follow my 76 00:02:58,800 --> 00:03:02,879 reasoning 77 00:03:00,000 --> 00:03:04,239 and i have seen quite many web 78 00:03:02,878 --> 00:03:06,959 applications 79 00:03:04,239 --> 00:03:08,000 that were vulnerable to this kind of 80 00:03:06,959 --> 00:03:09,680 attack 81 00:03:08,000 --> 00:03:11,120 and of course the impact here is very 82 00:03:09,680 --> 00:03:13,519 nice it's like you know 83 00:03:11,120 --> 00:03:14,480 getting access to the account of the 84 00:03:13,519 --> 00:03:17,920 logged out user 85 00:03:14,479 --> 00:03:18,878 very nice very very cool so now without 86 00:03:17,919 --> 00:03:21,359 further delay 87 00:03:18,878 --> 00:03:22,959 let me jump to the demo let me show you 88 00:03:21,360 --> 00:03:25,519 how it really works 89 00:03:22,959 --> 00:03:26,479 i really want you to understand all the 90 00:03:25,519 --> 00:03:29,599 details here 91 00:03:26,479 --> 00:03:31,039 and i want you to be able to check if 92 00:03:29,598 --> 00:03:33,839 the web application 93 00:03:31,039 --> 00:03:34,878 of your own choice is vulnerable to this 94 00:03:33,840 --> 00:03:40,400 problem or not 95 00:03:34,878 --> 00:03:40,399 so let's jump right now to the demo 6375