1
00:00:01,050 --> 00:00:09,120
Let's see how we can use a SQL injection to bypass authentication of our bookshelf login page. To test
2
00:00:09,120 --> 00:00:15,500
this, let's first verify if the login feature of this application is working as expected.
3
00:00:16,050 --> 00:00:21,420
So let's first log in using valid credentials, Bob and Bob.
4
00:00:23,640 --> 00:00:26,430
And as you can see, we are able to log in successfully.
5
00:00:27,150 --> 00:00:35,610
I'm logging out and now let's try to enter invalid credentials and see what happens.
6
00:00:37,440 --> 00:00:40,830
As expected, it says invalid username and password.
7
00:00:40,890 --> 00:00:43,770
So the login feature is working as expected.
8
00:00:44,280 --> 00:00:49,160
Now let's try to bypass authentication using a SQL injection payload.
9
00:00:51,060 --> 00:00:58,050
I will use X or X equals X.
10
00:00:58,350 --> 00:01:00,670
This is a standard SQL injection payload.
11
00:01:00,690 --> 00:01:02,630
Let me quickly explain how this works.
12
00:01:04,500 --> 00:01:14,490
The existing query that we have here is select star from users table, where the username
13
00:01:17,130 --> 00:01:19,800
equals something in single quotes.
14
00:01:20,220 --> 00:01:24,920
And that's exactly the reason why we are just putting this payload here.
15
00:01:25,650 --> 00:01:31,800
We have an opening single quote here for username and we only have one closing single quote as well
16
00:01:31,800 --> 00:01:32,900
in the query itself.
17
00:01:33,240 --> 00:01:41,040
So we are not providing that first and last single quote in our payload, but we are providing the rest
18
00:01:41,040 --> 00:01:43,260
of the string. Similarly,
19
00:01:44,520 --> 00:01:49,350
and password equals this.
20
00:01:49,590 --> 00:01:57,670
This is the existing query once again and we are providing X or X equals X here as well.
21
00:01:58,230 --> 00:02:04,130
So if everything goes fine, the username is going to be looking for X, which is going to fail.
22
00:02:04,590 --> 00:02:09,960
But the other condition which is with or is going to succeed because X is always X.
23
00:02:10,380 --> 00:02:15,340
Similarly here, the password is X is going to fail, but this is going to succeed.
24
00:02:15,660 --> 00:02:23,070
So overall, this query is going to succeed because this whole field is going to return true. This whole
25
00:02:23,070 --> 00:02:23,390
part
26
00:02:23,430 --> 00:02:26,550
is also going to return true, so the entire query returns
27
00:02:26,560 --> 00:02:26,810
true.
28
00:02:27,300 --> 00:02:39,690
So let's go back to the browser and let's enter X or X equals X without those single quotes in the beginning
29
00:02:39,690 --> 00:02:40,500
and ending.
30
00:02:41,490 --> 00:02:42,840
So that should be the payload.
31
00:02:43,320 --> 00:02:47,940
I'm just copying this and I'm going to paste it in the password field as well.
32
00:02:48,390 --> 00:02:49,710
And let's click login.
33
00:02:51,720 --> 00:02:56,860
There it is, if you notice, we have managed to bypass authentication of this login page.
34
00:02:57,540 --> 00:03:02,970
Now it is just picking the username from the user-supplied input string.
35
00:03:03,540 --> 00:03:07,800
In some cases you may just see the user who is at the top of the table.
36
00:03:08,740 --> 00:03:09,610
That doesn't matter.
37
00:03:09,640 --> 00:03:16,270
We have managed to bypass authentication and we can now use the features that are otherwise accessible
38
00:03:16,270 --> 00:03:18,280
only for authenticated users.
39
00:03:19,000 --> 00:03:23,680
So this is how authentication can be bypassed using a SQL injection.
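As an added example that is not part of the video, here is the login query the speaker reads out, built by string concatenation in Python with sqlite3, next to the parameterised version that the same payload cannot bypass. The users table, its two rows and the function names are constructed for this demo; it also shows the "top of the table" effect mentioned above, since the injected WHERE clause matches every row and the first one is returned.

```python
import sqlite3

# Constructed demo table with two users, so we can see which row the bypass returns.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "bob")])
    return conn

def build_vulnerable_query(username, password):
    # The query as described in the video: the user-supplied strings are
    # dropped straight into the single-quoted literals.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def vulnerable_login(conn, username, password):
    # Returns the matched username, or None when no row matches.
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None

def safe_login(conn, username, password):
    # Parameterised query: the driver binds the values, so a quote inside the
    # input can never terminate the literal or add a new condition.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

# The payload from the video, without the outer single quotes.
PAYLOAD = "x' or 'x'='x"

def demo():
    conn = make_db()
    return {
        "valid_vuln": vulnerable_login(conn, "bob", "bob"),      # normal login works
        "invalid_vuln": vulnerable_login(conn, "bob", "wrong"),  # bad password rejected
        "payload_vuln": vulnerable_login(conn, PAYLOAD, PAYLOAD),  # bypass: first row
        "payload_safe": safe_login(conn, PAYLOAD, PAYLOAD),      # rejected
        "valid_safe": safe_login(conn, "bob", "bob"),            # still works
    }

if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    print(demo())
```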