Time: 23 hours 21 minutes
Difficulty: Intermediate
CEU/CPE: 14

Video Transcription

00:01
Hi. Welcome back to the course. So, in module nine, we wrapped up our discussion on session hijacking.
00:07
Here in Module 10, we're gonna talk about Web servers and Web applications, and specifically talk about some attacks.
00:15
So what is a Web server? Well, basically, it's server software or hardware that can actually, quote unquote, serve content out to the Internet or the World Wide Web.
00:25
So it responds to requests from a client. So, for example, I want to go to google.com; Google's Web server is gonna give a response to me and serve me up the particular pages that I want to see.
00:37
So the requests are generally gonna go through port 80 for HTTP or port 443 for HTTPS.
00:44
And again, the server waits until I, or you, or somebody sends a GET request to get the content off that server.
00:53
So, HTTP request methods: we've got GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT, and we're gonna go through each one of those.
01:03
So the GET method. Basically, that's gonna request data from a resource, and it can also send data, but the data is gonna be tagged onto the URL. So, for example, if I was trying to do something on this website and check out, it's gonna tag my credit card number onto the URL when I go to check out.
01:21
The HEAD method is similar to GET, but the server must not return a message body in the response.
01:27
And so it's basically a method that's used for requesting headers or metadata, and then it can also be used for testing hypertext links for accessibility, modifications or validity.
01:40
The POST method.
01:41
So this is used to request that the origin server accept the entity enclosed in the request as a new subordinate. And so basically the function of the POST is determined by the server itself.
01:53
This is a good method of submitting data to a resource for processing, and safer than GET. But basically, in the context of that, it's not stored in the browser history, although an admin can configure it that way.
02:07
The PUT method.
02:08
So this requests that the enclosed entity be stored under the supplied Request-URI. So basically the URI is gonna point to the existing resource. So then, if there is an existing resource, the enclosed entity is gonna be considered a modified version; if there's not an existing resource, then it's gonna mark this one as the resource.
02:30
The DELETE method. So it requests that the origin server delete the resource that's identified by the Request-URI.
02:39
And then the TRACE method. So this is used to invoke a remote application-layer loopback. So think of it in the context of a trace of the request message.
02:49
The CONNECT method.
02:51
So this is reserved for use with a proxy that can dynamically switch to being a tunnel as well.
03:00
So Web server attacks: kind of the main one for the Web server itself, without applications, is gonna be directory traversal. And so basically, in that, the attacker's trying to get to the root directory or some other type of directory. So let's say we give them a directory where they can access, you know, the Grumpy Cat pictures, right?
03:19
So now what they're going to try to do with the URL
03:22
is do what's called the dot-dot-slash attack. Essentially, like you see in this example here, but it might be a longer string there; essentially they're trying to get back to the root level, and then they can access whatever they want to.
03:37
So some of the different tools we can use: [inaudible] is kind of for the Web server itself, and then you've got, like, Burp Suite for the Web applications, and so on. So for that, there's a lot of tools out there for Web application penetration testing.
03:53
And then also another thing we can do as an attacker is we can do website mirroring; one tool we can do this with is HTTrack. So basically what website mirroring is, is this: so you have a website and I want to attack you. So I go and I use one of these tools and I basically grab a copy of your entire website.
04:09
So, you know, I could go through that. I can look for vulnerabilities, what software you're running.
04:14
I could find all these little loopholes, and then I come back to your website and try them out. You know, I see if I can get into your stuff.
04:19
So that's really just website mirroring in a nutshell. As the name implies, we're making a mirrored copy of that website. But it's something we can use offline to try to analyze, to look for different vulnerabilities.
04:30
So this video was just kind of a quick overview of Web servers, and in the next video we're gonna jump into different Web application items. Specifically, we're gonna go through the whole OWASP Top 10.
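The dot-dot-slash traversal the video describes, seen from the defender's side: an added example (not part of the course or its transcript) of the path-containment check a Web server should apply before it serves a file. The document root and the request paths are constructed for this example; on a real filesystem you would additionally resolve symlinks with os.path.realpath.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for this example; the server may only serve files below it.
WEB_ROOT = "/var/www/html"


def resolve_request_path(url_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map a URL path onto the filesystem below web_root.

    Returns the absolute filesystem path to serve, or None when the request
    would escape the document root (the ../ traversal from the video).
    """
    # Decode percent-encoding twice: a single pass turns %252e%252e into
    # %2e%2e, which a later layer might decode again into "..".
    decoded = unquote(unquote(url_path))
    # Some servers treat backslashes as separators, so normalise them too.
    decoded = decoded.replace("\\", "/")
    # Join below the root first, then collapse every "." and ".." segment.
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    root = web_root.rstrip("/")
    # Containment check: the result must be the root itself or a path under it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def classify_requests(url_paths):
    """Return {url_path: resolved_path_or_None} for a batch of request paths."""
    return {p: resolve_request_path(p) for p in url_paths}


if __name__ == "__main__":
    # Constructed sample requests: a normal fetch of the cat pictures, then
    # traversal attempts in plain, percent-encoded and double-encoded form.
    sample = [
        "/cats/grumpy.jpg",
        "/cats/../cats/grumpy.jpg",
        "/../../etc/passwd",
        "/cats/%2e%2e/%2e%2e/etc/passwd",
        "/cats/..%252f..%252f..%252fetc/passwd",
    ]
    for path, resolved in classify_requests(sample).items():
        print(f"{path!r:45} -> {resolved or 'REJECTED (escapes document root)'}")
```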

Instructed By

Ken Underhill
Master Instructor at Cybrary