OWASP

Course
Time
4 hours 32 minutes
Difficulty
Beginner
CEU/CPE
24

Video Transcription

00:01
everyone Welcome back to the core. So in the last video, we cover door busters who went ahead around the tool. We want to find out if we find any files with this tool, which we noticed that we did actually find files and directories with the tool. Now you'll see I still got it pulled up in the background. If your skin is still running, go ahead. Click to stop under the bottom that will stop the scan were actually all done with Third Buster
00:20
in this video. Where to cover their messaging. So we're gonna take a look at a particular air message. We'll try to see if there's any sensitive information being sent back out from the air message. So potentially that's something that an attacker could do something.
00:34
Then get air message back that may tell them a lot of information about our system.
00:38
So here we could go and just x out of the door, buster. And also our terminal window. We're not gonna need that anymore as well, but we'll go back to our fire fox. I just go and click back on the icon. If you haven't close the browser and then we just want to go back to the main page of me, Attila Day. So again, the way we do that, it's We just click on the Mattila Day icon at the top left,
00:57
and they'll take us back to the main page here.
01:00
All right, So what we want to do now is worried and navigate to a lost 2017.
01:06
The injections of the A one injection the sequel injection SQL. I extract data and then use her influence. We're going to the user info page.
01:14
So let's go and do that. Now.
01:15
We lost 2017 injection sequel
01:19
SQL. I extract data, and then the user info page he's going click on that might take a second or so it'll launch doesn't usually take too long to redirect you to that page.
01:30
All right, so all we're gonna do here is we're just gonna actually type a single quote
01:34
in the name field, and then we're just gonna either hit enter our keyboard or click the view accounts view account details button. So just put
01:42
single quotation in there, and then either a press enter or click the button at the bottom and we're gonna see what kind of information we may get back.
01:51
All right, so we see some information down there, Let's scroll down just a little bit. All right? So
01:55
several questions here. So look through this data
01:59
course number one, do you see an air message on the page?
02:02
All right, so we that was this one is pretty easy. We see an error message that says right there. So obviously we haven't the error message right here.
02:09
All right. Question Number two is a page vulnerable to a sequel. Injection attack.
02:15
Well, what I see is I see right here says you haven't Aaron your sequel, syntax. So that indicates to me that it's potentially vulnerable to a sequel. Injection attack.
02:25
All right. Course number three doesn't air Miss it. Show you how the actual sequel queries should be used.
02:31
Well, that's another. Yes, right. We're able to see that. Here's our queries. Were able to see that. Okay, We need to put select, and we need you selected from where, you know, accounts. And then also there's something else named user names and passwords, etcetera. So it does tell us information about how things are structured.
02:50
What other information do you see in their message. So is there any other information that you see in this particular air message?
03:00
All right, so one thing that jumps out at me is I see client information here, So that tells me the operating system early. Excuse me? The version of the software and use so that my sequel server, it's telling me this is a version and you. So if I know exploits for that version, I should be good to go as far as compromising this particular system.
03:19
So that actually wraps up our lab on looking at the air messages. Now you'll notice on my screen. I've got a little pop up talking about. Hey, you've got 10 minutes left. So you may see that as you go through these labs always just say yes to that, like, I'll take extra time. That's great. And then it gives you a notification that you actually have extra time available
03:38
and if you're not familiar with it at the very top, right? And tell you how many minutes you have remaining in the lab. Generally speaking, in most cases, once you get about 10 down to like 10 minutes, they'll send you those little alerts and say, Hey, you need to you know you need to add more time or do you want to look out?
03:53
All right, so in this video, as I mentioned, we wrapped up our discussion on sensitive data exposure. So in this particular video, we went ahead and looked air messaging to see if they're sensitive information being leaked out
04:03
in the next module order to cover XML external entities.

Up Next

OWASP

Established in 2001, the Open Web Application Security Project (OWASP) offers free security tools and resources to help organizations protect critical apps. Cybrary’s OWASP training course covers the organization’s popular “Top 10” risk assessment.

Instructed By

Instructor Profile Image
Ken Underhill
Master Instructor at Cybrary
Master Instructor