1 00:00:02,630 --> 00:00:11,210 OK, so let's increase the security level to the high security, which is fairly secure, so sometimes it
2 00:00:11,210 --> 00:00:14,850 can be bypassed, sometimes it can be bypassed.
3 00:00:15,200 --> 00:00:19,450 And in this lecture I'm actually just going to highlight something for you.
4 00:00:19,550 --> 00:00:23,420 So let's try and use the same exploit that we were using before.
5 00:00:23,780 --> 00:00:31,600 So if we copy this, and we're going to turn on our interceptor, and just I'm going to put a normal username
6 00:00:31,670 --> 00:00:32,930 and password for this now,
7 00:00:38,200 --> 00:00:43,980 and then we're going to intercept it here and modify it like we did in the previous video.
8 00:00:50,360 --> 00:00:54,140 OK, now we're going to forward that.
9 00:00:54,280 --> 00:00:59,320 And as you can see it's telling us there is a bad username and password, so obviously this is more secure.
10 00:00:59,540 --> 00:01:06,320 And actually in this particular case, in this page, this is not injectable anymore with this security
11 00:01:06,320 --> 00:01:07,280 level.
12 00:01:07,400 --> 00:01:13,170 It doesn't implement the best security practice, but for this specific case it's secure enough.
13 00:01:13,280 --> 00:01:14,070 So I'm going to have a.
14 00:01:14,120 --> 00:01:18,500 We're going to have a quick look at it, but it's not the best way to secure your website, so we're going
15 00:01:18,500 --> 00:01:21,130 to talk about the security part at the end of the section.
16 00:01:21,260 --> 00:01:25,500 And we're going to talk about the best way to secure yourself against SQL injections.
17 00:01:25,580 --> 00:01:31,790 But for now this is noteworthy to see, because it's a quick implementation, and if you know what you're
18 00:01:31,790 --> 00:01:37,400 doing you can fix your problem quickly. Say, for example, if you had a problem and you don't have enough
19 00:01:37,400 --> 00:01:43,010 time to change the implementation to the most secure way, which we're going to talk about later, then
20 00:01:43,190 --> 00:01:49,030 you can just do it this way quickly, just so that you are secure enough until you can implement
21 00:01:49,030 --> 00:01:52,120 it and change the code to be more secure.
22 00:01:52,430 --> 00:01:54,390 So what they're doing in this page now.
23 00:01:54:500 --> 00:02:00,790 Again, this doesn't always secure you 100 percent, but in this particular case it is secure.
24 00:02:01,070 --> 00:02:09,230 So this is the code for the login, and right here we have the case one, which is the arrogant or the security
25 00:02:09,230 --> 00:02:09,970 number one.
26 00:02:10,130 --> 00:02:13,450 And here we have the code for security level five.
27 00:02:13,640 --> 00:02:16,790 So you can compare the two codes.
28 00:02:16,960 --> 00:02:21,080 The main difference is this select statement.
29 00:02:21,250 --> 00:02:26,110 So I'm going to delete everything and I'm just going to keep these two select statements so we can compare
30 00:02:26,110 --> 00:02:28,860 them.
31 00:02:28,890 --> 00:02:36,440 OK, so you can see here in the not very secure statement we select star from accounts where the
32 00:02:36,440 --> 00:02:41,030 username is dollar username and the password is dollar password.
33 00:02:41,040 --> 00:02:50,230 So basically whatever you put in the text boxes for the username and password is being directly used
34 00:02:50,230 --> 00:02:50,920 in here.
35 00:02:50,920 --> 00:02:55,950 Now there was client-side filtration and we were able to bypass that using the proxy.
36 00:02:56,080 --> 00:03:00,650 So whatever we input in the proxy was being substituted in here.
37 00:03:00,760 --> 00:03:09,700 So we could modify the code by setting the username is equal to or one is equal to one
38 00:03:09,710 --> 00:03:11,540 and then we added a comment.
39 00:03:11,540 --> 00:03:18,410 So basically what happened in this statement right here: instead of the username, that was substituted.
40 00:03:18,410 --> 00:03:22,180 So whatever we put in here was substituted.
41 00:03:22,370 --> 00:03:24,910 And this value was injected.
42 00:03:25,070 --> 00:03:35,970 So this was changed to a quotation, and then or one equals one, comment, and all of this was basically
43 00:03:35,970 --> 00:03:41,220 ignored. Everything that comes after this was ignored, which made our statement work.
44 00:03:41,220 --> 00:03:47,550 So as you can see here, we closed the quote that was already inserted and then we added or one is equal
45 00:03:47,550 --> 00:03:50,710 to one, which is a true statement.
46 00:03:50,730 --> 00:04:01,730 We put the username as admin. Actually that's what we did, so this would be admin as well here, so basically
47 00:04:01,730 --> 00:04:06,750 it's selecting anything where username is equal to admin and doesn't care about the password, which
48 00:04:06,770 --> 00:04:09,050 gave us access to the admin account.
49 00:04:09,200 --> 00:04:13,430 Now we could have injected also in the password, saying or one is equal to one.
50 00:04:13,430 --> 00:04:15,230 Again it gives us a true statement.
51 00:04:15,320 --> 00:04:24,610 And this was getting executed in this particular case. Here in the secure one,
52 00:04:24,630 --> 00:04:29,260 what they're doing is they're doing a function which is called real_escape_string.
53 00:04:29,280 --> 00:04:35,520 And what this does, it basically removes characters such as the newline character, the break character
54 00:04:35,880 --> 00:04:40,400 and the quotations, single quote or double quote, so it scans.
55 00:04:40,480 --> 00:04:46,410 It scans the input that we put right here and it removes any quotations that we put.
56 00:04:46,410 --> 00:04:52,530 So we put the single quote right here, or when we were putting in the double quote, and it was removing that.
57 00:04:52,770 --> 00:04:57,410 So when it removes it, it basically renders everything inside it as a string.
58 00:04:58,910 --> 00:05:00,590 Another problem with this now.
59 00:05:01,160 --> 00:05:07,970 I said this is only secure in this particular case because they're also adding a quotation right here before
60 00:05:08,840 --> 00:05:11,450 and after the input.
61 00:05:11,450 --> 00:05:17,490 So if there was no quotation, then our injection, what we need to inject, will not need to contain
62 00:05:17,570 --> 00:05:23,780 a quotation, and then we will be able to bypass this function. But because they're actually
63 00:05:23,780 --> 00:05:30,070 hard-coding quotations in here, right here and right there, at the start and at the end of the
64 00:05:30,070 --> 00:05:33,500 input, and then they're also escaping any quotation.
65 00:05:33,500 --> 00:05:40,270 So if the input contains any quotations they remove them, and then whatever we inject, whatever text you put
66 00:05:40,270 --> 00:05:44,380 in there, will be considered as a string.
67 00:05:44,410 --> 00:05:50,200 So it will only be considered as normal text and it will never be considered as code, therefore it will
68 00:05:50,200 --> 00:05:52,630 never be executed on the server.
69 00:05:52,630 --> 00:05:55,100 Only in this case.
70 00:05:55,340 --> 00:05:58,210 So let's just have an example. So we have our ID here.
71 00:05:58,210 --> 00:06:04,320 So this is the injection that we're always using. So forget to put this.
72 00:06:04,330 --> 00:06:06,140 So this is our username here.
73 00:06:06,160 --> 00:06:12,220 So basically what's happened is this is coming up to the code, and then the code is going to scan this
74 00:06:12,490 --> 00:06:15,300 and it will notice that there is a quotation right here.
75 00:06:15,640 --> 00:06:17,880 And because there is a quotation it's going to remove it.
76 00:06:17,890 --> 00:06:20,220 This particular function will remove it.
77 00:06:20,290 --> 00:06:24,510 So after the function is applied, this will disappear.
78 00:06:24,640 --> 00:06:26,410 And also the function will disappear.
79 00:06:26,410 --> 00:06:30,250 So this is what it's going to look like to the code, to the computer.
80 00:06:30,250 --> 00:06:33,410 This is what it's going to see.
81 00:06:33,470 --> 00:06:40,800 It'll basically just be a normal string, which is contained within two quotes as well.
82 00:06:40,800 --> 00:06:43,050 So we need to move the dots here.
83 00:06:46,860 --> 00:06:51,220 And notice that they are already hard coded, these two quotes.
84 00:06:51,290 --> 00:06:55,060 So because of that our injection will never work.
85 00:06:55,070 --> 00:07:01,310 Now if they didn't include these quotes, if they didn't hard-code them here, if they didn't exist, even though
86 00:07:01,310 --> 00:07:04,190 they used the function, this injection would work.
87 00:07:06,340 --> 00:07:12,040 But because they use the quote, whatever that's going to come in inside the quotes will be considered
88 00:07:12,100 --> 00:07:13,470 as string.
89 00:07:13,570 --> 00:07:20,320 And because they're checking that our input should not contain quotes on the server side, then whatever
90 00:07:20,320 --> 00:07:27,610 we put, it will be stripped out of the quote and it'll never be considered as code.
91 00:07:27,700 --> 00:07:30,760 Again, this isn't the best way to secure your website.
92 00:07:30,760 --> 00:07:32,340 I'll explain the best way
93 00:07:32,390 --> 00:07:34,670 at the last lecture of the section.
94 00:07:34,690 --> 00:07:39,150 But this is a good way to temporarily secure your website
95 00:07:39,160 --> 00:07:42,700 if you didn't have time to implement the proper procedure.
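The comparison the lecture walks through, as an added example that is not the lecture's or Mutillidae's own code: the level-1 query pastes input straight in, the level-5 query escapes the input and wraps it in hard-coded quotes, and a third query shows the edge case the lecture warns about, escaping with no surrounding quotes. The table, accounts and `escape_string` are constructed stand-ins (SQLite escapes a quote by doubling it, where MySQL's mysql_real_escape_string uses a backslash; the behaviour being compared is the same), and the prepared-statement version at the end is my addition, not something the lecture names.

```python
import sqlite3

def make_db():
    # Constructed sample table, not Mutillidae's real schema: two accounts.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [(1, "admin", "adminpass"), (2, "alice", "alicepass")])
    return db

def escape_string(value):
    """Stand-in for mysql_real_escape_string(): neutralise quote characters so
    they cannot terminate the literal they are placed inside. SQLite literals
    escape a quote by doubling it (MySQL would use a backslash)."""
    return value.replace("'", "''").replace('"', '""')

def login_level1(db, username, password):
    # Security level 1 in the lecture: input substituted directly into the SQL.
    sql = "SELECT * FROM accounts WHERE username='%s' AND password='%s'" % (username, password)
    return db.execute(sql).fetchall()

def login_level5(db, username, password):
    # Security level 5: escaping AND hard-coded quotes around each input, so
    # whatever arrives is compared as a string and never parsed as code.
    sql = "SELECT * FROM accounts WHERE username='%s' AND password='%s'" % (
        escape_string(username), escape_string(password))
    return db.execute(sql).fetchall()

def lookup_unquoted(db, account_id):
    # Escaping without the surrounding quotes (the case the lecture says would
    # still be injectable): input with no quote in it passes through untouched
    # and is still interpreted as part of the query.
    sql = "SELECT * FROM accounts WHERE id=%s" % escape_string(account_id)
    return db.execute(sql).fetchall()

def login_parameterized(db, username, password):
    # Added fix (not from the lecture): a prepared statement sends the values
    # separately from the SQL text, so quoting context no longer matters.
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()
```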