1
00:00:03,510 --> 00:00:08,130
In this section, we're going to learn about the app as much as we can.

2
00:00:09,310 --> 00:00:16,450
While discovering the app, we analyze the configurations of the mechanisms used, we collect everything

3
00:00:16,450 --> 00:00:19,720
we find and try to use them to hack the app.

4
00:00:20,350 --> 00:00:27,940
The first step of information gathering is to surf the app as long as we can: visit each page, try to

5
00:00:27,940 --> 00:00:30,310
click on all the links you see, all that.

6
00:00:30,820 --> 00:00:37,600
We can gather a lot of information about the app and the server while analyzing the HTTP headers of the

7
00:00:37,600 --> 00:00:41,770
requests and responses exchanged between the server and the browser.

8
00:00:42,800 --> 00:00:49,340
In addition, we can find some clues, especially for the data manipulation section, while analyzing

9
00:00:49,340 --> 00:00:53,240
the responses which are sent for our targeted requests.

10
00:00:54,520 --> 00:00:57,280
Also, we should look for the open ports of the server.

11
00:00:57,790 --> 00:01:02,770
For example, there might be a content management system hosted on another port of the server where

12
00:01:02,770 --> 00:01:09,040
we can get the management of the entire app. After surfing the whole app and learning its purpose and

13
00:01:09,040 --> 00:01:09,820
mechanisms,

14
00:01:10,120 --> 00:01:15,520
first we should intercept the connection between the browser and the server and analyze the headers

15
00:01:15,520 --> 00:01:17,260
of the requests and responses.

16
00:01:17,920 --> 00:01:22,720
We can find some information about the server, the technology used, etc.

17
00:01:23,710 --> 00:01:31,270
In addition, we can find some clues to the flaws of the app. For example, the cookie in the slide

18
00:01:32,240 --> 00:01:36,710
contains an attribute-value pair, which is security=high.
19
00:01:37,220 --> 00:01:41,210
What if I just replace high with low or none?

20
00:01:41,510 --> 00:01:42,440
Look at the headers.

21
00:01:42,920 --> 00:01:50,090
If there is any header specific to this app, if there is, note that header, because that's the one you're

22
00:01:50,090 --> 00:01:50,900
going to tamper with.

23
00:01:52,040 --> 00:01:55,550
So far, we've gathered as much information as we can.

24
00:01:56,500 --> 00:02:02,590
Now is the time to look for the known vulnerabilities of the server or the technologies that are used:

25
00:02:02,710 --> 00:02:06,280
frameworks, plugins, software, languages, et cetera.

26
00:02:06,430 --> 00:02:12,950
You can use the vulnerability databases and exploit databases to find the known vulnerabilities.

27
00:02:12,970 --> 00:02:16,390
One of the most famous databases is Exploit Database.

28
00:02:16,480 --> 00:02:19,420
The URL address to visit Exploit Database is

29
00:02:19,630 --> 00:02:21,900
https://

30
00:02:21,910 --> 00:02:23,830
www.exploit

31
00:02:23,830 --> 00:02:24,310
-

32
00:02:24,400 --> 00:02:32,530
db.com. Exploit-DB is the exploit database archive of Offensive Security, who are the producers

33
00:02:32,530 --> 00:02:34,240
of the Kali Linux distribution.

34
00:02:35,210 --> 00:02:44,270
So suppose that we realize the server is Apache2 2.0 4.3; visit a vulnerability database and search

35
00:02:44,270 --> 00:02:47,330
if there are known weaknesses of that version of the server.

36
00:02:48,940 --> 00:02:54,290
Crawling or spidering is traveling through the website and collecting data about it.

37
00:02:54,610 --> 00:03:01,150
We can pull data from the application like email addresses, sensitive data, backup or forgotten pages,

38
00:03:01,300 --> 00:03:09,460
etc. Now, because we have to send a lot of HTTP requests, automated tools and scripts that are called

39
00:03:09,460 --> 00:03:12,820
crawlers or spiders are used to crawl a website.
40
00:03:13,210 --> 00:03:19,420
All the automated tools have their own crawlers; Burp Suite, which we use, has its own spider, too.

41
00:03:19,450 --> 00:03:22,240
You may encounter interesting situations during crawling.

42
00:03:22,540 --> 00:03:29,350
For example, software developers create a copy of a file in the same directory for backup, or they

43
00:03:29,350 --> 00:03:33,430
may have a test version of the file, which contains a valid credential in it.

44
00:03:33,910 --> 00:03:40,300
In some cases, they just turn the line which contains credential values into a comment line.

45
00:03:40,750 --> 00:03:43,930
But those comment lines are visible at the client side.

46
00:03:43,990 --> 00:03:50,560
That means when you look at the page source in the browser, you see the comment line which contains

47
00:03:50,560 --> 00:03:52,150
a valid credential.

48
00:03:52,360 --> 00:03:58,090
You can find an administrative interface that does not have a link through the website.

49
00:03:59,000 --> 00:04:03,590
And having no link to the interface does not mean that it's unreachable.

50
00:04:04,670 --> 00:04:05,540
So here's a demo.

51
00:04:05,840 --> 00:04:08,780
Let's see the spider tool of Burp Suite in action.

52
00:04:10,030 --> 00:04:15,910
Run Burp Suite, turn the intercept off; we just want to have some links under the HTTP History tab.

53
00:04:16,240 --> 00:04:21,190
Go to the browser, configure the proxy settings to use Burp Proxy.

54
00:04:21,400 --> 00:04:23,140
Visit the website you want to crawl.

55
00:04:23,260 --> 00:04:24,370
In this example,

56
00:04:24,370 --> 00:04:30,550
we use nhs.uk. Now go to the HTTP History tab under the Proxy tab.

57
00:04:30,640 --> 00:04:32,080
Select the root request.

58
00:04:32,080 --> 00:04:34,870
Right-click and select "Spider from here".

59
00:04:35,140 --> 00:04:37,540
You can answer yes if you're faced with a question.
60
00:04:38,140 --> 00:04:43,360
And when you select the option, the font color of the Spider tab turns orange.

61
00:04:43,510 --> 00:04:46,750
That means there are changes in the tab since your last visit.

62
00:04:46,990 --> 00:04:54,400
Go to the Spider tab, where you see some statistical information: requests made, requests queued, forms

63
00:04:54,400 --> 00:05:01,540
queued, etc. When you go to the Site Map tab under the Target tab, you will see the current results,

64
00:05:01,750 --> 00:05:04,210
files and folders of the application.