1
00:00:01,160 --> 00:00:03,590
Hello, everyone, and welcome to this video.

2
00:00:04,530 --> 00:00:12,010
So in this video, we are going to see the steps and approach towards identification of SSRF based

3
00:00:12,030 --> 00:00:12,670
vulnerabilities.

4
00:00:13,560 --> 00:00:21,410
So the first step is that we will exploit a Web application to induce the request to the attacker controlled

5
00:00:21,420 --> 00:00:21,960
server.

6
00:00:22,530 --> 00:00:23,040
All right.

7
00:00:24,260 --> 00:00:27,680
This is what we have understood in the principle as well.

8
00:00:28,800 --> 00:00:36,270
Moving ahead to the next step, we are going to configure the Collaborator as a third party server. In

9
00:00:36,270 --> 00:00:42,370
case you have any of your VPS or any of your website, you can use that as well.

10
00:00:43,020 --> 00:00:49,770
I assume that many of you would have your own Web application or your own VPS, which can be used as

11
00:00:49,770 --> 00:00:52,750
a third party server. In case you do not have it,

12
00:00:52,890 --> 00:00:53,710
no need to worry.

13
00:00:54,120 --> 00:00:57,030
We are going to use the Collaborator.

14
00:00:58,570 --> 00:01:04,840
In case you also do not have Collaborator, then I'm going to tell you a very, very simple trick and

15
00:01:04,840 --> 00:01:10,630
a very good resource that you can utilize as your third party attacker controlled server.

16
00:01:11,850 --> 00:01:19,020
So the third step is to wait for the interaction from the target application to identify if it is vulnerable

17
00:01:19,020 --> 00:01:19,580
or not.

18
00:01:20,520 --> 00:01:28,200
Once we have identified it to be vulnerable, as we get a successful interaction, then we will do the attack

19
00:01:28,230 --> 00:01:32,020
on that Web application and complete the successful attack.

20
00:01:33,120 --> 00:01:41,590
So let's quickly jump on to the practical aim to successfully do an SSRF attack on a target application.

21
00:01:42,270 --> 00:01:51,510
So for this example, we are going to take testphp.vulnweb.com as our target application to identify

22
00:01:51,550 --> 00:01:54,080
SSRF based vulnerabilities.

23
00:01:55,080 --> 00:02:00,000
So the first thing that I'm going to do is I need an injection point to identify.

24
00:02:00,420 --> 00:02:04,200
For that, I'm going to use Burp Spider in the Burp Suite.

25
00:02:04,200 --> 00:02:12,120
First, I'm going to spider the application to identify entry points and increase the scope of my target

26
00:02:12,120 --> 00:02:20,100
application, as I'm running on version 2.0, in which the spider has changed its name.

27
00:02:20,550 --> 00:02:28,070
So I'm going to show you what is the changed name of Burp Spider in the version 2.0.x.

28
00:02:28,830 --> 00:02:33,590
So let's quickly go back to the application loaded, so we get a request over here.

29
00:02:35,130 --> 00:02:37,200
Now, I'm just going to right click first.

30
00:02:37,200 --> 00:02:39,390
Send this to Repeater. Again,

31
00:02:39,390 --> 00:02:45,510
I'm going to right click and I'm going to click on Engagement Tools and I'm going to click on Discover

32
00:02:45,510 --> 00:02:46,110
Content.

33
00:02:46,960 --> 00:02:57,270
Remember, Burp Spider has changed its name to Content Discovery or Discover Content in all the versions

34
00:02:57,270 --> 00:03:00,170
of Burp Suite which start from 2.0.

35
00:03:00,930 --> 00:03:07,350
So we just need to click on "Session is not running" and it will start your session and it will start

36
00:03:07,350 --> 00:03:15,030
identifying or crawling the target application for a lot of URLs and parameters.

37
00:03:15,030 --> 00:03:21,990
As you can see over here, you can simply go to Site map and also see the target URLs that are loading

38
00:03:22,170 --> 00:03:27,570
here. Now, as we want a few of the URLs which contain the parameters,

39
00:03:27,600 --> 00:03:33,180
so I'm just going to double click on Params and you can see we have successfully got all the parameters

40
00:03:33,180 --> 00:03:33,720
over here.

41
00:03:35,130 --> 00:03:35,700
Perfect.

42
00:03:35,700 --> 00:03:38,510
So I'm going to pick one of the parameters from here.

43
00:03:38,820 --> 00:03:43,170
So let me just minimize this, because I do not want to stop spidering.

44
00:03:43,440 --> 00:03:51,240
I want a lot more requests because, you know, the more you spider, the more assets or scope increase

45
00:03:51,240 --> 00:03:56,790
you get, which means that you are increasing your chances of getting a valid vulnerability.

46
00:03:57,690 --> 00:04:03,510
Now, for instance, for now, I'm going to close this because we have already identified a lot of URLs

47
00:04:03,510 --> 00:04:04,410
right now.

48
00:04:04,410 --> 00:04:11,790
And I'm going to choose any one from this. In a real time scenario, on a bug bounty program that

49
00:04:11,790 --> 00:04:17,630
you are hunting on a Web application, you can keep it running so you get more number of requests.

50
00:04:18,420 --> 00:04:20,310
Alright, so let me just exit this.

51
00:04:21,390 --> 00:04:28,920
Now you have to go to your target and from here let's pick any of the target

52
00:04:28,920 --> 00:04:29,650
URLs.

53
00:04:29,730 --> 00:04:39,330
So let's say we are going to pick one of the URLs, which is, for example, let's pick a URL which starts

54
00:04:39,330 --> 00:04:42,420
with or has file=.

55
00:04:43,080 --> 00:04:46,110
So let me see if I can see a URL like this.

56
00:04:46,920 --> 00:04:47,790
Let me just right

57
00:04:47,820 --> 00:04:50,250
click over here and click on Add to scope.

58
00:04:50,610 --> 00:04:55,830
I can filter this based on scope as well, as I do not want to see any clutter over here.

59
00:04:56,460 --> 00:04:57,060
Again, again.

60
00:04:57,060 --> 00:04:57,630
Right click.

61
00:04:57,990 --> 00:05:06,390
I can go to Engagement Tools, I can again click on Discover Content and Start, and it will start identifying

62
00:05:06,390 --> 00:05:07,920
and crawling the target again.

63
00:05:08,260 --> 00:05:18,360
OK, now if I want to identify a specific set of parameters from the given discovered content, I can

64
00:05:18,360 --> 00:05:19,140
also do that.

65
00:05:19,620 --> 00:05:22,370
For that you just need to go to Burp and then to Search.

66
00:05:23,010 --> 00:05:26,390
So now I'm going to search for something like "file".

67
00:05:27,120 --> 00:05:33,000
Now you can just tick this option as well, in which you have to choose "In scope only", which will only

68
00:05:33,000 --> 00:05:38,040
search the parameter "file" in your in-scope domains as well.

69
00:05:38,640 --> 00:05:45,000
So I'm just going to Go and you can see I have got a lot of URLs which contain "file" already.

70
00:05:45,000 --> 00:05:48,390
So I'm going to choose one of them, which is this.

71
00:05:48,900 --> 00:05:49,500
So let me just

72
00:05:49,500 --> 00:05:49,680
right

73
00:05:49,680 --> 00:05:51,390
click and send this to Repeater.

74
00:05:51,720 --> 00:05:52,170
Perfect.

75
00:05:52,740 --> 00:05:54,630
Now we have one of the

76
00:05:54,630 --> 00:05:58,660
URLs which I'm going to try for a successful SSRF.

77
00:05:58,680 --> 00:06:03,750
So let me first hit Go and see what is this, what it contains.

78
00:06:04,470 --> 00:06:11,090
So I think it contains a picture, so why not, let us render it, and you can see it contains a picture.

79
00:06:11,810 --> 00:06:12,420
All right.

80
00:06:12,660 --> 00:06:19,890
So now we are going to test the parameter file= to see if it is vulnerable to SSRF or not.

81
00:06:20,420 --> 00:06:25,790
So, as I already mentioned, we are going to use Burp Collaborator, so for that, you just

82
00:06:25,790 --> 00:06:30,410
simply need to click on Burp and you can choose the Burp Collaborator client.

83
00:06:31,910 --> 00:06:39,650
Now, you can see over here, this is "Number to generate", which means how many Collaborator payloads

84
00:06:39,650 --> 00:06:40,440
we want to generate.

85
00:06:40,460 --> 00:06:41,920
So I just want to generate one.

86
00:06:42,050 --> 00:06:50,420
You can also choose one and click on Copy to clipboard and it will copy the Collaborator client payload,

87
00:06:50,420 --> 00:06:53,840
which is nothing but your third party server name.

88
00:06:54,730 --> 00:07:01,150
Or the address. "Poll every 60 seconds", you can choose, or you can make it to one second, which means

89
00:07:01,150 --> 00:07:07,820
it is going to refresh and check if there are any interaction requests that have come or not.

90
00:07:08,200 --> 00:07:12,500
So let's click on Copy to clipboard and go back over here.

91
00:07:13,150 --> 00:07:20,500
Now, let's just remove this and we start over here now, as we want the request to be sent.

92
00:07:20,530 --> 00:07:28,390
So let me just add http in front of it to make the request go to our Collaborator server, which is

93
00:07:28,390 --> 00:07:31,690
our third party server, and make the application

94
00:07:31,930 --> 00:07:34,180
know it is an HTTP based server.

95
00:07:37,160 --> 00:07:43,700
All right, so now let me just hit Go and let's see if we get something in the response, and you can

96
00:07:43,700 --> 00:07:50,900
see I got a 200 and something in response. Go back to your Collaborator and see if we have got something.

97
00:07:51,500 --> 00:07:57,080
And you can see, yes, we have got a couple of requests over here. Let's see the request that

98
00:07:57,080 --> 00:07:58,540
we have received over here.

99
00:07:58,700 --> 00:08:01,820
And you can see this is the request which has been received.

100
00:08:02,090 --> 00:08:04,880
The Collaborator server had received an HTTP request.

101
00:08:05,450 --> 00:08:08,910
The request was received from the IP address, which is this IP address.

102
00:08:09,440 --> 00:08:13,030
Now, let's verify to whom this IP address belongs.

103
00:08:13,790 --> 00:08:17,980
For that, let's go back over here, paste the IP address over here.

104
00:08:18,410 --> 00:08:24,500
And you can see the IP address belongs to Acunetix, which is testphp.

105
00:08:24,890 --> 00:08:25,360
Perfect.

106
00:08:25,700 --> 00:08:34,880
So we have identified a valid SSRF over here, as it is making interaction with the attacker controlled third

107
00:08:34,880 --> 00:08:35,840
party domain.

108
00:08:36,470 --> 00:08:41,470
Let me show you the Collaborator client, and let me see where is the Collaborator client.

109
00:08:41,480 --> 00:08:44,100
It is over here now.

110
00:08:44,180 --> 00:08:46,750
This is the spider which is running.

111
00:08:46,760 --> 00:08:49,220
So the Collaborator client should be.

112
00:08:53,010 --> 00:08:59,960
So I think so, I'm just going to start a Collaborator client again, I have closed the previous window.

113
00:09:00,300 --> 00:09:07,830
So now again, I'm going to make one over here because you want to poll it once again, or copy this

114
00:09:07,830 --> 00:09:11,290
over here, paste it over here, and let's see if we get any interaction.

115
00:09:11,630 --> 00:09:18,330
Now, remember, you need to add http and paste it over here.

116
00:09:18,330 --> 00:09:20,430
Go, wait for the interaction.

117
00:09:20,440 --> 00:09:22,470
Let's verify if we got the interaction over here.

118
00:09:22,650 --> 00:09:28,530
And again, see, we have got a successful interaction from the IP address, which is belonging to the

119
00:09:28,530 --> 00:09:29,070
target.

120
00:09:29,460 --> 00:09:30,780
As you can see over here.

121
00:09:31,650 --> 00:09:35,310
This is the response that we have got from our target.

122
00:09:35,850 --> 00:09:44,150
So this is how you test for SSRF based vulnerabilities on any target application.

123
00:09:45,540 --> 00:09:52,680
So we will end here for this video. In the next video I'm going to show you, if you do not have Burp Collaborator,

124
00:09:53,070 --> 00:10:01,080
what is the option for a third party service or third party attacker controlled domain, how you can utilize

125
00:10:01,080 --> 00:10:03,630
any of the free and useful resources.

126
00:10:04,380 --> 00:10:05,630
So I hope you guys understood.

127
00:10:05,820 --> 00:10:06,330
Thank you.