1
00:00:01,090 --> 00:00:03,490
Hello, everyone, and welcome to this video.

2
00:00:04,360 --> 00:00:10,240
So in this video, we are going to see a lot of attacks with whitelist-based input filters.

3
00:00:11,170 --> 00:00:18,280
So some developers use whitelist filters to block certain characters as an input and only allow certain

4
00:00:18,280 --> 00:00:19,570
characters and numbers

5
00:00:21,350 --> 00:00:22,770
into the web application.

6
00:00:23,540 --> 00:00:29,660
Apart from that, if any of the blocked characters are supplied, the request gets rejected or it

7
00:00:29,660 --> 00:00:31,130
does not get processed.

8
00:00:32,120 --> 00:00:40,730
Many applications block host names like the loopback IP address or localhost, or even some special characters,

9
00:00:41,570 --> 00:00:49,460
or sometimes sensitive strings like /admin or @, which can be used for embedded credentials,

10
00:00:49,850 --> 00:00:51,230
or hash.

11
00:00:52,700 --> 00:00:59,660
Let us understand the principle of a whitelist filter bypass using SSRF with the help of an animation.

12
00:01:00,440 --> 00:01:05,720
You can see on your left is the attacker and on the right is the vulnerable web application, which

13
00:01:05,720 --> 00:01:06,920
is example.com.

14
00:01:07,860 --> 00:01:14,610
The attacker can send a request of GET /admin/dashboard, the host is example.com, and in the

15
00:01:14,610 --> 00:01:22,050
body parameter there is a URL with the loopback IP address, 127.0.0.1.

16
00:01:22,530 --> 00:01:27,980
And the server sends a response to the attacker with 403 Forbidden.

17
00:01:28,590 --> 00:01:37,680
Now, the attacker bypasses this whitelist filtering, in which the web server, which is example.com,

18
00:01:37,680 --> 00:01:43,620
checks if there is a loopback IP address being passed.

19
00:01:44,010 --> 00:01:50,700
But in case we do that using the embedded credentials technique, then we are able to bypass it.

20
00:01:51,670 --> 00:01:54,510
And we successfully get a 200 OK.

21
00:01:55,830 --> 00:02:01,440
So what is the impact? The impact is similar to the previous videos that we have seen: the attacker

22
00:02:01,440 --> 00:02:08,190
is able to perform sensitive actions on the server and can bypass access control and authentication

23
00:02:08,190 --> 00:02:12,200
to protected resources and also get access to that computer.

24
00:02:14,230 --> 00:02:19,780
What are the steps that we are going to perform? We are going to bypass the whitelist filters in order

25
00:02:19,780 --> 00:02:26,260
to perform this SSRF. If we are successful in performing the sensitive actions indicated, then

26
00:02:26,260 --> 00:02:27,580
our attack is successful.

27
00:02:28,640 --> 00:02:33,950
So it is practical time, and let's quickly jump into the practical and understand how we can bypass

28
00:02:33,950 --> 00:02:41,150
the whitelist-based filtering. There is the application, which is SSRF with whitelist-based input

29
00:02:41,150 --> 00:02:41,540
filter.

30
00:02:42,230 --> 00:02:46,090
Let's quickly start the application and solve the lab.

31
00:02:46,520 --> 00:02:53,580
We have to change the stock check URL in order to access the admin interface at http://localhost/

32
00:02:53,600 --> 00:02:54,070
admin.

33
00:02:54,080 --> 00:02:59,300
There is no port specified, so it is running on the default port, as it is mentioned.

34
00:02:59,300 --> 00:03:05,000
Actually, HTTP will assume it is running on port 80, and we have to delete the user, which is Carlos.

35
00:03:05,510 --> 00:03:08,340
The developer has also deployed an anti-SSRF defense.

36
00:03:08,480 --> 00:03:11,450
So we are going to bypass that as well.

37
00:03:12,020 --> 00:03:12,460
All right.

38
00:03:12,470 --> 00:03:15,770
So our web application has successfully deployed.

39
00:03:16,270 --> 00:03:23,900
Let's quickly jump over here and let's click on this umbrella's picture, and let's quickly click

40
00:03:23,900 --> 00:03:25,040
on "Check stock".

41
00:03:25,460 --> 00:03:27,750
And you can see we are able to get a response.

42
00:03:28,370 --> 00:03:34,580
Now, let's capture this request in our Burp Suite for further inspection.

43
00:03:35,410 --> 00:03:38,320
So let me just skip these requests.

44
00:03:38,350 --> 00:03:46,570
No, I do not want them. Again, let's click over here, "Check stock", and wait for the request to land

45
00:03:46,570 --> 00:03:47,200
over here.

46
00:03:47,200 --> 00:03:49,220
And we have got it now.

47
00:03:49,510 --> 00:03:55,670
The request is in our Repeater tab, and this is what we get in the stockApi parameter.

48
00:03:56,160 --> 00:03:59,860
Let's quickly send this to Decoder and see what it is.

49
00:04:00,340 --> 00:04:07,780
And again, see, there is a URL, which is stock.weliketoshop.net, port 8080, /product,

50
00:04:08,380 --> 00:04:11,580
stock/check, product ID and store ID.

51
00:04:12,310 --> 00:04:16,290
But as we mentioned in the question, there was no port 8080.

52
00:04:16,300 --> 00:04:21,370
So we are not going to consider it anymore and make all our payloads on port

53
00:04:21,370 --> 00:04:22,150
80 only.

54
00:04:24,080 --> 00:04:31,040
OK, so first, let's try the basic one. We're going to put in localhost and hit send. It was obvious

55
00:04:31,040 --> 00:04:37,340
that it is going to throw an error: External stock check host must be

56
00:04:37,380 --> 00:04:39,970
stock.weliketoshop.net.

57
00:04:40,520 --> 00:04:45,760
So it says it wants the host, which is stock.weliketoshop.net.

58
00:04:46,070 --> 00:04:47,720
It is not going to take this.

59
00:04:47,720 --> 00:04:51,860
They have whitelisted this and we need this particular

60
00:04:51,860 --> 00:04:53,840
URL in our payload.

61
00:04:53,960 --> 00:04:54,380
All right.

62
00:04:54,380 --> 00:04:56,540
So let's do something like this.

63
00:04:56,900 --> 00:04:59,260
Let's make a subdomain out of it and let's see.

64
00:04:59,900 --> 00:05:03,470
And you can see we still get an error, which means this is not working.

65
00:05:04,130 --> 00:05:04,480
All right.

66
00:05:04,490 --> 00:05:06,100
So let me add an @ to it.

67
00:05:07,070 --> 00:05:11,030
And you can see we got a different error, that is, "Missing parameter".

68
00:05:11,480 --> 00:05:18,380
And that is, if you try this in your web browser, writing anything@something, it is going

69
00:05:18,380 --> 00:05:24,980
to redirect to whatever is written after the @, if you want to see.

70
00:05:25,100 --> 00:05:26,920
Let me just show you as well.

71
00:05:27,350 --> 00:05:39,870
Let's go to google.com, or let's say yahoo.com@google.com.

72
00:05:40,250 --> 00:05:43,190
So it is going to redirect to google.com.

73
00:05:43,580 --> 00:05:44,090
Perfect.

74
00:05:45,060 --> 00:05:46,970
Let's get back over here.

75
00:05:49,870 --> 00:05:55,120
And now let's say we write admin@. Maybe we are able to bypass it.

76
00:05:55,240 --> 00:05:55,710
No.

77
00:05:56,260 --> 00:06:00,470
So let's change this and let's try one more thing, or...

78
00:06:00,490 --> 00:06:02,230
Let's keep it to localhost again.

79
00:06:03,320 --> 00:06:06,810
And let us simply remove all this stuff.

80
00:06:06,860 --> 00:06:07,910
We do not want it.

81
00:06:08,710 --> 00:06:14,670
Let's try just port 80, and it gives the same error, which is "Missing parameter".

82
00:06:15,920 --> 00:06:23,180
Now, when we remove the @ symbol, it is giving an internal server error.

83
00:06:24,450 --> 00:06:32,280
Let us look at it again, and again, see, "Missing parameter". Let's add a /admin over here and observe

84
00:06:32,280 --> 00:06:33,090
what happens.

85
00:06:33,090 --> 00:06:36,450
And you can see we get the same error and it is not working.

86
00:06:36,690 --> 00:06:44,520
Now, what we can do is we can add a hash over here, the fragment, and observe what happens.

87
00:06:45,120 --> 00:06:48,480
Let's send, and you can see it worked.

88
00:06:49,230 --> 00:06:50,070
It worked

89
00:06:50,390 --> 00:06:57,150
when we double encoded our fragment, that is, the hash.

90
00:06:57,180 --> 00:07:03,090
So you need to keep in mind that the hash was not working, but when we encoded it, basically double encoded,

91
00:07:03,090 --> 00:07:03,600
it worked.

92
00:07:04,440 --> 00:07:05,880
And you can see the response.

93
00:07:06,330 --> 00:07:10,720
We have got the endpoint, which is the delete username.

94
00:07:11,280 --> 00:07:11,760
Perfect.

95
00:07:12,510 --> 00:07:14,700
Now let's send this to Decoder.

96
00:07:15,000 --> 00:07:17,130
And you can see, when we

97
00:07:18,680 --> 00:07:25,440
smart decode this, you can see it just comes back to the fragment, which is hash.

98
00:07:26,120 --> 00:07:30,110
So this is the first and this is the second encoding.

99
00:07:32,460 --> 00:07:32,950
Perfect.

100
00:07:33,270 --> 00:07:40,530
Now, let's copy this endpoint, as we need to delete the user, which is Carlos. Add it over here and

101
00:07:40,530 --> 00:07:41,370
hit send.

102
00:07:42,880 --> 00:07:49,630
Just remove it and hit send. Before hitting send, let's see that we are logged in to the admin

103
00:07:49,630 --> 00:07:53,720
panel and these are all the users. Hit send, and perfect.

104
00:07:54,100 --> 00:07:56,400
We should have solved the lab.

105
00:07:56,410 --> 00:08:02,950
And you can see we are successfully able to solve the lab with the help of bypassing a whitelist-

106
00:08:02,950 --> 00:08:03,970
based input filter.

107
00:08:04,150 --> 00:08:05,240
I hope you guys understood.

108
00:08:05,800 --> 00:08:06,370
Thank you.