WEBVTT

00:00:00.000 --> 00:00:06.270 align:middle line:90%


00:00:06.270 --> 00:00:09.420 align:middle line:84%
Welcome back to the Sensitive
Data Exposure session.

00:00:09.420 --> 00:00:11.430 align:middle line:84%
In this second part,
we will exploit

00:00:11.430 --> 00:00:13.230 align:middle line:84%
our intentionally
vulnerable application

00:00:13.230 --> 00:00:16.230 align:middle line:84%
to get access to
some sensitive data.

00:00:16.230 --> 00:00:19.080 align:middle line:84%
We will jump straight to
the hands-on exploitation.

00:00:19.080 --> 00:00:21.300 align:middle line:84%
Before closing, we
will review what's

00:00:21.300 --> 00:00:23.670 align:middle line:84%
wrong with our
target application.

00:00:23.670 --> 00:00:25.380 align:middle line:90%
Let's hack.

00:00:25.380 --> 00:00:28.500 align:middle line:84%
Before some shopping, let's
configure our default address

00:00:28.500 --> 00:00:29.370 align:middle line:90%
and payment methods.

00:00:29.370 --> 00:01:49.000 align:middle line:90%


00:01:49.000 --> 00:01:51.310 align:middle line:84%
All right, we are now
ready to buy some juice.

00:01:51.310 --> 00:02:06.770 align:middle line:90%


00:02:06.770 --> 00:02:11.820 align:middle line:84%
Let's review our order
and proceed to checkout.

00:02:11.820 --> 00:02:13.410 align:middle line:84%
In the next step,
we should be asked

00:02:13.410 --> 00:02:15.000 align:middle line:90%
to select a payment method.

00:02:15.000 --> 00:02:16.680 align:middle line:84%
Let's pop up developer
tools so that we

00:02:16.680 --> 00:02:19.710 align:middle line:84%
can inspect what data is
exchanged between the browser

00:02:19.710 --> 00:02:20.730 align:middle line:90%
and the backend server.

00:02:20.730 --> 00:02:32.800 align:middle line:90%


00:02:32.800 --> 00:02:36.440 align:middle line:84%
See how credit card number
is masked in the interface.

00:02:36.440 --> 00:02:38.530 align:middle line:84%
However, if we
look up the request

00:02:38.530 --> 00:02:41.050 align:middle line:84%
to retrieve credit card
details from the server,

00:02:41.050 --> 00:02:43.481 align:middle line:84%
we will find something
completely different.

00:02:43.481 --> 00:02:49.740 align:middle line:90%


00:02:49.740 --> 00:02:52.380 align:middle line:84%
The credit card number
was sent in clear text.

00:02:52.380 --> 00:02:54.840 align:middle line:84%
Since the application
does not use HTTPS,

00:02:54.840 --> 00:02:56.730 align:middle line:84%
anyone between client
and server will

00:02:56.730 --> 00:03:00.390 align:middle line:84%
be able to see it, as will any malware
installed on the client device.

00:03:00.390 --> 00:03:04.860 align:middle line:90%


00:03:04.860 --> 00:03:07.260 align:middle line:84%
Let's complete our
order and see how far we

00:03:07.260 --> 00:03:08.990 align:middle line:90%
can go exposing sensitive data.

00:03:08.990 --> 00:03:27.670 align:middle line:90%


00:03:27.670 --> 00:03:30.640 align:middle line:84%
In our first session, we
exploited the SQL injection

00:03:30.640 --> 00:03:33.010 align:middle line:84%
vulnerability to
bypass authentication.

00:03:33.010 --> 00:03:35.080 align:middle line:84%
In that case, we could
not retrieve any data

00:03:35.080 --> 00:03:37.840 align:middle line:84%
from the database since
the backend server was just

00:03:37.840 --> 00:03:40.300 align:middle line:84%
counting matched records
instead of returning

00:03:40.300 --> 00:03:41.890 align:middle line:90%
the actual results.

00:03:41.890 --> 00:03:45.250 align:middle line:84%
If we find a vulnerable endpoint
that asks for user inputs

00:03:45.250 --> 00:03:48.490 align:middle line:84%
to merge with a query template
returning phone records,

00:03:48.490 --> 00:03:51.310 align:middle line:84%
then chances are we will
be able to access arbitrary

00:03:51.310 --> 00:03:52.720 align:middle line:90%
data on the database.

00:03:52.720 --> 00:03:56.020 align:middle line:84%
Usually, search features
are good candidates.

00:03:56.020 --> 00:03:58.650 align:middle line:90%
Why not try our luck?

00:03:58.650 --> 00:04:01.800 align:middle line:84%
Let's pop up developer
tools and search for orange

00:04:01.800 --> 00:04:03.900 align:middle line:84%
adding a trailing
single quote character

00:04:03.900 --> 00:04:05.820 align:middle line:84%
as we did in the
injection flow session

00:04:05.820 --> 00:04:07.757 align:middle line:90%
to exploit SQL injection.

00:04:07.757 --> 00:04:34.610 align:middle line:90%


00:04:34.610 --> 00:04:36.560 align:middle line:90%
Apparently, nothing happened.

00:04:36.560 --> 00:04:38.870 align:middle line:84%
Better open the GET
request in a new tab

00:04:38.870 --> 00:04:41.960 align:middle line:84%
so that we can easily
modify the URL parameter.

00:04:41.960 --> 00:04:46.670 align:middle line:90%


00:04:46.670 --> 00:04:47.570 align:middle line:90%
Let's do it again.

00:04:47.570 --> 00:04:52.860 align:middle line:90%


00:04:52.860 --> 00:04:54.990 align:middle line:84%
Okay, this time it
looks promising.

00:04:54.990 --> 00:04:56.580 align:middle line:90%
We now have a SQL error.

00:04:56.580 --> 00:05:08.170 align:middle line:90%


00:05:08.170 --> 00:05:10.060 align:middle line:84%
The percentage
character is a good sign

00:05:10.060 --> 00:05:13.060 align:middle line:84%
that the SQL LIKE
operator is being used,

00:05:13.060 --> 00:05:16.150 align:middle line:84%
but think about what the backend
query template may look like.

00:05:16.150 --> 00:05:40.890 align:middle line:90%


00:05:40.890 --> 00:05:43.500 align:middle line:84%
This could be the
backend query template.

00:05:43.500 --> 00:05:46.620 align:middle line:84%
Let's replace the input keywords
with our current payload

00:05:46.620 --> 00:05:47.910 align:middle line:90%
and see what it looks like.

00:05:47.910 --> 00:06:09.110 align:middle line:90%


00:06:09.110 --> 00:06:10.940 align:middle line:90%
Another SQL error.

00:06:10.940 --> 00:06:13.010 align:middle line:84%
This time, the
query is incomplete.

00:06:13.010 --> 00:06:16.250 align:middle line:84%
Maybe the query template tries
to match our search keyword

00:06:16.250 --> 00:06:19.900 align:middle line:84%
both in the product's
title and description.

00:06:19.900 --> 00:06:21.000 align:middle line:90%