- So Ron, we have an entire lesson dedicated to hacking web applications. Why are we focusing so much on the web?

- Well, I'm sure you know every day a new website comes online, a new web application is being used. Just think about Facebook. Years ago Facebook was very small; it was not being used. Now millions and millions of people use it across the internet, right? The other part of it too is that a lot of these sites are not as secure as they should be, and that's why they lead to major data breaches. Because usually the data, the content, is stored in a back-end database, and that can be accessible through the web application if it's vulnerable.

- Thinking of that, web applications have been around forever. Websites have been around forever, as long as the internet just about. Why are we still dealing with vulnerabilities like this?

- That is a good question. Every year, every day, we're adding more functionality to these websites. So as we add more functionalities, there is more risk involved as well.
A lot of times these applications are developed and pushed out before security teams have a chance to review them. More and more people are using them, so the demands keep adding more functionality and pushing out faster, which is happening more and more rapidly, so it's hard to actually get a chance to secure them all before they're actually put out there. Additionally, with a lot of these websites, once a single one is compromised, people always reuse their passwords on other sites as well. So if your account was compromised in the Adobe breach or the LinkedIn breach, chances are you probably reused that password on one of the other websites, so that's how, once one website is compromised, others tend to follow suit as well.

- That's true. Before we begin to talk about hacking a web application, we first need to understand what it is that we're hacking. A web application is a GUI front-end to a web service that's running on a web server. It's the graphical interface you see rendered in your browser when you surf the web.
On the other hand, a web service is an interface for a web server to programmatically interoperate between different servers, mobile applications, APIs. From a web services perspective, they're typically used for transferring pieces of data between applications. The data is rendered elsewhere or used in some other fashion. Web applications are intended to be the full GUI-based application accessible via a browser. The data is actually rendered in the browser itself. Whereas with web services, you can also provide APIs that can be used to programmatically interoperate with web applications and mobile applications.

The web application will normally have a GUI front-end and a database back-end. It will include buttons for submitting commands; it will also have input fields to enter information into the database, as well as a way to search and pull information from the database. From an attacker perspective, these are all targets.

In this demo, we're going to take a look at a typical web application. This is actually a web application that we'll be using in our demo labs going forward.
It's a typical web shopping cart application. However, this one is a purposely vulnerable application that was built for testing and demonstration purposes. It is built and maintained by Rapid7. You can actually download the source code and install it in your own lab for testing. So as you can see, it looks like a normal shopping site. It has search capabilities, as well as user input in a few different forms. For instance, the contact form, here. We can enter our information here. There's also a place to add reviews to the different items. And the shopping cart gives us the ability to change the quantities before we add to the cart. So we'll keep this in mind, because this is something that we may want to look at attacking later.

So from an attacker perspective, these are all things that we can target. Every input, every modification that we can make in the application that's sent back to the web server, is something that we can modify and target. From an application security perspective, this is a large attack surface to defend.