1
00:00:06,573 --> 00:00:09,915
- [Instructor] The attack methodology for web applications

2
00:00:09,915 --> 00:00:13,877
is very similar to most types of attacks.

3
00:00:13,877 --> 00:00:17,237
Our first step is always recon.

4
00:00:17,237 --> 00:00:19,253
As an attacker, we need to find out

5
00:00:19,253 --> 00:00:22,536
as much information about the target as possible

6
00:00:22,536 --> 00:00:24,819
before we start attacking.

7
00:00:24,819 --> 00:00:27,795
This involves scanning for open ports

8
00:00:27,795 --> 00:00:30,899
and probing for more information

9
00:00:30,899 --> 00:00:33,621
to identify the actual web server

10
00:00:33,621 --> 00:00:35,360
and version that's running.

11
00:00:35,360 --> 00:00:37,738
This is important because if we find

12
00:00:37,738 --> 00:00:40,021
a web server that is vulnerable

13
00:00:40,021 --> 00:00:43,944
to an unauthenticated remote exploit, for example,

14
00:00:43,944 --> 00:00:45,845
we don't need to look any further.

15
00:00:45,845 --> 00:00:49,013
We can just exploit that service to gain access.

16
00:00:49,013 --> 00:00:53,269
At that point, there's no need for application hacking.

17
00:00:53,269 --> 00:00:56,469
If we don't find a vulnerable service,

18
00:00:56,469 --> 00:01:00,192
we would move on to the mapping and discovery phase.

19
00:01:00,192 --> 00:01:01,397
In the mapping phase,

20
00:01:01,397 --> 00:01:04,725
we will crawl or spider the application

21
00:01:04,725 --> 00:01:08,362
to determine the full attack surface.

22
00:01:08,362 --> 00:01:10,197
In the discovery phase,

23
00:01:10,197 --> 00:01:13,747
this is where we look deeper into the application

24
00:01:13,747 --> 00:01:16,329
that we're attacking to uncover

25
00:01:16,329 --> 00:01:18,868
any holes in its security.

26
00:01:18,868 --> 00:01:22,368
For instance, in WordPress or in PHP,

27
00:01:22,368 --> 00:01:24,437
we would look for specific vulnerabilities

28
00:01:24,437 --> 00:01:26,538
in those types of applications.
29
00:01:26,538 --> 00:01:28,789
If we can't find a vulnerability specific

30
00:01:28,789 --> 00:01:31,539
to the applications being served,

31
00:01:32,469 --> 00:01:35,552
we can use that as a way in.

32
00:01:35,552 --> 00:01:37,719
In our exploitation phase,

33
00:01:38,858 --> 00:01:41,375
we will validate the vulnerabilities

34
00:01:41,375 --> 00:01:44,832
identified in the mapping and discovery phases,

35
00:01:44,832 --> 00:01:48,999
so when we find a vulnerability through discovery,

36
00:01:49,856 --> 00:01:54,023
we need to validate it, and that's the exploitation phase.