1.3 Web Application Basics

00:00

Hey, everyone, welcome back to the course. So in the last video, we talked about a very basic introduction to day basis, So I want to stress very basic introduction. There's a lot of stuff you can learn about databases again. I mentioned it a new course that's coming out on the cyber, a site called Intro to Sequel. I definitely recommend you take that if you want to learn more about databases

00:18

and, specifically sequel in general.

00:21

We also talked about some basic sequel commands. We mentioned things like the Select Command, the create table command dropped table, as well as things like the Delete Command insert into

00:31

and also the Union Command. Now, again, we talked about those from a concept of the attacker side. So we talked about, like why an attacker might use those on some of the examples there, as well as the fact that we're gonna be doing some various injection attacks As we move throughout this course

00:49

now in this video, I want to give you just a very basic introduction to Web applications. So kind of communication is for assholes. They're concerned now again, really. People needed to be in at an intermediate level to be successful, this course, but I assume that some, as many with, is with many of my courses.

01:07

Um, we'll have some beginners in here, and I want to provide you atleast a basic foundation.

01:11

So things make more sense as you move into the actual labs of the course. And it's kind of a refresher for those that maybe our experience and have for gotten some of these concepts.

01:23

So Web applications. I like to explain this. You know, again, I didn't want to do a death by Power point in this particular course. So if you watch some of my other courses, you notice I like to try to draw. Um, I say try because it's not very successful in most cases, but hopefully it explains the concepts, and that's kind of the overarching thing there.

01:42

As you can see, I went into cybersecurity and not art.

01:45

Um, and you'll see why in just a moment if you're not familiar with my other courses.

01:49

So with applications, well, of course, we all know that we can go to let Google and search for something right. We go to Amazon, we buy something or, you know maybe eBay for using that side or whatever. Right? We go watch stuff on YouTube or World Star hits hips. Excuse me, World Star Hip hop way. Go on, Cyber. Right. We watch some courses on cyber Re

02:08

in any capacity there. Basically, we're using a browser,

02:13

so we'll just put a big B over here. Well, to say, that's our browser right here. That's us over here. Where? The client. So we're here. We're the browser, right? And we're accessing

02:23

basically a web server, right? For our purposes, we're just gonna focus on kind of Web application. But

02:28

we're gonna be accessing a Web server on, and that's gonna host multiple applications. Right? So in may, you know, like, for example, cyber. That's a good, good example. So cyber is gonna be hosting courses. There's also gonna be, you know, articles on the side. There's gonna be blocked post,

02:44

you know, various things that we can access to learn, right? There's gonna be labs that we can launch and learn from.

02:50

So there's a lot of different things different applications that we can access through the web server. Right. So we can access all these things through the website essentially

03:00

so our Web client, you know, And it's basically called the user agent in many circles there. So that might be things like Curl, tell Met or, you know, again, just our browser here. And so the communication between our web client is gonna

03:15

take place to the Web application of the Web server through different protocols. The most common one problem being like http or https, basically making requests were saying, Hey, give me that course or give me that. You know, content give you that lab,

03:31

give me that YouTube video, whatever the case might be, making those requests and then getting some kind of response in return.

03:38

So we the client or the you know, in this case, we're using the browser.

03:43

We're gonna make a request to our, you know, Web server. Web application will just make that a capital w there.

03:49

So we make this request, I'm gonna change colors well equipped to make that different.

03:53

So we make this request. Here's and give me Give me. Give me right. Give me whatever I want. I want to watch that funny cat video. You know, I want to watch, you know, the eulogy of grumpy cat who passed recently. Um, you know, I want to watch cyber recourse. I want I want I want I want, right, I want this stuff. So give me it.

04:10

Now what? This, uh, Web server Web applications going to do is basically, you know, number one Say, like, you know, should you have this right? Are you authenticated for this? Because as you'll see with different types of attacks that we can do, we could basically send out and say, Hey, send me the user name,

04:28

you know, for the admin or something, right? Or sent me

04:30

these database files. You know, something like that. So

04:34

on your web application side web server side, you need to make sure that you're filtering these types of requests of these. Http requests need to make sure that you're filtering these in some capacity. So that way, information that shouldn't come back to whomever this might be

04:48

is not coming back to whomever this might be. Right. So we just wanted to be like, for example, Yes, here's your you know, here's your cyber recourse video. You can go ahead and watch it, but we don't want you to pull the database of, you know, whatever rights all we don't want you grabbing all the user names from the site or we don't want you, you know, grabbing like bank account information or credit card information, whatever.

05:08

We don't want you getting that stuff. So we're gonna block you that, you know. So if your request comes through and it's basically asking us, Hey,

05:14

give me some credit card information and we say, Wait a minute. Now, that's not for you, right? That's only for you know, these people over here internally. Then we're gonna block that request essentially, right. We're gonna keep you from getting that information.

05:26

So this is basically a very high level overview of like how the communication is gonna work. So when we send a request out to the web application, it's going to say basically a Ernie that you are allowed to have this, and it's going to send you whatever content back based off, you know, whether you actually should access that or not. Right?

05:45

So it becomes a problem if your Web servers not properly secured our web applications not properly secured and you're sending back, you know, information, whether it's credit card you know, username, password. Whatever the case might be, if you're allowing improper http request in from somebody over here,

06:02

then that can allow an attacker to steal your data or get access to your data bases

06:06

and steal whatever they want to essentially. Right. So we don't want that to happen. So again, very high level overview the communications dream here. But hopefully this will help you understand? You know, we're tryingto

06:17

make some essentially Legos, right? So building blocks here. So, you know, we start out with some basic information about databases. We talk about the web communication a little bit. And then as we move into our lab, so the next the next video, we'll actually talk about the sequel injection, the different type of attacks. We can do the different types sequin Jackson attacks, and then

06:36

we're gonna move into our last war, actually do some hands on. So hopefully we were kind of building things up for you a little bit

06:42

again. This course is kind of a high level overview of sequel injection attacks in general and gives you a little hands on skills. It's not a deep dive by any means, but I wanted to kind of give you a build up if you're not familiar with stuff of how things kind of work. So we started off talking about databases in the last video. We got a good kind of sell, a foundational understanding that

07:01

we're basically storing information in the database and then

07:03

trying to retrieve that. And as an attacker, we're trying to get information that we shouldn't have access to.

07:09

And then here we're just talking again about the Web applications, Web servers and how the client server relationship works. So, you know, as a client,

07:16

I sent a request over saying, Give me, you know, whatever it is, give me a cat video. Give me, You know, a cyber, of course, Whatever. And you know, the Web server says Okay, yeah, you can have that. But in the other example, I send a request saying, Give me the username, give the password. Whatever and Web Service says, Well, wait a minute. You shouldn't have that Right.

07:34

So that's how the communication stream works for Web servers, applications, client server, our relationship there again in the next video, we're gonna talk about sequel injection itself. So what is it We're also gonna talk about the different types of sequel injection attacks, and there will actually move into our laps

07:50

again. I want to kind of mentioned in most of videos in this course that there's a lot of supplemental resource is for you, so you'll notice a lot of external links and documents for you to go ahead and click on. So these air these at least of the time the filming of this course are safe links to click on, and hopefully nobody's attacking them after they get them.

08:11

But go ahead, click on the links.

08:13

Use all the resources possible to become better at sequel injection attacks and that way as a penetration tester, you could be better at doing these a time such attacks and help your clients more efficiently.