OWASP Course

Time: 12 hours 9 minutes
Difficulty: Beginner
CEU/CPE: 12

Video Transcription

00:00
Hey, everyone, welcome back to the course. So in the last video, we covered
00:04
command injection attacks. So again, we were looking for specific IP address information. We took a look at the IP addresses. We also did an nslookup of the IP of the domain name to compare that to the IP address. And we were able to see that that was the same information we obtained by doing it inside of our Mutillidae vulnerable application.
00:22
We also took a look at the passwd file. We noticed that we were able to actually access the file. We were able to take a look at some of the information that might be found in that particular file.
00:32
In this video, we'll uncover an HTML injection attack. So I've actually continued on from the last lab. So you'll notice that I don't have to log into the lab environment. But if you went ahead and closed your previous lab, then by all means, go ahead and get logged back into Kali Linux, get logged in to the lab and launch Firefox, and then you'll be where we're at right now.
00:50
So you will notice that as we continue on in the lab, as it moves into another section, it may give us a pop-up box here. Just click on Continue and that lets you move through the next section of the lab.
01:00
Now, as you're going through the lab, to get full credit, I want to mention that you want to make sure you click Done and go through all these steps at the bottom. We're doing all these steps in a step-by-step guide as we walk through things, so literally, if you're done with the lab and done doing all the tasks, you can just click through Done, Done, Done all the way through all of these to get full credit for the lab and make sure it's saved in your profile.
01:21
If you don't do that, if you just can't stay out of the lab, then you don't actually get credit for completing it. And that's never a good thing, right? We all want to get 100% on things, so make sure you click that Done option here through all the labs in this course. That way you can get full credit and have it register in your account as completing this particular lab.
01:38
All right, so let's go to our step by step guide here. So we've already logged in again. We've continued on from the previous lab.
01:45
The next step we're gonna do is we're gonna click the View Log option. It's gonna be on the top right of the screen. So if we scroll back up here on my particular page, you'll see the View Log option right there. We're just gonna go ahead and click on that
01:56
and you see, that's gonna show us all the log, at least the log information that's relevant. It doesn't capture everything that's ever transpired, but it shows us the last couple of logs here, the last 13. In this particular case,
02:07
let's go back to our lab document here.
02:10
So what we're gonna do now, we're just gonna enter this URL. And as I mentioned, this is a pretty quick lab. It's a pretty simple command we're gonna run. We're gonna run this beautiful particular command here.
02:21
Now, what we should get is we should get an error message saying the page is not found, because this is actually, as the name implies, a fake page,
02:29
but then we're gonna come back to view the log, and we're going to take a look and see what phrase is gonna be listed in a large, bold font. So, uh, let's go ahead and run this now. And if anyone has any web development experience, you probably can take a look at this and quickly see what the answer is gonna be. But let's just run through the lab and do it together.
02:49
All right. So again, in the address bar here, we're just gonna type in HTTP colon forward slash forward slash Mutillidae,
02:54
forward slash Mutillidae,
02:58
and then we're gonna come here and we're just gonna type in the rest of this. The forward slash index dot PHP is what we're gonna go to next. And then we'll finish out with the rest of these items in just a moment.
03:07
So just the forward slash
03:09
index dot PHP.
03:13
Now, if I go too fast for you at all, if you want to take this slower, go ahead, pause the video and just go through this step-by-step guide on your own, and feel free to play the video once you feel comfortable doing so. If you feel like I'm going too slow, then by all means, feel free to pause the video or fast forward it and just use the step-by-step guide to walk through this particular lab.
03:30
And that actually goes for all the labs in this course. As I mentioned many times throughout the course, I try to keep my pace for most, the majority of students. But again, that's not gonna hit every single person. So that way, you know, again, if it's too fast for you or too slow for you, just make sure you adjust the video and your particular approach
03:51
based on what works best for you.
03:53
All right, so the next thing we're gonna type in here in the URL is gonna be this question mark, page and the equal sign.
03:58
So let's type that in now. Question mark, page and equal sign.
04:03
All right, so now we're gonna type in, basically, these brackets here, the opening and closing tags. We're gonna put that in with H1 and we'll also type the word fake.
04:14
And so these brackets right here I call little alligators that are fighting. But they're the brackets above the comma and the period on most keyboards. So if you just use the Shift key, you'll see those ones right there, if you're not familiar with how to do those. So we're gonna type those in along with fake as well.
04:30
Let's do that now.
04:33
We're typing those tags with the H1.
04:36
It will close it. And then we're just gonna type in the word fake with a capital F just like that, and then just put a space there
04:44
and we'll move on to the next part of it. We're gonna type in the page, and then we're gonna close out with the H1 again. So you'll do the page and the H1 again.
04:51
So let's go and do that now
04:55
review page. And then we're just gonna close that out with the H1
04:58
just like that, and once you're done entering that, just double check yourself and then go ahead and hit Enter on the keyboard to run it.
05:03
As I mentioned, we should get this particular error message, which is a 404 error, page not found. You may have seen these before. If you're out there searching the Web and trying to go to a certain page on a website, maybe they don't have a link properly or the link's broken or the page does not exist anymore, and that's where you're going to see that particular error message.
05:21
For this particular video in this course, that's not a relevant thing. We're just trying to go through the steps here. And so we do see that we're successful as far as getting the 404 error message.
05:30
So the next step in our lab is gonna be clicking back on the View Log page and then we'll go back to question number one here in just a second. So we'll click on View Log.
05:40
All right, so on this particular page, question number one: what phrase is listed in large, bold font on the logs? If you look at the log file here,
05:49
what do we see listed in large, bold font? Now again, this is pretty easy, right? But you may read and scroll through the rest of these ones here just to see if you notice anything else.
06:01
All right. So we all were able to quickly see the answer is fake space page. We see that's the only item here in this ridiculously large font, and that's bold as well.
06:11
All right. So in this video, we just did a quick HTML injection attack. So again, what we're doing here in the URL is we're just adding in the particular tags
06:20
here, and just think about it in the aspect of: this could have been some kind of malicious code or, you know, a redirect to a different website or something like that. So there's many, many ways we could potentially do this attack, but for our purposes, we just wanted to display a fake page for us.
06:40
So in this video, we discovered HTML injection attacks. In the next module, we're gonna talk about broken authentication.

OWASP

Established in 2001, the Open Web Application Security Project (OWASP) offers free security tools and resources to help organizations protect critical apps. Cybrary’s OWASP certification training course covers the organization’s popular “Top 10” risk assessment.

Instructed By

Ken Underhill
Master Instructor at Cybrary