OWASP

Course
Time
4 hours 32 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:00
Hey, everyone, welcome back to the course. So in the last video, we wrapped up our discussion on injection vulnerabilities and injection attacks
00:07
In this lab, we're gonna have three parts, and we'll start off here with SQL injection attacks. Part two will cover command injection, and then part three will have a hands-on of HTML injection attacks.
00:18
So let's go ahead and get started. Now, I've already launched a lab here in the background. It may take up to a minute or so to launch the lab, but in the catalog, just look for the OWASP labs, and specifically you'll click on the injection lab.
00:30
So once you do so, it's going to give you these pop-ups. Initially, it just gives you a little background about the lab itself. If you want to read through that, we're not gonna worry about that. I do have the step-by-step guide for you, and that's available to download in the supplemental resources section, so you'll be able to find all the guides for all the labs that we'll cover in the course.
00:47
So to close these pop-ups, all we have to do is just click on Next and then OK.
00:51
Well, that's gonna take us here to the Kali Linux login screen. Now you'll see a couple of other pop-ups here that may show up. Basically, they're just telling me a little more about this particular lab environment. I've looked at those a million times, so I'm just gonna X out of those. But you're welcome to pause the video and read through those if you want to.
01:07
Here at the Kali Linux login screen, we're gonna log in with a username and password of student. So, student, all lowercase,
01:15
will be our username and password.
01:18
And then you either click Next here or just hit Enter on the keyboard. And then same thing for the password: student, all lowercase. And then you either click Sign In or just press Enter on the keyboard.
01:27
Now, before we get started with actually doing the lab, the one thing I'm gonna do is disable the screen lock feature. That way, as we're going through the lab, if we pause for a moment, it will not lock us out. I found that in these particular labs, if it locks you out, a lot of times you just have to restart the Kali machine or just cancel the lab and start it over again.
01:47
Neither of those is something that I personally like to do if I'm going through a lab.
01:51
So I don't want you to have to do the same thing. So we're gonna go ahead and disable the screen lock feature, and then we'll move through the rest of the lab.
01:59
So the way we disable it is at the very top right. Once we've logged into Kali Linux, we're gonna click this little arrow right here. It's gonna pop out a little menu for us, and then down at the bottom left, there's this little settings icon. It looks like a little screwdriver and a wrench. We're just gonna go ahead and click on that,
02:15
and it's gonna take about four or five seconds or so, but it's gonna open up another window for us.
02:21
And once it opens up that window, as you see here, we're just gonna select Privacy down near the bottom left,
02:27
and then we're gonna click on Screen Lock. That top option is gonna open up a little pop-up box, and then all we have to do is make sure this circle goes to the left, so we just either click on it or you can also click and drag it, whatever you want to do. You just want to make sure this is showing on the left side, just like that.
02:43
Once you do that, the screen lock should be turned off. So we can just X out of that, and just X out of that. And now we'll go ahead and move through the rest of our lab.
02:50
So again, this lab is gonna be SQL injection attacks, and then we'll do several videos for those other portions of the lab.
02:57
So we've already logged into Cybrary. We've launched our lab. We've logged into the Kali desktop, and that's where we're at right now. And we went ahead and, uh, disabled the screen lock, but we're not actually covering that in the step-by-step guide. Our next step here, we're at step eight in the step-by-step guide. We're gonna launch Firefox, so to do that, we just click this orange-colored icon
03:16
here on the top left,
03:17
and it might take a few seconds or so to pull up for us.
03:22
Now, throughout this entire course, we're using a vulnerable web application from OWASP which is called Mutillidae, and I may be pronouncing that wrong. So forgive me if you know the correct pronunciation, but that's how I pronounce it.
03:35
So Mutillidae is basically, as I mentioned, a vulnerable web application, so that way we can test these different things we're going to do, for example, like our SQL injection attack, and we can actually get results back and learn what we're doing here without us having to go, you know, like hack Microsoft or Google or something like that.
03:50
So it keeps us out of jail, which is always a good thing.
03:53
Let's go ahead and go back to our lab document. We've launched Firefox here,
03:57
and we see we're at the Mutillidae page. Now, if you ever get an error message, for example, it may say, like, you know, unable to load or something like that, then just click this little Mutillidae icon at the top left. That'll essentially refresh the page and then take you to this main page that we're looking at right now.
04:13
All right, so now we're at step nine here. So we're gonna go on the left side here. We're gonna select OWASP 2017, we'll then select A1 Injection (SQL), and then SQLi,
04:25
Bypass Authentication, and then finally, Login.
04:29
So let's go ahead and do that now.
04:30
We're into the OWASP 2017,
04:33
SQL Injection.
04:35
Yeah, let me click over here. So it's easier for you to see.
04:38
It's OWASP 2017, SQL Injection right here,
04:42
Bypass Authentication, and then Login. Now that takes us to the login page,
04:46
and again, it may take a moment or so to pull up. We're working inside of a virtual sandbox here, so some things are a little slower than you or I may be used to out in the real world.
04:57
All right. So in the username and password box, we're gonna fill that out, so we'll type admin for the username, and then we'll come to this in just a second.
05:03
So in the username field, just go ahead and type in admin, all lowercase.
05:08
And then now we're gonna type in the password field. We're gonna type in whatever, a single quotation mark,
05:14
space, or,
05:15
space,
05:16
one equals single quotation mark, the number one. So we'll just type that in nice and slow. So we'll type whatever single quotation mark first. So let's go and do that now. So in the password field, just type whatever
05:29
and a single quotation mark.
05:30
Okay, you're gonna put a space,
05:32
so just put a space there.
05:34
Now we're gonna put or and then another space. So let's just do that now.
05:40
We'll put or, we'll put another space.
05:43
And then finally, we're gonna put one equals single quotation mark
05:46
one. So one equals single quotation mark one.
05:50
Let's go and type that in there now. So one equals single quotation mark and then the number one.
05:57
All right. Once you enter that in there, just go ahead and either click Login or hit the Enter key on your keyboard.
06:02
And if you get this pop-up box here, you can just X out of that. You could even say remember the password; it doesn't matter too much since we're in a sandbox.
06:11
All right, so a question for everyone here. So we've gotten through step 13. Question number one:
06:15
If we look at the top right of the page, are we now logged in as the administrator user? So are we logged in as admin or the root user? So take a look at the top of the page. And what do you see?
06:27
All right, so of course we see right there it says admin. And we also, you know, see a notation to root. So we know that we are logged in as administrator.
06:35
All right, let's go on with our lab document here. So now we're gonna go ahead and log out as the admin, and then we're gonna go back to the login page. So let's go and do that now. So we're just gonna say log out here,
06:46
and that takes us back to our login page.
06:48
So now what we're gonna do, we're gonna type in, just in the username field, we're gonna type in admin,
06:55
single quotation,
06:57
semicolon,
06:59
and then the pound symbol. So admin, single quotation, semicolon, and the pound symbol. So let's go and type that now. So admin, all lowercase,
07:06
quotation,
07:08
the semicolon, and then the pound symbol. Now leave the password field blank. Then all you have to do now is either hit Enter on the keyboard or just click on Login,
07:17
and you'll see a couple of questions here. So we've left that blank. We're gonna hit on Login. So question number two here: does it allow you to log in? So we'll take a look at that in just a second. And then question number three: what account shows logged in at the top right of the screen? So number one, did it let you log in?
07:32
And we see here that mine did. Yes, I see that I'm logged in. And number two, what account is at the top right of the screen?
07:40
So what account shows logged in at the top right of the screen?
07:44
All right, so we see, at least on my end, and you should have gotten the same result, we see that the admin account. Again, we've logged in successfully as the administrator account.
07:54
So I'm gonna go ahead and pause the video there before we finish out the rest of this part of the lab. I'm gonna go ahead and pause the video, and we'll pick things back up and finish out the SQL injection portion in the next video.

OWASP

Established in 2001, the Open Web Application Security Project (OWASP) offers free security tools and resources to help organizations protect critical apps. Cybrary’s OWASP training course covers the organization’s popular “Top 10” risk assessment.

Instructed By

Ken Underhill
Master Instructor at Cybrary