OWASP

Course
Time: 4 hours 32 minutes
Difficulty: Beginner
CEU/CPE: 5

Video Transcription

00:01
Hi, everyone. Welcome back to the course. So in the last video, we wrapped up our discussion on XXE, or XML external entities, as it's more commonly known.
00:11
In this video, we're gonna go ahead and just do a practice lab on it. Now, I've already launched the lab environment. So as I mentioned before, oftentimes it takes up to a minute for the labs to launch. So I just want to go ahead and we'll start off with this screen here.
00:24
Now, the other thing to keep in mind is that coming up, after we get logged in, we have a rather long command that we're gonna be typing in. So we'll go through that step by step. So if you're looking at the lab guide and you're kind of looking ahead, we'll go ahead and we'll type that command, we'll do it step by step so everyone can follow along.
00:40
First things first. Once we launch our lab, we get these little pop-up boxes here. All we're gonna do is just click on Next and OK to close those. And then it will take us to our login screen for the Kali machine.
00:51
You'll also notice sometimes other pop-ups here as well. So sometimes at the top right or bottom left. Those are just related to the lab environment.
00:58
And now we're at the Kali login screen. So here we're gonna type in the username of student and then also the password of student. So we type student, all lowercase, and then either click Next or hit Enter on your keyboard,
01:11
and same thing here, student, all lowercase, and again either hit Enter on your keyboard or just click the Sign In button.
01:19
It might take a moment or so. Then it's gonna launch the Kali desktop for us. Again, if you're not familiar with Kali Linux, it's commonly used for penetration testing, or ethical hacking, as you'll hear it called commonly in the media. But it's used by penetration testers to perform testing of your organization's systems, or just, you know, for newer people, to practice their skills.
01:40
So you'll see the Kali desktop has launched in the background. Now, as we've been doing with all of these labs, the first thing I'm gonna do is actually disable the auto screen lock feature. So that way we don't get our screen locked up as we're going through the lab. This one's a shorter lab, so it shouldn't take us too much time, but again, a lot of times in the virtual machines, if you
02:00
pause, you know, go get something to eat or whatever, come back to it, it may time you out, so that's why I like to disable it up front. So that way we should not have that issue.
02:07
So the way we disable it, we just come to the top right of our screen. There's a little
02:12
arrow key there. Just click on that,
02:15
and it'll pop up a little menu for us. Now in that menu at the bottom left, there's a settings icon here. It looks like a little screwdriver and a monkey wrench together. Let's go ahead and click on that.
02:23
It's gonna open up another box for us, another window for us. It's gonna take a moment or so. It takes, like, five seconds or so to open up. Once it does that, we're going to select Privacy on the left side. So down here at the bottom left, just click on Privacy. Then you'll see the Screen Lock here at the top. Just click on that. And then it'll pull up a pop-up box,
02:43
and then all you have to do is just click your mouse and move this circle to the left.
02:46
Here it is. Click there and it should move that all the way to the left.
02:50
Once it does that, we're good to go. So all we have to do is just X out of those.
02:55
All right, so let's go back to our lab document and we'll actually get started with our lab. So we've already logged into Kali Linux. We've already used the username of student and the password of student.
03:05
And we see our Kali desktop screen here.
03:07
So what we're gonna do now is we're gonna launch Firefox. So it's at the top left, one here on this left side menu, this orange-colored icon, so orange and white. Just click on that and that'll launch Firefox for us. Now it's gonna open us up to the main Mutillidae page. Again, for all these labs in this course, we're using Mutillidae,
03:25
which is a deliberately vulnerable
03:29
application from OWASP. Now you'll notice in a few videos I've mentioned that you may possibly get this type of error message where it doesn't actually take you directly to the web page. If you get that, as I mentioned before, just click here at the top left on the little Mutillidae icon. It's gonna basically refresh everything, and then it'll take you to the main page.
03:47
So as I mentioned before, you kind of get that glitch randomly.
03:51
There's no correlation with your particular actions. And there's no, you know, specific sequence to it, you know, as far as, like, how long, you know, how often that happens. So, you know, you may get it, and you may never see it, you know, when you're in, or, you know, you might get it 10 times in a row, so you just never know. But all you have to do to fix it is just click on the Mutillidae
04:10
icon here. It'll refresh it and take you to the main page here.
04:14
All right, let's go back to our lab document.
04:16
So now we're at step seven here. So what we're gonna do is we're gonna navigate to OWASP 2017. We're gonna go to A4, XML External Entities. We'll select XML External Entity Injection and then we'll select XML Validator. So just keep in your mind that we go to OWASP 2017, we go to A4,
04:35
then we go to Entity Injection and then Validator. That's probably the easiest way, since all of them have XML in the title,
04:42
to remember those for you. So just go on OWASP 2017,
04:46
go to XML. I'll click back on my screen here so it's easier.
04:48
OWASP 2017, A4 XML External Entities,
04:54
XML External Entity Injection, and then you'll see we have XML Validator right there. Let's go ahead and click on that.
05:00
It's gonna give us this big box here to work with. Well, I guess a little box, depending on your view of it, but what we're gonna do is we're gonna take this long command. So this is that long command that I mentioned,
05:11
and then what we want to basically try to do with this command is see if we get the output of what's in this file right here. So the /etc/passwd file. So the password file. If we can see what's in that, we know we're successful for this particular lab,
05:28
so let's go ahead and get started again. We're gonna be typing all this in together. You're welcome to just grab it from the lab guide and paste it in there if you want to. I'm gonna go ahead and just type everything in so you can follow along.
05:42
So first things first, we'll start with our tag, like we had done in a different lab. So again, these are gonna be, generally speaking, located right above the period and the comma on your keyboard, especially if you're here in the U.S. So you just need to use the Shift key, and then you can go ahead and access those,
05:58
so we'll type that in,
06:00
uh, come to the next line down. So we're gonna type this line here. We're gonna type in our
06:06
tag there, so it looks like, again, a little elevated alligator mouth. We'll type that and we'll put a question mark and then we'll type XML, space, version. So that's what we'll do right now, then we'll continue typing the rest of this particular command.
06:18
So we'll put a question mark there,
06:21
we'll put XML, space, version.
06:28
All right, now we're gonna put an equal sign,
06:30
and then we're gonna put the quotation marks,
06:33
and then 1.0, and then a quotation mark. So let's go ahead and do that now.
06:38
So put a quotation mark, 1.0, quotation mark.
06:43
You could put a space there.
06:46
Now we're gonna type in encoding and then the equal sign.
06:48
Let's go ahead and do that.
06:49
Type in encoding.
06:54
And if you don't fat-finger it, you'll be good. All right. Encoding, and then the equal sign.
06:59
Next, we're gonna type in
07:00
quotation marks. We're typing around ISO-8859-1.
07:06
So let's go and type that now.
07:09
So
07:10
put a space, quotation marks, ISO
07:13
88.
07:15
You may have actually put an extra space in there. Yeah, I didn't,
07:17
so don't put a space there. Back that out.
07:20
All right, so
07:23
no space in between the ISO, so the quotation marks, and the equal sign.
07:27
So we'll type in ISO-8859-1, and then we'll end out our quotation.
07:33
And again, if you want to pause the video and go through this a little slower, by all means, feel free to do so. That's why we incorporate the step-by-step lab guides for you.
07:43
All right, so we've typed that in. Now we're just gonna finish out with a question mark, and then we'll end with that closing tag.
07:50
So we're just gonna end with a question mark and the closing tag there.
07:54
We'll move on down to our next line.
07:58
Let's go back to our lab document. So now what we're gonna do is we're gonna put our opening tag, and then we're gonna put the exclamation point, which I had actually talked about earlier on, then we'll type DOCTYPE.
08:07
So let's go and do that now.
08:09
So we put our opening tag, exclamation point, and then DOCTYPE, all in capital letters,
08:16
and I'm gonna actually pause the video there. We'll pick this back up in the next video. I just want to make sure we stay on track time-wise. So in this video, we started out typing in our command for XML, and we're gonna go ahead and finish it out in the next video.

OWASP

Established in 2001, the Open Web Application Security Project (OWASP) offers free security tools and resources to help organizations protect critical apps. Cybrary’s OWASP training course covers the organization’s popular “Top 10” risk assessment.

Instructed By

Ken Underhill
Master Instructor at Cybrary