OWASP

Course
Time
4 hours 32 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:01
Everyone, welcome back to the course. So in the last video we started out typing our actual XML command that we're gonna be using for validation.
00:08
In this video we're gonna finish out typing that command, and we'll actually execute it and see what kind of results we get back.
00:14
So we left off here on the second line. We had just typed in the opening bracket, exclamation point, DOCTYPE all in capital letters. And now we're gonna type in lowercase example and then our left bracket.
00:28
So let's go ahead and do that now. So we're gonna put a space here, we'll type in example,
00:33
and then our left bracket,
00:35
and now we're just gonna hit enter and go down to our next line. So again, you just want to take your time with all these commands and make sure you're entering everything correctly, so that way the command is successful when we go ahead and run it.
00:45
So on the third line down, we're gonna type in the opening bracket, exclamation point, and then the word ELEMENT, all in capital letters. So let's go ahead and do that now.
00:53
So we'll type in our opening bracket, exclamation point, and then ELEMENT,
00:58
all in capital letters.
01:00
We'll go back to our lab document.
01:03
Next, we're gonna put a space, we'll put attack all lowercase, and then we're gonna put another space and then the word ANY all in capital letters, and then we'll put a closing bracket.
01:11
So let's go ahead and do that now. We'll put a space, attack,
01:15
space, ANY,
01:18
and then we'll close it out with our bracket.
01:21
Let's go to the next line down.
01:25
So now we're gonna type in
01:26
our opening bracket, exclamation point, and then the word ENTITY. So let's go ahead and type that in now.
01:34
So opening bracket, exclamation point, and the word ENTITY.
01:41
Then we're gonna type in xxe and then SYSTEM. So we're gonna type in xxe all lowercase,
01:48
and then we're gonna type in SYSTEM in all capital letters.
01:53
All right, so now we're gonna finish this out by putting in the path to the /etc/passwd file. So we're gonna put quotation marks around that path there, so we'll type in forward slash, e-t-c, forward slash, p-a-s-s-w-d, but we're gonna encapsulate that with quotation marks.
02:08
So let's go and do that now.
02:10
So we put our quotation mark, our forward slash, e-t-c, forward slash, p-a-s-s-w-d, and then we'll end that with quotation marks.
02:22
All right, so our last step on this line is we're just gonna put an ending tag right there, so we'll go ahead and put a space, and then we'll close that out,
02:29
and we're gonna move on to our next line.
02:31
So on the next line, we're just gonna put our right bracket, and then we'll close this out as well.
02:37
So let's go ahead and do that now.
02:43
And now we're gonna move on to our final line here, so we're gonna put this attack, xxe, attack. So we're gonna start out with just putting the brackets around attack.
02:51
So let's go ahead and do that now.
02:53
So we'll start here with this tag, and we'll come back here,
02:58
All right. Next, we're gonna type in the and symbol, or the ampersand as it's more commonly called, and then xxe semicolon. We'll type this one right here.
03:08
So ampersand
03:12
xxe, and the semicolon.
03:15
All right, so next we're gonna type in our bracket. So we're gonna be closing the bracket here with our closing tag for the attack.
03:23
So we're just gonna put attack again. What we're gonna add in there is a forward slash. And that's, you know, if you're not familiar with web programming, that's a way we can close tags, for example like a header tag or something like that.
03:38
All right, so we went ahead and entered our command here, and we're just gonna double-check ourselves, make sure everything looks okay, we didn't fat-finger anything. Everything looks all right. We're gonna validate this and just see what kind of information we get back.
03:54
All right, so let's move back to our lab document. We have just one question in this particular lab. So question number one here: do you see the contents of the file we're trying to access after running the command?
04:08
So the answer is yes, right? So all of this stuff here is the output of what's in that particular file.
04:16
All right, so you'll see that was the last step in this video. Again, we were just trying to do this type of attack and see if we could potentially use this to get information about this /etc/passwd file, if we could get information and what kind of content is in that particular file.
04:31
Now, we could potentially use the same exploit to get information about different files. For example, if we knew the path of certain files on this particular web server, we could use this command to do so. However, it's pretty specific,
04:48
so we were not able to pass information like XML, HTML or even binary data
04:54
without throwing an error message. So just keep that in mind as well. It is an attack that can be exploited. However, it may not be something that many attackers use, just because it might be more practical for them to use a different type of attack. So it is on the OWASP Top 10, and it is something relevant.
05:12
It's not something necessarily
05:14
to the level of, like, a SQL injection attack, for example, where that's more commonly used. So just keep that in mind as well.
05:20
Now, in this video, again, we talked about XML external entities, so we wrapped up our lab on it. In the next module, we're gonna go ahead and talk about broken access control. We'll talk about what it is, as we commonly do in all these modules: we'll talk about what it is, why you should care, and what kind of impact it may have on the organization.

Up Next

OWASP

Established in 2001, the Open Web Application Security Project (OWASP) offers free security tools and resources to help organizations protect critical apps. Cybrary’s OWASP training course covers the organization’s popular “Top 10” risk assessment.

Instructed By

Ken Underhill
Master Instructor at Cybrary