6.2 Security Misconfiguration Lab Instructions Part 1
12 hours 9 minutes
Hey, everyone, welcome back to the course. So in the last video, we wrapped up our discussion on security misconfigurations. Specifically, one of the things you'll notice in the media a lot is misconfigured cloud instances. So, for example, like Amazon AWS buckets, you'll notice you'll hear that in the media a lot, saying, no, it was misconfigured, and that's why all your data is gone.
Hopefully you understand the importance of preventing security misconfigurations, at least as much as we can, because that'll help secure your data a little better.
So this lab is gonna go through a quick example of it. Again, we're kind of hitting these labs pretty light. We're not gonna go in depth where you'll need a huge amount of knowledge. But as I mentioned at the start of the course, it's good to have a foundation in computers in some capacity, whether that's networking, operating systems, et cetera. It just helps you understand things a lot better.
So you'll notice I already got the lab pulled up in the background here. As I mentioned before, it sometimes takes up to a minute for these labs to launch, and we'll go ahead and get logged in. Now we see our pop-ups back here like we normally do. We're just gonna click Next and OK to close.
And then we have some other prompts that occasionally show up as well. We'll just X out of those as well.
So now we're at our login screen here. Same as with all the other labs, the username is gonna be student, and the password is gonna be student as well. So again, student, all lowercase, for both username and password. Now it's just gonna pull up our Kali machine for us, so it might take a moment or so to see the desktop there.
So while it's pulling that up, let's go back to our lab document here.
So the first thing we're gonna do before we launch Firefox is, as we've been doing, we're gonna go ahead and disable the screen lock feature so that we can do our lab. That way, if you're taking a little longer to do the lab on your end, you can take your time and not worry about it locking you out, where you have to restart everything or cancel out of the lab.
You can actually just go through everything at your own pace and be successful in it.
So to turn off the screen lock feature, as we've seen in other videos, we just click this little arrow at the top right. That gives us a little menu. Here at the very bottom left, we have the Settings icon. It looks like a little screwdriver with a monkey wrench.
Just click on that. It's gonna take roughly about 45 seconds or so, and it'll pull up a new window for us.
Now, when it does that, in the new window we're gonna click on the Privacy option. You'll see it here near the bottom left.
Then we're gonna click on Screen Lock, and it's gonna open up a little pop-up box for us. We're gonna just move this circle to the left here. So we just want to move that little circle to the far left. Once we've done that, that will turn off the screen lock. So all we have to do now is just X out of these couple of boxes, and we're good to go.
All right, so let's go ahead and move on with our lab now. So we're gonna launch Firefox. That'll be this top-left icon here on the menu bar.
And once we launch Firefox, it should pull us up to the Mutillidae page. Again, as I've mentioned before, if you get an error message, then just go ahead and click on the Mutillidae icon, and that will refresh the page and take you to the main page.
So you'll see mine took me to the main page. Again, that's the icon right here at the top left. So if for some reason you get an error message, click that to get back to this page right here.
All right, let's go back to our lab document.
So now we're gonna type this in the URL bar. Once we do that and press Enter, I want you to think about: does it look like directory indexing is allowed on this particular web application server?
So we're gonna type in http://mutillidae/mutillidae/includes/. Let's type that in now. So http, colon, forward slash, forward slash, mutillidae, so M-U-T-I-L-L-I-D-A-E, then another forward slash, and just type the same word again, mutillidae. And then our final part is gonna be includes, forward slash. And then we're gonna press Enter once we've typed that in.
All right, so just press Enter on the keyboard.
All right, so the question again is: does it look like directory indexing is allowed? Is that a yes or a no?
All right, so the answer is yes. I know I paused for just a very fraction of a second there, but the answer is yes, and we can see so by getting this information right here in the background.
Now, ideally, if somebody typed this type of thing in, they would get an error page saying forbidden or something like that, like a 403 error message saying, hey, it's forbidden for you to access this. But this particular application is vulnerable. We already know that, so it's okay to see that there.
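The check the lab does by eye in the browser, as an added example that is not part of the course material or of the Mutillidae project: it tells an Apache-style autoindex page (HTTP 200 with an "Index of /..." title and a "Parent Directory" link) apart from the 403 a hardened server should return, and lists the file names a listing exposes. The URL is the one typed in the lab; the two response bodies are constructed to resemble Apache output and were not captured from the lab VM. The `probe()` helper does a live request and is only there for running it against a real target.

```python
"""Check whether a web server exposes an auto-generated directory listing.

Added example for this lab; not part of Mutillidae or the course material.
The sample response bodies below are constructed to look like Apache
mod_autoindex output and were not captured from the lab VM.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    url: str
    status: int
    indexing_allowed: bool
    files: list = field(default_factory=list)


# mod_autoindex titles the page "Index of /path" and adds a "Parent Directory"
# link; both must be present before we call the response a listing.
INDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
PARENT_LINK = re.compile(r">\s*Parent Directory\s*<", re.IGNORECASE)
# Entry links are relative names; skip absolute paths and the ?C=N;O=D sort links.
ENTRY_LINK = re.compile(r'<a\s+href="([^"/?#][^"]*)"', re.IGNORECASE)


def classify(url, status, body):
    """Decide from status code and body whether directory indexing is enabled.

    A 403 (or any non-200) is what a hardened server should return; a 200 whose
    body looks like an autoindex page means the directory is browsable.
    """
    if status != 200:
        return ProbeResult(url, status, False)
    is_listing = bool(INDEX_TITLE.search(body) and PARENT_LINK.search(body))
    files = ENTRY_LINK.findall(body) if is_listing else []
    return ProbeResult(url, status, is_listing, files)


def probe(url, timeout=5):
    """Fetch `url` and classify it. HTTP errors such as 403 are reported, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-index-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(url, resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(url, err.code, "")


# Constructed sample responses (not captured from the lab VM).
LISTING_BODY = """<html><head><title>Index of /mutillidae/includes</title></head>
<body><h1>Index of /mutillidae/includes</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/mutillidae/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="footer.php">footer.php</a></td><td>2019-01-01 00:00</td></tr>
<tr><td><a href="header.php">header.php</a></td><td>2019-01-01 00:00</td></tr>
</table>
<address>Apache/2.4 Server at mutillidae Port 80</address>
</body></html>"""

FORBIDDEN_BODY = """<html><head><title>403 Forbidden</title></head>
<body><h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p></body></html>"""


if __name__ == "__main__":
    url = "http://mutillidae/mutillidae/includes/"
    # Classify the constructed samples offline.
    for status, body in ((200, LISTING_BODY), (403, FORBIDDEN_BODY)):
        result = classify(url, status, body)
        print(f"{status}: indexing_allowed={result.indexing_allowed} files={result.files}")
    # To check the lab VM itself instead of the samples, uncomment:
    # print(probe(url))
```

On the Apache side, the fix the 403 reflects is `Options -Indexes` in the `<Directory>` block (or a `.htaccess`) for the web root, which turns mod_autoindex off so a request for a directory with no index file is refused instead of enumerated.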
So now we're gonna go back to the main page. So again, just click the icon here at the top left. That'll take us back to our main page.
Once you get back on the main page, we're gonna go to OWASP 2017. We're gonna go to A6 Security Misconfiguration, and then we're gonna click on Method Tampering, and then we're gonna click on where it says Poll Question. So let's go ahead and do that now.
So it's gonna be OWASP 2017. We'll do the A6 Security Misconfiguration. We'll do the Method Tampering, GET for POST, and then we're going down to the Poll Question. So the second one from the bottom there. Go ahead and click on that.
All right, so now what we're gonna do, we're gonna use Burp Suite again in this lab. So we're gonna minimize Firefox. We're gonna go back to Burp Suite and get that all set up, and then we're gonna uncheck the Intercept is on button, because we want to turn off the intercept feature for now. So first things first, let's minimize Firefox. Then we're gonna go on the left side here to Burp Suite. We're gonna click on that. That's an orange-colored and gray-colored icon.
It's gonna take a moment or so to pull up, and then once it does, it's gonna make us agree to the license agreement. And then also we'll have a couple of default settings that we just leave alone, and then we'll launch the tool.
You'll see there we have the license agreement. I always just uncheck the box about sharing. I guess it doesn't matter too much since we're in a virtual environment here, but I just uncheck it out of habit, because I do use Burp Suite on my own systems. And then just click I Accept, I accept the license agreement, and then at these next couple of screens here, just click Next and then Start Burp. And that'll actually start up the application for us.
And you'll see, as I mentioned, it takes a moment or so to actually launch for us. So while it's doing that in the background, let's go back to our lab document.
So we just did step 20 here, so we're starting Burp Suite. It's pulling up there, finally. Now we're in step 21, so we're gonna click on the Proxy tab, and then we're gonna turn off the intercept feature. Let's go and do that now. So just click on Proxy at the top left, and then you click the button that says Intercept is on, and then you'll notice now it changes to say, hey, the intercept is off,
so we know we're good to go there. Let's go ahead and minimize Burp Suite now,
and we'll go back to our Firefox browser. Just go ahead and click back on your Firefox.
Let's go back to our lab document here. So now we're gonna go back to that FoxyProxy icon, if you remember from a previous lab. So we're gonna go back to that, and we're gonna right-click on it, and we're gonna select the top option again, Use proxies based on their predefined patterns and priorities.
So let's go and do that now.
So we're just gonna right-click on it. It's one at the top right here, and then we'll select Use proxies based on..., et cetera, et cetera. So that'll change that for us.
All right, so now what we're gonna do is we're gonna go back to the user poll page. So that's this page here. We're gonna select Kismet, and then type anything that you want in the initials box here. So I'm gonna click on Kismet. It's about halfway down or so. And then whatever initials you want to type in, I'm just gonna type in cyber. You're welcome to type whatever you want to,
and then we're gonna go ahead and submit our vote.
All right, so now what we're gonna do is we're gonna minimize Firefox. We're gonna go back to Burp Suite, and we're gonna look at the HTTP history tab.
So let's go ahead and do that now.
We want to minimize Firefox.
We're gonna launch Burp Suite again, so down here at the bottom,
and we want to go to the HTTP history tab.
So you'll see we've got some information back. I'm gonna go ahead and pause the video there. We'll finish out the rest of this lab in the next video, where basically we're gonna modify some of the information.