Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

This is this lesson, participants how to use mulillidea to see if a web server is configured in a secure manner. Using Burp Suite, participants learn how to spider a web site to see if they can view directories that should not be view-able. It is very easy to traverse an entire web site.

Video Transcription

00:04
Hello and welcome to the cyber. Very secure coding course. My name is anywhere and this is a WASP. Top 10 for 2013 a five security Miss Configuration Dello Directory Browsing.
00:21
This is the demo for Security, Miss Configuration Directory browsing.
00:26
So we're using Mattila Day here, and basically it lets us know that the Web server is not configured very securely. And so we might be able to browse very interesting pages, or you are Els on this particular Web server. So just to show you how you get here,
00:47
you're going to choose from the OSS directory Security, Miss Configuration Directory browsing.
00:56
Now, I'd like to show you in burbs Sweet. How to spider this particular website.
01:03
And then from there we can determine whether we can go ahead and view directories that should not be viewable to us.
01:15
So I'm gonna turn the interceptor off
01:19
and I'm gonna go to my target.
01:22
Now you need to go ahead and add
01:26
the location where you're running
01:29
in this case Mattila Day or you're vulnerable Application.
01:44
So and I'm running it on Port 80
01:48
snow. Have this
01:49
as my target scope.
01:53
And in order for something to appear here on the site map. Since I had actually gone to that page, I'm now able to
02:02
to see that. But if you have nothing here,
02:07
just go ahead and
02:08
click something in the menu and go to that page, and then it'll actually bring up an item for your site map.
02:19
Now the Spider Host, you just right click and spider this host
02:23
and you'll see the spider tab light up.
02:28
And basically it's gonna send a bunch of requests and go through and figure out all the links that are available.
02:38
It'll actually go all the way back to the Web server so it won't just be your application. It will actually be everything under the Web server as well. Spider takes quite a while to run,
02:52
so I'm gonna pause the video and come back to this.
02:55
Okay? The spider is still running. It's sent a lot of requests, but it's still
03:01
still doing some work here. If we go back to the target tab, you can see
03:08
that there are links
03:10
that are even extended beyond the local host. And so, if you want to get rid of those and really clean up
03:19
just the target that you're interested in. You can do that by
03:23
right clicking this area here
03:27
and then
03:29
check the box that says, Show on Lee in scope items and then click out of it
03:35
and it'll start cleaning this up.
03:39
So after it cleans up a bit,
03:43
you can start to see the various folders available. And here's our Mattila Day. This is our
03:51
where applications,
03:53
but we can also see some other interesting things here. There's a folder PHP, my admin. That looks pretty interesting.
04:02
There's also a security folder here,
04:05
and so once you have Spider Dhe, the website, it makes it really easy to start doing directory browsing.
04:16
All we need to do then is just try to view this directory.
04:21
It's right off of the Web server,
04:28
so let's just see what we get
04:34
and looks like we get
04:38
the admin page for Samp.
04:43
So this is pretty interesting here
04:46
and shows how easy it is to
04:49
to traverse an entire
04:54
website
04:55
and then to determine which directories and files are viewable through the browser

Up Next

Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By

Instructor Profile Image
Sunny Wear
Instructor