Time: 1 hour 43 minutes
Difficulty: Beginner
CEU/CPE: 2

Video Transcription

00:00
Hey, everyone, welcome back to the course. So we're gonna go ahead in this video and start our first lab. Again, I want to stress that the labs in this particular course, API Fundamentals, are there just to show you potential attacks that someone could use, to help you better understand why we should be securing our APIs and why we should also be paying attention to the OWASP Top 10
00:19
for API security.
00:21
In this particular lab, we're gonna talk through and work through a security misconfiguration. So just search the catalog for the Security Misconfiguration lab. And we've also included step-by-step guides, so you'll find those in the resource section of the course. So if you want to pause the video and go through the lab on your own, you are welcome to do so.
00:40
One other important thing I want to mention about these particular labs is on the right side here. You'll see some instructions and you'll see the Next option. You'll also see checkboxes. Now, if you want to get credit for this lab in your account, you'll need to make sure, as you go through the steps, to check those boxes. You notice there's a task bar that starts filling in
00:59
as I check those boxes. So, very important,
01:00
you want to make sure that you check those boxes as you're going through this lab.
01:07
And as I mentioned already, there is a step-by-step guide in the resource section of the course. Let's go ahead and get logged in here.
01:11
And we're just going to use the username of student, all lowercase, and then same thing with the password: it's gonna be student, all lowercase. And we're just logging into Kali Linux, if you don't know what we're looking at here.
01:23
It takes a moment, so it's logging in.
01:25
All right. Once we're logged in, we want to go ahead and launch Firefox. So it's gonna be this orange-colored icon at the top left here.
01:32
Okay. So when Firefox opens up, we're gonna type the following into the address bar here at the top. We're gonna type in http://mutillidae/mutillidae/includes/. So what we're gonna go ahead and do here is just add in a little bit at the front end
01:49
and make our lives a little easier, instead of having to type all that stuff in again.
01:53
And then at the end of this we'll just add in the "includes"
01:57
and a forward slash.
02:00
Now, if you're following along with the step-by-step guide, you'll see that I have a question there for you.
02:05
So basically, the question is: does it look like indexing is allowed?
02:10
Well, the answer is yes, right? We can see an index of the various files on this particular server.
02:16
All right, so next we're just gonna go back to that main Mutillidae page.
02:21
You can either click the back arrow or just click this little home option right here. Either way, it'll take you back to this page right here.
02:29
So the next thing we're going to do is navigate to OWASP 2017 here at the top left.
02:35
We're gonna go down to A6 Security Misconfiguration, since that's the lab we're in right now. We're gonna select Method Tampering. So for the GET-for-POST request, we're going to select the poll question as our last option there. So again, you'll find that in the step-by-step guide of the course, and the instructions we're going through are also here on the right side as well.
02:54
Okay, so you see we're taken to the User Poll page. Now we're just gonna go ahead and minimize our Firefox window here,
03:01
and then we're gonna navigate over to our Burp Suite icon. So it's about halfway down; it kind of looks like a little orange face. We're gonna go ahead and launch Burp Suite.
03:09
Once it launches, it's gonna give you a license agreement. I always like to uncheck this box just out of habit. It's so you can send anonymous feedback; I never do that with applications. So I'm just gonna uncheck that box here, and then you can read through the license agreement if you want to. You're in a virtual lab, so it doesn't really matter. And then I'm just gonna select the I Accept icon right there.
03:30
And so that's going to take us into Burp Suite.
03:35
So once we're inside Burp, we're just gonna leave it as a temporary project and select Next,
03:39
and we're gonna leave the Burp Suite defaults there. We're just going to select this Start Burp button at the bottom.
03:46
Okay, so once Burp Suite has opened up, we're just gonna select this Proxy tab here at the top left,
03:52
and then you see where it says Intercept is on. We're actually going to select that to turn off the intercept.
03:58
Right. The next step is just minimizing Burp Suite. We're gonna go back to our Firefox window.
04:01
So once we're back in Firefox, we're just gonna right-click on this FoxyProxy icon. It's just to the right of the URL bar, and you should see the same thing in your lab.
04:11
And then we're gonna select this "Use proxies based on their pre-defined patterns and policies" option.
04:16
Excuse me, patterns and priorities. We're just gonna select that top one there.
04:20
So once you've set the FoxyProxy icon, we're next gonna come back to our User Poll page, and we're just gonna select Kismet; it's about halfway down here,
04:29
and then we're just gonna put in some random initials. So I'll just put some random letters in there,
04:33
and next we're just gonna click the Submit Vote button.
04:36
All right. While it's doing that, we're just gonna minimize Firefox again, and we'll go back to Burp Suite,
04:41
so you can navigate back to Burp Suite just by clicking the icon on the left side here;
04:46
that'll open it back up.
04:46
And now we're gonna be clicking on this HTTP history tab here at the top left.
04:51
Next, we're going to right-click here where it says http://mutillidae.
04:58
Then we're gonna select the Send to Repeater option.
05:00
Next, we're gonna click the Repeater tab here at the top. You'll notice it's highlighted.
05:04
Now you can see the information from the poll. When we submitted that poll, as you can see, we chose Kismet, and our initials are also "ppp".
05:14
So, so far in this video we've gone through and logged into the lab. We went ahead and submitted the poll information, we made a few changes in Firefox, and we've launched Burp Suite, and now we've captured that information. In the next video, we're gonna go ahead and wrap up this lab, where we're gonna go through and try to change our request. So we'll try to change that POST request
05:33
and see if we're able to. We're also gonna send some more information and see if we're able to capture it. And we're also going to try to upload a malicious file and see if we're able to upload it to the server.

Instructed By

Ken Underhill
Master Instructor at Cybrary