﻿1
00:00:01,450 --> 00:00:08,620
CAPTCHA problems. So CAPTCHA stands for Completely Automated Public Turing test to tell Computers and

2
00:00:08,620 --> 00:00:09,480
Humans Apart.

3
00:00:10,330 --> 00:00:11,530
But you didn't know that, did you?

4
00:00:12,310 --> 00:00:18,790
So basically it's implemented to distinguish human users from any entity that makes automated requests.

5
00:00:19,910 --> 00:00:26,040
So there are several CAPTCHA types, such as visual, aural, arithmetic and so forth and so on, but

6
00:00:26,090 --> 00:00:30,260
the best known of these is the visual one.

7
00:00:31,260 --> 00:00:38,220
So many times a CAPTCHA is an image; it contains human-readable text or maybe some numbers or a recognizable

8
00:00:38,220 --> 00:00:43,710
image that the user must solve in order to prove he is not a bot.

9
00:00:44,560 --> 00:00:52,270
And boy, doesn't it feel good to know that you're not a bot. So a CAPTCHA is not an authentication control,

10
00:00:53,170 --> 00:01:00,700
but using a CAPTCHA can be a very efficient way to mitigate enumeration attacks and

11
00:01:00,700 --> 00:01:07,050
any submission process that can be automated within a web application.

12
00:01:08,290 --> 00:01:15,760
So CAPTCHA images don't protect against pure brute force; they just put a layer of complexity

13
00:01:16,150 --> 00:01:18,670
over the form on which they are added.

14
00:01:19,790 --> 00:01:26,030
So that means that you can generally see CAPTCHAs implemented on login and registration as well as reset

15
00:01:26,030 --> 00:01:34,280
and forgot-password forms, so this will basically protect against account takeover, username enumeration and fake

16
00:01:34,280 --> 00:01:35,330
account creation.

17
00:01:36,230 --> 00:01:37,130
But let me show you this.

18
00:01:39,230 --> 00:01:42,290
So open up Kali and log in to bWAPP.

19
00:01:42,950 --> 00:01:46,550
And from the drop-down menu, open CAPTCHA Bypassing.

20
00:01:48,140 --> 00:01:51,050
And this is an authentication form that contains a CAPTCHA.

21
00:01:52,270 --> 00:01:57,160
So this time I'm going to do only the high level, so change the level to high.

22
00:01:58,030 --> 00:01:59,920
And there's no difference in the view.

23
00:02:02,700 --> 00:02:05,970
OK, so let's see the page source and see if there's anything interesting.

24
00:02:07,240 --> 00:02:12,760
So this is the form that contains the CAPTCHA, and the CAPTCHA image is included in an iframe.

25
00:02:14,130 --> 00:02:20,580
The source page is captcha_box.php, and this page contains the generated CAPTCHA image.

26
00:02:21,840 --> 00:02:22,400
OK.

27
00:02:23,460 --> 00:02:26,870
So now open Burp in intercept mode.

28
00:02:28,210 --> 00:02:36,500
And I will resize the browser for a better view of the screen, and now we can enable FoxyProxy.

29
00:02:37,150 --> 00:02:41,450
So now we need to understand the behavior of the form and the CAPTCHA.

30
00:02:42,220 --> 00:02:45,490
So there may be an implementation problem here.

31
00:02:45,940 --> 00:02:53,890
OK, so I'm going to enter the right values into the input fields: bee, bug and the CAPTCHA text.

32
00:02:55,180 --> 00:02:59,080
And now the request is intercepted, so forward it.

33
00:03:00,440 --> 00:03:06,410
And here's the response. Now let's have a look at the response; it contains a successful login message.

34
00:03:07,460 --> 00:03:13,190
Right, so this message comes up when everything is correct, so forward it.

35
00:03:14,730 --> 00:03:21,370
Now, after we get the response, our CAPTCHA-containing iframe sends a request to get a new CAPTCHA

36
00:03:21,370 --> 00:03:21,820
image.

37
00:03:23,030 --> 00:03:27,140
And the source of the iframe sends a new request to the image page.

38
00:03:28,290 --> 00:03:30,690
And the new image is presented on the page.

39
00:03:31,870 --> 00:03:36,550
So this new CAPTCHA image request will always behave the exact same way.

40
00:03:37,330 --> 00:03:40,470
So now let's try wrong login information.

41
00:03:41,520 --> 00:03:42,900
With the right CAPTCHA text.

42
00:03:44,710 --> 00:03:45,790
Forward the request.

43
00:03:47,960 --> 00:03:49,220
Now, look at what we have.

44
00:03:50,760 --> 00:03:54,960
A new message, and this time only the CAPTCHA was correct.

45
00:03:56,120 --> 00:03:58,070
OK, so forward it and the rest.

46
00:03:59,520 --> 00:04:04,110
And now the correct login information and a wrong CAPTCHA text.

47
00:04:07,220 --> 00:04:10,730
And a new message appears and says incorrect CAPTCHA.

48
00:04:12,070 --> 00:04:13,570
And forward the rest.

49
00:04:15,620 --> 00:04:22,520
Now, this time, I'm going to fill in all of the fields with wrong values and forward the request.

50
00:04:24,110 --> 00:04:27,320
Let's look at the message; it comes back as incorrect CAPTCHA.

51
00:04:29,110 --> 00:04:35,370
So we can understand that it first checks the CAPTCHA, then the login information, right?

52
00:04:37,190 --> 00:04:38,540
And forward the rest.

53
00:04:39,810 --> 00:04:46,380
All right, so now we're ready to shape our attack. So I'm going to perform a replay attack, and I'm

54
00:04:46,380 --> 00:04:51,900
going to get a CAPTCHA image and then I will try further requests with it.

55
00:04:53,290 --> 00:04:59,830
So I will assume that I don't know the login credentials and that I created a dictionary file before.

56
00:05:01,260 --> 00:05:04,470
And I fill the form with the correct CAPTCHA and send.

57
00:05:05,700 --> 00:05:07,110
Now the request is in Burp.

58
00:05:08,180 --> 00:05:13,100
And before forwarding it, send it to Repeater and Intruder.

59
00:05:14,330 --> 00:05:14,930
Then forward.

60
00:05:16,300 --> 00:05:21,870
And look at the response: so the application checks the CAPTCHA, but the credentials fail.

61
00:05:22,860 --> 00:05:24,300
So forward it to the browser.

62
00:05:25,910 --> 00:05:27,740
OK, so now we're at a critical point.

63
00:05:28,800 --> 00:05:31,440
I'm going to drop this new CAPTCHA request.

64
00:05:32,310 --> 00:05:34,710
So there are no more requests after this.

65
00:05:36,160 --> 00:05:37,840
Now open the Repeater tab.

66
00:05:39,480 --> 00:05:40,560
And send it again.

67
00:05:42,300 --> 00:05:44,940
And the response still says invalid credentials.

68
00:05:46,040 --> 00:05:48,440
That means that the CAPTCHA is still valid.

69
00:05:49,690 --> 00:05:52,350
So let's prove it one more time with false credentials.

70
00:05:55,230 --> 00:05:56,700
And sure enough, still the same.

71
00:05:58,110 --> 00:06:00,480
OK, so now go to the Intruder tab.

72
00:06:01,690 --> 00:06:07,690
I've already told you about these tabs, right? So go to the Positions tab, clear the parameters and

73
00:06:07,690 --> 00:06:10,240
add username and password as parameters.

74
00:06:11,710 --> 00:06:14,620
Then the attack type is Cluster bomb.

75
00:06:16,890 --> 00:06:21,810
And here we have just two payload sets, one for username and one for password.

76
00:06:23,130 --> 00:06:25,620
Payload set one is a simple list.

77
00:06:26,930 --> 00:06:32,120
Click Load to load the wordlist that we created in a previous lesson, and that's it.

78
00:06:33,640 --> 00:06:36,640
And do the same for payload set two as well.

79
00:06:38,870 --> 00:06:41,690
So now open the Options tab.

80
00:06:43,680 --> 00:06:48,930
You don't need to change anything here; scroll down to the Grep - Match section.

81
00:06:50,470 --> 00:06:51,760
Now, clear these inputs.

82
00:06:53,350 --> 00:06:58,090
Now we need to provide a message to differentiate the successful logins.

83
00:06:59,360 --> 00:07:03,110
And that message happens to be here, so copy that.

84
00:07:04,870 --> 00:07:06,010
Then add it here.

85
00:07:08,790 --> 00:07:13,070
And OK, give me a second to have a look, see if we missed anything.

86
00:07:14,090 --> 00:07:19,550
No, I don't think there's anything that we need to configure anymore, so if you're ready, I'm ready.

87
00:07:19,550 --> 00:07:20,690
Let's start the attack.

88
00:07:22,600 --> 00:07:26,700
And the requests start to list in the attack window.

89
00:07:27,640 --> 00:07:29,200
Let's wait for it to finish.

90
00:07:31,240 --> 00:07:37,750
All right, so our base request is just like that, and the associated response.

91
00:07:38,940 --> 00:07:42,180
As you can see. So now let's go to this line.

92
00:07:43,200 --> 00:07:44,220
Look at the response.

93
00:07:45,600 --> 00:07:48,060
And sure enough, we are successfully logged in.

94
00:07:49,600 --> 00:07:57,990
OK, so now let's see, because we can quickly check the code. So let's open up your terminal and view the

95
00:07:58,000 --> 00:07:59,860
ba_captcha_bypass.php page.

96
00:08:01,910 --> 00:08:07,970
So this line checks the security level; if the level is high or medium, then it will execute the following

97
00:08:07,970 --> 00:08:08,350
lines,

98
00:08:09,690 --> 00:08:15,570
which compare the CAPTCHA value sent by the user with the value in the session variable captcha.

99
00:08:17,830 --> 00:08:23,020
And as you can see, there is no code to assign a new value to the captcha variable in the session.

100
00:08:24,610 --> 00:08:26,230
So you see, this is the main problem.

101
00:08:27,760 --> 00:08:31,570
The new value is assigned in a separate request.

102
00:08:33,540 --> 00:08:39,150
And that's what lets us replay the correct CAPTCHA that is in the session variable.

