﻿1
00:00:00,630 --> 00:00:08,340
So another implementation problem is weak password recovery or reset solutions, so let's say that you

2
00:00:08,340 --> 00:00:09,420
want to change your password.

3
00:00:10,230 --> 00:00:13,920
So here you should have a look to see if the current password is confirmed or not.

4
00:00:15,130 --> 00:00:24,070
And is the password change form open to a CSRF attack, which we are going to cover in the session management

5
00:00:24,070 --> 00:00:24,580
section.

6
00:00:26,110 --> 00:00:30,960
But the other thing is, well, that can happen to all of us, we all forget the password, right?

7
00:00:31,090 --> 00:00:31,540
I do.

8
00:00:32,810 --> 00:00:33,440
Sometimes.

9
00:00:34,230 --> 00:00:42,540
Now, what information is required to recover the password? So here come the secret security questions

10
00:00:43,020 --> 00:00:48,180
and maybe second communication channels that prove the real user.

11
00:00:49,200 --> 00:00:55,560
And again, the application should confirm the recovery request on a second channel.

12
00:00:57,720 --> 00:00:59,820
So go to Kali and log in to bWAPP.

13
00:01:01,060 --> 00:01:07,030
From the drop-down menu, open Forgotten Function under Broken Authentication.

14
00:01:08,670 --> 00:01:12,660
So I'm logged in as user bee and the level is low.

15
00:01:14,050 --> 00:01:21,140
Now, what I expect to see here is to learn my secret or password, because I don't remember.

16
00:01:21,970 --> 00:01:26,420
So the application waits for my email address, but there's a problem.

17
00:01:27,040 --> 00:01:28,960
What if I don't know my email address?

18
00:01:30,280 --> 00:01:37,450
So I'm going to check the users table from my phpMyAdmin interface.

19
00:01:38,430 --> 00:01:39,600
Browse users.

20
00:01:41,070 --> 00:01:48,150
OK, so this is my email and I'm going to write it into the input field and click Forgot.

21
00:01:49,230 --> 00:01:51,510
Then it immediately prints it to the page.

22
00:01:52,880 --> 00:01:59,210
OK, so you see that this is a bad implementation because it obviously holds the secret or maybe even

23
00:01:59,210 --> 00:02:01,460
the password in clear text.

24
00:02:02,550 --> 00:02:09,060
Not good, but you know something, you know what's really bad is when you write the email address of

25
00:02:09,060 --> 00:02:10,170
another user.

26
00:02:11,710 --> 00:02:17,530
And you get the user's secret, so if you know the e-mail of any user, you can learn their secret.

27
00:02:18,560 --> 00:02:20,960
Uh, is this a terrible implementation?

28
00:02:22,740 --> 00:02:24,600
So now let's change the level to medium.

29
00:02:26,130 --> 00:02:28,590
OK, so I'm going to enter my user's email address.

30
00:02:29,740 --> 00:02:32,860
And this time it sends the secret to my email.

31
00:02:34,180 --> 00:02:38,980
OK, so open up a new tab and go to mailinator.com.

32
00:02:40,420 --> 00:02:47,250
So this application provides disposable e-mail boxes, you don't even need to create a real account,

33
00:02:47,980 --> 00:02:53,730
so just type in bwapp to open the inbox for this user.

34
00:02:54,370 --> 00:02:57,450
And the first one is the latest message that's come up.

35
00:02:57,460 --> 00:02:58,180
So click it.

36
00:02:59,390 --> 00:03:00,980
And what do you know, here's the secret.

37
00:03:01,810 --> 00:03:03,430
And it's still in clear text.

38
00:03:04,430 --> 00:03:13,340
So why don't we try other email addresses, bwapp user one and bwapp user two? Go to Mailinator again.

39
00:03:14,260 --> 00:03:16,810
Open the inbox for bwapp user one.

40
00:03:17,960 --> 00:03:18,800
Here's a secret.

41
00:03:20,080 --> 00:03:24,250
And open the inbox for bwapp user two, you've got mail.

42
00:03:25,370 --> 00:03:35,150
So this is really good, to send each secret to the real person, but the sensitive information is in

43
00:03:35,150 --> 00:03:36,020
clear text.

44
00:03:37,070 --> 00:03:39,440
OK, so let's go back and open bWAPP.

45
00:03:40,550 --> 00:03:41,780
Change the level to high.

46
00:03:43,500 --> 00:03:48,780
So now I'm going to enter my e-mail address, and this time it will send a reset code.

47
00:03:49,950 --> 00:03:51,060
Open Mailinator.

48
00:03:52,090 --> 00:03:53,380
Go to inbox.

49
00:03:54,640 --> 00:03:55,990
Here is the latest mail.

50
00:03:57,850 --> 00:04:02,260
So as you can see, this time there is a link attached with a reset code.

51
00:04:03,590 --> 00:04:06,830
But now go to phpMyAdmin, refresh the page.

52
00:04:08,650 --> 00:04:13,690
The reset code is stored in the users table in the corresponding user column.

53
00:04:14,970 --> 00:04:17,370
OK, so now click the link in the mail.

54
00:04:18,480 --> 00:04:21,330
And it will send us to a change form.

55
00:04:22,610 --> 00:04:24,560
And then we can change the secret.

56
00:04:26,150 --> 00:04:30,530
So for this kind of option, of course, yes, the mechanism works well.

57
00:04:31,490 --> 00:04:35,930
But for instance, there's no time limit for the reset code, right?

58
00:04:36,810 --> 00:04:40,590
Also, the reset form is not protected against brute force attacks.

59
00:04:41,590 --> 00:04:43,150
There's no CAPTCHA protection.

60
00:04:44,010 --> 00:04:51,570
OK, so open up your terminal now, display the page ba_forgotten.php.

61
00:04:53,080 --> 00:04:55,060
And it takes an email from the user.

62
00:04:56,690 --> 00:05:01,300
Then after validation, it queries the users table with this email.

63
00:05:02,680 --> 00:05:05,680
And if the security level is low, it just prints the secret.

64
00:05:07,390 --> 00:05:11,500
If the level is medium, it sends the secret in clear text to the user.

65
00:05:14,300 --> 00:05:18,140
And then on this line, when the level is high, it creates a random string.

66
00:05:19,960 --> 00:05:22,420
And that is the reset code for the end user.

67
00:05:23,470 --> 00:05:26,590
It creates a link containing the reset code.

68
00:05:28,280 --> 00:05:29,600
Then it sends it to the user.

69
00:05:32,000 --> 00:05:39,110
All right, so in this lesson, we analyzed some really bad implementations of password forgotten functions.

70
00:05:40,120 --> 00:05:45,370
Now, of course, in the real world, you will face some others, you will face those go to.

71
00:05:46,300 --> 00:05:49,960
But I think you get the point, right, and you know where and how to look.

