I had the goal that every problem would have at least one solve and that no team would have all of them solved. Solve one problem. Yeah, there were two problems with just one solve. It's hard to tell on this. There's two problems with one solve. Yeah. That's cool. Yeah. I'll probably mute my recording for a second. So I get to the end of that one and they're like, "Oh man, I put so many hours into this. You know, I can't wait to see Prof's solve. Please explain this. I spent five hours on it. I couldn't figure out how to efficiently backtrack." Yeah, so we were trying it just before we got there. Mike, there we go. Yeah. We were trying it before launching it. And it was an interesting one because I had forgotten that I wrote it. Jacob took the time to take all of the problems that anybody had written in our Discord and collect them into one big spreadsheet, because he had like 55 problems. Yeah, I was good. But it left me with the feeling that he wrote it. And so I spent all week being like, "Jacob, are you gonna get on Hogwarts Stairs? I don't know if we can set it or not." Right. So I'm thinking, like, I don't know what this problem is, whatever, but somebody's got it. Yeah, I wrote it ages ago. And it's beautiful. I don't think I should take the time to explain. So one of the things that's cool about CTF is, the way I was describing it, it's like painting the Mona Lisa and then hiding it under this table. If anybody happens to be on the floor crawling over there, they're going to see the best painting I've ever done. And there's so much beauty in it, but you have to fight to see the beauty. And it's the exact opposite of the way I see most academics, which is like, "I'm going to do nothing, and I'm going to make billboards about it," right? Instead, I'm going to do the most beautiful thing in the world, and only ten people will ever know.
I'll be... yeah, love the reader. Yeah. So I think it's really beautiful, and a lot of them are really beautiful. Well, actually, that problem did get solved. So the way it got solved is, I can show you without showing you too much. School CTF UD 24? He said he wrote it ages ago, but did you write it earlier this year or was it literally ages ago? Two months ago. Two months ago. But that's so much time. Yeah. That was the part I muted. I'm no longer muted. Yeah. It's like, I think this will be really cool, and CTFers are really clever, so they'll figure it out. Here's how it worked. It was a very weird little esolang where every pass through the code, it substitutes one part of the string with something else, and then what it substitutes tells it where in the code to jump. So that's the way the esolang works. The lines of code look like this: if I get to this line of code and I have an F, I'm going to replace it with a four and then jump to the label for four. So it's like "replace and goto." That's the entire language, in some way. Which means that in my sort of debugging, I put in the flag and I ran it 1,337 times, and then basically just told them the output. Okay, cool, here's my output. If you can ever find what input would get me to that output after 1,337 loops of this thing, then it'll say correct and you've gotten the flag. So there was a player from Michigan, and I'm calling them a she, but I don't actually know their gender, but whatever. She wrote kind of a reverser that, after each iteration from the back, was saying how many viable solutions there are. And it starts to collapse at some point, but it's growing. It's not quite exponential, something like that. And so this has to basically run until this iteration counter gets to like 600, and it was just stalling out at around two. And then it was just hours of that script running. I'm like, okay, all right.
So at the last hour of the CTF, I released this as a hint, to be like, "Hey, 32 iterations deep, here was the state." Basically just slicing the difficulty of the problem by 20. But if you were in India or something like that, you were long since asleep. So this is probably the thing that I would consider the biggest fail. She's like, okay. Maybe I don't release it. I think it's a beautiful problem. And I think the people who played it enjoyed it despite that. And in my mind, it's like, yeah, okay, I think this is conceivably doable. They'll figure it out. But I had to release this hint way up here in order to get a flag across the finish line. Now, the team at Maryland had a script that was faster than the kid from Michigan, and theirs did this really quickly. And I think they had made it to maybe iteration 90 or something like that, still. I put it at 1,337. My initial version was 133,700. You know, because I thought this is going to be way too easy, 'cause it's very patterned the way it works. I was wrong. I know why I was wrong. So yeah. Anyhow, that's the only negative, I think. But here's the flip side. I'm getting all these DMs from people who are just like, "Hey, it was really beautiful, and I want to learn how to make these beautiful things." This student was like, "Hey, I was in Dubai participating in the CSAW finals, and your problems are so beautiful, and their problems are not good." It's like, yeah, okay. You know, there's a lot of people who are like, "My God, those are such beautiful problems." Yeah. Yeah, schools, like, a whole thing. And I almost think that it'd be worth doing in this class. Like, you could totally talk me into an XOR day. Plus, I honestly might run a CTF entirely on XOR problems: write 40 XOR problems that are all a little bit different.
Just X, like the X CTF, and just run that once a year. Anyway, anyway. Okay. Thank you for indulging that conversation between four of us, for everyone else. But hell, this is a focus of my entire year. My life has three things in it: CTF, mentoring young founders, and my family. That's it. Business, CTF, family. That's it. This is one of the pillars of the year. This is one CTF that runs once a year. So I didn't sleep at all. And I was really excited to finally get a good night's sleep last night. And there's no school today. And so my wife's best friend sent their two rambunctious kids to spend the night at my place. And when our daughters are hanging out, they just go nuts. And so they're up late, and they were up at like five, you know. It's like, all right, cool. So I still have no sleep. We'll catch up one day. Maybe. Okay, all right, let's go. Back in web land. And by the way, we now have strangers kind of popping in. There are people from the CTF from random countries, just here to soak up some of this crap. We've got nine lectures left. I just started spewing out concepts that I think would be worth talking about. I think my shirt... all right, sorry. You know, my wife's probably the hardest-working person on the planet right now, besides Catina. But sometimes the stuff gets left in the wash for, I don't know, a day or something. I got busted, you know. It's like, all right, it's clean, but it sat too long wet. Anyway, sorry. But that's the sign. Wear it as a badge, like, you know, reproductive family. Okay. So I think I'm gonna do this guy. And the reason I'm going to do this is twofold. So just to remind you, we are in the thick of, you know, the rest of the class is kind of you getting into CTF. And this guy and this guy. I should update that to say 2023 or 2024 and stuff.
But let's take a look at how I think this is a good segue into the rest of what you need: video panel, et cetera. One, you can get up to five extra points, or actually up to ten extra points, by solving a problem using Burp Suite. So I'll show you that, so it's extra free points. Two, I think the PortSwigger ones are on here. So these labs that I'm about to show you how to do are just free points. But generally, in terms of the strategy on how to tackle this kind of project, which I say "this kind of project" because there's another project like it, how to tackle this particular project: these ones on this side, you will have write-ups on the Internet that exist that you can use to just learn the mechanics of how to do that thing. To the right of this line, you will not have write-ups that exist on the Internet. And so to some extent, you're taking the skills from the left-hand side and applying them on the right-hand side. Now, given that you're going for 50 points, you could sit and do 25 problems that you're recording a video of, something like that. And you can do that kind of mechanically. And I think that you would probably hate it. It's okay, but that'll be what happens if you put this off to the last seconds, the day before grades are due, or it's like, "Hey, get this crap in." And it's like, "Oh, I never paid any attention to that." I'm just going through tutorial after tutorial after tutorial, and you'll sit there and waste so many hours, and it'll feel like boring data entry. All right. As much as I tried to make it cool, it will feel lame. But I think if you go straight to the good stuff, like, "All right, I'm just going to do problems that have no solutions," something like that, you probably won't feel fully prepared for that either.
So now, I think writing a problem is sort of a cheat code on this. Like, you write a problem. It would've been nice for you to write it before the CTF. You write a problem for next year. Yeah, you won't care for next year, you know, you write me a problem. And it's okay. But most of the student problems made in this class are not going to be that good. We got shot at by some cyberbully. It was like, you know, "Prof Ninja put CTFs into his classes in order to get their team... to give grades for getting solves in CTFs." And it's like, dude, if you looked at any of the crap, it'd be nice. I'm not worried about what the classes make. Those problems suck. That's okay. Your problems will suck, and that's just part of it. Maybe you make a really good one, probably not. That's fine. You've got to accumulate 1,000 failures. This is all about grit building and facing the unknown and all that stuff. Okay, so probably the right strategy is to take some number of things that have write-ups, maybe just pick a concept and do one that has one, and then find one over here that doesn't, or maybe even log into a live CTF somewhere. See what the concepts are in that problem, then go do a lab that has that concept in it, and then go do the problem. And then you're getting a small free point plus a big giant point for applying the stuff that you learned in the tutorial directly to a real thing. I think if you sat and did all of these, you'd be more prepared for a larger number of these, but probably just-in-time learning is more correct. But these things tend to run for 24 to 48 hours, which means you have to look at ctf.org. Look at what's coming up. So there's one that starts Wednesday at 8:00 A.M. and runs until Friday at two. There's another one that's Wednesday at 5:00 and runs till Thursday at 5:00. That's like a 24-hour thing. Wait. Formerly Square. Oh, no.
Square is always one of my favorite ones. Oh. Okay. Let's do it. Yeah, we're in. So Wednesday five till Thursday at five. We'll do the Square CTF. It's always been one of my favorites. And I guess it's sad. It used to run for like seven days and they'd release one problem every 12 hours. So the whole team did one problem. And then the next one and the next one and the next one. So it was this kind of collective tribal thing. So I think it did a lot to bond our culture. Anyway, so you jump into this 24-hour CTF, which means that you've got to log in at five, look for a problem, go identify what type of problem it is, then go do some labs to learn that kind of thing, and then come back before it closes Thursday at five. So, you know, a little bit of a rush job, but I think that's probably the right strategy. So let's do today's gift to you. Not this one. That would be a fine lecture too. Yeah, whatever. Oh, I see. Probably was that one. So Burp Suite and the PortSwigger labs. All right. Now, I'll say this. I don't use a lot of Burp Suite myself. And so I kind of look at it every once in a while. Oh. Dude, me? Well, that makes me sad. Is that today's flag? Is today's flag just dead? No. All right. Fine. That's okay. I'll just skip that then. But that's my point. I was going to say, I like to do this one as unprepared as possible, which is not the normal public speaking technique. The normal public speaking technique is, I know all the gotchas, and I'm going to guide you through this like Yoda to Luke Skywalker. That's the normal way for public speaking. Here, I prefer to do this one where it's like, okay, I'm not going to be overly expert on this, to make the approachability correct. What I'm actually after is the metacognition of how you pick up this crap on your own.
Because again, the whole class is designed this way where you don't need to have studied everything. You just need to get active. So here we go. This tool is a powerful little thing. We want the Burp Suite Community Edition. I am no longer Intel. I'm Apple silicon. Download. Where do I want you to live? Download... okay. Yeah. These things are cool. All right, we start Burp. So here's the concept of this thing. What we get is, I will say, a set of tools for fuzzing web traffic, inspecting everything, altering it, things like that. So this little "Open browser," if I click Open browser there, it's going to spin up a browser that runs all network requests through the Burp Suite program, and we can pause them, edit them, set them up to send a million different copies of it with different payloads, inspect and analyze each of the network requests. We've been doing that the whole time anyway by opening up the network tab and just looking at stuff. But here, everything is going to run through this thing and I can fuzz all of the endpoints as well. So it's a very cool tool for that kind of thing. A lot of the pen testing work is API scanning, where it's like, "Okay, we've made this API. Can you figure out how to break it?" and things like that. So all this stuff is fun for that kind of thing, the network side of web stuff. I'm not normally the network guy. I learned networking by building the Internet in Minecraft, you know, not the normal way of working on a SOC desk as an incident responder or something like that. I built it from scratch in my own weird way. So I have a good concept of networking, but not the way that people who are looking at Splunk terminals all day do. To build the Internet in Minecraft? Probably two years, I think. I was a little nutty.
But, because if you're going to build the Internet, first you have to understand, like, you need a computer. So I had to first build a personal computer in Minecraft. And then you need some concept of sockets and ports and stuff. And then routing, and you've got to build whatever sorts of things, blah blah. But that process was really, really educational. I wouldn't recommend learning it that way. Yeah. What? Yeah, that was a cool part, is that it's vanilla for anyone. So what I did is I put the whole computer in a copy-paste so that you could just give yourself a command block, put it in there, and you'd have the computer. And the idea is that you could take any build you've got, kind of upload it, and somebody else can browse the Internet and just download your build into their world. So instead of going to this map, it's more like whatever server you've got, play tic-tac-toe with your buddies, by just, here's the thing. So I can show you some of that stuff. We did it when the Hermits were doing TCG on Hermitcraft. So we built a whole working TCG stadium because people couldn't play it yet in their own servers and stuff. But I didn't tell anybody about it. Just like my Mona Lisa under the table. It's really beautiful, really deep. Nobody knows. Yeah, I'd happily show you my weird Minecraft Internet one day. Yeah. It's very small, right? So, okay, fine. If you go to MC86 Computing Minecraft, I think, something like that: "Here's my simple and practical vanilla Minecraft computer. Brand new type of computer. Is practical." The computer itself is about that big. It's sort of the chip in your computer. Yeah, command blocks are cheeky, or whatever. But I hate the big giant redstone that's got 8 million chunks. Interact with the Internet? I think that we could totally, absolutely.
But the thing about... because with this or something. Sorry, I'm sorry, everybody. I'm having all these little personal conversations as part of your college lecture. You okay with this? All right. My concept of a personal computer, like, what makes a computer a computer, you know, Turing made it out of wires and crap like that in order to crack the Enigma? So the idea is that I need to just do brute forcing, right? So I need to do lots and lots of operations per second. What we get accustomed to, what your CPU is, is just a machine that does a whole lot of stuff per second. So when people build computers in Minecraft, they're sort of doing a weird exercise in futility. They're not doing the essence of computing. They're making a purposefully stupid thing in order to prove mastery of this world. They're like computer engineering students or electrical engineering students who are understanding XOR gates or something. But that's not what the computer is. The computer is trillions of operations per second. So what this thing does is you can put a book in here, any book you want, into that little chest, and then just hit the button. And it will execute every page of the book as a command, you know, 1,000 commands per second or whatever, right? Just go. And so the architecture of my computer is Minecraft commands, because that's the most natural architecture for a Minecraft world, rather than the architecture being gates and flip-flops. No, we're in a world where I can issue commands 20 times a second or whatever. And so to me, it's more like abstractly what a computer is, and I'm an abstract person. So what that means is that in this kind of environment, yeah, here I'm coding something for my computer. This is sort of the assembly of the computer: Minecraft commands, right?
And so if you just plop that thing in there, and then click the thing, it'll say "hi one, hi two." Boom, whatever. Because that's how computers work. And so to code in it is whatever sets of commands you want to put into a book. So we invented kind of a file format where you can just copy and paste a thing into a command block, hit the thing, and it'll throw a book at you that has a program in it. And then we made an operating system so you could flip through a lectern to pick programs to run, and then routers, and then other stuff that would help you identify which box is doing the command so that when you issue the command, it runs on that box. And so each server is kind of like a local area network. So, different. Yeah. So here's a command that will give me a book full of things. This is what a program, an executable in MC86, would look like. Yeah, you just copy and paste it in. So I don't need to go to some map. Here's the file, right in your own world. It's a little bit like the first microprocessors, but now that thing is printing an image, things like that. To some extent, in order to have the Internet, you've got to have programs, and for programs, you've got to have sockets and stuff. And so implementing lists in this means that you've got to do string manipulation and all these things. But you get to do all of computer science again on a different architecture. And that process, I think, is for me really fascinating, because I'm an abstract algebra guy, right? It's like, hey, once it's a cyclic group, then just move it over to elliptic curves. Who cares? Right? I get cyclic groups. And so here it's sort of like, once you get the heart of what computing is, it doesn't matter that it happens to be an Intel chip or an ARM chip or whatever. It's trillions of dumb things per second.
How you make that do what you need it to do. Anyhow. So that, I think I've got one. So after a few years, I tried showing the Hermits this. They ignored it. This guy, this channel. The first page of the book, and throw it into this command block. They might have kicked me out of that channel. So I haven't been active in a long time. There was kind of, not a coup per se, but yeah, whatever. The guy who originally designed it kind of dropped off, and he and I were friends and partners. Anyway, okay, fine. Architecture: there's a lot of Minecraft lore. Yeah. It's not little registers and stuff. It is Minecraft commands, which have lots and lots of power, limitations, and things like that. The inventor site. In essence. Burp, see? JD's. Sorry. I missed your question in the right way. He had a video, I can't find it. Fine. He had a video of the thing working to generate a whole TCG server. I don't think we uploaded it to the Internet yet. Anyway, all right, fine. Whole beautiful things. But you have to build a computer before you can build the Internet. It's like if you want to build an apple pie from scratch, first you have to invent the universe, right? Where does scratch start? Okay. Sorry. That's not at all the topic. I'm sorry. I'm wasting your dollars again. Okay. Let's go to the PortSwigger Academy. Pop. And sign up. I'll log in. Academy. View all topics. There you go. Okay. So these kind of look a little bit like the index page to my notes. It's like, okay, cool, here's a bunch of common things. And these make it seem like less material than it really is. Like, if you want to fart around with SQL injection, there are 18 different labs on it, right? And so what that means is basically 18 little servers. Here's their guide on how SQL injection works and some videos and stuff.
And then each one of these things is a lab that you can go solve to level up at SQL injection from beginning to end. So a lot of times, if you have a group of people who want to learn web security, you can just log all these things, that's fine. And part of the reason why I'm doing this today is that you don't need to be bottlenecked by me to get through all of this stuff, right? So you can say, okay, cool, I've got my list of topics, but you can pick them in whatever order you want. So, here's these things, and a lot of these will overlap, but you can just jump in and do stuff. Okay. So my plan here, wrong one. My plan here is to, I want to say, do the SSRF lab together, and just talk out what that feels like. I really didn't expect that to be busted. I don't quite know why it's busted. I could maybe debug that real quick, but we've got more to do, I think. Let me take a look at my dashboard real quick and just see, did they kill my project? The name of the project was like "screeching." There it is. Okay. Status fine. Oh, wait. It's happy now. The URL is not. Why? Connection was reset. Your app is listening on 3005. Vulnerabilities, that's on purpose. I guess, maybe not. We'll see. I wonder if it's just 3000 instead of 8080. Oh, wait. Oh, no, it's got process.env.PORT. I don't see anything in the logs that would say why it's failing. But this thing over here is definitely not responding. So listening on this thing, it'd be a change to that that broke it, as close as I can tell. Red. Yeah, I mean, I just used Glitch code on it really. I guess the index.hbs page should do this thing. Yeah. All right, fine. That will take me too long to figure out. Let's do the SSRF together. Okay. SSRF will be, mm, third one on the left. Got it. Thank you. Okay. Here's the concept. And this shows up a good bit in problems. JD wrote one of these.
It's a DNS problem, things like that, where, you know, here's your website. Your website is being served and run on this computer out there on the Internet, static code and things like that. On the other hand, it is talking to your databases, it's talking to your internal processes, it's talking to Node or whatever, and all that kind of stuff. These things are on servers run by the company, behind the firewall. Okay. So SSRF is server-side request forgery, and the job is to trick the website into getting these servers to make a request on your behalf and show you the results of the request. Why would that matter? Well, if you made the request to that resource, you wouldn't have access because of the firewall. The servers, on the other hand, are on the other side of the firewall. So this is sort of like an exfil thing, where I'm behind the firewall, I'm going to make a request to internal records and exfiltrate them through the website. That's the job of SSRF. So you're kind of anticipating it whenever you see a 127.0.0.1 or a localhost or something like that. What it's really saying is that the other side is expecting the request to be from an internal server. But something in the web app is misconfigured, or something in there allows you to get it to make an arbitrary request on your behalf and tell you the answers. Okay. So let's go to this first lab. Access the lab. Blue ink mystery is going to haunt me. Here we are. Now, let's see what the actual thing is. "The lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at localhost/admin, and then delete the user carlos." All right? So let's fart around with this thing, but let's fart around with it from inside of Burp Suite. So I opened a browser. I've got this thing over here. Now, I want to say, go to Proxy and turn on Intercept.
Whenever you do turn on Intercept, you're going to realize just how many network requests every page you've ever loaded has. So I might turn it off until it's time. So I put this thing in here. Yeah, that's fair. That's fair. So they're telling me that there's a check stock feature. Fantastic. So I could check the stock in Paris. Great. We do have a productId equals one up here, you know. I'm now going to turn on the Intercept and send that request. And you'll see, boom, over here is the POST request to the server. Oh, yeah. Clearly, this is me sending a POST request to them from the client side. Okay. I have a session ID. Maybe there's some session hijacking. We talked about that in the past, fine, but there's one parameter. What is the one parameter I'm setting? It's the API endpoint. Okay. So this is as easy as SSRF gets, which is to say, I'm sending it a payload. The payload is a URL. They will run the results of that URL. So now let's forward this on and see the results. I go to the HTTP history, there we go. And the response came back with 503. So I sent them this, which is really this thing. They send back 503. Okay, cool. So we do need to tell them to access carlos and do something. The presumption is that they're reading this URL from me, making the request on the other side to figure out, I don't know, what the stock is in London for that product, and sending me back my 503. You guys with me on that little concept? And the vulnerability here is, I'm the client. I can control the URL that they're pointing at, so I can get them to request something on my behalf. SSRF is never this well packaged up. Normally, you've got to do a lot of work to get it to do that thing, but here, tell me the endpoint, I'll hit it for you. It's like, all right, cool, fine. So now, how do we alter that? Well, we have a Repeater and an Intruder. So we can just get started. They're similar. Right click. Send to Intruder.
There we go. All right. So I can right click, Send to Intruder. And now here's this thing over here. Now, what does this do? This will let me load in something like rockyou.txt or a whole lot of other things and say, hey, I want to alter this guy. So this will be a payload position, and I want to replace it. So you see how it just added those little... I don't know how to describe those. They're not quite dollar signs. They're almost like a Game of Thrones runic language or something. What? Yeah, dollars without money? But like double S's. Maybe it's one of those Pokémon, one of the letter Pokémon. Unown. Yeah. So the little Unowns on the left and right. All right. So I can replace that. So this, I can put in whatever I want and try those out. Now, I think I want to do just a tiny bit more scouting, I guess. Oh, let's turn off the Intercept again. Intercept off, fine. Okay. So I've got a username and a password in here. Our job is to delete carlos. So we kind of have to see how admin works, but we won't be able to see admin from here. So I'm wondering, well, let's just try it. If we go home, we go to this thing, go down here, fine. And I want to hit this Intruder thing. I want to hit that endpoint with the stock API. And I think what I want to do is... can I just... Repeater is better. Okay. Can I send it to Repeater from here? Repeater. Okay. Send to Repeater. Got it. Okay. Now I can send. Yeah. Okay, this is good. So let's first start by replacing product with admin. And I think that %3F is the question mark. Okay. And probably none of this stuff is going to matter to me, but it'll probably be something like user ID. And we'll figure it out from there. This will probably be carlos somehow. I don't know how. Let's send it. Missing parameter. Good. I think I did just put the admin in there. Let's see. localhost/admin. Yeah. Look at that. Beautiful. Render it.
Could not connect to... you're saying here. I think I did try to go to admin here. Is that what you're saying? URL, send this URL into that thing. Okay. I think the encoding was fine. Yeah, this is the loopback. But I think that needs to be... I thought it had to be localhost/admin, which is what I was sending before. And now that's okay. It's got an internal server error. Oh. Okay, okay. Okay. Yeah. Oh, I do have an HTTPS, and I think it's HTTP localhost. Yeah, look at that. wiener, Delete. So what does that source do on Delete? No, but I might be able to look at what clicking it would do. So, link... there's carlos. username equals carlos, /admin/delete. Okay. Yeah. delete?username=carlos. Send it. Okay. "Congratulations, you solved one." All right. Cool. So sorry, carlos, you're dead to this web app. No. That would be pretty hardcore. This is probably a felony, too. What? Yeah. They have a lot of them. Yeah. Board lawyers are the worst. Okay, cool. So I remember loving this. This is like? No. That was McDonald's. That was McDonald's. The Hamburglar. Yeah. Yeah. Yeah. Fine. Okay. But what I was after in that is three things. One, Burp Suite as a tool. You can intercept things, edit them, things like that. It's like Postman for hackers. So grab the thing, do that, et cetera. Two, the PortSwigger Academy: every one of those labs you can do for the bingo card. And three, the PortSwigger Academy, you can pick up any one of these topics over here. All of them are interesting. For instance, I ended a lecture with, "Hey, deserialization, easy to make an email." You got one sentence out of it. We didn't really have time to go into it. Am I gonna take a whole lecture to do it? Maybe, probably not. Jump on, figure it out. So to some extent, I see this stuff as exposure to all these concepts that you will Google when it's time to need them.
And so this is... there is this, like, you know, hacker Wikipedia with working examples for going through the stuff. Okay. Cool. We could maybe do one more. I was thinking about doing CSRF. So, like... but I've got two minutes. So maybe, let me see, the thing is... I can just talk about what CSRF is for a second. I put a CSRF problem kind of inside of our CTF this weekend. Here's the concept. Imagine that I go to an insecure website here. That insecure website makes requests to web sit dot profit at ninja from this console, but on my behalf. The idea is that if I'm logged in... I wonder how that would go, actually. If I go over here and just say, requires the user to click on URL, correct. Authenticated user, click URL. Um. Well, that is correct. But I think the amount of user engagement you need is not as high as you think. So, like, if I can get you there, cool. Once you're there, you might not have to do as much as you think. Okay. I don't have my jQuery there, so I'd have to do, like... that, whatever. I don't want to do that. So imagine that there's malicious JavaScript on this thing. It's making a request of Bank of America. Will it have my cookies? Yes. It will, like, know my identity from this computer. So the tabs are not, like, super sandboxed from each other. Which means that Bank of America could get requests from 4chan on my behalf. So they should block that. CSRF is cross-site request forgery. So we just did server-side request forgery. That's where I get the server to make a request on my behalf and send me back malicious data. Cross-site request forgery is where I hack Katina. I get cross-site scripting running on her thing, and she makes a request to the server, and I'll exfiltrate the results. So the way that that gets blocked is Bank of America will often put in a CSRF token, which is, like, some random hex crap that it put in from its server, and it'll put it into the source code of the page.
When the requests come, they're going to check to see: did you have the same CSRF token that I put there? So it's sort of like, I only want requests from my tab. So here's my little token, to guarantee that that's the way it goes. Um, so I don't know how this lab will be set up. We can figure it out or not or whatever; you can just go do it yourself. But the concept is, I don't want Tab A to make requests from this computer to Tab B. And Tab B therefore needs to have these defenses in place. There's a lot of ways around that, things like that or whatever. It's probably worth time to go learn that. I think things have changed. So in 2013, 2014, there was a lot of CSRF talk. I've not heard CSRF talk in the last five years, you know. So I think probably CORS is why not? There's a lot less of that kind of stuff going on as the CORS policies have gotten stronger. That's one of the things, that there's very much a whack-a-mole effect to web security, where it's like, in this year, this is what mattered. Oh, we fixed that. Now it's this thing over here, you know, whatever. So that whack-a-mole effect keeps happening, which makes all textbooks in web app security wrong the minute they're published. Another reason CTF is important to this thing is you go, like, what are the vulnerabilities this year? Okay. Anyway, CSRF, maybe it's a little bit old school at this point. But it's because there are a lot of companies that still run legacy. No doubt. Go away. Never. Just like cross-site scripting and SQL injection. They, like, happen. Is that manufacturing company still running code from 2005? Strip process?
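The CSRF token mechanism sketched above (server generates random bytes, embeds them in the page source, and refuses state-changing requests that do not carry them back) in working form. This is an added example, not code from the lecture or from the PortSwigger lab; the in-memory session store, the /transfer form, the user name and the request dictionaries are all constructed stand-ins for a real web framework's session, template and request objects.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data. A real app would use
# its framework's server-side session; the point is that the token lives next to the session.
SESSIONS = {}


def login(username):
    """Create a session and return the id the browser would keep in a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_hex(32)}
    return sid


def render_transfer_form(sid):
    """The server writes the per-session token into the page source, as a hidden field."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="amount"></form>')


def handle_transfer(request, check_token=True):
    """Handle POST /transfer. `request` is a dict with 'cookies' and 'form' (constructed shape)."""
    sid = request.get("cookies", {}).get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    if check_token:
        submitted = request.get("form", {}).get("csrf", "")
        # Constant-time compare so the token cannot be recovered byte by byte via timing.
        if not hmac.compare_digest(submitted, session["csrf"]):
            return 403, "csrf token missing or wrong"
    amount = request.get("form", {}).get("amount", "0")
    return 200, f"transferred {amount} for {session['user']}"


def scenario():
    """Legit submission vs. a forged cross-site POST, with and without the token check."""
    sid = login("katina")
    page = render_transfer_form(sid)
    # The legitimate tab can read the token out of the page it was served.
    token = page.split('name="csrf" value="')[1].split('"')[0]
    legit = {"cookies": {"session": sid}, "form": {"csrf": token, "amount": "100"}}
    # The forged request: the browser attaches the session cookie automatically, but the
    # attacker's page on another origin cannot read the bank's page source, so no token.
    forged = {"cookies": {"session": sid}, "form": {"amount": "100000"}}
    return (handle_transfer(legit)[0],
            handle_transfer(forged)[0],
            handle_transfer(forged, check_token=False)[0])


if __name__ == "__main__":
    print(scenario())  # (200, 403, 200): the token check is what stops the forged request
```

Two caveats a practitioner would add. First, the token only helps while the attacker cannot read the page: in the XSS scenario the lecture mentions, script running on the bank's own origin can read the hidden field and submit it, so CSRF tokens are not an XSS defence. Second, the browser-side change that has made CSRF rarer is the `SameSite` cookie attribute (Chrome and others default session cookies to `SameSite=Lax` for cross-site POSTs); CORS governs whether a cross-origin script may read a response, not whether the browser sends the request with cookies, so it does not by itself block a forged POST.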
Burpsuite, Portswigger Labs, and SSRF
From Andrew Novocin, November 11, 2024
Meeting Time: 2024-11-11 02:15:44pm GMT
Department: ECE