1
00:00:01,599 --> 00:00:06,080
okay welcome back
2
00:00:03,279 --> 00:00:07,039
uh let me discuss the first bug from a
3
00:00:06,080 --> 00:00:10,480
list
4
00:00:07,040 --> 00:00:13,839
automatic leakage of password reset link
5
00:00:10,480 --> 00:00:15,120
so i'm going to focus on forgot password
6
00:00:13,839 --> 00:00:17,440
functionality
7
00:00:15,119 --> 00:00:18,719
and what is related to forgot password
8
00:00:17,440 --> 00:00:21,600
functionality
9
00:00:18,719 --> 00:00:22,399
is actually uh password reset links
10
00:00:21,600 --> 00:00:25,599
right
11
00:00:22,399 --> 00:00:27,679
when you have forgotten your password
12
00:00:25,599 --> 00:00:29,679
then you can just use forgot password
13
00:00:27,679 --> 00:00:31,278
functionality and then the so-called
14
00:00:29,678 --> 00:00:34,399
password reset link
15
00:00:31,278 --> 00:00:34,960
is sent to your email so this is how it
16
00:00:34,399 --> 00:00:37,759
works
17
00:00:34,960 --> 00:00:39,039
this is very common functionality in the
18
00:00:37,759 --> 00:00:42,320
web applications
19
00:00:39,039 --> 00:00:44,719
and this is how a password reset link
20
00:00:42,320 --> 00:00:45,359
looks like of course the exemplary one
21
00:00:44,719 --> 00:00:48,719
we've got
22
00:00:45,359 --> 00:00:51,359
example.com reset.php
23
00:00:48,719 --> 00:00:53,359
question mark token equal sign and the
24
00:00:51,359 --> 00:00:54,640
value of this token right this is the
25
00:00:53,359 --> 00:00:56,960
password reset
26
00:00:54,640 --> 00:00:58,799
token it should be long and
27
00:00:56,960 --> 00:01:01,039
unpredictable
28
00:00:58,799 --> 00:01:03,358
so and this is how it works and i
29
00:01:01,039 --> 00:01:05,198
believe that you know how it works from
30
00:01:03,359 --> 00:01:06,560
your own experience
31
00:01:05,198 --> 00:01:09,599
and now i'm going to show you very
32
00:01:06,560 --> 00:01:11,439
interesting attack scenario
33
00:01:09,599 --> 00:01:14,000
let's assume that you have forgotten the
34
00:01:11,438 --> 00:01:14,879
password you requested password reset
35
00:01:14,000 --> 00:01:18,079
link
36
00:01:14,879 --> 00:01:18,478
and then you just decided to click this
37
00:01:18,079 --> 00:01:20,560
link
38
00:01:18,478 --> 00:01:24,000
or in other words the password reset
39
00:01:20,560 --> 00:01:26,719
link is visited by you right
40
00:01:24,000 --> 00:01:27,200
so you click the password reset link and
41
00:01:26,719 --> 00:01:29,438
then
42
00:01:27,200 --> 00:01:31,359
what's going to happen is the web page
43
00:01:29,438 --> 00:01:34,158
is actually loaded
44
00:01:31,359 --> 00:01:34,879
and you are asked to enter a new
45
00:01:34,159 --> 00:01:37,680
password
46
00:01:34,879 --> 00:01:40,158
this is how it works well the web page
47
00:01:37,680 --> 00:01:43,040
is loaded but what you've got in the url
48
00:01:40,159 --> 00:01:44,000
bar is the password reset link keep it
49
00:01:43,040 --> 00:01:46,000
in mind
50
00:01:44,000 --> 00:01:47,920
and now let me discuss an and
51
00:01:46,000 --> 00:01:51,118
interesting scenario of
52
00:01:47,920 --> 00:01:54,320
what can happen what bad can happen
53
00:01:51,118 --> 00:01:56,399
with your password reset link so here
54
00:01:54,319 --> 00:01:59,438
is the story
55
00:01:56,399 --> 00:02:02,079
when there is a resource from an
56
00:01:59,438 --> 00:02:03,519
external domain that is loaded on the
57
00:02:02,078 --> 00:02:06,718
web page
58
00:02:03,519 --> 00:02:07,599
and again keep in mind that the password
59
00:02:06,718 --> 00:02:10,799
reset link
60
00:02:07,599 --> 00:02:14,000
is in the url bar then
61
00:02:10,800 --> 00:02:17,360
the password reset link is sent in referrer
62
00:02:14,000 --> 00:02:19,759
header to the external domain
63
00:02:17,360 --> 00:02:21,360
let me repeat this when the resource
64
00:02:19,759 --> 00:02:24,318
from an external domain
65
00:02:21,360 --> 00:02:26,800
is loaded on the web page the password
66
00:02:24,318 --> 00:02:29,759
reset link is sent in referrer header
67
00:02:26,800 --> 00:02:30,239
to the external domain this is exactly
68
00:02:29,759 --> 00:02:33,679
how
69
00:02:30,239 --> 00:02:34,640
referrer header works so we've got our
70
00:02:33,680 --> 00:02:36,400
web page
71
00:02:34,639 --> 00:02:37,839
in the url bar we've got a password
72
00:02:36,400 --> 00:02:40,959
reset link
73
00:02:37,840 --> 00:02:43,360
if this web page needs to fetch a data
74
00:02:40,959 --> 00:02:46,400
from an external domain like for example
75
00:02:43,360 --> 00:02:47,360
an image then the browser sends out the
76
00:02:46,400 --> 00:02:49,840
request
77
00:02:47,360 --> 00:02:50,480
and in this request there is a referrer
78
00:02:49,840 --> 00:02:53,039
header
79
00:02:50,479 --> 00:02:54,159
and the browser takes the url from the
80
00:02:53,039 --> 00:02:56,400
url bar
81
00:02:54,159 --> 00:02:57,680
puts this data so our password reset
82
00:02:56,400 --> 00:03:00,000
link in the
83
00:02:57,680 --> 00:03:02,080
into the referrer header and then the
84
00:03:00,000 --> 00:03:04,479
request goes out to the external domain
85
00:03:02,080 --> 00:03:05,360
external domain can take a look at this
86
00:03:04,479 --> 00:03:08,000
request
87
00:03:05,360 --> 00:03:08,879
and the external domain can ask a
88
00:03:08,000 --> 00:03:10,639
question hmm
89
00:03:08,878 --> 00:03:12,000
who wants to fetch the data from my
90
00:03:10,639 --> 00:03:14,318
domain so
91
00:03:12,000 --> 00:03:15,280
the external domain takes a look at the
92
00:03:14,318 --> 00:03:17,199
referrer header
93
00:03:15,280 --> 00:03:19,280
and here is the answer here's the answer
94
00:03:17,199 --> 00:03:20,639
who is asking about this data who wants
95
00:03:19,280 --> 00:03:21,519
to fetch the data from the external
96
00:03:20,639 --> 00:03:24,399
domain right
97
00:03:21,519 --> 00:03:27,200
so this is how referrer header works and
98
00:03:24,400 --> 00:03:30,319
the the interesting part here is that
99
00:03:27,199 --> 00:03:32,639
we definitely don't want our
100
00:03:30,318 --> 00:03:33,679
password reset link with the password
101
00:03:32,639 --> 00:03:36,958
reset token
102
00:03:33,680 --> 00:03:39,599
to be disclosed automatically
103
00:03:36,959 --> 00:03:40,239
via referrer leakage to an external
104
00:03:39,598 --> 00:03:42,798
domain
105
00:03:40,239 --> 00:03:43,920
or to external domains right we don't
106
00:03:42,799 --> 00:03:46,400
want it to happen
107
00:03:43,919 --> 00:03:47,839
because when it happens then we are
108
00:03:46,400 --> 00:03:50,480
actually talking about
109
00:03:47,840 --> 00:03:52,120
disclosure of sensitive data very
110
00:03:50,479 --> 00:03:55,280
sensitive piece of data gets
111
00:03:52,120 --> 00:03:58,480
automatically disclosed to
112
00:03:55,280 --> 00:04:00,080
external domains and yeah it happens
113
00:03:58,479 --> 00:04:03,119
automatically because this is how
114
00:04:00,080 --> 00:04:06,159
browsers work right they just
115
00:04:03,120 --> 00:04:06,959
you know fetch the data from from other
116
00:04:06,158 --> 00:04:10,079
domains
117
00:04:06,959 --> 00:04:13,598
and this kind of problem uh can
118
00:04:10,080 --> 00:04:16,720
happen so now i believe that uh
119
00:04:13,598 --> 00:04:17,599
you understand how this attack works
120
00:04:16,720 --> 00:04:20,160
you've got a
121
00:04:17,600 --> 00:04:20,639
kind of you know understanding and you
122
00:04:20,160 --> 00:04:23,120
see
123
00:04:20,639 --> 00:04:24,240
the risk you see the impact the impact
124
00:04:23,120 --> 00:04:27,040
is really high
125
00:04:24,240 --> 00:04:28,000
because well it leads actually uh to
126
00:04:27,040 --> 00:04:30,560
account takeover
127
00:04:28,000 --> 00:04:31,680
right if the password reset link gets
128
00:04:30,560 --> 00:04:34,639
disclosed
129
00:04:31,680 --> 00:04:36,560
uh to external domain then everyone from
130
00:04:34,639 --> 00:04:39,199
this external domain can
131
00:04:36,560 --> 00:04:40,319
you know take this password reset link
132
00:04:39,199 --> 00:04:43,439
and they can
133
00:04:40,319 --> 00:04:45,599
change your password and and that's it
134
00:04:43,439 --> 00:04:48,478
right so this is an account takeover
135
00:04:45,600 --> 00:04:50,240
so now let's uh jump to the demo because
136
00:04:48,478 --> 00:04:53,439
i want to show you
137
00:04:50,240 --> 00:04:55,120
how you can find if this kind of problem
138
00:04:53,439 --> 00:04:58,240
exists in a web application
139
00:04:55,120 --> 00:05:00,079
or not so you are not only going to see
140
00:04:58,240 --> 00:05:03,280
this attack in action but
141
00:05:00,079 --> 00:05:05,038
you also learn how to check if the web
142
00:05:03,279 --> 00:05:08,638
application is vulnerable
143
00:05:05,038 --> 00:05:14,000
to this kind of problem and and yeah
144
00:05:08,639 --> 00:05:14,000
let's let's jump straight to the demo
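The leakage path described in the video, as an added example that is not part of the transcript or of any application shown in it: `referer_for` models what a browser puts in the Referer header when the page in the URL bar (the reset link with its token) loads a resource from another domain, under each Referrer-Policy value, and `reset_page_is_protected` is a defender's check on a reset page's response headers. The reset URL, the token value, the third-party image URL and the function names are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Constructed sample values (not from the video)
RESET_URL = "https://example.com/reset.php?token=0123456789abcdef0123456789abcdef"
EXTERNAL_IMAGE = "https://cdn.third-party.example/logo.png"

ALL_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Policies under which a cross-origin fetch never carries the page's query string
SAFE_POLICIES = ALL_POLICIES - {"no-referrer-when-downgrade", "unsafe-url"}


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def referrer_form(url: str) -> str:
    """Full-URL form of a referrer: userinfo and fragment are always dropped."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def referer_for(page_url: str, target_url: str, policy: str):
    """Referer value (None = header omitted) a browser sends when a document at
    page_url fetches target_url under the given Referrer-Policy. The empty
    policy is treated as current browsers' default, strict-origin-when-cross-origin."""
    if policy == "":
        policy = "strict-origin-when-cross-origin"
    if policy not in ALL_POLICIES:
        raise ValueError(f"unknown referrer policy: {policy!r}")
    same_origin = origin_of(page_url) == origin_of(target_url)
    # A TLS-protected page fetching a plain-http resource is a "downgrade"
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(target_url).scheme == "http")
    full = referrer_form(page_url)
    origin = origin_of(page_url) + "/"   # origin-only referrers end with "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    # strict-origin-when-cross-origin
    if same_origin:
        return full
    return None if downgrade else origin


def token_leaks(page_url: str, target_url: str, policy: str) -> bool:
    """True if the reset token from page_url's query ends up in the Referer."""
    token = dict(parse_qsl(urlsplit(page_url).query)).get("token")
    ref = referer_for(page_url, target_url, policy)
    return bool(token) and ref is not None and token in ref


def reset_page_is_protected(headers: dict) -> bool:
    """Defender's check on a reset page's response headers: True only when an
    explicit Referrer-Policy keeps the query string out of cross-origin requests.
    An absent header counts as unprotected rather than trusting the browser
    default (older browsers default to no-referrer-when-downgrade)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    effective = ""
    # Comma-separated list; the last token the browser recognises wins
    for tok in lowered.get("referrer-policy", "").split(","):
        tok = tok.strip().lower()
        if tok in ALL_POLICIES:
            effective = tok
    return effective in SAFE_POLICIES


if __name__ == "__main__":
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{pol:34} Referer={referer_for(RESET_URL, EXTERNAL_IMAGE, pol)!r} "
              f"leaks token={token_leaks(RESET_URL, EXTERNAL_IMAGE, pol)}")
```

Under `no-referrer-when-downgrade` (the historical browser default) the whole reset link, token included, goes to the third-party host; under `strict-origin-when-cross-origin` only `https://example.com/` is sent, and under `no-referrer` or `same-origin` nothing is. The header check inspects only the `Referrer-Policy` response header, not a `<meta name="referrer">` tag or per-element `referrerpolicy` attributes, so a page relying on those would be reported as unprotected. A safe policy is one layer; making the token single-use and short-lived limits what a leaked link is worth.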