All language subtitles for 1.5 Automatic Leakage of Password Reset Link - Overview (English_ASR)

Okay, welcome back. Let me discuss the first bug from the list: automatic leakage of password reset link.

So I'm going to focus on forgot password functionality, and what is related to forgot password functionality is actually password reset links, right? When you have forgotten your password, then you can just use forgot password functionality, and then the so-called password reset link is sent to your email. So this is how it works. This is very common functionality in web applications, and this is how a password reset link looks like, of course an exemplary one: we've got example.com/reset.php?token= followed by the value of this token, right? This is the password reset token; it should be long and unpredictable. So this is how it works, and I believe that you know how it works from your own experience.

And now I'm going to show you a very interesting attack scenario. Let's assume that you have forgotten the password, you requested a password reset link, and then you just decided to click this link, or in other words the password reset link is visited by you, right? So you click the password reset link, and then what's going to happen is the web page is actually loaded and you are asked to enter a new password. This is how it works. Well, the web page is loaded, but what you've got in the URL bar is the password reset link. Keep it in mind.

And now let me discuss an interesting scenario of what can happen, what bad can happen, with your password reset link. So here is the story. When there is a resource from an external domain that is loaded on the web page, and again keep in mind that the password reset link is in the URL bar, then the password reset link is sent in the Referer header to the external domain. Let me repeat this: when the resource from an external domain is loaded on the web page, the password reset link is sent in the Referer header to the external domain. This is exactly how the Referer header works.

So we've got our web page; in the URL bar we've got a password reset link. If this web page needs to fetch data from an external domain, like for example an image, then the browser sends out the request, and in this request there is a Referer header. The browser takes the URL from the URL bar, puts this data, so our password reset link, into the Referer header, and then the request goes out to the external domain. The external domain can take a look at this request, and the external domain can ask a question: hmm, who wants to fetch the data from my domain? So the external domain takes a look at the Referer header, and here is the answer: who is asking about this data, who wants to fetch the data from the external domain, right? So this is how the Referer header works.

And the interesting part here is that we definitely don't want our password reset link with the password reset token to be disclosed automatically via referrer leakage to an external domain, or to external domains, right? We don't want it to happen, because when it happens then we are actually talking about disclosure of sensitive data. A very sensitive piece of data gets automatically disclosed to external domains, and yeah, it happens automatically because this is how browsers work, right? They just fetch the data from other domains, and this kind of problem can happen.

So now I believe that you understand how this attack works. You've got a kind of understanding, and you see the risk, you see the impact. The impact is really high because, well, it leads actually to account takeover, right? If the password reset link gets disclosed to an external domain, then everyone from this external domain can take this password reset link and they can change your password, and that's it, right? So this is an account takeover.

So now let's jump to the demo, because I want to show you how you can find out if this kind of problem exists in a web application or not. So you are not only going to see this attack in action, but you also learn how to check if the web application is vulnerable to this kind of problem. And yeah, let's jump straight to the demo.
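A check in the spirit of the one the demo promises, added here as an example and not taken from the course or its demo: it parses a reset page's HTML, lists the subresources loaded from other origins, and reports which of them would receive the reset URL (token included) in the Referer header under the page's Referrer-Policy response header. The URL, HTML and policy values are constructed; treating an absent policy as leaking is an assumption (older browsers fall back to no-referrer-when-downgrade).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Referrer-Policy values under which a cross-origin subresource request still
# carries the full page URL (path and query) in the Referer header. An absent
# policy is treated as leaking (assumption: legacy browser default behaviour).
FULL_URL_POLICIES = {"", "unsafe-url", "no-referrer-when-downgrade"}

class _SubresourceCollector(HTMLParser):
    """Collects URLs the browser fetches automatically while rendering."""
    ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)

def external_subresources(page_url, html):
    """Absolute URLs of subresources whose origin differs from the page's."""
    parser = _SubresourceCollector()
    parser.feed(html)
    page_origin = urlsplit(page_url)[:2]  # (scheme, netloc)
    absolute = [urljoin(page_url, raw) for raw in parser.urls]
    return [u for u in absolute if urlsplit(u)[:2] != page_origin]

def referer_leak_risks(page_url, html, referrer_policy=""):
    """External URLs that would receive the reset URL (token included) in the
    Referer header, given the value of the page's Referrer-Policy header."""
    has_token = "token=" in urlsplit(page_url).query
    if not has_token or referrer_policy.strip().lower() not in FULL_URL_POLICIES:
        return []
    return external_subresources(page_url, html)

# Constructed sample: a reset page embedding a third-party script and image.
SAMPLE_URL = "https://example.com/reset.php?token=EXAMPLE_TOKEN_VALUE"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.third-party.example/analytics.js"></script>
</head><body>
<img src="//img.third-party.example/logo.png">
<form method="post"><input name="password"></form>
</body></html>"""

if __name__ == "__main__":
    for url in referer_leak_risks(SAMPLE_URL, SAMPLE_HTML):
        print("Referer carrying the reset token would reach:", url)
```

Serving the reset page with a Referrer-Policy such as `no-referrer` or `strict-origin-when-cross-origin` empties the result, which is the mitigation this check is meant to confirm.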
