Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,679 --> 00:00:06,878 welcome back in the demo 2 00:00:04,000 --> 00:00:08,879 uh user enumeration so let me start with 3 00:00:06,878 --> 00:00:12,079 the login functionality 4 00:00:08,880 --> 00:00:15,519 let me as i um already explained to you 5 00:00:12,080 --> 00:00:18,240 in the previous video let me start with 6 00:00:15,519 --> 00:00:18,800 existing email and non-existing email 7 00:00:18,239 --> 00:00:20,399 and 8 00:00:18,800 --> 00:00:23,439 let's see how the web application 9 00:00:20,399 --> 00:00:26,640 responds so my email is david 10 00:00:23,439 --> 00:00:28,719 example.com well i am the user of this 11 00:00:26,640 --> 00:00:29,679 web application i am registered out 12 00:00:28,719 --> 00:00:31,759 there so 13 00:00:29,678 --> 00:00:33,039 well i know that this is uh you know 14 00:00:31,760 --> 00:00:35,679 existing 15 00:00:33,039 --> 00:00:37,839 uh email and now i'm gonna provide some 16 00:00:35,679 --> 00:00:39,920 arbitrary password right i just wanna 17 00:00:37,840 --> 00:00:41,680 see if the web application is going to 18 00:00:39,920 --> 00:00:42,640 tell me something about this email if 19 00:00:41,679 --> 00:00:44,878 this is 20 00:00:42,640 --> 00:00:46,399 registered email or not well i know that 21 00:00:44,878 --> 00:00:48,238 this is registered email but 22 00:00:46,399 --> 00:00:50,320 you know in case of other emails i don't 23 00:00:48,238 --> 00:00:52,640 know it so i just have to 24 00:00:50,320 --> 00:00:53,840 see how the web application responds 25 00:00:52,640 --> 00:00:55,920 because 26 00:00:53,840 --> 00:00:58,320 this is something what i need to learn 27 00:00:55,920 --> 00:00:59,120 to see if other emails are registered or 28 00:00:58,320 --> 00:01:02,640 not right 29 00:00:59,119 --> 00:01:05,920 so let me now click login and let's 30 00:01:02,640 --> 00:01:09,359 see the response wrong 31 00:01:05,920 --> 00:01:11,359 email and or password 32 00:01:09,359 --> 00:01:12,640 well when you've got this message you 33 00:01:11,359 --> 00:01:16,239 don't know what is wrong 34 00:01:12,640 --> 00:01:16,719 email and or password so now let's try 35 00:01:16,239 --> 00:01:20,319 with 36 00:01:16,719 --> 00:01:24,158 some arbitrary email like whatever 37 00:01:20,319 --> 00:01:25,279 add whatever dot com and arbitrary 38 00:01:24,159 --> 00:01:27,520 password 39 00:01:25,280 --> 00:01:30,000 let's see how it works for non-existing 40 00:01:27,519 --> 00:01:33,118 email right 41 00:01:30,000 --> 00:01:34,078 wrong email and or password the same 42 00:01:33,118 --> 00:01:36,640 response 43 00:01:34,078 --> 00:01:38,158 so i have completely no chance to learn 44 00:01:36,640 --> 00:01:41,040 anything here right 45 00:01:38,159 --> 00:01:42,320 providing existing email non-existing 46 00:01:41,040 --> 00:01:45,040 email or in other words 47 00:01:42,319 --> 00:01:46,000 registered or not registered i cannot 48 00:01:45,040 --> 00:01:48,479 figure out 49 00:01:46,000 --> 00:01:50,239 which one is registered and which one is 50 00:01:48,478 --> 00:01:53,359 not right 51 00:01:50,239 --> 00:01:56,399 okay but as i told you uh don't give up 52 00:01:53,359 --> 00:01:59,759 hackers are smart and hackers will 53 00:01:56,399 --> 00:02:01,040 try to reach their goal in a number of 54 00:01:59,759 --> 00:02:03,159 different ways 55 00:02:01,040 --> 00:02:05,040 now let me go to forgot password 56 00:02:03,159 --> 00:02:08,319 functionality 57 00:02:05,040 --> 00:02:10,399 in forgot password functionality i'm 58 00:02:08,318 --> 00:02:11,679 asked to enter my email and then the 59 00:02:10,399 --> 00:02:14,639 password reset link 60 00:02:11,680 --> 00:02:15,840 will be sent to this email so now when i 61 00:02:14,639 --> 00:02:18,878 provide my email 62 00:02:15,840 --> 00:02:20,080 here and i click send password reset 63 00:02:18,878 --> 00:02:22,719 link 64 00:02:20,080 --> 00:02:25,120 then i see a message password reset link 65 00:02:22,719 --> 00:02:27,840 has been sent to your email 66 00:02:25,120 --> 00:02:29,759 that's cool that's cool but how does the 67 00:02:27,840 --> 00:02:32,479 web app responds 68 00:02:29,759 --> 00:02:33,199 to non-existing email let's check this 69 00:02:32,479 --> 00:02:37,119 out 70 00:02:33,199 --> 00:02:40,399 whatever add whatever right dot com 71 00:02:37,120 --> 00:02:40,400 send password reset link 72 00:02:40,560 --> 00:02:46,719 email doesn't exist so 73 00:02:43,759 --> 00:02:47,439 yeah we've got it we've got it we have 74 00:02:46,719 --> 00:02:50,400 found 75 00:02:47,439 --> 00:02:52,639 that user enumeration via forgot 76 00:02:50,400 --> 00:02:55,360 password functionality is possible 77 00:02:52,639 --> 00:02:56,479 because the system responds differently 78 00:02:55,360 --> 00:02:59,200 the web app 79 00:02:56,479 --> 00:03:00,079 responds differently for registered 80 00:02:59,199 --> 00:03:03,439 email 81 00:03:00,080 --> 00:03:05,200 and non-registered email right and this 82 00:03:03,439 --> 00:03:08,239 is how you can start 83 00:03:05,199 --> 00:03:11,679 building a list of registered emails 84 00:03:08,239 --> 00:03:13,920 now do some kind of automation here 85 00:03:11,680 --> 00:03:15,200 and voila you will learn who's register 86 00:03:13,919 --> 00:03:17,518 who is not 87 00:03:15,199 --> 00:03:20,238 and that's it i've got two different 88 00:03:17,519 --> 00:03:22,719 types of responses for registered emails 89 00:03:20,239 --> 00:03:23,759 and unregistered emails this is it this 90 00:03:22,719 --> 00:03:27,039 is how it works 91 00:03:23,759 --> 00:03:29,519 and in a real attack the attacker would 92 00:03:27,039 --> 00:03:30,560 do some kind of automation here but when 93 00:03:29,519 --> 00:03:32,239 you do hacking 94 00:03:30,560 --> 00:03:33,680 you need to provide a kind of proof of 95 00:03:32,239 --> 00:03:36,640 concept you need to 96 00:03:33,680 --> 00:03:37,599 show the program owner or the company 97 00:03:36,639 --> 00:03:41,279 how you can 98 00:03:37,598 --> 00:03:44,238 build this list of registered emails 99 00:03:41,280 --> 00:03:44,799 and what i explained to you is is enough 100 00:03:44,239 --> 00:03:47,439 right 101 00:03:44,799 --> 00:03:48,080 we see in forgot password functionality 102 00:03:47,439 --> 00:03:50,560 two different 103 00:03:48,080 --> 00:03:52,400 uh responses for registered and 104 00:03:50,560 --> 00:03:53,680 unregistered emails and this is how we 105 00:03:52,400 --> 00:03:55,360 can differentiate 106 00:03:53,680 --> 00:03:56,959 who is registered who is not registered 107 00:03:55,360 --> 00:03:59,280 this is how we can start building 108 00:03:56,959 --> 00:04:00,080 uh this list and here is how the 109 00:03:59,280 --> 00:04:03,840 attacker 110 00:04:00,080 --> 00:04:06,879 can build this list as well so you see 111 00:04:03,840 --> 00:04:09,598 try to be smart don't give up too early 112 00:04:06,878 --> 00:04:11,598 try also other functionalities in the in 113 00:04:09,598 --> 00:04:12,479 the web application if you've got a goal 114 00:04:11,598 --> 00:04:14,479 in your mind 115 00:04:12,479 --> 00:04:15,919 try to be open-minded and and then you 116 00:04:14,479 --> 00:04:17,759 can reach your goal 117 00:04:15,919 --> 00:04:23,039 i believe that this is clear and 118 00:04:17,759 --> 00:04:23,040 basically this is it in this demo 7920