1
00:00:01,599 --> 00:00:06,640
hello guys in this video i'm gonna show
2
00:00:04,160 --> 00:00:09,599
you how to extract the metadata
3
00:00:06,639 --> 00:00:11,279
from files that are hosted on the domain
4
00:00:09,599 --> 00:00:13,359
that you are testing right
5
00:00:11,279 --> 00:00:14,919
so if your web application is hosted on
6
00:00:13,359 --> 00:00:18,239
the domain for example
7
00:00:14,919 --> 00:00:20,320
example.com like what i have in my um
8
00:00:18,239 --> 00:00:21,519
testy web application that i am
9
00:00:20,320 --> 00:00:23,920
interested
10
00:00:21,519 --> 00:00:25,118
in all files that are hosted on this
11
00:00:23,920 --> 00:00:28,480
domain in
12
00:00:25,118 --> 00:00:29,599
different doc files docx files pdfs and
13
00:00:28,480 --> 00:00:32,480
stuff like that
14
00:00:29,599 --> 00:00:33,359
why am i interested in this because you
15
00:00:32,479 --> 00:00:36,799
know this is an
16
00:00:33,359 --> 00:00:39,439
integral part of the web application
17
00:00:36,799 --> 00:00:40,799
and it may happen that i will find some
18
00:00:39,439 --> 00:00:43,199
sensitive interesting
19
00:00:40,799 --> 00:00:44,000
information in the metadata of these
20
00:00:43,200 --> 00:00:45,679
documents
21
00:00:44,000 --> 00:00:48,000
that's why this is something really
22
00:00:45,679 --> 00:00:49,519
interesting from my point of view and
23
00:00:48,000 --> 00:00:51,359
also from the attacker's point of view
24
00:00:49,520 --> 00:00:52,800
right because the attacker is interested
25
00:00:51,359 --> 00:00:56,079
in the disclosure of
26
00:00:52,799 --> 00:00:56,479
sensitive data okay so what i've got
27
00:00:56,079 --> 00:00:58,799
here
28
00:00:56,479 --> 00:01:00,238
is the cookie policy and maybe you can
29
00:00:58,799 --> 00:01:02,959
see it in the
30
00:01:00,238 --> 00:01:04,079
uh bottom left corner this is a doc file
31
00:01:02,960 --> 00:01:07,118
cookie policy dot
32
00:01:04,079 --> 00:01:10,560
doc let me now uh click right and
33
00:01:07,118 --> 00:01:11,118
save it on my disk and now you clearly
34
00:01:10,560 --> 00:01:14,240
see
35
00:01:11,118 --> 00:01:16,478
that this is cookiepolicy.doc right
36
00:01:14,239 --> 00:01:17,839
and let me let me save it so i'm going
37
00:01:16,478 --> 00:01:21,840
to save it
38
00:01:17,840 --> 00:01:24,880
in cookie policy directory
39
00:01:21,840 --> 00:01:26,320
okay now it has been saved so it has
40
00:01:24,879 --> 00:01:29,519
been saved on my disk
41
00:01:26,319 --> 00:01:30,399
and now i'm gonna go uh to the command
42
00:01:29,519 --> 00:01:33,759
line
43
00:01:30,400 --> 00:01:35,359
and uh well it has been saved on desktop
44
00:01:33,759 --> 00:01:37,439
in cookie policy directory
45
00:01:35,359 --> 00:01:38,560
so it is out there let me let me show
46
00:01:37,438 --> 00:01:41,438
you that indeed
47
00:01:38,560 --> 00:01:42,159
it is here yes cookiepolicy.doc so now
48
00:01:41,438 --> 00:01:45,679
i'm gonna
49
00:01:42,159 --> 00:01:48,640
use a exif tool in order to retrieve the
50
00:01:45,680 --> 00:01:49,360
metadata from this file so uh let me do
51
00:01:48,640 --> 00:01:52,719
it
52
00:01:49,359 --> 00:01:55,200
so exif tool dash a
53
00:01:52,719 --> 00:01:56,560
and the name of the file very simple
54
00:01:55,200 --> 00:01:59,280
command
55
00:01:56,560 --> 00:02:00,799
but before i click this command i'm
56
00:01:59,280 --> 00:02:01,280
going to show you how this file looks
57
00:02:00,799 --> 00:02:02,719
like
58
00:02:01,280 --> 00:02:04,879
because i want to show you that at the
59
00:02:02,718 --> 00:02:07,759
first glance you don't see
60
00:02:04,879 --> 00:02:09,598
the metadata but when you launch this
61
00:02:07,759 --> 00:02:11,280
command when you use exif tool you can
62
00:02:09,598 --> 00:02:11,840
see what is hidden actually out there
63
00:02:11,280 --> 00:02:14,560
okay
64
00:02:11,840 --> 00:02:17,280
so let me first go to cookie policy
65
00:02:14,560 --> 00:02:19,120
directory i will click it
66
00:02:17,280 --> 00:02:20,800
and what i've got here is just a cookie
67
00:02:19,120 --> 00:02:24,000
policy look at that
68
00:02:20,800 --> 00:02:26,080
well cookie policy we may use now or in
69
00:02:24,000 --> 00:02:29,439
the future cookies on the sites
70
00:02:26,080 --> 00:02:31,840
stuff like that just go for it
71
00:02:29,439 --> 00:02:33,359
nothing interesting right nothing
72
00:02:31,840 --> 00:02:35,840
sensitive out there
73
00:02:33,360 --> 00:02:37,040
just a kind of a text right we've got
74
00:02:35,840 --> 00:02:39,280
just a text
75
00:02:37,039 --> 00:02:40,159
nothing sensitive out there but as i
76
00:02:39,280 --> 00:02:43,840
told you
77
00:02:40,159 --> 00:02:46,878
metadata is hidden you don't see it but
78
00:02:43,840 --> 00:02:47,920
you can find it in the document and for
79
00:02:46,878 --> 00:02:49,598
that reason
80
00:02:47,919 --> 00:02:51,679
we can use exif tool because this is
81
00:02:49,598 --> 00:02:52,479
really the fast way of retrieving the
82
00:02:51,680 --> 00:02:56,239
metadata
83
00:02:52,479 --> 00:02:59,598
so let me now go back to my
84
00:02:56,239 --> 00:03:02,640
command line let me now hit enter
85
00:02:59,598 --> 00:03:04,318
and and and voila and you see the
86
00:03:02,639 --> 00:03:06,479
metadata extracted
87
00:03:04,318 --> 00:03:08,479
you see different kind of information
88
00:03:06,479 --> 00:03:11,119
like here you've got
89
00:03:08,479 --> 00:03:12,639
file modification time and stuff like
90
00:03:11,120 --> 00:03:15,680
that
91
00:03:12,639 --> 00:03:17,039
and you can go for this kind of metadata
92
00:03:15,680 --> 00:03:21,280
but there is something really
93
00:03:17,039 --> 00:03:24,158
interesting in the comments here right
94
00:03:21,280 --> 00:03:25,439
read this stuff and especially the
95
00:03:24,158 --> 00:03:28,479
second line let me
96
00:03:25,439 --> 00:03:32,079
highlight it right now
97
00:03:28,479 --> 00:03:34,399
so ben please review this document
98
00:03:32,080 --> 00:03:35,920
and then upload it to the following
99
00:03:34,400 --> 00:03:38,959
directory and this
100
00:03:35,919 --> 00:03:42,079
is the directory
101
00:03:38,959 --> 00:03:47,239
ftp colon slash
102
00:03:42,080 --> 00:03:48,879
root colon super secure password at
103
00:03:47,239 --> 00:03:53,120
192.168
104
00:03:48,878 --> 00:03:55,598
and and and more right this is it
105
00:03:53,120 --> 00:03:57,599
here you see something very nice what
106
00:03:55,598 --> 00:04:02,238
you've got after the protocol part
107
00:03:57,598 --> 00:04:05,119
so ftp colon slash are the credentials
108
00:04:02,239 --> 00:04:05,599
to the to the ftp this is how you can
109
00:04:05,120 --> 00:04:09,200
actually
110
00:04:05,598 --> 00:04:11,280
provide credentials to to the ftp after
111
00:04:09,199 --> 00:04:12,560
slash you can provide the credentials so
112
00:04:11,280 --> 00:04:14,640
root is
113
00:04:12,560 --> 00:04:15,920
is the login and super secure password
114
00:04:14,639 --> 00:04:18,478
is the password
115
00:04:15,919 --> 00:04:20,879
this is very nice this is a kind of
116
00:04:18,478 --> 00:04:23,439
metadata that has been extracted
117
00:04:20,879 --> 00:04:24,399
you didn't see it when i presented this
118
00:04:23,439 --> 00:04:26,639
file to you
119
00:04:24,399 --> 00:04:28,959
but you clearly see that it is somewhere
120
00:04:26,639 --> 00:04:30,639
there inside hidden
121
00:04:28,959 --> 00:04:32,560
and this is it this is the power of
122
00:04:30,639 --> 00:04:35,840
metadata extraction
123
00:04:32,560 --> 00:04:38,800
and i really recommend you to
124
00:04:35,839 --> 00:04:39,519
also in your own pen testing hacking go
125
00:04:38,800 --> 00:04:41,600
around
126
00:04:39,519 --> 00:04:43,839
and fetch the metadata because you can
127
00:04:41,600 --> 00:04:46,000
find uh quite many interesting
128
00:04:43,839 --> 00:04:47,439
information out there because you know
129
00:04:46,000 --> 00:04:50,720
there are different people that
130
00:04:47,439 --> 00:04:53,439
cooperate in a given company and before
131
00:04:50,720 --> 00:04:54,320
publishing the documents they forget uh
132
00:04:53,439 --> 00:04:57,279
to
133
00:04:54,319 --> 00:04:57,918
delete the metadata from a from a given
134
00:04:57,279 --> 00:05:00,638
file
135
00:04:57,918 --> 00:05:01,839
uh people just put the links like here
136
00:05:00,639 --> 00:05:05,038
the links with
137
00:05:01,839 --> 00:05:07,439
credentials uh right inside
138
00:05:05,038 --> 00:05:09,038
when something like this is somewhere in
139
00:05:07,439 --> 00:05:10,079
the file and you can fetch it from the
140
00:05:09,038 --> 00:05:12,959
file then you immediately
141
00:05:10,079 --> 00:05:14,319
know the credentials right so um and
142
00:05:12,959 --> 00:05:15,279
this is beautiful from the attacker's
143
00:05:14,319 --> 00:05:17,918
point of view
144
00:05:15,279 --> 00:05:20,319
this is a kind of interesting bug that
145
00:05:17,918 --> 00:05:22,399
you can find and you can get paid for it
146
00:05:20,319 --> 00:05:24,240
because here we are talking about
147
00:05:22,399 --> 00:05:26,799
sensitive data
148
00:05:24,240 --> 00:05:27,918
exposure right or disclosure of
149
00:05:26,800 --> 00:05:30,639
sensitive data
150
00:05:27,918 --> 00:05:31,439
i hope it is clear you see how easily
151
00:05:30,639 --> 00:05:34,319
you can
152
00:05:31,439 --> 00:05:35,519
use exif tool to fetch the metadata you
153
00:05:34,319 --> 00:05:38,879
can do it quickly
154
00:05:35,519 --> 00:05:40,079
and you can find some interesting stuff
155
00:05:38,879 --> 00:05:42,560
inside the documents
156
00:05:40,079 --> 00:05:44,319
so i believe that this is clear and let
157
00:05:42,560 --> 00:05:48,399
me now jump to another bug
158
00:05:44,319 --> 00:05:48,399
on our list