1
00:00:01,599 --> 00:00:05,680
welcome back
2
00:00:03,120 --> 00:00:06,480
now in this demo i'm gonna show you how
3
00:00:05,679 --> 00:00:09,839
to test for
4
00:00:06,480 --> 00:00:12,000
insecure password change in the context
5
00:00:09,839 --> 00:00:15,519
of broken session management
6
00:00:12,000 --> 00:00:17,039
so this is gonna be exactly what i
7
00:00:15,519 --> 00:00:20,399
presented in the previous video
8
00:00:17,039 --> 00:00:23,439
but now we've got a practical part right
9
00:00:20,399 --> 00:00:26,079
so as you remember from the
10
00:00:23,439 --> 00:00:26,800
previous video we've got a legitimate
11
00:00:26,079 --> 00:00:29,919
user
12
00:00:26,800 --> 00:00:31,359
and we've got an attacker who was able
13
00:00:29,920 --> 00:00:33,840
to get access to the user
14
00:00:31,359 --> 00:00:35,600
account somehow we don't care how right
15
00:00:33,840 --> 00:00:38,640
in this kind of story
16
00:00:35,600 --> 00:00:38,960
so i've got two browsers uh here i've
17
00:00:38,640 --> 00:00:41,119
got
18
00:00:38,960 --> 00:00:42,079
firefox and let's assume that firefox
19
00:00:41,119 --> 00:00:45,599
this one
20
00:00:42,079 --> 00:00:46,239
is the browser of the user so you see
21
00:00:45,600 --> 00:00:49,920
that
22
00:00:46,238 --> 00:00:53,759
i am authenticated and now i've got also
23
00:00:49,920 --> 00:00:55,520
google chrome and so another browser
24
00:00:53,759 --> 00:00:57,198
and let's assume that this is the
25
00:00:55,520 --> 00:00:59,280
browser of the attacker
26
00:00:57,198 --> 00:01:00,479
who was able to get access to the user's
27
00:00:59,280 --> 00:01:03,520
account right
28
00:01:00,479 --> 00:01:04,558
now what i'm going to do as a legitimate
29
00:01:03,520 --> 00:01:07,760
user so i'm going to
30
00:01:04,558 --> 00:01:11,039
go back to firefox i'm going to
31
00:01:07,760 --> 00:01:11,439
change my password right so i'm going to
32
00:01:11,040 --> 00:01:14,720
click
33
00:01:11,438 --> 00:01:16,959
change password and uh
34
00:01:14,719 --> 00:01:20,319
first i'm asked to enter the current
35
00:01:16,959 --> 00:01:20,319
password so let me do it
36
00:01:24,079 --> 00:01:29,280
and yeah success now i need to provide
37
00:01:26,159 --> 00:01:29,280
the new password
38
00:01:31,519 --> 00:01:35,599
and i will click change password
39
00:01:35,920 --> 00:01:42,640
okay you clearly see here
40
00:01:39,519 --> 00:01:45,759
that my password has been changed
41
00:01:42,640 --> 00:01:49,040
success password changed
42
00:01:45,759 --> 00:01:52,239
this is my browser and
43
00:01:49,040 --> 00:01:55,920
what i expect right now to happen
44
00:01:52,239 --> 00:01:56,798
is that the session id related to my old
45
00:01:55,920 --> 00:01:59,759
password
46
00:01:56,799 --> 00:02:01,439
should be invalidated right so let me
47
00:01:59,759 --> 00:02:05,118
right now go to the
48
00:02:01,438 --> 00:02:06,239
attacker's browser and let me refresh
49
00:02:05,118 --> 00:02:08,800
this page
50
00:02:06,239 --> 00:02:11,519
let me refresh it i'm gonna hit enter
51
00:02:08,800 --> 00:02:14,560
i'm gonna hit enter again
52
00:02:11,520 --> 00:02:18,000
i refreshed it twice and i still
53
00:02:14,560 --> 00:02:20,319
got an access to this account right
54
00:02:18,000 --> 00:02:21,360
to david's account remember this is the
55
00:02:20,318 --> 00:02:24,079
attacker
56
00:02:21,360 --> 00:02:25,280
so what's the conclusion i changed the
57
00:02:24,080 --> 00:02:28,719
password
58
00:02:25,280 --> 00:02:29,520
but the session id related to old
59
00:02:28,719 --> 00:02:32,639
password
60
00:02:29,520 --> 00:02:35,280
right has not been invalidated
61
00:02:32,639 --> 00:02:36,318
i changed the password in my account but
62
00:02:35,280 --> 00:02:39,519
the session id
63
00:02:36,318 --> 00:02:40,560
related to my old password has not been
64
00:02:39,519 --> 00:02:42,640
invalidated
65
00:02:40,560 --> 00:02:45,199
and i can clearly see it here because
66
00:02:42,639 --> 00:02:48,878
i'm still logged in i'm still logged in
67
00:02:45,199 --> 00:02:53,199
in the attacker's browser right
68
00:02:48,878 --> 00:02:55,759
so it clearly presents the problem right
69
00:02:53,199 --> 00:02:56,639
if the session id related to my old
70
00:02:55,759 --> 00:02:59,120
password
71
00:02:56,639 --> 00:02:59,919
was invalidated at the time of password
72
00:02:59,120 --> 00:03:02,640
changed
73
00:02:59,919 --> 00:03:03,679
then i wouldn't be able to get access to
74
00:03:02,639 --> 00:03:06,878
my account
75
00:03:03,680 --> 00:03:07,439
in the attacker's browser right this is
76
00:03:06,878 --> 00:03:09,598
it
77
00:03:07,439 --> 00:03:10,878
now you can clearly see that this
78
00:03:09,598 --> 00:03:13,359
problem exists
79
00:03:10,878 --> 00:03:14,799
and nothing has happened the attacker
80
00:03:13,360 --> 00:03:17,599
who got access
81
00:03:14,800 --> 00:03:18,000
to the user's account can still have an
82
00:03:17,598 --> 00:03:21,439
access
83
00:03:18,000 --> 00:03:24,639
to user account despite the fact
84
00:03:21,439 --> 00:03:27,598
that user's password has been
85
00:03:24,639 --> 00:03:29,119
changed right so this is how it works i
86
00:03:27,598 --> 00:03:35,759
believe it is clear
87
00:03:29,120 --> 00:03:35,759
so let me jump to the next bug