1
00:00:00,985  -->  00:00:03,170
<v ->In this section, we're gonna be talking about</v>

2
00:00:03,170  -->  00:00:06,040
web application penetration testing.

3
00:00:06,040  -->  00:00:08,010
Before we can start talking about that,

4
00:00:08,010  -->  00:00:10,803
we need to understand what is a website.

5
00:00:11,690  -->  00:00:13,110
Just like I said before,

6
00:00:13,110  -->  00:00:17,430
a website is just an application installed on a computer.

7
00:00:17,430  -->  00:00:20,160
That computer probably just has better specs

8
00:00:20,160  -->  00:00:21,320
than your computer,

9
00:00:21,320  -->  00:00:24,400
but, fundamentally, it works exactly

10
00:00:24,400  -->  00:00:26,010
just like another computer.

11
00:00:26,010  -->  00:00:27,740
It has an operating system

12
00:00:28,610  -->  00:00:31,040
and it also has a number of applications

13
00:00:31,040  -->  00:00:34,240
to allow it to act as a web server.

14
00:00:34,240  -->  00:00:36,920
The main two applications that it probably has are

15
00:00:36,920  -->  00:00:40,870
a web server and a database.

16
00:00:40,870  -->  00:00:43,120
A web server is like Apache,

17
00:00:43,120  -->  00:00:45,393
and a database is like MySQL.

18
00:00:46,490  -->  00:00:50,370
The web server, basically, understands and executes

19
00:00:50,370  -->  00:00:51,680
the web application.

20
00:00:51,680  -->  00:00:54,580
Your web application would be written in PHP or Python,

21
00:00:54,580  -->  00:00:56,550
in any programming language, really.

22
00:00:56,550  -->  00:00:58,010
The only thing is that the web server

23
00:00:58,010  -->  00:00:59,870
needs to be able to understand

24
00:00:59,870  -->  00:01:02,930
and execute this web application.

25
00:01:02,930  -->  00:01:06,963
The database contains the data used by the web application.

26
00:01:08,120  -->  00:01:11,260
All of this is stored on a computer called the server.

27
00:01:11,260  -->  00:01:13,590
The computer is connected to the internet,

28
00:01:13,590  -->  00:01:15,440
and it has a real IP address,

29
00:01:15,440  -->  00:01:18,393
so anybody can access that computer and can ping it.

30
00:01:20,715  -->  00:01:25,450
The web application is executed by the web server

31
00:01:25,450  -->  00:01:30,310
which is installed on your server, on your target.

32
00:01:30,310  -->  00:01:34,140
Therefore, any time you request a page

33
00:01:34,140  -->  00:01:35,830
or you run the web application,

34
00:01:35,830  -->  00:01:38,670
it's, actually, executed on the web server,

35
00:01:38,670  -->  00:01:41,720
and it's not executed at the client's computer.

36
00:01:41,720  -->  00:01:43,940
It gets executed at the web server,

37
00:01:43,940  -->  00:01:47,850
and then it sends an HTML page which is ready to read

38
00:01:47,850  -->  00:01:51,673
for the target person or for the clients.

39
00:01:53,070  -->  00:01:55,650
Let's have a look at an example.

40
00:01:55,650  -->  00:01:58,290
Let's say you're on the phone or on your computer

41
00:01:58,290  -->  00:02:00,100
and you wanted to go to facebook.com.

42
00:02:00,100  -->  00:02:02,743
So, you type in facebook.com into your URL.

43
00:02:03,770  -->  00:02:08,610
This will be translated using a DNS server

44
00:02:08,610  -->  00:02:09,880
to an IP address.

45
00:02:09,880  -->  00:02:14,237
There is a server that translates every name,

46
00:02:14,237  -->  00:02:18,320
.com, .edu, or any website with a domain name,

47
00:02:18,320  -->  00:02:19,810
so this is a domain name,

48
00:02:19,810  -->  00:02:22,750
to its relevant IP address.

49
00:02:22,750  -->  00:02:24,400
So, you request facebook.com,

50
00:02:24,400  -->  00:02:26,580
the request goes to a DNS server,

51
00:02:26,580  -->  00:02:28,150
it translates facebook.com

52
00:02:28,150  -->  00:02:31,530
to the IP where Facebook is stored,

53
00:02:31,530  -->  00:02:36,530
and then it'll go to the IP address of Facebook,

54
00:02:37,230  -->  00:02:39,560
it'll execute the page that you wanted

55
00:02:39,560  -->  00:02:42,380
using all of the applications that we spoke about,

56
00:02:42,380  -->  00:02:44,950
and then just give you a ready HTML.

57
00:02:44,950  -->  00:02:48,270
What you get back is just a markup written in HTML,

58
00:02:48,270  -->  00:02:49,780
which is a markup language,

59
00:02:49,780  -->  00:02:52,540
of the result of executing the program.

60
00:02:52,540  -->  00:02:55,060
The program gets executed on the server,

61
00:02:55,060  -->  00:02:57,570
and then you just only get the result.

62
00:02:57,570  -->  00:02:59,500
This is very important because

63
00:02:59,500  -->  00:03:02,120
in the future if we wanted to get anything executed

64
00:03:02,120  -->  00:03:02,980
on the web server,

65
00:03:02,980  -->  00:03:05,840
if we wanted to get a shell, a reverse shell, or a virus

66
00:03:05,840  -->  00:03:07,910
executed on the target computer,

67
00:03:07,910  -->  00:03:10,410
then we need to send it into a language

68
00:03:10,410  -->  00:03:12,160
that the web server understands.

69
00:03:12,160  -->  00:03:13,230
For example, PHP.

70
00:03:14,290  -->  00:03:15,800
Once you execute it there,

71
00:03:15,800  -->  00:03:20,270
it'll be executed on that computer, not on your computer.

72
00:03:20,270  -->  00:03:22,783
Regardless of the person that accesses the page,

73
00:03:24,060  -->  00:03:26,070
the web shell that you're gonna send,

74
00:03:26,070  -->  00:03:27,310
if it's written in PHP,

75
00:03:27,310  -->  00:03:29,400
in a language that the server understands,

76
00:03:29,400  -->  00:03:31,670
it's gonna be executed on the server

77
00:03:31,670  -->  00:03:33,320
and not on your computer.

78
00:03:33,320  -->  00:03:35,830
Therefore, it'll give you access to the server,

79
00:03:35,830  -->  00:03:39,293
and not access to the person who accessed that server.

80
00:03:42,340  -->  00:03:43,720
JavaScript, on the other hand,

81
00:03:43,720  -->  00:03:46,600
there are some websites that use JavaScript.

82
00:03:46,600  -->  00:03:48,853
JavaScript is a client-side language.

83
00:03:49,800  -->  00:03:52,300
If you manage to find a website

84
00:03:52,300  -->  00:03:54,660
that allows you to run JavaScript code,

85
00:03:54,660  -->  00:03:58,000
then the code will be executed by the clients.

86
00:03:58,000  -->  00:04:01,060
Even though the code might be injected into the web server,

87
00:04:01,060  -->  00:04:03,290
it'll be executed on the client-side

88
00:04:03,290  -->  00:04:08,290
and it'll allow you to do things to the client computer

89
00:04:08,530  -->  00:04:10,590
and not to the server.

90
00:04:10,590  -->  00:04:12,160
It's very important to separate

91
00:04:12,160  -->  00:04:15,733
between a client-side language and a server-side language.
