1
00:00:03,390 --> 00:00:06,350
<v Instructor>So far we learnt how to manually discover</v>

2
00:00:06,350 --> 00:00:09,450
a number of very dangerous vulnerabilities.

3
00:00:09,450 --> 00:00:13,660
We've seen how they work and how to exploit them.

4
00:00:13,660 --> 00:00:15,809
In today's video, I'd like to show you a tool

5
00:00:15,809 --> 00:00:19,520
that will allow you to automatically discover

6
00:00:19,520 --> 00:00:22,060
vulnerabilities in web applications.

7
00:00:22,060 --> 00:00:24,140
It will allow you to discover the vulnerabilities

8
00:00:24,140 --> 00:00:26,770
that we learned, plus much more.

9
00:00:26,770 --> 00:00:29,550
The reason why I didn't teach you this at the start,

10
00:00:29,550 --> 00:00:32,530
is because I wanted you to learn how to do it manually,

11
00:00:32,530 --> 00:00:34,470
and I also wanted you to know

12
00:00:34,470 --> 00:00:36,700
how these vulnerabilities occur,

13
00:00:36,700 --> 00:00:39,200
so as to understand the reason behind them.

14
00:00:39,200 --> 00:00:41,107
Also, these are just tools,

15
00:00:41,107 --> 00:00:43,330
so this program is just a tool,

16
00:00:43,330 --> 00:00:46,118
it can make mistakes and it can show false positives.

17
00:00:46,118 --> 00:00:49,440
It can also miss vulnerabilities in some cases.

18
00:00:49,440 --> 00:00:51,160
Therefore, I wanted you to know

19
00:00:51,160 --> 00:00:52,650
how to do this stuff manually,

20
00:00:52,650 --> 00:00:54,650
so if the program doesn't work

21
00:00:54,650 --> 00:00:56,280
or if the program misses something,

22
00:00:56,280 --> 00:00:57,833
then you'll be able to find it.

23
00:00:58,760 --> 00:01:02,160
The best way to use these programs is as a backup

24
00:01:02,160 --> 00:01:06,073
or as just a tool to help you with your penetration testing.

25
00:01:07,450 --> 00:01:09,600
So using the tool is very simple.

26
00:01:09,600 --> 00:01:11,100
I'm gonna go on my applications

27
00:01:11,100 --> 00:01:12,763
and then I'm gonna type in ZAP.

28
00:01:16,080 --> 00:01:19,180
And it's asking me if I wanted to save the current session

29
00:01:19,180 --> 00:01:21,963
when I search for something, so I'm gonna say no.

30
00:01:25,344 --> 00:01:28,980
And this is the main view of the tool,

31
00:01:28,980 --> 00:01:31,030
so on the left here you'll see the websites

32
00:01:31,030 --> 00:01:32,650
that you're targeting.

33
00:01:32,650 --> 00:01:37,390
On the right, you can attack and send the website URL,

34
00:01:37,390 --> 00:01:41,190
and in here you'll see the results for your attacking

35
00:01:41,190 --> 00:01:42,293
or for your scan.

36
00:01:43,720 --> 00:01:45,950
If we go here on the cog on the left,

37
00:01:45,950 --> 00:01:50,103
it'll allow you to modify the options for the program.

38
00:01:51,100 --> 00:01:53,370
So you can modify certain aspects of it,

39
00:01:53,370 --> 00:01:56,460
the way the fuzzer works, the way the spider works,

40
00:01:56,460 --> 00:01:57,743
the way the scan works.

41
00:01:59,180 --> 00:02:00,980
I'm gonna leave everything the same.

42
00:02:01,970 --> 00:02:03,770
Another thing that you can modify

43
00:02:03,770 --> 00:02:05,900
is the policies used in this scan,

44
00:02:05,900 --> 00:02:07,450
so it's something similar to these scans

45
00:02:07,450 --> 00:02:09,330
that we were using with Nmap,

46
00:02:09,330 --> 00:02:11,530
the intense scan and all of that.

47
00:02:11,530 --> 00:02:13,640
So I'm gonna press on the plus,

48
00:02:13,640 --> 00:02:15,980
I'm gonna press on the active scan,

49
00:02:15,980 --> 00:02:17,560
and if you press on this,

50
00:02:17,560 --> 00:02:18,603
on the left here,

51
00:02:20,980 --> 00:02:23,350
and I'm gonna press under default policy,

52
00:02:23,350 --> 00:02:24,960
now you can create your own policies

53
00:02:24,960 --> 00:02:26,830
by using the add button,

54
00:02:26,830 --> 00:02:29,390
I'm gonna press on the default one

55
00:02:29,390 --> 00:02:30,760
and I'm gonna go on modify

56
00:02:30,760 --> 00:02:34,163
to show you the aspects that you can modify.

57
00:02:35,700 --> 00:02:37,890
So right here we can modify the name,

58
00:02:37,890 --> 00:02:42,033
the threshold and the strength for the global policy.

59
00:02:44,660 --> 00:02:46,340
Clicking on each of these categories

60
00:02:46,340 --> 00:02:51,340
will allow you to modify the specific scans

61
00:02:51,680 --> 00:02:52,770
that will be performed.

62
00:02:52,770 --> 00:02:54,820
For example, in the injection tab here,

63
00:02:54,820 --> 00:02:56,990
we can see all the injection scans

64
00:02:56,990 --> 00:02:59,200
that the program is going to try.

65
00:02:59,200 --> 00:03:01,580
For example, we can see SQL injections here,

66
00:03:01,580 --> 00:03:04,140
we can see cross-site scripting here,

67
00:03:04,140 --> 00:03:06,220
and pressing on the threshold right here

68
00:03:06,220 --> 00:03:11,220
we can set this to default, low, medium or high.

69
00:03:11,490 --> 00:03:12,980
Setting it to the default

70
00:03:12,980 --> 00:03:15,560
will just default to the value selected here

71
00:03:15,560 --> 00:03:16,933
which is medium right now,

72
00:03:17,870 --> 00:03:19,690
or you can have for example,

73
00:03:19,690 --> 00:03:21,840
if SQL injection is what you're looking for,

74
00:03:21,840 --> 00:03:24,583
if what you're looking for is access from the database,

75
00:03:24,583 --> 00:03:26,410
then you can set this to high

76
00:03:26,410 --> 00:03:27,930
so that it'll try everything

77
00:03:27,930 --> 00:03:31,923
and it'll try to find it in even difficult places.

78
00:03:35,030 --> 00:03:36,050
So I'm gonna close all of this,

79
00:03:36,050 --> 00:03:37,720
I'm leaving everything the same,

80
00:03:37,720 --> 00:03:41,520
and I'm gonna start my attack against the Mutillidae script,

81
00:03:41,520 --> 00:03:45,500
so we have it in 10.20.14.204

82
00:03:45,500 --> 00:03:47,453
running in the Metasploitable machine,

83
00:03:48,320 --> 00:03:50,870
and if we go on Mutillidae right here,

84
00:03:50,870 --> 00:03:52,210
that's the URL,

85
00:03:52,210 --> 00:03:54,123
so literally I'm just gonna copy this,

86
00:03:57,520 --> 00:03:58,723
and paste it here.

87
00:04:01,090 --> 00:04:02,533
And then I'm gonna attack.

88
00:04:04,080 --> 00:04:07,320
Now the tool is first gonna try to find all the URLs

89
00:04:07,320 --> 00:04:11,140
and then it's going to try and attack these URLs

90
00:04:11,140 --> 00:04:14,200
based on the scan policy that we used.

91
00:04:14,200 --> 00:04:15,430
I'm gonna pause the video

92
00:04:15,430 --> 00:04:17,413
and resume it once the scan is over.
