This course explores HTML injection, stored HTML injection, and other types of attacks in order to begin carrying out some web pen testing in a practical way.
This course is intended for anyone who wants to learn the necessary skills to become an ethical hacker and/or a bug bounty hunter.
We recommend that this course be taken as part of our Web Penetration Testing & Bug Bounty Hunting learning path.
Hi. Within this lecture, we're going to see how we can discover the hidden pages in our website. And in order to do that, first of all, I'm going to go into the iFrame Injection. We're going to see why. We know what an iFrame is, but we don't know what we can get out of this depending on the situation in here. So, let me close everything down here so that we can start refreshed. So, whenever we do web pen testing, we need to open the Burp Suite and we need to wander around a little bit so that we can gather as much information in the Burp Suite as we can. For example, if I wanted to do real web pen testing here, I could have opened the target so that I can see everything that I'm interacting with inside of this 10.0.2.9. And as you can see, it actually tags everything that I'm interacting with. We have gone to Google. We have GitHub and stuff, so it tagged everything, but particularly we are interested in this 10.0.2.9 and we can see every page that we have interacted with over here. So, if I wander around over here a little bit, it will tag everything in there. So, if I open the blog, if it just takes me to somewhere else, I can just see everything that I have interacted with starting from here. For example, I have robots.txt inside of this list at this point. So, I cannot see the response that I get from robots.txt, but I can see the robots.txt file. So, what is robots.txt? Let me show you. So, if you come over here and just write robots.txt. So, this is a file that you use to say to the web crawlers, stay away from these websites. So basically, when a web developer develops a website, they may want to just keep Google or any other web crawlers or any other search engines away from some websites or web pages. So for example, if they have an admin page or if they have a password page for some reason, they may want to say to Google, Okay, don't tag this. I don't want it to be public.
So, if you find the robots.txt file, you can see all the contents and you can just try to reach them. So, let me zoom in so that you can see it in a better way. Here we go. We have a password file, for example, or a folder. So, I'm going to copy this and just paste it in there and see what we can get out of it. So, let me do this and just paste it, and here you go. I have some things over here like an XML file. So, if I download this or just open this, I can see some kind of passwords or login information, user IDs, like the login is hero and the password is trinity. It's from The Matrix, obviously. So of course, in real life, it doesn't have to be necessarily this easy, and nobody will store their passwords on some random page and just put it in robots.txt, but there is a robots.txt in many of the websites because they want to keep crawlers away from some pages, and you can find those pages and just look for the content. Sometimes you see robots.txt here, sometimes you don't. And in the pro version of the Burp Suite, there is a crawler or spider plugin that you can use to crawl the websites automatically. So, what we did was to click around over here to gather information or just look around, but in the pro version you can do that automatically. This is one of the main differences between the pro version and the community version as well, but again, I'm going to show you an alternative way of discovering some hidden web pages. There are a lot of tools for that inside of our Kali Linux. So, there is something called Dirb or DirBuster, for directory buster. So, I'm going to show you DirBuster, which is brought to us by OWASP. So, it's commonly used in web penetration tests. So, if you want to discover some hidden web pages, where you cannot see the link, but if you just go there, it will be there. So, how do we do it?
We just copy the website URL to DirBuster and then we just try some web pages randomly and see if they exist or not. So, I'm going to put 10.0.2.9 over here and, as you can see, the work methods are Use GET requests only or Auto Switch. Of course, we want Auto Switch so that it will be auto chosen for us, and let me just put this down so you can see it in a better way. So, there is a Number Of Threads over here, so if we just choose the Go Faster thing, it will run on 200 threads rather than 10 threads. So, if we increase the threads, it will be faster. So, threading means, like parallel programming, doing the same thing at different levels at the same time so we can get faster responses. But the more you increase the threads, the more it consumes power, like CPU power or GPU power depending on the thing that you're working on, but at this point, you don't want to go crazy on this. You may get blocked or banned from the website due to load balancing protocols. You may want to go 10 or 200 depending on the firewall of the website. We're going to see how we can actually understand if there is any firewall or if there's any protection. So, at this point I'm just going to say Go Faster and make it 200 threads. So, we want it to be fast because it would be very, very slow if we just make it 10, because we're going to test thousands or tens of thousands of different pages in here. You're going to see what I mean. So in this case, there are a couple of options here as well, like List based brute force and Pure brute force. We're going to do a List based brute force. Brute forcing means testing things until we find a working one. So, we're going to test a list of alternative websites or web pages or names to see if they exist or not.
And there are a couple of already created lists for us; we can create our own list as well, but it's not a very good thing to do, because how are you going to create thousands or tens of thousands of alternatives just to find some hidden web pages? So, let me show you something. If you open the File System, go to usr from here. So, this stands for user. So, if you find this and go to share, under usr/share you can see something called wordlists. So, let me find this. Here you go. Let's see. Wordlists folder, open this and you will see some sort of alternatives over here like dirb, dirbuster, metasploit, fasttrack.txt, rockyou.txt, nmap. So, there are a couple of wordlists. So, some of them are for password cracking or password brute forcing. We're going to see that later on in this course as well. If you just open any of these, you will see thousands of alternatives to be tested in a brute force attack. So, what we want to do is test these against our target website to see if the pages are there or not. For example, there is fasttrack.txt. It contains like 200 or 300 commonly used passwords around the globe, so that you can use it in a regular web pen test or CTF. We're going to see how to use fasttrack and rockyou.txt later on. rockyou.txt is actually much bigger. It contains maybe millions of passwords inside of it. So, even when I just double click on that, it didn't open for a while, as you can see, because it includes many of the passwords that are commonly used. If you go inside of the dirbuster folder, we can see different options here as well. You generally want to go for directory medium. So, this is pretty comprehensive and if you open it, you can see there are thousands and thousands of words over here. So, what it does is that it actually tests every one of them so that it can see if a page like that exists or not.
So, if you want to try this manually, it will take years for you to do so. But rather than that, you want to come over here and find usr, share, wordlists. And go into the dirbuster folder and find the thing that I have shown you. So, let me find this wordlist, dirbuster, and here you go, the medium one. So, the small one consists of fewer alternatives than the medium one, obviously, but we generally go for the medium to find optimal results. So, if I say Start, it will just start testing every one of them. And as you can see, even though we have chosen the current number of running threads to be 200, we still have something like three or four hours or five hours to finish this. So, it needs to be faster than this, but I don't want to increase the running threads right now. You can see the results from these tabs, by the way. You can actually follow this in real time as well. I'm not going to wait until this is finished, obviously, because I already started getting responses back and it shows me four hours or something like that. In a real web pen test, maybe you can just do this as the first thing to do and then continue your web pen testing later on. But I'm just going to stop this to show you how to deal with the responses. So, if you go to this Results tab, you can see the response and the size of that page. So, we can see the found directories and files from here, and we can see the responses on the right hand side as well. So, we have scanned the 10.0.2.9 and it added port 80 itself automatically. You don't have to do that. Of course, we could have added bWAPP at the end of this so it would be much more valid for us or related for us, but it really doesn't matter; I wanted to just show you how to discover some directories. If you filter it according to response, it would be good for you, because 200 means okay, we got a response back from the server. So, these are all the things that we got a response for.
Yet we have some other things like 500, which means that there is no response from the server or something like that. Okay, maybe the server is down. So, if you find 200s, then you can just try them and see if they exist or not. So, even if there is no link to the directory anywhere in the website, you can still see them. So, we're going to stop here and continue within the next lecture.
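The lecture notes that hammering a site with 200 threads can get you blocked; from the defender's side, that burst of guessed paths answered with 404s is exactly the signal to alert on. The following Python script is an added example, not part of the lecture or of DirBuster itself: it parses Apache/nginx combined-format access log lines and flags any client whose requests inside a time window are mostly 404s. The log lines, client IPs, paths and thresholds are constructed assumptions.

```python
# Added example (not from the lecture or DirBuster): flag clients whose request burst
# looks like a wordlist scan, using constructed Apache/nginx "combined" log lines.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return {ip, ts, path, status} for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def find_scanners(lines, window_s=60, min_requests=20, min_404_ratio=0.8):
    """Map ip -> stats for clients that sent at least min_requests within window_s seconds
    of which at least min_404_ratio were 404s (the signature of a path-guessing scan)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding window over the client's sorted timeline
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            burst = recs[start:end + 1]
            n404 = sum(r["status"] == 404 for r in burst)
            if len(burst) >= min_requests and n404 / len(burst) >= min_404_ratio:
                flagged[ip] = {"requests": len(burst), "not_found": n404,
                               "distinct_paths": len({r["path"] for r in burst})}
                break  # one hit per client is enough; stop at the first qualifying window
    return flagged

def sample_log():
    """Constructed sample: 10.0.2.15 probes 24 guessed paths in 24 s, 10.0.2.20 browses normally."""
    ts = "10/Mar/2024:12:00:{:02d} +0000"
    lines = [f'10.0.2.15 - - [{ts.format(i)}] "GET /guess{i}/ HTTP/1.1" 404 196 "-" "-"'
             for i in range(24)]
    lines.append(f'10.0.2.15 - - [{ts.format(24)}] "GET /robots.txt HTTP/1.1" 200 73 "-" "-"')
    for path, status in [("/bWAPP/login.php", 200), ("/bWAPP/portal.php", 302), ("/favicon.ico", 404)]:
        lines.append(f'10.0.2.20 - - [{ts.format(5)}] "GET {path} HTTP/1.1" {status} 512 "-" "-"')
    return lines
```

Calling `find_scanners(sample_log())` flags only 10.0.2.15; tune `window_s` and the two thresholds against your own site's normal 404 rate before alerting on it.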
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.