4/27/24, 11:26 AM (1) Class3 CIA - YouTube

Subtitles Bilingual

00:07 yesterday we were discussing about

00:09 client server

00:11 communication then HTTP versus

00:14 https what is the difference between

00:17 those

00:18 two what is the significance of

00:22 cryptography different types of

00:24 encryption ports protocols these are the

00:28 concepts which we discussed in

00:30 yesterday's

00:32 session can you guys list down the three

00:35 components of three Tire

00:37 architecture Replay in the chart

00:39 everyone or you can make use of audio as

00:42 well what are the major components in

00:45 three Tire

00:49 architecture we server application

00:52 server and database

00:54 server yeah DB

00:58 server application

01:00 DB server application server and web

https://www.youtube.com/watch?v=AcUXtMx0R3I 1/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

01:02 server okay these are the three

01:04 components three major components in

01:07 three TI architecture and the basics of

01:10 uh any kind of uh basically know

01:13 software engineering because it doesn't

01:15 matter whether you are a developer

01:16 tester or ethical hacker you should know

01:20 how this uh application architecture has

01:23 been designed right okay that's

01:27 good which one is secured

01:30 out which one is secure out of HTTP and

01:35 https

01:37 https yes

01:41 listen Okay

01:43 um what is the difference between

01:46 symmetric and asymmetric encryption

01:52 process in Sy

01:55 symmetric has one key a symmetric has

01:58 two keys

02:00 yes others respond in the

02:02 chat this is a very very important

02:05 question every interview they'll ask you

https://www.youtube.com/watch?v=AcUXtMx0R3I 2/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

02:07 this

02:08 question what are the different types of

02:11 encryptions can you explain even for

02:14 manager also they lost this question

02:17 security

02:20 manager everyone respond to this

02:23 question what are the different types of

02:27 encryption and give me some examples for

02:29 the

02:43 algorithms anyone wants to explain about

02:45 that complete end to

02:51 end Shas log out and reconnect in case

02:55 if you're not able to hear

03:12 okay so in symmetric encryption process

03:15 we use single key for encryption and

03:17 decryption whereas in asymmetric

03:19 encryption process we depend on two keys

03:23 those are public key and private key so

03:26 if you're are using if you're are using

03:28 private key for encryption we need to

03:29 decrypt with public key if we are doing

03:32 encryption with public key we need to

https://www.youtube.com/watch?v=AcUXtMx0R3I 3/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

03:34 decrypt with private key and always

03:37 ensure that private key is confidential

03:41 okay public key shared with everyone

03:44 give me some examples on symmetric

03:47 algorithms d triple D AES a 128

03:55 a256 then asymmetric encryption

03:57 algorithms RSA ecd

04:04 H what is the default port number for

04:11 https

04:14 4343

04:16 okay DEA default port number for

04:23 RDP

04:24 389 38989 okay

04:35 as let me give you a live real time

04:38 scenario there is a

04:41 system

04:44 and there is basically know you have

04:47 given one IP address something like

04:57 this this is the IP address just assume

05:00 that of a Target and you come to know

05:04 that there are two ports that are open

05:06 in this those are 80

https://www.youtube.com/watch?v=AcUXtMx0R3I 4/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

05:10 and

05:12 53 can you explain me like what what is

05:17 your approach for doing the penetration

05:21 testing anyone wants to

05:26 try I want the like basic approach how

05:30 you initiate penetration

05:35 testing you are given only with the only

05:38 the IP address that's it they didn't

05:39 give any information but after scanning

05:42 you come to know that there are it8 is

05:46 Uh yes go

05:48 ahead sir uh the port number with 8 is a

05:52 HTTP sir so that's not secure okay uh so

05:57 I will go with uh I I will Target to 80

06:00 sir port number 80 so you do Network pin

06:03 testing or web application pin

06:07 testing web application sir yes majorly

06:11 we start with website so you need to

06:14 launch this IP address in the URL and

06:17 see if you can access the website when

06:19 you find out that port number 80 is open

06:22 it means that there is a website that is

https://www.youtube.com/watch?v=AcUXtMx0R3I 5/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

06:24 running in that box or in that system

06:27 then you need to perform all the web

06:30 application related security scenarios

06:32 or security testing to find out

06:34 vulnerabilities along with that uh 53 is

06:37 for DNS some scenarios on

06:41 DNS let us start with web application

06:44 vulnerability assessment web app testing

06:48 our web application via PT pen testing

06:51 security

06:52 testing so lot many scenario lot many

06:56 names in today's session we'll talk

07:00 about how we perform pen testing on a

07:04 website okay let us take ABC bank.com

07:08 only as a security engineer as a ethical

07:11 hacker your job is to find

07:14 vulnerabilities already we discussed

07:16 about vulnerability right you need to

07:20 learn about different types of different

07:22 types of vulnerabilities and how to

07:25 exploit it what do you mean by

07:27 vulnerability

https://www.youtube.com/watch?v=AcUXtMx0R3I 6/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

07:30 weakness weakness or loopholes in the

07:32 system

07:34 weakness or

07:39 loopholes or

07:41 flaw flaw in an application or a system

07:44 or a device or whatever it is if that

07:47 system or the target has vulnerability

07:50 then it is possible for the attacker to

07:53 exploit the target so the exploitation

07:55 is all

07:58 about gaining

08:00 access or compromising the

08:05 target compromising the

08:07 target is all about exploitation

08:10 remember the terms and you guys know

08:12 what is mean by uh

08:15 attacker attacker is a one tries to

08:20 perform malicious activities to the

08:22 Target right are you guys aware of

08:26 Target what do you mean by Target

08:30 respond to the Chart

08:34 everyone in this

https://www.youtube.com/watch?v=AcUXtMx0R3I 7/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

08:36 picture what do you consider as a

08:39 Target in general Target is something

08:42 which can have some sensitive data store

08:45 or process some sensitive data right so

08:49 it can be a server or mobile or a device

08:52 or a web

08:54 application okay that is the target

08:57 target can be considered as asset

09:00 also you can you can call it like asset

09:03 as

09:07 well attackers will try to find

09:12 vulnerabilities so that they can exploit

09:15 the target

09:19 okay in general what is the meaning of

09:25 threat what is the meaning of threat

09:34 threat is an

09:35 event that would cause potential damage

09:40 to the Target okay yeah you would have

09:44 seen in movies right uh going to that

09:47 place is a threat it is a threat from

09:50 someone or threat from something right

09:53 possible threat going or living at this

https://www.youtube.com/watch?v=AcUXtMx0R3I 8/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

09:57 moment or in the late night towards the

10:00 hill so basically threat

10:02 means the event that would cause

10:05 potential damage to the

10:16 Target what do you mean by

10:19 risk risk is all about

10:21 impact business impact customer impact

10:26 that is caused because of the threat

10:29 when the threat happens then the risk

10:32 will

10:33 occur risk risk will happen because of

10:35 the vulnerabilities can anyone tell

10:40 me if there are more

10:43 vulnerabilities risk will be more or

10:49 less more number of vulnerabilities will

10:52 be proportional to the risk or not

10:58 proportionate it will be directly

11:01 proportional so if there are more

11:03 vulnerabilities it is

11:05 highly uh it is more likely that the

11:08 target is having the risk if you want to

11:11 reduce the risk to the Target we want to

https://www.youtube.com/watch?v=AcUXtMx0R3I 9/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

11:14 reduce viabilities that's it very simple

11:17 the relation between vulnerabilities and

11:20 risk ethical hackers what they try to do

11:24 is they try to find out vulnerabilities

11:29 they try to find vulnerabilities and get

11:31 it closed so that they trying to reduce

11:33 the risk to the application or the

11:35 system or the device okay fine then what

11:40 kind of vulnerabilities can exist for a

11:42 website let us consider ABC bank.com

11:46 today's session we'll see some basic

11:48 vulnerabilities for an application if

11:50 you have already attended the session

11:52 don't respond to the question if you are

11:55 not attended try to see like how you can

11:59 find vulnerabilities in an application

12:04 okay there is a website called alra

12:06 mutual.com

12:12 ALR mutual.com

12:17 and I'm giving you the valid

12:19 credentials you are one of the user and

12:22 your username is J Smith and password is

https://www.youtube.com/watch?v=AcUXtMx0R3I 10/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

12:27 demo 1 2 3 4 yes of course you can login

12:31 by using these credentials apart from

12:34 this is there any way how you can log to

12:37 the system all of you try this launch

12:40 this website give the username and

12:43 password and see if you can log to the

12:45 website and confirm in the

12:48 chat from today onwards it will be like

12:52 more like uh realtime systems so

12:55 everyone needs to login with your laptop

12:57 I'll be asking you some questions

12:59 you have to do it practically

13:03 okay launch this website login and

13:06 confirm in the

13:28 Chat E

14:25 yes of course you have to do it now L

14:28 the browser in case if you don't have

14:30 the laptop you can do it from Mobile

14:33 also launch the browser in your mobile

14:37 Chrome and then launch ALR mutual.com

14:40 login with valid credentials of jith and

14:44 demo 1 2 3

https://www.youtube.com/watch?v=AcUXtMx0R3I 11/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

14:54 4 last 2 minutes

15:20 that's

15:27 good hacking is is not so tough you need

15:31 to understand different types of

15:34 techniques to compromise okay basically

15:37 we are going to perform unauthorized

15:39 access now in this case the positive

15:43 scenario is you give the

15:46 username J

15:49 Smith yeah all of you listen maybe you

15:51 can try it later jith is the username

15:55 and the password is demo 1 2 3 4 this

15:58 the positive test case I say positive

16:01 case where you are giving the valid

16:03 credentials and able to log to the

16:05 system or log to the application am I

16:08 correct now I'm giving you five

16:12 minutes you check if you can log to ALR

16:18 mutual.com

16:19 by any other

16:21 means the target is ALR mutual.com

16:29 see if you can log to this website

https://www.youtube.com/watch?v=AcUXtMx0R3I 12/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

16:32 without giving the valid

16:35 credentials if you have any thoughts any

16:37 ideas post it in the group post it in

16:41 the chat or else I'll let you know after

16:43 4

16:44 minutes if you have already attended my

16:46 sessions don't post the answers

16:56 okay make use of mic in case if anyone

16:59 has some idea you have the username

17:03 field and you have the password

17:06 field username is

17:09 there password is

17:11 there and submit

17:14 button the question that is asked in the

17:16 interviews are there is a there is a

17:19 website with username password and

17:21 submit button can

17:23 you explain me the different

17:26 scenarios how you can test

17:29 for the

17:30 vulnerabilities okay this is a real time

17:33 question that is asked in the interviews

https://www.youtube.com/watch?v=AcUXtMx0R3I 13/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

17:35 of course very important and

17:38 interesting no need of any kind of tools

17:41 for this I saw one answer from

17:46 shivakumar it is working with admin so

17:50 what is the username and what is the

17:51 password

17:52 shivakumar uh sir admin admin itself sir

17:56 okay let us try that everyone try to do

17:58 that

17:59 and confirm me

18:01 again you log out as a J Smith and then

18:05 you username as admin and password as

18:08 admin and see if it

18:23 works it's working sir that's

18:27 good let me try it from my

18:32 end you launch ALR visual.com

18:40 click on

18:44 signning username is admin password is

18:48 admin click on

18:51 login yes we are able to gain access to

18:54 the admin

18:55 account by using the username as admin

https://www.youtube.com/watch?v=AcUXtMx0R3I 14/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

18:58 and password res yes this is a sample

19:00 banking account you can log in and you

19:03 can transfer the funds click on transfer

19:05 funds you can select any of your friends

19:08 account or

19:10 your uh the beneficiaries and you can

19:13 transfer the amount you are not the

19:16 admin but still you are able to login

19:18 and you are able to perform some

19:20 unauthorized activities so the issue

19:23 here is I'm able to guess the username

19:26 and password right so is this

19:29 vulnerability yes or no let me sign

19:33 out what is the answer is this

19:35 vulnerability yes or

19:39 no it's vulnerable yes what is the

19:41 reason sir why it is vulnerable weak

19:45 password weak username and password weak

19:48 username and password so the password is

19:51 weak that is one issue other one

19:54 is default credentials they have enabled

19:57 default credentials means

https://www.youtube.com/watch?v=AcUXtMx0R3I 15/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

19:59 admin admin admin

20:01 ABCD or like username as user password

20:04 as password so all these are called

20:07 default credentials when you search in

20:09 Google you get around thousands of

20:11 default credentials so the first check

20:14 for the login you have to perform

20:17 is default credentials you can get this

20:19 list in the Google GitHub you can

20:22 search and you can get the list

20:25 thousands of credentials will come you

20:27 cannot try one after another manually

20:30 there are some tools like bsit that

20:32 we'll discuss in further sessions so we

20:35 got one vulnerability here default

20:38 credentials admin SL admin is working we

20:41 need to report this vulnerability to the

20:43 developers they try to fix it okay and

20:46 what do you recommend the recommendation

20:48 is don't enable admin user or don't en

20:53 enable default credentials that is one

20:56 thing and Implement strong password

https://www.youtube.com/watch?v=AcUXtMx0R3I 16/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

20:59 that is one more

21:01 recommendation now any other scenarios

21:03 you try and then figure out the

21:07 vulnerabilities give me some more

21:09 vulnerabilities in this login

21:11 implementation as I said username is

21:14 jith and password is demo 1 2 3 4

21:17 considering that you can come up with

21:18 some more scenarios either you list the

21:21 scenarios or tell the vulnerability and

21:25 there are 3

21:27 E minutes

21:59 by same scenarios like valid

22:02 username and password

22:05 as blank we don't know it may work uh

22:10 and some more scenarios like valid

22:13 username of course we have to log out

22:15 and then

22:18 retry we need to log in J Smith and try

22:24 with some special characters like all

22:26 stars

22:34 I see some scenarios from tra URL is not

https://www.youtube.com/watch?v=AcUXtMx0R3I 17/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

22:38 secured it is HTP yes that is a

22:40 vulnerability that is like if you are

22:43 out of if you are not concentrating on

22:45 only username and

22:48 password that is one more vulnerability

22:51 the

22:52 application is supporting http

22:58 HTP one more

23:07 vulnerability is it clear because I'm

23:09 trying to list down these scenarios on

23:11 one corner are you guys able to see it

23:15 properly or you want me to take a new M

23:19 to see clear right okay

23:30 and you can try some more scenarios

23:34 like if I give like

23:38 this J

23:40 Smith

23:48 slash 1 2 3

23:50 4 it should work or it should not work

23:53 you guys WR it out

23:59 these kind of scenarios you need to come

24:00 up whenever you try some uh login

https://www.youtube.com/watch?v=AcUXtMx0R3I 18/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

24:04 scenarios of course as a hacker you have

24:07 to try then only you'll be able to

24:08 figure

24:10 out the way how you can

24:15 bypass good sir so it is

24:18 working fine and that scenario I'm I'm

24:22 sure like by now you would have got one

24:24 more scenario in your mind what is

24:26 that J Smith and

24:31 What scenario I can try based on the

24:32 number

24:35 five password yeah yeah password in

24:39 upper case right try these two scenarios

24:43 and see if you can find some

24:45 vulnerability you have to tell me the

24:46 vulnerability after checking with these

24:49 scenarios 5 and

24:55 six try first remember log out after

24:59 every scenario if required you can close

25:01 the browser and relaunch

25:12 it that is also working so the scenario

25:16 five Capt username in uppercase and uh

https://www.youtube.com/watch?v=AcUXtMx0R3I 19/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

25:21 password as it is the login is

25:24 successful uh the scenario six username

25:27 is in low lower case and password is in

25:29 upper case there also I see like login

25:33 is working so considering that which one

25:36 is vulnerable number five or number

25:39 six both

25:43 both try to log in your Gmail if you if

25:47 you're giving all in upper case assume

25:50 like you Gmail is hacker book Bangalore

25:54 at gmail.com first you try with lower

25:57 case again you try with upper case

26:00 whether they allow or

26:02 not you can compare some of the

26:04 scenarios with the very secured

26:06 applications like Gmail Facebook Okay

26:10 most of the cases 95% of the cases

26:14 username can be say case username can

26:17 be like uh without case sensitivity in

26:20 the sense username can be in upper case

26:23 or lower case it doesn't matter but when

26:26 it comes to the password if you replace

https://www.youtube.com/watch?v=AcUXtMx0R3I 20/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

26:29 one character with the other case say

26:32 for example in instead of demo 1 2 3 4

26:35 in lower case if you're trying to give

26:38 upper case it should not allow you to

26:41 login it should be treating those two as

26:43 different passwords here it is allowing

26:47 right so I feel like number six is a

26:51 vulnerability okay number five it all

26:54 depends on the application but most of

26:56 the cases we do allow if the username is

26:59 uppercase try with face try with your

27:01 Gmail in case if you want to check

27:06 okay we got three

27:09 vulnerabilities any other scenarios

27:11 interesting scenarios think of some

27:13 applications like uh Gmail

27:16 Snapdeal flip cart Amazon and then come

27:20 up with some scenarios with respect to

27:22 the username password and submit

27:37 last 2

27:42 minutes you're giving the username as J

27:46 Smith okay take another two minutes and

https://www.youtube.com/watch?v=AcUXtMx0R3I 21/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

27:49 then tell me in case if you get any

27:52 other scenarios apart from this

28:01 yes for Gmail username is not case

28:03 sensitive most of the applications

28:05 username is not Kens to but password is

28:09 K sense2

28:11 100% for the question you need to list

28:14 down all these scenarios in the

28:16 interview very very important question

28:19 more oftenly asked how do you test the

28:21 login page when you are provided with a

28:23 username password and submit button

28:32 okay I'll tell you the scenario J Smith

28:36 and I'm giving some password which is

28:39 invalid

28:41 password you get a message saying

28:46 like invalid

28:50 password the password you provided is

28:52 invalid you got this

28:54 message so considering that is there any

28:57 one in the scenario 7 yes or

29:03 no what is the vulnerability in the

https://www.youtube.com/watch?v=AcUXtMx0R3I 22/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

29:05 scenario

29:06 7 repl the chart hacker might come to

29:11 know that

29:13 password username is correct yes so this

29:16 is called user enumeration remember the

29:18 term enumeration enumeration is all

29:21 about trying to get more details okay so

29:24 if you are getting a message like this

29:27 then you are giving

29:28 hint to the attacker saying like you are

29:31 able to get the username but the

29:33 password is invalid so the the message

29:35 should be

29:38 like either invalid username or

29:41 password makes

29:43 sense yeah yes the same thing even when

29:48 you try to give invalid username it

29:49 should not say like invalid username it

29:52 should say invalid username or password

29:56 okay and the last SC scario very

29:58 interesting scenario these are the basic

30:01 scenarios anyone

https://www.youtube.com/watch?v=AcUXtMx0R3I 23/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

30:02 can uh try even the normal user but as a

30:05 security engineer you need to try with

30:08 some other input so these are called

30:11 whenever you try any kind of security

30:14 scenarios the input whatever you submit

30:17 that is called payload remember the name

30:22 payload so payload means some piece of

30:26 code that can be used for compromising

30:30 the target okay remember either it can

30:34 be for bypassing the login or deleting

30:36 the user or gaining access to the Target

30:40 there will be some small piece of code

30:43 that piece of code or piece of

30:47 software is

30:49 called payload so in these scenarios the

30:53 payload whatever we have used is

30:55 username and password are the payloads

30:58 now I'm going to try with one more

31:01 payload that is

31:03 called you guys try and let me know the

31:06 username what you have to do is one

31:08 single code one of 1 is equal to 1 give

https://www.youtube.com/watch?v=AcUXtMx0R3I 24/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

31:14 this

31:15 username this input you give it as a

31:17 username and password in the ALR

31:20 mutual.com and check whether the login

31:24 succeeds or not right now

31:56 you need to give the correct

31:59 payload Leti try this I'm sending you

32:02 the

32:05 payload one

32:07 or 1 is = to 1 yeah try

32:13 now I have tested the payload everyone

32:18 try and confirm in the

32:20 chat how many of of you are able to log

32:23 in

32:46 same

32:47 password password is also same same

32:50 payload you give one or 1 is equal to

32:53 one in the username field and password

32:56 field click on submit

32:58 then see whether the login succeeds or

33:00 not

33:32 it should succeed in if if it is not

https://www.youtube.com/watch?v=AcUXtMx0R3I 25/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

33:35 succeeding then it means that the

33:37 payload has gone wrong let me try it

33:50 once if you want to see the credentials

33:52 what you are sending you can always

33:55 inspect right click on the web page

34:07 inspect there is a network

34:10 tab select the network tab okay so if

34:15 you want to see the requests that are

34:17 getting exchanged between client and

34:18 server you can always inspect the web

34:21 page and click on network tab now click

34:24 on sign in

34:28 give the username and password I'm

34:30 saying username is same password is also

34:33 same click on

34:40 login I'm able to get admin access again

34:44 so by giving the

34:45 credentials as one or 1 is equal to 1

34:49 I'm able to log to the

34:52 application so you can see the user ID

34:55 password and submit these are the values

34:58 which I have provided try everyone you

https://www.youtube.com/watch?v=AcUXtMx0R3I 26/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

35:02 guys should be able to log

35:09 in payload is a

35:12 terminology in the cyber

35:17 security of course this is a scenario

35:19 within the scenario the input whatever

35:21 you are giving is considered as a

35:23 payload

35:30 very important payload this is for

35:32 bypassing the login can I say like I'm

35:35 able to bypass the login mechanism

35:37 without knowing the user and password

35:40 there is no user as one or 1 is equal to

35:42 one in the database but still I'm making

35:45 use of this input and loging to the

35:50 Target okay let me log it out log

35:54 out who wants to explain like why we are

35:56 able to log in when you you one or 1 is

35:59 equal to one in the username or password

36:02 anyone I want the technical explanation

36:05 for this is there anyone who has worked

36:08 in the

36:10 database database servers or database

https://www.youtube.com/watch?v=AcUXtMx0R3I 27/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

36:13 tester database

36:15 developer no one or are new to

36:19 database or can you guys can guess why

36:22 the login is working when you provide 1

36:25 or 1 is equal to 1 in the username and

36:30 password uh is it uh pointing to some

36:34 username and password like in the

36:36 database good try uh but uh there is no

36:40 user as

36:42 such obviously the way how the approach

36:45 is good basically you are trying to

36:47 check validate the users in the database

36:50 yes that's good but that this is not the

36:53 root cause for this

36:55 issue anyone else

36:59 this condition will never

37:01 satisfy yeah that's good very close to

37:04 the answer you're saying like condition

37:07 is what is the

37:09 answer condition is this condition will

37:12 never satisfy no it is way the condition

37:15 always satisfies let me give you the

https://www.youtube.com/watch?v=AcUXtMx0R3I 28/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

37:18 technical explanation we are going to

37:20 this vulnerability is called SQL

37:22 injection remember the name SQL

37:24 injection variability we are going to

37:27 practice this SQL injection

37:29 vulnerability by manual process and by

37:32 using tools for 3 to four days well to

37:35 learn this vulnerability it will take 3

37:37 to four days for now I'll give you just

37:40 a high level explanation for this

37:42 scenario okay pay

37:45 attention in your

37:47 graduation you would have learned about

37:51 Boolean Expressions

37:53 right

37:55 select start from users

38:02 where user ID is equal

38:05 to some other rate of

38:10 name

38:13 and password is equal

38:17 to at the rate of password so whatever

38:21 the value you are trying to

https://www.youtube.com/watch?v=AcUXtMx0R3I 29/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

38:24 give in the password field is coming and

38:27 sitting at the location of

38:30 atate right at the

38:34 placeholder the password goes to that

38:36 place and the name comes to this

38:40 location this is how the query is

38:43 constructed but instead of giving

38:45 username and password what you are

38:47 trying to do is you are trying to give

38:50 one or 1 is equal to one so when this

38:53 combination is not matching then you'll

38:56 get invalid input but when the

38:58 combination matches it allows you to the

39:00 login here instead of giving the

39:03 password I

39:06 give one or 1 is equal to 1 is a syntax

39:10 matching here one enclosed in single

39:13 quote one enclosed in single code and

39:16 this one also enclosed in single code

39:18 the same thing for username as

39:21 well one or 1 is equal to 1 don't worry

39:26 in case you find it difficulty because

https://www.youtube.com/watch?v=AcUXtMx0R3I 30/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

39:29 we are going to learn the SQL injection

39:31 vulnerability for 3 to 5 days for now

39:34 just I'm giving a high level explanation

39:37 about this database query and syntax so

39:41 whenever you get this syntax is 1 is

39:43 equal to 1 true or false you should have

39:47 heard about the bullan Expressions long

39:49 time back in your schooling or

39:52 graduation what is the answer 1 is equal

39:54 to one is true or false

39:59 I'll give you I'll say like I have to

40:01 give you 100 rupees and I give give you

40:03 100 bucks $100 or 100 rupees then it is

40:09 a match right 100 is equal to 100 I have

40:12 borrowed 1,000 rupes and when I'm giving

40:14 you only

40:16 500 500 is equal to th000 is it true or

40:19 false obviously it is false it is not

40:23 equal 1,000 is equal to th000 is a true

40:26 condition equal to 100 is a true

40:28 condition 1 is equal to 1 is the true

40:31 condition so I can replace 1 isal to 1

https://www.youtube.com/watch?v=AcUXtMx0R3I 31/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

40:35 with

40:36 true how does the bullan r Works

40:40 anyone how does the bullan r

40:43 Works uh or means any conditions will so

40:47 at least at

40:48 least one operant or one value should be

40:52 true to get the result as true that is

40:55 how R works at least minimum one should

40:57 be true so it doesn't matter the left

41:00 hand side of R is true or false you'll

41:04 get the result as for this combination

41:06 password is equal to something this

41:08 combination is always true same thing

41:11 again user ID combination is always true

41:14 true and condition with

41:15 true the way how and works is both

41:19 should be true then output is true so

41:22 the condition where condition whatever

41:24 you have put it has been neutralized

41:27 and we are removing the condition by

41:29 giving 1 or 1 is equal to 1 and finally

41:33 your application will give you access to

https://www.youtube.com/watch?v=AcUXtMx0R3I 32/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

41:36 the first record in the database that's

41:38 how we are able to log

41:40 in okay for now just remember this or if

41:44 you're not able to understand don't

41:46 worry just remember the payload one or

41:48 one is equal to one is a payload we have

41:51 used and we are able to bypass the login

41:53 and gain access so this is one more

41:56 vulnerability

42:00 and few more are there that we'll

42:02 discuss in some other scenarios and

42:05 these are the very important scenarios

42:07 to try for the

42:09 login today's session we talked about

42:12 very important scenario that is one or 1

42:14 is equal to

42:15 1 this is how the how you need to test

42:18 the login

42:20 page and I want to explain one more

42:24 topic there is a website

42:28 we'll come back to this one or one is

42:30 equal to one letter here is the website

https://www.youtube.com/watch?v=AcUXtMx0R3I 33/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

42:32 ABC bank.com attacker u4 attacker is

42:37 there and this guy is able to log in

42:39 unauthorized access to the application

42:41 that is a vulnerability yes

42:43 obviously say in other

42:47 case he's not able to log to the

42:50 website but he's able

42:54 to delete the user in the application or

42:58 delete the beneficiary in the website

43:01 without log to the application by

43:03 running some script or okay let me give

43:07 you some other scenario here is the

43:09 database what is the purpose of the

43:13 database the purpose of the database is

43:16 to store the data right

43:19 yeah if the hacker u4 is able to read

43:23 the data from the database unauthorized

43:26 reading unauthorized

43:28 access is this vulnerability yes or no

43:32 first

43:33 case he's able to read the

43:35 data so this is a vulnerability and we

https://www.youtube.com/watch?v=AcUXtMx0R3I 34/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

43:39 say

43:41 like confidentiality is

43:47 compromised remember this names very

43:49 very

43:51 important confidentiality got

43:53 compromised if he's able to read the

43:56 data sensitive data without permission

43:58 unauthorized access we say Okay second

44:02 case I cannot read the data but by using

44:05 some script I am successful in

44:08 modification or deletion of the

44:12 data modification or deletion of the

44:16 data so you can consider some scenario

44:19 like uh Google comments are there Google

44:23 RS are there right everyone knows how

44:25 the Google RS work yes or

44:30 we have around 300 views in hacker book

44:33 I able to see two or three negative

44:36 reviews some or other way I have to

44:38 delete that data from the Google okay I

44:42 don't have

44:43 permissions they don't give permissions

https://www.youtube.com/watch?v=AcUXtMx0R3I 35/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

44:45 for deleting the negative comments or

44:47 negative reviews or any other reviews

44:49 you can delete your own review but you

44:51 cannot delete other reviews if the

44:53 attacker is able to modify or delete the

44:55 review or I can say like from database

45:00 if the attacker is able to delete or

45:01 modify some

45:03 data the first question is is this

45:06 vulnerable yes or

45:10 no reply in the chat

45:20 everyone yes first case is vulnerability

45:24 where the attacker is able to read

45:27 sensitive data the second case is also

45:30 vulnerability where the attacker is able

45:32 to modify or delete some data so in the

45:35 second case if the attacker is able to

45:38 modify or delete then we call it

45:41 like Integrity is

45:45 compromised Integrity okay

45:57 the third case I'm not able to delete or

46:02 I'm not able to modify but I'm running

https://www.youtube.com/watch?v=AcUXtMx0R3I 36/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

46:05 some script and I'm able to see that

46:10 website is down down in the sense not

46:14 accessible website or website services

46:17 are not

46:23 accessible is this vulnerability yes or

46:25 no

46:28 I'm the owner for SNAP deal e-commerce

46:32 application I'm the owner and there is

46:35 one more website Amazon some or other

46:38 way I'm able to bring down

46:40 amazon.com just before 3 days of the

46:43 festival Festival season will it be a

46:46 drawback for Amazon yes or

46:51 no yes of course can anyone tell me by

46:55 using mic what it is a drawback for

46:57 Amazon remember the scenario I am the

47:00 owner for SNAP deal e-commerce

47:04 application okay and there is one more

47:06 application called Amazon I am the owner

47:10 but some or other way I have used some

47:12 script and brought down amazon.com for

47:15 the entire 3 days before the festive

https://www.youtube.com/watch?v=AcUXtMx0R3I 37/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

47:18 season what is the dback for the

47:21 Amazon the

47:24 business come again business la

47:28 business L the reason is before the

47:31 festive season lot of the customers will

47:33 place the orders in case if the in the

47:36 peak time if the application is down it

47:39 is going to affect lot of business and

47:42 will there be any advantage for SNAP

47:44 deal slight Advantage will be there

47:46 because whoever wants to purchase some

47:49 products they try to choose the

47:51 alternative like that they also will get

47:53 some market

47:55 share so the the third case I'm not

47:58 trying to read some sensitive data I'm

47:59 not able to delete some sensitive data

48:02 but still I'm able to bring down the

48:05 services right so this case availability

48:09 got

48:11 affected and the attack which you

48:13 perform to bring to affect the

https://www.youtube.com/watch?v=AcUXtMx0R3I 38/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

48:15 availability is called dos attack

48:18 remember denial of

48:19 service so these are the the three

48:23 principles of information security c i

48:27 yeah confidentiality integrity and

48:29 availability these are called the three

48:32 principles of information security CIA

48:35 tried CIA Triad and commonly asked

48:38 question is can you explain about CIA

48:41 tried or what are the principles of

48:44 information security and give the

48:45 explanation for it the other question is

48:49 can you give me live example realtime

48:52 example where confidentiality is

48:56 compromised in Integrity is compromised

48:57 availability is compromised okay the

49:00 three principles of information security

49:02 is it clear everyone

49:04 CIA how do you say confidentiality is

49:07 compromised Integrity is compromised

49:09 availability is compromised respond in

49:11 the chat

https://www.youtube.com/watch?v=AcUXtMx0R3I 39/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

49:30 I'll give you some live examples you

49:33 have to tell me which of the principles

49:35 got compromised in that realtime

49:38 security breaches that has happened in

49:40 the past clear so if you are saying yes

49:44 it means that you can answer the simple

49:46 questions I will'll discuss about the

49:49 Live security breaches or live hacks

49:51 that were happened in the past and you

49:54 need to figure out which principle got

49:56 compromised

50:05 okay or even we can talk about these

50:08 scenarios

50:11 scenario 7 number seven is it right you

50:15 provide invalid password and it says

50:18 assuming like it says invalid password

50:21 what is the security principle it is

50:23 compromising here

50:26 this scenario I'm trying to provide

50:29 valid username and invalid password and

50:32 you got the message as invalid

50:38 password out of C compromised

https://www.youtube.com/watch?v=AcUXtMx0R3I 40/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

50:40 confidentiality or Integrity or

50:42 availability

50:45 confidentiality everyone respond in the

50:48 chat

50:50 confidentiality what is that we are able

50:52 to gain or read by doing that scenario

50:57 we are able to guess the username right

51:00 in the database means you are able to

51:02 read some sensitive data so

51:04 confidentiality got compromised that is

51:06 a correct

51:08 answer next one 1 or 1 is equal to 1 I'm

51:11 able to log in to the admin account very

51:14 interesting one let me see how many can

51:16 answer it correctly think and let me

51:18 know take two minutes of time and see

51:21 like

51:22 whether confidentiality can be

51:24 compromised or Integrity can be

51:25 compromised or availability or

51:28 combination of those

51:30 three for the eighth one 1 or 1 is equal

https://www.youtube.com/watch?v=AcUXtMx0R3I 41/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

51:33 to 1 what is the

51:36 answer confidentiality sir

51:40 okay and the two minutes think of it so

51:44 after you log in see whether you can

51:46 read some sensitive data or you can

51:48 delete some sensitive data or you can

51:50 bring down the website or bring down the

51:52 account considering that

51:56 what is confidentiality and integrity

51:59 confidentiality and integrity

52:03 okay let us the last one minute I'll

52:05 give you the explanation for it

52:43 one or 1 is equal to one this is not the

52:45 user right but still we are able to gain

52:48 admin access after you gain admin access

52:51 I mean to say like after you gained

52:53 access to the account you are able to

52:54 login

52:56 are you able to read sensitive data

52:58 first of all if you are able to login it

53:00 means that you can do anything you can

53:02 see the users you can see the account

https://www.youtube.com/watch?v=AcUXtMx0R3I 42/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

53:04 balance you can see the transactions and

53:07 you can change the password as well

53:09 right so confidentiality got compromised

53:14 that is the first one

53:17 Integrity are you able to modify some

53:19 data in the

53:20 database it is possible for you to

53:22 delete the account not the account

53:25 delete that

53:27 beneficiaries you can update the

53:28 username you can update the password you

53:30 can update the phone number email

53:33 ID

53:35 or you can transfer the funds when you

53:39 transfer the funds from your account to

53:41 some other account by using the admin

53:45 access it means that the data is getting

53:48 changed right Integrity got

53:51 compromised the last

53:54 one first of all when I tried one or 1

53:57 is equal to one I am not the admin user

54:00 remember I'm not the actual admin user I

https://www.youtube.com/watch?v=AcUXtMx0R3I 43/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

54:04 am trying to imitate the admin which

54:06 means the application accepted me as an

54:09 admin I am the hacker actually right I'm

54:13 able to log in after I log

54:16 in I changed the password for that

54:21 account I change the password for the

54:23 admin account and even I have Chang

54:26 changed the phone

54:28 number then is it possible for the real

54:30 admin to login yes or no real

54:33 administrator if you use the real

54:36 password like admin SL Harry at theate 1

54:40 234 it is not possible for him to login

54:44 so are we affecting the availability the

54:46 to the genuine

54:48 user right we are trying to affect the

54:51 service to the genuine user because we

54:54 have I have changed the password

54:57 As a

54:58 hacker uh so the availability got

55:02 affected availability states that the

55:04 application or the system should be

https://www.youtube.com/watch?v=AcUXtMx0R3I 44/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

55:06 accessible to the legitimate users all

55:09 the time legitimate users genine users

55:12 all the time so the it clearly says that

55:16 application is accessible to the real

55:18 users should not be accessible to the

55:21 hackers or of course it is always

55:24 accessible to the genine users any

55:28 unauthorized uh I mean to say like dos

55:31 attack should not happen that's what

55:33 availability is okay fine this is with

55:37 respect to the login page let us

55:39 consider some more live

55:45 scenarios I'm sure like everyone knows

55:48 Piza Hut dominoes what are

55:54 these piz h

56:02 Domino's have you used F demos yes or no

56:07 food delivery so e-commerce based online

56:10 food delivery applications can I say

56:13 that e-commerce applications but those

56:15 are mainly meant for food delivery to

56:18 your doorstep there is no need for you

56:20 to go

https://www.youtube.com/watch?v=AcUXtMx0R3I 45/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

56:22 and sit at restaurant and have it you

56:26 can order the food from your home and

56:31 automatically the food will be delivered

56:33 to your doorstep so similar to that

56:36 there is a baking system called Panera

56:40 Bread Panera Bread is a online food

56:43 delivery app in US does anyone are aware

56:45 of that yes or no who is aware of

56:50 this pan

56:52 bread yes Kina I guess you are from us

56:57 so you're very familiar with paner yeah

57:00 it is a similar

57:01 app the attacker what he did is every

57:06 app or every website will have the URL

57:08 right in the

57:10 URL the attacker kept some simple script

57:14 and that script when you run in that

57:18 website it will list the complete the

57:22 customer details whatever are the

57:24 customers that are there in the database

57:26 you can see in this picture their credit

57:28 card number name phone

https://www.youtube.com/watch?v=AcUXtMx0R3I 46/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

57:31 number and mail ID all those details

57:36 will be displayed over the web page what

57:38 he's trying to do is after this https

57:41 delivery. pen.com he's trying to put

57:44 some simple script like slash it doesn't

57:47 matter what script the attacker has used

57:50 he's able to read sensitive data and

57:53 he's able to list these details credit

57:56 card details debit card details first

57:58 name last name phone number email this

58:00 is the security breach that has happened

58:02 in the past for this application you can

58:06 see there Le panar bread leaks millions

58:09 of customer records right now tell

58:13 me what is the security principle that

58:15 got compromised in case of P bled what

58:18 is the answer think and let me know the

58:22 integrity and confidentiality

58:27 if I ask you to select only one which

58:29 one do you

58:32 select

58:33 confidentiality okay if I ask you to

https://www.youtube.com/watch?v=AcUXtMx0R3I 47/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

58:35 select only one you will select

58:38 confidentiality okay okay in

58:42 general if I ask you like you can select

58:45 one or

58:47 more what is your

58:49 answer first

58:52 thing okay go ahead

58:58 since website is

59:00 available avability okay let me ask you

59:02 the final final question is the is

59:06 availability compromised in this case P

59:08 yes or no no yes availability

59:12 compromised yes or no see avability not

59:18 compromised attacker is running the

59:20 script but if you launch pan bre.com you

59:23 are able to access as a normal user even

59:26 delivery. pan.com is also be accessible

59:30 only when you script it is revealing the

59:34 sensitive details so the other customers

59:36 are able to place the orders and able to

59:38 log to the application everything is

59:40 working fine for the other customers so

https://www.youtube.com/watch?v=AcUXtMx0R3I 48/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

59:43 availability is not compromised okay

59:46 then is the attacker able to read

59:48 sensitive data yes or no yes yes so

59:53 confidentiality got compromised is the

59:55 attacker able to modify some sensitive

59:57 data in the

59:59 database no no no so Integrity

1:00:03 compromised or

1:00:04 not not compromised not compromised yes

1:00:07 so the correct answer is confidentiality

1:00:10 compromised no Integrity no availability

1:00:13 okay that's

1:00:15 good I'll give you one more example last

1:00:18 example on

1:00:20 this this is a 100% question that is

1:00:23 asked in all the interviews from

1:00:25 freshers to

1:00:26 10 plus years of experience can you

1:00:29 explain about CIA give me some live

1:00:31 example you can consider these live

1:00:33 examples itself to explain about

1:00:36 confidentiality integrity and

https://www.youtube.com/watch?v=AcUXtMx0R3I 49/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

1:00:38 availability I see a question why was

1:00:41 availability not compromised so why

1:00:45 availability not compromised means

1:00:47 pan.com has lot of

1:00:50 users they're able to access the

1:00:52 application still though the attacker

1:00:54 ran the script it is listing some

1:00:57 details but it doesn't mean like the

1:00:58 website is down website is still

1:01:00 accessible so availability is not

1:01:03 compromised right

1:01:07 yeah only under the condition when you

1:01:09 run the script it is displaying the

1:01:11 sensitive details other users they can

1:01:14 login they can place the ERS and as

1:01:16 usual the web services the website is

1:01:19 accessible and the services are

1:01:21 accessible to the genuine users real

1:01:25 users leg

1:01:29 users have you guys uh seen any kind of

1:01:32 POS

1:01:35 systems POS systems yes where do where

https://www.youtube.com/watch?v=AcUXtMx0R3I 50/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

1:01:40 did you see that pipe

1:01:44 machine yes POS systems or POS

1:01:52 devices P transfer point of sell I'm

1:01:55 sure everyone would have seen

1:01:58 this have you guys seen or

1:02:03 not

1:02:07 yes whenever you get into any store

1:02:11 there will be a device that is used for

1:02:14 transactions for your debit card and

1:02:16 credit card okay that will be integrated

1:02:19 to the monitor or POS devices you type

1:02:23 most of the fuel stations

1:02:26 you can see these devices right so these

1:02:30 are called POS devices or POS systems

1:02:33 point of cell which is used for doing

1:02:35 the

1:02:37 transactions is uh is it processing some

1:02:40 sensitive data yes or

1:02:43 no yes yes sir it process it it will

1:02:47 have some personal data it can process

1:02:50 some financial data like credit card

1:02:52 number debit card number pin number and

https://www.youtube.com/watch?v=AcUXtMx0R3I 51/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

1:02:54 everything so so the connection will be

1:03:01 like you have this device and that

1:03:04 device is integrated to your system and

1:03:08 your system is connected to the Su

1:03:11 Network okay attacker what he did is

1:03:16 he's trying to spy everyone knows right

1:03:18 spying James

1:03:20 Bond okay they get into some other enemy

1:03:23 group and he collects some data and send

1:03:27 it to the some other group spying that

1:03:32 is called spying right the same thing

1:03:34 here the attacker is able to configure

1:03:37 some spying software in this network uh

1:03:40 so that will try to collect all the

1:03:43 transactions that are happening through

1:03:44 this POS and send it to the attacker

1:03:47 system you guys are able to get it right

1:03:49 what exactly I'm trying to tell

1:03:52 basically know all the transactions are

1:03:54 read and send to the attacker system

1:03:57 attacker is sitting somewhere in us and

1:04:01 this store is there somewhere in Europe

https://www.youtube.com/watch?v=AcUXtMx0R3I 52/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

1:04:04 some or other way all the data is coming

1:04:06 to the attacker system

1:04:09 okay now tell me what are the principles

1:04:13 that got compromis this happened for

1:04:19 Target Target is a

1:04:21 company uh store in us so the attacker

1:04:25 is able to B to compromise their POS

1:04:27 system and able to read all the

1:04:30 transactions so able to do this activity

1:04:34 considering that what are the principles

1:04:36 that got

1:04:39 compromised confidentiality first

1:04:42 case confidentiality is compromised

1:04:44 because he's able to read all this

1:04:47 credit card debit cards everything

1:04:49 second

1:04:50 case he cannot modify the database of

1:04:56 Target but by using those credit cards

1:04:59 or debit cards he can modify the user

1:05:01 details so in case if you are saying yes

1:05:04 for integrity that is the justification

1:05:07 you have to put right it is not it will

https://www.youtube.com/watch?v=AcUXtMx0R3I 53/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

1:05:09 not affect Target related database but

1:05:12 it is it may affect credit card and

1:05:15 debit card users that is the Integrity

1:05:19 availability also like depending on your

1:05:21 answer you have to

1:05:23 justify the last one for this

1:05:28 everyone knows skimming skimming means

1:05:30 spying basically there is a similar

1:05:33 concept for ATM scheming it has happened

1:05:35 around 7 eight years back attackers are

1:05:39 able to read credit card and debit card

1:05:42 details okay from the ATM systems how do

1:05:46 they read it it is very clear in this

1:05:49 picture they try

1:05:52 to uh fix one optic Optical device to

1:05:57 the to the original one which looks

1:05:59 similar to the original one and this

1:06:02 Optical device will try to read debit

1:06:05 card and credit card

1:06:06 details okay so with that they're able

1:06:09 to get what are the details that will be

1:06:12 there on the credit card or the debit

https://www.youtube.com/watch?v=AcUXtMx0R3I 54/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

1:06:14 card number

1:06:22 then what are different details will be

1:06:25 there credit card number debit card

1:06:27 number CVB CVB yes that's good name name

1:06:32 and CV name and very important one more

1:06:36 attribute what is

1:06:40 that expir or validity right you should

1:06:45 have that in case if you want to perform

1:06:47 some online transactions so all these

1:06:49 details are

1:06:51 getting to this device so the attacker

1:06:54 you can fix this device in the morning

1:06:56 5:00 a.m. and he can collect this device

1:06:57 in the night when there are no one at

1:07:01 the uh ATM premises okay like this

1:07:06 attacker is able to get all these

1:07:08 details how about the pin pin is also

1:07:10 required right to to do some

1:07:13 transactions in case if the attacker

1:07:16 wants to clone the card he requests pin

1:07:20 how can you get the pin number

1:07:24 anyone what are the other ideas keyboard

https://www.youtube.com/watch?v=AcUXtMx0R3I 55/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

1:07:28 I mean

1:07:29 keypad so from keypad how can you

1:07:32 get the PIN

1:07:36 numbers that is a

1:07:38 question any

1:07:41 thoughts um using the card details can

1:07:44 we change the pin by using card

1:07:47 details change the pin that is one

1:07:51 possibility that is good and I'm looking

1:07:53 for one more easiest possibility

1:07:57 see how we can get that answer is there

1:08:00 in the

1:08:01 screen is there any camera or something

1:08:04 use camera is manipulating the

1:08:08 key replacing earlier we have used

1:08:11 Optical device and able to read the

1:08:13 sensitive data and this time I'm going

1:08:16 to fix one more

1:08:18 keypad uh which has some chip so it will

1:08:21 try to read the key

1:08:23 strokes that will exactly fixed to the

1:08:25 keyboard that's how we are able to get

https://www.youtube.com/watch?v=AcUXtMx0R3I 56/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

1:08:27 the pin number okay this is some these

1:08:30 are some of the incidents that has

1:08:32 happened around 7 eight years back in

1:08:35 most of the ATMs now this case doesn't

1:08:37 happen they know how to fix this cameras

1:08:39 are there security guard are there and

1:08:43 they try to capture the person who is

1:08:45 trying to do all the activities and they

1:08:48 they also ensure that they cannot fix

1:08:50 any kind of these kind of devices right

1:08:54 okay

1:08:56 out of C which one got compromised

1:09:00 here

1:09:03 s confidentiality yeah confidentiality

1:09:06 got compromised because attacker is able

1:09:09 to get sensitive data Integrity he's not

1:09:12 able to modify anything directly but

1:09:14 indirectly in case if he clones the card

1:09:17 details there is a possibility for the

1:09:19 Integrity availability again same thing

1:09:22 if he clones the card then there are

1:09:24 chances for the availability

https://www.youtube.com/watch?v=AcUXtMx0R3I 57/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

1:09:27 okay yes that's

1:09:34 good today's session we learned about

1:09:37 how to test login page

1:09:40 and how what are the principles of

1:09:43 information security some live examples

1:09:46 these are the topics we

1:09:48 discussed let me

1:09:54 okay any questions on the topics which

1:09:56 we discussed today are we good for today

1:10:00 okay guys thank you so much are you able

1:10:03 to hello hello yes

1:10:08 C unless you want to do it

1:10:11 tomorrow yeah qu will be tomorrow the

1:10:14 vulnerab session will be tomorrow all

1:10:16 right I'll go ahead and res my question

1:10:18 yes yes we are good for today okay what

1:10:22 okay go through the topics how you

1:10:27 yes go

1:10:28 ahead okay okay that's fine how the SQL

1:10:32 injection is is that how you pronounce

1:10:34 it SQL injection yeah that is uh number

1:10:38 one

https://www.youtube.com/watch?v=AcUXtMx0R3I 58/59
4/27/24, 11:26 AM (1) Class3 CIA - YouTube

1:10:39 vulnerability across the globe okay and

1:10:41 we are going to learn that for three to

1:10:43 four days because you have to learn

1:10:45 about SQL queries to understand these

1:10:47 Concepts I have given you very basic

1:10:50 concept but you need to the queries SQL

1:10:53 queries I'm going to cover for one day

1:10:55 on the next day I'll teach you different

1:10:57 SQL injection attacks by manual process

1:11:01 and by tools so 3 to 4 days of time four

1:11:04 sessions will be on SQL injection you

1:11:07 can go through my course content from

1:11:09 the website there also I would have

1:11:11 listed different types of SQL injection

1:11:17 vulnerabilities fine guys see you

1:11:20 tomorrow uh prepare these topics thank

1:11:22 you for the quiz tomorrow okay thank you

1:11:25 so much

1:11:26 okay thank

1:11:27 you sure

https://www.youtube.com/watch?v=AcUXtMx0R3I 59/59