Mohammad Abu Qadourah, Waad Alatiyat, Break It Like a Tester: QA tactics and real-world practice | CTF Stream2 | YouTubeToText
This session highlights how Quality Assurance (QA) professionals can leverage their testing mindset to identify security vulnerabilities, specifically demonstrating how to prevent "man-in-the-middle" attacks on Mendix applications through application-level encryption.
>> Hello. Hello. Hello.
>> Hello.
>> Yeah, it's working. [Music]
>> Hello.
>> Okay, perfect. It's working. I think we can start. Hi everyone. We have people online, and we have people here in person. My name is N. I am the coach for the CTF, and I am also an Avertra employee, as director of emerging tech, innovation and architecture. Today I'm just going to give you an introduction to our session, which will be hosted by our lead application engineer Mohammad Abu Qadourah and Waad, our senior QA engineer. Today's session will be about "Break It Like a Tester", where Waad will be presenting some tactics that QA testers use to find security issues, and it will be followed by a live demo session with our lead application engineer Mohammad Abu Qadourah, showing how he solved an issue on native mobile that was found through a man-in-the-middle attack, using some techniques between nanoflows and microflows. So welcome everyone. I hope you will enjoy the session, and good luck with the challenges. Thank you.
Hey everyone, it's lovely to have you all here today, and whoever is watching us on the stream: hello, good morning, good afternoon. I would like to kick off this session with a quick introduction about myself. My name is Waad Alatiyat. I'm a certified senior quality assurance engineer with extensive experience in functional and non-functional testing. My main focus is identifying weaknesses, bottlenecks, and edge cases which might impact our systems and end users. While I'm not a cyber security specialist, I bring the perspective of a professional QA who is trained to think critically about systems, not only in the way of "does it work", but also whether it might fail and what the impact of that failure is. So today we'll be focusing on how to use our skills as QAs in finding vulnerabilities and saving our system from hackers. Okay.
When working with Mendix, a QA usually verifies if the app behaves correctly, whether it is about pages loading, workflows running, or data being stored. But Mendix is usually used for sensitive business processes such as customer portals, financial services and government solutions, which makes its security as critical as its functionality, if not more. As QAs, we already explore the unexpected and we never play by the rules. So with a small mind shift from traditional QA, we would be great threat hunters. Okay.
Attention to detail is a skill 101 for any QA. We notice inconsistencies, bad or wrong behavior, and even a tiny misalignment, which makes developers hate us so much.
Okay. But why don't we look at the bigger picture? Let's say that I was testing a website. I logged in using the username John Doe, but I entered the wrong password. Mendix verified those credentials and returned the message "incorrect password for user John Doe". If you want to stick to the surface, you would say that this test has passed, because we were not able to log in with that password. But the security impact of this is pretty huge, because that message revealed the existence of that username, which might be abused in brute force attacks.
Another thing is exploratory testing. Let's say that we were testing a form, a text field, or anything that accepts inputs. We entered special characters and they were accepted into that field. If we didn't use Mendix built-in input validation, that would expose our system to
Okay, we already discussed a few examples that represent the power of shifting our mindset from "does it work" to "can it be broken". But why don't we think more outside of the box?
What would happen if I intentionally try to bypass our security checks? Let's go back to the login example. I entered the credentials. Mendix verified them. If we displayed the correct message and everything was right, the user was not able to log in. That would actually pass a test. But what if I intentionally manipulate the response from the network tab? Would I pass the Mendix UI? And are my checks only implemented in the UI, or also in the back end?
Another thing is user role testing or switching, which is widely used in Mendix, especially in admin portals. Let's say I was working using a limited role. While navigating through the website, I would only see the authorized pages. But if I bookmarked a restricted page, or I know the link for a page that's only supposed to be displayed to the super admin, would clicking on that bookmark or opening the URL display the page or not? If it was displayed, then our access rules are misconfigured.
To recap, those were the points that we've discussed: input validation, negative testing, user switching, hidden or indirect navigation paths, and also session management. We all know the importance of session management. Leaving a user session active for too long will expose our system to risk. But it also has another impact: it might overload our system, which might cause it
Mendix provides strong security defaults such as entity access rules, page access control and cross-site scripting protection. But misconfiguration and overlooked rules are common. QAs already have the skill to spot vulnerabilities simply by asking "what would happen if I break it, or if I misuse it?" Okay.
Lastly, I would like to emphasize something. A functioning application is good, but functionality is only half of the battle. Having a fast, secure, resilient, user-friendly and functional application is the end goal. By combining both functional and non-functional testing, then adding Mendix security, which is going to be the cherry on top, we would have a bulletproof system. Okay, that would conclude my part for today. I wish you all bug- and threat-free development. I will leave you with my colleague Mohammad, who will introduce you to man-in-the-middle and how to secure applications against it.
Okay. Hello everyone. My name is Mohammad Abu Qadourah. I am a lead application engineer here at Avertra. I joined Avertra four years ago, and since that time I have been leading multiple banking projects. Those projects consisted of web applications and native mobile applications.
So it's great to be here today at the Capture the Flag event. Today our presentation will revolve around illustrating how a threat actor can leverage device proxies to intercept the data that leaves the native mobile app towards the server side. This interception will allow the attacker to view or even modify the data in transit, the payloads themselves.
So today we are going to go through three main parts: the attack, the strategy and the result. Firstly, the attack: we are going to show you how exactly the attacker is going to intercept the data in transit between the client side and the server side. Next we will move to the strategy. Here we are going to explain our strategy, which is application-level encryption and decryption. And finally we will go to the result: we will run the exact same attack that we already did in the first step, but this time with our solution in place.
So in this image we are seeing a classic man-in-the-middle attack, where the attacker places themselves in the line of communication between the client-side and the server-side logic so they can intercept the data. The attacker will use specialized software called an interception proxy. In this session today we are going to use one of the most common tools, called Burp Suite. In Burp Suite, once the traffic reaches the network side, that is, leaves the native mobile side, this tool will capture the traffic and decrypt the HTTPS or SSL pinning that we are using, to give control to the attacker to view or even modify the data in transit. Okay.
>> So yeah, now we are going to show you a small demo of how the attacker will intercept this traffic, or let's say the payload, once it leaves the mobile device and reaches the network. He will be able to view, modify or change anything in the payload itself using the tool that we talked about, which is
So this, guys, is the Burp Suite tool that we already talked about. You will need to configure the proxy settings to be able to intercept the payload or the request that has left the mobile. In our case today, I'm going to show it to you without any solution, without our solution, application-level encryption. I'm going to start the intercept. Let's turn it on. I'm going to enter values. In this example I'm going to enter them on the mobile. We are going to enter from account, to account, transaction amount and the currency. So from account, let's make it 111. The to account, 222 for example. Transaction amount, let's make it 100. And the currency
So I'm going to hit submit. Burp Suite will start capturing all the requests that are coming out from the device. As you can see here, this is the request that has left the device. You can see the entity name and the attributes inside this payload. The entity name is bank account. You can see here the from account that we have entered, the value is 111, the to account, the transaction amount; you can actually see everything inside this payload. So for now let's change the transaction amount. Let's make it
Then we are just going to click on forward. This will forward the request to the server side. I'm also going to show you on Mendix; I have already added the debugger to see how the data reached the server side. As you can see, we have entered the from account, the currency, the to account and the transaction amount. The transaction amount has now reached the server with 1,000, and we entered 100 on the mobile application. So the attacker was able to intercept the request. He was able to view all the data, and the most important thing, he was able to change the data itself from 100 to 1,000.
So this, guys, is the attack that we are going to have a solution
So guys, as we just saw, the impact itself is severe. We have seen sensitive data exposure, which leads to unauthorized actions. As we just saw in the example, the attacker was able to view the whole payload. He was able to modify the payload; we actually changed the transaction amount from 100 to 1,000, which will lead to a loss of trust in our application. So that's why our solution, which is application-level encryption, is important in our case. So guys, the most important takeaway from this section is that we can't rely just on HTTPS itself. We need another layer of security, which will lead us to our strategy.
Slides, right. So guys, as I mentioned before, this will lead us to our strategy. We will implement application-level encryption and decryption to prevent this whole attack from happening inside the network itself.
So the concept is basic. As we just saw, we can't just rely on the interception layers themselves; we can't just rely on HTTPS or SSL pinning. We need another layer, as we mentioned before, to encrypt the data on the client side right before it goes to the network itself. Once it reaches the network, this data, this payload, will be cipher text. The attacker will not see anything; the data will be encrypted. Once this payload reaches the server side, it will be decrypted again and it will return to its original format, so it can be processed at the server side itself.
So this is how it will look in the Mendix context. In Mendix we are going to do the encryption inside the nanoflow, which is obviously the client side. We are going to use an encryption mechanism; in our example we are going to use JWT.
So once the device, or the nanoflow, encrypts this data, it will go to the network itself. During transit, even if the attacker was able to intercept the request and compromise, let's say, HTTPS and SSL pinning, he will not be able to view or even edit the data itself; it will already be unreadable cipher text. Once the request reaches the server side, in a microflow we will do the decrypt mechanism with the same JWT. So guys, here the most important thing that we will need to be careful with is the keys for the encryption and decryption. We have to manage them in a secure way, so that the attacker will not be able to have access to those keys and cannot decrypt the payload himself. So now we are going to do another demo; we will show you another example, but this time with our solution in place. We are going to show you exactly how the attacker will see the payload after the application-level encryption
So guys, I'm going to enter the same values that we entered before, which is the from account 111, and the to account will be 22. The transaction amount we added was 100 and the currency was USD in our previous example. So I'm going to turn on the interception in the Burp Suite tool, and I'm going to hit submit. Now we will see the request in Burp Suite. So guys, as we can see on the screen, this is the payload with our solution, application-level encryption: the object itself, the payload, was encrypted inside the client side in a nanoflow and reached the network. The attacker was able to intercept the request itself, but he can't see anything. It's already cipher text in transit. Everything will be gibberish for him; he will not know what parameter is being passed, what the object type is, what the values are, anything. So here everything is encrypted. I'm going to forward it now, to see exactly in Mendix how it's going to be. So now, if you can see my screen, the request has reached the server side. As you can see, the value is encrypted, nothing clear, so nothing happened to it. So firstly, in our microflow we are going to decrypt this payload that has reached us as a string value. After decrypting it, it will be converted to a JSON structure. We can see it here: this is the same object as a JSON structure. Then we are going to convert it back to an object, so it can be returned to its original format. So the system will complete the process that it already started.
So guys, as you have seen... one second, let me go back to the slides.
So as we have seen, our solution, application-level encryption and decryption, will focus on the encryption itself. Firstly, in the nanoflow on the client side, we are going to get the object that we need to pass from the client side to the server side. We need to convert it to JSON format. After changing it to JSON format, we are going to encrypt it. Once the data, as we have seen, reaches the server side, it's going to be decrypted again, then it will be converted to an object. So the server side will see the data in its original format, so it can do the process that it's supposed to do. One more thing I wanted to add here: any parameter you are passing from the client side to the server side will be exposed. So you need to encrypt on the client side and decrypt on the server side. The additional thing is, even if you return data from the microflow to the nanoflow, the response which comes from the server side to the client side will also be exposed. So you also need to encrypt inside the server side. Same steps: encrypt the data, send it back to the client side encrypted, and on the client side you need to decrypt it again and do the whole scenario, the whole steps.
So, to summarize. Let's go back. So guys, to summarize, it's important to understand that security is about layers. We have multiple layers here for security: we have HTTPS/TLS, we have SSL pinning. As we just saw in our example, we can't just rely on HTTPS or SSL pinning, as they might be compromised by the attacker. That's why we have come to our solution, the third layer, which is application-level encryption. That's the place for our solution: this is the third layer, the extra layer that we will have on top of this. So the result will be that our payload is guaranteed to be secure and the data reaches the server without any manipulation by the attacker. Okay.
So guys, I'm going to leave you with three main points from our session today. Firstly, the threat is real. We demonstrated that a man-in-the-middle attack was able to intercept the communication and view and even modify the data in transit, even with HTTPS there. So he will be able to actually reach the data. Secondly, the solution is to think in layers. We can't put all of our trust in those channels, which are HTTPS/TLS and SSL pinning. We need to add another extra layer of security so we can encrypt the data before it reaches the server side. And finally, as a result, we have been able to protect our data, our payloads, inside the network itself. The attacker was not able to see anything inside this data. So this will ensure that the confidentiality and integrity of our data remain untouchable.
So yeah, this is everything for today, guys. Thank you for listening, and I hope you will actually use some tips from this session today so you can capture the flag. Thank
>> Thank you, Waad. Thank you, Mohammad. So I think there was one question online about a key for Burp Suite, if there is a version... but there's a community version they can download. No key is required.
>> Yeah, they can use it actually. They can use it without keys. I already used it without the keys. Yeah, exactly. So it will not give them all the options, but at least it will
>> Exactly. Yes. Exactly.
>> Let's see if there is another question from the audience about the tool or anything, or for Mohammad or Waad. If you guys need any help with the tool, we are going to help you with it.
>> You can ask anything regarding it. But yeah, I'm not an expert actually in this tool, but at least we can help each other. Yeah.
>> Thank you so much. Thank you. Thank you all.