1
00:00:02,240 --> 00:00:05,300
‫So there are several types of CSRF in bWAPP.

2
00:00:07,270 --> 00:00:09,420
‫I want to do one more with you as well.

3
00:00:11,310 --> 00:00:17,400
‫We can first have a quick look at all the types if you want, so let's log in to bWAPP and go to

4
00:00:17,400 --> 00:00:18,750
‫CSRF 1.

5
00:00:19,980 --> 00:00:24,180
‫And this is a password change, and we've exploited the low level.

6
00:00:25,490 --> 00:00:30,410
‫We viewed the source of the form and mimicked the request triggered by this form.

7
00:00:33,560 --> 00:00:39,950
‫OK, now change here to 2, so here's the second example; view the page source.

8
00:00:42,340 --> 00:00:46,210
‫As you can see, there are no extra fields to secure the form.

9
00:00:47,250 --> 00:00:50,580
‫So now I'm going to intercept the request of this form.

10
00:00:53,120 --> 00:00:55,190
‫And remember to enable FoxyProxy.

11
00:00:56,890 --> 00:00:58,870
‫And Burp to gather the request.

12
00:01:00,240 --> 00:01:02,160
‫Data transmits in the URL.

13
00:01:03,200 --> 00:01:07,790
‫And it is not so different from the example that we did with a password change form.

14
00:01:09,150 --> 00:01:13,020
‫We just need to change the form field names.

15
00:01:14,020 --> 00:01:15,360
‫And let it go.

16
00:01:17,760 --> 00:01:25,800
‫bWAPP also has one more CSRF example, so go to the CSRF 3 page.

17
00:01:27,690 --> 00:01:32,160
‫Now, this page changes the secret value of the session user.

18
00:01:33,100 --> 00:01:34,210
‫Now view the source.

19
00:01:35,980 --> 00:01:39,070
‫OK, now see how this form has an additional hidden field.

20
00:01:40,520 --> 00:01:44,300
‫But it really doesn't bring you any added security.

21
00:01:45,680 --> 00:01:49,550
‫So the only thing you need to know is the login name of the user.

22
00:01:51,010 --> 00:01:54,930
‫And when you refresh the page, nothing changes either.

23
00:01:56,200 --> 00:01:59,050
‫So I'm going to send a request and view it.

24
00:02:00,890 --> 00:02:02,960
‫OK, the request is here in Burp.

25
00:02:04,760 --> 00:02:09,410
‫You can easily add these fields to your fake form and request.

26
00:02:10,350 --> 00:02:16,830
‫So now you need to just enumerate users, then prepare fake forms.

27
00:02:17,980 --> 00:02:19,060
‫And that's all.

28
00:02:20,730 --> 00:02:24,960
‫Now go back to CSRF 1 and change the level to medium.

29
00:02:26,920 --> 00:02:30,940
‫So this is the form that wants the user to fill in the current password as well.

30
00:02:31,960 --> 00:02:32,980
‫Sure, it's a good measure.

31
00:02:34,280 --> 00:02:36,620
‫And go to CSRF 2.

32
00:02:38,160 --> 00:02:39,870
‫Nothing changes in the display.

33
00:02:41,340 --> 00:02:42,540
‫But view the source.

34
00:02:43,900 --> 00:02:47,100
‫So this time a token field is added to the form.

35
00:02:49,080 --> 00:02:50,910
‫Now refresh the page.

36
00:02:53,150 --> 00:02:55,590
‫But the token value is the same.

37
00:02:56,300 --> 00:03:00,670
‫So this is not a good implementation either.

38
00:03:01,920 --> 00:03:08,010
‫So when we fill in the form and send it, the request will be as you can see in Burp.

39
00:03:10,140 --> 00:03:18,240
‫So this time you need to enumerate tokens or force users to use your tokens like we did in session fixation.

40
00:03:20,040 --> 00:03:23,340
‫So let it go and go to CSRF 3.

41
00:03:25,810 --> 00:03:27,100
‫And view the source.

42
00:03:28,570 --> 00:03:30,550
‫This form also has a token field.

43
00:03:31,620 --> 00:03:33,360
‫And when you refresh the page.

44
00:03:34,480 --> 00:03:35,560
‫The token changes.

45
00:03:37,560 --> 00:03:39,570
‫OK, so fill in the input field.

46
00:03:40,990 --> 00:03:42,460
‫And this will be the request.

47
00:03:44,050 --> 00:03:49,000
‫So now we are going to exploit this one. Open up your terminal.

48
00:03:50,090 --> 00:03:53,090
‫View csrf_3.

49
00:03:55,090 --> 00:03:57,940
‫So if the level is low, it just changes the value.

50
00:03:59,070 --> 00:04:02,460
‫But if the level is medium or high, it first checks the token.

51
00:04:03,970 --> 00:04:05,560
‫And then it just updates the secret.

52
00:04:07,680 --> 00:04:11,820
‫And below, you can see the code that produced the token on each request.

53
00:04:13,340 --> 00:04:14,800
‫So open up your browser again.

54
00:04:16,560 --> 00:04:18,750
‫OK, so let me summarize the problem.

55
00:04:20,190 --> 00:04:23,220
‫We have a form that has a hidden token field.

56
00:04:24,050 --> 00:04:27,050
‫And this field changes per request.

57
00:04:28,340 --> 00:04:35,240
‫Even if we create a fake form, we cannot get this value right, because the fake form will be triggered

58
00:04:35,660 --> 00:04:36,770
‫in another tab.

59
00:04:38,440 --> 00:04:44,530
‫So fake forms cannot reach what we're looking for in the actual form.

60
00:04:46,190 --> 00:04:52,610
‫We can add a token field to our fake request, but we cannot add a true value.

61
00:04:54,200 --> 00:04:57,170
‫So that means we're basically stuck here.

62
00:04:58,850 --> 00:05:01,850
‫Now, obviously, I have a solution.

63
00:05:03,850 --> 00:05:07,480
‫So to exploit this vulnerability, we're just going to need another vulnerability.

64
00:05:08,920 --> 00:05:10,360
‫Cross site scripting.

65
00:05:11,570 --> 00:05:14,110
‫So go to the

66
00:05:14,210 --> 00:05:14,590
‫xss_stored

67
00:05:14,660 --> 00:05:23,810
‫page, and we're going to look at this vulnerability a little later in greater detail,

68
00:05:24,230 --> 00:05:28,430
‫but this page stores your entries and shows them just like that.

69
00:05:30,140 --> 00:05:37,640
‫And, of course, it's vulnerable to XSS, so that means we can execute JavaScript code on the

70
00:05:37,640 --> 00:05:38,990
‫page from another source.

71
00:05:39,930 --> 00:05:43,510
‫For example, if you add this code, you'll get an alert.

72
00:05:44,750 --> 00:05:49,780
‫And what I want is to execute JavaScript code from my server in this page.

73
00:05:51,350 --> 00:05:53,690
‫So I will serve this code on Kali.

74
00:05:58,210 --> 00:06:01,540
‫It is an example HTTP request code.

75
00:06:03,020 --> 00:06:08,360
‫Then after injecting this code into the page, it'll request the CSRF 3 page.

76
00:06:10,110 --> 00:06:16,320
‫Parse the token and then send a change request with a value that I provide.

77
00:06:17,670 --> 00:06:18,870
‫And you can get it from here.

78
00:06:20,560 --> 00:06:23,770
‫So now I'm going to copy it to my Web root directory.

79
00:06:25,190 --> 00:06:27,110
‫Apache's not running, so start it.

80
00:06:29,910 --> 00:06:30,600
‫Now it's running.

81
00:06:31,740 --> 00:06:38,790
‫And now on the XSS page, I'm just going to add this line of code to inject my script into the page.

82
00:06:40,120 --> 00:06:41,350
‫Copy and paste it.

83
00:06:44,060 --> 00:06:46,850
‫Now, before submitting, open Web Developer.

84
00:06:48,440 --> 00:06:50,450
‫HTML and JavaScript from here.

85
00:06:51,620 --> 00:06:52,940
‫OK, now submit it.

86
00:06:54,670 --> 00:06:57,610
‫And the alert comes from the previous code.

87
00:06:59,010 --> 00:06:59,670
‫Click OK.

88
00:07:01,040 --> 00:07:04,160
‫And below, you will see the request sent by this page.

89
00:07:05,450 --> 00:07:09,350
‫Lo and behold, it requests my JavaScript code from my server.

90
00:07:10,340 --> 00:07:16,130
‫After including that code in the page, my script requests the CSRF 3 page.

91
00:07:17,280 --> 00:07:20,160
‫And then sends the change request containing a valid token.

92
00:07:21,520 --> 00:07:25,810
‫OK, so now let's look to see if it changes it or not in Chrome.

93
00:07:27,120 --> 00:07:30,390
‫And as you can see, this is the old secret value.

94
00:07:31,340 --> 00:07:32,870
‫So now refresh the page.

95
00:07:35,390 --> 00:07:37,150
‫Browse the user's table again.

96
00:07:38,290 --> 00:07:41,500
‫And looky here, the value has changed.

97
00:07:42,350 --> 00:07:46,180
‫OK, so now view the page source.

98
00:07:47,140 --> 00:07:51,460
‫And the script tags are present in the page just like that.

99
00:07:52,930 --> 00:07:56,030
‫So we changed the password without the user's knowledge.

100
00:07:56,770 --> 00:07:57,760
‫What do you think about that?

