1
00:00:00,300 --> 00:00:07,160
Cross-site scripting, or XSS, is one of the most common vulnerabilities of Web applications.

2
00:00:07,200 --> 00:00:11,970
It's caused by improper input and output validation.

3
00:00:13,330 --> 00:00:20,410
So generally, it happens by including malicious client-side scripts in Web pages, and when a victim

4
00:00:20,410 --> 00:00:26,410
visits the page or clicks the injected link, then the malicious script code is executed.

5
00:00:27,650 --> 00:00:32,840
And at this point, the victim's browser has no way to determine whether the script is trusted or not,

6
00:00:33,470 --> 00:00:35,150
so it'll just execute the script.

7
00:00:36,550 --> 00:00:43,060
And by the execution of the script, it can access cookies or other sensitive information retained by

8
00:00:43,060 --> 00:00:43,750
the browser.

9
00:00:45,370 --> 00:00:49,840
Such a script can even rewrite the entire content of the HTML document.

10
00:00:51,600 --> 00:01:00,480
Although XSS attacks are possible in VBScript, ActiveX, Flash and even CSS, the most used

11
00:01:00,480 --> 00:01:02,700
language, of course, is JavaScript.

12
00:01:03,820 --> 00:01:09,960
So executing untrusted JavaScript code in browsers can have devastating consequences.

13
00:01:11,740 --> 00:01:22,930
Anyway, we can divide XSS attacks into three types: reflected, stored and DOM-based XSS.

14
00:01:23,720 --> 00:01:28,900
So in the next few lessons we're going to cover XSS flaws in detail.

15
00:01:30,920 --> 00:01:39,470
So this type of XSS vulnerability occurs when the malicious input in an HTTP request is immediately

16
00:01:39,470 --> 00:01:43,340
returned to the victim's browser in an HTTP response.

17
00:01:44,870 --> 00:01:50,390
So the malicious input data is not stored on the backend, so that's why we call it reflected.

18
00:01:52,020 --> 00:01:56,010
What the attacker enters is reflected to the victim quickly.

19
00:01:57,010 --> 00:02:02,920
And it's also known as non-persistent, first-order or type 1 XSS.

20
00:02:04,480 --> 00:02:10,870
Reflected XSS vulnerabilities require a malicious script to be embedded into a URL.

21
00:02:12,020 --> 00:02:19,400
So as a pen tester, we should try to find a way to entice the victim user to click the link containing

22
00:02:19,400 --> 00:02:20,450
the malicious script.

23
00:02:22,160 --> 00:02:26,450
Now, in order to be successful, the user needs to click on the infected link.

24
00:02:28,170 --> 00:02:34,980
But before that, we need to use whatever social engineering technique we need to deliver the infected

25
00:02:34,980 --> 00:02:36,630
link to the potential victims.

26
00:02:38,370 --> 00:02:41,220
So open Kali and log in to bWAPP.

27
00:02:42,100 --> 00:02:43,390
Just like we always do.

28
00:02:44,340 --> 00:02:49,920
Now, as you can see, there are many examples of XSS vulnerabilities in bWAPP.

29
00:02:50,970 --> 00:02:54,190
And I'm going to exploit some of them, not all.

30
00:02:55,110 --> 00:02:59,400
So let's first choose the XSS reflected (GET) one.

31
00:03:00,680 --> 00:03:02,600
It's nothing but this sample page.

32
00:03:03,780 --> 00:03:07,560
But what you type in the fields will be reflected to the page.

33
00:03:08,730 --> 00:03:12,030
And then the values will be transmitted over the URL.

34
00:03:13,750 --> 00:03:15,550
And view the page source.

35
00:03:16,620 --> 00:03:22,170
And here are the values I typed, so this is a suspicious form.

36
00:03:23,200 --> 00:03:25,000
OK, so now let's have a look at the code.

37
00:03:28,520 --> 00:03:35,690
Now, here at the beginning, there is a function named xss, and it calls the xss_check_3

38
00:03:35,690 --> 00:03:39,390
and xss_check_4 functions according to the security level.

39
00:03:40,220 --> 00:03:41,390
So scroll down a little bit.

40
00:03:42,410 --> 00:03:48,560
And it grabs the values in the form and it uses them in the xss function.

41
00:03:49,810 --> 00:03:56,270
All right, so if the level is low, the values will be printed on the screen directly; if not, the

42
00:03:56,270 --> 00:04:01,570
xss_check_3 and xss_check_4 functions will be executed for medium and high level.

43
00:04:02,680 --> 00:04:07,180
And these functions are in this file, so scroll down.

44
00:04:08,260 --> 00:04:15,970
And here are the functions, so xss_check_4 uses the addslashes function to prevent these characters.

45
00:04:17,000 --> 00:04:26,420
And xss_check_3 uses the htmlspecialchars function with an encoding. So go back to Firefox.

46
00:04:27,370 --> 00:04:31,390
And I'm going to paste an HTML H1 tag in here.

47
00:04:32,490 --> 00:04:33,780
And it's executed.

48
00:04:34,690 --> 00:04:36,010
So view the source.

49
00:04:37,190 --> 00:04:42,650
And here's the problem: the input is not sanitized at the back end.

50
00:04:44,110 --> 00:04:46,570
And it's added to the source of the page.

51
00:04:47,620 --> 00:04:48,250
So.

52
00:04:49,080 --> 00:04:54,990
Let's look to see, and there's no difference between this tag and any other HTML tag on the page.

53
00:04:56,220 --> 00:05:02,970
No encoding or anything else, and this tag is reflected with the page to us again.

54
00:05:04,920 --> 00:05:07,410
So now I'm going to paste another HTML tag.

55
00:05:12,440 --> 00:05:14,300
And it's here in this source.

56
00:05:16,290 --> 00:05:20,220
OK, so this time I'm going to add this tiny JavaScript code.

57
00:05:21,530 --> 00:05:23,180
And it's also executed.

58
00:05:24,140 --> 00:05:25,790
So view the source.

59
00:05:28,110 --> 00:05:30,030
And here are the script tags that we sent.

60
00:05:31,600 --> 00:05:34,810
And now I'm going to change this JavaScript code a little bit.

61
00:05:36,470 --> 00:05:38,600
Then fill in the form and go.

62
00:05:42,040 --> 00:05:44,710
And in the message box, we see the cookies.

63
00:05:45,710 --> 00:05:47,390
And the session ID as well.

64
00:05:49,210 --> 00:05:49,690
So.

65
00:05:51,740 --> 00:05:55,520
How do we benefit by executing JavaScript in the browser?

66
00:05:57,260 --> 00:06:02,930
So JavaScript provides us the power to do many things, browser side.

67
00:06:05,090 --> 00:06:12,260
But we do have to use a browser, so in order to hack, we need to execute JavaScript in someone else's

68
00:06:12,260 --> 00:06:12,740
browser.

69
00:06:13,760 --> 00:06:21,830
So copy that URL and open another tab and paste it and go.

70
00:06:23,220 --> 00:06:28,410
So you can see the JavaScript payload in the URL is executed as soon as I open the page.

71
00:06:29,840 --> 00:06:33,110
Or in our scenario, clicking a link.

72
00:06:35,380 --> 00:06:37,090
So we need the user.

73
00:06:38,010 --> 00:06:39,180
To click a link, right?

74
00:06:41,650 --> 00:06:45,550
But alerting the session ID is not a good way.

75
00:06:46,950 --> 00:06:56,100
So you can use this code, it will send the base64-encoded user's cookie to my application.

76
00:06:57,070 --> 00:07:01,670
You can download and put it on your Kali or your host if you like.

77
00:07:02,560 --> 00:07:04,660
It's a simple Bootstrap 4 app.

78
00:07:05,980 --> 00:07:08,430
So paste this payload in here.

79
00:07:11,620 --> 00:07:15,280
Open the web developer tool, then go.

80
00:07:16,810 --> 00:07:19,660
And what do you see? The code has been sent to the server.

81
00:07:20,690 --> 00:07:22,370
And nothing happens at the back end.

82
00:07:23,850 --> 00:07:26,750
Then the JavaScript code is reflected to the page.

83
00:07:28,140 --> 00:07:31,800
And then this JavaScript code executes.

84
00:07:32,750 --> 00:07:38,870
And sends the encoded cookie value to my grab page. So view the source.

85
00:07:40,810 --> 00:07:44,260
And our payload is perfectly displayed here.

86
00:07:45,650 --> 00:07:49,640
So now go to the cookie stealer app, refresh the page.

87
00:07:51,040 --> 00:07:52,750
And we have an incoming session.

88
00:07:54,370 --> 00:07:55,810
So click to log in.

89
00:07:57,510 --> 00:08:02,520
Username is a Web site and password is 12345.

90
00:08:04,080 --> 00:08:06,660
And the cookie with the session ID is here.

91
00:08:08,400 --> 00:08:13,680
Now, from the More button, you can view details about incoming requests.

92
00:08:15,600 --> 00:08:17,910
You can check to see if the session's live or not.

93
00:08:21,380 --> 00:08:22,610
Return to sessions.

94
00:08:23,690 --> 00:08:26,660
Also, you can view the main page on bWAPP.

95
00:08:28,370 --> 00:08:30,920
And as you can see, here's our current user.

96
00:08:34,080 --> 00:08:42,720
OK, then go back to Kali again. I validated the XSS vulnerability, so now copy this

97
00:08:42,870 --> 00:08:43,140
URL.

98
00:08:44,120 --> 00:08:45,350
Then log out.

99
00:08:47,290 --> 00:08:54,760
Open bWAPP again as another user, so log in to it as bWAPP user one.

100
00:08:56,140 --> 00:09:03,010
And let's say somehow I've sent the link to this user and the user clicks on it, so that means I'm

101
00:09:03,010 --> 00:09:04,930
just going to paste it here and hit enter.

102
00:09:06,240 --> 00:09:07,110
View source.

103
00:09:09,130 --> 00:09:12,280
The value in the URL is lying in the source.

104
00:09:13,500 --> 00:09:19,950
And go to the cookie stealer app, refresh the page, and here is the new user's cookie.

105
00:09:21,590 --> 00:09:22,520
Now go to sessions.

106
00:09:26,360 --> 00:09:29,270
And it is bWAPP user one's session.

107
00:09:31,660 --> 00:09:37,120
So we stole the session ID value of a user and will use it to authenticate ourselves.

108
00:09:38,690 --> 00:09:41,410
Good, so let's have a look at some other examples.

