1
00:00:00,620 --> 00:00:08,480
So bWAPP handles different aspects of XSS very well, and the next example is one of them.

2
00:00:09,170 --> 00:00:15,650
So after logging into bWAPP, choose Reflected JSON from the menu.

3
00:00:17,040 --> 00:00:19,110
And there's a search box on the page.

4
00:00:20,290 --> 00:00:22,000
So let's examine the page a little bit.

5
00:00:23,050 --> 00:00:27,010
So I'm going to type t h o r into the box.

6
00:00:28,180 --> 00:00:30,050
And yes, we have that movie.

7
00:00:30,100 --> 00:00:32,320
It's a positive result.

8
00:00:33,580 --> 00:00:39,070
Now, what I typed is also in the URL; the title parameter holds this value.

9
00:00:40,350 --> 00:00:42,450
OK, so now let's view the source.

10
00:00:43,440 --> 00:00:48,150
And here, as a result, the page sends JSON data.

11
00:00:49,810 --> 00:00:52,150
And this data is parsed and printed to the page.

12
00:00:53,340 --> 00:00:58,530
All right, are you ready for another? Enter i r o n m a n without spaces.

13
00:00:59,740 --> 00:01:03,940
And a negative result comes back, but also the data is reflected.

14
00:01:04,960 --> 00:01:06,790
And the value is still in the URL.

15
00:01:08,370 --> 00:01:09,840
So view the page source again.

16
00:01:11,470 --> 00:01:16,420
And this is my input, and it is reflected to the page.

17
00:01:18,690 --> 00:01:22,800
So like I did in the previous lesson, paste the HTML H1 tag.

18
00:01:24,280 --> 00:01:25,270
OK, it works.

19
00:01:26,390 --> 00:01:28,520
And paste the <a> link.

20
00:01:30,330 --> 00:01:33,480
OK, so something went wrong here, so let's view the source.

21
00:01:36,270 --> 00:01:37,160
The link is here.

22
00:01:38,480 --> 00:01:39,980
OK, I think I found it, did you?

23
00:01:41,150 --> 00:01:45,230
So the single quote caused the problem with the JSON.

24
00:01:48,570 --> 00:01:53,880
So if I add backslashes before the quotes, it will work.

25
00:01:55,700 --> 00:02:02,090
So this problem is solved. Now, before we go any further, I do want to show you the code.

26
00:02:02,960 --> 00:02:06,350
So open a terminal and just have a look with me.

27
00:02:09,050 --> 00:02:13,670
Now, here, if the level is low, the title parameter is used as is.

28
00:02:14,800 --> 00:02:17,980
If it's not low, it is checked with a function.

29
00:02:19,580 --> 00:02:21,770
Then the output is generated.

30
00:02:23,340 --> 00:02:24,450
And scroll down.

31
00:02:25,850 --> 00:02:27,230
So now here is a script.

32
00:02:28,550 --> 00:02:31,130
And the output is added into the script.

33
00:02:32,170 --> 00:02:36,520
And then, as you see, if the result is negative, the search term is sent back to the browser.

34
00:02:38,070 --> 00:02:39,780
So go back to Firefox.

35
00:02:41,500 --> 00:02:44,860
And we can run HTML tags entered into this field.

36
00:02:46,310 --> 00:02:49,130
So let's paste this tiny script.

37
00:02:50,870 --> 00:02:51,950
OK, no, it doesn't work.

38
00:02:53,130 --> 00:02:55,740
So now, to figure out what's happening, let's view the source.

39
00:02:58,500 --> 00:03:02,240
Because my input breaks the original script, right?

40
00:03:04,000 --> 00:03:11,980
Now, this part is between script tags, so it can't be executed if there's, you know, anything meaningful.

41
00:03:13,560 --> 00:03:16,110
And the rest is not between script tags.

42
00:03:17,250 --> 00:03:24,450
So the browser uses the remaining part as text, so it displays text in the page.

43
00:03:24,660 --> 00:03:28,530
So now type ironman to clear here and view the source.

44
00:03:30,950 --> 00:03:34,850
Now we can create our payload, which doesn't break the original script.

45
00:03:35,900 --> 00:03:37,810
So I'm going to just write it here.

46
00:03:39,430 --> 00:03:42,040
And step by step, I will create the payload.

47
00:03:43,330 --> 00:03:46,630
So first, let's close these double quotes around our input.

48
00:03:48,050 --> 00:03:56,240
Then use this curly bracket, and then this bracket, and then the single quote around the JSON data.

49
00:03:57,720 --> 00:04:00,870
And a semicolon to end this line.

50
00:04:02,740 --> 00:04:04,840
And close the opening script tag.

51
00:04:06,660 --> 00:04:10,080
So now we can start our payload.

52
00:04:12,320 --> 00:04:17,480
First, alert the cookie as always, then add an opening script tag.

53
00:04:18,530 --> 00:04:21,020
And that's it, so let's copy this payload.

54
00:04:24,110 --> 00:04:26,360
And paste it in the search box.

55
00:04:28,570 --> 00:04:32,560
And yeah, the JavaScript code executes.

56
00:04:33,560 --> 00:04:36,190
And let's view the source to figure it out better.

57
00:04:42,580 --> 00:04:44,260
And this is the first part.

58
00:04:45,430 --> 00:04:47,080
So it doesn't have any meaning to the page.

59
00:04:48,170 --> 00:04:50,690
And then this is our actual payload.

60
00:04:52,260 --> 00:04:54,210
And then this part is the remaining code.

61
00:04:55,170 --> 00:04:57,300
It also doesn't really have any meaning to the page.

62
00:04:58,910 --> 00:05:00,620
OK, so let's go back to the page.

63
00:05:02,300 --> 00:05:06,110
Now we can send the session value to our cookie stealer app.

64
00:05:08,110 --> 00:05:09,430
And we have the payload.

65
00:05:10,460 --> 00:05:15,050
So I'm going to copy it and add it here instead of the alert code.

66
00:05:16,760 --> 00:05:17,950
Then copy this line.

67
00:05:19,600 --> 00:05:21,220
Open a web developer tool.

68
00:05:22,600 --> 00:05:25,570
Paste the code into the search box and go.

69
00:05:27,030 --> 00:05:29,550
The requests sent from this page are below.

70
00:05:30,770 --> 00:05:34,880
And the base64 cookie value is sent to our stealer application.

71
00:05:36,120 --> 00:05:37,230
So view the source.

72
00:05:39,540 --> 00:05:41,940
So our good payload is lying in the source.

73
00:05:43,260 --> 00:05:44,670
So open the stealer app.

74
00:05:45,960 --> 00:05:46,980
Refresh the page.

75
00:05:48,140 --> 00:05:50,240
And the cookie values come up.

76
00:05:51,500 --> 00:05:53,270
So now let's go to our session.

77
00:05:55,120 --> 00:05:56,080
This is our user.

78
00:05:57,130 --> 00:05:59,530
And we are able to send the user session.

79
00:06:01,020 --> 00:06:03,060
OK, so go back to Kali.

80
00:06:04,420 --> 00:06:08,830
Now we can use this URL to get any user session.

81
00:06:10,020 --> 00:06:14,400
So we need to get the user to click on a link comprised of this URL.

82
00:06:15,920 --> 00:06:16,880
Then get the session.

83
00:06:18,130 --> 00:06:20,410
And we've already done that in a previous lesson.

84
00:06:21,430 --> 00:06:22,780
So I'm going to leave that for you to do.

85
00:06:23,440 --> 00:06:23,860
All right.

