1
00:00:01,200 --> 00:00:06,660
Now, this type of XSS is kind of rare and hard to find.

2
00:00:07,610 --> 00:00:16,310
But it may have consequences similar to reflected XSS, so basically in this vulnerability,

3
00:00:16,310 --> 00:00:18,170
everything happens in the DOM.

4
00:00:19,500 --> 00:00:26,550
These attacks occur when the web application uses data in the DOM with JavaScript in an unsafe way.

5
00:00:28,560 --> 00:00:31,830
OK, go to Kali and log in to DVWA.

6
00:00:33,330 --> 00:00:40,530
Now, there are different types of XSS that are present in this area, but DOM XSS does not

7
00:00:40,530 --> 00:00:45,130
appear here, so I don't know why.

8
00:00:45,840 --> 00:00:52,860
However, it's not a really big deal because we can always import our own DOM XSS example.

9
00:00:54,740 --> 00:00:57,710
So go ahead and download this sample page.

10
00:00:58,720 --> 00:01:05,530
I've coded it and integrated it to work with the DVWA security model, so you can just go ahead and import

11
00:01:05,530 --> 00:01:08,550
the page into the DVWA folder and then use it from there.

12
00:01:09,670 --> 00:01:19,900
Okay, so now I'll assume that you've already done this, so open the page DOM XSS dot PHP.

13
00:01:21,100 --> 00:01:26,560
And the default level is low, as always, but before going any further, let me explain a couple of

14
00:01:26,560 --> 00:01:27,200
things.

15
00:01:28,030 --> 00:01:30,740
So previously we talked a little bit about the DOM, right?

16
00:01:31,540 --> 00:01:34,350
You know, it's like, I don't know, it's like the backstage.

17
00:01:34,780 --> 00:01:42,080
So you see the stage, and the show happens out there, but everything is set and controlled from backstage.

18
00:01:42,520 --> 00:01:42,930
Yeah.

19
00:01:43,510 --> 00:01:48,610
So the DOM is really the backstage of browsers.

20
00:01:49,660 --> 00:01:57,550
All right, so now what if you're able to find a sink and change some of the sources at backstage, what

21
00:01:57,550 --> 00:01:57,970
happens?

22
00:01:58,950 --> 00:02:07,200
Well, naturally, the show would be affected by this change, and DOM XSS works a lot like that.

23
00:02:08,130 --> 00:02:15,690
So in this context, a source is a JavaScript property that contains data that the attacker could potentially

24
00:02:15,870 --> 00:02:16,560
control.

25
00:02:17,710 --> 00:02:25,270
So an example of a source is location.search, which reads input from the query string.

26
00:02:26,760 --> 00:02:35,970
And a sink is a function or DOM object that allows JavaScript code execution or the rendering of HTML.

27
00:02:37,760 --> 00:02:41,870
Now, an example of a code execution sink is eval.

28
00:02:42,880 --> 00:02:49,330
And an example of an HTML sink is document.body.innerHTML.

29
00:02:51,420 --> 00:02:54,450
OK, so on this page, there are several sources to play with.

30
00:02:55,920 --> 00:02:57,900
I'm going to continue with the first one.

31
00:02:58,810 --> 00:03:02,480
It provides a language selection function.

32
00:03:04,050 --> 00:03:08,640
So choose a language and select, and the URL will change to this.

33
00:03:09,860 --> 00:03:15,840
The type parameter specifies the source type, and the lang parameter defines the chosen language.

34
00:03:16,640 --> 00:03:19,670
So view the source like we always do.

35
00:03:21,450 --> 00:03:25,080
And as you can see, here is JavaScript code.

36
00:03:26,430 --> 00:03:30,150
And it uses the data in the document.URL source.

37
00:03:31,440 --> 00:03:34,380
So it looks for the lang parameter in the URL.

38
00:03:35,430 --> 00:03:40,560
Then it uses the decoded value of this parameter in the HTML option tag.

39
00:03:42,220 --> 00:03:46,930
So then this JavaScript code is what you're going to see when you view the source.

40
00:03:48,590 --> 00:03:56,330
Now, there's no way for me to understand from the source that I chose Spanish, but if you view

41
00:03:56,420 --> 00:03:58,220
the DOM, it differs.

42
00:03:58,820 --> 00:04:05,870
So open the developer tool, then pick the dropdown element and look at the code in the inspector tab.

43
00:04:06,540 --> 00:04:10,520
It shows the latest source for the browser to display the chosen language.

44
00:04:12,200 --> 00:04:14,990
So we can determine the chosen language here.

45
00:04:16,240 --> 00:04:21,730
Now, enable FoxyProxy and choose English, then submit.

46
00:04:23,270 --> 00:04:27,350
Burp gets the request, very straightforward.

47
00:04:29,120 --> 00:04:36,440
And the response comes up, so let's look here, there's really no way to understand the German language

48
00:04:36,440 --> 00:04:37,430
directly, right.

49
00:04:38,270 --> 00:04:43,580
But the JavaScript code uses the URL source and detects the language.

50
00:04:44,790 --> 00:04:52,050
So now let's turn this into a mechanism that will execute scripts for us.

51
00:04:53,170 --> 00:04:55,960
Just add an alert code to the end of the URL.

52
00:04:57,170 --> 00:05:00,110
And yes, it works.

53
00:05:01,710 --> 00:05:04,590
So open the web developer tool and pick the element.

54
00:05:06,170 --> 00:05:07,910
And you see here, this is our payload.

55
00:05:09,730 --> 00:05:14,290
OK, so now we can use our famous payload to send the session ID.

56
00:05:15,730 --> 00:05:21,060
And I'm not going to close the developer tool, or I'll need to open it again.

57
00:05:22,260 --> 00:05:27,780
And go to the network tab, then paste the payload and hit enter.

58
00:05:29,180 --> 00:05:31,820
And we can observe the cookie value sent.

59
00:05:33,360 --> 00:05:35,310
So go to the inspector tab.

60
00:05:36,570 --> 00:05:38,070
Pick the dropdown menu.

61
00:05:41,160 --> 00:05:43,530
Open these collapsed parts.

62
00:05:44,730 --> 00:05:47,910
And here is the payload that we've entered.

63
00:05:49,650 --> 00:05:51,210
So now open the Stelara.

64
00:05:52,470 --> 00:05:53,430
Refresh the page.

65
00:05:54,660 --> 00:05:57,420
And the first one is the session, and it's coming up.

66
00:05:59,030 --> 00:06:00,680
So go back to Kali.

67
00:06:02,250 --> 00:06:04,350
OK, so now let's look at different levels.

68
00:06:05,320 --> 00:06:09,660
So change it to medium first, choose the source again.

69
00:06:10,590 --> 00:06:16,950
Select the language to see the parameters, and I'm going to paste this simple JavaScript code and go.

70
00:06:18,510 --> 00:06:22,920
OK, so it doesn't work, but remember, in this level, the script tags are not allowed.

71
00:06:24,210 --> 00:06:27,180
And actually, this phrase is not allowed.

72
00:06:29,060 --> 00:06:30,770
So we need to create another payload.

73
00:06:32,750 --> 00:06:37,490
Open the developer tool, pick, yeah, pick the element.

74
00:06:38,310 --> 00:06:40,610
Now, here is the option tag.

75
00:06:41,880 --> 00:06:47,820
OK, so now we need to find a way to inject the JavaScript code here to execute.

76
00:06:49,250 --> 00:06:52,160
So we're going to create the payload step by step.

77
00:06:54,180 --> 00:07:00,360
First, complete the opening option tag, then close the option tag.

78
00:07:01,990 --> 00:07:03,820
And then close the select tag.

79
00:07:05,410 --> 00:07:08,920
So now we can write our payload without a script tag.

80
00:07:10,330 --> 00:07:12,640
So now I'm going to write this.

81
00:07:14,210 --> 00:07:17,600
And I'll use JavaScript in an event method.

82
00:07:19,040 --> 00:07:21,170
Let's copy it now.

83
00:07:21,230 --> 00:07:24,050
Yeah, I forgot to write something for the rest.

84
00:07:25,250 --> 00:07:26,810
I think you can handle that.

85
00:07:26,820 --> 00:07:29,360
Yeah, OK, so I'm going to paste.

86
00:07:30,780 --> 00:07:35,190
But I'll close the tool and paste and then go.

87
00:07:37,430 --> 00:07:40,220
And perfect, the page executes our payload.

88
00:07:41,220 --> 00:07:44,040
Now, exploitation will be up to you.

89
00:07:45,650 --> 00:07:47,660
OK, so now enable FoxyProxy.

90
00:07:49,110 --> 00:07:50,520
And refresh the page.

91
00:07:52,590 --> 00:07:54,210
So this is what it looks like in Burp.

92
00:07:55,650 --> 00:07:59,490
And here's our payload sent to the server as well.

93
00:08:00,580 --> 00:08:05,230
So if there is no check at the back end, DOM XSS will arise.

94
00:08:06,200 --> 00:08:07,250
So forward all.

95
00:08:09,200 --> 00:08:10,550
And the alert appears.

96
00:08:12,150 --> 00:08:16,620
All right, so the last level, so first choose the source.

97
00:08:18,010 --> 00:08:21,370
Select the language, you see the language parameter.

98
00:08:22,880 --> 00:08:27,350
And now we can add our sample JavaScript payload here.

99
00:08:28,220 --> 00:08:29,900
Yes, alerting code.

100
00:08:30,920 --> 00:08:39,650
Oh, nothing happens, so remember the code checks to see if the language parameter has one of the languages

101
00:08:39,650 --> 00:08:40,510
in the box.

102
00:08:41,730 --> 00:08:44,040
So we may have a problem.

103
00:08:45,220 --> 00:08:49,240
But have no fear and no worries at all because.

104
00:08:50,370 --> 00:08:53,610
You have also seen the solution, do you remember?

105
00:08:55,010 --> 00:08:55,820
I'll take you through it.

106
00:08:55,850 --> 00:08:57,380
OK, so enable Burp.

107
00:08:58,990 --> 00:09:00,820
Paste the payload and go.

108
00:09:02,180 --> 00:09:03,590
We get the request in Burp.

109
00:09:04,870 --> 00:09:12,010
And see, the payload is sent to the server and this causes the error, and then forward the rest.

110
00:09:13,930 --> 00:09:17,320
OK, so let me go back to clear the URL.

111
00:09:20,180 --> 00:09:22,610
And now I can paste the same payload here.

112
00:09:23,740 --> 00:09:32,110
And the way to send this payload to the server may not be obvious, but there is a way.

113
00:09:34,010 --> 00:09:36,620
So just put a pound symbol here.

114
00:09:38,000 --> 00:09:41,570
And the rest after this symbol won't be sent to the server.

115
00:09:44,380 --> 00:09:47,340
So let's hit enter and look at Burp.

116
00:09:49,060 --> 00:09:55,180
And the payload is not in the request. Forward and let it all go.

117
00:09:56,920 --> 00:09:58,600
And the alert message appears.

118
00:10:00,460 --> 00:10:03,970
And once again, I will leave the exploitation up to you.

