1
00:00:00,590 --> 00:00:04,920
Now, this type of XSS is the most dangerous one.

2
00:00:06,410 --> 00:00:13,220
It occurs when the malicious input in an HTTP request is stored at the back end for later use.

3
00:00:14,330 --> 00:00:21,440
So here, the attacker doesn't need to perform any clever social engineering techniques because the

4
00:00:21,470 --> 00:00:27,740
malicious script is stored at the back end and then embedded into the pages that are viewed by other

5
00:00:27,740 --> 00:00:28,160
users.

6
00:00:29,410 --> 00:00:35,860
So the users trust the application and the attacker's script is executed in their browser.

7
00:00:38,070 --> 00:00:43,950
It's also known as persistent, second-order, or type 2 XSS.

8
00:00:46,050 --> 00:00:47,550
OK, so open up Kali.

9
00:00:48,480 --> 00:00:49,380
Log in to bWAPP.

10
00:00:50,280 --> 00:00:52,740
And open XSS - Stored (Blog).

11
00:00:54,500 --> 00:00:56,000
And again, it's a sample page.

12
00:00:57,490 --> 00:01:03,220
So it looks just like a comment page, and you can add and delete your entries.

13
00:01:04,460 --> 00:01:10,990
So let's check "show all" here to show all the entries from the other users as well.

14
00:01:11,940 --> 00:01:14,970
And here you can see that comments are listed just like this.

15
00:01:16,650 --> 00:01:18,870
So you can view someone else's comments also.

16
00:01:21,250 --> 00:01:22,480
Let's view the page source.

17
00:01:23,980 --> 00:01:27,010
Doesn't look like there's anything suspicious in the source.

18
00:01:28,890 --> 00:01:31,320
And the comments are listed in a table.

19
00:01:33,770 --> 00:01:39,550
OK, so now I'm going to do the same thing that we did for reflected XSS.

20
00:01:41,190 --> 00:01:47,970
I'll first try to add HTML tags, so paste an HTML h1 tag and submit.

21
00:01:49,090 --> 00:01:49,840
And it works.

22
00:01:51,250 --> 00:01:54,880
And paste an HTML link and then submit.

23
00:01:56,630 --> 00:01:59,100
It also works.

24
00:01:59,780 --> 00:02:01,640
OK, so view page source.

25
00:02:06,030 --> 00:02:10,350
And you see, the HTML tags I entered are lying in the source.

26
00:02:11,550 --> 00:02:15,450
They are not escaped, not sanitized, nothing else.

27
00:02:16,560 --> 00:02:20,070
So now open a terminal to see the code.

28
00:02:22,140 --> 00:02:23,550
And this is the code file.

29
00:02:24,500 --> 00:02:33,200
Now, don't confuse this with the SQL injection functions; the actual XSS check happens below.

30
00:02:34,560 --> 00:02:39,000
This just prevents you from performing SQL injections on the same form.

31
00:02:40,840 --> 00:02:46,000
So if the level is low, there's no check and the entry is added to the database.

32
00:02:47,310 --> 00:02:50,100
And this part is retrieving the comments.

33
00:02:51,910 --> 00:02:56,470
So if "show all" is checked, it will use this SQL query.

34
00:02:58,100 --> 00:02:59,840
Otherwise, it will use this one.

35
00:03:02,090 --> 00:03:07,430
And after querying the database, according to the security level, it will show the data on the page.

36
00:03:09,410 --> 00:03:18,680
Now, if the level is high, xss_check_3 is called; for medium, xss_check_4 is called; and for low, there

37
00:03:18,680 --> 00:03:19,460
is no check.

38
00:03:20,780 --> 00:03:28,580
OK, so the best part of these vulnerable applications is this: you can view the code and understand

39
00:03:28,580 --> 00:03:30,290
the hacking process better.

40
00:03:31,140 --> 00:03:33,920
So follow me, go to Firefox.

41
00:03:35,060 --> 00:03:38,240
Now, paste the popular XSS payload.

42
00:03:39,170 --> 00:03:41,270
And yeah, you guessed it right.

43
00:03:41,300 --> 00:03:42,830
document.cookie.

44
00:03:44,650 --> 00:03:47,470
So the script executes and the cookie value is printed.

45
00:03:49,100 --> 00:03:52,190
All right, so this means that we can run JavaScript on the page.

46
00:03:54,110 --> 00:03:57,650
So the next thing to do is collect the session ID.

47
00:03:59,280 --> 00:04:01,520
And that's why I'm going to paste this payload again.

48
00:04:02,800 --> 00:04:06,730
And remember to open the web developer tool and submit it.

49
00:04:08,120 --> 00:04:15,560
As you watch the web developer tool, the Base64 cookie value is sent to the cookie stealer app.

50
00:04:16,810 --> 00:04:22,060
So open the cookie stealer app, refresh the page.

51
00:04:23,050 --> 00:04:24,340
And here's the cookie.

52
00:04:26,770 --> 00:04:28,060
OK, so go to Check Session.

53
00:04:29,330 --> 00:04:30,410
This is our user.

54
00:04:32,140 --> 00:04:34,210
And we're able to get the session ID.

55
00:04:36,000 --> 00:04:37,200
So now go back to Kali.

56
00:04:39,290 --> 00:04:41,540
Then change the level to medium.

57
00:04:43,940 --> 00:04:45,920
And then just add the same payload again.

58
00:04:48,570 --> 00:04:52,710
Open web developer as well and submit.

59
00:04:55,210 --> 00:05:00,760
And now we cannot see the request sent to the stealer app.

60
00:05:02,630 --> 00:05:05,660
So then just right-click on the page and view source.

61
00:05:07,120 --> 00:05:12,250
So now, look, backslashes are added in before the single and double quotes.

62
00:05:14,750 --> 00:05:18,500
And this prevents the JavaScript payload from executing.

63
00:05:20,010 --> 00:05:25,740
So remember, in the code, there is an xss_check_4 function, and that's called for the medium

64
00:05:25,740 --> 00:05:26,100
level.

65
00:05:28,250 --> 00:05:32,810
And this function calls a PHP built-in function, addslashes.

66
00:05:34,010 --> 00:05:37,160
So that's why we see these extra slashes here.

67
00:05:38,890 --> 00:05:42,250
Now, in order to bypass this security measure,

68
00:05:43,230 --> 00:05:47,070
there are a few ways, so I'm going to show you just one now.

69
00:05:48,690 --> 00:05:51,300
And I'll serve the actual payload code

70
00:05:52,230 --> 00:05:54,150
on my host as a script file.

71
00:05:55,410 --> 00:06:01,920
And it is completely the same as the previous payload, except for the script tags.

72
00:06:04,580 --> 00:06:09,800
All right, so after that, I am just going to call that file from Firefox.

73
00:06:11,120 --> 00:06:13,190
And so I'm going to paste this payload here.

74
00:06:14,360 --> 00:06:17,570
The source attribute has no single or double quotes.

75
00:06:18,790 --> 00:06:23,340
I'm not going to add them because the DOM will normalize this code and add them for me.

76
00:06:24,730 --> 00:06:28,810
OK, so open developer tools and submit.

77
00:06:30,870 --> 00:06:32,370
And look at that, it is done.

78
00:06:33,800 --> 00:06:36,890
First, the page includes the script file from my host.

79
00:06:37,830 --> 00:06:42,360
And then the script executes and sends the cookie value to the stealer app on my host.

80
00:06:44,610 --> 00:06:47,340
So go to the stealer app and refresh.

81
00:06:48,770 --> 00:06:50,300
And the session value is here.

82
00:06:52,160 --> 00:06:54,800
That's right, this is our user.

83
00:06:56,760 --> 00:06:58,170
OK, so go back to Kali.

84
00:06:59,420 --> 00:07:01,910
Now, let me summarize what we did here.

85
00:07:02,980 --> 00:07:09,340
We validated that there is a stored XSS vulnerability on the target application.

86
00:07:10,260 --> 00:07:15,630
And why is it stored? Because the payloads we provide are stored at the back end in a database.

87
00:07:16,440 --> 00:07:23,460
So here's a question: how can we exploit such a vulnerability to collect the session IDs of users?

88
00:07:24,940 --> 00:07:30,610
The answer is we don't need to do anything, because we already have.

89
00:07:31,780 --> 00:07:37,420
So we injected the XSS payload into the page and now it is stored in the database.

90
00:07:38,620 --> 00:07:45,220
So whenever a user visits this page, our XSS payload will automatically execute within their browser.

91
00:07:46,710 --> 00:07:50,090
So I'm going to open Chrome and go to bWAPP.

92
00:07:52,630 --> 00:07:56,140
And I'm going to log in as bWAPP user number 2.

93
00:07:57,850 --> 00:08:00,850
And I'm going to visit the Stored XSS page.

94
00:08:04,150 --> 00:08:08,200
And let me just zoom in here for you, check "show all".

95
00:08:09,160 --> 00:08:12,340
And write something here and submit.

96
00:08:13,780 --> 00:08:18,850
Now, scroll down to see what is displayed, and here's your comment.

97
00:08:20,260 --> 00:08:23,110
Now, have a look, though, some of them are not displayed.

98
00:08:24,010 --> 00:08:25,840
So let's view the page source now.

99
00:08:26,750 --> 00:08:27,950
And scroll down.

100
00:08:29,730 --> 00:08:31,020
All right, so look here.

101
00:08:32,260 --> 00:08:39,340
All JavaScript payloads that we tried are here in the page, so as soon as this user opens the page,

102
00:08:39,340 --> 00:08:41,830
these payloads are executed in his browser.

103
00:08:43,310 --> 00:08:47,060
Then go over to the stealer app, refresh the page.

104
00:08:48,020 --> 00:08:57,110
And a new session opens, so go to Check Session, and all right, so perfect, we have the user session

105
00:08:57,110 --> 00:08:57,500
value.

106
00:08:59,010 --> 00:09:00,480
See, so this is really cool, huh?

107
00:09:01,770 --> 00:09:03,540
So go back to Firefox.

108
00:09:04,610 --> 00:09:10,100
And I want to show you just a small thing here as well, so set the level to low.

109
00:09:11,390 --> 00:09:14,660
And I'm going to paste this payload and submit.

110
00:09:17,990 --> 00:09:22,250
Now, look here, this is also a way of exploiting the users.

111
00:09:23,230 --> 00:09:28,900
So click this link and it will display a multiplatform login screen.

112
00:09:30,260 --> 00:09:38,720
So this is just, you know, a matter of social engineering, a little psychology, so I use this simple

113
00:09:38,720 --> 00:09:46,370
login screen, but you can detect and copy other applications of your customers as well and then serve

114
00:09:46,370 --> 00:09:53,000
the HTML interface of these apps to be able to use in social engineering attacks, perhaps against any

115
00:09:53,000 --> 00:09:54,830
of those companies' employees.

