1
00:00:01,300 --> 00:00:08,170
Now let's talk about how we can prevent XSS vulnerabilities. The way these vulnerabilities happen

2
00:00:08,260 --> 00:00:16,510
is because whenever a user enters something into a text box or into a parameter, that input is displayed

3
00:00:16,630 --> 00:00:22,870
in the HTML, so it is treated as if it's part of the page, and therefore if there is JavaScript

4
00:00:22,870 --> 00:00:25,430
in it, the code is being executed.

5
00:00:25,990 --> 00:00:33,620
So to prevent this exploit, the best thing to do is to try and minimize the usage of untrusted input.

6
00:00:33,610 --> 00:00:40,370
So any time a user inputs something, or any time something is input from parameters, try to minimize that.

7
00:00:40,450 --> 00:00:47,590
Also make sure that you always escape wherever that's going to be displayed or used in the HTML

8
00:00:47,590 --> 00:00:53,750
page, because XSS can only be injected into places where things are displayed on the page.

9
00:00:53,870 --> 00:01:02,090
But it can also be injected into parameters of certain elements of the HTML page.

10
00:01:02,150 --> 00:01:08,780
So what I mean by escaping is converting each of these characters to what they would be represented by

11
00:01:08,780 --> 00:01:10,020
in HTML.

12
00:01:10,670 --> 00:01:15,410
You can do that using scripts, and you can do that using your own script.

13
00:01:15,410 --> 00:01:20,600
Now let me show you how this happens. Now I'm here at my vulnerable web page that we were using, and I'm

14
00:01:20,600 --> 00:01:22,800
going to go to this third one.

15
00:01:23,040 --> 00:01:27,270
And obviously you can see that every time you click on that, the XSS runs.

16
00:01:27,270 --> 00:01:29,100
So let's inspect this element.

17
00:01:29,100 --> 00:01:32,550
Now this element is where we injected our alert.

18
00:01:32,970 --> 00:01:41,340
And if you right-click and go on Inspect Element, it will show us the HTML of this page, or the

19
00:01:41,420 --> 00:01:46,260
HTML of this particular element right here, highlighted.

20
00:01:46,300 --> 00:01:54,550
So I'm going to make this bigger, and if we look at it right here you'll see that we have the name, and

21
00:01:54,620 --> 00:01:59,690
that's Zaid, and then the other input, which is the message.

22
00:01:59,790 --> 00:02:06,060
It's a script, and what the script does is alert XSS, so it's exactly what we injected

23
00:02:06,060 --> 00:02:09,470
into it when we did that comment.

24
00:02:09,490 --> 00:02:14,440
So every time we were on this page, this piece of code gets executed.

25
00:02:14,770 --> 00:02:19,900
So what we need to do is we need to make sure, every time a user enters something and that something will

26
00:02:19,900 --> 00:02:24,920
be displayed on a page, or that something will be used somewhere in the argument.

27
00:02:24,920 --> 00:02:32,040
So even the ID here, or even the attribute, the ID is just for example, is a parameter of the div.

28
00:02:32,050 --> 00:02:38,160
It's not displayed, you never see this ID, but this can be injected as well.

29
00:02:38,170 --> 00:02:42,080
So hackers can actually try to inject stuff into the parameters.

30
00:02:42,190 --> 00:02:47,950
They can try to inject stuff into the image attributes, for example they can do an image and inject stuff

31
00:02:47,950 --> 00:02:50,170
into the source or into the URLs.

32
00:02:50,320 --> 00:02:52,090
So this is just an example here.

33
00:02:52,480 --> 00:02:58,440
And every time a user's input is going to be used anywhere on the page, so even if you don't see it, if

34
00:02:58,450 --> 00:03:04,870
you usually don't see it, you need to make sure that you escape that input and make sure that it does not

35
00:03:04,870 --> 00:03:10,600
contain any code, and if it contains any code, that it's converted to its HTML equivalent. Once

36
00:03:10,600 --> 00:03:13,770
you've escaped this, you'll actually see this in the message.

37
00:03:13,770 --> 00:03:19,030
So you see the message as script alert XSS, but it will never be executed.

38
00:03:19,140 --> 00:03:24,320
The script will never actually be executed on the target person when they run it.

39
00:03:26,510 --> 00:03:30,340
And this is exactly what the high security level does.

40
00:03:30,350 --> 00:03:32,400
So let me go to the security settings.

41
00:03:33,890 --> 00:03:39,240
And let me close this, and I'm going to set this to high,

42
00:03:41,900 --> 00:03:49,480
submit it, and we'll go back to our reflected. The same measures are taken in the reflected and

43
00:03:49,490 --> 00:03:50,530
in the stored.

44
00:03:50,810 --> 00:03:58,640
And now if we try to inject any of our codes that we were doing before, for example if we try to inject

45
00:03:58,910 --> 00:04:05,960
this script, so script with XSS and then we close the script, you'll see the script exactly the same

46
00:04:05,960 --> 00:04:07,910
way that you would have seen a normal name.

47
00:04:07,910 --> 00:04:14,660
So if we say Zaid here you'll just see my name, and if we inject our script you'll see it appear

48
00:04:14,690 --> 00:04:17,240
as if it's a normal name. It doesn't appear.

49
00:04:17,240 --> 00:04:22,080
You don't only see what's between the tags, and then the code doesn't even get executed.

50
00:04:22,340 --> 00:04:28,080
If we look at the source, you'll see that you see all the tags, so you can see the script.

51
00:04:28,260 --> 00:04:32,970
You can see the close of the script tag, and everything is being injected properly.

52
00:04:32,970 --> 00:04:38,820
So you'd think that this should work, but it doesn't work, because the website or the web page or the browser

53
00:04:39,240 --> 00:04:45,780
knows that these tags should be treated as HTML characters and should not be treated as part

54
00:04:45,780 --> 00:04:46,710
of the code.

55
00:04:47,130 --> 00:04:55,270
And this is all thanks to a function that's being used here, which is called htmlspecialchars.

56
00:04:55,360 --> 00:04:57,540
So it's all thanks to this function.

57
00:04:57,560 --> 00:05:02,850
So whatever you're putting in the name, it's been filtered through this function.

58
00:05:02,860 --> 00:05:08,830
Now this function will iterate over each character that you entered, and it'll tell HTML, or the

59
00:05:08,830 --> 00:05:12,940
browser, it'll change it to its equivalent in HTML code.

60
00:05:12,940 --> 00:05:16,720
Therefore the browser will know that this is not part of the code,

61
00:05:16,810 --> 00:05:21,340
and this is part of what should be displayed on screen as text.

62
00:05:21,730 --> 00:05:27,880
And this way, no matter what you try to inject, it will be converted to a string of code which will just

63
00:05:27,880 --> 00:05:34,970
be displayed on screen like normal text or normal characters.

64
00:05:34,980 --> 00:05:40,620
Now, as a user, to prevent yourself from being used in an XSS attack.

65
00:05:40,860 --> 00:05:45,540
Now, the URL coming to you will probably look like a URL of a trusted website.

66
00:05:45,540 --> 00:05:51,510
For example, let's assume that you work in a company and there was an XSS in your company, and you

67
00:05:51,510 --> 00:05:55,180
are logging into your company and the code gets executed on you.

68
00:05:55,290 --> 00:06:01,410
Then there isn't much you can do yourself, but you need to be careful. With BeEF, in order to exploit

69
00:06:01,410 --> 00:06:04,840
the vulnerabilities, we were shown for example a fake update.

70
00:06:04,890 --> 00:06:09,240
So make sure, if you get a message that there is an update,

71
00:06:09,360 --> 00:06:14,070
make sure you actually go to the website that provides that application.

72
00:06:14,070 --> 00:06:20,010
So if Firefox said that there's an update, go to the website of Firefox and see if

73
00:06:20,010 --> 00:06:25,800
there is actually an update, and if there is, download it from that website. Don't download it from the

74
00:06:25,800 --> 00:06:27,750
notification that you got.

75
00:06:27,750 --> 00:06:34,260
Also make sure you're downloading it from an HTTPS website, and once you download it you can inspect

76
00:06:34,260 --> 00:06:37,160
it and check it the same way that we've seen before,

77
00:06:37,200 --> 00:06:40,680
to make sure that there are no backdoors or anything in it.

78
00:06:41,250 --> 00:06:46,950
You can also check the checksum to make sure that the file hasn't been manipulated while it was being

79
00:06:46,950 --> 00:06:52,610
downloaded. The same way as when we did the fake Facebook login with BeEF,

80
00:06:52,680 --> 00:06:58,900
so what you can do is, whenever you're told that you got logged out and please log back in again,

81
00:06:58,950 --> 00:06:59,760
ignore that.

82
00:06:59,760 --> 00:07:01,260
Go to facebook.com.

83
00:07:01,290 --> 00:07:11,050
Make sure it's going through HTTPS and then log into Facebook. So always try to be careful with notifications

84
00:07:11,050 --> 00:07:13,330
popping up telling you you need to do stuff.

85
00:07:13,330 --> 00:07:15,380
Always be wary and never trust them.