1
00:00:00,300 --> 00:00:01,350
- Welcome back.

2
00:00:01,350 --> 00:00:03,780
I want to talk about another vulnerability

3
00:00:03,780 --> 00:00:04,770
that we mentioned

4
00:00:04,770 --> 00:00:08,520
in the theory video, and that is cross site scripting.

5
00:00:08,520 --> 00:00:09,510
If you remember,

6
00:00:09,510 --> 00:00:12,420
this is a vulnerability where we execute code due

7
00:00:12,420 --> 00:00:15,120
to poor user input filtering.

8
00:00:15,120 --> 00:00:16,950
In this attack, it is not

9
00:00:16,950 --> 00:00:19,050
the server that is getting targeted

10
00:00:19,050 --> 00:00:21,813
but the users that visit that website.

11
00:00:22,770 --> 00:00:25,830
There are three main types of XSS attack.

12
00:00:25,830 --> 00:00:29,340
There is reflected XSS, stored XSS

13
00:00:29,340 --> 00:00:31,770
and DOM based XSS.

14
00:00:31,770 --> 00:00:34,980
And in this course we'll be covering the first two,

15
00:00:34,980 --> 00:00:39,000
which are reflected and stored XSS.

16
00:00:39,000 --> 00:00:42,270
But before we do that, let's quickly remind ourselves

17
00:00:42,270 --> 00:00:46,410
of the scenario as to how this attack looks.

18
00:00:46,410 --> 00:00:50,070
So, the attacker finds an XSS vulnerability.

19
00:00:50,070 --> 00:00:52,590
They inject JavaScript code that they want the

20
00:00:52,590 --> 00:00:55,320
target to execute inside of their browsers,

21
00:00:55,320 --> 00:00:57,977
and then anyone who visits that web page

22
00:00:57,977 --> 00:01:01,623
will execute the JavaScript code that you injected.

23
00:01:02,460 --> 00:01:06,000
This is an example of stored XSS,

24
00:01:06,000 --> 00:01:09,360
where the victim doesn't have to click on any links.

25
00:01:09,360 --> 00:01:12,810
All they need to do is to visit the same page on their own

26
00:01:12,810 --> 00:01:16,710
and they will execute that script that you injected.

27
00:01:16,710 --> 00:01:18,930
So, how does this work?
28
00:01:18,930 --> 00:01:22,110
Well, this is possible only in case the script

29
00:01:22,110 --> 00:01:26,190
that you injected is getting stored on the server.

30
00:01:26,190 --> 00:01:28,830
This would most likely be if there is, for example,

31
00:01:28,830 --> 00:01:31,290
a page where you need to type in some type

32
00:01:31,290 --> 00:01:34,890
of a comment and then that comment will show on that page.

33
00:01:34,890 --> 00:01:37,050
If that comment input is vulnerable,

34
00:01:37,050 --> 00:01:39,870
then you most likely will have a stored XSS,

35
00:01:39,870 --> 00:01:41,940
because anyone loading that page

36
00:01:41,940 --> 00:01:44,820
after that will load your comment as well.

37
00:01:44,820 --> 00:01:47,190
And if your comment was JavaScript code,

38
00:01:47,190 --> 00:01:49,650
they will execute that code.

39
00:01:49,650 --> 00:01:50,730
So what does this mean?

40
00:01:50,730 --> 00:01:53,580
Well, this means once you inject it, it'll stay

41
00:01:53,580 --> 00:01:56,520
on the server and the server will host that page

42
00:01:56,520 --> 00:02:01,446
with malicious JavaScript code to anyone trying to visit it.

43
00:02:01,446 --> 00:02:04,650
On the other hand, reflected XSS is

44
00:02:04,650 --> 00:02:06,240
a little bit different.

45
00:02:06,240 --> 00:02:08,970
It won't work on anyone that visits the page.

46
00:02:08,970 --> 00:02:12,330
It'll only work if you send a link with malicious code

47
00:02:12,330 --> 00:02:13,650
to someone.

48
00:02:13,650 --> 00:02:17,130
In this scenario, the server doesn't store our injected code

49
00:02:17,130 --> 00:02:19,920
on their site, so it won't be hosting the page

50
00:02:19,920 --> 00:02:21,420
with our code.

51
00:02:21,420 --> 00:02:25,470
However, the code injection vulnerability could still exist.
52
00:02:25,470 --> 00:02:28,830
If we find it, then we would craft our JavaScript code

53
00:02:28,830 --> 00:02:31,830
that we want victims to execute, and we would send

54
00:02:31,830 --> 00:02:34,830
those links to anyone that we want.

55
00:02:34,830 --> 00:02:37,855
Once they click on the link and open the website page,

56
00:02:37,855 --> 00:02:41,760
our JavaScript code will also get executed.

57
00:02:41,760 --> 00:02:44,730
Now, these types of attacks are usually used

58
00:02:44,730 --> 00:02:49,140
for session stealing or by attackers to mine on targets' PCs

59
00:02:49,140 --> 00:02:51,480
and create web botnets.

60
00:02:51,480 --> 00:02:54,510
But our goal is to just find the bug itself,

61
00:02:54,510 --> 00:02:57,210
and we will demonstrate how cookie stealing works

62
00:02:57,210 --> 00:02:58,500
later.

63
00:02:58,500 --> 00:03:00,510
Let's get straight into it.

64
00:03:00,510 --> 00:03:02,580
Okay. So, the thing that we need

65
00:03:02,580 --> 00:03:04,260
is our Metasploitable running.

66
00:03:04,260 --> 00:03:05,820
I got it already up.

67
00:03:05,820 --> 00:03:09,510
And we also need the DVWA page.

68
00:03:09,510 --> 00:03:11,400
Make sure that you have Burp running

69
00:03:11,400 --> 00:03:13,290
with intercept turned off.

70
00:03:13,290 --> 00:03:14,820
And once you do all of that,

71
00:03:14,820 --> 00:03:18,720
you want to navigate to the XSS reflected right here,

72
00:03:18,720 --> 00:03:20,490
because this is the first example

73
00:03:20,490 --> 00:03:23,700
of XSS that we are going to cover in this video.

74
00:03:23,700 --> 00:03:25,680
Another thing that you want to do is you want to

75
00:03:25,680 --> 00:03:30,510
set the security level to be low for our first example,

76
00:03:30,510 --> 00:03:32,100
and let's give it a try to figure

77
00:03:32,100 --> 00:03:36,390
out whether this even has an XSS vulnerability.

78
00:03:36,390 --> 00:03:39,270
So, what does this application do?
79
00:03:39,270 --> 00:03:43,290
Well, here it asks us to input our name.

80
00:03:43,290 --> 00:03:46,680
So, I will just go and type here Alexa inside

81
00:03:46,680 --> 00:03:49,590
of this input just to see what happens.

82
00:03:49,590 --> 00:03:54,240
So, if I click on submit, okay, so it prints out

83
00:03:54,240 --> 00:03:58,440
hello Alexa, what a welcoming application, right?

84
00:03:58,440 --> 00:04:02,130
And this right here is an example of how it should work.

85
00:04:02,130 --> 00:04:03,420
You type in your name,

86
00:04:03,420 --> 00:04:07,230
it'll welcome you with hello and then your name.

87
00:04:07,230 --> 00:04:12,230
However, what happens once we try to inject JavaScript code,

88
00:04:12,330 --> 00:04:14,321
the most simple JavaScript code,

89
00:04:14,321 --> 00:04:17,399
and what we usually do first once hunting

90
00:04:17,399 --> 00:04:20,370
for XSS is type this code.

91
00:04:20,370 --> 00:04:23,340
So, let me go in terminal just so you can see it better.

92
00:04:23,340 --> 00:04:25,359
So, this arrow to the left,

93
00:04:25,359 --> 00:04:28,803
then script, arrow to the right, alert.

94
00:04:29,790 --> 00:04:34,110
And inside of the brackets we put one between single quotes,

95
00:04:34,110 --> 00:04:37,140
or you can actually put anything you want,

96
00:04:37,140 --> 00:04:39,663
and you close the script tag.

97
00:04:40,620 --> 00:04:43,980
And this right here is JavaScript code.

98
00:04:43,980 --> 00:04:47,520
It tells the page to alert us with number one.

99
00:04:47,520 --> 00:04:48,353
And once again,

100
00:04:48,353 --> 00:04:51,420
you can specify anything between these quotes.

101
00:04:51,420 --> 00:04:53,010
So, what does this mean?

102
00:04:53,010 --> 00:04:55,810
This means it'll open that small popup window

103
00:04:55,810 --> 00:04:59,730
at the top of the page where it should print out one.
104
00:04:59,730 --> 00:05:03,330
And these script tags right here are just a way

105
00:05:03,330 --> 00:05:05,730
for us to tell the webpage, hey,

106
00:05:05,730 --> 00:05:07,737
anything that's inside of these script tags

107
00:05:07,737 --> 00:05:12,420
you should read as JavaScript code and not HTML code.

108
00:05:12,420 --> 00:05:15,390
And this at the end is just the closing script tag,

109
00:05:15,390 --> 00:05:16,620
which is telling the webpage,

110
00:05:16,620 --> 00:05:18,528
here is where JavaScript code ends.

111
00:05:18,528 --> 00:05:22,260
This alert is a JavaScript function that will

112
00:05:22,260 --> 00:05:25,320
alert whatever is inside of these brackets.

113
00:05:25,320 --> 00:05:28,710
So, let's give it a try and let's input this inside

114
00:05:28,710 --> 00:05:31,230
of our user input instead of a name.

115
00:05:31,230 --> 00:05:36,230
I will copy it, go to my page and paste it right here.

116
00:05:37,890 --> 00:05:40,860
So, script, alert and close script.

117
00:05:40,860 --> 00:05:44,940
I click on submit, and here it is.

118
00:05:44,940 --> 00:05:47,070
We have an XSS vulnerability.

119
00:05:47,070 --> 00:05:51,090
Since it ran our code and it opened this small window,

120
00:05:51,090 --> 00:05:54,570
we can see it says one, which is what we alerted.

121
00:05:54,570 --> 00:05:57,570
Well, this was pretty easy since this was

122
00:05:57,570 --> 00:06:00,960
on low settings; we can assume no user input was filtered,

123
00:06:00,960 --> 00:06:03,570
therefore we managed to execute this.

124
00:06:03,570 --> 00:06:06,210
And as easy as this looks, there are many,

125
00:06:06,210 --> 00:06:07,449
many pages that are currently

126
00:06:07,449 --> 00:06:11,160
on the internet that are vulnerable to this type of bug,

127
00:06:11,160 --> 00:06:13,431
even with this simple script.
128
00:06:13,431 --> 00:06:17,460
And as harmless as this looks, it can be used to

129
00:06:17,460 --> 00:06:21,240
do some serious damage on the client side depending

130
00:06:21,240 --> 00:06:24,003
on what exactly you send them as JavaScript code.

131
00:06:24,930 --> 00:06:26,370
Let me show you what I mean.

132
00:06:26,370 --> 00:06:27,203
What you would do

133
00:06:27,203 --> 00:06:29,850
after actually creating the XSS vulnerability

134
00:06:29,850 --> 00:06:32,583
and finding it, you would copy the link

135
00:06:32,583 --> 00:06:36,030
with the JavaScript code that you injected,

136
00:06:36,030 --> 00:06:38,640
and anyone that clicks on the link.

137
00:06:38,640 --> 00:06:40,080
So, I will just simulate right here

138
00:06:40,080 --> 00:06:41,340
someone clicking on the link:

139
00:06:41,340 --> 00:06:45,000
they click on the link that you sent, they press enter.

140
00:06:45,000 --> 00:06:46,557
They will also execute

141
00:06:46,557 --> 00:06:49,290
that JavaScript code, as we can see right here.

142
00:06:49,290 --> 00:06:53,670
They will also get a pop-up window that says one,

143
00:06:53,670 --> 00:06:56,640
and this is a reflected cross site scripting attack.

144
00:06:56,640 --> 00:07:00,120
Anyone that opens this link will also execute this.

145
00:07:00,120 --> 00:07:03,527
They don't have to type the JavaScript code themselves.

146
00:07:03,527 --> 00:07:06,750
Now that we did this, let us also take a quick look

147
00:07:06,750 --> 00:07:09,060
at the source code of this page.

148
00:07:09,060 --> 00:07:11,700
So, I will open view source,

149
00:07:11,700 --> 00:07:15,707
and here is the PHP code for this specific page,

150
00:07:15,707 --> 00:07:19,573
and they just paste our input right here.

151
00:07:19,573 --> 00:07:23,280
They don't perform any filtering whatsoever.
152
00:07:23,280 --> 00:07:25,680
Now that we covered the low security level,

153
00:07:25,680 --> 00:07:27,300
let's try to find XSS

154
00:07:27,300 --> 00:07:30,030
in a medium level security to see if it works.

155
00:07:30,030 --> 00:07:33,660
So, I will close this, go to the DVWA security

156
00:07:33,660 --> 00:07:37,080
and I will change from low to medium.

157
00:07:37,080 --> 00:07:41,610
Click on submit and this will change everything to a medium.

158
00:07:41,610 --> 00:07:43,830
So, let's go back to XSS reflected.

159
00:07:43,830 --> 00:07:46,920
And let's first type the name to see

160
00:07:46,920 --> 00:07:49,890
whether it gives the same output, and it does:

161
00:07:49,890 --> 00:07:52,500
it prints out Hello and then the name.

162
00:07:52,500 --> 00:07:55,364
So now let's try the same script that we did

163
00:07:55,364 --> 00:07:57,180
with the low security.

164
00:07:57,180 --> 00:08:01,080
So open script tag, I will alert one

165
00:08:01,080 --> 00:08:03,913
and I will close script tag,

166
00:08:03,913 --> 00:08:05,463
click on submit.

167
00:08:06,420 --> 00:08:10,920
Hmm, it seems that they actually remove the script tag.

168
00:08:10,920 --> 00:08:12,450
We can only see right here:

169
00:08:12,450 --> 00:08:14,130
Hello alert one.

170
00:08:14,130 --> 00:08:17,520
And it doesn't give us a popup window that says one.

171
00:08:17,520 --> 00:08:20,790
This means there is some type of filtering performed

172
00:08:20,790 --> 00:08:23,640
on this page, because we don't get that window

173
00:08:23,640 --> 00:08:26,610
and our code doesn't get executed.

174
00:08:26,610 --> 00:08:27,630
By the output

175
00:08:27,630 --> 00:08:31,170
of our application, we can assume that the filtering

176
00:08:31,170 --> 00:08:34,470
performs removing of script tags.

177
00:08:34,470 --> 00:08:36,330
And usually this is the type of filtering that you

178
00:08:36,330 --> 00:08:37,380
will encounter.

179
00:08:37,380 --> 00:08:41,130
Why? Well, because script tags automatically mean to

180
00:08:41,130 --> 00:08:44,039
the developed page that JavaScript code is coming.

181
00:08:44,039 --> 00:08:46,920
So some webpages perform filtering just

182
00:08:46,920 --> 00:08:49,710
by removing this script tag.

183
00:08:49,710 --> 00:08:52,830
But let's see whether they filtered it well enough.

184
00:08:52,830 --> 00:08:54,720
They seem to have filtered

185
00:08:54,720 --> 00:08:59,700
script like this, but have they filtered

186
00:08:59,700 --> 00:09:02,640
script like this?

187
00:09:02,640 --> 00:09:05,130
What if I write it in capital letters?

188
00:09:05,130 --> 00:09:07,320
Will that also be filtered?

189
00:09:07,320 --> 00:09:08,190
Let's give it a try.

190
00:09:08,190 --> 00:09:11,063
If I type script and then alert

191
00:09:11,063 --> 00:09:15,900
and I also close the script with capital letters,

192
00:09:15,900 --> 00:09:20,900
click on submit, and here it is, we got it to run once again.

193
00:09:21,540 --> 00:09:26,339
So, all we had to do was write script in capital letters.

194
00:09:26,339 --> 00:09:30,420
They only filtered out lowercase script.

195
00:09:30,420 --> 00:09:31,980
Let's make sure that that is the case

196
00:09:31,980 --> 00:09:34,020
by going and visiting the source code.

197
00:09:34,020 --> 00:09:36,930
And let's see, what did they do?

198
00:09:36,930 --> 00:09:39,690
And here it is: inside of the print statement

199
00:09:39,690 --> 00:09:41,730
they used the string replace function

200
00:09:41,730 --> 00:09:46,410
on the script tag and replaced it with an empty string.

201
00:09:46,410 --> 00:09:49,320
And that is the reason why, when we did the first example,

202
00:09:49,320 --> 00:09:51,300
we didn't get script printed out.

203
00:09:51,300 --> 00:09:53,610
We only got alert one printed out,

204
00:09:53,610 --> 00:09:56,430
since they removed our script tag,

205
00:09:56,430 --> 00:10:01,140
but we managed to bypass this with capital script letters.
206
00:10:01,140 --> 00:10:03,870
But what would happen if they, for example,

207
00:10:03,870 --> 00:10:07,020
also filtered the capital script letters?

208
00:10:07,020 --> 00:10:09,870
Well, then we could do something like this.

209
00:10:09,870 --> 00:10:12,480
We could type, and let me write it first

210
00:10:12,480 --> 00:10:14,580
in terminal just so you can see it better.

211
00:10:15,420 --> 00:10:18,270
We could write something like this: scr,

212
00:10:18,270 --> 00:10:23,270
and then open another left arrow, script, close right arrow,

213
00:10:23,820 --> 00:10:27,960
and then ipt, close another right arrow,

214
00:10:27,960 --> 00:10:30,270
alert one,

215
00:10:30,270 --> 00:10:32,580
and close script tags.

216
00:10:32,580 --> 00:10:35,070
And the reason why we are writing script tags like this is

217
00:10:35,070 --> 00:10:39,210
because our webpage only filters the opening script tag.

218
00:10:39,210 --> 00:10:43,412
It only filters this, it doesn't filter the closing script tag.

219
00:10:43,412 --> 00:10:45,630
So, what did we do right here?

220
00:10:45,630 --> 00:10:46,920
Why would this work?

221
00:10:46,920 --> 00:10:49,560
Well, before I explain it, let me first give it a try

222
00:10:49,560 --> 00:10:51,300
on the webpage just to see

223
00:10:51,300 --> 00:10:54,660
if it would work, and it does indeed work.

224
00:10:54,660 --> 00:10:58,200
So, what I essentially did right here is I split

225
00:10:58,200 --> 00:11:03,120
this script tag into two pieces, and what the web page does

226
00:11:03,120 --> 00:11:06,660
is it only filters out the entire script tag.

227
00:11:06,660 --> 00:11:09,180
So, what the web page would do is it would see

228
00:11:09,180 --> 00:11:12,870
this opening bracket, then script and closing bracket.

229
00:11:12,870 --> 00:11:13,787
It would remove it,

230
00:11:13,787 --> 00:11:17,550
but then we would still be left with a script tag.
231
00:11:17,550 --> 00:11:20,270
So, if I go right here and let's pretend that we are

232
00:11:20,270 --> 00:11:23,040
at the webpage, we'll filter out the opening script tag.

233
00:11:23,040 --> 00:11:26,130
So, let's remove this, and what do we get?

234
00:11:26,130 --> 00:11:29,580
Well, we get another opening script tag

235
00:11:29,580 --> 00:11:31,380
that won't be removed,

236
00:11:31,380 --> 00:11:34,230
and that is why this would work as well.

237
00:11:34,230 --> 00:11:38,070
Great. Now let us see the attack where we steal cookies

238
00:11:38,070 --> 00:11:40,710
from the person that visits our link.

239
00:11:40,710 --> 00:11:43,350
Those cookies could then be used to steal their session

240
00:11:43,350 --> 00:11:46,789
and possibly enter their online account on that website,

241
00:11:46,789 --> 00:11:51,180
if the website session management is also poor.

242
00:11:51,180 --> 00:11:54,030
Right now, we will see only how to get that cookie

243
00:11:54,030 --> 00:11:55,520
with cross site scripting.

244
00:11:55,520 --> 00:11:59,220
So, to do this, we must first see where we are

245
00:11:59,220 --> 00:12:01,620
going to receive the cookie value.

246
00:12:01,620 --> 00:12:03,480
So, they will execute the code

247
00:12:03,480 --> 00:12:05,970
and our code will extract the cookie,

248
00:12:05,970 --> 00:12:08,610
but where is it going to send it?

249
00:12:08,610 --> 00:12:12,960
For this, we're going to start a small Python HTTP server

250
00:12:12,960 --> 00:12:15,300
that we will send the cookie to.

251
00:12:15,300 --> 00:12:16,890
So, how to do that?

252
00:12:16,890 --> 00:12:19,530
Well, we can go inside of our terminal and just

253
00:12:19,530 --> 00:12:24,530
type the command Python dash m and then SimpleHTTPServer

254
00:12:27,210 --> 00:12:29,520
and then the port number where we want to host it,

255
00:12:29,520 --> 00:12:32,640
let's say port number 8,000.
256
00:12:32,640 --> 00:12:37,640
If I press enter, this will start the HTTP server

257
00:12:37,920 --> 00:12:42,300
on all interfaces on port 8,000.

258
00:12:42,300 --> 00:12:44,340
Then the malicious JavaScript code

259
00:12:44,340 --> 00:12:47,130
that we want to inject is this right here.

260
00:12:47,130 --> 00:12:49,350
I will first write it in another terminal

261
00:12:49,350 --> 00:12:52,770
and then we are going to copy it inside of the page.

262
00:12:52,770 --> 00:12:57,150
So, we must first start with capital script, because we are

263
00:12:57,150 --> 00:13:00,030
on medium level, the regular script won't work.

264
00:13:00,030 --> 00:13:04,500
Then we can type document dot write, open brackets.

265
00:13:04,500 --> 00:13:08,880
Then type one single quote, open another left arrow

266
00:13:08,880 --> 00:13:13,880
and image source equals, open double quotes, http slash slash

267
00:13:15,840 --> 00:13:20,130
and then the IP address of our Kali Linux machine

268
00:13:20,130 --> 00:13:23,040
and then the port on which we are running

269
00:13:23,040 --> 00:13:27,570
that Python server, which in my case is 8,000.

270
00:13:27,570 --> 00:13:31,200
Then we can add another slash and close single quote,

271
00:13:31,200 --> 00:13:35,890
after it we would add a plus and then document dot cookie,

272
00:13:37,650 --> 00:13:40,230
after that space and another plus.

273
00:13:40,230 --> 00:13:44,610
And after that comes single quote, space, double quote,

274
00:13:44,610 --> 00:13:48,210
close right arrow, another single quote, close bracket, dot

275
00:13:48,210 --> 00:13:52,770
and comma, and then the close script tag.

276
00:13:52,770 --> 00:13:55,140
Okay, I know what you're thinking.

277
00:13:55,140 --> 00:13:57,150
What even is this?

278
00:13:57,150 --> 00:13:59,790
And this can be a little bit challenging for someone

279
00:13:59,790 --> 00:14:02,520
who never encountered JavaScript before.
280
00:14:02,520 --> 00:14:05,940
However, this is just JavaScript syntax.

281
00:14:05,940 --> 00:14:08,070
It's just the programming language.

282
00:14:08,070 --> 00:14:11,790
And after a few times trying XSS, you will pretty much

283
00:14:11,790 --> 00:14:14,760
get used to it and it won't be that weird looking

284
00:14:14,760 --> 00:14:18,090
once you write it, since I assume that for anyone

285
00:14:18,090 --> 00:14:21,210
that hasn't encountered this before, this looks pretty

286
00:14:21,210 --> 00:14:22,043
terrible.

287
00:14:22,043 --> 00:14:24,120
But what we are essentially doing right here

288
00:14:24,120 --> 00:14:26,970
is we are opening the script tag in capital letters because

289
00:14:26,970 --> 00:14:28,530
of the filtering on our page.

290
00:14:28,530 --> 00:14:31,620
And then we are writing the document dot cookie,

291
00:14:31,620 --> 00:14:34,470
which is the session cookie of the user visiting that page

292
00:14:34,470 --> 00:14:38,520
and running this code, and sending that to the IP address

293
00:14:38,520 --> 00:14:40,076
on port 8,000,

294
00:14:40,076 --> 00:14:44,220
since that is where we are running our Python server.

295
00:14:44,220 --> 00:14:48,060
And here we should get printed out the cookie session ID

296
00:14:48,060 --> 00:14:52,110
once someone visits our link with this JavaScript code.

297
00:14:52,110 --> 00:14:53,310
And at the end,

298
00:14:53,310 --> 00:14:55,983
all we are doing is we are closing the script tag.

299
00:14:57,011 --> 00:15:01,140
So let's give it a try and run this in our user input.

300
00:15:01,140 --> 00:15:05,823
Copy it once again, go to our page and type it here.

301
00:15:05,823 --> 00:15:08,560
If I press enter or submit,

302
00:15:09,870 --> 00:15:12,150
well, nothing seems to happen right here,

303
00:15:12,150 --> 00:15:16,140
but if I go to my web server, here it is.

304
00:15:16,140 --> 00:15:18,540
Here is our target's cookie.
305
00:15:18,540 --> 00:15:22,020
Here is PHP session ID, and that is the cookie value.

306
00:15:22,020 --> 00:15:24,780
It even tells right here that we got the security

307
00:15:24,780 --> 00:15:27,720
on medium, and this is something that we might

308
00:15:27,720 --> 00:15:30,360
be able to use to steal their session.

309
00:15:30,360 --> 00:15:32,670
However, more about that later.

310
00:15:32,670 --> 00:15:35,700
For now, we saw how to find an XSS vulnerability

311
00:15:35,700 --> 00:15:38,520
in both low and medium security level.

312
00:15:38,520 --> 00:15:39,353
As I said,

313
00:15:39,353 --> 00:15:42,420
this can be one of the challenging parts of the course.

314
00:15:42,420 --> 00:15:45,780
However, if there is anything you don't quite fully get,

315
00:15:45,780 --> 00:15:48,720
feel free to post the question so we can clarify

316
00:15:48,720 --> 00:15:51,660
it even more and make it understandable.

317
00:15:51,660 --> 00:15:52,493
Great.

318
00:15:52,493 --> 00:15:53,326
In the next video,

319
00:15:53,326 --> 00:15:55,332
we're going to do this same vulnerability,

320
00:15:55,332 --> 00:15:58,230
just we're going to see how it would look

321
00:15:58,230 --> 00:16:01,170
if it was a stored XSS.

322
00:16:01,170 --> 00:16:04,710
Remember, what we covered here is called reflected XSS,

323
00:16:04,710 --> 00:16:07,140
and the target will only execute the code if they

324
00:16:07,140 --> 00:16:10,290
open the link with our JavaScript code.

325
00:16:10,290 --> 00:16:12,360
In the next video, we'll see the vulnerability

326
00:16:12,360 --> 00:16:16,023
where the JavaScript code gets stored on the server itself.