[00:00:00] Welcome back. I want to quickly talk about another vulnerability, or a bug, which is called HTML injection. And it is quite similar to the cross-site scripting attack. Just as its name says, in this type of attack we're not injecting JavaScript code but instead we're injecting HTML code. And you might say that that is not really dangerous. However, even though that is correct, HTML injection is still a bug that you should be searching for. Why? Well, if there is an HTML injection in some big company, what an attacker could do is they could change the entire page look. They could add whatever they want to that page. They could post different pictures. They could completely change that webpage to their own liking just by injecting HTML code. And that would be pretty bad for that company, because someone else would have complete control over what that page looks like. So how can we test for that? How can we find HTML injection?
[00:01:06] Well, you can just go and navigate to the XSS Reflected and XSS Stored pages that we covered in previous videos, and we can test for HTML injections here. So usually what you want to test is different HTML tags, such as h1, h2, or different header tags, just to see whether your input will be interpreted as HTML code. So let's give it a try. Everything is set to low, and if I go right here and just type h1, which is an HTML tag for header size one, and I type test, then close the HTML tag by typing these arrows and then /h1, I click on submit and we can see it does indeed interpret our input as HTML code. If we were to type, for example, h2 or h3 and then test once again, this would be a smaller size, which is a good enough indication that there is an HTML injection on this page. Now, there is no point in us changing this to medium or high, because this specific input is used for JavaScript attacks, so only JavaScript syntax will be filtered. Therefore, HTML injection will be the same on medium level security as well.
[00:02:28] As I mentioned, this is also a bug and it should be reported, because for now we only typed in a small piece of HTML code which changes our input to a size one header and a size three header. But what we could also do, for example, on the Stored page, and let me just reset the database real quick from the previous video where we covered the XSS Stored, is, if you were to type an HTML injection right here, let's say the name will be test, and here we type this code. Let me first write it inside of a terminal and then we are going to copy it to this page, just so you can see everything better. So: open bracket, and then meta, http-equiv, equals, open double quotes, refresh, close double quotes, content, equals, zero, a dot and a comma, and then space, URL, equals, http, slash slash, google.com. And then close double quotes, and close the tag by typing slash and the close right arrow. If we were to inject this code, well, let's just see what would happen.
[00:03:40] Let's copy this code right here. Go to our page and type it here. I click on Sign Guestbook. And do you see what is happening? It is constantly trying to go to a different page, and it is constantly refreshing that page. It pretty much made the page completely unusable, because we cannot even go up here and type something in. So what we must do is we must change to a different directory, such as File Inclusion, and go and clear our database, or reset the database, because we will not be able to visit the Stored page, since it'll automatically start refreshing the page and trying to visit google.com. However, if we were to type the same right here in the Reflected page, and we were to change, for example, from google.com to facebook.com and click on submit, well, pretty much the same thing would happen, but for some reason it doesn't want to visit facebook.com, and we are going to take a look at why that is. Let us see whether we specified something incorrectly. So URL equals http. Okay, so I've tested it out and for some reason it doesn't seem to work on the Kali Linux browser.
[00:05:01] But if I go to my Windows 10 machine and I visit the Metasploitable page, and right here I copy the same code that we just sent in our Kali Linux, we just copy it and try it from our Windows 10 machine. I just changed the URL to be Bing.com, paste it right here and click on submit. Well, now it fully redirects our XSS Reflected input and the entire page to this Bing.com website. Let's give it a try. What happens if we do that on the Stored page? So I type test as the name, and I type this command right here as a message, and it appears that there is a limitation of characters right here. So what we can do is we can inspect the element, navigate to the body, then let's go and find the message input. So under the form we go table, body, and message input. We check right here, it says that the max length is 50. So what I can do is I can type 500, and now if I go and try to copy this, so I will just delete all of this, paste the code and click Sign Guestbook. Well, now it actually redirects.
[00:06:16] So you will see that even when I try to go back and I go, for example, to Brute Force and again to XSS Stored, it'll just load Bing.com. So with the help of code injection we can even redirect pages to different websites. And this is usually what attackers do. So if they find a stored code injection vulnerability, what they will do is they will just inject a redirection link to a different website, possibly a malicious website or a website where they advertise something, or something similar. And every time someone visits a page, for example they want to go to XSS Stored on our Metasploitable page, well, they just load bing.com, and that is the power of the HTML injection vulnerability. So now that we covered this, in the next video we're going to go on to another big vulnerability which is called SQL injection. See you there.