1 00:00:02,240 --> 00:00:05,300 So there are several types of CSRF in bWAPP.
2 00:00:07,270 --> 00:00:09,420 I want to do one more with you as well.
3 00:00:11,310 --> 00:00:17,400 We can first have a quick look at all the types if you want, so let's log in to bWAPP and go to
4 00:00:17,400 --> 00:00:18,750 CSRF 1.
5 00:00:19,980 --> 00:00:24,180 And this is a password change, and we've exploited the low level.
6 00:00:25,490 --> 00:00:30,410 We looked at the source of the form and mimicked the request triggered by this form.
7 00:00:33,560 --> 00:00:39,950 OK, now change here to two. So here's the second example; view the page source.
8 00:00:42,340 --> 00:00:46,210 As you can see, there are no extra fields to secure the form.
9 00:00:47,250 --> 00:00:50,580 So now I'm going to intercept the request of this form.
10 00:00:53,120 --> 00:00:55,190 And remember to enable FoxyProxy.
11 00:00:56,890 --> 00:00:58,870 And Burp to gather the request.
12 00:01:00,240 --> 00:01:02,160 Data transmits in the URL.
13 00:01:03,200 --> 00:01:07,790 And it is not so different from the example that we did with the password change form.
14 00:01:09,150 --> 00:01:13,020 We just need to change the form field names.
15 00:01:14,020 --> 00:01:15,360 And let it go.
16 00:01:17,760 --> 00:01:25,800 bWAPP also has one more CSRF example, so go to the CSRF 3 page.
17 00:01:27,690 --> 00:01:32,160 Now, this page changes the secret value of the session user.
18 00:01:33,100 --> 00:01:34,210 So view the source.
19 00:01:35,980 --> 00:01:39,070 OK, now see how this form has an additional hidden field.
20 00:01:40,520 --> 00:01:44,300 But it really doesn't bring you any added security.
21 00:01:45,680 --> 00:01:49,550 So the only thing you need to know is the login name of the user.
22 00:01:51,010 --> 00:01:54,930 And when you refresh the page, nothing changes either.
23 00:01:56,200 --> 00:01:59,050 So I'm going to send a request to view it.
24 00:02:00,890 --> 00:02:02,960 OK, the request is here in Burp.
25 00:02:04,760 --> 00:02:09,410 You can easily add these fields to your fake form and request.
26 00:02:10,350 --> 00:02:16,830 So now you just need to enumerate users, then prepare fake forms.
27 00:02:17,980 --> 00:02:19,060 And that's all.
28 00:02:20,730 --> 00:02:24,960 Now go back to CSRF 1 and change the level to medium.
29 00:02:26,920 --> 00:02:30,940 So this is the form that wants the user to fill in the current password as well.
30 00:02:31,960 --> 00:02:32,980 Sure, it's a good measure.
31 00:02:34,280 --> 00:02:36,620 And go to CSRF 2.
32 00:02:38,160 --> 00:02:39,870 Nothing changes in the display.
33 00:02:41,340 --> 00:02:42,540 But view the source.
34 00:02:43,900 --> 00:02:47,100 So this time a token field is added to the form.
35 00:02:49,080 --> 00:02:50,910 Now refresh the page.
36 00:02:53,150 --> 00:02:55,590 But the token value is the same.
37 00:02:56,300 --> 00:03:00,670 So this is not a good implementation either.
38 00:03:01,920 --> 00:03:08,010 So when we fill in the form and send the request, it will be, as you can see, in Burp.
39 00:03:10,140 --> 00:03:18,240 So this time you need to enumerate tokens or force users to use your tokens, like we did in session fixation.
40 00:03:20,040 --> 00:03:23,340 So let it go and go to CSRF 3.
41 00:03:25,810 --> 00:03:27,100 And view the source.
42 00:03:28,570 --> 00:03:30,550 This form also has a token field.
43 00:03:31,620 --> 00:03:33,360 And when you refresh the page.
44 00:03:34,480 --> 00:03:35,560 The token changes.
45 00:03:37,560 --> 00:03:39,570 OK, so fill in the input field.
46 00:03:40,990 --> 00:03:42,460 And this will be the request.
47 00:03:44,050 --> 00:03:49,000 So now we are going to exploit this one. Open up your terminal.
48 00:03:50,090 --> 00:03:53,090 View csrf_3.
49 00:03:55,090 --> 00:03:57,940 So if the level is low, it just changes the value.
50 00:03:59,070 --> 00:04:02,460 But if the level is medium or high, at first it checks the token.
51 00:04:03,970 --> 00:04:05,560 And then it just updates the secret.
52 00:04:07,680 --> 00:04:11,820 And below, you can see the code that produces the token on each request.
53 00:04:13,340 --> 00:04:14,800 So open up your browser again.
54 00:04:16,560 --> 00:04:18,750 OK, so let me summarize the problem.
55 00:04:20,190 --> 00:04:23,220 We have a form that has a hidden token field.
56 00:04:24,050 --> 00:04:27,050 And this field changes on each request.
57 00:04:28,340 --> 00:04:35,240 Even if we create a fake form, we cannot get this value right, because the fake form will be triggered
58 00:04:35,660 --> 00:04:36,770 in another tab.
59 00:04:38,440 --> 00:04:44,530 So fake forms cannot reach what we're looking for in the actual form.
60 00:04:46,190 --> 00:04:52,610 We can add a token field to our fake request, but we cannot add a true value.
61 00:04:54,200 --> 00:04:57,170 So that means we're basically stuck here.
62 00:04:58,850 --> 00:05:01,850 Now, obviously, I have a solution.
63 00:05:03,850 --> 00:05:07,480 So to exploit this vulnerability, we're just going to need another vulnerability.
64 00:05:08,920 --> 00:05:10,360 Cross-site scripting.
65 00:05:11,570 --> 00:05:14,110 So go to the XSS
66 00:05:14,210 --> 00:05:14,590 stored
67 00:05:14,660 --> 00:05:23,810 page, and we're going to look at this vulnerability a little later in greater detail,
68 00:05:24,230 --> 00:05:28,430 but this page stores your entries and shows them just like that.
69 00:05:30,140 --> 00:05:37,640 And, of course, it's vulnerable to XSS, so that means we can execute JavaScript code on the
70 00:05:37,640 --> 00:05:38,990 page from another source.
71 00:05:39,930 --> 00:05:43,510 For example, if you add this code, you'll get an alert.
72 00:05:44,750 --> 00:05:49,780 And what I want is to execute JavaScript code from my server in this page.
73 00:05:51,350 --> 00:05:53,690 So I will serve this code in Kali.
74 00:05:58,210 --> 00:06:01,540 It is an example HTTP request code.
75 00:06:03,020 --> 00:06:08,360 Then, after injecting this code into the page, it'll request the CSRF 3 page.
76 00:06:10,110 --> 00:06:16,320 Parse the token and then send a change request with a value that I provide.
77 00:06:17,670 --> 00:06:18,870 And you can get it from here.
78 00:06:20,560 --> 00:06:23,770 So now I'm going to copy it to my web root directory.
79 00:06:25,190 --> 00:06:27,110 Apache's not running, so start it.
80 00:06:29,910 --> 00:06:30,600 Now it's running.
81 00:06:31,740 --> 00:06:38,790 And now on the XSS page, I'm just going to add this line of code to inject my script into the page.
82 00:06:40,120 --> 00:06:41,350 Copy and paste it.
83 00:06:44,060 --> 00:06:46,850 Now, before submitting, open Web Developer.
84 00:06:48,440 --> 00:06:50,450 HTML and JavaScript from here.
85 00:06:51,620 --> 00:06:52,940 OK, now submit it.
86 00:06:54,670 --> 00:06:57,610 And the alert comes from the previous code.
87 00:06:59,010 --> 00:06:59,670 Click OK.
88 00:07:01,040 --> 00:07:04,160 And below, you will see the requests sent by this page.
89 00:07:05,450 --> 00:07:09,350 Lo and behold, it requests my JavaScript code from my server.
90 00:07:10,340 --> 00:07:16,130 After including that code in the page, my script requests the CSRF 3 page.
91 00:07:17,280 --> 00:07:20,160 And then sends the change request containing a valid token.
92 00:07:21,520 --> 00:07:25,810 OK, so now let's look to see if it changed it or not, you know, in Chrome.
93 00:07:27,120 --> 00:07:30,390 And as you can see, this is the old secret value.
94 00:07:31,340 --> 00:07:32,870 So now refresh the page.
95 00:07:35,390 --> 00:07:37,150 Browse the users table again.
96 00:07:38,290 --> 00:07:41,500 And looky here, the value has changed.
97 00:07:42,350 --> 00:07:46,180 OK, so now view the page source.
98 00:07:47,140 --> 00:07:51,460 And the script tags are present in the page, just like that.
99 00:07:52,930 --> 00:07:56,030 So we changed the password without the user's knowledge.
100 00:07:56,770 --> 00:07:57,760 What do you think about that?