1
00:00:00,390 --> 00:00:06,480
So the same-origin policy is a critical security mechanism for web applications.

2
00:00:07,610 --> 00:00:13,010
And it restricts how a document or script loaded from one origin

3
00:00:13,880 --> 00:00:17,940
can interact with another origin. Makes sense.

4
00:00:18,890 --> 00:00:25,430
So, in other words, it helps to isolate potentially malicious documents and reduces the possible

5
00:00:25,700 --> 00:00:26,900
attack vectors.

6
00:00:27,890 --> 00:00:35,000
On the other hand, cross-origin resource sharing is a relaxation of the same-origin policy implemented

7
00:00:35,000 --> 00:00:36,410
in modern browsers.

8
00:00:37,580 --> 00:00:46,700
And CORS uses additional HTTP headers to tell browsers to give a web application running at one origin

9
00:00:46,700 --> 00:00:49,980
access to selected resources from a different origin.

10
00:00:51,140 --> 00:00:52,700
So I don't know.

11
00:00:52,700 --> 00:00:59,390
I think we can say this mechanism supports secure cross-origin requests and data transfers between

12
00:00:59,390 --> 00:01:00,590
browsers and servers.

13
00:01:02,060 --> 00:01:10,430
And also, for security reasons, browsers restrict cross-origin HTTP requests initiated from scripts.

14
00:01:11,740 --> 00:01:15,970
So that means in this lesson, we are going to examine CORS features.

15
00:01:17,610 --> 00:01:22,770
So after you log in to bWAPP, open Cross-Origin Resource Sharing from the menu.

16
00:01:23,630 --> 00:01:26,030
And it's a simple page, isn't it?

17
00:01:27,260 --> 00:01:28,620
But here's a different scenario.

18
00:01:29,030 --> 00:01:30,680
So there's a link on this page.

19
00:01:31,850 --> 00:01:38,120
And based on the security level, we are going to try to read the content of the file that this link

20
00:01:38,120 --> 00:01:38,720
points to.

21
00:01:39,990 --> 00:01:44,370
So there are some cross-origin obstacles to pass.
22
00:01:45,570 --> 00:01:50,160
OK, so now let's start with the first level. Enable FoxyProxy.

23
00:01:51,050 --> 00:01:55,460
Then we'll click on the secret link and the request will appear in Burp.

24
00:01:57,210 --> 00:02:03,900
Now, look at the first line of the request, it is secret-cors-1.php.

25
00:02:05,010 --> 00:02:07,140
But it doesn't look like there's anything suspicious.

26
00:02:08,050 --> 00:02:08,890
So forward it.

27
00:02:10,080 --> 00:02:15,330
Now you can see the response message and it contains the secret of Neo.

28
00:02:16,990 --> 00:02:18,370
But also look at the headers.

29
00:02:19,810 --> 00:02:26,950
There is an Access-Control-Allow-Origin header with a value of asterisk, that means accept requests from all

30
00:02:26,950 --> 00:02:27,490
origins.

31
00:02:28,770 --> 00:02:34,530
That's why the secret-cors-1 page accepts the request and shows the secret.

32
00:02:35,880 --> 00:02:38,490
OK, so then forward that response to the browser.

33
00:02:39,810 --> 00:02:41,700
All right, so now change the level to medium.

34
00:02:43,200 --> 00:02:45,960
And we have a new superhero, Wolverine.

35
00:02:47,200 --> 00:02:54,970
And we need his secret, but his secret is hidden behind this link, so click on the secret link.

36
00:02:55,930 --> 00:02:58,060
And Burp has a request now.

37
00:02:59,700 --> 00:03:03,110
And the first line is different from the previous request, huh?

38
00:03:04,320 --> 00:03:08,850
But now we are requesting the secret-cors-2 page.

39
00:03:09,840 --> 00:03:14,490
And there's nothing interesting here, so forward the request.

40
00:03:16,400 --> 00:03:23,210
But it doesn't look like we can read the secret, it's just a plain response message.

41
00:03:24,330 --> 00:03:25,190
So let it go.

42
00:03:27,320 --> 00:03:29,840
OK, so there is a hint here on the page.

43
00:03:30,730 --> 00:03:34,930
So the requested page can only accept requests from this origin.
44
00:03:35,590 --> 00:03:39,580
OK, so before going any further, let's have a look at the code.

45
00:03:42,930 --> 00:03:44,640
So this one is the main page.

46
00:03:45,740 --> 00:03:49,880
And based on the security level, it redirects us to the superhero pages.

47
00:03:51,130 --> 00:03:53,710
So scroll on down to the main part below.

48
00:03:54,910 --> 00:03:57,130
And it just prints the values, nothing more.

49
00:03:58,360 --> 00:03:59,170
So we can exit.

50
00:04:00,350 --> 00:04:02,240
And view the cors-1 file.

51
00:04:04,850 --> 00:04:07,520
And it just sets the header for all origins.

52
00:04:08,550 --> 00:04:09,870
And prints the secret.

53
00:04:10,950 --> 00:04:11,540
That's all.

54
00:04:13,020 --> 00:04:13,800
So exit.

55
00:04:14,930 --> 00:04:17,180
So what is inside cors-2?

56
00:04:18,560 --> 00:04:24,730
And it's not letting us read the secret, so it checks for a specific origin.

57
00:04:25,790 --> 00:04:32,000
So if somehow we can add this Origin header to our request, we'll be able to read the secret for Wolverine.

58
00:04:33,180 --> 00:04:35,400
So let's exit this and view cors-3.

59
00:04:39,550 --> 00:04:44,290
And on this page, there are no headers or extra security checks.

60
00:04:45,300 --> 00:04:47,190
So close that and go to Firefox.

61
00:04:48,800 --> 00:04:50,360
OK, now, click the secret again.

62
00:04:51,340 --> 00:04:56,110
The request is in the proxy and I'm going to add the Origin header.

63
00:04:57,020 --> 00:04:59,420
You can add it anywhere except for the first line.

64
00:05:00,550 --> 00:05:08,680
So this means the origin of my request is http://itsecgames.com, so I'll go ahead and

65
00:05:08,680 --> 00:05:09,190
forward it.

66
00:05:11,360 --> 00:05:14,480
And that's perfect, we are able to get Wolverine's secret.

67
00:05:15,980 --> 00:05:16,990
So let it go now.
68
00:05:18,350 --> 00:05:24,710
A few seconds ago, we intercepted the request and added the Origin header, right? But the developer

69
00:05:24,710 --> 00:05:26,520
wants us to try with Ajax.

70
00:05:26,540 --> 00:05:30,770
So open your terminals and I'll prepare an Ajax file.

71
00:05:31,890 --> 00:05:36,960
You can download all the files and then after you download, move them to your web root directory in

72
00:05:36,960 --> 00:05:39,180
Kali, because we're going to use them.

73
00:05:40,590 --> 00:05:43,950
OK, so I need to go to the web root directory.

74
00:05:44,950 --> 00:05:48,660
And the files in this directory are just like that.

75
00:05:49,690 --> 00:05:57,550
And I'm going to use the one that starts with cors, so just type vim cors.php.

76
00:05:59,880 --> 00:06:04,260
All right, so this is a simple file, it just includes the script.

77
00:06:05,250 --> 00:06:10,560
OK, so exit and view the JavaScript file: vim cors.js.

78
00:06:12,140 --> 00:06:17,450
And the script makes an Ajax call to secret-cors-2.php.

79
00:06:18,650 --> 00:06:20,150
It adds an Origin header.

80
00:06:21,360 --> 00:06:22,290
OK, go back.

81
00:06:23,720 --> 00:06:28,580
Open a new tab and request the cors.php file in Kali.

82
00:06:30,590 --> 00:06:32,090
OK, so it's in Burp now.

83
00:06:32,950 --> 00:06:33,580
Forward it.

84
00:06:34,880 --> 00:06:39,800
And the page loads, and look at the script tags, they're calling for the Ajax file.

85
00:06:39,830 --> 00:06:40,580
OK, good.

86
00:06:40,590 --> 00:06:41,450
So forward it.

87
00:06:43,810 --> 00:06:46,720
And now the Ajax code is loaded into the browser.

88
00:06:47,950 --> 00:06:52,120
And then it sends a request to secret-cors-2.php.

89
00:06:53,150 --> 00:06:55,040
By adding the header.

90
00:06:56,120 --> 00:06:57,500
And see, this is what we want.

91
00:06:59,340 --> 00:07:00,990
But there's a problem.

92
00:07:02,580 --> 00:07:05,460
The Origin header value is not the same as in the code.
93
00:07:06,690 --> 00:07:08,420
Well, you know what?

94
00:07:08,430 --> 00:07:10,010
Just forward it anyway.

95
00:07:11,880 --> 00:07:13,310
And there's really no secret.

96
00:07:14,780 --> 00:07:21,680
So to figure out what's just happened, let's open up the web developer tools, go to the console tab.

97
00:07:22,720 --> 00:07:29,260
Let's have a look at the warnings, because changing the Origin header with Ajax in the browser is forbidden,

98
00:07:30,080 --> 00:07:31,660
so it points to the line.

99
00:07:32,950 --> 00:07:39,520
So the same-origin policy refuses to read the secret-cors-2 file.

100
00:07:41,210 --> 00:07:41,890
So what do you think?

101
00:07:41,900 --> 00:07:47,360
I think these warnings explain everything quite well, so that means we need to find another solution.

102
00:07:48,670 --> 00:07:52,840
So what I like to do in these situations is use my good old friend, cURL.

103
00:07:53,860 --> 00:07:54,640
You know, cURL.

104
00:07:56,080 --> 00:07:57,760
You can always try a different way.

105
00:07:58,990 --> 00:08:00,640
OK, then go back.

106
00:08:01,810 --> 00:08:04,450
cURL is also implemented in PHP.

107
00:08:05,490 --> 00:08:12,150
So I'm going to show you cors-1.php, and this is the cURL code.

108
00:08:13,550 --> 00:08:19,610
And it will request the same page and show the response to us, and of course, it's going to add the

109
00:08:19,610 --> 00:08:20,450
Origin header.

110
00:08:21,710 --> 00:08:24,500
So in this case, we are going to request this page.

111
00:08:26,130 --> 00:08:33,480
And then in the background, cURL will request the secret-cors-2.php page.

112
00:08:34,560 --> 00:08:36,660
OK, so go back to Firefox.

113
00:08:37,960 --> 00:08:42,550
Open a new tab and go to cors-1.php.

114
00:08:44,340 --> 00:08:46,080
And there's nothing here in this request.

115
00:08:47,030 --> 00:08:47,930
So just forward.

116
00:08:48,830 --> 00:08:55,490
Yeah, congratulations, we programmatically read Wolverine's secret.
117
00:08:56,370 --> 00:08:56,880
All right.

118
00:08:58,500 --> 00:09:03,510
We didn't even see what happened, thankfully, cURL did everything for us.