1
00:00:00,240 --> 00:00:02,010
Welcome to cross-site scripting.

2
00:00:02,010 --> 00:00:06,830
This is one of my favorite bugs to hunt for and to find.

3
00:00:06,870 --> 00:00:14,730
So in cross-site scripting we really have three that we're going to talk about, and this is a popular

4
00:00:14,730 --> 00:00:20,160
interview question. You're going to get asked, what are the three types of cross-site scripting?

5
00:00:20,750 --> 00:00:21,090
OK.

6
00:00:21,120 --> 00:00:22,260
So we're going to cover that.

7
00:00:22,290 --> 00:00:28,530
We're going to cover what they are, why they're a little bit different and what they might look like

8
00:00:28,530 --> 00:00:29,790
in code.

9
00:00:29,790 --> 00:00:34,280
And then in the next couple of videos we're going to exploit a couple of these.

10
00:00:34,320 --> 00:00:39,340
So as you see here, there are three types of cross-site scripting.

11
00:00:39,360 --> 00:00:44,430
We have one which is called reflected. Now reflected means that it's reflected.

12
00:00:44,430 --> 00:00:47,790
We're going to inject something malicious.

13
00:00:47,790 --> 00:00:53,190
And what's going to happen is you're going to get a pop-up and it's going to be reflected to us.

14
00:00:53,220 --> 00:00:53,860
OK.

15
00:00:54,000 --> 00:00:57,030
It never gets stored on the server.

16
00:00:57,030 --> 00:01:03,600
So the server is going to read the request and then it's going to respond back with that request and

17
00:01:03,720 --> 00:01:05,820
it's going to reflect on the page.

18
00:01:05,830 --> 00:01:11,550
Now if we leave that page and come back to the page again, it's going to go away unless we make that

19
00:01:11,550 --> 00:01:14,510
request and be malicious again with it.

20
00:01:14,550 --> 00:01:21,320
Now the opposite of that is what is called stored or persistent cross-site scripting.

21
00:01:21,420 --> 00:01:27,990
What that means is we inject a malicious payload and then it is stored onto the server.

22
00:01:27,990 --> 00:01:33,410
So we leave, we come back and that payload is still there.

23
00:01:33,510 --> 00:01:33,870
OK.

24
00:01:33,870 --> 00:01:40,590
So we have a stored capability, and you're going to see in this course, you're going to see a reflected

25
00:01:40,770 --> 00:01:42,440
and a stored.

26
00:01:42,440 --> 00:01:46,190
Now the last one is what is called DOM.

27
00:01:46,230 --> 00:01:50,450
Now DOM stands for the Document Object Model, right?

28
00:01:50,460 --> 00:01:52,050
This is in JavaScript.

29
00:01:52,380 --> 00:01:59,380
So what's happening here is when you are going out and you're injecting this.

30
00:01:59,510 --> 00:02:06,240
So when you go out to a website, the server is going to show you some HTML, it's going to show you some

31
00:02:06,240 --> 00:02:08,940
JavaScript, it's going to send it back to you in your browser.

32
00:02:08,940 --> 00:02:09,710
Right.

33
00:02:09,810 --> 00:02:15,980
And when you see this, when you want to modify this, it's called the DOM.

34
00:02:15,990 --> 00:02:18,210
The Document Object Model.

35
00:02:18,270 --> 00:02:21,080
Now we can exploit that DOM.

36
00:02:21,090 --> 00:02:28,170
And this again is going to be client side, so reflected and DOM are both client side, and we can attack

37
00:02:28,290 --> 00:02:35,160
specifically the DOM, and I'm going to show you more of how that works and what it is here in just a

38
00:02:35,160 --> 00:02:35,880
second.

39
00:02:36,030 --> 00:02:37,430
But those are the three.

40
00:02:37,440 --> 00:02:42,820
One is reflected, two is stored and three is DOM cross-site scripting.

41
00:02:42,900 --> 00:02:48,040
So let's go ahead and take a look first at reflected cross-site scripting.

42
00:02:48,530 --> 00:02:48,810
OK.

43
00:02:48,810 --> 00:02:54,850
Let's say that we have a PHP page and we'll just call this index.php as an example.

44
00:02:55,290 --> 00:03:01,320
And let's just write out some PHP here. It's OK if you don't know PHP, I'm just going to show you some

45
00:03:01,320 --> 00:03:02,180
things.

46
00:03:02,220 --> 00:03:07,940
So we'll just declare PHP and then we'll declare username as a variable.

47
00:03:08,730 --> 00:03:13,860
And we'll just say we're going to go ahead and get username,

48
00:03:17,300 --> 00:03:17,790
all right.

49
00:03:18,300 --> 00:03:24,990
And when we do that we're going to echo "Hi username"

50
00:03:29,030 --> 00:03:30,620
and then we're gonna kill this.

51
00:03:30,830 --> 00:03:31,820
So that's it.

52
00:03:31,820 --> 00:03:33,380
What are we doing here?

53
00:03:33,380 --> 00:03:40,090
Well let's say we have a situation where we have index.php and it looks something like username

54
00:03:40,520 --> 00:03:42,910
equals Heath.

55
00:03:43,120 --> 00:03:45,040
Well what's gonna happen here?

56
00:03:45,120 --> 00:03:47,180
It's going to say "Hi Heath"

57
00:03:48,120 --> 00:03:51,190
when you come to the web page, right? OK.

58
00:03:51,190 --> 00:03:59,230
Well what if we have something like index.php and the username instead is something like this: script

59
00:03:59,310 --> 00:04:03,270
alert one script.

60
00:04:03,310 --> 00:04:04,480
Well guess what?

61
00:04:04,480 --> 00:04:06,790
That's going to run JavaScript.

62
00:04:06,940 --> 00:04:12,580
OK, we're declaring that we're running JavaScript with the script tags and we're going to run what's

63
00:04:12,580 --> 00:04:19,270
called an alert. Alert is going to bring a pop-up on the browser, and it's going to pop up but it's going

64
00:04:19,270 --> 00:04:25,420
to say one on the pop-up, and this is classic cross-site scripting.

65
00:04:25,420 --> 00:04:25,860
All right.

66
00:04:25,960 --> 00:04:30,830
So that is what reflected looks like. This would be an example of reflected.

67
00:04:30,850 --> 00:04:34,750
Now imagine stored. The best way to describe stored,

68
00:04:34,750 --> 00:04:41,230
we don't even have to look at code, we can just think about it. Think about having a blog post and you

69
00:04:41,230 --> 00:04:47,020
can go comment on that blog post, or having a forum and you comment on that forum, right?

70
00:04:47,020 --> 00:04:55,150
What if you were to leave something like this, script alert one slash script, and you left it on a blog

71
00:04:55,150 --> 00:04:55,660
post?

72
00:04:55,870 --> 00:05:03,070
Well, if the site was vulnerable, every single time you went to that page or anybody else went

73
00:05:03,070 --> 00:05:05,280
to that page, then guess what?

74
00:05:05,290 --> 00:05:10,120
They would also see that pop-up, because it's stored on the server side.

75
00:05:10,120 --> 00:05:10,480
Right.

76
00:05:10,510 --> 00:05:17,410
So there's some difference here to talk about when it comes between reflected, well really reflected,

77
00:05:17,560 --> 00:05:22,580
DOM and stored. Reflected and DOM require social engineering.

78
00:05:22,660 --> 00:05:29,860
We have to get somebody to open a malicious link, and that malicious link might point us, or point to us

79
00:05:29,890 --> 00:05:34,900
as an attacker. We might have some sort of JavaScript that we're running, and that JavaScript is going

80
00:05:34,900 --> 00:05:40,660
to execute, it's going to steal a cookie from a user and it's going to send it to

81
00:05:40,660 --> 00:05:43,980
us, and we have their cookie, we're gonna go try to log in as them.

82
00:05:44,170 --> 00:05:51,280
But we need to be able to know the user and then send that well-crafted link, social engineering,

83
00:05:51,610 --> 00:05:56,650
and get that cookie stolen. Right? Now if it's stored,

84
00:05:56,650 --> 00:05:58,070
we don't have to do anything.

85
00:05:58,210 --> 00:06:03,940
We just put a malicious JavaScript in, and we're not going to make it a pop-up. Pop-ups are just used for

86
00:06:03,940 --> 00:06:06,260
an example, because they pop up, we can see them.

87
00:06:06,370 --> 00:06:11,620
But if it's stored we might have the same feature where it's stealing a cookie, and that cookie gets

88
00:06:11,620 --> 00:06:13,360
stolen, it comes to us.

89
00:06:13,480 --> 00:06:17,290
And guess what? You're going to the page, you don't even know that it's there, you're not looking at the

90
00:06:17,290 --> 00:06:19,660
source code, you have no idea what's going on.

91
00:06:19,780 --> 00:06:23,690
It's just sitting there stored on that page, so we can be really malicious with that.

92
00:06:23,740 --> 00:06:29,050
There's a lot of different things that we can do with cross-site scripting. Stealing cookies is

93
00:06:29,050 --> 00:06:30,120
really the big one.

94
00:06:30,220 --> 00:06:33,500
We can do keylogging, we can do denial of service.

95
00:06:33,520 --> 00:06:35,950
We can deface a web page.

96
00:06:35,950 --> 00:06:41,560
There's so many different things that we have options with. The most common and the best examples are

97
00:06:41,560 --> 00:06:46,730
stealing cookies and doing this JavaScript kind of pop-up as a proof of concept.

98
00:06:46,750 --> 00:06:49,550
So that's what we're going to do with these lessons.

99
00:06:49,780 --> 00:06:56,650
Now before we do that, I do want to point out one more thing. I want to point out this blog post on DOM-based

100
00:06:56,740 --> 00:07:03,880
cross-site scripting. Now DOM-based is hard for people to get their minds around. It's not one that

101
00:07:03,880 --> 00:07:12,670
you find very easily, it's kind of complex, and I really just want to give kudos to this author, who talks

102
00:07:12,670 --> 00:07:18,130
about DOM-based cross-site scripting and can explain it better than I can.

103
00:07:18,340 --> 00:07:22,960
I'm going to walk you through what's going on here in the code and how you should be able to understand

104
00:07:22,960 --> 00:07:24,700
what you're seeing here.

105
00:07:24,700 --> 00:07:27,090
So there's two things that we need to talk about.

106
00:07:27,100 --> 00:07:33,040
There is one, what is called a source, and then the other is called a sink, and you can see them here

107
00:07:33,040 --> 00:07:34,630
identified in the code.

108
00:07:34,660 --> 00:07:35,390
OK.

109
00:07:35,470 --> 00:07:39,700
Now a source is where you insert malicious input.

110
00:07:39,730 --> 00:07:44,630
So that's where your malicious input goes. Your sink is where it is executed.

111
00:07:45,280 --> 00:07:45,590
OK.

112
00:07:45,620 --> 00:07:47,710
So we have a source and a sink.

113
00:07:47,740 --> 00:07:49,840
Now what's happening here?

114
00:07:49,840 --> 00:07:54,690
Well we have our source, and it says, this is just a variable called source, and it says hello.

115
00:07:55,000 --> 00:07:56,870
And then they're just putting a hash here.

116
00:07:56,920 --> 00:07:57,180
OK.

117
00:07:57,190 --> 00:08:00,920
Because with this decodeURI, you're saying, hey, we're going to put a hash here.

118
00:08:00,940 --> 00:08:06,070
A lot of modern browsers nowadays will obfuscate this or try to prevent cross-site scripting.

119
00:08:06,070 --> 00:08:12,100
So it's just going to say, hey, allow this hash, and we're gonna say OK, we've got the hash, and what's going

120
00:08:12,100 --> 00:08:18,520
to happen then is we are also going to execute our code here, because this is the source.

121
00:08:18,580 --> 00:08:21,000
So if you look down here, it is vulnerable again.

122
00:08:21,010 --> 00:08:23,910
We've got the hash at this example website.

123
00:08:24,070 --> 00:08:24,270
OK.

124
00:08:24,280 --> 00:08:29,290
We've got the hash, and then we put in this. What they're doing is they're putting in an image with a

125
00:08:29,290 --> 00:08:32,650
source of test, and there is no image that's called test.

126
00:08:32,680 --> 00:08:39,420
So on the error of that image not loading, it's going to pop up an alert box and say cross-site scripting.

127
00:08:39,490 --> 00:08:44,330
Now here in the DOM we also are going to have the sink.

128
00:08:44,350 --> 00:08:45,040
OK.

129
00:08:45,130 --> 00:08:51,670
So this div element, innerHTML, is going to be our sink. That's going to pull this all down for us

130
00:08:51,760 --> 00:08:54,670
and it's going to be executed right here.

131
00:08:54,700 --> 00:08:57,340
So this is all happening on the client side.

132
00:08:57,340 --> 00:09:01,840
This is a great example of DOM-based cross-site scripting.

133
00:09:01,840 --> 00:09:06,590
Again, this is something that you're going to have to pull off with social engineering, just like

134
00:09:06,590 --> 00:09:07,420
reflected.

135
00:09:07,450 --> 00:09:10,670
You're going to see DOM-based the least, in my opinion.

136
00:09:10,810 --> 00:09:15,600
You're going to see a lot more reflected, you're going to see a lot more stored, and a little bit of

137
00:09:15,600 --> 00:09:16,680
DOM-based.

138
00:09:16,700 --> 00:09:20,290
OK, so you have to understand this. This article is great.

139
00:09:20,290 --> 00:09:24,850
It tells you where a bunch of sources are, where a bunch of sinks are, talks about defenses.

140
00:09:24,850 --> 00:09:29,890
I think this is one of the best articles that I have read, especially when I was a beginner, and I like

141
00:09:29,890 --> 00:09:31,800
to pass on those articles as well.

142
00:09:31,810 --> 00:09:34,800
So I'm going to be putting this down in the description.

143
00:09:34,870 --> 00:09:40,360
So from here, hopefully that was a good overview of what this is like.

144
00:09:40,390 --> 00:09:40,760
OK.

145
00:09:40,770 --> 00:09:42,730
So hopefully that's a good overview.

146
00:09:42,910 --> 00:09:49,180
Now you know, all you need to take out of this right now is, OK, there is reflected, there is stored and

147
00:09:49,180 --> 00:09:50,470
there's DOM-based.

148
00:09:50,590 --> 00:09:54,550
And when you think of reflected, reflected just means that it pops back to you, where if you were to

149
00:09:54,550 --> 00:09:59,680
leave the page and come back it would be gone, whereas stored, if you were to leave the page and come back,

150
00:09:59,680 --> 00:10:00,300
guess what?

151
00:10:00,310 --> 00:10:01,840
It's still going to be there.

152
00:10:01,840 --> 00:10:06,350
So in the next video we're going to do an example of stored.

153
00:10:06,370 --> 00:10:12,130
We'll do a stored-based one, and then we're gonna go ahead and cover a reflected one, and we should be good

154
00:10:12,130 --> 00:10:13,080
to go.

155
00:10:13,090 --> 00:10:17,620
I'll show you all the different types of cross-site scripting ones they have, and there's even a nice walkthrough

156
00:10:17,620 --> 00:10:22,960
for the DOM, which I want you to do on your own and kind of get some experience and see how it's done.

157
00:10:22,960 --> 00:10:27,550
And I do encourage you to also look through the other ones and see how they're done as well.

158
00:10:27,550 --> 00:10:31,720
But for now let's go ahead and go into stored, and then we'll move on into reflected.
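The following is an added worked example placed after the lesson transcript; it is not part of the transcript and not the instructor's code. It models the reflected greeting page and the DOM-based source-to-sink flow from the lesson in JavaScript so they can be run offline in Node: the vulnerable rendering sits beside an HTML-encoding fix, and a small heuristic scanner lists what a browser would execute in the resulting markup. The function names, the sample payloads and the use of decodeURIComponent (standing in for the article's decodeURI) are illustrative assumptions; the scanner is a regular-expression teaching aid, not an HTML parser or a sanitizer.

```javascript
// Added example: reflected and DOM-based XSS from the lesson, modelled in Node.js.
// Not the instructor's code. Function names and payloads are illustrative.

// Constructed sample inputs: the lesson's two payloads plus a benign name.
const SAMPLE_INPUTS = {
  benign: "Heath",
  scriptTag: "<script>alert(1)</script>",             // reflected / stored example
  imgOnerror: "<img src=test onerror=alert('XSS')>",  // DOM-based example
};

// Reflected XSS, vulnerable: the query parameter is echoed straight into HTML,
// the same shape as the lesson's index.php that echoes "Hi " . $_GET['username'].
function renderGreetingVulnerable(username) {
  return `<p>Hi ${username}</p>`;
}

// The fix: encode the five characters that can change HTML structure on output.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreetingSafe(username) {
  return `<p>Hi ${escapeHtml(username)}</p>`;
}

// DOM-based XSS: the source is the URL fragment (location.hash), decoded with
// decodeURIComponent here in place of the article's decodeURI; the sink is the
// element property the page writes to. `hash` is passed in so this runs without
// a browser, and the returned string is the markup the browser would end up with.
function domRender(hash, sinkProperty) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  const source = "Hello " + name;
  // innerHTML parses the string as markup, so the browser would build an <img>
  // element and fire its onerror handler; textContent inserts inert text, which
  // serialises the same way output encoding would.
  if (sinkProperty === "innerHTML") return `<div>${source}</div>`;
  if (sinkProperty === "textContent") return `<div>${escapeHtml(source)}</div>`;
  throw new Error(`unknown sink ${sinkProperty}`);
}

// Heuristic scanner: which script-execution vectors are present in this markup?
// Regex-based on purpose (a teaching aid, not a defence): real protection is
// output encoding or a DOM sanitizer, never a block-list like this.
function findExecutableContent(html) {
  const findings = [];
  if (/<script[\s>]/i.test(html)) findings.push("script-tag");
  if (/<[^>]*\son[a-z]+\s*=/i.test(html)) findings.push("event-handler-attribute");
  if (/\b(?:href|src|action)\s*=\s*["']?\s*javascript:/i.test(html)) findings.push("javascript-url");
  return findings;
}

// Stand-alone demo: vulnerable vs. fixed rendering for each sample input.
for (const [label, input] of Object.entries(SAMPLE_INPUTS)) {
  console.log(label, "vulnerable:", findExecutableContent(renderGreetingVulnerable(input)));
  console.log(label, "safe:      ", findExecutableContent(renderGreetingSafe(input)));
}
const fragment = "#" + encodeURIComponent(SAMPLE_INPUTS.imgOnerror);
console.log("DOM innerHTML:  ", findExecutableContent(domRender(fragment, "innerHTML")));
console.log("DOM textContent:", findExecutableContent(domRender(fragment, "textContent")));
```

Run it with `node xss-demo.js`. The point of the two pairs is that the payload string is identical in every case; what decides whether the browser executes it is the sink it reaches (raw HTML output or innerHTML versus an encoded context or textContent), which is why output encoding and sink choice, not input filtering, are the fix for all three classes.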