1
00:00:06,460 --> 00:00:07,960
- [Tutor] Cross-site scripting vulnerabilities

2
00:00:07,960 --> 00:00:10,770
have become one of the most common

3
00:00:10,770 --> 00:00:13,430
web application vulnerabilities out there.

4
00:00:13,430 --> 00:00:16,650
There are three types of cross-site scripting attacks:

5
00:00:16,650 --> 00:00:21,600
reflected, stored or persistent, and DOM-based

6
00:00:21,600 --> 00:00:23,440
cross-site scripting attacks.

7
00:00:23,440 --> 00:00:26,280
Now reflected, I forgot to mention, is actually

8
00:00:26,280 --> 00:00:29,090
a non-persistent attack, while stored,

9
00:00:29,090 --> 00:00:32,240
as I just mentioned, is a persistent

10
00:00:32,240 --> 00:00:35,210
cross-site scripting condition.

11
00:00:35,210 --> 00:00:36,730
Now another thing that I want to highlight

12
00:00:36,730 --> 00:00:40,890
is that cross-site scripting is a flaw in a web application,

13
00:00:40,890 --> 00:00:44,360
but the target, the victim itself, is the user.

14
00:00:44,360 --> 00:00:47,490
So successful exploitation of cross-site scripting

15
00:00:47,490 --> 00:00:50,410
can result in many different things:

16
00:00:50,410 --> 00:00:53,590
installation or execution of malicious code,

17
00:00:53,590 --> 00:00:57,797
account compromise, session cookie hijacking,

18
00:00:57,797 --> 00:01:01,370
revelation or modification of local files,

19
00:01:01,370 --> 00:01:03,360
or site redirection.

20
00:01:03,360 --> 00:01:05,930
So that means redirecting the user

21
00:01:05,930 --> 00:01:10,670
to a malicious site or to a site that can be used

22
00:01:10,670 --> 00:01:13,793
to obtain sensitive information from that user.

23
00:01:14,910 --> 00:01:17,450
You typically find cross-site scripting vulnerabilities

24
00:01:17,450 --> 00:01:21,780
in search fields, HTTP headers, input fields

25
00:01:21,780 --> 00:01:23,780
that I call user data,

26
00:01:23,780 --> 00:01:26,780
error messages that return user-supplied text,

27
00:01:26,780 --> 00:01:30,130
hidden fields that may include user input data,

28
00:01:30,130 --> 00:01:35,130
or websites or applications that display user-supplied data.

29
00:01:35,320 --> 00:01:38,210
Now in this example, I'm actually demonstrating

30
00:01:38,210 --> 00:01:40,330
a quick cross-site scripting test.

31
00:01:40,330 --> 00:01:44,440
In this case actually I am using a script tag

32
00:01:44,440 --> 00:01:46,490
followed by an alert, right,

33
00:01:46,490 --> 00:01:48,310
so I'm going to cause a pop-up window

34
00:01:48,310 --> 00:01:51,460
to appear in the window, in the screen.

35
00:01:51,460 --> 00:01:54,560
And I'm just typing here "Omar was here", right?

36
00:01:54,560 --> 00:01:55,393
Think about that.

37
00:01:55,393 --> 00:01:58,680
This can be actually any malicious code

38
00:01:58,680 --> 00:02:01,710
or even any message to the user, you know,

39
00:02:01,710 --> 00:02:04,257
it can be something like,

40
00:02:04,257 --> 00:02:06,777
"Your authentication has expired,

41
00:02:06,777 --> 00:02:08,870
"please click here to re-login."

42
00:02:08,870 --> 00:02:11,870
And then the user is redirected to another page.

43
00:02:11,870 --> 00:02:14,430
The user, you know, doesn't know better,

44
00:02:14,430 --> 00:02:17,500
is entering his user credentials,

45
00:02:17,500 --> 00:02:18,570
and then you're actually getting

46
00:02:18,570 --> 00:02:20,320
the user credentials from the user.

47
00:02:21,280 --> 00:02:24,940
Now there are many different attack vectors,

48
00:02:24,940 --> 00:02:27,620
so cross-site scripting vectors out there.

49
00:02:27,620 --> 00:02:29,570
What I did is actually I have a list,

50
00:02:29,570 --> 00:02:33,050
a pretty comprehensive list of many different examples,

51
00:02:33,050 --> 00:02:38,050
for your reference in the GitHub repository for this class.

52
00:02:38,210 --> 00:02:41,070
Now, let's actually start by actually going over

53
00:02:41,070 --> 00:02:43,330
what reflected cross-site scripting is,

54
00:02:43,330 --> 00:02:46,230
the examples of the methods of delivery,

55
00:02:46,230 --> 00:02:48,200
and then going over, you know,

56
00:02:48,200 --> 00:02:50,340
stored-based cross-site scripting as well.

57
00:02:50,340 --> 00:02:51,810
So a reflected attack,

58
00:02:51,810 --> 00:02:54,730
or non-persistent cross-site scripting,

59
00:02:54,730 --> 00:02:57,160
is basically when malicious code or a script

60
00:02:57,160 --> 00:02:59,870
is injected by a vulnerable web application

61
00:02:59,870 --> 00:03:02,970
using any method that uses a response

62
00:03:02,970 --> 00:03:05,883
as part of a valid HTTP request.

63
00:03:06,990 --> 00:03:09,920
In this example the user is actually being persuaded

64
00:03:09,920 --> 00:03:12,700
to follow a malicious link to a vulnerable server

65
00:03:12,700 --> 00:03:16,290
that injects or reflects the malicious code

66
00:03:16,290 --> 00:03:18,680
to the user's web browser.

67
00:03:18,680 --> 00:03:21,730
And this actually is causing the browser

68
00:03:21,730 --> 00:03:24,890
to execute the code or the script.

69
00:03:24,890 --> 00:03:28,360
The vulnerable server is typically a known

70
00:03:28,360 --> 00:03:29,880
or a trusted site.

71
00:03:29,880 --> 00:03:33,750
There's an element of social engineering for these attacks,

72
00:03:33,750 --> 00:03:37,120
because you actually can persuade the user

73
00:03:37,120 --> 00:03:40,330
to follow that malicious link, or, I mean, of course

74
00:03:40,330 --> 00:03:42,540
there are many other examples of deliveries,

75
00:03:42,540 --> 00:03:44,900
like, you know, sending phishing emails,

76
00:03:44,900 --> 00:03:49,040
messaging applications, search engines, and many others.

77
00:03:49,040 --> 00:03:51,210
Now let me explain what stored cross-site scripting

78
00:03:51,210 --> 00:03:53,380
or persistent cross-site scripting is.

79
00:03:53,380 --> 00:03:56,810
Basically that attack occurs when the malicious code

80
00:03:56,810 --> 00:03:59,950
or the script is permanently stored

81
00:03:59,950 --> 00:04:04,350
on a vulnerable web server or a malicious server.

82
00:04:04,350 --> 00:04:06,820
And basically that is done by storing data

83
00:04:06,820 --> 00:04:08,930
in a database or a file.

84
00:04:08,930 --> 00:04:11,010
Now these attacks are typically carried out

85
00:04:11,010 --> 00:04:14,982
on websites hosting things like blog posts,

86
00:04:14,982 --> 00:04:19,760
forums, and any other permanent storage methods.

87
00:04:19,760 --> 00:04:23,300
An example is whenever a user

88
00:04:23,300 --> 00:04:25,070
is requesting the stored information

89
00:04:25,070 --> 00:04:27,370
from the vulnerable or malicious server,

90
00:04:27,370 --> 00:04:29,790
which causes the injection of the requested

91
00:04:29,790 --> 00:04:33,930
malicious script into the victim's browser.

92
00:04:33,930 --> 00:04:36,810
Now in this type of attack the vulnerable server

93
00:04:36,810 --> 00:04:41,810
is usually a known or a trusted website.

94
00:04:42,160 --> 00:04:46,550
Now in this case, I'm actually using as an example,

95
00:04:46,550 --> 00:04:48,920
you know, the Damn Vulnerable Web Application

96
00:04:48,920 --> 00:04:52,270
and navigating to the cross-site scripting stored exercise,

97
00:04:52,270 --> 00:04:53,270
if you will.

98
00:04:53,270 --> 00:04:55,110
And then in there, I'm actually typing my name

99
00:04:55,110 --> 00:04:59,470
and typing the script alert, "Omar was here",

100
00:04:59,470 --> 00:05:01,770
similar to what you saw before,

101
00:05:01,770 --> 00:05:04,430
and then, you know, closing the script tag.

102
00:05:04,430 --> 00:05:06,210
And then I'm signing that guestbook,

103
00:05:06,210 --> 00:05:08,250
and as you can see, you know, a pop-up message

104
00:05:08,250 --> 00:05:10,600
is actually, you know, appearing in the screen

105
00:05:10,600 --> 00:05:12,310
just like you actually saw before.

106
00:05:12,310 --> 00:05:14,680
However, the difference here is that

107
00:05:14,680 --> 00:05:16,920
if I navigate out of the page,

108
00:05:16,920 --> 00:05:18,450
and I come back to the same page,

109
00:05:18,450 --> 00:05:21,260
you actually see the pop-up message,

110
00:05:21,260 --> 00:05:24,010
you know, again being displayed to the user.

111
00:05:24,010 --> 00:05:26,510
So that is the difference between reflected,

112
00:05:26,510 --> 00:05:29,980
which is non-persistent, and stored,

113
00:05:29,980 --> 00:05:32,330
which is actually persistent cross-site scripting.