Demo: Cross-Site Scripting


Time
2 hours 54 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
00:00
>> Let's take a look now at some cross-site scripting. You'll see here on OWASP 2017 that cross-site scripting was A7, and in Mutillidae there's a whole bunch of different ways to exploit cross-site scripting, and I highly suggest, if you've never used the BeEF framework, to try that. Again, when we talk about impact, the BeEF framework does some great things with BeEF hooks, where you can dump cookies in someone's browser. Again, it really depends on what browser they're using, but you can try to have them. You can make alert boxes pop up, which you know is interesting, but you can also redirect them to phishing pages and see if they'll download executables and things like that, all through their webpage, or their browser, I should say, so that's all pretty interesting stuff.

Let's look at reflected cross-site scripting. If we look at this DNS lookup, I can ping something like 192.168.1.242, but then what if I do something like SVG onload equals, we'll do the big scary one, just to show you what that looks like, and you can see that the big scary one pops up on the webpage. Again, not too interesting. It's reflected back to me. If I look at the webpage, if I look at the source of the page and then I try to find alert one, you can see here it's written to the page itself. What differentiates reflected and stored from DOM-based is that it's actually written to the page, so if we do stored...

Let's do something a little bit more interesting, so we'll look at persistent, Add to your blog, so we'll do an SVG onload equals alert document cookie, and we'll save that. Now we can see the PHP session ID here. As an attacker, what can I do with this? We'll simulate an attacker using a different browser. Right now we're in Firefox. Let's go to Chrome, and you can see here that we're not logged in, whereas here we're logged in as admin, and if I wanted to add cookies here, I can right-click "Inspect". I can go to "Sources". Actually, let me move this down. Application, Cookies, and you can see I have PHP session ID is different. If I add this here and I refresh the page, you can see now I'm logged in as an admin. Again, I can steal cookies with [LAUGHTER] cross-site scripting, and I can steal the cookie and assume the identity, or do a cookie replay attack in this case, and now I'm logged in as admin. That's simulating how bad this can get, where you can steal people's cookies, and if I go to this webpage, every time I refresh, you'll see again, it keeps coming back because it's written to the page itself. If I inspect element and I take a look in here, we can see that SVG onload alert document cookie is written on the page itself. So that was stored.

Now let's take a look at DOM-based. If we look at the page, if we view the source of the page, we can see there's some script. I took this directly from the OWASP website. We have this default parameter of Spanish. Now I can add script, alert, Cybrary, script, and we see that Cybrary is echoed back to us. All this happens in the browser. Nothing happens on the server. If we look here, we don't see Cybrary or the alert box anywhere in here. To make this sneakier, we can use a #. Now, I don't know if you've ever seen a # before, but typically, if you're doing a Google search and you're looking for specific words on the page, the page can be delineated by this # here. You'll see that this happens again with this #. Now, that's not sent to the server, so it's pretty sneaky, because if someone's looking at logs, if you're using a # here, they can't tell that you've done this attack here with cross-site scripting, with JavaScript here; they won't know that, so putting the # there actually is a better way to do a cross-site scripting attack. Again, if you've seen webpages, if you've seen where they have the #, that's just there to delineate somewhere on a page where something might be. But also, as you can see in this case, we can execute JavaScript with it as well to execute our DOM-based cross-site scripting attack. Those are the three types: reflected, stored, and DOM-based cross-site scripting, so now you know.
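To connect the three demos to the defensive side, here is an added example (not code from the Cybrary video, Mutillidae, or the OWASP sample page): it models in plain Node why the URL fragment never reaches the server's access log, why escaping stops the DOM-based `default` parameter from becoming markup, and how the HttpOnly flag keeps the PHP session ID out of `document.cookie`. The host name, paths and cookie values are constructed for the example.

```javascript
// Added example (not from the video): models the demo's behaviour in Node so
// the defensive points can be checked offline. Host and values are constructed.

// Escape text before placing it inside an HTML element body or attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// What the server (and its access log) sees for a URL: browsers never send
// the part after '#', which is why the DOM-based payload is absent from logs.
function requestLineSeenByServer(fullUrl) {
  const u = new URL(fullUrl);
  return `GET ${u.pathname}${u.search} HTTP/1.1`;
}

// Simplified model of the OWASP DOM XSS sample used in the video: a 'default'
// language parameter (normally 'Spanish') is written into an <option>.
// It is read from the fragment if present, otherwise from the query string.
function readDefaultParam(fullUrl) {
  const u = new URL(fullUrl);
  const fromHash = new URLSearchParams(u.hash.replace(/^#/, '')).get('default');
  return fromHash ?? u.searchParams.get('default') ?? 'Spanish';
}
function renderOptionUnsafe(fullUrl) {   // vulnerable: raw document.write/innerHTML
  const lang = readDefaultParam(fullUrl);
  return `<option value="${lang}">${lang}</option>`;
}
function renderOptionSafe(fullUrl) {     // fixed: escape before building markup
  const lang = escapeHtml(readDefaultParam(fullUrl));
  return `<option value="${lang}">${lang}</option>`;
}

// Model of document.cookie: the browser hides cookies flagged HttpOnly, so a
// session cookie set that way is not exposed by alert(document.cookie).
function cookiesVisibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*HttpOnly\b/i.test(h))
    .map((h) => h.split(';')[0].trim())
    .join('; ');
}

// Constructed sample inputs (hypothetical host, paths and session value).
const LOOKUP_URL = 'http://app.example/lookup?host=192.168.1.242';
const DOM_URL = 'http://app.example/dom.html#default=<svg onload=alert(1)>';
const WEAK_COOKIES = ['PHPSESSID=constructed-session-id; Path=/', 'theme=dark; Path=/'];
const HARDENED_COOKIES = ['PHPSESSID=constructed-session-id; Path=/; HttpOnly; Secure', 'theme=dark; Path=/'];

console.log(requestLineSeenByServer(DOM_URL));   // the fragment is not in the request
console.log(renderOptionSafe(DOM_URL));           // payload rendered as inert text
console.log(cookiesVisibleToScript(HARDENED_COOKIES)); // session cookie not readable
```

Run it with `node` to see the three outputs; the unsafe renderer is kept only to compare its output with the escaped version.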