Cross-Site Scripting (XSS)


Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:01
Cross-site scripting.
00:03
Our learning objectives are to understand the basics of cross-site scripting,
00:07
demonstrate how to use the BeEF framework, and identify the different types of cross-site scripting vulnerabilities.
00:14
So I've spoken a lot about server-side attacks: attacking FTP servers, attacking web servers,
00:21
attacking SMB. So these are all server-side attacks.
00:27
Client-side attacks require having somebody interact,
00:32
like a victim opening up their browser and surfing to your website.
00:37
We saw this client-side attack
00:39
in the Wireshark module and the drive-by download: that person had to click that link and be enticed to go to our website.
00:47
Cross-site scripting is an injection attack. So we're actually allowed to, or we're able to, inject
00:56
JavaScript
00:58
into a web form or into the URL bar itself. Kind of like SQL injection, where we could also write SQL queries into things like the URL bar itself
01:10
or into a form. Cross-site scripting: you can write JavaScript into the URL
01:15
or into a form.
01:18
And what makes that dangerous is JavaScript allows attackers to do things like steal cookies
01:23
and redirect victims to their controlled page.
01:27
And you can also inject things like HTML, which is not as bad. Why? Because HTML is static.
01:34
So an HTML injection would just be
01:36
adding things like, you know, "click this link",
01:40
and that person on the page could see a "click this link",
01:44
but it wouldn't actually execute any kind of script.
01:49
So there's three types of JavaScript, or I'm sorry, cross-site scripting
01:53
attacks. One is reflected,
01:56
where you send somebody a link and it executes the JavaScript when they click it.
02:01
There's stored, where it's actually written to the server. It's actually written on the page. Reflected is also written on the page when it's executed,
02:08
but stored is on the page. So you'll see this a lot in web forms, or forums, I should say,
02:15
where people visit the forum and there's stored JavaScript in it that may redirect the victim to the attacker's controlled page, or there might be a small little image in there that is actually redirecting someone's browser or having their browser contact
02:30
the attacker's controlled server so they can steal cookies
02:34
and then log in as the victim.
02:36
And there's also DOM-based. DOM-based is hard to understand for a lot of people,
02:40
but it's not written to the server like stored or reflected, where you can actually see it in the source of the page.
02:47
DOM occurs in the Document Object Model of the page. The Document Object Model, which is
02:55
kind of a hard
02:58
thing to understand in itself.
03:00
But we'll talk about that a little bit later. So it's not dealing with the server itself, it's dealing with
03:07
the DOM, which is an interface in the browser. So you won't actually see it written on the page.
03:19
All right,
03:20
Reflected.
03:22
Reflected means a victim has to click on a link.
03:25
And within that link is malicious JavaScript. So it's very easy to see that if you click a link that has a script tag in it,
03:35
that JavaScript will be executed. So what an attacker may do is create something like a bit.ly link, or a shortened link, that a victim clicks, or
03:45
they may create a typosquatted domain. What does typosquatted mean? Typosquat? It means if I want to typosquat something like google, instead of the o's I could put zeros, and the victim would look at that link and say, oh, I'm going to google, but in fact it's google with two zeros as opposed to two o's.
04:01
Okay.
04:02
So if the victim clicks the link, you can have a script in there; you can write JavaScript that redirects them to your controlled page, which could look like a Gmail login
04:15
and is actually the attacker's controlled site, and the victim enters their credentials and the attacker steals their credentials from there.
04:21
You'll see this a lot in bug bounty. There are so many reflected cross-site scripting vulnerabilities,
04:29
and I see this a lot with payloads where they'll do this <script>alert(1)</script>,
04:34
and they'll show the big, what's called the big scary 1.
04:39
As a client, if a pen tester or bug bounty hunter showed this to me, I would ask, where's the impact? Okay, you can make a big scary 1 pop up. Let me show you what it looks like.
04:50
Wow. There it is.
04:54
So here's the vulnerable site. As you can see, it's my baby. It's a vulnerability in my BB. It's a cross-site scripting vulnerability, reflected,
05:00
and you can see in the URL bar the script tags, right: script alert 1. And then it's URL-encoded, but that's a forward slash, that %2F,
05:10
script, and it's writing an alert box with 1 in it. We can do better than that.
05:16
And I'll show you that with the BeEF framework. But if you look at the source of the page, you can see that that script tag is written into the page itself.
05:27
So if you analyze the source, if you're having issues with your payload,
05:32
you can kind of mess around and look at the source of the page and see how it's written into the source of the page to modify your payload. I've had to do this a lot with, you know, submitting cross-site scripting
05:44
vulnerabilities for different programs, where, you know, you're trying to get your cross-site scripting payload to work and you need to focus on the parentheses, and you know where to, and you'll see input,
05:56
and then you'll see that I put the finishing
06:00
greater-than sign, and that closed it, and then I added my script tag, and that's why that worked as a payload there.
06:09
So the BeEF framework,
06:11
this is a lot more impactful than the 1. Okay, I'm gonna show you the BeEF framework in the demo, but how do we use the BeEF framework? I showed you how to set it up earlier.
06:21
But
06:23
when you start the BeEF framework, ensure that your Apache server is running in Kali.
06:28
You need to create a vulnerable web page in /var/www/html, which is where your Apache server's root is.
06:36
And you need to create a page, call it whatever you want, with this script in it: script source equals your IP address on port 3000,
06:46
forward slash hook.js. That's how that BeEF hook works.
06:51
And you need to click, you have to entice the victim to click that link, which executes the JavaScript
06:58
that redirects them to your controlled page.
07:01
Yeah,
07:03
So you'll change the payload. Like you saw the big scary 1; instead of the big scary 1, this is what I put: script document.location equals my controlled server and my page that I made, which is this err.html page, which is my malicious page.
07:20
So this is what the victim sees. So instead of the big scary 1, they get redirected to my page and they see "The application has encountered an error. Please try again." That's all that they see.
07:30
But behind the surface and the source of the page,
07:33
you can see that script tag with the source being that BeEF hook, and you can see in BeEF, we hooked the browser.
07:45
Now let's talk about stored cross-site scripting.
07:47
So again, this is going to be written to the server, it's going to be written to things like forums
07:54
where, for everyone that visits that forum, that JavaScript payload is executed
07:59
and you can redirect victims, you can steal their cookies.
08:03
You'll see this a lot in CTFs, capture the flags, where, you know, now again, think about this from the lab maker's perspective:
08:13
they need to script victims. They need to script people that go to that page, and you can steal their cookies. So it's a lot harder as a lab maker
08:22
to have to write a script where you script victims. I don't think anyone's gonna be sitting there. You know, I'm not giving any hints or anything like that, but
08:31
think about it for PWK or OSCP. Again, I'm not giving any hints, but
08:37
they have to script a victim going to that page. Could they do that? Sure, it's extra work for them.
08:43
But again, that's why this is a client side attack.
08:46
So this is where you can steal cookies from actually legitimate victims that visit the page, and you can log in as, like, the admin. You know, you're looking for the admin user, you're looking for the admin user's cookies, because then you can add that cookie to your browser and then become the admin.
09:03
DOM-based. Okay, I talked about this before: it occurs in the Document Object Model and it's not written into the page. Like we looked at the source of the page with reflected; with stored, same thing, it's written into the page. With DOM it's not; you're not going to see it in the page. It's a lot harder.
09:20
You know, I have Burp active scanner; it's a lot harder to find, because what does Burp active scanner look for?
09:26
It looks for, when it sends a cross-site scripting payload, that it will see it in the source of the page. It can't do that with DOM-based because it's not written into the page itself.
09:37
It depends on the browser. All these depend on the browser, though. So I'd say out of all the browsers, for testing this use Firefox; it's the most forgiving for cross-site scripting payloads.
09:48
So I'm gonna do the summary and then I'm gonna jump right into the demo for BeEF.
09:54
So in summary, we should understand the basics of cross-site scripting. I will demonstrate how to use the BeEF framework in our lab, or I'm sorry, demo, next.
10:01
And then we will identify, or we can identify, the different types of cross-site scripting vulnerabilities.
10:09
Mm.
10:13
Mhm.
10:16
Yeah.