Part 1 - What is XSS



Time: 4 hours 20 minutes
Difficulty: Intermediate
CEU/CPE: 5
Video Description

This lesson offers an introduction to cross-site scripting, also called XSS. The lesson covers:

1. What is XSS?
2. Attack types
3. Attack examples
4. Why is this dangerous?
5. Examples of real-world attacks

XSS is a client-side code vulnerability which allows an attacker to inject malicious scripts, and it can be used to obtain information from a compromised site. XSS is the most common vulnerability on websites, and there are three types: persistent, reflected and DOM-based. However, this lesson will only cover the persistent and reflected types.

Video Transcription
00:03
Welcome to Cybrary. I am Raymond Evans and I will be your subject matter expert for Cybrary's web app pentesting course. In this video we will be discussing what is cross-site scripting, or the other name it's known by, XSS. So what will be covered? What is XSS or cross-site scripting, attack types, attack examples, why this is so dangerous, and some examples of real-world attacks.

So what is cross-site scripting? Cross-site scripting is a client-side code vulnerability which allows an attacker to inject code which can execute malicious scripts. This type of attack can be used to obtain cookies, session tokens, or other sensitive information used with a compromised site. Cross-site scripting is one of the most common vulnerabilities discovered and exploited on websites. It comes in three different flavors, which are persistent, reflected, and DOM-based. However, for this lesson, we will only be covering the persistent and reflected types of cross-site scripting. Cross-site scripting can present a serious concern for websites which contain sensitive user data, or sites which users place their sensitive data into, or sites where users enter their sensitive data into forms.

Like I said before, the three different types of cross-site scripting are persistent, reflected, and DOM-based. However, we will only be covering the persistent and reflected, due to them being the most common.

So, persistent cross-site scripting. This form is the most dangerous form of cross-site scripting. It saves the code to the server and permanently delivers the attack. This can most commonly be found on forums and sites which allow users to post HTML-formatted data. However, this attack can also occur if the attacker is able to inject their own code onto a web page, so it doesn't have to be a forum-type website. It can be a website whose security is lacking and allows people to edit the HTML code for the site. Persistent is really dangerous because it will always be there. It will constantly hit every single user that goes to that web page. So if that persistent attack occurs and the people who own the site are unaware of the attack occurring, then that attack can go on for an extended period of time, and the attackers can get a lot of information or hit a lot of people with whatever they're trying to accomplish.

Then we have reflected, which is the more common type of cross-site scripting. It's more commonly found in HTTP query parameters or in HTML form submissions. This type of attack is most commonly used with a URL that appears to be innocent, but has a cross-site scripting attack located within the link. So the reflected will be more of a one-time-shot thing, or however many times you decide to use that URL that's malicious. But once you stop sending that URL to people, the attack is going to stop happening. So that attack is not as bad as a persistent attack.

So here's a couple of attack examples that we put in here. The first attack example we have up here simply generates an alert box to a user who's viewing that link. So when a user goes to this site, we see the script parameters here. Because the website isn't properly handling their JavaScript, it will execute that script command that is located in the URL. In this first one, the script attack is put after the guest, and it would create a simple alert box that says "attacked". You can put whatever you want in there. You can put a fake message, or you can even have that alert box if you wanted to. You can have a more extravagant alert box popping where you would ask for a certain bit of information from a user, and that information, after it's entered, would be sent back to a listener that the attacker has running.

The second example, we have a script here that is running and doing a request for cookies and sending them back to a listener. So here we see the script parameters and it's enclosed around, and then we are saying that we're calling a new image, and the location of the new image is the attacker's IP address. So it will send a request to get that new image plus the document.cookie information. So it will send the cookies back to the attacker's listener as the request trying to get the image that it's calling for. So a little bit of trickery here, tricking the website into trying to find an image at a location. But in the process of sending the request, it's also sending the cookies in that request. Now this is a pretty bad attack, because if you have a cookie editor on a web browser, then the individual who is listening can just take that cookie information that has been sent to them and can then imitate the individual who they are attacking. We'll demonstrate this further on, and I will have you do this in a lab as well: steal some cookies and imitate a session which you are not the owner of.

Then finally, the last attack example here is calling a script from an external source. Why would you want to call a script from an external source? Well, if you have a more extravagant type of alert box, something that has animations, images, and all kinds of other things, and you want to present that to a user, something that makes the user believe wholeheartedly that what they're seeing in front of them is from the website, and you want them to put in all kinds of different information, or even try to trick them into downloading a piece of malicious software with that JavaScript that you're calling, you can do that. With this last example here, this allows an attacker to do a lot of things rather than just a simple alert box.

So why is this dangerous? Cross-site scripting can be one of the more dangerous attack types due to what it can do. If an iframe used by an advertiser is vulnerable to cross-site scripting, a large number of websites delivering that content now become vulnerable. We've seen this in recent news, actually, where somebody like Forbes or Yahoo have an iframe, and the advertiser who's delivering content to that iframe has now become compromised, and they are now delivering malicious content to individuals. So that's really dangerous, because if a large number of websites are all using this advertiser, then a large number of websites could potentially become victim now to this malicious attack. Like I said before, it can be used to steal cookies, and these cookies can be used to imitate another user, and that person who's imitating the new user has the ability to do whatever they want now. It can also be used to deliver a malicious payload, which would allow the attacker to gain control of their browser via a piece of software called BeEF. We're going to be covering BeEF later on. We'll have an exercise, some demonstrations on it. It's a fantastic tool as a pen tester to see just how far you can take your vulnerability. So if you think, well, an internal web page is vulnerable to cross-site scripting, but we have proxies and firewalls and all kinds of IDS and IPSs that won't allow callbacks or information to be funneled out. BeEF is an excellent tool to see just how far you can take this cross-site scripting exploit.

Also, cross-site scripting can be used to redirect users to a malicious page, or convince a user to input their credentials into form fields generated by cross-site scripting. So you could think that you're placing your bank login credentials on a web page; however, they may be victim to cross-site scripting, and those form fields might actually have other form fields overlaid on top of them to take your credentials rather than the web page.
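The reflected case the video walks through (a query parameter echoed into the page, with a script tag slipped in after "Guest") comes down to one missing step on the server: encoding the untrusted value for the HTML context before it is written out. The following is an added example, not code from the Cybrary lesson or its slides: it puts the vulnerable sink beside the encoded one and includes a small guard a test suite can run over rendered output. The function names, the example.test URLs and the parameter name `name` are this example's own assumptions.

```javascript
// Added example, not code from the Cybrary lesson: the reflected-XSS sink the
// video describes (a query parameter echoed into the page) next to an
// output-encoded version, plus a small check a test suite can run.
// Function and URL names here are this example's own assumptions.

// Escape the characters that break out of an HTML text or quoted-attribute
// context. This is the standard output-encoding step for HTML body content.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the untrusted parameter is concatenated straight into
// HTML, so anything after "Guest" in the link is rendered as markup.
function renderUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened pattern: same template, untrusted value encoded for the HTML context.
function renderSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Read one query parameter the way a browser or server framework would
// (percent-decoding included), so the check sees the real injected text.
function queryParam(url, key) {
  return new URL(url).searchParams.get(key);
}

// Crude guard for a test suite or log review: does the rendered HTML carry a
// script tag, an inline event handler, or a javascript: URL the template
// never had? A real deployment would pair this with CSP and a reviewed encoder.
function containsActiveHtml(html) {
  return /<\s*script\b|\bon\w+\s*=|javascript:/i.test(html);
}

// Constructed sample links: a benign visit and one carrying the kind of
// alert payload shown on the lesson's slide.
const BENIGN_URL = 'https://example.test/greet?name=Guest';
const HOSTILE_URL =
  'https://example.test/greet?name=Guest%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// Render both links through both sinks and report what each produced.
function compareSinks() {
  const benign = queryParam(BENIGN_URL, 'name');
  const hostile = queryParam(HOSTILE_URL, 'name');
  return {
    unsafeBenign: renderUnsafe(benign),
    unsafeHostile: renderUnsafe(hostile),
    safeHostile: renderSafe(hostile),
    unsafeExecutes: containsActiveHtml(renderUnsafe(hostile)),
    safeExecutes: containsActiveHtml(renderSafe(hostile)),
  };
}

console.log(compareSinks());
```

Run it with `node` and compare `unsafeHostile` with `safeHostile`: the encoded version still shows the visitor the literal text they typed, but the browser never sees a `<script>` element, so there is nothing to execute. The same encoding step is what neutralises the persistent variant, since stored forum posts pass through the same render path. The cookie-theft example in the video (`new Image()` with `document.cookie` appended to the source) is additionally blunted by setting the session cookie with the `HttpOnly` flag, which keeps it out of `document.cookie` entirely even when script does run.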