Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Description

This lesson offers an introduction to cross site scripting, also called XSS. This lesson discusses the following:
1. What is XSS?
2. Attack types
3. Attack examples
4. Why is this dangerous?
5. Examples of real-world attacks
XSS is a client-side code vulnerability which allows an attacker to inject malicious scripts and can be used to obtain information from a compromised site. XSS is the most common vulnerability on web sites and there are three types: persistent, reflected and DOM-based. However, this lesson will only cover the persistent and reflected types.
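The description above (and the attack examples in the transcript that follows) is about user input landing in a page unencoded. The example below is added here as an illustration and is not code from the lesson or from Cybrary: a plain Node.js script that shows a reflected-style template and a stored-style guest book, each in a vulnerable form and in a hardened form that HTML-encodes user input on output. The function and class names (escapeHtml, renderGreetingUnsafe, renderGreetingSafe, GuestBook, containsScriptTag) and the sample payload string are all constructed for this example.

```javascript
// Added example (not from the lesson): vulnerable vs. hardened HTML rendering.
// All names here are assumptions of this example, not any real library's API.

// Encode the five characters that matter in HTML text and attribute contexts.
// '&' must be replaced first so that later entities are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reflected case, vulnerable: a query parameter is concatenated straight into markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello ${name}</p>`;
}

// Reflected case, hardened: the same page, but the input is encoded before insertion.
function renderGreetingSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

// Stored (persistent) case: posts are kept server-side and rendered to every visitor,
// so an unencoded post keeps firing for everyone who loads the page.
class GuestBook {
  constructor() {
    this.posts = [];
  }
  add(text) {
    this.posts.push(text);
  }
  renderUnsafe() {
    return this.posts.map((p) => `<li>${p}</li>`).join("");
  }
  renderSafe() {
    return this.posts.map((p) => `<li>${escapeHtml(p)}</li>`).join("");
  }
}

// Crude check used only to show whether a live <script> tag survives into the output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed payload of the kind the lesson describes (a simple alert box). It is
// inert here because this script never hands the string to a browser.
const SAMPLE_PAYLOAD = "<script>alert('Attacked')</script>";

// Render both variants and report whether the script tag survives in each.
function demo() {
  const unsafe = renderGreetingUnsafe(SAMPLE_PAYLOAD);
  const safe = renderGreetingSafe(SAMPLE_PAYLOAD);
  const book = new GuestBook();
  book.add("first post");
  book.add(SAMPLE_PAYLOAD);
  return {
    unsafe,
    safe,
    unsafeExecutes: containsScriptTag(unsafe), // true
    safeExecutes: containsScriptTag(safe), // false
    storedUnsafeExecutes: containsScriptTag(book.renderUnsafe()), // true
    storedSafeExecutes: containsScriptTag(book.renderSafe()), // false
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Output encoding is the fix for both the reflected and the persistent variants the lesson covers: the hardened renderers emit the payload as visible text rather than as markup. For the cookie-stealing variant described in the transcript, marking the session cookie HttpOnly additionally keeps it out of document.cookie, so script in the page cannot read it even if encoding is missed somewhere.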

Video Transcription

00:04
Welcome to Cybrary. I am Raymond Evans and I will be your subject matter expert for Cybrary's web app pen testing course. In this video we will be discussing what is cross site scripting, or the other name it's known by, XSS. So what will be covered? What is XSS
00:20
or cross site scripting,
00:22
attack types,
00:24
attack examples,
00:26
why this is so dangerous, and some examples of real world attacks. So what is cross site scripting?
00:32
Cross site scripting is a client side code vulnerability which allows an attacker to inject code which can execute malicious scripts.
00:41
This type of attack could be used to obtain cookies, session tokens or other sensitive information used with a compromised site. Cross site scripting is one of the most common vulnerabilities discovered and exploited on websites. It
00:55
comes in three different flavors, which are persistent, reflected
00:58
and DOM based. However,
01:00
for this lesson, we will only be covering the persistent and reflected
01:04
types of cross site scripting. Cross site scripting can present a serious concern for websites which contain sensitive user data, or sites which users place their sensitive data into, or sites where users enter their sensitive data into forms. Like I said before,
01:23
the three different types of cross site scripting are persistent, reflected
01:26
and DOM based. However, we will only be covering the persistent and reflected due to them being the most common,
01:34
so
01:34
persistent cross site scripting,
01:38
this form is the most dangerous form of cross site scripting.
01:42
It saves the code to the server and permanently delivers the attack. This can most commonly be found on forums and sites which allow users to post HTML formatted data.
01:53
However, this attack can also occur if the attacker is able to inject their own code onto a web page, so it doesn't have to be a forum
02:07
type website. It can be a website whose security is lacking and allows people to edit the HTML code for the site.
02:19
Persistent is really dangerous because it will always be there. It will constantly hit every single user that goes to that web page.
02:28
So if that persistent occurs and
02:31
the people who own the site are unaware of the attack occurring, then that attack can go on for an extended period of time,
02:40
and the attackers can
02:44
get a lot of information or hit a lot of people with
02:49
whatever they're trying to accomplish. And then we have reflected, which is the more common type of cross site scripting. It's more commonly found in HTTP query parameters or in HTML form submissions.
03:00
This type of attack is most commonly used with a URL that appears to be innocent but has a cross site scripting attack located within the link.
03:09
So the reflected would be more of a one time shot kind of thing,
03:16
or however many times you decide to use that URL that's
03:23
that's malicious. But once you stop sending that URL out to a lot of people,
03:28
the attack is going to stop happening, so that attack is not as bad as a persistent attack.
03:35
There's a couple of attack examples that we put in here. The first attack example we have up here
03:40
simply generates an alert box to a user who's viewing that link. So when a user goes to this site,
03:50
we see the script parameters here,
03:53
and because the website isn't properly
03:58
handling their JavaScript, it will execute that script command that is located in the URL,
04:06
and this first one, the script attack is put after the guest, and it would create a simple alert box that says "Attacked". You could put whatever you want in there. You could put a fake message. Or you can even have that alert box, if you wanted to, you can have a more extravagant
04:26
alert box pop in
04:28
where you would ask for a certain bit of information from a user, and then that information, after it's entered, would be sent back to a listener that the attacker has running. The second example, we have a script
04:42
here that is running
04:44
and making a request for cookies and sending them back to a listener. So here we see the script parameters it's enclosed around.
04:55
And then we are saying that we're creating, calling a new image,
05:00
and the location of the new image is the attacker's IP address.
05:08
So it will send a request
05:11
to get that new image, plus the document
05:15
dot cookie information,
05:17
so it will send the cookies back to the attacker's listener as the request trying to get the image that it's calling for. So
05:30
a little bit of trickery here, tricking the website
05:34
into trying to find an image at a location,
05:39
but in the process of sending the request, it's also sending the cookies in that request.
05:46
That was a pretty bad attack because if you have a cookie editor
05:50
on a web browser
05:51
then the individual who is listening
05:56
can just
05:57
take that cookie information that has been sent to them
06:00
and can then imitate the individual who they are attacking.
06:09
We'll demonstrate this further on, and I will have you
06:14
do this in a lab as well, steal some cookies and imitate a session
06:19
which you are not
06:21
the owner of the session. And then, finally,
06:26
the last attack example here
06:29
is calling a script from an external source. So
06:34
why would you want to call a script from an external source?
06:39
Well, if you have a more extravagant type of alert box, something that has animations, images and all kinds of other things, and you want to present that to a user, you know, something that makes the user
06:54
believe wholeheartedly that what they're seeing in front of them is from the website, and you want them to put in all kinds of different information, or even try to trick them into downloading a piece of malicious software with
07:10
that
07:11
JavaScript that you're calling, you can do that.
07:15
So
07:15
with this last example here, this allows an attacker to do
07:21
a lot of things rather than just a simple alert box. So why is this dangerous? Cross site scripting could be one of the more dangerous attack types due to what it can do. If an iframe used by an advertiser is vulnerable to cross site scripting,
07:39
now a large number of websites delivering that content now become vulnerable. We've seen this in recent news, actually,
07:46
where somebody like Forbes or Yahoo have an iframe,
07:51
and the advertiser who's delivering content to that iframe has now become compromised, and they're now delivering malicious
08:01
content to individuals.
08:03
So that's really, really dangerous, because if
08:09
a large number of websites are all using
08:11
this advertiser, then a large number of websites could potentially become victim now to this malicious attack. Like I said before, it can be used to steal cookies, and
08:24
these cookies can be used to imitate another user, and
08:30
that person who's imitating the new user has the ability to do whatever they want. Now it can also be used to deliver a malicious payload,
08:39
which would allow the attacker to gain control of their browser via a piece of software called BeEF.
08:46
We're going to be covering BeEF later on. We'll have an exercise and some demonstrations on it.
08:52
It's a fantastic tool as a pen tester to see just how far you can take your
09:01
vulnerability.
09:03
So
09:03
if you think, well, an internal web page is vulnerable to cross site scripting, but you know, we have proxies and firewalls and all kinds of IDSs and IPSs
09:16
that won't allow,
09:16
you know, callbacks or information to be funneled out,
09:20
BeEF is an excellent tool to see just how far you can take this cross site scripting exploit. And also cross site scripting could be used to redirect users to a malicious page or convince a user to input their credentials into foreign fields generated by cross site scripting. So you could think that you're placing
09:39
your bank login credentials on their web page. However,
09:43
they may be victim to cross site scripting,
09:46
and those form fields might actually have other foreign fields overlaid on top of them to actually
09:54
take your credentials rather than the web page.

Up Next

Web Application Penetration Testing

In this web application penetration testing course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment.

Instructed By

Raymond Evans
Instructor