Welcome to Cybrary. I am Raymond Evans and I will be your subject matter expert for Cybrary's Web App Pen Testing course. In this video we will be discussing what is cross site scripting, or the other name it's known by, XSS. So what will be covered? What is XSS, or cross site scripting, why this is so dangerous, and some examples of real world attacks.

So what is cross site scripting? Cross site scripting is a client-side code vulnerability which allows an attacker to inject code which can execute malicious scripts. This type of attack could be used to obtain cookies, session tokens or other sensitive information used with a compromised site. Cross site scripting is one of the most common vulnerabilities discovered and exploited on websites. It comes in three different flavors, which are persistent, reflected and DOM-based. However, for this lesson we will only be covering the persistent and reflected types of cross site scripting.

Cross site scripting can present a serious concern for websites which contain sensitive user data, or sites where users enter their sensitive data into forms. Like I said before, the three different types of cross site scripting are persistent, reflected and DOM-based. However, we will only be covering persistent and reflected, due to them being the most common.
Persistent cross site scripting. This form is the most dangerous form of cross site scripting. It saves the code to the server and permanently delivers the attack. This can most commonly be found on forums and sites which allow users to post HTML formatted data. However, this attack can also occur if the attacker is able to inject their own code onto a web page, so it doesn't have to be a forum-type website. It can be a website whose security is lacking and allows people to edit the HTML code for the site. Persistent is really dangerous because it will always be there. It will constantly hit every single user that goes to that web page. So if that persistent attack occurs and the people who own the site are unaware of the attack occurring, then that attack can go on for an extended period of time, and the attackers can get a lot of information or hit a lot of people with whatever they're trying to accomplish.

And then we have reflected, which is the more common type of cross site scripting. It's more commonly found in HTTP query parameters or in HTML form submissions. This type of attack is most commonly used with a URL that appears to be innocent but has a cross site scripting attack located within the link. So the reflected would be more of a one-time shot kind of thing, or however many times you decide to use that URL that's malicious. But once you stop sending that URL out to people, the attack is going to stop happening, so that attack is not as bad as a persistent attack.
There's a couple of attack examples that we put in here. The first attack example we have up here simply generates an alert box to a user who's viewing that link. So when a user goes to this site, we see the script parameters here, and because the website isn't properly handling their JavaScript, it will execute that script command that is located in the URL. In this first one the script attack is put after the guest, and it would create a simple alert box that says "Attacked". You could put whatever you want in there. You could put a fake message, or, if you wanted to, you can have a more extravagant alert box where you would ask for a certain bit of information from a user, and then that information, after it's entered, would be sent back to a listener that the attacker has running.

The second example we have is a script here that is running and doing a request for cookies and sending them back to a listener. So here we see the script parameters it's enclosed around, and then we are saying that we're creating, calling a new image, and the location of the new image is the attacker's IP address. So it will send a request to get that new image, plus the document.cookie information, so it will send the cookies back to the attacker's listener as the request trying to get the image that it's calling for. So a little bit of trickery here, tricking the website into trying to find an image at a location, but in the process of sending the request it's also sending the cookies in that request. That was a pretty bad attack because if you have a cookie editor, then the individual who is listening can take that cookie information that has been sent to them and can then imitate the individual who they are attacking. We'll demonstrate this further on, and I will have you do this in a lab as well: steal some cookies and imitate a session as the owner of the session.

And then finally, the last attack example here is calling a script from an external source. So why would you want to call a script from an external source? Well, if you have a more extravagant type of alert box, something that has animations, images and all kinds of other things, and you want to present that to a user, you know, something that makes the user believe wholeheartedly that what they're seeing in front of them is from the website, and you want them to put in all kinds of different information, or even try to trick them into downloading a piece of malicious software with the JavaScript that you're calling, you can do that with this last example here. This allows an attacker to do a lot of things rather than just a simple alert box.

So why is this dangerous? Cross site scripting could be one of the more dangerous attack types due to what it can do. If an iframe used by an advertiser is vulnerable to cross site scripting,
now a large number of websites delivering that content become vulnerable. We've seen this in recent news, actually, where somebody like Forbes or Yahoo have an iframe, and the advertiser who's delivering content to that iframe has now become compromised, and they're now delivering malicious content to individuals. So that's really, really dangerous, because if a large number of websites are all using this advertiser, then a large number of websites could potentially become victim to this malicious attack.

Like I said before, it can be used to steal cookies, and these cookies can be used to imitate another user, and that person who's imitating that user has the ability to do whatever they want. Now it can also be used to deliver a malicious payload, which would allow the attacker to gain control of their browser via a piece of software called BeEF. We're gonna be covering BeEF later on. We'll have an exercise and some demonstrations on it. It's a fantastic tool as a pen tester to see just how far you can take it. If you think, well, an internal web page is vulnerable to cross site scripting, but, you know, we have proxies and firewalls and all kinds of IDSes and IPSes, you know, for callbacks or information to be funneled out, BeEF is an excellent tool to see just how far you can take this cross site scripting exploit.

Also, cross site scripting could be used to redirect users to a malicious page, or convince a user to input their credentials into form fields generated by cross site scripting. So you could think that you're placing your bank login credentials on their web page. However, they may be victim to cross site scripting, and those form fields might actually have other form fields overlaid on top of them to actually take your credentials rather than the web page
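The reflected "guest" alert example and the document.cookie theft example from the lesson, seen from the defender's side. This is an added example and not part of the Cybrary course material: it shows the query parameter rendered into the page unescaped (the sink the lesson describes) next to the same template with HTML escaping, and a session cookie issued with the HttpOnly flag so that a script running in the page cannot read it out of document.cookie. The function names, the example.test host and the sample URL are constructed for this illustration; the code uses only Node's global URL object and runs offline.

```javascript
// Added example (not from the Cybrary course): the reflected "guest" sink the
// lesson describes, next to a hardened version, plus the HttpOnly cookie flag
// that blunts the document.cookie theft shown in the second example.
// Uses only Node's global URL object, so it runs offline.

// Escape the characters that let untrusted text break out of an HTML text
// node or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable sink: the query parameter is interpolated into the page as-is,
// so whatever markup the URL carries is reflected back to the visitor's
// browser and executed there.
function renderGreetingVulnerable(requestUrl) {
  const guest = new URL(requestUrl).searchParams.get("guest") || "guest";
  return `<h1>Welcome, ${guest}!</h1>`;
}

// Hardened sink: identical template, but the parameter is HTML-escaped first,
// so the browser renders the payload as text instead of running it.
function renderGreetingSafe(requestUrl) {
  const guest = new URL(requestUrl).searchParams.get("guest") || "guest";
  return `<h1>Welcome, ${escapeHtml(guest)}!</h1>`;
}

// Defence in depth for the cookie example: a session cookie flagged HttpOnly
// is withheld from document.cookie, so even a successful injection has nothing
// to forward to an attacker's listener. Secure and SameSite are the usual
// companions on a session cookie.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Simple check a reviewer or test can apply to rendered output: does a
// <script ...> tag survive in the HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample request carrying the alert-box payload from the lesson;
// example.test is a placeholder host.
const sampleUrl =
  "https://example.test/welcome?guest=%3Cscript%3Ealert(%27Attacked%27)%3C%2Fscript%3E";

console.log("vulnerable:", renderGreetingVulnerable(sampleUrl));
console.log("hardened:  ", renderGreetingSafe(sampleUrl));
console.log("Set-Cookie:", sessionCookieHeader("constructed-session-token"));
```

Running it prints the same template twice: the first line carries a live script tag, the second carries it as harmless `&lt;script&gt;` text. Escaping at the point where untrusted data meets HTML is what stops the reflected case; HttpOnly does not prevent the injection, but it removes the session cookie from what an injected script can read, which is exactly what the lesson's image-request trick depends on.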