Part 3 - Discovering XSS

Video Activity

This lesson continues to cover XSS and focuses on XSS discovery with Vega. Participants receive step-by-step instructions on how to turn on the XSS injection checks and perform a scan.


Time: 4 hours 20 minutes
Difficulty: Intermediate
CEU/CPE: 5
Video Transcription
00:03
>> Welcome to Cybrary. I'm Raymond Evans and I will be your subject matter expert for Cybrary's web app penetration testing course. In this section, we will be discussing discovering cross-site scripting.

What I'll be covering? Well, we're going to be discussing discovering cross-site scripting with tools and discovering cross-site scripting manually.

The first tool that we will be discussing is cross-site scripting with Vega. I showed you SQL injection discovery with Vega. Now, I'm going to cover some cross-site scripting discovery with Vega as well.
So here we are in our Kali environment. What you're going to have to do is go to applications, web application analysis, and you're going to need to start the Vega app. Now, remember it does take a second for Vega to pop up, so you got to stick with it and let it do its thing.

Here we have Vega and we see some of the results from our previous scan up here still populated. Let's go to scan, start a new scan and our URL for our page was 192.168.0.11. I'm going to click Next on here. Now, if you do have the old results in, you will want to include the previously discovered paths from the web model.

We're going to turn everything off again and then we are going to come through, turn on cross-site scripting injection check here and come down here, make sure we got everything if there's any other cross-site scripting here. Nonetheless, this would be everything for us. So just hit Next. Again, if we had some identity we would like to use, this is where we could do that. Next again, and again, if there's any parameters you want to exclude, you'll put them here. So it's finished. Let's let it run its scan here.
We see the scan has started identifying some vulnerabilities here. Let's click down here and let's take a look at what the scan gives us here. So it has identified 10 cross-site scripting vulnerabilities here, and we can click on the vulnerability that's found, see the request that was made, and come down here and we can see some impact and remediation and discussion.

Come over here to requests we can see some more detailed information here. So example 5 request was made and we can see exactly what was made and then if you want to dig deeper into what you've gotten back, you can view the response here to try and figure out where exactly the cross-site scripting popped off and what exactly it had done here.

We will actually be showing you a manual cross-site scripting here, and sure it looks like firsthand when you attempt a cross-site scripting here. Where's our cross-site scripting at? Here we are. Here we see a request and the response and highlights an HTML code where you received the response back, which is very handy. So this helps you pinpoint where exactly you want to place it, the attack, what you want to see for the attack and things like that in the discovery phase. I'm going to go check out the response and see what you get back to help tailor and create your next attack.