Welcome to Cybrary. I'm Raymond Evans. I will be your subject matter expert for Cybrary's web app penetration testing course. In this section, we will be discussing discovering cross-site scripting. So what will be covered? Well, we're gonna be discussing
discovering cross-site scripting with tools and discovering cross-site scripting manually.
So the first tool that we will be discussing is cross-site scripting with Vega. I showed you SQL injection discovery with Vega, so now I'm gonna cover some cross-site scripting discovery with Vega as well. So here we are in our Kali environment.
What we're gonna have to do is go up to Applications. We have Web Application Analysis, and you're going to start Vega up. Now, remember, it does take a second for Vega to pop up, so you've got to stick with it and, uh,
let it do its thing.
All right, so here we have Vega up. We see some of the results from our previous scan up here still populated.
So let's go to Scan and start a new scan.
And our URL for our page was 192
Gonna click next on here
Now, if you do have the old results in, you will want to include the previously discovered paths from the Web model,
turn everything off again, and then we're gonna come through and turn on the cross-site scripting injection check here.
Make sure we've got everything, if there's any other cross-site scripting here.
No, looks like that would be everything. Press next.
Again, if we had some kind of identity we would like to use, here we could do that. Next again.
And again, if there are any kind of parameters you want to exclude, you will put them here. So let's finish.
Bam. Let's let it run its scan here,
and we see the scan has started identifying some vulnerabilities here. So let's click down here and let's take a look at what the scan gives us here.
So it's identified 10 cross site scripting
vulnerabilities here, and we can click on the vulnerability it's found.
See the request that was made and come down here. We can see some impact and remediation and discussion
Come over here to requests. You can see some more detailed information here,
so example, five request was made.
We'll see exactly what was made. And then if you want to dig deeper into what you've gotten back,
you can view the response here to try to figure out where exactly
the cross-site scripting popped off and,
you know, what exactly it had done here.
So we will actually be showing you, uh, manual cross-site scripting here
to show you what it looks like firsthand when, uh, when you attempt a cross-site scripting here.
Let's see, where's our cross-site scripting at?
Here we see a request, and in the response it highlights in the HTML code
where you received the response back, which is very handy. So this helps you pinpoint
where exactly you want to place that attack, what you want to see for the attack, and things like that in the discovery phase. So
it's really good to check out the response and see what you get back,
to tailor and create your next attack.