And next we're gonna do a cross-site scripting check with Arachni. Fantastic tool. All right, we're on the Kali box again
and do a quick ls. We're sitting. We're gonna do a cd to change directory over to the desktop.
We're gonna cd over to Arachni,
and then we're going to start Arachni web with a
./arachni_web.
Give it a second to start up here.
All right. And Arachni has started on localhost at port 9292.
So here in Iceweasel,
we're signing in with admin@admin.admin with a password of administrator.
And we have successfully logged in to Arachni.
Now we're gonna come up here to scans and start a new scan
on our target URL. We want to
that 1680 dy 11. Remember, you have to put the http:// four. Selection of fried.
We drop down here and select Cross-Site Scripting, global,
and we will want to, uh,
increase the instances. Multiple instances will achieve higher efficiency levels,
and, uh, you will have
decreased scan times.
When you're running a scanner against a web application,
you don't necessarily want to throw too much at the web application at once. I have run scans against web applications for companies I've worked with, and
they have had pages that have been very brittle, and as the scanners hit those pages, it just completely breaks them
and causes the entire server to crash.
So you don't want to overload a web page necessarily. Um,
in a practice range, like the pen tester labs, which are
built and designed to be able to be scanned heavily,
by all means, up the instance count to knock out the scans as quick as you want.
In a real-world environment, keep the instances down. Run one kind of vulnerability scan at a time, meaning go through SQL injection and then, after SQL injection, hit that cross-site scripting and LFI,
directory traversal, whatever,
do them one at a time. Because if something crashes, if something breaks or something fails, you want to be able to identify what type of test broke it.
If you're running everything at the same exact time, you necessarily can't pinpoint exactly what broke that page. So you want to do it step by step by step by step.
All right, so we're gonna run a scan now,
and we're gonna let Arachni here do its thing.
All right, the scan is complete. That was a quick scan.
If you're running on a larger website
that has more code going for it, those scans will not be that quick.
We see the cross-site scripting, and we see cross-site scripting in script context.
So we have two different types of cross-site scripting vulnerabilities
that have been found.
So let's come up here. Let's take a look at example one here;
it was awaiting our review.
We can see the seed that was injected
for this cross-site scripting,
and we could see the request down here.
And so it gives us back our request that was sent.
And then if you come further down, you see the response, and we see here in the HTML code, hacker,
and all these numbers.
Now, in this response back, we're seeing it's in HTML code, which means that most likely there was a prompt of some sort that had
due to this cross-site scripting attack.
We discovered it here with this tool.
Again, tailor your attack.
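
The scan above reported one finding in plain HTML and one "in script context". The following is an added example, not part of the video or of Arachni, showing how a reviewer can confirm which context a reflected seed landed in and which output encoding fixes it. The seed value, the sample responses and all names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed marker and responses; not taken from the scan in the video.
SEED = "hacker1234"
HTML_RESPONSE = "<html><body><p>Results for hacker1234</p></body></html>"
SCRIPT_RESPONSE = "<html><body><script>var q = 'hacker1234';</script></body></html>"

# Output encoding the developer needs for each reflection context.
FIX_FOR = {
    "html": "HTML-entity encode the value on output",
    "attribute": "attribute-encode the value and keep the attribute quoted",
    "script": "JavaScript-string escape it, or pass it as JSON data instead",
}


class ReflectionFinder(HTMLParser):
    """Records the parsing context of every place the seed is reflected."""

    def __init__(self, seed):
        super().__init__()
        self.seed = seed
        self.in_script = False
        self.contexts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for _name, value in attrs:
            if value and self.seed in value:
                self.contexts.append("attribute")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Text inside <script> is code, everything else is page markup.
        if self.seed in data:
            self.contexts.append("script" if self.in_script else "html")


def reflection_contexts(body, seed=SEED):
    finder = ReflectionFinder(seed)
    finder.feed(body)
    finder.close()  # flush any buffered trailing text
    return sorted(set(finder.contexts))


if __name__ == "__main__":
    for name, body in (("html", HTML_RESPONSE), ("script", SCRIPT_RESPONSE)):
        for ctx in reflection_contexts(body):
            print(f"{name} response: seed in {ctx} context -> {FIX_FOR[ctx]}")
```
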