Part 4 Reflected XSS JS context Demo
Video Activity
This lesson demonstrates a reflected cross-site scripting flaw in a JavaScript context: a URL parameter is reflected unencoded into a script block, so its value can be manipulated to inject malicious code. With Burp Suite turned on, participants learn how to intercept the request going to the site. A payload is then built in the username parameter.
Video Transcription
00:04
Hello and welcome to the Cybrary Secure Coding Course. My name is Sonny Wear, and this is the OWASP Top 10 for 2013.
00:14
A3 Cross-Site Scripting demo:
00:17
reflected cross-site scripting via JavaScript context.
00:23
This is the demo for reflected cross-site scripting,
00:28
using the JavaScript context to actually manipulate the URL.
00:34
Now, as you go to this particular page,
00:37
which is located under A1 Injection (Other),
00:41
JavaScript injection
00:44
password generator.
00:47
When you take a look at the page, it really doesn't look like there's any kind of input being done or any way to inject malicious script into this page.
00:58
But if you take a look at the URL,
01:00
you will notice that there is actually a page that's being requested,
01:08
followed by another parameter, which is username, and that has a value right now of anonymous.
01:17
So what we want to do is we want to turn on Burp Suite, and we want to intercept the request that's going to this page. In order to get this to work, I did a spider of this particular website,
01:29
and how you can do that is you go ahead and add in where your Mutillidae is running,
01:37
the IP address and the port.
01:40
And then you go over to the site map
01:44
and
01:45
you make sure that your requested items are being shown in the site map,
01:52
and then you can just right click and spider this host.
01:56
So once you do that, you should be able to properly intercept the request.
02:02
So we have an interception now,
02:06
Um, and how you generate this is just by
02:10
going over to the menu and selecting that item
02:15
JavaScript injection password generator,
02:20
and it will intercept that.
02:23
So I want to go ahead and send this request over to the repeater
02:30
so that we're able to send the same request over and over again without having to go through the menu.
02:37
So since we have this, we can go ahead and turn our interceptor off,
02:43
go back to the repeater and go ahead and send our request using this go button
02:47
that gives us our response.
02:51
So, in order to see where we could possibly inject our malicious code, let's go ahead and manipulate our username parameter here.
03:02
Instead of anonymous, I'm actually gonna put
03:07
my name in all capitals
03:09
and send that request,
03:13
and then we're gonna search for that string,
03:19
okay? And we see that it ends up inside of a JavaScript block
03:27
and it has
03:30
this string that gets displayed.
03:32
So the next thing we want to do is we can see that
03:37
our same string comes back to us, but we're not sure still if the programmer has put in
03:45
any kind of output encoding, and so how we can test that is if we actually wrap around our particular value that we're injecting in here some special characters
03:58
and see if they actually return back to us. So I'm gonna put a less-than sign.
04:03
I'm going to add,
04:06
uh, a function like,
04:10
and how about some comments,
04:13
and then an ending HTML tag.
04:18
And so when I send that request
04:24
and I look for my match,
04:30
I can see that those same characters get displayed back to me. So this reassures me that no output encoding is being done by the programmer in his program.
04:42
So, knowing this information,
04:45
what I want to do is begin to create my payload and put my payload in this username parameter's position.
04:55
Now, how I want to go about it is, I really need to study
05:00
the script block here for the JavaScript. I have a try statement, so I know that I'm going to have to address that in some way.
05:12
Starting, of course, with this string: I've got to end this string first. So let's go ahead and start our payload building.
05:21
So we know we need to end that string,
05:26
and
05:27
statements in JavaScript end with a semicolon.
05:31
And then we need to
05:34
go ahead and
05:38
address this ending try block.
05:42
And so
05:44
the try block is going to end with a catch statement.
05:50
So how we can do this is we could actually mimic this try block right here.
06:00
Okay. And so we could just copy this,
06:08
paste it here,
06:10
go ahead and end that catch block, right, grab this.
06:15
And so now we are ready for the actual payload.
06:21
So let me go ahead and end that with a semicolon.
06:27
So now our payload we're going to
06:31
display.
06:35
I'm just going to put the term injected
06:40
just so that I can
06:43
reassure myself that it's actually coming through on the response properly first before I actually do the attack.
06:51
And then the last thing that we want to do is remember that we're actually trying to
06:59
replace all of this, so this may not be complete, but I'm gonna go ahead and click. Go and look at my response,
07:14
okay? And so I can see that my
07:18
statement is ending properly.
07:23
This string is being ended with the quote, and then I have my semicolon.
07:30
I have my ending catch block.
07:32
I have the opening curly brace closing curly brace.
07:39
I have my payload of alert injected.
07:42
However, there's a problem. And the problem is that I still have this remaining catch block. So this was the original catch block.
07:54
And so I need to put a try statement in there
08:00
in order to complete that catch block.
08:03
And so I need to add that into,
08:07
uh, my request.
08:13
So let me go ahead and do that. I'm gonna put my try
08:22
my curly brace,
08:24
and I need to put something that handles the start
08:31
of that string. Remember that it started with the quotes, and so I'm just going to put the letter a equals and then a beginning string.
08:43
So that should enable me to properly close off everything. Let's go ahead and run this
08:56
and we can test it out.
08:58
The try-catch block
09:01
is being properly closed.
09:05
I have my payload. In this case, I'm just
09:09
reflecting back a string. But of course, in a real attack,
09:16
you would actually inject your malicious script to do something behind the scenes. And then I start my try block.
09:24
And yes, the string is properly started and ended. Of course it does nothing.
09:31
But
09:33
what this try block does is then closes off
09:37
this remaining catch block. So I think my payload is ready.
09:41
I'm gonna go ahead and take this
09:46
and copy that.
09:50
Send it over to the decoder
09:56
and go ahead and encode that as URL,
10:05
copy that.
10:07
Go back to the proxy.
10:13
Send in my request.
10:24
Paste in my URL-encoded payload.
10:33
And I have been successful in injecting my malicious script
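As an added example, not part of the course transcript and not Mutillidae's own code, the JavaScript below renders the same kind of JavaScript-context reflection two ways: a hypothetical template that drops the username parameter straight into a single-quoted string inside a try block (the situation the demo probes by reflecting special characters), and a hardened version that encodes the value as a JavaScript string literal before embedding it. A small stub stands in for the browser so the effect of a breakout payload shaped like the one built in the demo can be checked without one. The template text, the function names and the payload string are all constructed for this example.

```javascript
// Added example, not code from the course or from Mutillidae. A hypothetical
// server-side template for a password-generator page, rendered two ways.

// Vulnerable: the username parameter lands inside a single-quoted string
// literal within a try block, with no output encoding.
function renderUnsafe(username) {
  return "<script>try { var a = '" + username + "'; show(a); } catch (e) { }</script>";
}

// Hardened: encode the value as a JavaScript string literal before embedding.
// JSON.stringify escapes quotes, backslashes and control characters; the
// extra replacements cover characters JSON leaves intact but that can still
// terminate a <script> element or break JavaScript parsing.
function encodeForScript(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(username) {
  return "<script>try { var a = " + encodeForScript(username) + "; show(a); } catch (e) { }</script>";
}

// Stand-in for the browser: pull the script body out of the rendered page and
// run it with stubbed alert() and show(), recording every call so the effect
// of the reflected value can be inspected.
function runInStubBrowser(html) {
  const body = html.slice("<script>".length, -"</script>".length);
  const calls = { alert: [], shown: [] };
  const script = new Function("alert", "show", body);
  script((msg) => calls.alert.push(msg), (val) => calls.shown.push(val));
  return calls;
}

// Constructed payload following the structure built in the demo: end the
// string, close the try block with a catch, run the probe, then reopen a try
// and start a new string so the page's original quote and catch still match.
const BREAKOUT = "ABC'; } catch (e) { } alert('injected'); try { a = '";

// Compare the two renderings on the same input.
function compare(username) {
  return {
    unsafe: runInStubBrowser(renderUnsafe(username)),
    safe: runInStubBrowser(renderSafe(username)),
  };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const result = compare(BREAKOUT);
  console.log("unsafe alert calls:", result.unsafe.alert);  // [ 'injected' ]
  console.log("safe alert calls:  ", result.safe.alert);    // []
  console.log("safe shown value:  ", result.safe.shown[0]); // the payload, treated as data
}
```

Run with `node` and the difference is the whole lesson of the demo: the unsafe template lets the reflected value restructure the script (the stubbed `alert` fires), while the encoded version hands the identical text to `show()` as a plain string. The `<` and `>` escapes matter because a JSON-encoded value can still contain a literal `</script>`, which the HTML parser would honour before the JavaScript parser ever sees the quotes.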