Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Description

This lesson discusses manually entering XSS scripts, using a list of commands, in Web for Pentester to check for vulnerabilities.

Video Transcription

00:04
All right. And finally, we're going to discover cross-site scripting manually. Best way to check for cross-site scripting manually is to enter the string below: script, alert, whatever you want to say, script. So, for example, if you were to go to example dot com, index dot PHP, user equals
00:24
and then you add that script at the end. So let's go
00:26
try that.
00:27
See what we get.
00:41
Alright, here we are in Web for Pentester.
00:44
Go to example one. We see up here
00:47
Name equals hacker.
00:49
No.
00:51
Ah
00:52
add script to here,
00:58
alert for an alert prompt.
01:00
And then we're gonna say,
01:03
Oh, my God.
01:07
Vulns.
01:12
And then we're going to simply close it here,
01:22
and we hit enter.
01:23
Oh, my God. Vulnerabilities. That's what we got back for us.
01:29
So
01:33
we know that this is, ah, this is in fact vulnerable.
01:38
No,
01:38
Let's see what else? Um, cookies from this.
01:42
Because if we can pull our own cookies,
01:47
that tells us that we can do mischievous stuff
01:51
with this cross site scripting.
01:59
If you want to test for cookie theft on your application, you could use the string below.
02:04
So
02:05
script, alert, what you want to say, and you're gonna add document dot cookie to it. So, example here, we see user equals script alert
02:15
cookie plus
02:16
document dot cookie. To see if we're getting, ah, well, our own cookies here. And then
02:22
later on, I'm gonna show you just how you can exploit that.
02:38
So we have our, you know, "Oh my God, vulns" here.
02:42
I'm gonna add a plus
02:46
document
02:49
dot
02:50
cookie
02:52
you can enter
02:53
And we did not get anything back from that script.
02:57
So
02:58
let's go over this little bit of script here.
03:08
Let's come to example two. Let's see if this is vulnerable to cookie theft.
03:20
Now, that was not vulnerable to cookie theft.
04:29
All right, so here we are in our cross site scripting environment here.
04:33
So we have our "Oh my God, vulns"; that works.
04:38
We could pull a cookie here,
04:40
so let's do plus
04:43
document
04:44
dot
04:46
cookie.
04:47
We didn't get anything back
04:49
now.
04:50
I mean, the website is invulnerable. Just means that this area here is that so
04:57
let's come over here
04:59
to our Pentester Lab
05:02
main page
05:04
and try out some of the other ones.
05:11
I couldn't get a cookie from that one. Let's try example four.
05:14
it's a good cookie from here
05:15
We got an error from there. That's interesting.
05:18
Continue on, let's go to five. Remember, when you perform a cross-site scripting or any kind of vulnerability assessment, you
05:27
gotta hit all the pages. You gotta find out where all of the vulnerabilities lie.
05:41
It's example. 80 Unless we got a query here.
05:45
Semitic query. No.
05:48
Did not work in the query field.

Up Next

Web Application Penetration Testing

In this web application penetration testing course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment.

Instructed By

Raymond Evans
Instructor