Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

One of the most popular terms in web application penetration testing is Cross Site Scripting, commonly referred to as XSS. Cross site scripting is the most common bug in web security. There are two types of cross site scripting vulnerabilities:

  • Stored: the payload is stored on the server and served to everyone who loads the page
  • Reflected: the payload is part of the URL and echoed back in the response

Participants learn how to use script tags to discover cross site scripting vulnerabilities within a web site.
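The reflected case described above comes down to a page that echoes a query parameter straight into its HTML. The following Python is an added example, not code from the course or from the demo site it uses: it builds the "No books found for ..." response both unsafely and with output encoding, and then scans constructed access-log lines for the same probe arriving in the URL, which is where a defender would look for attempts against a reflected bug. The `/search?q=` parameter name and the log lines are assumptions made up for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed example (not the course's or the demo site's code).
# The demo search page echoes the search term back as
# "No books found for <term>".  Two ways of building that page:

def render_search_unsafe(term: str) -> str:
    """Reflects the raw term into the HTML: a reflected XSS bug."""
    return f"<p>No books found for {term}</p>"


def render_search_safe(term: str) -> str:
    """HTML-encodes the term so the browser shows it as text, not markup."""
    return f"<p>No books found for {html.escape(term, quote=True)}</p>"


# Matches a literal <script tag, case-insensitively, allowing spaces.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def reflects_markup(page: str) -> bool:
    """True if a <script> tag survived into the rendered page."""
    return SCRIPT_TAG.search(page) is not None


# The alert-box probe from the video, used here as a test input.
PROBE = "<script>alert('xss')</script>"

# Constructed access-log lines (assumed /search?q= parameter name).
ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search?q=harry+potter HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] '
    '"GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 600',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) ')


def flag_reflected_probes(lines):
    """Return (parameter, decoded value) pairs whose query value carries a <script> tag.

    parse_qs URL-decodes the values, so percent-encoded probes are caught too.
    """
    hits = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for key, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if SCRIPT_TAG.search(value):
                    hits.append((key, value))
    return hits


if __name__ == "__main__":
    print("unsafe:", render_search_unsafe(PROBE))
    print("safe:  ", render_search_safe(PROBE))
    print("flagged:", flag_reflected_probes(ACCESS_LOG))
```

Encoding the term with `html.escape` is the right fix for this page because the value lands in HTML text; a value placed inside a script block or an attribute needs the encoding appropriate to that context instead.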

Video Transcription

00:04
All right, so this time we're going to actually use Internet Explorer on Windows 7
00:10
so we can see
00:13
our actual attack. Some of our browsers, particularly
00:18
our Iceweasel on Kali, have some filtering in place but
00:23
can be kind of a knife returned to do pen testing. But
00:27
of course we want our browsers, particularly for the end user, to have
00:32
any
00:33
checks and filters in place that it possibly could to keep
00:36
protections in place. But we actually want to see what the worst case scenario is. What's possible for an attacker?
00:44
We would want to turn those off.
00:46
So I actually have
00:48
turned that off on Internet Explorer. I turned off protected mode,
00:55
and if you look at the security settings, go to custom level, down here at the bottom,
01:00
I made sure the
01:02
the XSS, or cross site scripting, filter is disabled.
01:07
What we're going to do here is cross site scripting, the
01:12
probably the most common and also most
01:17
undervalued bug in Web security. There's lots of
01:21
cross site scripting vulnerabilities, and
01:23
unfortunately, a lot of times it's not taken too seriously. We've got a little host here, actually hosted on this system.
01:34
So what we want to do here is actually look at this search functionality. There's two types of cross site scripting vulnerability, stored and reflected. But what we're gonna look at here is actually reflected.
01:48
you play with some other
01:49
bad applications that have vulnerabilities. I mentioned some, like Damn Vulnerable Web Application, a while ago,
02:00
they would have some stored cross site scripting as well, and stored cross site scripting, as the name implies, is stored on the server.
02:08
Anyone who browses to the page with the
02:12
stored cross site scripting attack on it will have their browser attacked.
02:17
Things like forum posts, anywhere you can comment that doesn't do a good job of filtering out malicious content.
02:27
There's a good place to find those.
02:29
But what we have here is something called the reflected cross site scripting. So it's actually going to be part of the
02:35
URL.
02:37
So what I wanna do is, in the search function, I'll do script with tags and say alert
02:45
and you put whatever text you want in there,
02:47
just the text it's going to say, and then end script.
02:52
Good competition case again It wrong go
02:55
and we get a pop up that says whatever our text is
03:00
and you can see it here in the URL as well.
03:05
So basically, what's happening here is the way this search is set up. It says No book found for word or no books found for our script. So it basically repeats back to us what we said.
03:19
So that allows us again, since we haven't done proper filtering, to use JavaScript and actually execute it in the context of our user's browser.
03:29
So, like all of our security vulnerabilities that we've seen for our web apps, they've all been about
03:35
improper filtering
03:37
of user input,
03:38
making sure what the user puts in is correct. There's our injection, where we added an extra SQL, or XML,
03:46
when we got it to do other things on our behalf,
03:51
and then with XSS we see that we're also able to feed it
03:55
code, in this case, that executes in our browser. So putting up an alert box with, like,
04:03
some words, isn't too terribly exciting. Typically, what people do is put in like document
04:10
cookie, but this one doesn't actually have anything, so it comes up blank.
04:15
Um, you can get people's cookies. You can send them off site,
04:18
or even, like, set up
04:21
things,
04:23
what looks like a login form in an iframe,
04:27
and so on.
04:29
Really interesting. The kind of things you can do. There's also you look at
04:33
something called the browser
04:35
Exploitation Framework, or BeEF,
04:39
and it has a lot of functionality built in where, if you hook it up to a cross site scripting vulnerability, it'll give you lots of buttons you can click to do different things to
04:49
Browsers that have been hooked by it.
04:53
So there's also another form
04:56
of web application vulnerability that we're not going to see an example of here, called cross site request forgery.
05:03
So we think of cross site scripting as we're attacking the browser,
05:09
that we're taking advantage that the browser
05:13
believes what the web server sends it to be good. It just accepts it and renders it.
05:17
Cross site
05:19
request forgery is basically the opposite. It's the server trusting our browser. We have an active session, we have a cookie, we've logged in, it hasn't timed out. We have an active session,
05:31
then the server, it receives requests that are valid from our browser while we have an active session.
05:38
The server accepts those as valid and acts upon them. So the typical example for that is like a bank account:
05:45
we're logged in at our bank account. We also, as people do, have a bunch of other tabs open in our browser doing other things. We end up with a malicious website
05:57
that sends a request, like it loads up a picture that sends a request to our bank website and says,
06:03
Send $5 million, I should have that much money to give away, to George's account, and gives it George's account number.
06:12
So my bank sees that GET request. I'm logged in. My browser has a valid session, so it accepts that to be an active
06:19
connection for me, since I'm logged in on my browser, and it will act on that. What it actually did is, the server thinks it came from me, when I didn't actually
06:30
make that request myself, just
06:33
another malicious website did,
06:36
attacking again, in this case, the server accepting my browser. So cross site scripting is the client accepting the server; cross site request forgery
06:46
Is
06:46
the server accepting my browser
06:49
So again there's not an example of this in this particular site.
06:54
It's a little bit more involved to set up something like that.
06:59
But
07:00
there are examples of
07:02
dummy websites for testing that do have those. You'll certainly
07:06
run into them as you continue.
07:10
But I gave you a few examples here to get the basics down again. I'm sure that there is a Web application testing
07:17
class that goes much deeper into all of these. As pen testers, you may spend a lot of time with applications. Some people, that's all they do, is work with web applications. Some people just do, you know, the basics of web testing,
07:32
can run their web application scanners, like Burp, and check for, you know, OWASP Top Ten, our main
07:42
vulnerabilities, and some people may go so deep as to do code review on websites and
07:47
go really deep in the website. So it really just depends, you know, on the things you enjoy doing and the kind of work that you have coming in. There's so much different security work that
07:59
you kind of pick the areas that you like. So I guess this is just kind of a basic overview of web application testing. If you're interested in learning more about it, certainly
08:09
pick up a class or a book on the subject. There is certainly a lot of work in this area, as with many of the others that we've touched.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor