All right, so this time we're going to actually use Internet Explorer on Windows 7 for our actual attack. Some of our browsers, particularly our Iceweasel on Kali, have some filtering in place, which can be kind of a pain when you're trying to do pen testing. Of course we want our browsers, particularly for the end user, to have all the checks and filters in place that they possibly can, to keep protections in place. But we actually want to see what the worst case scenario is, what's possible for an attacker, so we would want to turn those off. To turn that off in Internet Explorer, I turned off Protected Mode, but look at the security settings: just go to Custom Level, and down here at the bottom the XSS filter, the cross-site scripting filter, is disabled.
That's what we're going to do here: cross-site scripting, probably the most common and also the most undervalued bug in web security. There's lots of cross-site scripting vulnerabilities, and, unfortunately, a lot of times they have not been taken too seriously. We've just got a little host here that's actually hosted on this system. So what we want to do here is actually look at this search functionality. There's two types of cross-site scripting vulnerability: stored and reflected. What we're going to look at here is actually reflected. If you play with some other vulnerable applications, I mentioned some like Damn Vulnerable Web Application a while ago, they would have some stored cross-site scripting as well. Stored cross-site scripting, as the name implies, is stored on the server. Anyone who browses to the page with the stored cross-site scripting attack in it will have their browser attacked. Things like forum posts, anywhere you can comment that doesn't do a good job of filtering out malicious content, are a good place to find those.
But what we have here is something called reflected cross-site scripting. So it's actually going to be part of the request. So what I want to do in the search function is put in script tags and say alert, and you put whatever text you want in there; just the text it's going to say, and then close the script tag. Then go, and we get a pop-up that says whatever our text is, and you can see it here in the URL as well.
So basically, what's happening here is the way this search is set up. It says "No books found for" whatever word, or "No books found for" our script. So it basically repeats back to us what we said. So, like all of our security vulnerabilities that we've seen for our web app, they've all been about making sure what the user puts in is correct. There's our injection, where we added an extra SQL or XML and got it to do other things on our behalf, and then with XSS we see that we're also able to feed it code, in this case, that executes in our browser. So putting up an alert box with some words isn't too terribly exciting. Typically, what people do instead is put in something like document.cookie, but this one doesn't actually have anything; it comes up blank. You can get people's cookies, you can send them off-site, you could even set up what looks like a login form in an iframe. Really interesting, the kinds of things you can do. There's also, if you look at something called the Browser Exploitation Framework, or BeEF, it has a lot of functionality built in where, if you hook it up to a cross-site scripting vulnerability, it'll give you lots of buttons you can click to do different things to browsers that have been hooked by it.
So there's also another form of web application vulnerability that we're not going to see an example of here, called cross-site request forgery. So we think of cross-site scripting as attacking the browser: the browser believes what the web server sends us to be good. It just accepts it and renders it. Cross-site request forgery is basically the opposite. It's the server trusting our browser. We have an active session, we have a cookie, we've logged in, it hasn't timed out, we have an active session. Then the server receives requests that are valid from our browser while we have an active session, and the server accepts those in fact and acts upon them. So the typical example for that is a bank account. We're logged in at our bank account, and as we all are, as people do, we have a bunch of other tabs open in our browser doing other things. We end up on a malicious website that sends a request, like it loads up a picture that sends a request to our bank website and says, "Send $5 million," well, you should have that much money to give away, "to George's account," and gives George's account number. So my bank sees that GET request. I'm logged in, my browser has a valid session, so it accepts that to be an active connection for me, since I'm logged in on my browser, and it will act on that. What actually happened is the server thinks that came from me, when I didn't actually make that request myself; another malicious website did. So again, in this case, it's the server accepting my browser. So cross-site scripting is the client accepting the server; cross-site request forgery is the server accepting my browser.
So again, there's not an example of this on this particular site. It's a little bit more involved to set up something like that, but there are examples of dummy websites for testing that do have those. You'll certainly run into them as you continue.
But I gave you a few examples here to get the basics down. Again, I'm sure that there is a web application testing class that goes much deeper into all of these. As pen testers, you may spend a lot of time with applications. Some people, that's all they do, is work with web applications. Some people just do, you know, the basics of web testing: they can run their web application scanners, like Burp, and check for, you know, the OWASP Top Ten, the main vulnerabilities, and some people may go so deep as to do code review on websites and go really deep into the website. So it really just depends, you know, on the things you enjoy doing and the kind of work that you have coming in. There's so much different security work that you kind of pick the areas that you like. So I guess this is just kind of a basic overview of web application testing. If you're interested in learning more about it, certainly pick up a class or a book on the subject. There is certainly a lot of work in this area, as with many of the others that we've touched on.