Time: 2 hours 19 minutes
Difficulty: Beginner
CEU/CPE: 3

Video Transcription

00:00
Hello, everyone, welcome back to the course Identifying Web Attacks Through Logs. I'm Igor Vieira, and in the last video we talked about file inclusion and its types of attacks.
00:10
In this video, we'll talk about the cross-site scripting attack. Let's start by talking about the video objectives.
00:18
The video objectives are: review the cross-site scripting attack, and identify cross-site scripting attacks with log analysis.
00:27
Now a brief review of cross-site scripting. It
00:30
is an injection attack.
00:32
It's also a client-side attack.
00:35
Basically, forms and forums are the most common examples that suffer cross-site scripting attacks.
00:42
Usually it exploits the JavaScript processed by the user's browser.
00:47
There are two types of cross-site scripting: the stored, when the injected data is saved in the web server, and the reflected,
00:56
where no data is saved in the web server.
00:59
This means that in the stored type, the attacker needs to change the web page,
01:04
while in the reflected one, the injected data is sent and processed.
01:10
One of the causes of cross-site scripting is wrong or missing input validation,
01:15
and it is the A7 of the 2017 OWASP Top 10 project.
01:21
Check these two websites to get more information about cross-site scripting.
01:26
Now let's see together how cross-site scripting works.
01:30
The process is like this: the user accesses the website, the web server will answer the user's request,
01:38
the user's browser will process the website's answer,
01:41
and if the answer contains malicious code, it will be executed by the browser.
01:46
Some actions that are common in cross-site scripting are redirections to another site,
01:52
crypto mining, credential theft.
01:55
In some cases, infecting the user's computer with malware or backdoors.
02:01
Let's start analyzing the attack. The first will be the reflected.
02:07
Here we have a web page that is vulnerable to cross-site scripting.
02:09
Whatever we put inside this text box will be displayed in the web page after we submit.
02:16
For example, if we put "log analysis", it will say "Hello, log analysis".
02:23
What do you think will happen if we add in this text box JavaScript code like this one? This JavaScript shows an alert in the user's browser.
02:32
In this picture, you can see the alert.
02:36
Did you notice that the same text that we put in the text box is displayed in the alert?
02:43
This means that the website has accepted the JavaScript and sent it to the client with the web server's answer. When it is processed by the user's browser, it executes the JavaScript
02:53
that shows the alert.
02:57
Let's analyze together the logs from the two actions. The first, nothing wrong, just "Hello, log analysis".
03:05
Since this website uses the GET method, we can see the request,
03:09
and here you have the "log analysis" string. The second one contains the JavaScript alert.
03:16
Can you see that we have a lot of encoded characters?
03:21
Remember that the web server only accepts ASCII characters. You see that during the cross-site scripting attack the attacker needs to use a lot of encoded characters.
03:32
So this is one behavior of the cross-site scripting attack that you can see in the logs.
03:38
So how do we identify the reflected cross-site scripting attack?
03:44
One of the ways is to look for script HTML tags in the request.
03:50
Also, JavaScript code in the request,
03:53
and since cross-site scripting needs to use encoded characters, if you see a lot of encoded characters in a request, it's better to take a closer look,
04:02
and since the attacker needs to craft the requests, look for suspicious user agents.
04:09
The next type of cross-site scripting is the stored.
04:13
As we said before, the stored cross-site scripting attack changes the web page. For example, here we have a message board
04:21
like a forum. You put your name and a message, and it will be stored in the web page.
04:29
Can you guess how that will happen?
04:31
You can see here that we have two messages.
04:34
Everything looks okay.
04:36
To perform the attack, we need to send to the server the malicious request
04:42
with the alert message in JavaScript.
04:46
Now, whenever we access the web page, the alert message is shown
04:50
and the message board shows nothing in the message part.
04:55
This happens because our message contains the script tags,
05:00
and the script tags don't show as text.
05:02
They are executed by the browser. Now let's check the web server logs from this attack. The first two lines are the logs for a normal use of the website.
05:14
We have the POST telling that we sent some data to the web server,
05:18
and after, the GET to reload the web page.
05:23
The next two lines are the logs from the attack.
05:26
What is the problem here?
05:28
Can you identify the attack?
05:30
Remember that in the POST request, the payload is in the body. That's why we cannot see the request in the web server logs. If you analyze the two POST logs, you see that the two lines are almost the same.
05:46
Maybe you're thinking, how can I identify the attack if I don't see it in the web server logs?
05:51
As we said before, there are other log sources that can help us. The IPS or IDS is one of them.
06:00
They analyze the full packet,
06:01
and with the full packet they can see the malicious request,
06:05
like in this picture.
06:08
In this case, the log is different, but it can see the request,
06:13
and inside the request you can see the malicious code that was sent to the web server.
06:17
If your IPS is in block mode,
06:20
the attack will fail.
06:23
One of the examples of cross-site scripting attack is the crypto-mining script.
06:29
Since the attacker has some code in the web page, whenever a user accesses the web page,
06:33
the user's browser will process the web page.
06:36
If the web page has a command or code that asks the web browser to start the crypto mining process, the browser will do it,
06:46
and this can make the user's device run slower. You can check this website to see more about crypto mining cross-site scripting attacks.
06:56
The stored cross-site scripting changes the web page. One of the ways to confirm the attack
07:01
is to check the web page code.
07:03
During your analysis, you can look for script tags in unexpected places. Here is the code of our vulnerable web page.
07:14
Since this is a small page, it will be easy to find the malicious code.
07:18
The malicious code is this here.
07:20
There are many payloads that are used to perform cross-site scripting.
07:25
This website shows some examples of cross-site scripting payloads.
07:30
The way to identify the stored cross-site scripting attack is almost the same as the reflected one, although, since it commonly uses POST requests,
07:40
it is better to have more log sources,
07:43
like the IPS, and, if possible, check the web page code and look for malicious commands.
07:50
Post-assessment question.
07:53
There is no difference between stored and reflected cross-site scripting attacks.
07:59
Is this affirmation true or false?
08:01
This affirmation is false. Although the attacks are similar, there are some differences between them,
08:07
and these differences change the way to identify them.
08:11
For the next question, analyze the log below and identify which part is malicious.
08:18
You can pause the video if you want. Let's analyze the log together. First, we have the client IP address,
08:26
followed by the date and time,
08:28
after, we have the GET method and the requested file,
08:33
after, we have the 200 status code, that means OK; this says we did not have an error,
08:41
and in the end we have the user agent.
08:43
As we said before, many of the attacks can be identified in the requested file.
08:50
Do you think that we have a lot of encoded characters in this requested file?
08:56
Or does it look normal?
08:58
Even if you think that this request is normal, since we do not have a lot of encoded characters, we can see the "script" word.
09:07
Did you see it? To make things clear, here you can see the decoded request, so you have the malicious part of the log.
09:15
Video summary. In today's lesson we talked about the two types of cross-site scripting,
09:20
reflected and stored, and their differences.
09:24
We also talked about how to identify both types of cross-site scripting.
09:31
Look for script tags in the request, look for JavaScript code,
09:35
many encoded characters,
09:39
and suspicious user agents, and for stored cross-site scripting
09:43
you can check the web page code.
09:46
In the next video, we'll talk about cross-site request forgery and analyze the web server logs to identify the cross-site request forgery attacks.

Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.

Instructed By

Igor Vieira
Information Security Analyst
Instructor