XSS: Cross-Site Scripting


Time: 2 hours 5 minutes
Difficulty: Beginner
CEU/CPE: 3
Video Transcription
00:00
Hello, everyone, and welcome back to the course, Identifying Web Attacks Through Logs.
00:05
In the last video, we talked about file inclusion and its types of attacks.
00:09
In this video, we'll talk about cross site scripting attacks.
00:13
Let's start by talking about the video objectives.
00:17
The video objectives are to review cross site scripting attacks and identify cross site scripting attacks with log analysis.
00:25
Now let's do a brief review of cross site scripting attacks and injection attacks.
00:30
It's also a client side attack.
00:32
Pages with forms and forums are the most common examples that offer cross site scripting attacks. Usually they use JavaScript processed by the user browser.
00:43
There are two types of cross site scripting:
00:46
stored, when the untrusted data is saved on the Web server,
00:50
and reflected, when no data is saved on the Web server.
00:53
This means that in the stored type, the attacker needs to change the Web page, while in the reflected one, the untrusted data is sent and processed.
01:03
One of the causes of cross site scripting is incorrect user input validation, and this is topic A7 of the 2017 OWASP Top 10 project.
01:14
Check these two websites to get more information about cross site scripting.
01:19
Now let's see together how cross site scripting works.
01:23
The process is like this.
01:25
The user accesses the website.
01:26
The Web server will then answer the request.
01:30
The user browser will process the Web server answer, and if the answer contains a malicious code, it will be executed by the browser.
01:38
Some actions that are common in cross site scripting are redirections to other sites, crypto mining, credential theft or, in some cases, infecting the user's computer with malware or backdoors.
01:52
Let's start analyzing the attack.
01:53
The first will be reflected.
01:56
Here we have a website that is vulnerable to cross site scripting.
01:59
Whatever we put inside this text box will be displayed in the Web page after this submission.
02:05
For example, if we put "log analysis", it will say "Hello, log analysis".
02:10
What do you think will happen if we add in this text box a JavaScript code
02:15
like this one?
02:16
The JavaScript loads an alert in the user browser.
02:21
In this picture, you can see the alert.
02:23
You'll notice that the same text we put into the text box is displayed in the alert.
02:28
This means that the Web server accepted the JavaScript and sent it to the client.
02:31
When the Web server answer is processed by the user browser, it will load the JavaScript that says there is an alert.
02:39
Now
02:40
together, let's analyze the logs from the two actions.
02:45
In the first, nothing's wrong. Just "Hello, log analysis".
02:50
Since the website uses the GET method, we can see the request, and here you have the "log analysis" string.
02:55
The second log contains the JavaScript alert.
02:59
Then you see that we have a lot of encoded characters.
03:01
Remember, the Web server only accepts ASCII characters.
03:07
Here you see that during the cross site scripting attack, the attacker needs to use a lot of encoded characters.
03:13
This is one behavior of cross site scripting attack that you can see in the logs.
03:19
So how do you identify the reflected cross site scripting attacks?
03:23
One of the ways is to look for script HTML text in the request. Also, look for JavaScript code in the request.
03:30
Since cross site scripting needs to use encoded characters, if you see a lot of encoded characters in the same request,
03:36
it's better to take a closer look.
03:38
And since the attacker needs to craft the request,
03:40
look for unexpected user agents.
03:45
The next type of cross site scripting is stored.
03:49
As I said before,
03:50
stored cross site scripting attacks change the Web page.
03:53
For example, here we have a message board
03:57
like a forum. You put in your name and a message,
04:00
and it will be stored in the Web page.
04:02
Can you guess how the attack occurs?
04:05
You can see here that we have two messages.
04:09
Everything looks okay.
04:11
To perform the attack, we need to send the server the malicious request,
04:14
like this alert message in JavaScript.
04:16
Now,
04:17
whenever we access the Web page, the alert message will show, and the message board will show nothing in the message part.
04:25
This happens because our message contains the script text, and the script text doesn't show as text; it's executed by the browser.
04:33
Now
04:34
let's check the Web server logs from this attack.
04:38
The first two lines of the logs are from a non-malicious use of the website.
04:42
We have the POST, the time that we sent some data to the Web server, and after it the GET
04:46
to reload the Web page.
04:48
The next two lines of the logs are from the attack.
04:51
What's the problem here?
04:53
Can you identify the attack?
04:56
Remember that on the POST request, the payload has the action, and that's why we can't see the request in the Web server log.
05:01
If you analyze the two POST logs, you can see that the two lines are almost the same.
05:08
Now, maybe you're thinking, how can I identify the attack if I don't see it in the Web server log?
05:13
As I said before, there are other log sources that could help us.
05:16
The IPS or IDS is one of them.
05:20
They analyze the full packet.
05:23
With the full packet, it can see the malicious request, like in this picture.
05:27
In this case, the log is different, but it can see the request.
05:30
Inside the request, you can see the malicious code that was sent to the Web server.
05:35
If your IPS is in block mode,
05:38
the attack will fail.
05:40
One example of cross site scripting attacks is crypto mining, since the attack can add some code to the Web page, and whenever users access the Web page, the user browser processes the Web page.
05:50
If the Web page has a command in its code that
05:54
is asking the Web server to start the crypto mining process,
05:57
the Web browser will do it.
05:59
This can make the user's device run slower.
06:01
You can check this website to see more about crypto mining cross site scripting attacks.
06:09
Stored cross site scripting changes the Web page.
06:12
One of the ways to confirm the attack is to check the Web page code.
06:15
During your analysis, you can look for script text in unexpected places.
06:20
Here's the code of our vulnerable Web page.
06:23
Since this is a small page,
06:25
it will be easy to find the malicious code.
06:27
The malicious code is this here.
06:31
There are many payloads that are used to perform cross site scripting.
06:34
This website contains some examples of cross site scripting payloads.
06:41
The way to identify stored cross site scripting is almost the same as with reflected,
06:46
although, since it commonly uses the POST request,
06:48
it's better to have more log sources, like the IPS, and, if possible, to check the Web page code and look for malicious commands.
06:59
Post-assessment question.
07:00
There is no difference between stored and reflected cross site scripting attacks.
07:05
Is this affirmation true or false?
07:10
This affirmation is false.
07:13
Although the attacks are similar, there are some differences between them.
07:15
The difference changes the way we identify them.
07:20
For the next question,
07:21
analyze the Web log below and identify which part is malicious.
07:26
You can pause the video if you'd like.
07:29
Let's analyze the log together.
07:31
First, we have the client's IP address, followed by the date and time.
07:34
After that, we have the GET method and the requested file.
07:38
After that, we have a 200 status code, which means OK,
07:41
the size,
07:43
we don't have the referer, and in the end we have the user agent.
07:46
As I said before, many of the attacks can be identified in the requested file.
07:51
Do you think that we have a lot of encoded characters in the requested file, or does it look normal?
07:57
Even if you think that this request looks normal, we do have a lot of encoded characters, and we can see the script word.
08:03
Did you see it?
08:05
To make things more clear, here you can see the decoded request,
08:11
so you have the malicious parts of the log.
08:15
Video summary.
08:16
In today's lesson, we talked about the two types of cross site scripting,
08:20
reflected and stored, and their differences.
08:22
We also talked about how to identify both types of cross site scripting.
08:26
Look for a script in the request, look for JavaScript code, look for many encoded characters and unexpected user agents;
08:33
for stored cross site scripting, you can check the Web page code.
08:37
In the next video, we'll talk about cross site request forgery, and we'll analyze Web server logs to identify cross site request forgery attacks.