1
00:00:01,160 --> 00:00:08,320
In this lecture we're going to have a look at CSRF, or cross-site request forgery. These vulnerabilities

2
00:00:08,380 --> 00:00:12,750
allow us to force a user to do things that they don't want to do.

3
00:00:12,760 --> 00:00:17,680
For example, once you log into a website, let's take Facebook, you'll be able to do certain things to

4
00:00:17,680 --> 00:00:20,020
your profile, so you can upload pictures.

5
00:00:20,080 --> 00:00:26,250
You can change your password, you can change your information, send messages and post stuff to your wall.

6
00:00:26,260 --> 00:00:33,160
Now CSRF occurs when the website doesn't validate if the user actually wants to do a certain task,

7
00:00:33,160 --> 00:00:39,100
so it doesn't check if the user actually intends to change their profile picture or to change their

8
00:00:39,130 --> 00:00:39,870
password.

9
00:00:40,060 --> 00:00:44,590
So if the website doesn't do that, we'll be able to program an HTML page.

10
00:00:44,590 --> 00:00:50,860
And if the user clicks it or runs it, they'll be forced to carry out a certain task that we programmed it

11
00:00:50,860 --> 00:00:56,150
to do. For example, we can get the user to change their password without them even knowing.

12
00:00:56,680 --> 00:01:01,630
Let's have an example of how this happens and it will become more clear to you.

13
00:01:01,720 --> 00:01:07,420
So I have my DVWA here and I'm just going to log in with my username and password, which is admin,

14
00:01:09,070 --> 00:01:14,280
and I'm going to put my password.

15
00:01:14,400 --> 00:01:22,170
Now if we go to the CSRF tab up here, you'll see that it allows us to change our password.

16
00:01:22,170 --> 00:01:26,040
So this is just like a normal control panel to a normal website.
17
00:01:26,040 --> 00:01:30,390
And usually when you log into your account, one of the features that you can do is you can change your

18
00:01:30,390 --> 00:01:32,030
password to a different password.

19
00:01:32,040 --> 00:01:39,670
So from here I'm going to set my password to 2 2 2 2 2 2 and I'll set it in here as well, the same password.

20
00:01:39,800 --> 00:01:41,000
I'm going to hit enter.

21
00:01:41,280 --> 00:01:45,160
And as you can see, it's telling us that the password has been changed.

22
00:01:45,390 --> 00:01:50,940
So this is an example of a feature that the user can do to their account: they can change their password.

23
00:01:51,780 --> 00:01:57,760
If the target website, which is DVWA, doesn't check if the user actually wants to do this task,

24
00:01:57,780 --> 00:02:01,450
then we can create a page that is similar to this page.

25
00:02:01,560 --> 00:02:07,950
And once the user runs that page, they'll actually change their password without them even knowing.

26
00:02:07,950 --> 00:02:12,510
Now there's a number of ways to analyze the connection and analyze the information sent between the

27
00:02:12,510 --> 00:02:16,280
client and the target to make that CSRF exploit.

28
00:02:16,500 --> 00:02:21,180
I'm going to show you the easiest and most reliable way, and it works regardless of the type of form,

29
00:02:21,180 --> 00:02:23,310
whether it's POST or GET.

30
00:02:23,340 --> 00:02:27,990
So with this particular one it's actually really easy to exploit if you just send the URL right here

31
00:02:27,990 --> 00:02:29,170
to the target user.

32
00:02:29,340 --> 00:02:31,570
And then if they run it, their password will be changed.

33
00:02:31,680 --> 00:02:36,240
But in more complicated cases sometimes you don't see that; sometimes POST is used.

34
00:02:36,240 --> 00:02:40,080
So I'll show you the most reliable way to do this kind of attack.
35
00:02:40,380 --> 00:02:44,260
So the first thing to do is right-click the form that you want to hijack.

36
00:02:44,620 --> 00:02:51,790
We're going to inspect the element and we're going to look at where the form is, so we're going

37
00:02:51,790 --> 00:02:58,290
to look at where the start of the form tag is and the end of the form tag.

38
00:02:58,400 --> 00:03:00,990
I'm actually going to right-click in here inside the form.

39
00:03:03,530 --> 00:03:10,880
And as you can see now we have the start of the form in here and it ends with a slash form, forward

40
00:03:10,880 --> 00:03:11,750
slash form.

41
00:03:11,900 --> 00:03:14,570
And you can see it right here at the end.

42
00:03:14,990 --> 00:03:20,510
So this is the part of the code that we're interested in; this is the part of the code that we want

43
00:03:20,510 --> 00:03:27,350
to modify and send to the target user so that when they run it they'll actually change their password

44
00:03:27,350 --> 00:03:28,330
without them knowing.

45
00:03:29,400 --> 00:03:35,430
So I'm going to right-click this and I'm going to edit as HTML and I'm going to copy everything

46
00:03:35,430 --> 00:03:41,760
inside here, so I'm going to do Ctrl+A, Ctrl+C, and that's copied it for me.

47
00:03:43,980 --> 00:03:51,010
And then I'm going to go to my Leafpad page right here and I'm going to paste it and I'm going to save

48
00:03:51,010 --> 00:03:53,650
this and we'll call it csrf.html

49
00:03:59,660 --> 00:04:04,000
and I'll put this on the desktop and click on Save.

50
00:04:04,970 --> 00:04:05,890
And that's it, saved.

51
00:04:05,900 --> 00:04:10,790
Now let's just run this code at the start and see what we get.

52
00:04:10,970 --> 00:04:13,100
So I have it right here on my desktop.

53
00:04:14,470 --> 00:04:15,810
And I'm just going to click it.
54
00:04:17,450 --> 00:04:21,770
And as you can see we just get a page, a whole page that asks you for a new password and to

55
00:04:21,770 --> 00:04:27,760
confirm the password, so you can see the form here is actually similar to the form that we want to hijack.

56
00:04:29,690 --> 00:04:33,080
Now to get that page to work we need to modify a few things.

57
00:04:33,080 --> 00:04:40,460
Now you can see here we have a form right here and the action is set to a hashtag, so it actually doesn't

58
00:04:40,790 --> 00:04:43,690
give a website to submit this form to.

59
00:04:43,700 --> 00:04:48,140
So the first thing you want to modify is you want to give it the website to submit this form to,

60
00:04:48,560 --> 00:04:51,630
and this is going to be the same website that we're on at the moment.

61
00:04:51,680 --> 00:04:59,850
So I'm going to copy this and I'm going to put it in here instead of the hashtag.

62
00:04:59,870 --> 00:05:05,120
Now sometimes, if you're copying a form from a different website, you might actually see

63
00:05:05,210 --> 00:05:10,590
a name of a file, so you'll just see a file name. You want to make sure you have the full URL to

64
00:05:10,590 --> 00:05:11,830
the form.

65
00:05:11,930 --> 00:05:17,450
Because if you just have a file name, for example if you just have index.php, it won't know where

66
00:05:17,480 --> 00:05:23,340
that index.php is. Now when it's on the website, that's because it's already started on that website.

67
00:05:23,510 --> 00:05:28,250
But when we're actually taking the file like this and storing it on our local machine, you want to make

68
00:05:28,250 --> 00:05:33,140
sure you have the full URL in here. So even if you see something instead of the hashtag, for

69
00:05:33,190 --> 00:05:36,090
example something like index.php or whatever,
70
00:05:36,140 --> 00:05:43,440
keep that in there but make sure you give it the full URL that comes before that page.

71
00:05:43,450 --> 00:05:44,360
So this is all good.

72
00:05:44,350 --> 00:05:51,790
Now if I save this and if we run this we'll actually be able to change the password using this form. Now

73
00:05:51,810 --> 00:05:53,520
the beautiful thing about these exploits:

74
00:05:53,520 --> 00:05:58,740
you can actually confirm that it works for you first and then you can send it to the target's client

75
00:05:58,770 --> 00:06:04,650
or to the target person. So if we actually reset our password here, so I'm going to set the password

76
00:06:04,650 --> 00:06:11,250
to 3 3 3 3 3 3 and confirm it in here.

77
00:06:13,520 --> 00:06:14,810
And then I'm going to

78
00:06:14,810 --> 00:06:16,940
hit enter.

79
00:06:16,990 --> 00:06:21,610
You'll see that we get a message telling us that the password has been changed and we can actually now

80
00:06:21,610 --> 00:06:24,280
log out and log in with the new password.

81
00:06:24,280 --> 00:06:25,050
So this is good.

82
00:06:25,050 --> 00:06:30,970
Now we have a form that's actually not stored on the website, but using it we can actually go to that

83
00:06:30,970 --> 00:06:32,980
website and change the password.

84
00:06:32,980 --> 00:06:40,090
So this actually confirms that the target website is vulnerable to CSRF because it's not validating

85
00:06:40,090 --> 00:06:42,810
that the request is coming from the website itself.

86
00:06:42,910 --> 00:06:46,160
So it's not validating if the user actually wants to do that.