[00:00:00] Welcome back. I want to quickly talk about another vulnerability, or a bug, which is called HTML injection, and it is quite similar to the cross-site scripting attack. Just as its name says, in this type of attack we're not injecting JavaScript code, but instead we're injecting HTML code. And you might say that that is not really dangerous; however, even though that is correct, HTML injection is still a bug that you should be searching for. Why? Well, if there is an HTML injection in some big company, what an attacker could do is they could change the entire page. Look, they could add whatever they want to that page. They could post different pictures. They could completely change that web page to their own liking just by injecting HTML code. And that would be pretty bad for that company, because someone else would have complete control of how that page would look.

[00:01:02] So how can we test for that, how can we find HTML injection? Well, you can just go and navigate to the XSS reflected and XSS stored pages that we covered in previous videos, and we can test for HTML injection here. So usually what you want to test is different HTML tags such as H1, H2 or different header tags, just to see whether your input will be interpreted as HTML code. So let's give it a try.
[00:01:32] Everything is on low, and if I go right here and just type H1, which is an HTML tag for header size one, and then type test, close the tag by typing these arrows and then close H1. I click on Submit and we can see it does indeed interpret our input as HTML code. If we were to type, for example, H2 or H3 and then test once again, this would be a smaller size, which is a good enough indication that there is an HTML injection on this page.

[00:02:12] Now, there is no point in us changing this to medium or high, because this specific input is used for JavaScript attacks, so only JavaScript syntax will be filtered. Therefore, HTML injection will be the same on medium level security as well. As I mentioned, this is also a bug and it should be reported, because for now we only typed in a small HTML code which changes our input to a size one header and a size three header. But what we could also do, for example, is on the stored page. And let me just reset the database real quick from the previous video where we covered XSS stored. And if you were to type an HTML injection right here, let's say the name will be test, and here we type this code. Let me first write it inside of a terminal and then we are going to copy it to this page, just so you can see everything better.
[00:03:07] So, open bracket and then meta http-equiv equals, open double quotes, refresh, close double quotes, content equals, zero, semicolon, and then space, URL equals http google dot com, and then close double quotes, and close the tag by typing slash and the closing right arrow. If we were to inject this code, well, let's just see what would happen. Let's copy this code right here, go to our page and type it here. I click on Sign Guestbook. Do you see what is happening? It is constantly trying to go to a different page and it is constantly refreshing that page. It pretty much made the page completely unusable, because we cannot even go up here and type something in. What we must do is we must change to a different directory such as File Inclusion and go and clear our database, or reset the database, because we will not be able to visit the stored page since it will automatically start refreshing the page and trying to visit google.com.

[00:04:25] However, if we were to type the same right here in the reflected page, and we want to change, for example, from google.com to facebook.com and click on Submit, well, pretty much the same thing would happen. But for some reason it doesn't want to visit facebook.com, and we're going to take a look at why that is, to see whether we specified something incorrectly. So, URL equals http...
[00:04:55] OK, so I've tested it out, and for some reason it doesn't seem to work on Kali Linux's browser. But if I go to my Windows 10 machine and I visit the Metasploitable page, and right here I copy the same code that we just sent in our Kali Linux, we just copied it and tried it from our Windows 10 machine. I just changed the URL to be bing.com, just to try it here, and click on Submit. Well, now it fully redirects our XSS reflected input and the entire page to this bing.com website.

[00:05:30] Let's give it a try. What happens if we do that on the stored page? So I type test as name and I type this comment right here as a message, and it appears that there is a limitation of characters right here. So what we can do is we can inspect the element, navigate to the body, then let's go and find the message input. So under the form we go table, body and message input. We check right here, it says that the max length is 50, so what I can do is I can type five hundred, and now if I go and try to copy this, so I'll just delete all of this, paste the code and click Sign Guestbook. Well, now it actually redirects. So you will see that even when I try to go back and I go, for example, to Brute Force, and again on stored, it will just load bing.com. So with the help of HTML injection, we can even redirect pages to different websites.
[00:06:33] And this is usually what attackers do. So if they find a stored HTML injection vulnerability, what they will do is they will just inject a redirection link to a different website, possibly a malicious website or a website where they advertise something, or something similar. And every time someone visits a page, for example they want to go to XSS stored on our Metasploitable page, well, they just load bing.com. And that is the power of the HTML injection vulnerability. So now that we covered this, in the next video we're going to go on to another big vulnerability, which is called SQL injection. See you there.
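As an added example (not code from the video or from DVWA itself), here is the vulnerable concatenation pattern the guestbook exhibits beside its fixed form, exercised with the meta-refresh payload from the lecture; the row template, the function names and the 50-character limit are assumptions modelled on what the video shows. It also illustrates why the `maxlength="50"` edit worked: that limit lives only in the browser, so the server needs its own.

```python
"""Added example (not from the video or DVWA): why the guestbook falls to
the meta-refresh payload shown in the lecture, and the server-side fixes.
All names, the row template and the limit are constructed for illustration."""
import html
import re

# The payload typed in the lecture, with the benign target used there.
META_REFRESH = '<meta http-equiv="refresh" content="0; url=http://bing.com" />'
MAX_MESSAGE_LEN = 50   # the page's <input maxlength="50"> is client-side only

# Assumed shape of one guestbook row (stand-in for DVWA's own markup).
GUESTBOOK_ROW = "<tr><td>Name: {name}</td><td>Message: {message}</td></tr>"


def render_unsafe(name: str, message: str) -> str:
    """Vulnerable pattern: raw user input concatenated into the HTML page."""
    return GUESTBOOK_ROW.format(name=name, message=message)


def render_safe(name: str, message: str) -> str:
    """Fixed pattern: output-encode both fields, so '<' can never open a tag."""
    return GUESTBOOK_ROW.format(name=html.escape(name, quote=True),
                                message=html.escape(message, quote=True))


def validate_message(message: str) -> bool:
    """Server-side counterpart of maxlength; the browser's limit is editable."""
    return 0 < len(message) <= MAX_MESSAGE_LEN


# Detection helper for reviewing rendered output: an un-encoded refresh tag
# means the page will navigate away, as seen in the video.
_META_REFRESH_TAG = re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh", re.I)


def contains_live_meta_refresh(rendered_html: str) -> bool:
    """True when the rendered page still carries an active meta-refresh tag."""
    return _META_REFRESH_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    print("unsafe:", render_unsafe("test", META_REFRESH))
    print("safe:  ", render_safe("test", META_REFRESH))
    print("payload passes server-side length check:",
          validate_message(META_REFRESH))
```

The payload is 62 characters long, which is why the lecture had to raise the client-side limit before it would submit; a server-side check does not care what the form's attribute says.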