1
00:00:00,630 --> 00:00:01,620
Welcome back

2
00:00:01,620 --> 00:00:05,520
and it is time that we cover another version of the XSS attack,

3
00:00:05,520 --> 00:00:08,490
which is called Stored XSS.

4
00:00:08,490 --> 00:00:11,190
In the previous video, we covered the Reflected XSS

5
00:00:11,190 --> 00:00:13,800
and this is pretty much the same thing.

6
00:00:13,800 --> 00:00:15,510
It is the same vulnerability.

7
00:00:15,510 --> 00:00:18,540
Just this time, our code will get stored

8
00:00:18,540 --> 00:00:21,210
on the server side and it is more dangerous

9
00:00:21,210 --> 00:00:24,060
because everyone that visits that page

10
00:00:24,060 --> 00:00:26,820
from the time that we injected our JavaScript code

11
00:00:26,820 --> 00:00:28,860
will also run that code.

12
00:00:28,860 --> 00:00:32,159
You don't have to send them any link or anything else.

13
00:00:32,159 --> 00:00:36,930
The code will run by itself as soon as they visit that page,

14
00:00:36,930 --> 00:00:39,360
and we already know where we can find the example

15
00:00:39,360 --> 00:00:40,230
of Stored XSS.

16
00:00:40,230 --> 00:00:43,870
So let us just go to our Metasploitable IP address

17
00:00:47,400 --> 00:00:50,793
in the DVWA and let us log in.

18
00:00:53,130 --> 00:00:55,590
As usual, make sure that your Burp Suite is running

19
00:00:55,590 --> 00:00:59,850
and make sure that the intercept is turned off.

20
00:00:59,850 --> 00:01:01,170
I will zoom this in

21
00:01:01,170 --> 00:01:03,540
so we can see everything better,

22
00:01:03,540 --> 00:01:05,970
and let us first navigate

23
00:01:05,970 --> 00:01:10,470
to the DVWA Security and check Low right here.

24
00:01:10,470 --> 00:01:14,970
After we do that, let us submit and go to the Stored XSS.

25
00:01:14,970 --> 00:01:17,910
So once again, this is the same vulnerability.

26
00:01:17,910 --> 00:01:22,910
We want to inject JavaScript code in user input fields.
27
00:01:22,980 --> 00:01:25,800
So what have we got here inside of our application?

28
00:01:25,800 --> 00:01:29,700
Well, it asks for name and message.

29
00:01:29,700 --> 00:01:33,000
Hmm, vulnerability: Stored Cross Site Scripting.

30
00:01:33,000 --> 00:01:34,590
And why is this stored?

31
00:01:34,590 --> 00:01:36,600
Well, if we take a look down here

32
00:01:36,600 --> 00:01:39,843
it seems that someone already made a comment,

33
00:01:40,740 --> 00:01:44,610
name is test and the message or comment says

34
00:01:44,610 --> 00:01:46,443
this is a test comment.

35
00:01:47,280 --> 00:01:50,670
And you might already see why this is stored.

36
00:01:50,670 --> 00:01:52,590
It is already on the page

37
00:01:52,590 --> 00:01:56,580
and anyone that visits this page will also see this comment.

38
00:01:56,580 --> 00:01:59,550
So everyone that loads the page

39
00:01:59,550 --> 00:02:03,750
will also load this comment as a string.

40
00:02:03,750 --> 00:02:05,640
But what happens if we try to,

41
00:02:05,640 --> 00:02:08,310
for example, input JavaScript code?

42
00:02:08,310 --> 00:02:10,440
Will they also load that?

43
00:02:10,440 --> 00:02:11,820
Yes, they will.

44
00:02:11,820 --> 00:02:13,590
Let me show you an example.

45
00:02:13,590 --> 00:02:15,930
First, let us create a regular comment.

46
00:02:15,930 --> 00:02:20,820
So I'm just going to type Alexa and Hello there.

47
00:02:20,820 --> 00:02:22,233
Can you see me?

48
00:02:23,850 --> 00:02:25,800
And let's Sign Guestbook.

49
00:02:25,800 --> 00:02:29,340
And we can see right here our comment has been added,

50
00:02:29,340 --> 00:02:32,520
so everyone will also be able to see this.

51
00:02:32,520 --> 00:02:34,890
But what happens if we, for example, try to

52
00:02:34,890 --> 00:02:36,690
inject JavaScript code?

53
00:02:36,690 --> 00:02:40,110
Let's go with a simple alert script.
54
00:02:40,110 --> 00:02:45,110
So script alert, and if we continue typing, we will notice

55
00:02:47,010 --> 00:02:52,010
that we cannot really type anymore in this field.

56
00:02:52,110 --> 00:02:55,830
So it could be that this field is limited to only

57
00:02:55,830 --> 00:02:58,200
a certain amount of characters.

58
00:02:58,200 --> 00:03:02,700
So let's just leave that on test and let's try

59
00:03:02,700 --> 00:03:04,620
to inject the code here.

60
00:03:04,620 --> 00:03:09,620
If I go on to the script, then alert and I alert one

61
00:03:11,550 --> 00:03:14,310
and I close the script tag,

62
00:03:14,310 --> 00:03:16,860
here we can input the entire script.

63
00:03:16,860 --> 00:03:21,860
So let's Sign Guestbook and our JavaScript code executes.

64
00:03:22,440 --> 00:03:24,510
There is no user input filtering.

65
00:03:24,510 --> 00:03:26,430
Therefore, since we are on low level

66
00:03:26,430 --> 00:03:29,793
we will inject a simple code such as alert one.

67
00:03:30,720 --> 00:03:33,540
Now the good part about this is that now

68
00:03:33,540 --> 00:03:36,960
since this comment has been added to this list,

69
00:03:36,960 --> 00:03:38,950
every time we visit that page

70
00:03:41,040 --> 00:03:43,620
every time they will execute our code,

71
00:03:43,620 --> 00:03:46,140
or we will execute our code.

72
00:03:46,140 --> 00:03:48,990
So we don't have to type it once again

73
00:03:48,990 --> 00:03:51,090
as we had to with XSS reflected.

74
00:03:51,090 --> 00:03:54,180
Remember, if we type inside the reflected

75
00:03:54,180 --> 00:03:55,893
a simple alert script,

76
00:03:57,630 --> 00:03:58,620
it'll execute.

77
00:03:58,620 --> 00:04:00,720
But once we change a page and go back

78
00:04:00,720 --> 00:04:03,750
to the XSS reflected, there is no code running.

79
00:04:03,750 --> 00:04:08,520
However, on stored, we will run this code every time.

80
00:04:08,520 --> 00:04:11,070
And that is why it is more dangerous.
81
00:04:11,070 --> 00:04:13,140
For example, if you did the same attack as

82
00:04:13,140 --> 00:04:15,090
from the previous video where we stole cookies,

83
00:04:15,090 --> 00:04:18,300
if you inject that code here, then anyone that

84
00:04:18,300 --> 00:04:21,959
visits this page, their cookie will be sent to you.

85
00:04:21,959 --> 00:04:26,100
And you can then perform session hijacking or something else

86
00:04:26,100 --> 00:04:28,473
if cookies aren't configured correctly.

87
00:04:29,310 --> 00:04:32,250
And this will also happen if we log out of the page.

88
00:04:32,250 --> 00:04:37,250
For example, if I log out and I go back to the page,

89
00:04:39,510 --> 00:04:44,220
and go back to the XSS stored, this executes once again.

90
00:04:44,220 --> 00:04:46,230
Now if this starts getting annoying

91
00:04:46,230 --> 00:04:49,680
because you want to start testing other examples as well,

92
00:04:49,680 --> 00:04:50,820
what you can do is you can go

93
00:04:50,820 --> 00:04:55,410
to Setup right here and Create / Reset Database.

94
00:04:55,410 --> 00:04:56,820
Once you click on this button and

95
00:04:56,820 --> 00:04:59,730
navigate back to XSS Stored, you will no longer

96
00:04:59,730 --> 00:05:02,610
have the comments that we added in this video.

97
00:05:02,610 --> 00:05:04,890
You will only have this test comment that is there

98
00:05:04,890 --> 00:05:06,330
by default.

99
00:05:06,330 --> 00:05:07,380
Okay, great.

100
00:05:07,380 --> 00:05:10,470
Now let us take a look at the medium level security.

101
00:05:10,470 --> 00:05:14,550
So if I go on medium, submit, go back

102
00:05:14,550 --> 00:05:18,513
to the XSS stored and I try to input right here.

103
00:05:19,620 --> 00:05:23,700
Hmm, it still seems to be limited in characters

104
00:05:23,700 --> 00:05:27,090
so we can type longer words than this.

105
00:05:27,090 --> 00:05:29,430
Let's give it a try right here.
106
00:05:29,430 --> 00:05:34,430
So script alert one, and here we can name test.

107
00:05:39,300 --> 00:05:42,030
Hmm. It doesn't work.

108
00:05:42,030 --> 00:05:47,030
It seems that we get these slashes before our single quotes.

109
00:05:47,760 --> 00:05:49,830
So let's take a look at this source code just

110
00:05:49,830 --> 00:05:53,100
to see what is happening inside of our fields.

111
00:05:53,100 --> 00:05:55,740
And it tells us right here in the comments

112
00:05:55,740 --> 00:05:59,310
that this code right here sanitizes the message input

113
00:05:59,310 --> 00:06:01,620
or in other words the comment input.

114
00:06:01,620 --> 00:06:06,090
And this sanitizes or filters the name input.

115
00:06:06,090 --> 00:06:10,650
So it seems that we have this htmlspecialchars function

116
00:06:10,650 --> 00:06:11,910
on our comment.

117
00:06:11,910 --> 00:06:13,680
And usually once you have that,

118
00:06:13,680 --> 00:06:16,170
there will be no XSS vulnerability

119
00:06:16,170 --> 00:06:18,390
since it filters all the characters that you

120
00:06:18,390 --> 00:06:20,970
can use to perform an XSS attack.

121
00:06:20,970 --> 00:06:25,970
So most likely this part doesn't have any vulnerability.

122
00:06:26,280 --> 00:06:29,040
So message input or comment input is not

123
00:06:29,040 --> 00:06:31,560
something that we are going to try to attack.

124
00:06:31,560 --> 00:06:33,720
But what about this name input?

125
00:06:33,720 --> 00:06:37,470
It only has this string replace of the regular script tag

126
00:06:37,470 --> 00:06:40,020
with an empty string, which we saw in the previous video.

127
00:06:40,020 --> 00:06:44,520
We can simply just bypass this with a capital script tag.

128
00:06:44,520 --> 00:06:47,280
But there is another problem that we encounter.

129
00:06:47,280 --> 00:06:50,970
We cannot specify more than a couple of characters

130
00:06:50,970 --> 00:06:52,053
in the name field.

131
00:06:53,010 --> 00:06:55,173
Is that something that we can bypass?
132
00:06:56,070 --> 00:06:58,140
Well, if I type like this

133
00:06:58,140 --> 00:06:59,970
I will not be able to type more than this.

134
00:06:59,970 --> 00:07:03,843
But if I go and inspect element of this page,

135
00:07:06,270 --> 00:07:08,040
I find the name input right here

136
00:07:08,040 --> 00:07:12,040
and I can do that by going right here on div,

137
00:07:13,560 --> 00:07:16,410
navigating to here, navigating to form.

138
00:07:16,410 --> 00:07:18,900
Then from the form, this table

139
00:07:18,900 --> 00:07:22,923
and I want to select this name input right here.

140
00:07:23,760 --> 00:07:27,300
So let us give it a try and see which one it is.

141
00:07:27,300 --> 00:07:29,340
It is this first one.

142
00:07:29,340 --> 00:07:32,490
And if I click on this last arrow

143
00:07:32,490 --> 00:07:35,310
we can see right here that once we select

144
00:07:35,310 --> 00:07:37,383
the name input field,

145
00:07:38,250 --> 00:07:41,403
right here we got the max length of 10.

146
00:07:42,660 --> 00:07:44,400
Is that something that we can change?

147
00:07:44,400 --> 00:07:45,720
Well, let's give it a try.

148
00:07:45,720 --> 00:07:50,080
If I select that and instead of 10 I type 100,

149
00:07:50,940 --> 00:07:54,453
press enter and I try to continue typing.

150
00:07:55,380 --> 00:07:57,660
Well now it works.

151
00:07:57,660 --> 00:07:59,490
We navigated to this field.

152
00:07:59,490 --> 00:08:02,490
We found the input name field and it said the

153
00:08:02,490 --> 00:08:05,520
max length was 10, but we just added another zero

154
00:08:05,520 --> 00:08:08,850
and now we can type even more characters.

155
00:08:08,850 --> 00:08:10,113
So let's give it a try.

156
00:08:11,490 --> 00:08:13,800
Remember the only filtering that is inside of

157
00:08:13,800 --> 00:08:15,960
the name field is the script tag.

158
00:08:15,960 --> 00:08:17,343
Let us make it capital.
159
00:08:19,200 --> 00:08:20,820
And here we can type anything

160
00:08:20,820 --> 00:08:23,040
since we know that this is most likely not vulnerable

161
00:08:23,040 --> 00:08:24,210
to the XSS attack.

162
00:08:24,210 --> 00:08:28,260
And if I click on Sign Guestbook, there it is.

163
00:08:28,260 --> 00:08:31,050
Here is our XSS vulnerability

164
00:08:31,050 --> 00:08:35,100
and that is all about Stored XSS.

165
00:08:35,100 --> 00:08:38,100
It is completely the same as the Reflected XSS,

166
00:08:38,100 --> 00:08:41,580
just this will get stored on the server page

167
00:08:41,580 --> 00:08:45,330
and anyone will load it once visiting that page.

168
00:08:45,330 --> 00:08:48,120
Great. Now that we covered XSS,

169
00:08:48,120 --> 00:08:49,710
in the next video I want to talk

170
00:08:49,710 --> 00:08:52,590
about a small vulnerability that many penetration

171
00:08:52,590 --> 00:08:54,360
testers skip when testing

172
00:08:54,360 --> 00:08:56,520
for web application vulnerabilities.

173
00:08:56,520 --> 00:08:58,980
And that is called HTML injection.

174
00:08:58,980 --> 00:09:01,680
And we are also going to mention why we should never

175
00:09:01,680 --> 00:09:04,860
skip checking for the HTML injection.

176
00:09:04,860 --> 00:09:06,160
See you in the next video.