WEBVTT

00:00.049 --> 00:03.660
>> Let's start off by talking
about Code Injection.

00:03.660 --> 00:05.475
It's exactly what
it sounds like.

00:05.475 --> 00:07.260
An attacker injects code into

00:07.260 --> 00:09.225
a backend database
through a website,

00:09.225 --> 00:11.850
usually through a form that
is open to the public.

00:11.850 --> 00:14.415
We fill out forms all the
time on the Internet,

00:14.415 --> 00:15.990
anytime you are buying something

00:15.990 --> 00:18.585
online or filling out
a survey and so forth.

00:18.585 --> 00:21.210
Of course, what we
enter into those forms,

00:21.210 --> 00:23.939
gets dumped into a
backend database.

00:23.939 --> 00:26.610
But the thing is, if
I'm allowed to enter

00:26.610 --> 00:29.805
garbage and it gets processed
on the backend database,

00:29.805 --> 00:32.955
it can actually run a command
that is very harmful.

00:32.955 --> 00:34.980
You don't have to
be a SQL engineer

00:34.980 --> 00:36.030
to know that the command in

00:36.030 --> 00:38.115
this cartoon drop table

00:38.115 --> 00:41.520
is probably not going to
be good for your database.

00:41.520 --> 00:43.995
What do we do to mitigate this?

00:43.995 --> 00:46.140
Input validation.

00:46.140 --> 00:47.990
We make sure that what goes into

00:47.990 --> 00:49.765
our database meets our rules.

00:49.765 --> 00:52.020
We're going to validate
things like datatype,

00:52.020 --> 00:54.290
so if the form is
asking for a date-time,

00:54.290 --> 00:55.760
I'll make sure that
the field only

00:55.760 --> 00:57.485
accepts that type of data.

00:57.485 --> 00:59.210
We restrict the field length to

00:59.210 --> 01:01.145
limit what a malicious
actor can do.

01:01.145 --> 01:04.280
Or even better, we give you
a drop-down menu to select

01:04.280 --> 01:05.510
from so you don't enter

01:05.510 --> 01:07.400
something in a field
that can be damaging.

01:07.400 --> 01:10.090
That's all part of
the input validation.

01:10.090 --> 01:13.640
Now, input sanitization
is comparable,

01:13.640 --> 01:15.320
but what it will do is attempt

01:15.320 --> 01:17.185
to clean up what
is being entered.

01:17.185 --> 01:19.295
For example, let's
say we allowed

01:19.295 --> 01:21.890
12 characters for
a last name field,

01:21.890 --> 01:24.735
but your last name
is 14 characters.

01:24.735 --> 01:27.390
Maybe you enter
all 14 characters,

01:27.390 --> 01:30.170
but data sanitization
is going to truncate

01:30.170 --> 01:32.000
the last two characters so that

01:32.000 --> 01:35.425
your information is
input as 12 characters.

01:35.425 --> 01:37.730
The answer to code injection is

01:37.730 --> 01:40.540
input validation
and sanitization.

01:40.540 --> 01:42.530
Let me just tell you, that's

01:42.530 --> 01:44.735
the answer to a lot of issues.

01:44.735 --> 01:46.940
Well-written web
applications that

01:46.940 --> 01:48.620
make sure the interface or

01:48.620 --> 01:50.450
the scripting that
pulls the entry of

01:50.450 --> 01:54.355
the user ensures the data
meets certain requirements.

01:54.355 --> 01:56.030
There are utilities that

01:56.030 --> 01:58.130
perform what's referred
to as fuzzing,

01:58.130 --> 02:00.200
which makes sure that
the application has

02:00.200 --> 02:04.125
the proper input validation
and sanitization.

02:04.125 --> 02:07.060
Now, some people will
talk about running

02:07.060 --> 02:08.470
fuzzing tools to see if they can

02:08.470 --> 02:10.765
exploit weaknesses
and vulnerabilities.

02:10.765 --> 02:12.820
It's just like anything else.

02:12.820 --> 02:14.500
Anything that was developed for

02:14.500 --> 02:17.105
good also can be used for evil.

02:17.105 --> 02:20.220
However the context is
presented on the exam,

02:20.220 --> 02:21.930
think about fuzzing as
something that checks

02:21.930 --> 02:24.990
an application for
weak input control.

02:24.990 --> 02:28.030
Now, one of the problems
that can come from

02:28.030 --> 02:30.980
poor input validation is
cross-site scripting.

02:30.980 --> 02:34.425
Cross-site scripting is
really a major vulnerability.

02:34.425 --> 02:37.450
It's been around for years
and keeps continuing to show

02:37.450 --> 02:40.250
up on the top 10 lists of
most common vulnerabilities.

02:40.250 --> 02:41.890
It's really something
that we need

02:41.890 --> 02:43.915
to work on in
software development.

02:43.915 --> 02:47.235
It's specifically geared
towards web applications.

02:47.235 --> 02:50.195
We have three basic types
of cross-site scripting.

02:50.195 --> 02:52.595
We have persistent,
we have reflective,

02:52.595 --> 02:54.250
and we have DOM-based.

02:54.250 --> 02:57.970
DOM stands for
Document Object Model.

02:58.250 --> 03:00.740
The first type of
cross-site scripting

03:00.740 --> 03:02.360
we'll look at is persistent.

03:02.360 --> 03:04.010
As an example of this type,

03:04.010 --> 03:05.900
let's say that before
you took this class,

03:05.900 --> 03:07.340
you got to know which instructor

03:07.340 --> 03:09.235
you wanted to take
this class from.

03:09.235 --> 03:11.300
Let's say each instructor
gets to create

03:11.300 --> 03:12.890
their own biography for you to

03:12.890 --> 03:15.035
read so you can make
your selection.

03:15.035 --> 03:17.360
When you click on an
instructor's picture,

03:17.360 --> 03:19.870
it switches and
loads the biography.

03:19.870 --> 03:22.160
But what if an instructor also

03:22.160 --> 03:24.695
injected a malicious
script into the picture?

03:24.695 --> 03:26.450
When you clicked on the picture,

03:26.450 --> 03:28.010
the payload did
something like capture

03:28.010 --> 03:29.240
your sensitive information from

03:29.240 --> 03:32.155
your system and send
it to the attacker.

03:32.155 --> 03:35.120
You can see how that's
persistent because it'll be

03:35.120 --> 03:36.290
sitting there in the picture for

03:36.290 --> 03:37.925
whenever someone clicks on it.

03:37.925 --> 03:39.680
Now, just for the record,

03:39.680 --> 03:41.450
nothing like this exists
in the picture for

03:41.450 --> 03:44.635
this course's instructor
on the Cybrary site.

03:44.635 --> 03:48.170
This type of attack could
be done in a lot of ways.

03:48.170 --> 03:50.120
I always think of
dating websites and

03:50.120 --> 03:52.010
how quick people are
to click on this image

03:52.010 --> 03:53.480
or that image and

03:53.480 --> 03:55.655
all those files were
uploaded by strangers.

03:55.655 --> 03:57.440
Who knows what can be in there?

03:57.440 --> 03:59.540
It's up to the site
to ensure that it's

03:59.540 --> 04:01.190
coded to catch that
type of thing and

04:01.190 --> 04:02.780
prevent it and that the data

04:02.780 --> 04:05.155
that is going in is sanitized.

04:05.155 --> 04:07.950
But with social media,
there are a million ways that

04:07.950 --> 04:11.400
we could become vulnerable
to cross-site scripting.

04:11.740 --> 04:14.180
Now, with reflective

04:14.180 --> 04:16.825
cross-site scripting,
it is non-persistent.

04:16.825 --> 04:19.010
This starts off with the
attacker who creates

04:19.010 --> 04:21.560
a URL that has some
malicious string in it.

04:21.560 --> 04:24.665
The attacker sends that
URL to the user somehow.

04:24.665 --> 04:26.240
User clicks on that link

04:26.240 --> 04:28.055
thinking it's for a
legitimate site,

04:28.055 --> 04:31.210
but ultimately it takes the
user to a rogue website.

04:31.210 --> 04:33.140
Once the user clicks
the malicious

04:33.140 --> 04:34.655
URL and goes to the site,

04:34.655 --> 04:37.160
it runs its payload
on the user system.

04:37.160 --> 04:39.320
It might be that this
code causes some of

04:39.320 --> 04:41.690
that user's sensitive
information to be sent back

04:41.690 --> 04:44.555
to the attacker based on
the user's connection.

04:44.555 --> 04:46.970
This is non-persistent
because it's based

04:46.970 --> 04:50.000
on this link that the
attacker sent to the user.

04:50.000 --> 04:52.010
Now, the last type of

04:52.010 --> 04:54.575
cross-site scripting is
called a DOM-based type.

04:54.575 --> 04:57.910
That stands for Document
Object Model-based.

04:57.910 --> 05:00.720
With this type, an
attacker crafts a URL

05:00.720 --> 05:03.755
containing a malicious string
and sends it to the victim.

05:03.755 --> 05:06.215
The victim is tricked
into opening the link

05:06.215 --> 05:09.095
and requesting the malicious
URL from the website.

05:09.095 --> 05:11.420
The website includes
the malicious string

05:11.420 --> 05:12.800
in its response to the victim.

05:12.800 --> 05:16.250
The victim's browser interprets
the malicious code and

05:16.250 --> 05:17.600
the server's response as part of

05:17.600 --> 05:20.290
the legitimate web page
and executes code.

05:20.290 --> 05:22.520
Then the victim's
sensitive information

05:22.520 --> 05:24.395
is sent to the
attacker's server.

05:24.395 --> 05:26.030
An example of this might be

05:26.030 --> 05:27.800
a case where I go to the website

05:27.800 --> 05:29.255
that the attacker has sent me

05:29.255 --> 05:31.235
and it asks me to
fill in my name.

05:31.235 --> 05:33.665
I fill in Kelly and press Enter.

05:33.665 --> 05:37.070
Then I see a welcome screen
that says, hello Kelly.

05:37.070 --> 05:39.290
It is taking my input and using

05:39.290 --> 05:41.845
my input to launch
a second page.

05:41.845 --> 05:43.490
There's nothing happening on

05:43.490 --> 05:46.100
the web server that's been
poisoned, so to speak.

05:46.100 --> 05:47.960
It's more about the
fact that they've

05:47.960 --> 05:49.850
manipulated the
code, so that way,

05:49.850 --> 05:51.829
it modifies what
the website returns

05:51.829 --> 05:53.650
when the user enters the input.

05:53.650 --> 05:55.200
I hope that makes sense.

05:55.200 --> 05:57.500
It's not that the website
has been compromised,

05:57.500 --> 05:58.790
but they've tricked your system

05:58.790 --> 06:00.110
to provide input that is going

06:00.110 --> 06:03.215
to cause some malicious return
on the web server's part.

06:03.215 --> 06:06.320
It's all happening in the
victim's web browser.

06:06.320 --> 06:08.120
No modification at all to

06:08.120 --> 06:11.455
the web server and that's
what makes it DOM-based.

06:11.455 --> 06:12.800
It has nothing to do with

06:12.800 --> 06:15.515
the interaction of objects
on the same system.

06:15.515 --> 06:17.630
Nothing is happening
on the website.

06:17.630 --> 06:19.790
It's more that your
system is being tricked

06:19.790 --> 06:22.980
into requesting some
malicious activity.

06:23.450 --> 06:26.370
Cross-site scripting
can be really nasty.

06:26.370 --> 06:28.910
It usually includes
some manipulation

06:28.910 --> 06:30.200
where you go to a website and

06:30.200 --> 06:32.225
get something
malicious in return.

06:32.225 --> 06:33.890
The best defense from a web

06:33.890 --> 06:35.330
server perspective is to write

06:35.330 --> 06:39.110
clean applications that validate
input and sanitize it.

06:39.110 --> 06:41.195
From a user's perspective,

06:41.195 --> 06:42.380
you can keep your browser up to

06:42.380 --> 06:44.195
date and disable JavaScript,

06:44.195 --> 06:46.594
except where it's
absolutely necessary.

06:46.594 --> 06:49.950
Those are some things you
can do to keep it safe.

