1 00:00:00,120 --> 00:00:05,860 All right, so welcome back, everyone, to the fresh session, and this session is about Same Origin Policy. 2 00:00:06,450 --> 00:00:08,190 We have learned this. 3 00:00:08,190 --> 00:00:16,740 We have got to know about this in the last session where we have understood about a challenge for JavaScript. 4 00:00:17,190 --> 00:00:24,960 The challenge was when we can actually insert JavaScript code into the other domain. 5 00:00:25,170 --> 00:00:25,610 Right. 6 00:00:25,770 --> 00:00:26,990 That was the challenge. 7 00:00:27,750 --> 00:00:35,310 And remember that this is not the usual redirection when you type something on the URL on 8 00:00:35,310 --> 00:00:42,240 the web browser and you get redirected from example1.com to example2.com, then to 9 00:00:42,840 --> 00:00:44,310 example3.com. 10 00:00:44,310 --> 00:00:48,540 You usually have been in case of payment gateways and all those stuff. 11 00:00:48,810 --> 00:00:56,520 This is where, this is the situation when you get the HTTP response on your web browser and that 12 00:00:56,520 --> 00:01:02,460 consists of a JavaScript code and that can lead you to redirect to another website. 13 00:01:02,910 --> 00:01:05,790 That's for the challenges in that situation. 14 00:01:05,790 --> 00:01:09,980 Any random website can mislead you to any other website. 15 00:01:09,990 --> 00:01:10,320 Right. 16 00:01:10,650 --> 00:01:18,950 So this misleading of information or misleading redirection is being rectified by this policy called 17 00:01:18,960 --> 00:01:20,790 Same Origin Policy. 18 00:01:21,510 --> 00:01:30,150 Let's understand a bit more. So, I understand the session was a bit difficult to digest. 19 00:01:30,270 --> 00:01:39,140 So in this session we'll try to connect all those dots so that our mind 20 00:01:39,180 --> 00:01:42,350 can easily digest the information again. 21 00:01:42,600 --> 00:01:43,040 Right. 
22 00:01:43,050 --> 00:01:44,910 So let's understand first. 23 00:01:44,910 --> 00:01:53,550 Paulus, first thing to understand with SOP is we cannot directly inject this script into any other 24 00:01:53,550 --> 00:01:54,000 domain. 25 00:01:54,510 --> 00:02:02,760 If we try to do that, it could be allowed based on three rules, based on three criteria, as 26 00:02:02,760 --> 00:02:03,290 I would say. 27 00:02:03,750 --> 00:02:07,350 First, the protocol should match on both the domains. 28 00:02:08,190 --> 00:02:11,610 Second, the domain should match, the domain name. 29 00:02:11,610 --> 00:02:11,910 Right. 30 00:02:11,910 --> 00:02:16,760 The domain name of the website should match. Third is the port. 31 00:02:16,910 --> 00:02:17,460 The port. 32 00:02:17,470 --> 00:02:19,450 Number, maybe the TCP port 33 00:02:19,740 --> 00:02:21,780 that we are talking about. By default, 34 00:02:21,780 --> 00:02:26,130 HTTP runs on 80, HTTPS works on 443. 35 00:02:26,680 --> 00:02:30,700 Even both of them have a different protocol and the port number as well. 36 00:02:31,170 --> 00:02:37,170 So we won't understand until we take the real example here. 37 00:02:37,170 --> 00:02:41,370 We need to take the example to understand how exactly it would work. 38 00:02:41,790 --> 00:02:48,540 So we'll be taking a different set of URLs and we'll try to understand if that really works, if the 39 00:02:48,540 --> 00:02:49,920 redirection would really work. 40 00:02:50,580 --> 00:02:53,710 So this is our source website. 41 00:02:53,730 --> 00:02:56,280 This is our originating website. 42 00:02:56,330 --> 00:02:58,890 OK, this is where you are at this moment. 43 00:02:58,900 --> 00:03:06,360 The example, Decider's Abdali example, dot com Anzar in certain directory and dot e-mail, because 44 00:03:06,360 --> 00:03:09,160 that's where you have some JavaScript code in it. 45 00:03:09,190 --> 00:03:09,440 Right. 
46 00:03:10,200 --> 00:03:14,820 So let's understand if the redirection from here to the next would happen or not. 47 00:03:15,270 --> 00:03:22,050 If you are Alastair's in this case, you will see the URL is Abdali example. 48 00:03:22,060 --> 00:03:30,660 Dot com slash does now slash other bodansky if you see the same, same, right, as HTTP. 49 00:03:30,870 --> 00:03:35,400 The HTTP protocol is same, domain name is same, Abdah example. 50 00:03:35,400 --> 00:03:41,250 Dot com, domain name is same, port is same because HTTP both works on 80. 51 00:03:41,550 --> 00:03:44,280 I mean it really works on 80 and both are. 52 00:03:45,990 --> 00:03:48,600 So it works, the redirection would happen. 53 00:03:48,600 --> 00:03:58,200 I mean the SOP policy is satisfied so it would be successful injection of, not really redirection, 54 00:03:58,200 --> 00:04:02,490 it's the injection of JavaScript code would be happening. 55 00:04:02,580 --> 00:04:02,970 Right. 56 00:04:04,260 --> 00:04:12,150 Second, if you see in this case, you have a domain name, same Abdah example, dot com, directory is 57 00:04:12,150 --> 00:04:13,440 exactly the same again. 58 00:04:13,800 --> 00:04:22,490 But hey, what you have, HTTPS, that breaks the rule because the port has been, HTTPS works on 443, 59 00:04:22,510 --> 00:04:23,400 443. 60 00:04:23,730 --> 00:04:32,280 And again, this is a different scheme altogether and it's not going to work here. The injection 61 00:04:32,280 --> 00:04:32,940 of the code, 62 00:04:33,150 --> 00:04:37,530 the insertion of the JavaScript code won't really happen. 63 00:04:37,530 --> 00:04:38,280 Won't work. 64 00:04:38,940 --> 00:04:44,610 Next, HTTP ab dot example, dot com. 65 00:04:44,610 --> 00:04:45,810 That's code going. 66 00:04:45,810 --> 00:04:46,470 Oh my God. 67 00:04:46,860 --> 00:04:47,910 This works on port 68 00:04:47,910 --> 00:04:48,780 81. 69 00:04:49,890 --> 00:04:53,040 Hey, I just told you about it. 
70 00:04:53,040 --> 00:04:56,960 Works on 80, but we'll understand this way. 71 00:04:57,060 --> 00:04:59,890 This is the default port, but HTTP can 72 00:04:59,980 --> 00:05:07,400 even work on any random port number except the default one, you can run it on eighty one, eighty, 73 00:05:07,400 --> 00:05:09,250 eighty, eighty one, eighty one. 74 00:05:09,610 --> 00:05:15,790 And in an unknown number, if the port number changed, then the SOP policy changes. 75 00:05:15,790 --> 00:05:20,500 Well, and you cannot insert JavaScript code in that situation. 76 00:05:22,330 --> 00:05:29,120 And finally, example, dot com, it's again HTTP, but the domain name has been changed. 77 00:05:29,120 --> 00:05:31,000 It's a different subdomain altogether. 78 00:05:31,000 --> 00:05:32,890 Subdomain is again a goldmine. 79 00:05:33,380 --> 00:05:45,130 And so because the domain has been changed, SOP policy, the SOP rule breaks and the injection of 80 00:05:45,130 --> 00:05:47,200 JavaScript won't happen. 81 00:05:47,620 --> 00:05:56,050 I hope you got this sense about what exactly all this and this might have given you a sense 82 00:05:56,050 --> 00:06:01,540 of understanding about when the JavaScript code can be inserted and when not. 83 00:06:01,990 --> 00:06:10,330 And by using this technique itself, by making this SOP itself in your mind, we have to 84 00:06:10,630 --> 00:06:14,150 play across it to perform our hacking. 85 00:06:14,500 --> 00:06:14,910 All right. 86 00:06:15,280 --> 00:06:16,900 I hope you got the idea so far. 87 00:06:17,320 --> 00:06:20,580 This is a solution. 88 00:06:20,590 --> 00:06:28,690 Remember, this SOP is a solution to take care of the entire domain JavaScript code insertion or 89 00:06:28,690 --> 00:06:29,400 injection. 90 00:06:30,460 --> 00:06:32,440 That's why this cannot be performed. 91 00:06:32,650 --> 00:06:35,650 This cannot be converted into the hacking in a way. 
92 00:06:36,010 --> 00:06:41,830 So being a hacker, we have to find some alternate solution to take care of it. 93 00:06:41,830 --> 00:06:42,160 Right. 94 00:06:42,640 --> 00:06:47,890 So let's get started from our growth, said scrutinization from the next lecture. 95 00:06:48,010 --> 00:06:48,730 We'll see you then.