1
00:00:00,090 --> 00:00:01,360
All right, welcome back, everyone.

2
00:00:01,380 --> 00:00:07,190
This is the session, this session is about reflected XSS, that's cross-site scripting.

3
00:00:07,560 --> 00:00:08,640
Let's get started.

4
00:00:09,480 --> 00:00:13,400
So reflected XSS, reflected X,

5
00:00:13,470 --> 00:00:13,860
S,

6
00:00:14,010 --> 00:00:22,890
S, is an attack where basically what happens is it makes use of a vulnerability, basically,

7
00:00:23,190 --> 00:00:27,540
wherein the website is not performing any kind of output

8
00:00:27,540 --> 00:00:28,410
sanitisation.

9
00:00:28,410 --> 00:00:28,720
Right.

10
00:00:29,070 --> 00:00:36,390
And in this situation, whatever the script given to the website from the user, it comes back

11
00:00:36,390 --> 00:00:43,410
to the user itself without performing any sanitisation or without looking at what exactly is going out.

12
00:00:43,740 --> 00:00:44,040
Right.

13
00:00:44,550 --> 00:00:51,450
So let's go back a bit to the earlier session where we discussed JavaScript and we discussed

14
00:00:51,450 --> 00:00:58,030
what are the loopholes and the points where the problem may arise when it comes to the web application.

15
00:00:58,410 --> 00:01:03,720
There are only two points. Let's say if this is the website.

16
00:01:03,720 --> 00:01:03,960
Right?

17
00:01:04,170 --> 00:01:05,050
There are two points.

18
00:01:05,100 --> 00:01:07,770
One is the inbound and another one is the outbound.

19
00:01:08,040 --> 00:01:15,270
If we don't have the input, essentially, if we don't have the input sanitisation, in that situation

20
00:01:16,650 --> 00:01:21,060
the attacker can send any sort of data.

21
00:01:21,060 --> 00:01:21,350
Right.

22
00:01:21,600 --> 00:01:24,450
And that's where they can perform the SQL injection attack.

23
00:01:24,480 --> 00:01:24,750
Right.
24
00:01:25,230 --> 00:01:29,220
To the point where we don't perform the input sanitisation,

25
00:01:29,220 --> 00:01:35,460
I mean, in terms of, we don't really look at what we are taking inside and giving it to the database,

26
00:01:35,970 --> 00:01:41,760
we can be a victim of a SQL injection attack or any sort of injection attack.

27
00:01:42,300 --> 00:01:49,290
But on the other side, if we don't really look at what is really going out of the website or web application,

28
00:01:49,740 --> 00:01:55,140
that leads to attacks like this, which is the cross-site scripting attack.

29
00:01:55,140 --> 00:01:55,500
Right.

30
00:01:55,830 --> 00:01:57,180
And that's what we discussed.

31
00:01:57,180 --> 00:02:03,120
And when we are talking about JavaScript, these are the two points where the application attack could

32
00:02:03,420 --> 00:02:09,690
actually happen: when the input sanitisation is not happening and when the output sanitisation is not

33
00:02:09,690 --> 00:02:16,200
happening. Throughout cross-site scripting we will especially be focusing on the output sanitisation,

34
00:02:16,560 --> 00:02:21,890
and that leads to that vulnerability, leads to this cross-site scripting attack.

35
00:02:21,900 --> 00:02:27,900
I hope you got the sense. Let's understand especially what exactly that reflected XSS is. So reflected is

36
00:02:27,900 --> 00:02:28,320
the point.

37
00:02:28,620 --> 00:02:33,600
It's a vulnerability that reflects the malicious code back to the victim browser.

38
00:02:34,200 --> 00:02:42,720
So a reflected script could be simply a script sent to the web browser and coming back, whatever

39
00:02:42,720 --> 00:02:44,370
that code is, the malicious code.

40
00:02:44,370 --> 00:02:48,780
So that goes to the website and comes back to the user as it is.

41
00:02:48,790 --> 00:02:53,340
So that becomes the reflected cross-site scripting attack also.

42
00:02:54,060 --> 00:02:55,830
And the situation that that makes,
43
00:02:55,860 --> 00:03:02,850
As I told you earlier, attackers make use of this, they make use of a website that does not perform

44
00:03:02,850 --> 00:03:04,680
any processing of data.

45
00:03:05,040 --> 00:03:06,810
So they make use of a website.

46
00:03:06,810 --> 00:03:15,360
When I say that, it means that they make use of a vulnerable site, or probably any site, but they

47
00:03:15,360 --> 00:03:18,330
first try to infect that site and compromise it.

48
00:03:18,600 --> 00:03:21,540
And then they make use of it as an attack vector.

49
00:03:21,750 --> 00:03:22,110
Right.

50
00:03:23,010 --> 00:03:24,420
Or they could have their own.

51
00:03:24,810 --> 00:03:31,170
But they try to make use of a website which is already popular, which is a bit popular, where people

52
00:03:31,170 --> 00:03:33,910
can do some transaction and go back.

53
00:03:33,910 --> 00:03:34,150
Right.

54
00:03:34,350 --> 00:03:42,780
So it is a good idea for a hacker to hack those websites where there are people coming

55
00:03:42,780 --> 00:03:43,780
in and going out.

56
00:03:44,640 --> 00:03:50,730
In spite of that, if they build their own site and start doing something by themselves, it is risky

57
00:03:50,730 --> 00:03:52,500
because they have to sell some things.

58
00:03:52,500 --> 00:03:58,950
They have to deliver some value, which is not right, in fact, for an unethical hacker.

59
00:03:58,950 --> 00:03:59,350
Right.

60
00:03:59,910 --> 00:04:06,480
So that's what it is, basically a hacker compromises, in fact, any normal website.

61
00:04:06,690 --> 00:04:13,540
And then they'll let the user come, and then the output sanitisation is not happening,

62
00:04:14,040 --> 00:04:16,330
and that comes through the reflected XSS attack.

63
00:04:16,330 --> 00:04:16,510
Right.
64
00:04:17,190 --> 00:04:24,540
So remember, in this situation, the hacker will always be looking for any website, any normal standard

65
00:04:24,540 --> 00:04:29,500
website which might be infected by the reflected XSS one.

66
00:04:29,970 --> 00:04:30,360
All right.

67
00:04:30,780 --> 00:04:32,910
But remember this very important point.

68
00:04:32,910 --> 00:04:34,930
It takes time and energy.

69
00:04:35,280 --> 00:04:40,290
Let me tell you how. A hacker sitting anywhere in the world,

70
00:04:40,290 --> 00:04:40,560
right,

71
00:04:41,640 --> 00:04:44,940
what exactly does he need to do in order to perform this attack?

72
00:04:45,360 --> 00:04:47,530
He first needs to send sort of an email,

73
00:04:47,550 --> 00:04:47,830
right,

74
00:04:48,270 --> 00:04:57,600
a kind of phishing email with a smart subject line and good content so that the user should open the,

75
00:04:58,260 --> 00:04:59,910
the user should open it

76
00:05:00,010 --> 00:05:06,160
in the e-mail box and look at what exactly the email body looks like. It could be very much like,

77
00:05:06,490 --> 00:05:13,540
you know, there's a sale, there's a gift hamper or maybe any sort of stuff over there that prompts the

78
00:05:13,570 --> 00:05:19,270
user to click on the e-mail, look at the content, and then get redirected to some website.

79
00:05:19,930 --> 00:05:20,810
We'll talk about it.

80
00:05:21,550 --> 00:05:24,410
So it should be an e-mail having some links, right.

81
00:05:24,850 --> 00:05:26,040
The user clicks on it.

82
00:05:26,200 --> 00:05:27,510
And what happens next?

83
00:05:27,730 --> 00:05:31,300
It should be, the moment they click on the link,

84
00:05:31,300 --> 00:05:35,540
they should get redirected to a website which is vulnerable.

85
00:05:35,980 --> 00:05:39,760
I'm not saying this will be a hacker's website.

86
00:05:39,790 --> 00:05:42,940
This could be any simple e-commerce site.
87
00:05:42,950 --> 00:05:51,270
But remember, this is an infected website which doesn't perform any sort of output sanitisation.

88
00:05:51,610 --> 00:06:00,790
That means if that user goes to the website and reaches the website after clicking on the email link,

89
00:06:01,390 --> 00:06:08,790
the JavaScript code, which was there on the email link, reaches the website with that, and

90
00:06:09,490 --> 00:06:11,910
it comes back to the user again.

91
00:06:12,580 --> 00:06:14,530
And that's what you see as a code.

92
00:06:14,860 --> 00:06:17,920
It comes back to the user as it is.

93
00:06:18,190 --> 00:06:24,220
And that's why it is reflected to the user as it is, and that's why it is called the reflected cross-site

94
00:06:24,220 --> 00:06:25,060
scripting attack.

95
00:06:25,210 --> 00:06:25,990
Now, what happens?

96
00:06:26,410 --> 00:06:34,720
Because the code has been reflected back to the victim, that basically compromises

97
00:06:34,720 --> 00:06:36,580
the user machine.

98
00:06:37,180 --> 00:06:46,090
And that's how the hacker completely gets access to the victim machine.

99
00:06:46,600 --> 00:06:50,560
Now, you may ask, why struggle so much?

100
00:06:50,560 --> 00:06:55,090
Why can't I directly, you know, why do I really need a separate website?

101
00:06:55,420 --> 00:07:01,410
And why can't I directly attack the victim without even, you know, letting the user go to one

102
00:07:01,420 --> 00:07:02,920
vulnerable site and then coming back?

103
00:07:03,280 --> 00:07:12,970
Because this makes the attack more sophisticated and more, you know, genuine

104
00:07:12,970 --> 00:07:16,030
for the user, in fact, to click on it, or otherwise

105
00:07:16,300 --> 00:07:17,050
nobody.
106
00:07:17,050 --> 00:07:22,660
Even if the hacker sent any malicious code or something, it would be difficult for a user to download

107
00:07:22,660 --> 00:07:24,450
that code and all those things.

108
00:07:24,910 --> 00:07:31,420
But in case they get redirected to some website, that doesn't require any kind of a malicious

109
00:07:31,420 --> 00:07:40,610
payload, doesn't require a hacker to look into any sort of antivirus engine and all those

110
00:07:40,630 --> 00:07:42,280
bypass techniques and everything.

111
00:07:42,580 --> 00:07:45,390
But this, the user will be redirected to a website.

112
00:07:45,730 --> 00:07:53,260
The JavaScript code comes back to the user again as well, which was there in the email link, as

113
00:07:53,260 --> 00:07:55,480
it is. Right, now

114
00:07:55,480 --> 00:07:56,590
what really happened?

115
00:07:56,980 --> 00:08:02,890
Remember correctly, remember very, very closely that it is caused by the incoming request not being

116
00:08:02,890 --> 00:08:06,430
sanitized right from the server side.

117
00:08:06,430 --> 00:08:15,040
And also, if this was sent to one user, remember this thing, that this is why I told you that this

118
00:08:15,040 --> 00:08:20,890
is going to take a lot of time, because in this situation, you have to send an email to each and every

119
00:08:20,890 --> 00:08:21,780
individual user.
120
00:08:22,120 --> 00:08:28,750
So let me show you how. In this situation, we send any link, we send an email to the one victim, and

121
00:08:28,750 --> 00:08:34,840
exactly the same way, if we need to compromise like thousands of people, we have to send

122
00:08:34,840 --> 00:08:41,440
an e-mail to thousands of users, sophisticated e-mails, and if they click on

123
00:08:41,440 --> 00:08:46,450
the e-mail, then they get redirected to one vulnerable site and then they get the code back to

124
00:08:46,450 --> 00:08:50,330
their system, and then only they get compromised, otherwise not.

125
00:08:50,650 --> 00:08:57,760
That's why I told you it takes time and energy as well, because in this situation, there is a need

126
00:08:57,840 --> 00:09:01,300
for making sophisticated e-mails and all this stuff.

127
00:09:01,780 --> 00:09:10,980
So it is very difficult in terms of returns on investment for hackers.

128
00:09:10,990 --> 00:09:11,250
Right.

129
00:09:12,790 --> 00:09:15,100
And the second part is a sophisticated phishing

130
00:09:15,100 --> 00:09:22,540
campaign is really needed for making this campaign successful for any hacker.

131
00:09:23,080 --> 00:09:23,460
All right.

132
00:09:23,470 --> 00:09:29,200
So I hope you got the idea about what reflected XSS is all about. Catch you in the next session where

133
00:09:29,200 --> 00:09:34,060
we cover some very important points about the same topic.

134
00:09:34,720 --> 00:09:35,200
Thank you.