1
00:00:00,090 --> 00:00:01,360
All right, welcome back, everyone.

2
00:00:01,380 --> 00:00:07,190
This is resonation, this session is about reflected excessed says that's crosseyed scripting.

3
00:00:07,560 --> 00:00:08,640
Let's get started.

4
00:00:09,480 --> 00:00:13,400
So reflected exosomes reflected X.

5
00:00:13,470 --> 00:00:13,860
S.

6
00:00:14,010 --> 00:00:22,890
S is an attack where basically what happened is it makes use makes use of of of a vulnerability, basically,

7
00:00:23,190 --> 00:00:27,540
wherein the website is not performing any kind of output.

8
00:00:27,540 --> 00:00:28,410
Sanitisation.

9
00:00:28,410 --> 00:00:28,720
Right.

10
00:00:29,070 --> 00:00:36,390
And in this situation, whatever the script given to the website from the user, come back, come back

11
00:00:36,390 --> 00:00:43,410
to the user itself without performing any sanitisation or without looking at what exactly is going out.

12
00:00:43,740 --> 00:00:44,040
Right.

13
00:00:44,550 --> 00:00:51,450
So let's go back a bit in the earlier session where we have discourse about our script and we discuss

14
00:00:51,450 --> 00:00:58,030
about what are the loopholes and the points where the problem may arise when it comes to the Web application.

15
00:00:58,410 --> 00:01:03,720
There is only two points in let's say let's say if it is this is the website.

16
00:01:03,720 --> 00:01:03,960
Right?

17
00:01:04,170 --> 00:01:05,050
There's two points.

18
00:01:05,100 --> 00:01:07,770
One is the inbound and another one's in the out form.

19
00:01:08,040 --> 00:01:15,270
If we don't have the input, essentially, if we don't have the input sanitisation in that situation,

20
00:01:16,650 --> 00:01:21,060
the the the the the attack can send any sort of data.

21
00:01:21,060 --> 00:01:21,350
Right.

22
00:01:21,600 --> 00:01:24,450
And that's where it can perform the Escorial injection attack.

23
00:01:24,480 --> 00:01:24,750
Right.

24
00:01:25,230 --> 00:01:29,220
To the point where we don't perform the input sanitisation.

25
00:01:29,220 --> 00:01:35,460
I mean, in terms of we don't really look at what we are taking inside and giving it to the database.

26
00:01:35,970 --> 00:01:41,760
We can we can be a victim of a sequel injection attack or any sort of injection or death.

27
00:01:42,300 --> 00:01:49,290
But on the other side, if we don't really look at what really going out of the website or web application

28
00:01:49,740 --> 00:01:55,140
that leads to the attacks like this, which is gartside scripting attack.

29
00:01:55,140 --> 00:01:55,500
Right.

30
00:01:55,830 --> 00:01:57,180
And that's what we discuss.

31
00:01:57,180 --> 00:02:03,120
And when we are talking about JavaScript, this is the two points where the application attack could

32
00:02:03,420 --> 00:02:09,690
actually happen when the input sanitisation is not happening and when the output sanitisation is not

33
00:02:09,690 --> 00:02:16,200
happening throughout the script, side scripting will especially be focusing on the output sanitisation,

34
00:02:16,560 --> 00:02:21,890
and that leads to that vulnerability, leads to this crosseyed scripting attack.

35
00:02:21,900 --> 00:02:27,900
I hope you got the sense let's understand especially what exactly that reflected is also reflected is

36
00:02:27,900 --> 00:02:28,320
the point.

37
00:02:28,620 --> 00:02:33,600
It's a vulnerability that reflects the malicious code back to the victim browser.

38
00:02:34,200 --> 00:02:42,720
So reflective script could be simply a script sent to the web browser and come back to back f whatever

39
00:02:42,720 --> 00:02:44,370
that code as the malicious.

40
00:02:44,370 --> 00:02:48,780
So that goes to the website and come back to the user as it is.

41
00:02:48,790 --> 00:02:53,340
So that becomes the Reflektor crosseyed scripting attack also.

42
00:02:54,060 --> 00:02:55,830
And the situation that that makes.

43
00:02:55,860 --> 00:03:02,850
As I told you earlier, attackers make use of this does make use of a website that does not perform

44
00:03:02,850 --> 00:03:04,680
any processing of data.

45
00:03:05,040 --> 00:03:06,810
So they make use of a website.

46
00:03:06,810 --> 00:03:15,360
When I see that, it means that they make use of a vulnerable site on or probably any site, but they

47
00:03:15,360 --> 00:03:18,330
first try to infect that site and compromised it.

48
00:03:18,600 --> 00:03:21,540
And then they make use of it as attack vector.

49
00:03:21,750 --> 00:03:22,110
Right.

50
00:03:23,010 --> 00:03:24,420
Or they could have their own.

51
00:03:24,810 --> 00:03:31,170
But they tried to make use of a website which is already popular, which is a bit popular, where people

52
00:03:31,170 --> 00:03:33,910
can do some transaction and go back.

53
00:03:33,910 --> 00:03:34,150
Right.

54
00:03:34,350 --> 00:03:42,780
So it is easy to it is it is a good idea for a hacker to hack those website where there are people coming

55
00:03:42,780 --> 00:03:43,780
in and going up.

56
00:03:44,640 --> 00:03:50,730
In spite of that, if they build their own site and start doing something by themselves, it is risky

57
00:03:50,730 --> 00:03:52,500
because they have to solve some things.

58
00:03:52,500 --> 00:03:58,950
They have to deliver some value, which is not right, in fact, to be an unethical hacker.

59
00:03:58,950 --> 00:03:59,350
Right.

60
00:03:59,910 --> 00:04:06,480
So that's what it is basically a hacker compromise or in fact, any normal website.

61
00:04:06,690 --> 00:04:13,540
And then they'll let the user come and then the output sanitisation is not happening that come to the

62
00:04:14,040 --> 00:04:16,330
that comes through the reflected Access's attack.

63
00:04:16,330 --> 00:04:16,510
Right.

64
00:04:17,190 --> 00:04:24,540
So remember, in this situation, the hacker will always be looking for any website, any normal standard

65
00:04:24,540 --> 00:04:29,500
website which might be infected by the reflected exercise exercice one.

66
00:04:29,970 --> 00:04:30,360
All right.

67
00:04:30,780 --> 00:04:32,910
But remember this very important point.

68
00:04:32,910 --> 00:04:34,930
It takes time and energy.

69
00:04:35,280 --> 00:04:40,290
Tell you how and hacker sitting anywhere in the world.

70
00:04:40,290 --> 00:04:40,560
Right.

71
00:04:41,640 --> 00:04:44,940
What exactly he need to do in order to perform this attack.

72
00:04:45,360 --> 00:04:47,530
He first need to send sort of an email.

73
00:04:47,550 --> 00:04:47,830
Right.

74
00:04:48,270 --> 00:04:57,600
And kind of phishing email with smart subject line and good content so that the user should open the

75
00:04:58,260 --> 00:04:59,910
user should all.

76
00:05:00,010 --> 00:05:06,160
In the e-mail box and look at what exactly the human body looks like, it could be very much like,

77
00:05:06,490 --> 00:05:13,540
you know, there's a cell, there's a gift hamper or maybe any sort of stuff over there that prompt

78
00:05:13,570 --> 00:05:19,270
user to click on the e-mail, look at the content, and then get rid of some web.

79
00:05:19,930 --> 00:05:20,810
We'll talk about it.

80
00:05:21,550 --> 00:05:24,410
So it should be an e-mail, having some links, right.

81
00:05:24,850 --> 00:05:26,040
User click on it.

82
00:05:26,200 --> 00:05:27,510
And what happened next?

83
00:05:27,730 --> 00:05:31,300
It should be the moment it click on the link.

84
00:05:31,300 --> 00:05:35,540
It should get redirected to a website which is vulnerable.

85
00:05:35,980 --> 00:05:39,760
I'm not saying this is this will be a hacker's website.

86
00:05:39,790 --> 00:05:42,940
This could be any simple e-commerce site.

87
00:05:42,950 --> 00:05:51,270
But remember, this is an infected website which which doesn't perform any sort of or output sanitisation.

88
00:05:51,610 --> 00:06:00,790
That means if that user goes to the Web site and reaches to the Web site after clicking on the emailing

89
00:06:01,390 --> 00:06:08,790
the JavaScript code, which was there on the email link, and with that it reaches to the website,

90
00:06:09,490 --> 00:06:11,910
it comes back to the user again.

91
00:06:12,580 --> 00:06:14,530
And that's what you see as a code.

92
00:06:14,860 --> 00:06:17,920
It comes back to the user as it is.

93
00:06:18,190 --> 00:06:24,220
And that's why it is reflected to the user as it is, and that's why it is called reflected crosseyed

94
00:06:24,220 --> 00:06:25,060
scripting attack.

95
00:06:25,210 --> 00:06:25,990
Now, what happened?

96
00:06:26,410 --> 00:06:34,720
Because the school has been the code has been written reflecting back to the victim that basically compromises

97
00:06:34,720 --> 00:06:36,580
the user machine.

98
00:06:37,180 --> 00:06:46,090
And that's how the user user, aka hacker hacker completely get the access to the victim machine.

99
00:06:46,600 --> 00:06:50,560
Now, you may ask, why do struggle so much?

100
00:06:50,560 --> 00:06:55,090
Why can't I directly you know, why do I really need a separate website?

101
00:06:55,420 --> 00:07:01,410
And why can't I directly attack the victim without even, you know, letting the user to Google one

102
00:07:01,420 --> 00:07:02,920
little bit site and then coming back?

103
00:07:03,280 --> 00:07:12,970
Because this makes the user to this makes then attack more sophisticated and more, you know, genuine

104
00:07:12,970 --> 00:07:16,030
for the user, in fact, to click on it or otherwise.

105
00:07:16,300 --> 00:07:17,050
Nobody.

106
00:07:17,050 --> 00:07:22,660
If even if the hacker sent any malicious code or something, it would be difficult for a user to download

107
00:07:22,660 --> 00:07:24,450
that code and all those subprime.

108
00:07:24,910 --> 00:07:31,420
But in case if that that that get redirected to some website that doesn't require any kind of a malicious

109
00:07:31,420 --> 00:07:40,610
payload, doesn't require a hacker to look into any sort of any sort of antivirus engine and all those

110
00:07:40,630 --> 00:07:42,280
bypass technique and everything.

111
00:07:42,580 --> 00:07:45,390
But this the user will be redirected to a website.

112
00:07:45,730 --> 00:07:53,260
The the JavaScript code comes back to the user again as well, which was there in the email link as

113
00:07:53,260 --> 00:07:55,480
it is right now.

114
00:07:55,480 --> 00:07:56,590
What really happened?

115
00:07:56,980 --> 00:08:02,890
Remember correctly, remember very, very closely that it is caused by the incoming request not being

116
00:08:02,890 --> 00:08:06,430
sanitized right from the server side.

117
00:08:06,430 --> 00:08:15,040
And also, if this was sent to one user, remember this thing that this has, why I told you that this

118
00:08:15,040 --> 00:08:20,890
is going to take a lot of time, because in this situation, you have to send an email to each and every

119
00:08:20,890 --> 00:08:21,780
individual user.

120
00:08:22,120 --> 00:08:28,750
So let me show you how in this situation, we send any link, we send an email to the one victim and

121
00:08:28,750 --> 00:08:34,840
exactly the same way we have to if we need to compromise like thousands of people, we have to send

122
00:08:34,840 --> 00:08:41,440
an e-mail to thousands of the user to sophisticated e-mails, and they click on the if they click on

123
00:08:41,440 --> 00:08:46,450
the e-mail, then they can get redirected within one little site and then they get the code back to

124
00:08:46,450 --> 00:08:50,330
their system and they then they only get compromised otherwise not.

125
00:08:50,650 --> 00:08:57,760
That's why I told you it takes time and energy as well, because in this situation, there is a need

126
00:08:57,840 --> 00:09:01,300
of making sophisticated e-mails and all this stuff.

127
00:09:01,780 --> 00:09:10,980
So it is it is very difficult in terms of and in terms of returns on investment for hackers.

128
00:09:10,990 --> 00:09:11,250
Right.

129
00:09:12,790 --> 00:09:15,100
And second part is sophisticated phishing.

130
00:09:15,100 --> 00:09:22,540
Gambin is really needed for making this making this campaign to be successful for any hacker.

131
00:09:23,080 --> 00:09:23,460
All right.

132
00:09:23,470 --> 00:09:29,200
So I hope you got the idea about what reflected Exercice is all about catching the next mission where

133
00:09:29,200 --> 00:09:34,060
we cover some very much important point about the same topic.

134
00:09:34,720 --> 00:09:35,200
Thank you.