1
00:00:00,120 --> 00:00:08,160
Stored XSS, also known as persistent XSS, is the most dangerous type of XSS. Stored XSS generally

2
00:00:08,160 --> 00:00:14,340
occurs when user input is stored on the target server, such as in a database, in a message forum,

3
00:00:14,370 --> 00:00:20,310
visitor log, comment field, etc., and then a victim is able to retrieve the stored data from the web

4
00:00:20,310 --> 00:00:21,030
application

5
00:00:21,420 --> 00:00:27,030
without that data being made safe to render in the browser. The attacker prepares the malicious request

6
00:00:27,030 --> 00:00:28,360
and sends it to the server.

7
00:00:28,380 --> 00:00:31,350
The server stores the input sent in the request.

8
00:00:31,350 --> 00:00:37,260
Any time a visitor visits the page which contains the output produced using the malicious request,

9
00:00:37,350 --> 00:00:39,750
the tampered page is returned to the visitor.

10
00:00:40,080 --> 00:00:45,150
Since the malicious code is stored on the server, the attacker does not have to convince anyone.

11
00:00:46,470 --> 00:00:53,700
Every visitor is a victim now. So let's see stored XSS in an example. We use -- vulnerable

12
00:00:53,700 --> 00:00:55,590
web applications for this example.

13
00:00:55,680 --> 00:00:58,950
Go to the OWASP Broken Web Applications home page.

14
00:01:00,510 --> 00:01:03,510
And click the Damn Vulnerable Web Application link.

15
00:01:05,140 --> 00:01:08,920
Log into the application using the user/user credentials.

16
00:01:11,160 --> 00:01:12,900
Go to the Stored XSS page.

17
00:01:13,620 --> 00:01:17,250
Now, this is a guest book which stores visitors' messages.

18
00:01:19,330 --> 00:01:24,910
When we submit our message, it's stored and displayed to the visitors on each visit. As you see, the

19
00:01:24,910 --> 00:01:31,240
application produced an output using the user input. To examine if the application validates the input,
20
00:01:32,260 --> 00:01:35,350
we submit some script code with a script tag.

21
00:01:42,280 --> 00:01:43,270
And done.

22
00:01:43,300 --> 00:01:49,720
The output contains the script, and the script is interpreted by the browser. Since the script is stored

23
00:01:49,720 --> 00:01:50,320
on the server,

24
00:01:50,350 --> 00:01:54,790
it will be sent whenever the page is visited, to whomever visits the page.

25
00:01:55,710 --> 00:02:00,900
Of course, the attacker is able to do way more than just giving alert messages.

26
00:02:01,500 --> 00:02:04,500
Let's prepare a message to collect the victims' cookies.

27
00:02:05,100 --> 00:02:08,430
So this time, we create a new image in the script.

28
00:02:19,590 --> 00:02:25,980
We reached the max length of the edit box, but we already know how we can keep going, so let's change

29
00:02:25,980 --> 00:02:27,180
the max length of the box.

30
00:02:29,910 --> 00:02:30,990
Set the image source

31
00:02:32,170 --> 00:02:33,610
as attacker.com.

32
00:02:34,000 --> 00:02:38,470
So the victim sends a request to attacker.com to get the image.

33
00:02:42,300 --> 00:02:48,810
We give document.cookie as a parameter of the request, which sends the victim's cookie to attacker.com.

34
00:02:49,290 --> 00:02:54,650
Now, at this point, let's watch the traffic between the browser and the server using Burp Suite.

35
00:03:03,020 --> 00:03:09,290
As you see, the victim's browser has sent a request to attacker.com and sent the cookie of the victim

36
00:03:09,530 --> 00:03:10,490
as the parameter.

37
00:03:11,060 --> 00:03:15,470
Now the attacker has a list of cookies, which contains the cookies of all visitors.

38
00:03:15,950 --> 00:03:20,510
If you have the session ID of a user, you can act as that user in the application.

39
00:03:21,050 --> 00:03:23,210
So here's a nifty example from the real world.

40
00:03:23,960 --> 00:03:25,520
Remember when MySpace was big?
41
00:03:26,210 --> 00:03:29,870
MySpace is a site for keeping up with friends and meeting new people.

42
00:03:30,290 --> 00:03:36,800
It allows you to set up a profile and web page with a limited ability to make it look and feel how you

43
00:03:36,800 --> 00:03:37,160
want it.

44
00:03:38,490 --> 00:03:46,290
In 2005, Samy Kamkar decided to make his MySpace profile cool. After a little bit of messing around,

45
00:03:46,620 --> 00:03:52,920
he found that he could put in a longer headline than what they allowed, and of course, he put cool effects

46
00:03:52,920 --> 00:03:53,700
onto his page.

47
00:03:54,510 --> 00:03:58,680
Then he put code into his profile, which does two major things.

48
00:03:59,220 --> 00:04:06,030
First, anyone who viewed his profile who wasn't already on his friends list would inadvertently add

49
00:04:06,030 --> 00:04:06,780
him as a friend.

50
00:04:07,470 --> 00:04:11,490
Second, the code added itself to the visitor's profile.

51
00:04:11,850 --> 00:04:19,110
Now, that means anyone who views their profile also adds Samy as a friend, and then anyone who hits

52
00:04:19,110 --> 00:04:24,330
those people's profiles adds Samy as a friend, and so on and so on.

53
00:04:24,630 --> 00:04:31,530
So if five people viewed his profile, that's five new friends; if five people viewed each of their profiles,

54
00:04:31,680 --> 00:04:40,440
that's 25 more new friends. MySpace Worm, Samy Kamkar, hacker, Jesse Collins, https://

55
00:04:40,440 --> 00:04:43,890
samy.pl/popular/

56
00:04:44,490 --> 00:04:48,370
OK, so let's have a look here. Before the code is added,

57
00:04:48,390 --> 00:04:50,160
Samy has 73 friends.

58
00:04:50,550 --> 00:04:56,130
One hour later, Samy has 73 friends and one friend request.

59
00:04:56,280 --> 00:05:03,960
Seven hours later, he has 74 friends and 221 friend requests. One hour later,

60
00:05:04,320 --> 00:05:08,700
he has 74 friends and 480 friend requests.
61
00:05:09,920 --> 00:05:15,620
An hour after that, he has more than 500 friends and more than 500 friend requests.

62
00:05:16,370 --> 00:05:22,940
Three hours after that, he has 2,500 friends and more than 6,000 friend requests.

63
00:05:23,570 --> 00:05:30,410
Five hours later, he has 2,500 friends and more than 917,000 friend requests.

64
00:05:31,220 --> 00:05:35,030
Three seconds later, more than 918,000.

65
00:05:35,940 --> 00:05:39,710
Another three seconds later, more than 919,000.

66
00:05:40,900 --> 00:05:45,040
And a few minutes later, he has more than one million friend requests.

67
00:05:45,910 --> 00:05:49,900
And after a while, Samy's profile is down for maintenance.

68
00:05:51,480 --> 00:05:57,330
Before talking about DOM-based XSS, I should tell you a little something about the Document

69
00:05:57,330 --> 00:05:58,320
Object Model.

70
00:05:58,710 --> 00:06:06,420
So the Document Object Model, abbreviated as DOM, is a cross-platform and language-independent convention

71
00:06:06,420 --> 00:06:10,590
for representing and interacting with objects in HTML.

72
00:06:11,220 --> 00:06:18,500
The nodes of every document are organized in a tree structure called the DOM tree. DOM-based XSS

73
00:06:18,500 --> 00:06:23,200
can be thought of as a subclass of reflected XSS.

74
00:06:23,910 --> 00:06:26,800
The malicious data does not touch the web server.

75
00:06:26,820 --> 00:06:32,550
Rather, it is being reflected by the JavaScript code fully on the client side.

76
00:06:33,040 --> 00:06:37,350
Now, in reality, these three XSS types overlap.

77
00:06:37,770 --> 00:06:41,430
You can have both stored and reflected DOM-based XSS.

78
00:06:41,550 --> 00:06:46,350
You can also have stored and reflected non-DOM-based XSS, too. Since

79
00:06:46,350 --> 00:06:47,340
that's confusing,

80
00:06:47,820 --> 00:06:49,110
to help clarify things,
81
00:06:49,350 --> 00:06:56,070
the researchers proposed using two new terms to help organize the types of XSS that can occur:

82
00:06:56,610 --> 00:06:59,320
server XSS and client XSS.

83
00:06:59,640 --> 00:07:00,540
Pretty simple, huh?