1 00:00:00,570 --> 00:00:04,920 Now, this type of XSS is the most dangerous one.
2 00:00:06,410 --> 00:00:13,190 It occurs when the malicious input in an HTTP request is stored at the back end for later use.
3 00:00:14,310 --> 00:00:21,420 So here, the attacker doesn't need to perform any clever social engineering techniques because the
4 00:00:21,450 --> 00:00:27,720 malicious script is stored at the back end and then embedded into the pages that are viewed by other
5 00:00:27,720 --> 00:00:28,140 users.
6 00:00:29,390 --> 00:00:35,840 So the users trust the application and the attacker's script is executed in their browser.
7 00:00:38,050 --> 00:00:43,930 It's also known as persistent or second order or type 2 XSS.
8 00:00:46,060 --> 00:00:47,530 OK, so open up Kali.
9 00:00:48,700 --> 00:00:49,360 Go to bWAPP.
10 00:00:50,270 --> 00:00:52,700 And open the XSS stored blog.
11 00:00:54,480 --> 00:00:55,950 And again, it's a sample page.
12 00:00:57,470 --> 00:01:03,200 So it looks just like a comment page and you can add and delete your entries.
13 00:01:04,440 --> 00:01:10,970 So let's check this here to show all the entries from the other users as well.
14 00:01:11,920 --> 00:01:14,920 And here you can see that comments are listed just like this.
15 00:01:16,630 --> 00:01:18,850 So you can view someone else's comments also.
16 00:01:21,230 --> 00:01:22,430 Let's view the page source.
17 00:01:23,960 --> 00:01:26,990 Doesn't look like there's anything suspicious in the source.
18 00:01:28,870 --> 00:01:31,330 And the comments are listed in a table.
19 00:01:33,750 --> 00:01:39,780 OK, so now I'm going to do the same thing that we did for reflected XSS.
20 00:01:41,160 --> 00:01:47,940 I'll first try to add HTML tags, so paste an HTML h1 tag and submit.
21 00:01:49,060 --> 00:01:49,810 And it works.
22 00:01:51,230 --> 00:01:54,830 And paste an HTML link and then submit.
23 00:01:56,580 --> 00:01:59,080 It also works.
24 00:01:59,760 --> 00:02:01,620 OK, so view page source.
25 00:02:06,010 --> 00:02:10,330 And you see, the HTML tags I entered are lying in the source.
26 00:02:11,570 --> 00:02:15,440 They are not escaped, not sanitized, nothing else.
27 00:02:16,540 --> 00:02:20,050 So now go over to the terminal to see the code.
28 00:02:22,130 --> 00:02:23,540 And this is the code file.
29 00:02:24,470 --> 00:02:33,170 Now, don't confuse this with the SQL injection functions; the actual XSS check happens below.
30 00:02:34,540 --> 00:02:38,980 This just prevents you from performing SQL injections on the same form.
31 00:02:40,820 --> 00:02:45,950 So if the level is low, there's no check and the entry is added to the database.
32 00:02:47,290 --> 00:02:50,080 And this part is retrieving the comments.
33 00:02:51,890 --> 00:02:56,420 So if show all is checked, it will use this SQL query.
34 00:02:58,070 --> 00:02:59,810 Otherwise, it will use this one.
35 00:03:02,070 --> 00:03:07,410 And after querying the database, according to the security level, it will show the data on the page.
36 00:03:09,390 --> 00:03:13,140 Now, if the level is high, check 3 is called.
37 00:03:13,950 --> 00:03:19,420 For medium, check 4 is called, and for low, there is no check.
38 00:03:20,760 --> 00:03:28,560 OK, so the best part of these vulnerable applications is this: you can view the code and understand
39 00:03:28,560 --> 00:03:30,270 the hacking process better.
40 00:03:31,110 --> 00:03:33,870 So follow me, go to Firefox.
41 00:03:35,040 --> 00:03:38,220 Now, paste the popular XSS payload.
42 00:03:39,140 --> 00:03:42,800 And yeah, you guessed it right, document.cookie.
43 00:03:44,630 --> 00:03:47,450 So the script executes and the cookie value is printed.
44 00:03:49,050 --> 00:03:52,170 All right, so this means that we can run JavaScript on the page.
45 00:03:54,090 --> 00:03:57,630 So the next thing to do is collect the session IDs.
46 00:03:59,260 --> 00:04:01,500 And that's why I'm going to paste this payload again.
47 00:04:02,770 --> 00:04:06,730 And remember to open the web developer tool and submit it.
48 00:04:08,100 --> 00:04:15,540 As you watch the web developer tool, the base64 cookie value is sent to the cookie stealer app.
49 00:04:16,790 --> 00:04:22,040 So open the cookie stealer and refresh the page.
50 00:04:23,050 --> 00:04:24,340 And here's the cookie.
51 00:04:26,720 --> 00:04:28,040 OK, so go to the session.
52 00:04:29,300 --> 00:04:30,380 This is our user.
53 00:04:32,120 --> 00:04:34,190 And we're able to get the session IDs.
54 00:04:35,950 --> 00:04:37,180 So now go back to Kali.
55 00:04:39,300 --> 00:04:41,520 Then change the level to medium.
56 00:04:43,920 --> 00:04:45,870 And then just add the same payload again.
57 00:04:48,530 --> 00:04:51,020 Open web developer as well.
58 00:04:51,940 --> 00:04:52,690 And submit.
59 00:04:55,190 --> 00:05:00,770 And now we cannot see the request sent to the stealer app.
60 00:05:02,610 --> 00:05:05,640 So then just right-click on the page and view source.
61 00:05:07,100 --> 00:05:12,230 So now, look, the backslashes are added before the single and double quotes.
62 00:05:14,720 --> 00:05:18,470 And this prevents the JavaScript payload from executing.
63 00:05:19,990 --> 00:05:25,720 So remember, in the code, there is an xss_check_4 function, and that's called for the medium
64 00:05:25,720 --> 00:05:26,080 level.
65 00:05:28,230 --> 00:05:32,790 And this function calls another PHP built-in function, addslashes.
66 00:05:33,990 --> 00:05:37,140 So that's why we see these extra slashes here.
67 00:05:38,870 --> 00:05:42,230 Now, in order to bypass this security measure,
68 00:05:43,210 --> 00:05:47,040 there are a few ways, so I'm going to show you just one now.
69 00:05:48,670 --> 00:05:51,280 And I'll serve the actual payload code
70 00:05:52,210 --> 00:05:54,100 on my host as a script file.
71 00:05:55,380 --> 00:06:01,890 And it is completely the same as the previous payload, except for the script tags.
72 00:06:04,560 --> 00:06:09,780 All right, so after that, I am just going to call that file from Firefox.
73 00:06:11,080 --> 00:06:13,150 And so I'm going to paste this payload here.
74 00:06:14,330 --> 00:06:17,540 The source attribute has no single or double quotes.
75 00:06:18,780 --> 00:06:23,320 I'm not going to add them because the DOM will normalize this code and add them for me.
76 00:06:24,710 --> 00:06:28,790 OK, so open developer tools and submit.
77 00:06:30,840 --> 00:06:32,340 And look at that, it is done.
78 00:06:33,800 --> 00:06:36,890 First, the page includes the script file from my host.
79 00:06:37,810 --> 00:06:42,340 And then the script executes and sends the cookie value to the stealer app on my host.
80 00:06:44,590 --> 00:06:47,290 So go to the stealer app and refresh.
81 00:06:48,750 --> 00:06:50,280 And the session value is here.
82 00:06:52,130 --> 00:06:54,770 That's right, this is our user.
83 00:06:56,730 --> 00:06:58,140 OK, so go back to Kali.
84 00:06:59,370 --> 00:07:01,890 Now, let me summarize what we did here.
85 00:07:02,960 --> 00:07:09,320 We validated that there is a stored XSS vulnerability on the target application.
86 00:07:10,210 --> 00:07:15,610 And why is it stored? Because the payloads we provide are stored at the back end in a database.
87 00:07:16,420 --> 00:07:23,440 So here's a question: how can we exploit such a vulnerability to collect the session IDs of users?
88 00:07:24,920 --> 00:07:30,590 The answer is we don't need to do anything because we already have.
89 00:07:31,760 --> 00:07:37,400 So we injected the XSS payload into the page and now it is stored in the database.
90 00:07:38,600 --> 00:07:45,170 So when any user visits this page, our XSS payload will automatically execute within their browser.
91 00:07:46,690 --> 00:07:50,060 So I'm going to open Chrome and go to bWAPP.
92 00:07:52,610 --> 00:07:56,120 And I'm going to log in as bWAPP user number two.
93 00:07:57,830 --> 00:08:00,830 And I'm going to visit the stored XSS page.
94 00:08:04,150 --> 00:08:08,170 And yeah, let me just zoom in here for you. Check show all.
95 00:08:09,100 --> 00:08:12,310 And write something here and submit.
96 00:08:13,770 --> 00:08:18,810 Now, scroll down to see what's displayed, and here's your comment.
97 00:08:20,220 --> 00:08:23,070 Now, have a look, though: some of them are not displayed.
98 00:08:23,990 --> 00:08:25,820 So let's view the page source now.
99 00:08:26,730 --> 00:08:27,930 And scroll down.
100 00:08:29,730 --> 00:08:30,990 All right, so look at here.
101 00:08:32,270 --> 00:08:39,320 All JavaScript payloads that we tried are here in the page, so as soon as this user opens the page,
102 00:08:39,320 --> 00:08:41,810 these payloads are executed in his browser.
103 00:08:43,290 --> 00:08:47,040 Then go over to the stealer app and refresh the page.
104 00:08:48,000 --> 00:08:52,740 And a new session opens, so go check out the session.
105 00:08:53,670 --> 00:08:57,480 And all right, so perfect, we have the user's session value.
106 00:08:58,980 --> 00:09:00,450 See, so this is really cool, huh?
107 00:09:01,740 --> 00:09:03,510 So go back to Firefox.
108 00:09:04,590 --> 00:09:10,080 And I want to show you just a small thing here as well, so set the level to low.
109 00:09:11,370 --> 00:09:14,640 And I'm going to paste this payload and submit.
110 00:09:18,000 --> 00:09:22,230 Now, look here, this is also a way of exploiting the users.
111 00:09:23,210 --> 00:09:28,880 So click this link and it will display a multiplatform login screen.
112 00:09:30,240 --> 00:09:38,700 So this is just, you know, a matter of social engineering, a little psychology, so I used this simple
113 00:09:38,740 --> 00:09:46,350 login screen, but you can detect and copy other applications of your customers as well and then serve
114 00:09:46,350 --> 00:09:52,980 the HTML interface of these apps to be able to use them in social engineering attacks, perhaps against any
115 00:09:52,980 --> 00:09:54,810 of those companies' employees.