1
00:00:01,180 --> 00:00:06,640
Now, this type of XSS is kind of rare and hard to find.

2
00:00:07,580 --> 00:00:16,280
But it may have consequences similar to the reflected XSS, so basically in this vulnerability,

3
00:00:16,310 --> 00:00:18,140
everything happens in the DOM.

4
00:00:19,480 --> 00:00:26,530
These attacks occur when the web application uses data in the DOM with JavaScript in an unsafe way.

5
00:00:28,540 --> 00:00:31,810
OK, go to Kali and log in to bWAPP.

6
00:00:33,310 --> 00:00:41,740
Now, there are different types of XSS that are present in this area, but DOM XSS does not appear

7
00:00:41,860 --> 00:00:45,110
here, so I don't know why.

8
00:00:45,830 --> 00:00:52,840
However, it's not a really big deal because we can always import our own DOM XSS example.

9
00:00:54,720 --> 00:00:57,690
So go ahead and download this sample page.

10
00:00:58,700 --> 00:01:05,510
I've coded it and integrated it to work with the bWAPP security model, so you can just go ahead and import

11
00:01:05,510 --> 00:01:08,510
the page into the bWAPP folder and then use it from there.

12
00:01:09,650 --> 00:01:19,880
OK, so now I'll assume that you've already done this, so open the page, um, DOM XSS dot PHP.

13
00:01:21,080 --> 00:01:26,540
And the default level is low, as always, but before going any further, let me explain a couple of

14
00:01:26,540 --> 00:01:27,170
things.

15
00:01:28,010 --> 00:01:30,720
So previously we talked a little bit about the DOM, right?

16
00:01:31,520 --> 00:01:34,310
You know, it's like, I don't know, it's like the backstage.

17
00:01:34,760 --> 00:01:42,060
So you see the stage and the show happens out there, but everything is set and controlled from backstage.

18
00:01:42,500 --> 00:01:42,890
Yeah.

19
00:01:43,490 --> 00:01:48,590
So the DOM is really the backstage of browsers.
20
00:01:49,640 --> 00:01:56,740
All right, so now what if you're able to find a sink and change some of the sources in the backstage,

21
00:01:57,290 --> 00:01:57,920
what happens?

22
00:01:58,930 --> 00:02:07,180
Well, naturally, the show would be affected by this change, and DOM XSS works a lot like that.

23
00:02:08,110 --> 00:02:15,670
So in this context, a source is a JavaScript property that contains data that an attacker could potentially

24
00:02:15,850 --> 00:02:16,540
control.

25
00:02:17,690 --> 00:02:25,250
So an example of a source is location.search, which reads input from the query string.

26
00:02:26,740 --> 00:02:35,950
And a sink is a function or DOM object that allows JavaScript code execution or the rendering of HTML.

27
00:02:37,710 --> 00:02:41,850
Now, an example of a code execution sink is eval.

28
00:02:42,850 --> 00:02:49,300
And an example of an HTML sink is document.body.innerHTML.

29
00:02:51,420 --> 00:02:54,420
OK, so on this page, there are several sources to play with.

30
00:02:55,900 --> 00:02:57,880
I'm going to continue with the first one.

31
00:02:58,790 --> 00:03:02,450
It provides a language selection function.

32
00:03:04,040 --> 00:03:08,630
So choose a language and select, and the URL will change to this.

33
00:03:09,850 --> 00:03:18,190
The type parameter specifies the source type and the lang parameter defines the chosen language, so view

34
00:03:18,190 --> 00:03:19,660
the source like we always do.

35
00:03:21,430 --> 00:03:25,030
And as you can see, here is the JavaScript code.

36
00:03:26,410 --> 00:03:30,130
And it uses the data in the document.URL source.

37
00:03:31,440 --> 00:03:34,350
So it looks for the lang parameter in the URL.

38
00:03:35,410 --> 00:03:40,510
Then it uses the decoded value of this parameter in the HTML option tag.
39
00:03:42,200 --> 00:03:50,150
So then this JavaScript code is what you're going to see when you view the source. Now, there's no way

40
00:03:50,150 --> 00:03:54,160
for me to understand from the source because I chose Spanish.

41
00:03:54,680 --> 00:03:58,190
But if you view the DOM, it differs.

42
00:03:58,790 --> 00:04:05,830
So open the developer tool, then pick the dropdown element and look at the code in the inspector tab.

43
00:04:06,530 --> 00:04:10,490
It shows the latest source for the browser to display the chosen language.

44
00:04:12,180 --> 00:04:14,970
So we can determine the chosen language here.

45
00:04:16,220 --> 00:04:21,710
Now, enable FoxyProxy and choose English, then submit.

46
00:04:23,250 --> 00:04:27,330
Burp gets the request, very straightforward.

47
00:04:29,100 --> 00:04:36,420
And the response comes up, so let's look here. There's really no way to understand the chosen language

48
00:04:36,420 --> 00:04:37,410
directly, right?

49
00:04:38,250 --> 00:04:43,560
But the JavaScript code uses the URL source and detects the language.

50
00:04:44,770 --> 00:04:52,030
So now let's turn this into a mechanism that will execute scripts for us.

51
00:04:53,140 --> 00:04:55,930
Just add an alert code to the end of the URL.

52
00:04:57,150 --> 00:05:00,090
And yes, it works.

53
00:05:01,700 --> 00:05:04,580
So open the web developer tool and pick the element.

54
00:05:06,140 --> 00:05:07,910
And you see here, this is our payload.

55
00:05:09,710 --> 00:05:14,270
OK, so now we can use our famous payload to send the session ID.

56
00:05:15,710 --> 00:05:19,510
And I'm not going to close the developer tool.

57
00:05:19,700 --> 00:05:21,040
I'll need to open it again.

58
00:05:22,230 --> 00:05:27,750
And go to the network tab, then paste the payload and hit enter.

59
00:05:29,160 --> 00:05:31,770
And we can observe the cookie value we sent.

60
00:05:33,350 --> 00:05:35,300
So go to the inspector tab.
61
00:05:36,550 --> 00:05:38,050
Pick the dropdown menu.

62
00:05:41,130 --> 00:05:43,500
Open these collapsed parts.

63
00:05:44,710 --> 00:05:47,860
And here is the payload that we've entered.

64
00:05:49,630 --> 00:05:51,190
So now open the Stelara.

65
00:05:52,450 --> 00:05:53,410
Refresh the page.

66
00:05:54,630 --> 00:05:57,420
And the first one is the session, and it's coming up.

67
00:05:59,010 --> 00:06:00,660
So go back to Kali.

68
00:06:02,210 --> 00:06:04,340
OK, so now let's look at different levels.

69
00:06:05,300 --> 00:06:06,470
So change it to medium.

70
00:06:07,630 --> 00:06:09,610
First, choose the source again.

71
00:06:10,570 --> 00:06:16,930
Select a language to see the parameters, and I'm going to paste this simple JavaScript code and go.

72
00:06:18,490 --> 00:06:22,870
OK, so it doesn't work, but remember, in this level, the script tags are not allowed.

73
00:06:24,190 --> 00:06:27,160
And actually, this phrase is not allowed.

74
00:06:29,040 --> 00:06:30,750
So we need to create another payload.

75
00:06:32,730 --> 00:06:40,590
Open the developer tool, pick, yeah, pick the element. Now here is the option tag.

76
00:06:41,860 --> 00:06:47,800
OK, so now we need to find a way to inject the JavaScript code here to execute.

77
00:06:49,240 --> 00:06:52,150
So we're going to create the payload step by step.

78
00:06:54,150 --> 00:07:00,330
First, complete the opening option tag, then close the option tag.

79
00:07:01,970 --> 00:07:03,800
And then close the select tag.

80
00:07:05,390 --> 00:07:08,900
So now we can write our payload without a script tag.

81
00:07:10,280 --> 00:07:12,620
So now I'm going to write this.

82
00:07:14,190 --> 00:07:17,580
And I'll use JavaScript in an event method.

83
00:07:19,020 --> 00:07:21,150
Let's copy it now.

84
00:07:21,210 --> 00:07:24,650
Yeah, I forgot to write something for the rest, um.

85
00:07:25,230 --> 00:07:26,790
I think you can handle that.

86
00:07:26,800 --> 00:07:27,090
Yeah.
87
00:07:27,980 --> 00:07:29,330
OK, so I'm going to paste.

88
00:07:30,760 --> 00:07:35,170
But I'll close the tool and paste and then go.

89
00:07:37,410 --> 00:07:40,200
And perfect, the page executes our payload.

90
00:07:41,170 --> 00:07:44,020
Now, exploitation will be up to you.

91
00:07:45,630 --> 00:07:47,640
OK, so now enable FoxyProxy.

92
00:07:49,090 --> 00:07:50,500
And refresh the page.

93
00:07:52,570 --> 00:07:54,190
So this is what it looks like in Burp.

94
00:07:55,660 --> 00:07:59,470
And here's our payload sent to the server as well.

95
00:08:00,560 --> 00:08:05,210
So if there is no check in the back end, DOM XSS will arise.

96
00:08:06,190 --> 00:08:07,240
So forward all.

97
00:08:09,180 --> 00:08:10,530
And the alert appears.

98
00:08:12,130 --> 00:08:16,600
All right, so the last level. So first choose this source.

99
00:08:17,990 --> 00:08:21,350
Select the language, see the language parameter.

100
00:08:22,860 --> 00:08:27,330
And now we can add our sample JavaScript payload here.

101
00:08:28,200 --> 00:08:29,880
Yes, alert code.

102
00:08:30,890 --> 00:08:39,620
Oh, nothing happens, so remember the code checks to see if the language parameter has one of the languages

103
00:08:39,620 --> 00:08:40,490
in the box.

104
00:08:41,710 --> 00:08:44,020
So we may have a problem.

105
00:08:45,200 --> 00:08:49,190
But have no fear and no worries at all because

106
00:08:50,350 --> 00:08:53,590
you have also seen the solution, do you remember?

107
00:08:54,990 --> 00:08:55,800
I'll take you through it.

108
00:08:55,830 --> 00:08:57,360
OK, so enable Burp.

109
00:08:59,000 --> 00:09:00,800
Paste the payload and go.

110
00:09:02,150 --> 00:09:03,590
We get the request in Burp.

111
00:09:04,850 --> 00:09:11,990
And see, the payload is sent to the server and this causes the error, and then forward the rest.

112
00:09:13,910 --> 00:09:17,270
OK, so let me go back and clear the URL.
113
00:09:20,130 --> 00:09:22,590
And now I can paste the same payload here.

114
00:09:23,730 --> 00:09:29,850
And the way to send this payload to the server may not be obvious.

115
00:09:30,750 --> 00:09:32,100
But there is a way.

116
00:09:33,990 --> 00:09:36,600
So just put a pound symbol here.

117
00:09:37,980 --> 00:09:41,550
And the rest after this symbol won't be sent to the server.

118
00:09:44,360 --> 00:09:47,330
So let's hit enter and look at Burp.

119
00:09:49,030 --> 00:09:55,150
And the payload is not in the request. Forward, and let it all go.

120
00:09:56,900 --> 00:09:58,580
And the alert message appears.

121
00:10:00,440 --> 00:10:03,950
And once again, I will leave the exploitation up to you.