[00:00:00] OK, so another web application vulnerability that's very common, that we're going to look into, is cross-site scripting, and you're going to commonly see this written as XSS. So cross-site scripting vulnerabilities are some of the most common vulnerabilities that exist in web apps, and there are three types of them. So first, there's stored cross-site scripting, which is where malicious code is actually stored inside a web page. Every time that page is loaded, this malicious code actually executes. Then there is reflected cross-site scripting, which is where this malicious code is actually executed via visiting, like, a specific URL that's crafted to execute, you know, that code. It's kind of similar to cross-site request forgery. And then there's DOM-based cross-site scripting, which is less common typically, but it's where the DOM environment of the browser is actually modified and makes the page load in an unexpected manner, let's say. So cross-site scripting typically just involves injecting malicious code into the request for a web page or into the web page itself, and that leads to it being executed when that page is loaded, when that request is made. And, you know, it's possible because cross-site scripting is only possible when input that's given to an app is accepted without being sanitized properly first.
[00:01:21] And cross-site scripting is very commonly used to redirect users to, like, a malicious link, and one of the forms of cross-site scripting that we're going to do as well is called content injection. So it's like a sneaky way to conduct, like, the stored cross-site scripting; what it is called is content injection. So instead of redirecting to another site, we just inject links in the pages that we direct users to, which then executes the payload. So we're going to see kind of like an example of this as well. OK, so we're at our reflected cross-site scripting page. We have our security level at low for now, and let's try to see if we can do some cross-site scripting. So let's look at the source code for this first. So this source code, once again, is just code that is just echoing, is taking in what you're putting in: it's asking for your name, and then it's saying hello and then just rendering whatever was passed in as name as HTML on the page. So this is bad because it's not checking the code to make sure that, you know, any malicious characters we use or any malicious code is inside of it. So we can potentially take advantage of this. So I would use it, you know, as intended. What's your name? Anthony. There we go. So it says Hello, Anthony. OK, cool.
[00:02:51] So we know that whatever we type in there is going to render in HTML on this page. So one thing that we can do to test for cross-site scripting on web apps: you want to take these kinds of boxes where you can submit things and try to see if you can get some JavaScript to actually load. So what we're going to do: JavaScript is just a scripting language that's used for, like, you know, having dynamic web pages, pretty much very, very commonly used pretty much everywhere on websites. So there's something called the alert. So to start a JavaScript, you know, line of JavaScript code, all we have to do is actually do the less-than arrow and type in script. And then that's going to be the start of a script. It's kind of HTML-like, where you have, like, the body tag. So this is starting the script. So then what we're going to do is we're going to use the alert function. And what this does is just pops up with, like, a text box that says whatever you put inside of the parentheses here, so we're going to put "hello? I just got hacked. Hashtag cross site scripting." There we go. Cool. And then after we put that, we want to close the tag just like HTML. So this is just going to be the less-than arrow again.
[00:04:24] And then it's going to be a forward slash and then it's just script. And so we have that in there. So let's submit this and see if, you know, cross-site scripting is actually possible. So, bam! OK, so we hit it, and now, like I said before, it takes what we put into the box and actually renders it as HTML. So if you put JavaScript into an HTML page, that JavaScript is going to execute. So it actually executed that alert script: "I just got hacked, hashtag cross-site scripting." So knowing this, we can actually point, you know, to a malicious script, you know, on our machine. So what we can do is, I actually have a file, I call it pwn.js. So this is the same, a JavaScript file. You just give it the .js extension at the end, so we can go ahead and do this right here. So bam. So this is a very, very basic JavaScript file. So we're creating a function, just like other languages, you know, when you create functions; the function is called img. So pretty much it's creating a variable right here called img, stands for image, and it's creating an image element inside the page. And in this we're putting the source of the image to be our Kali machine. So this is the address of our machine over this port, 7331.
[00:05:52] And then on top of that, we're adding the cookie that's inside of the browser. And what this is going to do: so if someone were to execute this function, it's going to connect to our machine over this port, and it's going to also copy the cookie over, so we can actually steal their cookie if they were to execute, you know, this code. And then it's going to append what this creates to the page, to the same page. And I just put this alert right here just, you know, for debugging purposes and testing purposes, just to see if the code works. So if it works properly, it should pop up this box right here when it's executed: "this is our script executed". And then outside of that function, you have to call the function. So we call img, then we should be good to go. So all I have to do is create this file. Then we just do a quick. And one thing we have to do, and this might be a little bit new for you as well: another way, we have to host it on a web server, and we can do that with Python. We usually use Apache just to do it, on port 80 by default, but we can do it with Python over whatever port that we want, wherever we want. So we're going to use python3 and then we're going to type -m because we're going to be loading this module.
[00:07:23] So http.server, and then we say 7331, because that is what we have inside of our file and that's what someone's going to try to connect to us over. So what this is going to do when I hit enter is start a web server on port 7331, just like we have on port 80, but the root directory is the current directory that we're in. So now we see that we're serving HTTP, you know, on port 7331. So someone can connect to us over that port if they were to browse to it in the browser. So now our web server is started. So all we have to do is actually go back to the application. So what we're going to want to do here, and you're going to see why it's reflected in a minute: just note that everything that we're putting, you know, into the name box is being passed into the URL. So if someone goes and executes the URL that we put here, it will do, you know, execute whatever scripts that we put into it. So what we can do is craft this to where it's actually going to execute upon that JavaScript. So all we have to do is, just like we did before, we do the script tag, and then we could do a source attribute inside of it and put the source as our Kali machine over port 7331, and then point to that pwn.js script.
[00:08:49] So what this is going to do is actually execute that script when this is loaded. So let's go ahead and submit. And as we see, remember from the script, we put that alert in there just to make sure that it works. So we know that it executed successfully, since we see this pop up over here. So all we really have to do is get someone to browse to this URL right here, and then we'd be able to steal that cookie. And as you can see right here, now we have their cookie right here. So we can actually use that to maybe take advantage of their session. So, and that's how you do cross-site scripting. So it's a very, very neat and very useful, you know, vulnerability if you're trying to exploit the website. So I definitely think that you guys should look into cross-site scripting a little bit more. So now let's move on to stored cross-site scripting. OK, so with stored cross-site scripting, like I said before, this is where we can inject malicious code into the page, and every time that page is loaded, it will load, you know, it will execute that malicious code. So let's see if we were to use this as intended, you know, just with, you know, a name: Anthony, "hey, I'm going to hack you," and then we sign the guestbook, and now it pops up right there. So we know that it is appending this data to the page.
[00:10:22] And if we look at the source code of the page, it's not doing any checks, for the most part, to make sure that it's not using any, you know, malicious characters I can use for cross-site scripting. So what we can do is actually just take advantage of this, so the way that we can, once again, just test for it: we need to do Anthony right there, and then we can just put a script, and we could do alert again. So let's see: script, and then there's the alert. And this time we're going to say "this won't go away". There you go, bam. And then let's close out the script, and then all we have to do is sign the guestbook, and now "this won't go away" popped up because the page reloaded. So if we go and actually reload the page again, or actually if we just click on this right here, it's going to pop every time. So imagine if you were to insert, like, a malicious script. If you were to find this vulnerability on a website, you would insert a malicious script that maybe steals cookies or executes some malicious code and gets into somebody's computer browser, and you can do whatever you want. So you can use that. You can link out to that pwn.js and actually, once again, actually get their cookie. And you can do a lot of other things as well.
[00:11:54] So that's just the different types of cross-site scripting right there. So it's pretty neat, pretty fun to exploit. OK, so now we know how to perform web application penetration testing. So what's next? So now we're going to, you know, dial it back a little bit and go over some mobile security topics just to help you stay safe on your mobile devices and help you guys just not get hacked. So I appreciate you guys for listening to this part. And I'll see you guys in the next section.