1
00:00:00,930 --> 00:00:07,620
So we logged into our DVWA and we have used the username pass, the username admin and the password

2
00:00:07,620 --> 00:00:11,250
password to get access to our Damn Vulnerable Web App.

3
00:00:11,520 --> 00:00:16,890
Let's go to the setup and create or reset the database just to make sure that everything is working.

4
00:00:16,890 --> 00:00:17,660
That looks good.

5
00:00:17,670 --> 00:00:23,610
The setup was successful and then come down to the security and we're going to turn that down to low

6
00:00:23,610 --> 00:00:24,690
to get us started.

7
00:00:25,170 --> 00:00:29,790
We'll use low security so that we can try a few different types of attacks.

8
00:00:29,790 --> 00:00:33,630
The first one is going to be a cross-site scripting or XSS.

9
00:00:33,930 --> 00:00:36,270
Let's click on Cross Site Scripting (Reflected).

10
00:00:36,270 --> 00:00:39,950
And I'm doing this from my Microsoft Edge browser for a reason.

11
00:00:40,530 --> 00:00:44,340
This cross-site scripting reflected, this is the XSS reflected.

12
00:00:44,760 --> 00:00:47,970
Well, let's see how the script works if I say my name is Fred.

13
00:00:49,440 --> 00:00:55,350
And click submit, I can see that this, first of all, does a couple of things, it says Hello, Fred,

14
00:00:55,620 --> 00:01:00,570
and because I'm using low security, it not only reflects Fred to the screen or just prints whatever

15
00:01:00,570 --> 00:01:04,230
I've typed in, it also includes it in the URL up here.

16
00:01:04,230 --> 00:01:05,250
So name equals Fred.

17
00:01:05,250 --> 00:01:10,350
What if I said name equals Barney and hit enter? Notice

18
00:01:10,350 --> 00:01:12,110
it just said hello, Barney.

19
00:01:12,510 --> 00:01:15,450
Well, you can see I've already typed in a script down here.

20
00:01:15,810 --> 00:01:21,840
I'm using the script tag from HTML to include some JavaScript.

21
00:01:23,490 --> 00:01:31,890
So I've typed in script, so angle bracket script, and this is what you mean by cross-site scripting,

22
00:01:31,890 --> 00:01:39,990
we're actually going to launch a script in our browser instead of saying my name, there, alert, a-l-e-

23
00:01:39,990 --> 00:01:42,810
r-t, open and close parentheses.

24
00:01:43,620 --> 00:01:51,330
Then a semicolon is optional and then we'll do an angle bracket slash script and submit.

25
00:01:52,810 --> 00:01:56,830
And you see that it pops up a window here, the site says, OK.

26
00:01:57,870 --> 00:01:59,820
And it says, hello, why didn't it say a name?

27
00:01:59,850 --> 00:02:02,050
Well, that's because it actually ran this script.

28
00:02:02,400 --> 00:02:06,840
Let's put something different inside that script instead of nothing inside those parentheses.

29
00:02:07,230 --> 00:02:11,850
Let's say, quote, You have been hacked.

30
00:02:13,650 --> 00:02:16,680
Exclamation point, quote, and submit.

31
00:02:19,230 --> 00:02:21,190
And the site says you have been hacked.

32
00:02:21,210 --> 00:02:24,930
Well, it's actually the site that has been hacked just a little bit.

33
00:02:25,200 --> 00:02:29,130
And notice it doesn't say a name down here because it's the script up there.

34
00:02:29,460 --> 00:02:33,180
But I'm going to choose that script and I'm going to highlight that whole thing.

35
00:02:33,750 --> 00:02:34,190
I'm going to.

36
00:02:35,520 --> 00:02:40,590
Control-A to highlight it all and Control-C to copy it.

37
00:02:42,800 --> 00:02:46,670
And we have just run a script inside.

38
00:02:48,290 --> 00:02:58,670
A Web page from our Web server, let me go to the XSS stored and put a name in, Fred or whatever

39
00:02:58,670 --> 00:02:59,810
you like, as the name there.

40
00:03:00,500 --> 00:03:02,780
And you can see that this is going to be a guest book.

41
00:03:02,780 --> 00:03:04,670
So it's going to store this in a database.

42
00:03:04,670 --> 00:03:08,890
So I'm going to paste that script alert and sign the guestbook.

43
00:03:09,140 --> 00:03:11,090
Well, now the site says you have been hacked.

44
00:03:13,070 --> 00:03:17,450
And there's no message under Fred, well, if I click away and then come back to stored, every time I

45
00:03:17,450 --> 00:03:24,500
come to this page now it's going to say you've been hacked because it's stored that script that I wrote

46
00:03:24,500 --> 00:03:25,820
as my message.

47
00:03:25,850 --> 00:03:32,210
So instead of printing out a comment, every time I come to this page, it's going to tell me I've been

48
00:03:32,210 --> 00:03:32,900
hacked.

49
00:03:34,060 --> 00:03:38,680
Now, that's a pretty simple example here with just this one simple script.

50
00:03:40,220 --> 00:03:49,580
But you could insert a really complex script in here that pops up a fake antivirus that says an attack

51
00:03:49,580 --> 00:03:51,450
has been detected on your computer.

52
00:03:51,680 --> 00:03:55,040
Click here to remove this virus, or even worse.

53
00:03:55,730 --> 00:03:57,650
Well, let's see, just one other possibility.

54
00:03:57,680 --> 00:04:02,060
Let's say that instead of letting people see this page, I want to pop up the hacked.

55
00:04:02,180 --> 00:04:07,240
And then instead of an alert, I want to say, let's go ahead and let's copy this.

56
00:04:07,790 --> 00:04:09,860
So I'm going to copy everything that I just typed.

57
00:04:09,860 --> 00:04:14,690
And I'm going to come over to Google Chrome on Windows 10 and try the same thing.

58
00:04:14,690 --> 00:04:16,190
I'll use DVWA here.

59
00:04:16,760 --> 00:04:18,890
And admin and password.

60
00:04:20,880 --> 00:04:22,950
And I will come to the security.

61
00:04:24,130 --> 00:04:31,300
Set it to low and come to the cross-site scripting stored, see, I'm on a different browser, different

62
00:04:31,300 --> 00:04:34,810
computer even, I could be, and that is going to be up there.

63
00:04:38,020 --> 00:04:40,660
But if I try to enter that same script here.

64
00:04:43,480 --> 00:04:44,810
And sign the guest book.

65
00:04:45,460 --> 00:04:51,700
It's going to tell me from Chrome that there was unusual code on this page and blocked it.

66
00:04:52,100 --> 00:04:56,380
Well, Chrome is trying to protect us from what's called reflected cross-site scripting.

67
00:04:56,980 --> 00:05:05,230
So if I come back here now, it says I've been hacked twice, so it protected me when I signed this and submitted

68
00:05:05,230 --> 00:05:12,370
it because Google Chrome and Firefox will both detect that you have submitted a script and it is run

69
00:05:12,370 --> 00:05:14,880
in your browser immediately on the next page.

70
00:05:14,890 --> 00:05:15,910
It's been reflected.

71
00:05:16,270 --> 00:05:23,020
But if I go back to that page, it's going to say you've been hacked several times because all of those

72
00:05:23,020 --> 00:05:24,340
are being stored in the database.

73
00:05:24,340 --> 00:05:29,440
Now, any time you want to clean that database up, you can do that out here just by coming back to

74
00:05:29,440 --> 00:05:32,130
setup and telling it to reset the database.

75
00:05:32,140 --> 00:05:36,080
We don't want to do that yet because we want to see it running on my local computer.

76
00:05:36,520 --> 00:05:41,350
Well, I'm actually going to use my host machine and open up Chrome and come to the same server.

77
00:05:41,350 --> 00:05:45,550
10 dot dot three dot five is my Metasploitable box.

78
00:05:46,180 --> 00:05:48,010
Come to DVWA.

79
00:05:49,390 --> 00:05:57,370
The username is admin and the password is password. Change your security to low, submit.

80
00:05:58,680 --> 00:06:03,400
And come back to that cross-site scripting stored and see it's pulling up all of those.

81
00:06:03,720 --> 00:06:05,250
The site has been hacked.

82
00:06:05,640 --> 00:06:12,120
Well, let's do an even sneakier cross-site scripting attack and an even more possibly damaging attack.

83
00:06:12,480 --> 00:06:18,540
I'll just put a name, visitor, but this time I'm going to paste that whole tag.

84
00:06:19,110 --> 00:06:26,700
And instead of that simple alert message inside my script tag here, I'm going to redirect this browser

85
00:06:26,700 --> 00:06:29,670
to a completely different Web page.

86
00:06:30,160 --> 00:06:34,680
That means whenever someone visits this site, they're not going to be able to stay on this page.

87
00:06:34,680 --> 00:06:39,900
It's going to pop up a couple of you've been hacked windows, but it's actually going to redirect their

88
00:06:39,900 --> 00:06:42,120
browser, take them to a different website.

89
00:06:42,120 --> 00:06:44,100
And I could put a hacker Web site.

90
00:06:44,100 --> 00:06:47,100
I could put my own attacking website or something like that in here.

91
00:06:47,370 --> 00:06:55,360
But I'm just going to say one example is window dot location equals and we just need to give it HTTP

92
00:06:55,380 --> 00:07:02,100
colon slash slash, let's say, GE dot com, because there's a limit on the number of characters that this

93
00:07:02,100 --> 00:07:03,300
guestbook will allow.

94
00:07:03,960 --> 00:07:08,960
This should take the user to the General Electric dot com site when they load this page.

95
00:07:08,970 --> 00:07:10,260
So I'm signing the guest book.

96
00:07:13,310 --> 00:07:14,240
Page has been hacked.

97
00:07:14,270 --> 00:07:15,320
The page has been hacked.

98
00:07:15,620 --> 00:07:20,360
Well, now Google, of course, Chrome is saying there's something wrong with this page.

99
00:07:20,370 --> 00:07:21,970
It's detected something unusual.

100
00:07:22,370 --> 00:07:23,780
So we're going to say been hacked.

101
00:07:23,780 --> 00:07:24,410
You've been hacked.

102
00:07:24,420 --> 00:07:25,790
And look at that.

103
00:07:26,360 --> 00:07:28,000
So I reload this page.

104
00:07:28,010 --> 00:07:29,420
So come to cross-site scripting.

105
00:07:29,420 --> 00:07:32,450
Stored, hacked, hacked and.

106
00:07:33,640 --> 00:07:39,340
I can't even open the page, it says hacked, hacked, come to cross-site scripting, stored, hacked,

107
00:07:39,730 --> 00:07:43,480
hacked and GE loads.

108
00:07:44,890 --> 00:07:53,060
So cross-site scripting is real and it can destroy your Web page, your website, your Web application.

109
00:07:54,010 --> 00:07:59,560
Unfortunately, we can do even more complicated things besides just alerts and window dot location and

110
00:07:59,560 --> 00:08:04,330
we can actually set people up for hacking through a company's web page or website.

111
00:08:05,050 --> 00:08:13,150
An easy way to protect against this is to strip tags so that no one can enter tags directly into the

112
00:08:13,150 --> 00:08:13,640
webpage.

113
00:08:13,900 --> 00:08:19,100
We'll talk about that at the very end of this section after we see some SQL injection examples.

114
00:08:19,120 --> 00:08:20,080
Coming up next.
