1 00:00:00,150 --> 00:00:04,740 Now onto stored cross-site scripting, and this is the big one, right?
2 00:00:04,740 --> 00:00:10,590 This is where you really can prove impact, and you can make some good money when it comes to bug bounties
3 00:00:10,590 --> 00:00:11,940 as well.
4 00:00:11,940 --> 00:00:13,580 If you think about this.
5 00:00:13,680 --> 00:00:14,730 So think about it.
6 00:00:14,730 --> 00:00:22,220 In this sense, say there's a comment form or something out there and you post a comment, and that comment
7 00:00:22,230 --> 00:00:27,420 can affect an administrator. You, as a regular user, can infect the administrator.
8 00:00:27,420 --> 00:00:34,230 Now you, as a regular user, have stored this vulnerability that steals cookies. You steal the administrator's
9 00:00:34,230 --> 00:00:38,820 cookie, you hijack the account, and you log in as the administrator.
10 00:00:38,820 --> 00:00:42,110 That's how this can become very dangerous very quick,
11 00:00:42,150 --> 00:00:43,740 when it's stored.
12 00:00:43,740 --> 00:00:49,290 So here we're going to look at what we were looking at last time. And actually, let's go back and go to
13 00:00:49,290 --> 00:00:54,640 the scoreboard before we move on, and we're going to just grab the payload recommendation.
14 00:00:54,640 --> 00:01:01,520 OK, so go to the scoreboard and we're going to say, OK, we're after the classic stored.
15 00:01:02,280 --> 00:01:08,290 So it says perform a cross-site scripting attack with <script>alert("XSS")</script>. Let's
16 00:01:08,300 --> 00:01:13,440 go ahead and copy that, and I'm going to point you a little bit in the direction where we already were.
17 00:01:13,430 --> 00:01:19,590 Let's go to our account, in our testing profile, and let's try to set our username using this payload,
18 00:01:21,080 --> 00:01:23,730 and look at what we have as a payload, and look what returns.
19 00:01:23,730 --> 00:01:30,890 All right, so we've got "script", "a-l-e-r-t", "XSS". OK.
20 00:01:30,910 --> 00:01:33,930 Well, what just happened?
21 00:01:34,000 --> 00:01:35,710 They took off something, right?
22 00:01:35,710 --> 00:01:36,610 What did they take off?
23 00:01:36,610 --> 00:01:39,620 They took off "script".
24 00:01:40,660 --> 00:01:47,920 So I'm going to space this out here. To me, what this looks like is it's filtering this whole thing, right?
25 00:01:47,920 --> 00:01:56,350 It's filtering the script tag. So we need to think about how we can maybe bypass this, and there's a few different
26 00:01:56,350 --> 00:01:57,900 ways that we can do this.
27 00:01:58,300 --> 00:02:04,950 But what we really want to do is we want to say, hey, what can we do here to where we can start
28 00:02:04,950 --> 00:02:11,950 this, have something maybe filtered out because it identifies it, and then maybe, because it doesn't identify
29 00:02:11,950 --> 00:02:18,850 the rest, then we can go ahead and just, you know, put the rest over here. And I wonder, actually, if I delete
30 00:02:18,880 --> 00:02:22,680 this just here and I say set username, does it keep that?
31 00:02:22,780 --> 00:02:23,440 It does.
32 00:02:23,440 --> 00:02:23,710 Right.
33 00:02:23,710 --> 00:02:28,070 So it's looking for something here very specific that it's going to filter out.
34 00:02:28,300 --> 00:02:32,320 So why don't we do something along the lines of... maybe, I don't know.
35 00:02:32,350 --> 00:02:33,510 Let's look at this.
36 00:02:33,550 --> 00:02:40,750 Let's say we put our script back in here, and we'll just close this out, make it look like it was,
37 00:02:41,020 --> 00:02:47,290 and then let's go ahead and just put the script tag back in here, right?
38 00:02:47,620 --> 00:02:53,440 So what's going to happen is it should say, hey, I've got this built-in security mechanism that
39 00:02:53,440 --> 00:02:58,080 gets rid of the script tag, and then I'm going to go ahead and just leave the rest.
40 00:02:58,090 --> 00:02:58,660 But guess what?
41 00:02:58,660 --> 00:03:03,760 When it leaves the rest, this is all going to fill back in, or should. Let's go ahead and take a look.
42 00:03:03,760 --> 00:03:04,330 How.
43 00:03:04,360 --> 00:03:08,110 Look at that: stored cross-site scripting. OK.
44 00:03:08,140 --> 00:03:12,650 So it is now stored here.
45 00:03:12,680 --> 00:03:13,410 OK.
46 00:03:13,520 --> 00:03:14,870 And that's really cool.
47 00:03:14,870 --> 00:03:16,510 Look, and it says classic stored.
48 00:03:16,530 --> 00:03:18,290 We go to, actually, account and take a look.
49 00:03:18,350 --> 00:03:19,850 Oh, it's there again.
50 00:03:19,940 --> 00:03:22,090 This is stored cross-site scripting.
51 00:03:22,190 --> 00:03:23,340 I love this stuff.
52 00:03:23,750 --> 00:03:27,410 So this is a classic, classic example.
53 00:03:27,410 --> 00:03:31,780 And I love this one because it shows you a little bit of thinking outside the box.
54 00:03:31,850 --> 00:03:36,650 And once you get into web application pen testing and you really start to dive into the weeds, you're
55 00:03:36,650 --> 00:03:42,860 going to understand a little bit more that, you know, there's all these different kinds of obfuscation
56 00:03:42,860 --> 00:03:48,800 that you might have to use in order to actually execute these payloads. And something that you might need
57 00:03:48,800 --> 00:03:55,220 to think about is running something like this maybe through Burp Intruder. Say you have Intruder
58 00:03:55,220 --> 00:04:01,760 here and you, or a proxy, we intercept that, we say set username, we come in here and we send this over
59 00:04:01,760 --> 00:04:03,320 to Repeater.
60 00:04:03,710 --> 00:04:09,690 And then in here maybe we'll say... we're actually, sorry, we send this over to Intruder, and over here we
61 00:04:09,690 --> 00:04:12,050 say go ahead, position.
62 00:04:12,170 --> 00:04:18,620 I want to set this specifically, and then I'm going to go ahead and run payloads here.
63 00:04:18,620 --> 00:04:20,830 Well, how do we get payloads?
64 00:04:20,830 --> 00:04:25,360 You know, we just go to Google, and that's going to hang because we have the proxy.
65 00:04:25,400 --> 00:04:30,440 We just go to Google and we say something like "cross-site scripting payloads".
66 00:04:30,440 --> 00:04:31,490 I literally do this.
67 00:04:31,490 --> 00:04:32,960 This is, this is what I do.
68 00:04:33,260 --> 00:04:33,610 OK.
69 00:04:33,620 --> 00:04:36,030 So this is my methodology, spot on.
70 00:04:36,170 --> 00:04:40,340 You come here, you click the first one on GitHub, or one of these other ones that you might want.
71 00:04:40,400 --> 00:04:42,510 Look at all these different ones here.
72 00:04:42,530 --> 00:04:44,200 You can copy all these, come through,
73 00:04:44,210 --> 00:04:50,000 try to grab it, you know, and see if you can't get one of these to pop.
74 00:04:50,000 --> 00:04:55,610 So, food for thought: how you might try to get this to work, and even, like, things like this.
75 00:04:55,610 --> 00:04:58,800 Look, all these different obfuscations. Look at this one here, OK?
76 00:04:58,820 --> 00:05:04,130 It's using, you know, uppercase and lowercase, because maybe it's just looking at that lowercase script
77 00:05:04,180 --> 00:05:04,970 tag.
78 00:05:05,160 --> 00:05:11,270 So we can maybe try that one, or they start getting into, you know, these weird HTML inserts, or you
79 00:05:11,270 --> 00:05:18,230 might even have, like, URL encoded, and these all look very different. And you'd be surprised, something
80 00:05:18,230 --> 00:05:18,710 like this.
81 00:05:18,710 --> 00:05:24,500 I've gotten something like this to pop before just because it's obfuscated more so than, you know,
82 00:05:24,500 --> 00:05:29,590 just a regular type of, the regular type of payload that we would use.
83 00:05:29,630 --> 00:05:32,060 So as a test, I've actually never tried this out before.
84 00:05:32,090 --> 00:05:34,880 Let's set the username like this and see if it works. It doesn't.
85 00:05:34,910 --> 00:05:40,370 So it's actually converting this to lowercase, or it knows how to filter this out in the first place.
86 00:05:40,370 --> 00:05:45,560 So good on them. But again, thinking outside the box here is just the way to do it.
87 00:05:45,590 --> 00:05:51,700 Having these payloads, maybe firing them through Intruder, and looking at how they look, what they might,
88 00:05:51,700 --> 00:05:56,450 you know, what the responses are and how it might store, is always another good move as well.
89 00:05:56,450 --> 00:05:58,810 So just keep your wheels spinning.
90 00:05:58,820 --> 00:06:02,670 Go ahead and go do that DOM-based cross-site scripting next.
91 00:06:02,720 --> 00:06:06,980 Once you have all those through, go ahead and meet me in the next video and we talk about the defenses
92 00:06:07,010 --> 00:06:09,550 and what we can do to prevent these kinds of things.
93 00:06:09,860 --> 00:06:13,250 And then from there we'll move on into the next vulnerability.
94 00:06:13,310 --> 00:06:14,840 So I'll get you over in the next video.