1
00:00:13,150 --> 00:00:21,230
Let us start with excesses, that is cross site scripting in this video, we will have an overview to

2
00:00:21,250 --> 00:00:26,740
what is cross site scripting, crosschecks scripting attacks, exposed vulnerabilities in dynamically

3
00:00:26,740 --> 00:00:33,610
generated Web pages, which enables malicious attackers to injure clients script into Web pages viewed

4
00:00:33,760 --> 00:00:34,960
by other users.

5
00:00:35,530 --> 00:00:43,180
Attackers inject malicious JavaScript, VB script Actimel or Flash and many more for execution on victim

6
00:00:43,190 --> 00:00:46,270
system by hiding it within legitimate requests.

7
00:00:46,690 --> 00:00:51,160
Many Web applications and websites are still vulnerable to these security threats.

8
00:00:51,490 --> 00:00:54,630
Crossette scripting is one of the most common application.

9
00:00:54,640 --> 00:01:00,700
There will be attacks, exs vulnerabilities, target scripts embedded in a page that are executed on

10
00:01:00,700 --> 00:01:03,310
the client side rather than on the server side.

11
00:01:04,060 --> 00:01:09,590
Exercice in itself is a threat that is brought about by the internal security weaknesses of the client

12
00:01:09,590 --> 00:01:13,470
side scripting languages such as JavaScript, A.T.M..

13
00:01:13,990 --> 00:01:19,810
The concept of exercise is to manipulate clients Allscripts of the web application to execute in the

14
00:01:19,810 --> 00:01:22,270
manner desired by the malicious user.

15
00:01:22,390 --> 00:01:28,540
Such a manipulation can embed a script in a page that can be executed everytime the page is loaded or

16
00:01:28,540 --> 00:01:30,910
whenever an associated event is performed.

17
00:01:31,720 --> 00:01:37,450
From the image on the screen, you can see that the attacker has injected a malicious script into that

18
00:01:37,450 --> 00:01:38,110
login form.

19
00:01:39,130 --> 00:01:43,610
And when the user types his username and password, all the details in the login from the list, the

20
00:01:43,680 --> 00:01:46,800
username and password will be fetched by the attacker.

21
00:01:47,020 --> 00:01:48,850
So how does X's works?

22
00:01:49,660 --> 00:01:55,630
There are many ways in which an attacker can entice a victim into initiating reflect two X's request.

23
00:01:55,840 --> 00:02:01,210
For example, the attacker could send the victim a misleading email with a link containing malicious

24
00:02:01,210 --> 00:02:04,000
JavaScript if the victim clicks on the link.

25
00:02:04,270 --> 00:02:09,730
The HTP request was initiated from the victim's browser and sent to the vulnerable application.

26
00:02:10,360 --> 00:02:16,180
The malicious JavaScript is then deflected back to the victim's browser were executed in the context

27
00:02:16,180 --> 00:02:22,510
of the victim's user session by exploiting the ex's vulnerabilities and attacker can perform malicious

28
00:02:22,510 --> 00:02:28,420
actions, such as hijacking an account, spreading web firms, accessing browser history and Kliper

29
00:02:28,420 --> 00:02:34,780
contents, controlling the browser remotely scanning and exploiting the Internet or Internet appliances

30
00:02:34,780 --> 00:02:35,450
and applications.

31
00:02:35,470 --> 00:02:43,180
So what connections do exist can impersonate or masquerade the victim user to carry out any action that

32
00:02:43,180 --> 00:02:44,800
the user is able to perform.

33
00:02:45,400 --> 00:02:51,040
Indeed, any data that the user is able to access capture the user's login credentials.

34
00:02:51,370 --> 00:02:57,970
But from what you defacement of the website and finally in the Crutzen functionality into the website,

35
00:02:58,750 --> 00:03:02,260
in the next lecture we will see types of exercice.