1
00:00:10,380 --> 00:00:17,580
In the last lecture, we had a brief overview of this practical, but we exploited that vulnerability

2
00:00:17,580 --> 00:00:19,240
at a very low level of security.

3
00:00:20,100 --> 00:00:24,660
Now, in today's life, the applications might not have that level of security.

4
00:00:25,230 --> 00:00:29,790
So let us see how we can exploit this attack at a medium level of security.

5
00:00:30,240 --> 00:00:37,200
Now, I will log in to my Kali machine and then start the machine, but I won't show you the exact

6
00:00:37,380 --> 00:00:38,940
whole process again and again.

7
00:00:38,940 --> 00:00:44,200
So just make sure that you are logged into your DVWA, which is installed on your Kali machine.

8
00:00:44,580 --> 00:00:47,250
Again, we are not using the Metasploitable here.

9
00:00:47,490 --> 00:00:51,150
We are using the unbelievably solid force.

10
00:00:51,150 --> 00:00:56,850
Before we start, just go to Setup / Reset DB before you start the practical; to make sure, you

11
00:00:56,850 --> 00:01:00,120
scroll down and click Create / Reset Database.

12
00:01:00,270 --> 00:01:00,780
That's it.

13
00:01:01,050 --> 00:01:02,250
Now go to Security.

14
00:01:03,560 --> 00:01:05,900
And set the security level to medium.

15
00:01:09,540 --> 00:01:17,520
And then let us this time use XSS (Reflected), so "What's your name?", let us type Mark and let's see how

16
00:01:17,520 --> 00:01:18,480
it is getting reflected.

17
00:01:18,510 --> 00:01:22,520
OK, now let us try HTML injection.

18
00:01:22,530 --> 00:01:31,340
So let's just type <b>, and we can see that Mark is getting bold, which means that HTML injection is working.

19
00:01:31,710 --> 00:01:37,730
Now, let us type the HTML tag, that is the script tag here.

20
00:01:38,070 --> 00:01:39,810
So I just type <script>.

21
00:01:42,130 --> 00:01:45,220
alert(1), to check whether

22
00:01:46,810 --> 00:01:48,370
this script is working.

23
00:01:53,060 --> 00:01:54,380
And let us click submit.

24
00:01:54,650 --> 00:01:59,090
OK, now we didn't get the XSS alert; it is showing alert(1).

25
00:01:59,510 --> 00:02:03,830
Now, why is it doing like that, why is it not accepting the script?

26
00:02:03,830 --> 00:02:07,520
Let us see the page source; maximize it.

27
00:02:07,850 --> 00:02:09,270
Is there any input?

28
00:02:09,550 --> 00:02:10,190
Yes.

29
00:02:10,670 --> 00:02:13,740
If name exists, then go to the next step.

30
00:02:14,570 --> 00:02:19,360
Now the next line, that is $name = str_replace.

31
00:02:19,820 --> 00:02:23,870
There is a catch in what the source code is doing.

32
00:02:24,080 --> 00:02:32,840
If it identifies the script tag, it is replacing that with a blank, as you can see.

33
00:02:33,870 --> 00:02:42,570
$name is equal to str_replace, open bracket, '<script>', comma, blank, comma, $_GET

34
00:02:42,570 --> 00:02:43,440
['name'], close bracket.

35
00:02:44,760 --> 00:02:47,850
Therefore, it is just removing the script tag.

36
00:02:48,180 --> 00:02:56,100
Now that we know that it is removing the script tag, let us see if we can try using the script again,

37
00:02:56,100 --> 00:02:57,100
but differently.

38
00:02:57,360 --> 00:03:03,560
We all know that JavaScript is case sensitive, but HTML tags are not case sensitive.

39
00:03:03,870 --> 00:03:08,610
And in this case, script here is working as an HTML tag.

40
00:03:08,610 --> 00:03:15,630
Therefore, we can just try different letters in uppercase and lowercase, and let us see if that works.

41
00:03:16,020 --> 00:03:20,880
Now just hit submit and it should probably work.

42
00:03:22,280 --> 00:03:22,850
There you go.

43
00:03:22,880 --> 00:03:29,830
We have got 1, which means that the program is just removing the specified characters.

44
00:03:30,320 --> 00:03:35,750
So let us try to get document.cookie, to see if we can retrieve that also.

45
00:03:43,960 --> 00:03:50,350
Instead of 1, let us write document.cookie, and we should get the session ID as well.

46
00:03:50,950 --> 00:03:51,440
There you go.

47
00:03:51,460 --> 00:03:59,230
We have got the session ID. Now, as a security expert, you should be able to identify what must be the

48
00:03:59,590 --> 00:04:02,240
code that is used to secure it.

49
00:04:02,260 --> 00:04:04,840
So let's again go to the page source.

50
00:04:05,680 --> 00:04:08,860
Sorry, again, go to the source code.

51
00:04:09,130 --> 00:04:13,470
And now, in that place that is accepting the input.

52
00:04:13,630 --> 00:04:14,140
Yes.

53
00:04:14,140 --> 00:04:18,510
At that place, it should not just remove the script tag.

54
00:04:18,520 --> 00:04:25,420
What it should do is individually scan the string and remove the characters s, c, r, i,

55
00:04:25,420 --> 00:04:28,600
p, t, whether in uppercase or lowercase.

56
00:04:28,810 --> 00:04:35,260
It should also remove all the brackets, that is, the opening and closing angle brackets.

57
00:04:35,590 --> 00:04:40,020
In this way, as a security expert, you should know how to secure the code.

58
00:04:40,030 --> 00:04:47,050
This practice is known as secure coding, and therefore we always tell students that you should always

59
00:04:47,050 --> 00:04:53,120
have the basic knowledge of JavaScript, HTML and data structures, and how to basically code.

60
00:04:53,680 --> 00:04:58,660
So this was how we exploited the XSS vulnerability at a medium level.

61
00:04:58,690 --> 00:05:04,930
Now you can also try the same with stored XSS; the difference is that the script will get stored. In the next

62
00:05:04,930 --> 00:05:05,490
lecture,

63
00:05:06,010 --> 00:05:12,190
we will try to exploit the high level of cross-site scripting, and I will again show you some different

64
00:05:12,190 --> 00:05:13,110
methods to do that.

65
00:05:13,330 --> 00:05:15,400
I will see you in the next lecture.