1
00:00:13,520 --> 00:00:19,720
In the previous lectures, we saw what XSS is and also saw how to exploit the vulnerability,

2
00:00:20,120 --> 00:00:24,380
but being a security expert, we should also know how to prevent such attacks.

3
00:00:24,830 --> 00:00:30,320
This course is not only about hacking and exploiting vulnerabilities, but we are also willing to tell

4
00:00:30,320 --> 00:00:31,870
you how to prevent those attacks.

5
00:00:32,390 --> 00:00:36,950
So the first measure to prevent XSS is user input

6
00:00:37,220 --> 00:00:44,720
escaping. The first method you can and you should use to prevent XSS vulnerabilities from appearing

7
00:00:44,720 --> 00:00:48,050
in your applications is by escaping user input.

8
00:00:48,560 --> 00:00:56,240
Escaping data means taking the data an application has received and ensuring it's secure before rendering

9
00:00:56,240 --> 00:01:00,710
it for the end user. By escaping user input,

10
00:01:00,950 --> 00:01:07,640
key characters in data received by a web page will be prevented from being interpreted in any malicious way.

11
00:01:08,390 --> 00:01:14,390
If your page doesn't allow users to add their own code to the page, a good rule of thumb is to then

12
00:01:14,390 --> 00:01:18,440
escape any and all HTML, URL and JavaScript entities.

13
00:01:18,920 --> 00:01:19,310
Then.

14
00:01:19,310 --> 00:01:21,920
Then the next measure can be validating input.

15
00:01:22,670 --> 00:01:24,250
The theory goes like this.

16
00:01:24,650 --> 00:01:27,890
Expect any untrusted data to be malicious.

17
00:01:28,310 --> 00:01:30,790
What's untrusted data now?

18
00:01:30,800 --> 00:01:37,160
Validating input is the process of ensuring an application is rendering the correct data and preventing

19
00:01:37,160 --> 00:01:41,240
malicious data from doing harm to the site, database or users.
20
00:01:41,700 --> 00:01:48,320
Whitelisting and input validation are more commonly associated with SQL injection, but they can also be

21
00:01:48,320 --> 00:01:51,980
used as an additional method of prevention for XSS.

22
00:01:53,030 --> 00:01:59,420
Then is sanitizing data. The third way, or the most important way, to prevent cross-site scripting attacks

23
00:01:59,420 --> 00:02:01,010
is to sanitize user input.

24
00:02:01,400 --> 00:02:09,080
We saw how the code was removing the HTML tags and script entities from the input that we had supplied

25
00:02:09,170 --> 00:02:16,320
locally. Sanitizing data is a strong defense, but it should not be used alone to battle XSS attacks.

26
00:02:16,730 --> 00:02:22,610
It's totally possible you will find the need to use all the three methods which I have discussed earlier.

27
00:02:24,050 --> 00:02:30,680
Then is "do not trust anything that is user content", which means do not trust what

28
00:02:30,680 --> 00:02:31,720
the user is inputting.

29
00:02:31,970 --> 00:02:38,410
You have to check each and every form of character that the user is inputting in your input box.

30
00:02:39,170 --> 00:02:46,010
The last one is Content Security Policy, which means, as a last line of defense, you can use the Content

31
00:02:46,010 --> 00:02:53,030
Security Policy (CSP) to reduce the severity of any vulnerabilities that still occur.

32
00:02:53,270 --> 00:03:00,230
If you want to read more about CSP, we have attached a book called Ethical Hacker Playbook in which

33
00:03:00,230 --> 00:03:05,210
it is explained what CSP is, what XSS is, and other prevention methods.

34
00:03:05,210 --> 00:03:08,510
Indeed, I hope these

35
00:03:08,510 --> 00:03:14,840
lectures were a brief introduction and also gave you a clear idea of XSS and also gave you techniques

36
00:03:14,840 --> 00:03:15,950
for exploiting XSS.

37
00:03:16,370 --> 00:03:19,970
Now the most common question is: how common are XSS attacks?
38
00:03:20,280 --> 00:03:26,810
It is difficult to get reliable data about real-world XSS attacks, but it is probably less frequently

39
00:03:26,810 --> 00:03:29,180
exploited than other vulnerabilities.

40
00:03:29,420 --> 00:03:35,720
And again, one of the main questions is: what is the difference between XSS and SQL injection,

41
00:03:35,840 --> 00:03:39,050
since in both cases the user is inputting code?

42
00:03:39,380 --> 00:03:44,060
Now, XSS is a client-side vulnerability that targets other application

43
00:03:44,060 --> 00:03:50,390
users, while SQL injection is a server-side vulnerability that targets the application's database.

44
00:03:50,900 --> 00:03:52,730
This was all for this lecture.

45
00:03:52,940 --> 00:03:58,700
And in the next lecture we will start with another new topic, that is cross-site request forgery.