1
00:00:00,840 --> 00:00:01,589
Welcome back.

2
00:00:02,100 --> 00:00:09,030
Let's take a look at a different usage of HTML injection and what else we can do with it once we find

3
00:00:09,030 --> 00:00:09,410
it out.

4
00:00:10,500 --> 00:00:14,180
Well, let's take a look at a different example this time.

5
00:00:14,190 --> 00:00:22,020
So in the last video, we injected our HTML code in the User-Agent HTTP header field, and that is when

6
00:00:22,020 --> 00:00:27,630
we found out that it's possible to inject the code without having any user input field.

7
00:00:27,910 --> 00:00:34,610
We just intercepted the request in our Burp Suite and we injected the code in our User-Agent field.

8
00:00:35,430 --> 00:00:37,760
Now let's take a look at another example.

9
00:00:37,770 --> 00:00:41,200
So navigate once again to Mutillidae.

10
00:00:42,090 --> 00:00:50,100
Let's go to the HTML injection and let's try this one: HTML injection via cookie injection.

11
00:00:50,130 --> 00:00:52,140
That is the one that we haven't tried yet.

12
00:00:52,890 --> 00:00:58,530
So let's go to the capture data page and let's take a look at this page.

13
00:00:59,280 --> 00:01:06,840
So once again, we don't really have any user input field where we can type our HTML code, but we do

14
00:01:06,840 --> 00:01:08,640
get this printed out.

15
00:01:08,820 --> 00:01:15,810
And if we take a look a little bit closer here, we will have this data or this string written

16
00:01:16,050 --> 00:01:16,830
on this page.

17
00:01:17,520 --> 00:01:19,620
Now, what does this look like?

18
00:01:20,130 --> 00:01:27,630
Well, it looks like a cookie value, as we can see: session ID, and then we get the value right here.

19
00:01:28,510 --> 00:01:35,020
So could it be that our cookie value reflects on this page? But we already know how we can check that:

20
00:01:35,320 --> 00:01:38,820
we can simply just intercept the request inside of Burp Suite.

21
00:01:38,950 --> 00:01:43,380
So let's reload the page and here we get the request.

22
00:01:43,420 --> 00:01:49,870
Here is the session ID and let's compare these values right here.

23
00:01:51,480 --> 00:01:52,600
And that's pretty much it.

24
00:01:52,620 --> 00:01:58,620
This is getting reflected on this page, so we already know how we would go about doing this.

25
00:01:58,650 --> 00:02:01,050
We would just inject our code.

26
00:02:01,410 --> 00:02:06,450
We would reflect the code on the page, and we would conclude that the page is vulnerable.

27
00:02:06,840 --> 00:02:10,770
But let's try to inject something else than just the HTML headers.

28
00:02:10,949 --> 00:02:16,380
Let's try to redirect this page to Google dot com with the help of HTML code.

29
00:02:17,070 --> 00:02:18,210
So how can we do that?

30
00:02:19,050 --> 00:02:20,860
Well, we can write this code.

31
00:02:21,060 --> 00:02:32,700
Let me just open nano real quick, html redirect code dot txt, and we are going to write

32
00:02:32,700 --> 00:02:33,270
this code.

33
00:02:33,270 --> 00:02:43,530
So open tag, meta http dash equiv equals open double quotes, refresh, close double quotes, then

34
00:02:43,530 --> 00:02:47,310
let's add space content equals five.

35
00:02:47,310 --> 00:02:49,850
And we're going to explain this in just a second.

36
00:02:49,860 --> 00:02:50,880
It's rather simple.

37
00:02:51,420 --> 00:02:56,160
Then semicolon and then url equals https.

38
00:02:56,640 --> 00:03:03,930
Dash dash www dot Google dot com, close double quotes and close the HTML tag.

39
00:03:04,940 --> 00:03:06,500
So what are we doing right here?

40
00:03:07,070 --> 00:03:10,210
Well, first of all, let me just delete these two dots.

41
00:03:10,280 --> 00:03:11,460
We don't need two of them.

42
00:03:11,630 --> 00:03:13,270
One is just enough.

43
00:03:13,700 --> 00:03:22,130
And what this code does is it refreshes the page where we inject this code and redirects it to Google

44
00:03:22,130 --> 00:03:22,720
dot com.

45
00:03:23,240 --> 00:03:30,560
And this content equals five is simply just the amount of seconds that it's going to wait before it

46
00:03:30,560 --> 00:03:31,490
redirects the page.

47
00:03:31,760 --> 00:03:36,970
If we write five, it will wait for five seconds and then it'll redirect the page.

48
00:03:37,730 --> 00:03:42,030
If we set right here one or zero, it will redirect it straight away.

49
00:03:42,500 --> 00:03:43,550
So let's give it a try.

50
00:03:43,880 --> 00:03:50,720
Instead of injecting an HTML header size one like we did in the previous video, let's try to inject this

51
00:03:51,050 --> 00:03:52,460
under the cookie value

52
00:03:53,440 --> 00:03:56,860
inside of our request, and here it is.

53
00:03:57,760 --> 00:04:00,070
OK, let's forward this.

54
00:04:01,190 --> 00:04:08,540
And let's turn off the intercept, navigate right here, and in five seconds this page should get redirected

55
00:04:08,540 --> 00:04:09,500
to Google dot com.

56
00:04:10,190 --> 00:04:10,960
Here it is.

57
00:04:10,970 --> 00:04:17,040
We didn't type anything; it redirected automatically due to our code being processed as an.

58
00:04:18,589 --> 00:04:26,720
Now, if you want to, you can do this, but with the cookie injection capture data, let's intercept

59
00:04:26,720 --> 00:04:29,540
the request and let's refresh the page.

60
00:04:30,080 --> 00:04:31,720
You can also do this straight away.

61
00:04:31,730 --> 00:04:35,810
You don't need to wait for five seconds in order to redirect the page.

62
00:04:36,170 --> 00:04:43,190
All you have to do is navigate to the content and change it to zero, then forward the request or turn

63
00:04:43,190 --> 00:04:47,840
off the intercept, go back and it will get redirected straight away.

64
00:04:48,850 --> 00:04:49,810
How cool is that?

65
00:04:50,320 --> 00:04:55,360
OK, so this was another thing that we could have done with the injection: we can simply just redirect

66
00:04:55,360 --> 00:04:55,810
the page.

67
00:04:56,530 --> 00:05:01,890
And we also saw another way that we can perform the injection, which is through the cookie value.

68
00:05:02,200 --> 00:05:08,410
We changed the cookie value with the code and it got executed because it got reflected on our page.

69
00:05:10,220 --> 00:05:16,150
So in the next video, we're going to take a look at another example of the injection and then in a

70
00:05:16,150 --> 00:05:21,350
video or two, we're about to move on to the next, more serious and dangerous vulnerability.

71
00:05:21,860 --> 00:05:22,910
See you in the next lecture.
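Added example, not part of the lecture or its lab: the reflection the lecture relies on, modelled in plain Python. The unescaped "capture data" rendering sits next to an escaped version, and a defender-side check parses any live meta refresh tag in a response into the delay and target URL the lecture explains (`content="5;url=..."`). The cookie name and the target host are placeholders.

```python
import html
import re

# Constructed request data for this example; the cookie name and the
# redirect host are placeholders, not values taken from the lecture's lab.
BENIGN_COOKIE = "SESSIONID=abc123"
INJECTED_COOKIE = ('SESSIONID=<meta http-equiv="refresh" '
                   'content="5;url=https://example.invalid/">')

# Vulnerable: the raw Cookie header is written into the page body, so any
# markup it carries is parsed by the browser (the capture-data behaviour).
def render_vulnerable(cookie_header: str) -> str:
    return f"<html><body><pre>Cookie: {cookie_header}</pre></body></html>"

# Fixed: escape before reflecting, so < > " become entities and stay text.
def render_fixed(cookie_header: str) -> str:
    safe = html.escape(cookie_header, quote=True)
    return f"<html><body><pre>Cookie: {safe}</pre></body></html>"

# Detection: find a live <meta http-equiv="refresh"> in a response body.
META_REFRESH = re.compile(
    r'<meta\s+http-equiv\s*=\s*"refresh"\s+content\s*=\s*"([^"]*)"',
    re.IGNORECASE)

def find_meta_refresh(body: str):
    """Return (delay_seconds, url_or_None) for the first meta refresh, else None."""
    m = META_REFRESH.search(body)
    if not m:
        return None
    # content is "<seconds>" or "<seconds>;url=<target>"
    delay_part, _, rest = m.group(1).partition(";")
    try:
        delay = int(delay_part.strip())
    except ValueError:
        return None
    rest = rest.strip()
    url = rest[4:].strip() if rest.lower().startswith("url=") else None
    return delay, url

def response_reflects_cookie_html(cookie_header: str, body: str) -> bool:
    """True when a cookie header carrying markup is reflected verbatim."""
    return "<" in cookie_header and cookie_header in body
```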