1 00:00:00,900 --> 00:00:01,670 Welcome back. 2 00:00:02,310 --> 00:00:08,640 In this video, we're going to take a look at two more examples of HTML injection, and with this, 3 00:00:08,640 --> 00:00:10,960 we're going to finish off with this vulnerability. 4 00:00:11,850 --> 00:00:17,220 Now, before we start off with these examples, it's important to note that this is not the most 5 00:00:17,220 --> 00:00:20,280 critical vulnerability that we can find on a page. 6 00:00:20,550 --> 00:00:24,570 But we did start with it just because it's simple to perform. 7 00:00:25,690 --> 00:00:32,439 The effect that it can have is, well, with the injection, you can pretty much change anything on 8 00:00:32,439 --> 00:00:38,860 the page, you can change the code, you can make it redirect to a different page, as we saw in an example 9 00:00:38,860 --> 00:00:39,690 in the previous video. 10 00:00:39,940 --> 00:00:45,910 So what you can, for example, do is you can create a fake page that looks exactly like the page that 11 00:00:45,910 --> 00:00:46,620 you're testing. 12 00:00:47,320 --> 00:00:54,250 You can add a form, perhaps a login form there, and then you can redirect the real page to the fake 13 00:00:54,250 --> 00:00:55,840 page that looks exactly the same. 14 00:00:56,050 --> 00:01:00,400 And the user that gets redirected won't really notice anything. 15 00:01:00,700 --> 00:01:06,220 They might type their information, such as usernames and passwords, on the fake page and you would be 16 00:01:06,220 --> 00:01:07,570 able to get all of that. 17 00:01:07,990 --> 00:01:14,230 And that is the HTML injection, because a regular user won't really see the difference between a real 18 00:01:14,230 --> 00:01:15,610 page and a fake page. 19 00:01:16,090 --> 00:01:17,900 Nonetheless, enough talking. 20 00:01:17,920 --> 00:01:20,190 Let's get straight into these two examples. 
21 00:01:20,650 --> 00:01:25,030 So the first one that I want to show you is once again under Injection. 22 00:01:25,030 --> 00:01:32,670 Then let's go to HTML injection and let's select HTML5 Storage here. 23 00:01:32,860 --> 00:01:41,650 We do have some web storage, and if we type something in these user input fields and click on Add, 24 00:01:41,920 --> 00:01:46,240 it will get reflected in this table that we can see on this page. 25 00:01:47,270 --> 00:01:51,230 Now, there are a few things that we might notice right here. 26 00:01:51,560 --> 00:01:53,450 There are a couple of things reflecting. 27 00:01:53,960 --> 00:01:58,400 We have our test getting reflected here and here. 28 00:01:59,090 --> 00:02:07,890 We also get test getting reflected here, but we also get our User-Agent field getting reflected here. 29 00:02:08,460 --> 00:02:14,320 Now, we will not be injecting this, because we already saw an example of injecting the User-Agent field. 30 00:02:14,330 --> 00:02:19,430 It would probably work and we could probably reflect our HTML code right here. 31 00:02:19,940 --> 00:02:21,150 But let's give it a try 32 00:02:21,290 --> 00:02:22,820 in these two input fields. 33 00:02:24,120 --> 00:02:30,450 So the first thing that we will notice is that if we turn on the intercept and we type something in, 34 00:02:32,840 --> 00:02:40,220 well, we didn't really intercept anything, our request didn't get intercepted, we simply just added 35 00:02:40,220 --> 00:02:42,880 another test value to this storage. 36 00:02:43,310 --> 00:02:51,920 But even though we can't really intercept this request, we can still try to write HTML code, and let's 37 00:02:51,920 --> 00:02:54,290 paste it right here, 38 00:02:55,590 --> 00:02:59,460 and paste it in this second input field as well. 39 00:03:00,980 --> 00:03:07,010 And we do get an injection, we just don't get it here, we get it right here. 
40 00:03:07,700 --> 00:03:14,540 As we can see, our input got filtered and it simply just added our HTML code as a regular string. 41 00:03:14,870 --> 00:03:20,000 But here, where it also reflects, we got test written inside header one (h1) tags. 42 00:03:20,920 --> 00:03:22,780 OK, so this was a simple example. 43 00:03:22,790 --> 00:03:27,770 We got our code right here, so we know that it's vulnerable to the injection. 44 00:03:28,160 --> 00:03:30,890 But let's take a look at a more advanced example. 45 00:03:31,740 --> 00:03:35,930 To navigate to that more advanced example, well, even that one is rather easy to find. 46 00:03:36,320 --> 00:03:41,600 We can go to Injection and let's go, for example, to the first one. 47 00:03:41,630 --> 00:03:46,160 And let's go to this one, the Back button one. 48 00:03:46,940 --> 00:03:47,810 Click on that. 49 00:03:48,510 --> 00:03:50,660 Oops, we still have intercept on. 50 00:03:50,660 --> 00:03:51,680 Let's turn it off. 51 00:03:52,010 --> 00:03:56,350 And this is the page that we get, once again, with no user input field. 52 00:03:57,080 --> 00:03:59,720 So what are we going to inject? 53 00:04:00,630 --> 00:04:08,220 We can't even see in this text that anything from our headers gets reflected, well, besides this one, 54 00:04:08,220 --> 00:04:13,860 which is a standard thing on every page, so we're just going to ignore it at the moment. 55 00:04:15,010 --> 00:04:21,820 But if we read this discussion right here, it says the large Back button image appears automatically 56 00:04:21,820 --> 00:04:27,300 on most pages, and they're probably referring to this arrow and this Back button right here. 57 00:04:27,880 --> 00:04:32,620 If the image is clicked, the user is redirected to the previous page. 58 00:04:33,280 --> 00:04:40,660 The button works by executing a JavaScript statement which sets document.location.href equal to 59 00:04:40,660 --> 00:04:42,850 the HTTP header Referer. 
60 00:04:43,800 --> 00:04:51,330 Hmm, this might already give us enough information. If we give it a try, for example, let's turn 61 00:04:51,330 --> 00:04:58,840 on the intercept and we click this Back button, we find the Referer header, which is right here. 62 00:04:59,520 --> 00:05:00,780 Well, it is correct. 63 00:05:00,930 --> 00:05:06,000 We do get the link to the page that we want to visit, which is the previous page to this one. 64 00:05:06,240 --> 00:05:09,690 Since we clicked the Back button, it will redirect us to the previous page. 65 00:05:09,900 --> 00:05:15,450 And the link to that previous page is in the Referer of our HTTP headers. 66 00:05:16,080 --> 00:05:17,550 But how does that help us? 67 00:05:17,790 --> 00:05:21,100 It doesn't get reflected anywhere on the page. 68 00:05:21,120 --> 00:05:24,870 At least this link doesn't get reflected anywhere on the page. 69 00:05:25,800 --> 00:05:26,940 Or does it? 70 00:05:27,730 --> 00:05:34,980 Well, let's take a look, let's go right here and let's go to Inspect Element. 71 00:05:36,210 --> 00:05:40,890 And for Inspect Element to work better, let us just turn off the intercept 72 00:05:42,430 --> 00:05:47,300 and go back to our Back button example. 73 00:05:47,560 --> 00:05:53,940 So here it is, let's go to it and let's try to find the code of this Back button. 74 00:05:54,370 --> 00:06:00,290 So usually, just by going over these lines of code, you will be able to select different parts of the page. 75 00:06:00,290 --> 00:06:03,730 So let's just select this one, since it's the entire page. 76 00:06:04,830 --> 00:06:15,930 Let's go to this one, as it also has our Back button inside, and let's go to this one next, and this 77 00:06:15,930 --> 00:06:23,580 one here. We should be able to find the opening a tag, which covers our button, which in our case 78 00:06:23,580 --> 00:06:25,590 is this one right here. 79 00:06:26,220 --> 00:06:27,360 And here's the button. 
80 00:06:27,870 --> 00:06:34,950 If we click on the arrow, we're going to get this opening a tag that says onclick, document.location 81 00:06:34,950 --> 00:06:35,820 .href. 82 00:06:36,300 --> 00:06:41,730 And here is where our Referer link gets reflected. 83 00:06:42,240 --> 00:06:44,910 It is right here in our HTML code. 84 00:06:45,330 --> 00:06:47,250 We can see it inside the a tag. 85 00:06:47,820 --> 00:06:50,350 But how can we inject right here? 86 00:06:51,000 --> 00:06:56,400 Well, we could try to inject simple HTML code in the Referer header. 87 00:06:57,380 --> 00:07:05,750 But you will notice that it won't work. If I type h1, then test, then the closing tag, and forward 88 00:07:05,750 --> 00:07:09,830 the packet, then turn off the intercept and go back to the page, 89 00:07:09,860 --> 00:07:14,500 well, we didn't really get our HTML code reflected anywhere. 90 00:07:14,840 --> 00:07:17,180 So could it be that it's not vulnerable? 91 00:07:17,780 --> 00:07:20,170 Well, let's take a closer look at our code. 92 00:07:20,570 --> 00:07:27,830 So here is our button, where we now injected the HTML code instead of the Referer link, which relates 93 00:07:27,830 --> 00:07:28,730 to the previous page. 94 00:07:29,000 --> 00:07:31,060 And it looks like this. 95 00:07:31,070 --> 00:07:38,990 So we have the opening a tag, onclick, document.location.href, and inside the opening single quote, 96 00:07:39,020 --> 00:07:43,400 this is equal to our HTML code, as we can see right here. 97 00:07:44,240 --> 00:07:47,570 So let's copy this line of code. 98 00:07:48,930 --> 00:07:51,900 I'm not sure what it copied, but we're going to give it a try. 99 00:07:52,320 --> 00:07:54,300 Let's open nano for our HTML code, 100 00:07:56,090 --> 00:08:04,610 just so we can write our HTML payload right here. And for some reason it copied this, but nonetheless, 101 00:08:04,610 --> 00:08:07,400 I'm just going to type it in so we can see it better. 
102 00:08:07,760 --> 00:08:11,510 OK, I wrote the entire code right here, so this is how it looks. 103 00:08:12,230 --> 00:08:19,220 But we can see that this HTML code that we inject belongs to this document.location.href. 104 00:08:19,650 --> 00:08:27,230 So in order for our HTML code to get processed as HTML code, we must escape these a tags and this 105 00:08:27,230 --> 00:08:29,390 document.location somehow. 106 00:08:30,080 --> 00:08:31,910 Well, here's what we can do. 107 00:08:32,450 --> 00:08:38,510 Let's try to write our payload down here, so it will start with onclick. 108 00:08:39,860 --> 00:08:40,360 Oops. 109 00:08:40,429 --> 00:08:42,400 I misspelled it right here. 110 00:08:42,440 --> 00:08:50,630 So onclick, document.location.href equals, then the opening quote. 111 00:08:50,630 --> 00:08:55,490 The first thing to notice is that this document starts with double quotes. 112 00:08:56,120 --> 00:09:04,850 So perhaps what we can do is we can make it end right here by adding the closing quote instead of just 113 00:09:04,850 --> 00:09:07,320 starting to write our HTML code right here. 114 00:09:07,850 --> 00:09:11,990 So now, perhaps, if we write our HTML code, 115 00:09:15,590 --> 00:09:18,240 it would look something like this, right? 116 00:09:18,500 --> 00:09:25,650 So our document.location should end right here, but we still have our HTML code inside the a tag. 117 00:09:26,270 --> 00:09:33,790 So what we can do is we can also close the a tag right here, after the double quote that we injected: 118 00:09:34,400 --> 00:09:41,120 we can type the closing bracket that we have right here and a closing a tag. 119 00:09:43,920 --> 00:09:50,520 Now, you might notice some similarities, because we pretty much just moved this entire part of characters 120 00:09:50,880 --> 00:09:59,550 right before our HTML code. As you can see right here, here is where it was before and now we have it here. 
121 00:09:59,850 --> 00:10:07,860 So we're essentially closing this opening a tag with the document.location, and as soon as it 122 00:10:07,860 --> 00:10:14,410 ends with this line, we are moving on to our next line of HTML code that we are injecting. 123 00:10:15,150 --> 00:10:19,160 So our final payload will look something like this. 124 00:10:19,530 --> 00:10:25,620 We want to inject this into the page, followed by our opening h1 tag. 125 00:10:28,500 --> 00:10:29,550 This is our payload. 126 00:10:30,670 --> 00:10:32,920 Let's see if it works, so if we copy it, 127 00:10:34,270 --> 00:10:36,940 go back to the page, turn on the intercept, 128 00:10:37,210 --> 00:10:46,120 we can lower this, refresh the page, and under the Referer, we didn't really need to remove this link. 129 00:10:46,120 --> 00:10:50,680 We can just append our payload straight at the end of the link. 130 00:10:51,250 --> 00:10:52,480 So let's paste. 131 00:10:52,480 --> 00:10:53,920 And here it is. 132 00:10:54,380 --> 00:11:02,260 We got the double quote, the closing bracket, the closing a tag, the opening h1 tag, we wrote test, and we closed 133 00:11:02,280 --> 00:11:03,220 the h1 tag. 134 00:11:03,610 --> 00:11:08,980 Let's forward this packet and turn off the intercept, and we go back. 135 00:11:09,130 --> 00:11:12,760 Here is our HTML code getting reflected on the page. 136 00:11:13,150 --> 00:11:18,430 We successfully performed the HTML injection that we couldn't get to work at the beginning. 137 00:11:19,150 --> 00:11:25,990 And this right here is the leftover code that we pretty much cut off once we injected our HTML code. 138 00:11:26,260 --> 00:11:33,830 And in order for us to take a look at how this code looks in the HTML page, we can navigate to our 139 00:11:33,850 --> 00:11:35,200 button, which is right here. 140 00:11:35,200 --> 00:11:39,670 And here is the opening a tag that we had before we closed it right here. 
141 00:11:39,670 --> 00:11:45,520 As we can see, this is the first part of our code, where we close the double quote and we close the 142 00:11:45,520 --> 00:11:46,120 a tag. 143 00:11:46,570 --> 00:11:52,660 And down here it processed our h1 header with test written inside of it. 144 00:11:52,840 --> 00:11:54,970 So it processed it as HTML. 145 00:11:55,120 --> 00:11:59,850 And here is that leftover part that we cut off from this line right here. 146 00:12:00,850 --> 00:12:09,190 So once again, in case you're confused, what we did is we took the original code, which looked like 147 00:12:09,190 --> 00:12:09,580 this. 148 00:12:09,580 --> 00:12:16,120 Once we inject our h1 header, we move the closing tags before we type in our HTML code. 149 00:12:16,510 --> 00:12:25,060 Then it closed this entire line of a tags and it processed our HTML code as a separate line, and 150 00:12:25,060 --> 00:12:27,270 it wrote it on the page right here. 151 00:12:28,090 --> 00:12:31,630 So this was a little bit more advanced example of HTML injection. 152 00:12:31,630 --> 00:12:34,420 And with this we are done with this vulnerability. 153 00:12:35,020 --> 00:12:41,170 So it was rather easy to perform, as we already mentioned, but it does not have that big of an impact. 154 00:12:41,170 --> 00:12:47,020 The best thing that you can do with this is pretty much change stuff on the page or redirect the page. 155 00:12:48,040 --> 00:12:54,280 Nonetheless, if you want, you can take a look at the other examples of HTML injection on this and 156 00:12:54,280 --> 00:12:59,150 on other pages of our vulnerable virtual machine. You can see there are quite many. 157 00:12:59,170 --> 00:13:01,180 Of course, we're not going to cover all of them. 158 00:13:01,180 --> 00:13:04,990 So you can practice this vulnerability on different examples. 
159 00:13:05,380 --> 00:13:10,930 And we are going to continue with the next vulnerability in the next section, which is going to be 160 00:13:10,930 --> 00:13:13,320 a more serious and a more dangerous one. 161 00:13:13,690 --> 00:13:17,470 And it is called command injection. See you in the next lecture.
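The following is an added example that is not part of the lecture transcript and not the vulnerable VM's own source. It reconstructs, from the lecture's description only, the Back button markup (an `a` tag whose `onclick` sets `document.location.href` to the Referer header), shows why the plain `<h1>test</h1>` payload fails while `"></a><h1>test</h1>` succeeds, and places a hardened rendering beside it. The origin `http://localhost/`, the previous-page URL and the `images/back.png` path are assumptions; a small tag scanner that respects quoted attribute values stands in for the browser's parser so the difference can be checked offline.

```javascript
// Added example, not from the lecture or the vulnerable VM. The markup is
// reconstructed from the lecture's description of the Back button
// (onclick="document.location.href='<Referer>'"); the real page may differ.
const ORIGIN = "http://localhost/"; // assumed origin of the vulnerable app
// Constructed sample Referer, as the browser would send it.
const PREVIOUS_PAGE = ORIGIN + "index.php?page=home.php";
// The lecture's working payload: close the onclick attribute's double
// quote, close the a tag, then write our own element.
const PAYLOAD = '"></a><h1>test</h1>';

// Vulnerable: the Referer header is concatenated straight into an HTML
// attribute that holds a JavaScript string. A bare <h1>test</h1> ends up
// inside the single-quoted JS string, which is why it never renders.
function renderBackButtonVulnerable(referer) {
  return '<a onclick="document.location.href=\'' + referer + '\';">' +
    '<img src="images/back.png" alt="Back"></a>';
}

// Encode the characters that can terminate or alter an HTML attribute value.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: only a same-origin http(s) URL is accepted, it goes into a plain
// href attribute (no inline JavaScript) and is attribute-encoded. Using
// history.back() instead would avoid trusting the Referer header at all.
function renderBackButtonSafe(referer) {
  let target = ORIGIN;
  try {
    const u = new URL(referer);
    if (u.origin === new URL(ORIGIN).origin) target = u.href;
  } catch (e) {
    // Unparsable Referer: fall back to the home page.
  }
  return '<a href="' + escapeHtmlAttr(target) + '">' +
    '<img src="images/back.png" alt="Back"></a>';
}

// Minimal tag scanner (quoted attribute values respected) so we can see
// which elements a browser would create from the markup. Returns names
// such as "a", "/a", "h1".
function tagNames(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] === '<' && /[A-Za-z\/]/.test(html[i + 1] || '')) {
      let j = i + 1;
      let quote = null;
      while (j < html.length) {
        const c = html[j];
        if (quote) { if (c === quote) quote = null; }
        else if (c === '"' || c === "'") quote = c;
        else if (c === '>') break;
        j++;
      }
      const m = /^<(\/?)([A-Za-z][A-Za-z0-9]*)/.exec(html.slice(i, j + 1));
      if (m) names.push(m[1] + m[2].toLowerCase());
      i = j + 1;
    } else {
      i++;
    }
  }
  return names;
}

// Compare what the browser would build from a clean Referer, from the
// injected Referer on the vulnerable page, and on the hardened page.
function demo() {
  return {
    clean: tagNames(renderBackButtonVulnerable(PREVIOUS_PAGE)),
    vulnerable: tagNames(renderBackButtonVulnerable(PREVIOUS_PAGE + PAYLOAD)),
    hardened: tagNames(renderBackButtonSafe(PREVIOUS_PAGE + PAYLOAD)),
  };
}

console.log(demo());
```

With the payload appended to the Referer, the vulnerable markup yields the element sequence `a, /a, h1, /h1, img, /a`: the injected `"` and `>` end the `onclick` attribute and the start tag early, `</a>` closes the element, and the `h1` is created as a sibling, with the original `';">` left over as text, exactly what the lecture observed. The hardened rendering yields only `a, img, /a`, because the URL parser percent-encodes the quote and angle brackets in the query string and the attribute encoder would neutralise them even if it did not.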