1 00:00:00,840 --> 00:00:09,000 It's time we get started with the biggest vulnerabilities or bugs on our Web page, and by biggest, 2 00:00:09,000 --> 00:00:11,400 I don't mean most dangerous. 3 00:00:11,400 --> 00:00:16,950 However, these ones are still not something that you want to have on your Web page. 4 00:00:18,150 --> 00:00:25,160 We will be starting in this section with the cross-site scripting vulnerability, also known as XSS. 5 00:00:26,190 --> 00:00:32,400 Now, you might have noticed that in the upper right corner, we have this JavaScript icon. 6 00:00:33,380 --> 00:00:37,260 This can give us a hint as to what this vulnerability is. 7 00:00:37,880 --> 00:00:39,460 So let's explain it. 8 00:00:40,130 --> 00:00:44,400 First of all, XSS is very similar to HTML injection. 9 00:00:45,080 --> 00:00:47,890 Those two are executed almost the same way. 10 00:00:47,900 --> 00:00:54,410 And since we already covered the HTML injection, this will be a lot easier for you to understand and 11 00:00:54,410 --> 00:00:54,890 perform. 12 00:00:55,730 --> 00:01:00,850 XSS is based on injecting JavaScript code into the Web page. 13 00:01:01,670 --> 00:01:08,390 As with the HTML injection, we're looking for a vulnerable user input field that reflects our output 14 00:01:08,390 --> 00:01:09,650 somewhere on the page. 15 00:01:10,690 --> 00:01:16,780 Once we find it, we try to inject simple JavaScript code to see how the page would react and whether 16 00:01:16,780 --> 00:01:18,100 it would execute. 17 00:01:19,290 --> 00:01:25,830 One thing to keep in mind is that XSS is not a vulnerability that targets the server; it is a vulnerability 18 00:01:25,830 --> 00:01:28,290 that targets the clients that use that server. 19 00:01:28,920 --> 00:01:35,820 If we are able to inject our malicious JavaScript code into the Web page, then that JavaScript code will 20 00:01:35,820 --> 00:01:39,660 also run once a different client visits that Web page. 
21 00:01:40,540 --> 00:01:47,500 Now, whether the client visits the Web page directly or through a link makes a difference, depending 22 00:01:47,500 --> 00:01:50,080 on what type of XSS vulnerability it is. 23 00:01:50,830 --> 00:01:58,030 And we will discuss the different types in just a second, right after we discuss the process of why our 24 00:01:58,030 --> 00:02:01,600 JavaScript code executes on a vulnerable Web page. 25 00:02:02,580 --> 00:02:10,169 So imagine we have this code as an example. It's the same code that we showed inside of our HTML injection, 26 00:02:10,740 --> 00:02:16,740 just this time, instead of injecting HTML, we want to try to inject JavaScript. 27 00:02:17,650 --> 00:02:23,110 And the most simple thing we can find in JavaScript would be the alert function. 28 00:02:24,120 --> 00:02:31,170 Of course, when embedding JavaScript inside the HTML code, we must add the opening script tag where 29 00:02:31,170 --> 00:02:37,080 our JavaScript code starts and the closing script tag where our JavaScript code ends. 30 00:02:38,070 --> 00:02:44,520 This is how the browser will know that it's JavaScript, so it doesn't try to render it as HTML code. 31 00:02:45,400 --> 00:02:53,350 This code, being simple code that asks for someone's name and then reflects it on the page, would look something 32 00:02:53,350 --> 00:02:56,620 like this once we inject our alert function. 33 00:02:57,460 --> 00:03:03,340 And if the website doesn't filter the input, it will process this as JavaScript code and we will get 34 00:03:03,340 --> 00:03:06,940 a small popup window which is tied to this alert function. 35 00:03:07,880 --> 00:03:11,240 That's when we would know that there is an XSS vulnerability. 
36 00:03:12,120 --> 00:03:18,990 Of course, a Web page can also have filters that are not properly set. Usually a page can have a filter 37 00:03:18,990 --> 00:03:26,010 that says everything between the HTML tags where the user input gets reflected should be processed as a regular 38 00:03:26,010 --> 00:03:31,000 string or regular text. To bypass only that filter, 39 00:03:31,020 --> 00:03:33,780 we could then do something like this. 40 00:03:34,410 --> 00:03:39,810 We can first close the tags for that line and then run our JavaScript code. 41 00:03:40,380 --> 00:03:47,910 In this case, the end closing tag will get left out and it will no longer consider our script as being 42 00:03:47,910 --> 00:03:50,580 part of the open tags. 43 00:03:51,580 --> 00:03:56,480 Of course, this is all working considering there are no other input filters. 44 00:03:57,220 --> 00:04:01,500 Now let's talk about the two main types of XSS and how they differ. 45 00:04:02,080 --> 00:04:07,600 These two types are called reflected XSS and stored XSS. 46 00:04:08,560 --> 00:04:11,370 Let's explain reflected XSS first. 47 00:04:12,240 --> 00:04:20,190 In reflected XSS, we have an attacker injecting JavaScript code inside a certain Web page; the 48 00:04:20,490 --> 00:04:27,030 webpage processes that input as JavaScript and runs it, letting the attacker know that it's vulnerable 49 00:04:27,030 --> 00:04:27,890 to XSS. 50 00:04:28,710 --> 00:04:35,670 Then the attacker sends the link to that Web page with the JavaScript code set as the input to the vulnerable 51 00:04:35,670 --> 00:04:36,230 parameter. 52 00:04:36,510 --> 00:04:41,850 Once the target opens the link, it will also run the JavaScript code on the vulnerable website. 53 00:04:42,600 --> 00:04:49,320 The XSS where the JavaScript code we inject doesn't get stored and saved on the server is called 54 00:04:49,320 --> 00:04:50,940 reflected XSS. 
55 00:04:51,630 --> 00:04:56,460 On the other hand, stored XSS is the exact same attack, 56 00:04:56,460 --> 00:05:02,790 just this time our JavaScript code gets saved and stored on the server and on the Web page. 57 00:05:03,900 --> 00:05:11,070 This can be, perhaps, a Web page that offers a comment section. If we inject JavaScript code in the comment 58 00:05:11,070 --> 00:05:14,820 section, it will run every time someone opens that page. 59 00:05:15,660 --> 00:05:22,890 And that's the main difference between these two: in stored XSS, the target doesn't have to click on any 60 00:05:22,890 --> 00:05:23,550 link at all. 61 00:05:23,940 --> 00:05:28,440 They can just go straight to the Web page and it will run nonetheless. 62 00:05:29,570 --> 00:05:35,720 The stored XSS is more dangerous since it doesn't require the target to open any links; they only 63 00:05:35,720 --> 00:05:38,220 need to go to that website. 64 00:05:38,600 --> 00:05:45,950 Now, besides these two, there is also something called DOM XSS or DOM-based XSS, and it's an XSS 65 00:05:45,950 --> 00:05:52,580 attack where the attack payload is executed as a result of modifying the DOM environment in the victim's 66 00:05:52,580 --> 00:05:59,420 browser used by the original client-side script, so that the client-side code runs in an unexpected manner. 67 00:06:00,230 --> 00:06:03,850 We will see examples of the different XSS types throughout this section. 68 00:06:04,250 --> 00:06:07,340 So, this is one of the most common vulnerabilities on Web pages. 69 00:06:07,420 --> 00:06:11,150 We will devote a little bit more time to it than to other vulnerabilities.