OK, we're starting off where we finished in the last lecture. We managed to bypass a simple filter on our reflected XSS page, but right now we want to see how we can also exploit the stored XSS. So navigate to the stored XSS. And this is the application that we have. It's a comment section. We type in our name and the message "Hello World", and we sign the guestbook and it will add it right here on the page. We already know that these comments are getting stored on the server, so anyone loading this page will also see our comment. Same goes for the JavaScript code that we inject. Anyone loading the page will also load our JavaScript code because we injected it straight into the web page storage.

Now, let's try it on the low level to execute our JavaScript. So let's go to the security page, let me change it to low and navigate back to the stored XSS. Let's try to inject both fields. Hmm, if we try to continue typing in the name field, it won't allow it. I guess it has some filter for how many characters we can input. So let's just try to go with "test" here and let's inject our JavaScript code, our simple alert function, in the message field.
If I sign my guestbook, and let me just zoom in a little bit more so you can see it better, then I click on Sign Guestbook. Well, here it is on the low level. It's really easy to exploit. It has no filters at all. And all we have to do is type in our script tags and alert function and it will run on the page.

Now, let's give it a try on the medium security. If I type submit, go back to the stored XSS, we load our previous alert window because it's stored on the page, and now let's try it again. If I type "test" and a simple alert function between script tags. Well, the window that we just loaded was from the previous low-level security script. If we managed to execute this one, we would get two windows, and just so we can differentiate them, let's run the script alert and in this window we're going to type in "Hello", just so it's different from the previous script that's already stored on the page. As you can see, this is not the one that we just ran. It's from the previous attack. The one that says "Hello" is not getting executed. Now, if we take a look down here, it appears that our script tags are getting removed and also we are getting these backslashes before our single quotes, so it's getting filtered.
But let's try to inject inside of the name field. If I type here, script alert, and we know that we have the character limitation, but let's just leave it like that for a moment and sign the guestbook. Our script tags appear to be filtered as well. So what are we going to do? Well, let's take a look at the source code of this page. Let's see how it performs the filtering.

So this is the code of this page, and we have a part of the code that sanitizes the message input and a part of the code for the name input. Now, by looking at the message input code, I can already see that this is getting filtered a whole lot better than the name input. Why? Well, because it has this htmlspecialchars function that removes all the characters from our message. But this is not being used in our name. We only have the same filter that we had from the previous video inside of our name input. But we do have another problem. We have a character limitation inside the name input. So how are we going to bypass that? Well, we can do something like this. We can type script alert and we get to the character limitation. So in order to bypass it, we go to Inspect Element. We find this name input inside of our code. It's in this form.
Let's open the table, open the body of this table and it's right here. It's this line that I have selected. And in this line we have maxlength equals 10. So if we double-click on this and change 10 to 100 and press Enter, now I go back and I can continue typing in this field. Now I can type the entire script statement, and remember, our script tags are getting filtered, so we're just going to bypass it the same way that we bypassed it in the previous lecture, by adding capital letters to "script". And if I click Sign Guestbook now, we'll load the first alert from the low security level. And it doesn't appear that this second alert follows.

Let's give it a try once again. Of course, we need to increase this to 100, retype uppercase script, "test" and alert, and let's just differentiate it by typing "hello" in the brackets. Close the script. We can type anything in the message since that is getting filtered well, and we sign the guestbook. Here it is. Here is our alert script getting executed, we get our message "Hello". So it worked perfectly.

Now I want to show you another thing that you can do with XSS, or with HTML injection in general.
You can inject a link for a file download, for example. For the purposes of this, I'm just going to go back to low so I can inject it in the message field, and go back to the stored XSS page. And here I'm going to type "test" and inject code that will allow the user to download a file from your comment. We can type something like this: open a tags, a href equals, and in between the double quotes we specify the link that will lead to the file that we want the users of this page to download. So for the purposes of this, what we can do is we can, for example, go to this phpinfo, copy the path to this file, let's call it. Go back. And paste that path right here between the brackets, so open a tags, a href equals this link, and now we want to type space download. Oops. We also have a character limitation right here, so we can bypass it the same way that we did previously, by finding that in our HTML code and increasing the maxlength to a hundred. Now, if I type download till the end, it will work, and I close the tags and type the filename. So the filename can be pretty much anything that we want. We can just call it phpinfo dot. We close the a tags at the end and we sign the guestbook. Let's click on OK. And here it is, we injected a link for a file download.
If I click on it, it will ask me whether I want to save this file on my PC. So that is also something that you can do with this vulnerable input. Whether you inject HTML code that will download the file or JavaScript code that will download the file, it doesn't matter. What matters is that the possibilities with this are limitless, especially when you can inject JavaScript code.

OK, awesome. Now that we covered both reflected and stored XSS on the DVWA, let's take a look at the DOM XSS on our Mutillidae page in the next lecture.