1 00:00:01,290 --> 00:00:01,950 Welcome back.
2 00:00:02,490 --> 00:00:05,730 Let's discuss DOM based XSS.
3 00:00:06,689 --> 00:00:13,630 So in the previous few videos, we covered a couple of examples of reflected XSS.
4 00:00:13,980 --> 00:00:19,830 We also saw some of the possibilities, such as stealing cookies, getting the IP address, changing
5 00:00:19,830 --> 00:00:23,960 the contents of the page, and also injecting a file to download.
6 00:00:24,390 --> 00:00:31,470 We also bypassed the filters that removed our script tags and we managed to bypass the max character
7 00:00:31,470 --> 00:00:32,040 security.
8 00:00:32,759 --> 00:00:38,130 Now let's navigate to the password generator XSS vulnerability.
9 00:00:38,580 --> 00:00:45,420 You can do that by going to OWASP, then navigating to cross site scripting and under DOM Injection
10 00:00:45,450 --> 00:00:47,910 you want to select password generator.
11 00:00:48,720 --> 00:00:55,290 And this password generator, once we click on this simple button, generates a random password every
12 00:00:55,290 --> 00:00:55,560 time.
13 00:00:56,220 --> 00:01:04,920 Now, the first thing you will notice with XSS is that if you tried to intercept this request, it
14 00:01:04,920 --> 00:01:06,150 will not work.
15 00:01:06,390 --> 00:01:13,530 You're not going to intercept anything once clicking on that button, even though the intercept is turned
16 00:01:13,530 --> 00:01:13,740 on.
17 00:01:14,670 --> 00:01:21,930 That's because no requests are being sent, as we can see, nothing is happening, so we can turn this
18 00:01:21,930 --> 00:01:22,310 off.
19 00:01:22,860 --> 00:01:30,270 But if we take a closer look at the link, we'll have this username equals Anonymous, so let's try
20 00:01:30,270 --> 00:01:30,990 to inject it.
21 00:01:31,380 --> 00:01:41,940 If I type our usual alert function by opening script tags and closing script tags, press enter.
22 00:01:43,110 --> 00:01:50,760 Hmm, it doesn't work, at least we think that it doesn't work, we didn't get the pop up window, but
23 00:01:50,760 --> 00:01:57,360 what we did get is this part right here and this looks like a part of code.
24 00:01:57,780 --> 00:02:03,210 So let's try to find in the source code where exactly this is located.
25 00:02:03,570 --> 00:02:05,880 Let's open page source.
26 00:02:07,930 --> 00:02:14,710 And let's copy this, for example, and let's try to find it right here.
27 00:02:16,070 --> 00:02:17,750 We can't seem to find it.
28 00:02:18,320 --> 00:02:20,600 Let's try just finding it manually.
29 00:02:22,500 --> 00:02:29,730 Or we can try to find all of the alerts on this page, here is one alert.
30 00:02:30,960 --> 00:02:35,830 Here is another alert and here is where our code is getting injected.
31 00:02:36,300 --> 00:02:43,010 This is the error message that we get, as we can see right here, and this is our injected code.
32 00:02:43,350 --> 00:02:45,240 So it's still getting there.
33 00:02:45,240 --> 00:02:47,180 It's just not getting executed.
34 00:02:47,230 --> 00:02:49,420 Let's see why it is not getting executed.
35 00:02:50,260 --> 00:02:57,710 Well, if we take a closer look at this part of the code, we'll notice that we already have open script
36 00:02:57,720 --> 00:02:58,170 tags.
37 00:02:59,140 --> 00:03:04,780 So our JavaScript code is actually getting injected inside of a JavaScript code.
38 00:03:06,080 --> 00:03:15,260 That means these script tags are not needed, or we need to specify close script tags before we open them
39 00:03:15,260 --> 00:03:16,610 to run our alert function.
40 00:03:17,420 --> 00:03:19,530 So how can we bypass this?
41 00:03:20,360 --> 00:03:27,890 Well, since we already have open script tags, we can just first close the script tags for this part
42 00:03:27,890 --> 00:03:34,460 of JavaScript code from the page, and then we can open the script tags once again to run our alert
43 00:03:34,460 --> 00:03:34,980 function.
44 00:03:35,510 --> 00:03:36,440 Let's give it a try.
45 00:03:36,800 --> 00:03:38,060 If I go to this page.
46 00:03:39,100 --> 00:03:46,570 I delete my previous payload, and what I'm going to do first is close the script tags
47 00:03:47,860 --> 00:03:53,460 and then I'm opening script tags right after, then typing my alert function.
48 00:03:53,620 --> 00:04:00,000 Let's specify hello as the pop up message and I close the script tags again.
49 00:04:00,550 --> 00:04:04,050 So this is how our payload looks right now.
50 00:04:05,070 --> 00:04:06,360 If I press enter.
51 00:04:07,890 --> 00:04:15,540 Now it's getting executed. Now we managed to run our JavaScript code by closing the previous JavaScript
52 00:04:15,540 --> 00:04:18,870 code and opening the new alert JavaScript code.
53 00:04:19,800 --> 00:04:21,899 Let me show you how that looks.
54 00:04:22,810 --> 00:04:30,100 Now that we ran it successfully, let's try to find our alert function once again.
55 00:04:32,270 --> 00:04:39,140 And here it is, as you can see, the script tag that is getting opened by the code itself is getting
56 00:04:39,140 --> 00:04:41,240 closed by us right here.
57 00:04:41,390 --> 00:04:43,170 Here is our closing script tag.
58 00:04:44,000 --> 00:04:50,290 And right after we did that, we opened another JavaScript function that will run the alert message.
59 00:04:50,900 --> 00:04:51,920 Then we closed it.
60 00:04:52,250 --> 00:04:59,660 And the thing that we see outputted right here as an error is actually a part of code that we get right
61 00:04:59,660 --> 00:05:05,990 after we close our script, because this no longer belongs to this JavaScript script.
62 00:05:06,680 --> 00:05:09,790 This is getting processed as regular text on the page.
63 00:05:09,800 --> 00:05:12,550 Therefore, it's getting outputted right here.
64 00:05:13,400 --> 00:05:20,030 So we managed to execute our JavaScript code by taking a look at the source code and seeing what we
65 00:05:20,030 --> 00:05:25,120 need to adjust in our payload in order for it to be able to execute.
66 00:05:25,820 --> 00:05:31,640 Now, in the next video we are going to take a look at another example of XSS, or a different example
67 00:05:31,640 --> 00:05:34,400 of XSS, in the next lecture.
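The lecture above shows why the plain alert payload fails and the close-then-reopen payload works: the username parameter lands inside a script block the page has already opened, and the browser's HTML tokenizer ends a script element at the first closing script tag regardless of JavaScript syntax, which is also why the rest of the page's code spills out as visible text. The following Python model is an added example, not code from the lecture or from the application shown in the video; PAGE_TEMPLATE, render_vulnerable, js_string_literal, render_safe, script_bodies and text_outside_scripts are constructed names, and the markup is a made-up stand-in for the password-generator page. It renders the lecture's payload through the vulnerable pattern and through a hardened encoder, then splits the result the way the tokenizer would, so the breakout and the leaked text are both observable, and the fix (a JSON-style string literal with the angle brackets escaped as \u003c and \u003e, which the JavaScript engine still reads as the same value) is verified to keep the page at a single script element.

```python
import json
import re

# Constructed stand-in for the password-generator page: the "username" URL
# parameter lands inside a <script> block that the page has already opened.
# The markup and names here are assumptions, not the application's real code.
PAGE_TEMPLATE = """<html><body>
<script>
var username = "{username}";
document.getElementById("greeting").innerText = "Hello " + username;
</script>
<div id="greeting"></div>
</body></html>"""

# The payload from the lecture: close the page's script, then open our own.
PAYLOAD = '</script><script>alert("hello")</script>'


def render_vulnerable(username: str) -> str:
    """Echo the parameter verbatim into the script block, as the vulnerable page does."""
    return PAGE_TEMPLATE.replace("{username}", username)


def js_string_literal(value: str) -> str:
    """Encode a value as a JS string literal that cannot terminate the script element.

    json.dumps handles quotes, backslashes and control characters, but leaves
    '<', '>' and '&' alone, so '</script>' would survive. Escaping them as \\uXXXX
    keeps the JavaScript value identical while the HTML tokenizer never sees a
    '</script' end-tag sequence.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_safe(username: str) -> str:
    """Hardened rendering: the encoded literal (quotes included) replaces the placeholder."""
    return PAGE_TEMPLATE.replace('"{username}"', js_string_literal(username))


# The HTML tokenizer ends a script element at the first '</script', regardless
# of JavaScript syntax; this regex approximates that behaviour.
_SCRIPT_ELEMENT = re.compile(r"<script[^>]*>(.*?)</script\s*>", re.DOTALL | re.IGNORECASE)


def script_bodies(html: str) -> list:
    """Return the source of every script element as the browser would delimit it."""
    return _SCRIPT_ELEMENT.findall(html)


def text_outside_scripts(html: str) -> str:
    """Plain text the browser renders: what remains once script elements and tags are removed."""
    without_scripts = _SCRIPT_ELEMENT.sub("", html)
    return re.sub(r"<[^>]+>", "", without_scripts).strip()


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(PAYLOAD)),
                        ("hardened", render_safe(PAYLOAD))):
        print(f"{label}: {len(script_bodies(page))} script element(s); "
              f"leaked page text: {text_outside_scripts(page)!r}")
```

Running the block prints two script elements and the leaked tail of the page's own code for the vulnerable rendering (the "error message" seen in the video), and one script element with no leaked text for the hardened rendering. The same encoding rule is what an output-encoding library applies in a JavaScript context; the regex split here is only a model of the tokenizer for demonstration, not a substitute for a real HTML parser in detection tooling.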