1
00:00:01,180 --> 00:00:09,880
OK, we went through a bunch of different XSS attacks, but on our own bWAPP machine, we have

2
00:00:09,880 --> 00:00:14,110
even more examples of different XSS possibilities.

3
00:00:14,320 --> 00:00:21,010
And if I were to choose on which of these applications that we have available, on which one we have

4
00:00:21,010 --> 00:00:26,310
the most examples of XSS, I would go with the application bWAPP.

5
00:00:26,320 --> 00:00:26,650
bWAPP.

6
00:00:27,590 --> 00:00:34,970
On bWAPP, we have the most XSS examples, and I advise you to go through all of them just so you can

7
00:00:34,970 --> 00:00:37,460
practice this vulnerability even more.

8
00:00:38,030 --> 00:00:43,670
We're going to cover two or three at the beginning and then I will let you go through the rest of the

9
00:00:43,670 --> 00:00:44,120
attacks.

10
00:00:44,720 --> 00:00:47,190
So we're already familiar with this app.

11
00:00:47,210 --> 00:00:56,540
We log in using bee and bug as username and password, and here we choose our vulnerability.

12
00:00:56,930 --> 00:01:05,180
If we scroll all the way down, here are all of the XSS attacks that this application offers, and they're

13
00:01:05,209 --> 00:01:06,380
all different.

14
00:01:06,380 --> 00:01:11,980
As we can see, this is an example of reflected GET request XSS.

15
00:01:12,410 --> 00:01:15,590
This is an example of POST request XSS.

16
00:01:15,890 --> 00:01:21,070
We have JSON XSS and a bunch of others as well.

17
00:01:21,440 --> 00:01:25,890
Towards the end, you even have some stored XSS examples.

18
00:01:26,630 --> 00:01:30,770
Let's start with the first three and let's see how we can solve them.

19
00:01:31,580 --> 00:01:37,780
So let's click on Reflected XSS, click on Hack, and here's the application.

20
00:01:38,090 --> 00:01:41,140
So enter your first and last name.

21
00:01:41,240 --> 00:01:44,060
So let's enter first name test1, last name

22
00:01:44,270 --> 00:01:46,790
test2, and we click Go.

23
00:01:48,210 --> 00:01:49,450
Nothing happens.

24
00:01:49,470 --> 00:01:54,890
The only thing that changes is that it prints out Welcome test1 test2.

25
00:01:55,150 --> 00:01:58,390
So both of these fields get reflected on the page.

26
00:01:58,950 --> 00:02:08,250
We can try to inject both of them with our script just to see if they both

27
00:02:11,370 --> 00:02:11,820
execute.

28
00:02:12,420 --> 00:02:18,300
So let's alert Hello, and let's close our script tag and click Go.

29
00:02:18,810 --> 00:02:25,610
And of course, we get two different pop-up windows for both of our alert functions.

30
00:02:25,620 --> 00:02:29,700
So both of these inputs are vulnerable to the XSS attack.

31
00:02:30,660 --> 00:02:37,110
Once you go through that one, we can navigate to the next one, which is POST request XSS, and

32
00:02:37,110 --> 00:02:39,510
in this one we get the same application.

33
00:02:39,510 --> 00:02:44,970
Just if I type test1 and test2, we get the same output.

34
00:02:44,970 --> 00:02:49,140
But our parameters are not being sent within the link.

35
00:02:49,410 --> 00:02:53,910
So we will not be able to inject our JavaScript code inside the link.

36
00:02:54,210 --> 00:02:57,220
However, we can still inject it right here.

37
00:02:57,600 --> 00:02:59,610
Matter of fact, let's copy.

38
00:03:00,860 --> 00:03:07,370
Our previous code, and let's go, and it will also execute twice on this page as well.

39
00:03:07,850 --> 00:03:12,340
So this was rather simple, but these are also the attacks that we already covered.

40
00:03:12,950 --> 00:03:21,200
But right now, I want to cover another XSS attack that we didn't encounter yet, and that

41
00:03:21,200 --> 00:03:23,300
is XSS over JSON.

42
00:03:23,900 --> 00:03:25,460
So let's click on that one.

43
00:03:25,940 --> 00:03:26,750
Click on Hack.

44
00:03:27,380 --> 00:03:29,540
And this is the application that we get.

45
00:03:30,200 --> 00:03:32,450
So we have a single input.

46
00:03:32,450 --> 00:03:34,610
It says Search for a movie.

47
00:03:35,240 --> 00:03:38,630
If we type in a movie named test and click on Search,

48
00:03:39,260 --> 00:03:43,370
well, the output that we get is test, three question marks.

49
00:03:43,400 --> 00:03:45,890
Sorry we don't have that movie.

50
00:03:47,060 --> 00:03:54,650
What if we try to inject JavaScript code, our regular alert function, and click Search?

51
00:03:55,760 --> 00:04:02,540
Hmm, it doesn't execute, but we do get this part of code right here.

52
00:04:03,560 --> 00:04:09,740
Let's go to Inspect Element to see where exactly our script is on this page.

53
00:04:10,490 --> 00:04:13,190
So let's select this one.

54
00:04:14,000 --> 00:04:14,640
Here it is.

55
00:04:15,170 --> 00:04:17,630
So we have an open script tag.

56
00:04:17,899 --> 00:04:22,600
We have var, or variable, JSONResponseString.

57
00:04:23,000 --> 00:04:25,700
And this could be a little bit hard to read.

58
00:04:25,710 --> 00:04:28,910
So let's go and open page source.

59
00:04:29,630 --> 00:04:36,610
Let's enlarge this just so we can see a little bit better and let's search for the alert function.

60
00:04:37,010 --> 00:04:41,070
And here is the script that we are trying to input.

61
00:04:41,090 --> 00:04:42,350
It's right here.

62
00:04:43,480 --> 00:04:48,760
But it's not executing. We have a similar example as in the previous video.

63
00:04:49,660 --> 00:04:56,830
This part of code that we see right here is the part of code that is being written on the page after

64
00:04:56,830 --> 00:04:59,060
we try to inject our script.

65
00:04:59,650 --> 00:05:02,750
So how can we make this execute?

66
00:05:03,490 --> 00:05:07,990
Well, the first thing that you should have noticed, because we did cover it in the previous video

67
00:05:07,990 --> 00:05:15,940
is that in this example, we're already injecting our JavaScript code inside the JavaScript code.

68
00:05:16,810 --> 00:05:23,310
We already have this script that's opened right here and we also have it closed right here.

69
00:05:23,710 --> 00:05:26,440
So our input is somewhere inside.

70
00:05:27,450 --> 00:05:32,010
So one of the things that we need to specify at the start is a closing script tag.

71
00:05:33,150 --> 00:05:39,310
We also have this var right here that starts with a single quote, then we have curly brackets.

72
00:05:39,320 --> 00:05:42,650
We also have the square brackets, another curly bracket.

73
00:05:43,070 --> 00:05:48,290
And here where our input is, we have an open single quote.

74
00:05:49,130 --> 00:05:58,040
So we must first escape this var. We want to close all of these brackets in order to continue writing

75
00:05:58,040 --> 00:06:06,470
our script outside of this JSONResponseString. The easiest way that we can figure out which characters

76
00:06:06,470 --> 00:06:13,850
we need to specify at the beginning of our command is by going right here and simply copying these characters.

77
00:06:14,120 --> 00:06:19,480
So all of these characters are something that we need at the beginning.

78
00:06:20,180 --> 00:06:27,530
If we take a look at the source code, we will see that these characters correspond to the open

79
00:06:27,650 --> 00:06:33,430
brackets and also the double quotes right here and these single quotes right here.

80
00:06:34,010 --> 00:06:41,330
And we also have this semicolon at the end to replicate the end of the line that we have in JavaScript

81
00:06:41,330 --> 00:06:41,630
code.

82
00:06:42,970 --> 00:06:54,010
After that, we want to close our scripts since we are inside of the script and we want to open another

83
00:06:54,010 --> 00:06:54,370
script.

84
00:06:55,480 --> 00:07:01,390
We can do that by running something like this and then alert.

85
00:07:01,820 --> 00:07:02,320
Hello.

86
00:07:03,920 --> 00:07:11,270
And we close the script tag at the end, so this is our current payload: we have these brackets right

87
00:07:11,270 --> 00:07:17,750
here, close script tag, open script tag, alert function, and at the end, another close script tag.

88
00:07:18,320 --> 00:07:19,360
Let's click on Search.

89
00:07:19,850 --> 00:07:20,840
And here it is.

90
00:07:20,840 --> 00:07:22,280
We finally got it to work.

91
00:07:23,060 --> 00:07:26,660
So if I go to the source code of this page.

92
00:07:29,260 --> 00:07:34,330
And I once again find the alert function, here is our code.

93
00:07:35,510 --> 00:07:42,200
The JSONResponseString is getting closed with these brackets and the semicolon at the end of the line,

94
00:07:42,590 --> 00:07:49,010
and then we are injecting our JavaScript code after we close the previous script tag.

95
00:07:49,760 --> 00:07:50,200
Awesome.

96
00:07:50,510 --> 00:07:55,550
As you can see, there are a bunch of different examples of how we can exploit XSS.

97
00:07:55,550 --> 00:08:03,260
And I advise you to continue with the other examples right here to really grasp the concept of this

98
00:08:03,260 --> 00:08:03,870
vulnerability.

99
00:08:04,400 --> 00:08:08,540
Nonetheless, thank you for watching and I'll see you in the next lecture.