1
00:00:00,870 --> 00:00:06,540
So this year, we're going to learn the theory about this Crozet scripting and this crossover script

2
00:00:07,080 --> 00:00:13,710
called Exercice Extensor, Crosslands cited scripting this type of winnability episode for any number

3
00:00:13,710 --> 00:00:20,790
of applications and what this one attachments this excessive attacks and allows attackers to Ukraine.

4
00:00:20,940 --> 00:00:23,190
Subscription to the police will be added to this.

5
00:00:23,340 --> 00:00:30,620
So this accidents so we can inject our client script, which is a JavaScript we can send through this

6
00:00:30,630 --> 00:00:34,580
HDMI request and that will be passed by the server.

7
00:00:34,590 --> 00:00:38,220
And if there is any misconfiguration, this is where it occurs.

8
00:00:38,340 --> 00:00:45,300
And the script are the payload, which is written in the JavaScript that will be accepted by the server

9
00:00:45,300 --> 00:00:47,880
and that is reflected in our browser.

10
00:00:48,570 --> 00:00:54,300
So this is somewhat background about this axis and Microsoft, including using the term crosshairs grouping

11
00:00:54,300 --> 00:00:55,410
in January 2000.

12
00:00:55,920 --> 00:01:00,920
And you can read the background information about this across scripting in Wikipedia.

13
00:01:01,320 --> 00:01:10,620
And there are some types of this exercise that I just say and explain briefly without, uh, explaining

14
00:01:10,620 --> 00:01:11,580
all these paragraphs.

15
00:01:11,850 --> 00:01:13,730
So first one is non persistent.

16
00:01:14,670 --> 00:01:19,920
So what this means is if you want to send the script along with the request.

17
00:01:21,150 --> 00:01:24,150
And then it will be executed by the Observer.

18
00:01:24,450 --> 00:01:30,470
So after execution, you will get the same execution on the, uh, brother.

19
00:01:31,080 --> 00:01:32,300
So that is correct.

20
00:01:32,460 --> 00:01:37,620
So whatever the execution, the observers say that will be reflected in our process.

21
00:01:37,740 --> 00:01:45,810
That is factor and next to is persistent are still so in this exercise or you will send the Jamelske

22
00:01:46,320 --> 00:01:51,510
as usual, but it will be stored in a database or any other file format.

23
00:01:51,780 --> 00:01:52,350
So.

24
00:01:53,300 --> 00:01:58,400
That shorter period will get executed whenever you are watching this.

25
00:01:58,580 --> 00:02:05,180
So if suppose, let's say example, this is Iraq and this is where you are, I'm sending the period

26
00:02:05,690 --> 00:02:12,770
by putting the hash out something in the water and that will be stored in a database.

27
00:02:13,700 --> 00:02:21,770
So whenever I wrote this, uh, Web page automatically, the period, according respect to this website,

28
00:02:21,770 --> 00:02:22,580
will get through the.

29
00:02:24,030 --> 00:02:25,930
So don't worry, this sounds confusing.

30
00:02:25,950 --> 00:02:30,870
We'll do the demo in the studio, so simply understand this still exists.

31
00:02:30,870 --> 00:02:34,740
Our JavaScript script will be stored in a database.

32
00:02:34,740 --> 00:02:41,790
And whenever I, uh, just visit this website, that will be triggered.

33
00:02:42,000 --> 00:02:47,250
So it will it is very dangerous because it will affect our other users also.

34
00:02:47,430 --> 00:02:49,440
And you can also steal the keys.

35
00:02:49,650 --> 00:02:52,390
And we can also use this dataset.

36
00:02:52,590 --> 00:02:56,550
And you can also do this, uh, website.

37
00:02:57,090 --> 00:02:57,510
Uh.

38
00:03:02,510 --> 00:03:09,470
Website before so this, uh, some of these attacks you can do with Exercice, so Nashton is done based

39
00:03:09,470 --> 00:03:10,060
on this.

40
00:03:10,070 --> 00:03:17,560
In this we will modify the HDMI, uh, content and we press the, uh, using this.

41
00:03:17,780 --> 00:03:19,730
We have already seen this one.

42
00:03:19,740 --> 00:03:23,030
And so we can use this a.l elements.

43
00:03:23,180 --> 00:03:25,490
We can access these elements with the DOM.

44
00:03:25,490 --> 00:03:31,170
And you can just instead of putting some values, we can put the Dallas Crippler.

45
00:03:31,700 --> 00:03:34,340
So this is a sulphurous and mutator axis.

46
00:03:34,610 --> 00:03:42,380
So disservices is not an actual axis because, uh, this is not stored on a server, not, uh, reflected

47
00:03:42,380 --> 00:03:42,920
on a server.

48
00:03:42,920 --> 00:03:49,340
But we will bring the user into executing this exercise so users may find easy redoes.

49
00:03:49,610 --> 00:03:57,740
But, uh, you are you can just use a shock to, uh, uh, hide the pillar.

50
00:03:58,130 --> 00:04:01,470
So these are the basic types of this, uh, axis.

51
00:04:01,470 --> 00:04:04,680
This one is the reflector and the self.

52
00:04:05,000 --> 00:04:13,880
So this is, uh, so in each time we need to send the crippler and then it will execute and the observer

53
00:04:13,880 --> 00:04:20,330
and we get the reflection and then the stored fuel cell, once the better it will be stored in the database

54
00:04:20,330 --> 00:04:21,500
until it resets.

55
00:04:21,650 --> 00:04:27,290
And then whoever it is that will set and that corresponding will get executer.