1 00:00:00,540 --> 00:00:03,670 Now it's time to perform the practical of XSS.
2 00:00:04,110 --> 00:00:08,010 OK, but first of all, you must follow some steps.
3 00:00:08,310 --> 00:00:13,560 So the first step to follow is find an input parameter, type anything there.
4 00:00:13,620 --> 00:00:16,590 And if you get a reply, then there may be XSS.
5 00:00:16,860 --> 00:00:20,930 And to confirm it, you have to inject JavaScript code there.
6 00:00:21,210 --> 00:00:25,140 And if you succeed, then there must be an XSS vulnerability.
7 00:00:25,590 --> 00:00:33,660 OK, now what I mean by input parameter: an input parameter could be your search bar, or the username and
8 00:00:33,660 --> 00:00:39,870 password fields you've generally found on the login page, or all of the fields you found on the sign-up
9 00:00:39,870 --> 00:00:46,580 page, or your contact us page, or forms, or comment boxes, etc.
10 00:00:47,250 --> 00:00:51,250 Now let's try to perform XSS attacks on my Web site.
11 00:00:52,290 --> 00:00:57,520 So here is a website which is test BHP dot villa dot com.
12 00:00:57,870 --> 00:01:04,380 OK, now this website is intentionally created vulnerable to their attacks so that students like you
13 00:01:04,380 --> 00:01:09,530 can perform SQL injection attacks or cross-site scripting attacks on websites.
14 00:01:09,870 --> 00:01:10,200 Right.
15 00:01:10,350 --> 00:01:16,560 And this website is running on Apache Web server and is built on PHP programming
16 00:01:16,560 --> 00:01:19,370 language, and database is MySQL.
17 00:01:20,130 --> 00:01:22,080 OK, to know other details,
18 00:01:22,080 --> 00:01:26,440 visit the homepage of this website and you will find other information here.
19 00:01:27,210 --> 00:01:30,900 OK, so this would be the URL which we are using.
20 00:01:31,590 --> 00:01:34,730 Now, let's close this box, OK?
21 00:01:35,130 --> 00:01:36,810 And let us input anything here.
22 00:01:36,810 --> 00:01:37,920 Let's say hello.
23 00:01:38,870 --> 00:01:41,770 OK, so you can see it is reflecting.
24 00:01:42,150 --> 00:01:42,720 Go back.
25 00:01:42,900 --> 00:01:43,330 Hello.
26 00:01:44,130 --> 00:01:53,160 OK, now let's try to inject a JavaScript code, so I will use a common script, which is script alert
27 00:01:53,820 --> 00:02:02,150 and let's say one, two, three, and then script close. Hit enter and see.
28 00:02:03,150 --> 00:02:06,730 So there is an XSS vulnerability here.
29 00:02:07,470 --> 00:02:13,060 OK, now you can try this on other pages as well, like browse categories.
30 00:02:13,720 --> 00:02:21,130 OK, let's go to Posters and let's say comment on this picture. Now here you will find two boxes.
31 00:02:21,150 --> 00:02:25,230 OK, so we are not sure about which one is vulnerable.
32 00:02:25,710 --> 00:02:28,410 So let's try hello one.
33 00:02:29,070 --> 00:02:34,400 And here, let's say hello two, and let's see which one will reflect back.
34 00:02:35,160 --> 00:02:37,810 It says hello and thank you for the comment, OK.
35 00:02:37,830 --> 00:02:40,100 That means the first field is vulnerable.
36 00:02:40,530 --> 00:02:46,200 OK, now to make sure we have to run a script again.
37 00:02:46,200 --> 00:02:55,410 So script alert and let's say one, two, three, and again close the tag.
38 00:02:57,300 --> 00:03:02,610 OK, and here anything which you like and click on submit.
39 00:03:03,870 --> 00:03:06,010 See, it is also vulnerable.
40 00:03:07,530 --> 00:03:09,430 Now let's move to sign a bit.
41 00:03:11,430 --> 00:03:16,500 Now I personally know that this is not vulnerable, OK, so I don't want to waste your time.
42 00:03:16,950 --> 00:03:20,070 Let me jump in a bit, OK?
43 00:03:20,070 --> 00:03:22,110 And let's try one of these.
44 00:03:22,350 --> 00:03:25,290 So let's say hello one, OK.
45 00:03:25,620 --> 00:03:34,170 And hello two, and to retype password we have to use hello two. Then in the name field we will use, let's say,
46 00:03:34,710 --> 00:03:36,770 the name would be A.B.C. again.
47 00:03:36,780 --> 00:03:37,130 Good go.
48 00:03:37,140 --> 00:03:39,570 No it would be anything like one, two, three, four, five, six.
49 00:03:40,860 --> 00:03:44,850 Then the email address which would be hello and direct.
50 00:03:47,470 --> 00:03:47,950 Hello.
51 00:03:49,360 --> 00:03:55,510 Dotcom and the phone number would be anything like nine nine nine nine nine eight seven, six, five,
52 00:03:55,510 --> 00:03:55,750 four.
53 00:03:55,870 --> 00:04:02,320 OK, and in the address, let's say hello three, OK.
54 00:04:02,530 --> 00:04:09,790 And click on Sign Up and you will see that all of these fields are vulnerable, right? Now
55 00:04:09,790 --> 00:04:16,570 you have to try to inject JavaScript code on all of them, right? Now
56 00:04:16,580 --> 00:04:21,250 I hope you know about the basic attack of cross-site scripting.
57 00:04:21,430 --> 00:04:21,770 Right.
58 00:04:22,270 --> 00:04:25,180 So now let's try this attack on a Web site.
59 00:04:25,390 --> 00:04:27,540 So let's say would land worldwide dot com.
60 00:04:28,270 --> 00:04:31,480 Let's go to search bar and let's say here,
61 00:04:32,110 --> 00:04:32,530 Hey.
62 00:04:33,940 --> 00:04:36,040 And see whether it is reflecting or not.
63 00:04:38,050 --> 00:04:42,810 OK, this is not a cell phone, but see, OK, it's reflecting this word.
64 00:04:43,790 --> 00:04:53,410 Now let's go yet again and let's try to run the script alert and one, two, three.
65 00:04:57,340 --> 00:04:58,780 OK, hit enter.
66 00:05:00,970 --> 00:05:04,810 OK, you see, suspected XSS attack, this page has been blocked by nightfall.
67 00:05:05,140 --> 00:05:12,490 I am using Nechvatal, whatever it is, blocking this bit, but click on visit anyway and see if it
68 00:05:12,490 --> 00:05:13,160 is vulnerable.
69 00:05:14,200 --> 00:05:17,560 OK, so this is a Web site, right?
70 00:05:20,460 --> 00:05:29,010 Now you have some more details to visit, you can try them by yourself, and in the next video, I will
71 00:05:29,010 --> 00:05:31,190 increase the level of XSS attack.