1
00:00:03,061 --> 00:00:03,894
<v Instructor>In this lecture</v>

2
00:00:03,894 --> 00:00:04,820
and the next few lectures,

3
00:00:04,820 --> 00:00:09,460
we're going to talk about a vulnerability called XSS.

4
00:00:09,460 --> 00:00:12,083
XSS is short for cross-site scripting.

5
00:00:13,220 --> 00:00:15,980
This type of vulnerability allows an attacker

6
00:00:15,980 --> 00:00:19,023
to inject JavaScript into a page.

7
00:00:20,060 --> 00:00:22,630
So JavaScript is a programming language,

8
00:00:22,630 --> 00:00:24,880
and using this vulnerability,

9
00:00:24,880 --> 00:00:27,620
an attacker would be able to execute code

10
00:00:27,620 --> 00:00:31,463
written in JavaScript on a certain page of a website.

11
00:00:33,180 --> 00:00:35,710
JavaScript is a client-side language,

12
00:00:35,710 --> 00:00:38,780
so when the code is executed,

13
00:00:38,780 --> 00:00:41,670
it will be executed on the client, on the user,

14
00:00:41,670 --> 00:00:44,670
on the person who's browsing the web page.

15
00:00:44,670 --> 00:00:46,630
It's not going to be executed on the server,

16
00:00:46,630 --> 00:00:48,650
so even if your code results

17
00:00:48,650 --> 00:00:51,070
in giving you a reverse shell,

18
00:00:51,070 --> 00:00:53,160
the shell will be coming from the user

19
00:00:53,160 --> 00:00:54,450
who's browsing the page,

20
00:00:54,450 --> 00:00:57,200
and it's not going to be coming from the website.

21
00:00:57,200 --> 00:00:59,520
So any code you write in JavaScript

22
00:00:59,520 --> 00:01:03,130
will be exploited, or will run, on the target user,

23
00:01:03,130 --> 00:01:04,860
on the people who see the pages,

24
00:01:04,860 --> 00:01:07,600
and not on the web server.

25
00:01:07,600 --> 00:01:11,200
So the web server is only going to be used as a means

26
00:01:11,200 --> 00:01:14,563
of executing the code or delivering the code.

27
00:01:16,320 --> 00:01:19,620
There are three main types of XSS vulnerabilities:

28
00:01:19,620 --> 00:01:23,633
persistent or stored, reflected, and DOM-based.

29
00:01:26,680 --> 00:01:30,240
Stored XSS gets stored in the database.

30
00:01:30,240 --> 00:01:32,630
So the code that you inject will be stored

31
00:01:32,630 --> 00:01:34,840
in the database or in the page,

32
00:01:34,840 --> 00:01:38,210
so that every time any person views that page,

33
00:01:38,210 --> 00:01:39,963
your code will be executed.

34
00:01:41,380 --> 00:01:42,830
And with the reflected one,

35
00:01:42,830 --> 00:01:45,500
the code will only be executed

36
00:01:45,500 --> 00:01:49,510
when the target user runs a specific URL crafted

37
00:01:49,510 --> 00:01:51,030
or written by you.

38
00:01:51,030 --> 00:01:53,650
So you'll be manipulating some sort of URL

39
00:01:53,650 --> 00:01:55,300
and sending it to a target,

40
00:01:55,300 --> 00:01:56,840
and when they run that target,

41
00:01:56,840 --> 00:01:59,943
when they run that URL, the code will be executed.

42
00:02:02,370 --> 00:02:06,444
The DOM-based one results from JavaScript code written

43
00:02:06,444 --> 00:02:07,890
on the client.

44
00:02:07,890 --> 00:02:10,270
So the code will actually be interpreted

45
00:02:10,270 --> 00:02:12,320
and run on the client side

46
00:02:12,320 --> 00:02:16,120
without having any communication with the web server.

47
00:02:16,120 --> 00:02:17,660
These could be very dangerous,

48
00:02:17,660 --> 00:02:21,520
because sometimes web servers apply some sort of security

49
00:02:21,520 --> 00:02:24,250
and filtration to check for XSS,

50
00:02:24,250 --> 00:02:27,700
but with DOM-based, the code never gets sent

51
00:02:27,700 --> 00:02:31,040
to the web server, so the code will be interpreted

52
00:02:31,040 --> 00:02:34,470
and run in the web browser without even interacting

53
00:02:34,470 --> 00:02:36,610
with the web server.

54
00:02:36,610 --> 00:02:38,953
And these will be present in websites

55
00:02:38,953 --> 00:02:41,850
that update their content without a refresh.

56
00:02:41,850 --> 00:02:44,840
So we've all used websites where you put in your username,

57
00:02:44,840 --> 00:02:46,660
for example, and it loads in straight away

58
00:02:46,660 --> 00:02:48,980
without having to check with the web server,

59
00:02:48,980 --> 00:02:51,500
or you put in some sort of string

60
00:02:51,500 --> 00:02:53,560
and it does a search without communicating

61
00:02:53,560 --> 00:02:54,600
with the web server,

62
00:02:54,600 --> 00:02:56,260
or it does something without communicating

63
00:02:56,260 --> 00:02:57,390
with the web server.

64
00:02:57,390 --> 00:03:00,030
So if you're able to inject into that,

65
00:03:00,030 --> 00:03:02,870
then this injection will not be validated,

66
00:03:02,870 --> 00:03:05,193
so it'll be executed straight away

67
00:03:05,193 --> 00:03:07,263
and bypass all validations.