1
00:00:01,150 --> 00:00:03,210
<v Zaid>So let's talk about how to discover</v>

2
00:00:03,210 --> 00:00:05,290
these kinds of vulnerabilities.

3
00:00:05,290 --> 00:00:09,380
Very similar to SQL injections, the way to do this is

4
00:00:09,380 --> 00:00:12,570
you browse through your target and try to inject

5
00:00:12,570 --> 00:00:14,332
any text box or

6
00:00:14,332 --> 00:00:17,360
any URL

7
00:00:17,360 --> 00:00:19,230
that looks similar to this.

8
00:00:19,230 --> 00:00:21,650
So whenever you see a URL with parameters,

9
00:00:21,650 --> 00:00:23,370
try to inject these parameters

10
00:00:23,370 --> 00:00:25,763
or try to inject into text boxes.

11
00:00:28,650 --> 00:00:31,990
So let's have a look at a reflected XSS example.

12
00:00:31,990 --> 00:00:35,930
So these are the non-persistent, not stored vulnerabilities

13
00:00:35,930 --> 00:00:39,110
where you have to actually send the code to the target,

14
00:00:39,110 --> 00:00:40,940
and once the target runs the code,

15
00:00:40,940 --> 00:00:42,993
it will be executed on their machine.

16
00:00:45,740 --> 00:00:50,740
So let's have a look at our DVWA website.

17
00:00:52,060 --> 00:00:53,360
And I'm just gonna log in.

18
00:01:01,597 --> 00:01:06,264
And then we're gonna have an example of a reflected XSS.

19
00:01:07,320 --> 00:01:10,160
So as you can see now, you can put your name here

20
00:01:10,160 --> 00:01:11,730
for this text box,

21
00:01:11,730 --> 00:01:13,730
and it's just gonna say 'Hello'.

22
00:01:13,730 --> 00:01:16,460
Now this is obviously just an example

23
00:01:16,460 --> 00:01:19,820
but the idea is you can inject into text boxes.

24
00:01:19,820 --> 00:01:23,140
Also if you have a look at the URL here,

25
00:01:23,140 --> 00:01:24,540
you'll see that it's a GET,

26
00:01:24,540 --> 00:01:27,730
so you can inject into the URL as well.

27
00:01:27,730 --> 00:01:30,037
So let me start Leafpad.

28
00:01:32,900 --> 00:01:36,200
And let's try to inject XSS code on this

29
00:01:36,200 --> 00:01:38,960
and see if the code will be executed,

30
00:01:38,960 --> 00:01:40,870
or JavaScript code, sorry.

31
00:01:40,870 --> 00:01:43,963
So what I'm going to use is a very simple script,

32
00:01:45,560 --> 00:01:48,750
so we're using the script and a slash script tag.

33
00:01:48,750 --> 00:01:51,290
Now there are a lot of ways of discovering

34
00:01:51,290 --> 00:01:52,670
these kinds of vulnerabilities

35
00:01:52,670 --> 00:01:54,930
and a lot of ways to bypass filters,

36
00:01:54,930 --> 00:01:57,182
but for now we're just having a look at the basic case

37
00:01:57,182 --> 00:01:59,573
where we can inject a normal script.

38
00:02:00,470 --> 00:02:04,220
And I'm going to say 'alert', which is just a function

39
00:02:04,220 --> 00:02:06,830
to give an alert, to give a text box,

40
00:02:06,830 --> 00:02:08,770
and I'm gonna say...

41
00:02:11,574 --> 00:02:12,407
'XSS'.

42
00:02:13,430 --> 00:02:15,010
So I'm gonna click on 'submit'

43
00:02:15,010 --> 00:02:17,493
and we'll see if this code will be executed.

44
00:02:21,000 --> 00:02:24,130
And as you can see now, it's actually executed my code.

45
00:02:24,130 --> 00:02:27,740
So instead of saying 'Hello Zaid' here, it said 'Hello'

46
00:02:27,740 --> 00:02:32,740
and my code has been executed and it produced this 'XSS'.

47
00:02:34,260 --> 00:02:37,280
So we can do the same here, if you have a look at the URL,

48
00:02:37,280 --> 00:02:39,063
it actually already did it for us.

49
00:02:40,280 --> 00:02:42,410
But if we look at the URL here,

50
00:02:42,410 --> 00:02:44,310
it's just gonna be a bit bigger there.

51
00:02:45,620 --> 00:02:47,720
We can see that the name has been...

52
00:02:47,720 --> 00:02:50,440
obviously all of these characters are just

53
00:02:50,440 --> 00:02:52,268
HTML escape characters.

54
00:02:52,268 --> 00:02:56,380
And now if you send this URL to anybody,

55
00:02:56,380 --> 00:03:00,500
whoever views that URL, the code will be executed

56
00:03:00,500 --> 00:03:03,167
on their machine and it's gonna say 'XSS'.

57
00:03:04,500 --> 00:03:05,420
So let me show you here,

58
00:03:05,420 --> 00:03:07,630
you can also inject this in the URL,

59
00:03:07,630 --> 00:03:10,340
I just wanna show you the whole idea of that.

60
00:03:10,340 --> 00:03:14,597
So we have script, slash script, XSS.

61
00:03:33,638 --> 00:03:36,500
And if I hit Enter, the code will be executed.

62
00:03:36,500 --> 00:03:38,690
So as I said, we can copy this

63
00:03:38,690 --> 00:03:40,720
and send it to a certain person

64
00:03:40,720 --> 00:03:44,020
and once they run that code, this code will be executed

65
00:03:44,020 --> 00:03:44,983
on their machine.