1
00:00:01,200  -->  00:00:02,660
<v Instructor>Now let's talk about</v>

2
00:00:02,660  -->  00:00:05,303
how we can prevent XSS vulnerabilities.

3
00:00:06,280  -->  00:00:09,510
The way these vulnerabilities happen is because

4
00:00:09,510  -->  00:00:12,590
whenever a user enters something into a text box

5
00:00:12,590  -->  00:00:17,590
or into a parameter, that input is displayed in the HTML

6
00:00:17,820  -->  00:00:21,580
so it's treated as if it's part of the page and therefore

7
00:00:21,580  -->  00:00:25,003
if there is JavaScript in it, the code is being executed.

8
00:00:25,930  -->  00:00:30,060
So, to prevent this exploit, the best thing to do is to try

9
00:00:30,060  -->  00:00:33,550
and minimize the usage of untrusted inputs

10
00:00:33,550  -->  00:00:36,130
so any time a user inputs something or any time

11
00:00:36,130  -->  00:00:40,380
something is input from parameters, try to minimize that.

12
00:00:40,380  -->  00:00:44,340
Also, make sure that you always escape whatever is going

13
00:00:44,340  -->  00:00:48,230
to be displayed or used in the HTML page

14
00:00:48,230  -->  00:00:51,820
because XSS can not only be injected into places

15
00:00:51,820  -->  00:00:53,760
where the things are displayed on the page

16
00:00:53,760  -->  00:00:57,060
but it can also be injected into parameters

17
00:00:57,060  -->  00:00:59,873
of certain elements of the HTML page.

18
00:01:02,050  -->  00:01:05,040
So what I mean by escaping is converting

19
00:01:05,040  -->  00:01:07,100
each of these characters to what

20
00:01:07,100  -->  00:01:10,550
they would be represented by in HTML.

21
00:01:10,550  -->  00:01:13,010
You can do that using scripts and you can do that

22
00:01:13,010  -->  00:01:14,353
using your own script.

23
00:01:15,310  -->  00:01:16,850
Now let me show you how this happens.

24
00:01:16,850  -->  00:01:20,250
Now, I'm here at my vulnerable web page that we were using

25
00:01:20,250  -->  00:01:23,520
and I'm gonna go to the stored one and obviously you

26
00:01:23,520  -->  00:01:27,180
can see that every time we click on that, the XSS runs.

27
00:01:27,180  -->  00:01:29,030
So let's inspect this element.

28
00:01:29,030  -->  00:01:32,870
Now this element is where we injected our alert

29
00:01:32,870  -->  00:01:36,700
and if we right click and go on inspect element,

30
00:01:36,700  -->  00:01:41,700
it will show us the HTML of this page or the HTML

31
00:01:41,820  -->  00:01:44,453
of this particular element right here highlighted.

32
00:01:46,210  -->  00:01:47,783
So I'm gonna make this bigger.

33
00:01:49,420  -->  00:01:51,540
And if we look at it right here,

34
00:01:51,540  -->  00:01:55,280
you'll see that we have the name and that's Zaid

35
00:01:56,460  -->  00:01:59,690
and then the other input which is the message,

36
00:01:59,690  -->  00:02:02,430
it's a script, and what the script does,

37
00:02:02,430  -->  00:02:05,960
it does alert XSS so it's exactly what we injected

38
00:02:05,960  -->  00:02:07,893
into it when we did the comment.

39
00:02:09,390  -->  00:02:11,410
So every time we run this page,

40
00:02:11,410  -->  00:02:14,670
this piece of code is executed.

41
00:02:14,670  -->  00:02:17,250
So what we need to do is make sure every time

42
00:02:17,250  -->  00:02:20,500
a user enters something and that something will be displayed

43
00:02:20,500  -->  00:02:24,130
on a page or that something would be used somewhere

44
00:02:24,130  -->  00:02:28,140
in the element, so even the id here or even the H,

45
00:02:28,140  -->  00:02:31,970
the id is just, for example, a parameter of the div,

46
00:02:31,970  -->  00:02:34,360
it's not displayed, you never see this id

47
00:02:34,360  -->  00:02:38,070
but this can be injected as well.

48
00:02:38,070  -->  00:02:40,820
So hackers can actually try to inject stuff

49
00:02:40,820  -->  00:02:43,360
into the parameters, they can try to inject stuff

50
00:02:43,360  -->  00:02:45,650
into the image attributes for example,

51
00:02:45,650  -->  00:02:48,830
they can do an image and inject stuff into the source

52
00:02:48,830  -->  00:02:50,250
or into the URL.

53
00:02:50,250  -->  00:02:53,280
So this is just an example here and every time

54
00:02:53,280  -->  00:02:56,830
a user's input is going to be used anywhere on the page

55
00:02:56,830  -->  00:02:59,960
so even if you don't see it, if you usually don't see it,

56
00:02:59,960  -->  00:03:03,080
you need to make sure that you escape that input

57
00:03:03,080  -->  00:03:05,940
and make sure that it does not contain any code

58
00:03:05,940  -->  00:03:08,700
and if it contains any code then it's converted

59
00:03:08,700  -->  00:03:11,660
to an equivalent so that the code will not be running

60
00:03:11,660  -->  00:03:15,070
so it's converted to its HTML equivalent so that

61
00:03:15,070  -->  00:03:17,100
you'll actually, once you escape this,

62
00:03:17,100  -->  00:03:19,240
you will actually see this in the message

63
00:03:19,240  -->  00:03:22,250
so you'll see the message as script alert XSS

64
00:03:22,250  -->  00:03:25,110
but it will never be executed,

65
00:03:25,110  -->  00:03:27,670
this script will never actually be executed

66
00:03:27,670  -->  00:03:29,723
on the target person when they run it.

67
00:03:32,280  -->  00:03:36,230
Now, as a user, to prevent yourself from being used

68
00:03:36,230  -->  00:03:39,750
in an XSS attack, now the URL coming to you

69
00:03:39,750  -->  00:03:42,860
will probably look like a URL of a trusted website

70
00:03:42,860  -->  00:03:46,180
for example, let's assume that you work in a company

71
00:03:46,180  -->  00:03:48,520
and there was an XSS in your company

72
00:03:48,520  -->  00:03:50,530
and you are logging in to your company

73
00:03:50,530  -->  00:03:52,600
and the code gets executed on you,

74
00:03:52,600  -->  00:03:54,930
then there isn't much you can do yourself

75
00:03:54,930  -->  00:03:56,270
but you need to be careful.

76
00:03:56,270  -->  00:03:59,630
So with BeEF we saw that, in order to exploit the vulnerabilities,

77
00:03:59,630  -->  00:04:02,220
we were showing for example a fake update,

78
00:04:02,220  -->  00:04:05,530
so if you get a message

79
00:04:05,530  -->  00:04:08,470
saying that there's an update, always make sure you actually go

80
00:04:08,470  -->  00:04:11,410
to the website that provides that application

81
00:04:11,410  -->  00:04:13,560
so if Firefox said that there's an update,

82
00:04:13,560  -->  00:04:17,350
go to the website of Firefox and see if

83
00:04:17,350  -->  00:04:19,980
there is actually an update and if there is,

84
00:04:19,980  -->  00:04:22,770
download it from that website, don't download it

85
00:04:22,770  -->  00:04:25,090
from the notification that you got.

86
00:04:25,090  -->  00:04:28,860
Also, make sure you're downloading it from an https website

87
00:04:28,860  -->  00:04:32,650
and once you download it, you can inspect it and check it

88
00:04:32,650  -->  00:04:35,260
the same way that we've seen before to make sure that

89
00:04:35,260  -->  00:04:38,608
there are no backdoors or anything in it.

90
00:04:38,608  -->  00:04:41,830
You can also check the md5sum to make sure that the file

91
00:04:41,830  -->  00:04:45,580
hasn't been manipulated while it was being downloaded.

92
00:04:45,580  -->  00:04:47,880
The same applies when we did the fake Facebook login

93
00:04:47,880  -->  00:04:51,660
when we were using BeEF, so what you can do is

94
00:04:51,660  -->  00:04:54,050
whenever you're told that you got logged out

95
00:04:54,050  -->  00:04:57,100
and please log back in, again, ignore that,

96
00:04:57,100  -->  00:05:00,770
go to facebook.com, make sure it's going through https

97
00:05:00,770  -->  00:05:02,563
and then log in to Facebook.

98
00:05:04,870  -->  00:05:08,930
So always try to be careful with notifications popping up

99
00:05:08,930  -->  00:05:10,640
telling you you need to do stuff.

100
00:05:10,640  -->  00:05:12,713
Always be wary and never trust them.
