[00:00:12] Hey, guys, welcome back to another episode on How to Hack. So we're here at Mutillidae today, which is a vulnerable web application platform for us to learn about ethical hacking and penetration testing on common web vulnerabilities. And this is all supported on the left side, as you can see: Open Web Application Security Project 2017. And today we're going to look at cross-site scripting. So right here, OK, we have this page, which is the password generator page. So you can access this from OWASP 2017, go under A1 Injection (Other), and then you can go ahead and click under JavaScript Injection and click under Password Generator. OK, go ahead and click on it. So once you're in, you can see the following. Right. "Making strong passwords is important. Click the button below to generate a password. This password is for anonymous." So once you click Generate Password, you can see that it will automatically generate some recommended passwords, and it has 10 characters and a mixture of alphabets with cases and symbols. So the next thing for us to do, in terms of examining this web page, is: where is the injection point? Where exactly can we go after and input our payload into the system? So that's the key question to ask when you're examining a web page.
[00:01:28] So what we can do now is I can go ahead and use the magnifier so that it's easier for you to see. So the number one injection point that we can go after is actually on the URL. So as you can see here, we have the following. You have index.php, question mark, page equals password-generator, and username equals. OK, and this is a really important part, because all I'm going to do is just change the username equals. Let's say I change it to Loi Liang Yang. I hit Enter on this and we can see it update: this password is for Loi Liang Yang. So immediately we can see the changes, and this is going to be the input for us to be able to inject into the website, injecting our own script into the website, which is called cross-site scripting, injecting our own script into the site. So what I can do next is go to the top right corner and you can go ahead and click on Preferences, and in Preferences, scroll all the way down, to the right, click under Network Settings and select Manual proxy configuration. All right. So we have the proxy. All right. This is 127.0.0.1 on port 8080. So click OK on this. And what I can do is to go ahead and open up a terminal, and all I've got to do is enter burpsuite, hit Enter on this.
[00:02:49] And this was started purposely to intercept all the information that we send from the browser into the web application system. So I can click Close, I can click Next, and I can use defaults, click Start Burp. So once we're in, go under the Proxy tab and make sure that you have intercept on. All right, so once intercept is on, go back to Firefox, OK, I can do a refresh. All right. And right here we have intercepted it, so I can do a right click, Send to Repeater. Right. Go in and click on the Repeater, so you can see the Repeater tab in orange now. Right. And right here we can see we have the GET. All right. And then we have page, password-generator. Right. And username equals, so you can just click Send and I can do a quick search. And this is the part that is displaying. All right. Using .innerHTML. So there is document.getElementById. So this is an element inside the HTML page, which is called ID username input. All right. And .innerHTML: this password is for Loi Liang Yang. So they are actually updating the information through this JavaScript, as you can see here.
[00:04:02] And we have the script, OK, and we have try, we have document.getElementById, and we have catch, alert e as an error. It would actually display the error message using e.message. OK, so it's very important for us to actually understand JavaScript, HTML, and how it is being used to actually represent information. All right. How it is being used to give the user a different kind of customer experience. So what we can do next is to go ahead and copy this whole chunk of script. All right, do a right click and you can just click on Copy. You can just do a Ctrl+C, go ahead and open up, for example, Mousepad. All right. Or you can use any of the IDEs to actually paste the code over. OK, and I'm going to explain to you precisely what it all means. How are we able to generate a payload that allows us to actually hijack into the JavaScript? OK, so over here, this is the value. The one highlighted in purple is the value that we are trying to replace. So we're trying to replace it with our own script. So, of course, what we can do next is that we can go ahead. OK, I already have the payload on the top here, as you can see. But I want to explain to you precisely what we are trying to do. All right. So we have "this password is for" the following user.
[00:05:19] OK, and what we're trying to do now is I'm just going to highlight to you how it looks when we try to inject it. OK, so what we are trying to do here is to close this off. All right. So we are closing this off. All right. And again, this is a semicolon that is used in JavaScript to actually help us close off the initial statement. All right. And of course, the next thing you can look at is, in terms of over here, you have clearly an open bracket, try, OK. And then we can close it with a closing curly bracket over here, so we can close it over here. So this will close the try statement. And what we can do next is to replicate what is shown over here, which is a catch. So we're trying to catch some error messages, so I can enter catch. OK, so we are repeating here, and then I can have an open bracket followed by a closing curly bracket. OK, so again, we are not going to have any kind of display of data or display of information when we catch an error message. That's not the purpose of what we're trying to do here in the payload. What we're trying to do here is to have our own script, and we want to test whether this site is susceptible to cross-site scripting. So we will use, over here, OK, the alert.
[00:06:32] All right. This would then be sent. All right. Immediately, or being executed immediately: "Hacked by Loi." All right. And what I can do now is to have a semicolon, OK? And this closes off the first part of everything that you're seeing here. OK, so this closes off the first part of everything you're seeing here. So what we're trying to do next is to be able to close off the rest of the instructions. OK, we're trying to close off the rest of the instructions, so we have the try. All right. Then we have an open curly bracket, and then you can put whatever variable name you want. OK, so all we've got to do is, over here, OK, equals, and then followed by a double quote. So this double quote will close off this part. All right. So this curly bracket and this double quote are because of this part. OK, close all this part, and then you have a closing curly bracket. That will close off the try, and then you have a catch. So this closes the rest of the other part of the script, the ending part of the earlier script that you saw. So with that, this is the whole payload. So the payload will start from this part, OK, which is the double quote, all the way to the following. OK, so this will be OK.
[00:07:41] And we'll inject this into the website to check whether this site is susceptible to cross-site scripting attacks. So what I can do now is to go back, OK, and copy the payload here. OK, go ahead. Copied over here is the same payload. So I go back to, say, Firefox, which is your browser, and I can actually go under Preferences. OK. And I can close off the proxy, no more proxy, and go back to the browser, and all I've got to do is paste the payload over here. OK, so let me just delete off the first name. All right. So we have the following payload in the URL: Loi Liang Yang, double quote, semicolon, closing curly bracket. All right, catch followed by e, all right. And closing off of the catch statement, our alert. All right. So we're trying to test whether the site is susceptible to cross-site scripting attack, and closing off the rest of the JavaScript statement. All right. So let's hit Enter and see what happens right here. We've got a pop-up. OK, so again, what can we do when a website is susceptible to JavaScript attacks?
[00:08:48] It means that we're able to, for example, copy this whole thing, send it to a user, and once the user clicks onto the link, we can redirect a user, we can redirect a user to a different site, OK? We can make certain instructions, for example, taking the cookie data of the user and sending it over into our own server that we have running to capture all that data and information. So there are a lot of things that you can do once you discover a cross-site scripting vulnerability on a website, and you can exploit it for a lot of different kinds of payloads. Right. So once again, I hope you've learned something valuable in today's tutorial. And if you have any questions, feel free to leave a comment below and I'll try my best to answer any of your questions, and do like, share, subscribe to the channel so that you can be kept abreast of the latest cybersecurity tutorials. Thank you so much once again for watching.