[00:00:00] Welcome back, and it is time that we cover another version of the XSS attack, which is called stored XSS.

[00:00:08] In the previous video, we covered the reflected XSS, and this is pretty much the same thing. It is the same vulnerability. Just this time our code will get stored on the server side, and it is more dangerous because everyone that visits that page from the time that we injected our JavaScript code will also run that code. You don't have to send them any link or anything else. The code will run by itself as soon as they visit that page, and we already know where we can find the example of stored XSS. So let us just go to our Metasploitable IP address.

[00:00:47] DVWA, and let us log in as usual. Make sure that your website is running and make sure that the intercept is turned off. I will zoom this in so we can see everything better, and let us first navigate to the security and check "low" right here. After we do that, let us submit and go to the stored XSS. So once again, this is the same vulnerability. We want to inject JavaScript code in a user input field. So what have we got here inside of our application? Well, it asks for name and message; vulnerability: stored cross-site scripting. And why is this stored? Well, if we take a look down here, it seems that someone already made a comment.
[00:01:40] Name is "Test", and the message or comment says "This is a test comment", and you might already see why this is stored: it is already on the page. And anyone that visits this page will also see this comment. So everyone that loads the page will also load this comment as a string. But what happens if we try to, for example, input JavaScript code? Will they also load that? Yes, they will. Let me show you an example.

[00:02:13] First, let us create a regular comment. So I'm just going to type "Aleksa" and "hello there, can you see me?" And let's sign the guestbook, and we can see right here our comment has been added, so everyone will also be able to see this. But what happens if we, for example, try to inject JavaScript code? Let's go with a simple alert script: script, alert. And if we continue typing, we will notice that we cannot freely type anymore in this field. So it could be that this field is limited to only a certain amount of characters. So let's just leave that on "test".

[00:03:01] And let's try to inject the code here. If I go with the script tag, then alert, and I alert one, and close the script tag here, we can input the entire script. So let's sign the guestbook, and our JavaScript code executes.
[00:03:22] There is no user input filtering. Therefore, since we are on the low level, we will inject a simple code such as alert one. Now, the good part about this is that, since this comment has been added to this list, every time we visit that page, every time, they will execute our code, or we will execute our code, so we don't have to type it once again as we had to with reflected XSS. Remember, if we type a simple alert script inside of the reflected one, it will execute. But once we change a page and go back to the reflected XSS, there is no code running. However, on stored we will run this code every time, and that is why it is more dangerous.

[00:04:11] For example, if you did the same attack as from the previous video where we stole cookies, if you inject that code here, then anyone that visits this page, their cookie will be sent to you, and you can then perform session hijacking or something else if cookies are configured correctly. And this will also happen if we log out of the page. For example, if I log out and I go back to the page, and go back to the stored XSS, this executes once again.

[00:04:44] Now, if this starts getting annoying because you want to start testing other examples as well, what you can do is you can go to Setup right here and create or reset the database.
[00:04:55] Once you click on this button, navigate back to the system and you will no longer have the comments that we added in this video. You will only have this test comment that is there by default. OK, great.

[00:05:07] Now let's take a look at the medium level security. Click on medium, submit. Go back to the XSS and I try to input right here. Hmm, it still seems to be limited characters, so we can't type longer words than this. Let's give it a try right here. So script, alert one. And here we can type "test". Hmm, it doesn't work. It seems that we get these slashes before our single quotes, so let's take a look at the source code just to see what is happening inside the vulnerable fields.

[00:05:53] And it tells us right here in the comments that this code right here sanitizes the message input, or in other words the comment input, and this sanitizes or filters the name input. So it seems that we have this htmlspecialchars function on top of the comment. And usually once you have that, there will be no XSS vulnerabilities, since it filters all the characters that you can use to perform an XSS attack. So most likely this part doesn't have any vulnerability. So message input, or comment input, is not something that we are going to try to attack. But what about this name input?
[00:06:33] It only has this string replace of the regular script tag with empty space, which we saw in the previous video. We can simply just bypass this with a capital script tag. But there is another problem that we encounter. We cannot specify more than a couple of characters in the name field. Is that something that we can bypass?

[00:06:56] Well, if I type like this, I will not be able to type more than this, but if I go and inspect element on this page, I find the name input right here, and I can do that by going right here on div, navigating to here, navigating to form, then from the form, this table, and I want to select this name input right here. So let us give it a try and see which one it is. It is this first one. And if I click on this last arrow, we can see right here that once we select the name input field, right here we got the max length of 10.

[00:07:42] Is that something that we can change? Well, let's give it a try. If I select that and instead of 10 I type one hundred, press enter, and I try to continue typing. Well, now it works. We navigated to this field, we found the name input field, and it said the max length was ten, but we just added another zero and now we can type even more characters. So let's give it a try.
[00:08:11] Remember, the only filtering that is inside of the name field is the script tag. Let us make it capital. Then here we can type anything, since we know that this is most likely not vulnerable to the attack. And if I click on Sign Guestbook, there it is, here is our XSS vulnerability.

[00:08:31] And that is all about stored XSS. It is completely the same as the reflected XSS. Just this will get stored on the server page, and anyone will load it once visiting that page. Great.

[00:08:46] Now that we covered XSS, in the next video I want to talk about a small vulnerability that many penetration testers skip when testing for web application vulnerabilities, and that is called HTML injection. And we are also going to mention why we should never skip checking for the HTML injection. See you in the next video.