Input and output manipulation is the most important part of hacking websites and web apps. The two most well-known vulnerabilities, XSS and SQL injection, are the subjects of this section. If the inputs and/or outputs of a website are not adequately validated, they might be the subjects of exploitation.

But before we start talking about input and output manipulation, we should understand a few terms and policies first. One of them is the same-origin policy. A web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that web page's Document Object Model. Thanks to this rule, website A cannot access the session ID of website B.

An origin is the combination of the protocol used for the communication, the entire hostname, and the port.

Let's have a look at a few pages and see if they can access the useme.js file. This page can access the useme.js script because the protocol, host and port are the same. Remember, if we don't specify the port, the default port is used, and the default port for the HTTP protocol is 80.

This page cannot access the script resources. The hostnames are different. Be careful: www.YouTube.com is not the same as ABC.com. These are two different domains. In most cases, you go straight to the www page, even though you don't put it into the URL. For example, if you write google.com in the address bar of a browser, you reach the www.google.com page. Now, that doesn't mean that these two addresses are the same. That means Google servers redirect you to the www.google.com address when you try to reach google.com.

And look at that, the ports are different.

JavaScript is a high-level, interpreted programming language. Alongside HTML and CSS, JavaScript is one of the three core technologies of World Wide Web content production. It is used to make web pages interactive and provide online programs. It's the JavaScript code that runs in the browsers. The majority of websites employ it, and all modern web browsers support it without the need for plug-ins.

JavaScript can be used in an HTML file in three different ways. You can write JavaScript code into a different source file and call it from the HTML page. You can write script code into the HTML file using script tags. You can write script code in event handlers.

So, everything exchanged between the browser and the server is an input or output of the web application: text or edit boxes on the web page, headers of the request sent to the app, hidden fields, or even a header that does not exist in the original request might be an input field for the application.

To minimize the risk of threats, one of the most important principles is validation of input and output fields. When the input source is not 100 percent reliable, the input is not reliable and shouldn't be used inside the system before validating.

Client-side input validation is done by script: JavaScript, VBScript, etc. The main purpose of client-side controls is performance. Users are warned about their mistakes before sending their request to the server. From the security perspective, client-side controls can easily be bypassed. Remember, we are able to intercept the traffic between the browser and the server using personal proxies, for example Burp Suite.

So let's see another way to bypass client-side controls. We leave a message in a friend's guestbook. But the maxlength of the message field is 50. We want to leave a longer message. Right-click, Inspect Element, and increase the maxlength value. Now we're able to leave a longer message.

So for this reason, client-side controls are good for performance. In addition, server-side controls have got to be done for security reasons.

While validating input parameters, we can talk about two different approaches. In the first approach, we have a blacklist, and in the second approach, we have a whitelist. The first approach does not allow the inputs which exist in the list. The second approach only allows the inputs which exist in the list. The first approach is called negative data validation, and the second approach is called positive data validation.

The first approach, negative data validation, is dangerous, and it's not advised to use. First, the number of malicious inputs is theoretically indefinite. Developers should think of every possible form of the characters: capitalized, encoded or escaped; seriously, anything you could think of. Secondly, developers should be careful about the algorithm of this sanitization method.

Output validation is as important as input validation. Outputs which are sent to the client should be sanitised just before they're sent by the server. Even if we validate inputs, we should validate outputs as well. The output prepared to be sent to the client on the server side may have turned into a harmful value.

Encoding, also known as character escaping, is an effective approach for both input and output validation. If you encode the special characters, they are not going to be interpreted and are just printed out.

For example, we have a blog and we would like to publish a post that includes these lines. While testing for XSS, first try this. We prepared this page. Show the page without HTML encoding. When we call the page, we get the message on the screen because script tags are interpreted by the browser and this script runs. If we encode the smaller-than character, it's no more a tag starter; it's just a character to print out. Now, escape the smaller-than character, save the file, call it from Firefox, show the result.
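The three rules the lecture walks through (an origin is protocol plus full hostname plus port, with the default port filled in when none is given; positive rather than negative validation; and HTML-encoding output so `<` is printed instead of starting a tag) are shown together below as an added JavaScript example. It is not code from the course: the URLs, the nickname pattern and the sample post are constructed for illustration, and `sameOrigin` is a model of the browser's comparison rule, not the browser's own implementation.

```javascript
// Added example, not from the course. Models the same-origin comparison the
// lecture describes, a positive (whitelist) validator, and the HTML-encoding
// step from the blog/XSS demo. Sample values are constructed.

// Default ports used when a URL omits one (the lecture's "default port" rule).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (protocol, hostname, port) triple that defines its origin.
// The URL parser drops a port equal to the scheme default, so "" means default.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : DEFAULT_PORTS[u.protocol];
  return { protocol: u.protocol, hostname: u.hostname.toLowerCase(), port };
}

// Two URLs share an origin only if all three parts match exactly;
// "www.example.com" and "example.com" are different hosts.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

// Positive data validation for a guestbook nickname: only a small, explicitly
// allowed character set and length pass; everything else is rejected server-side.
function isValidNickname(name) {
  return /^[A-Za-z0-9_]{1,20}$/.test(name);
}

// Output encoding: replace the characters HTML treats as markup so that
// user-supplied text is displayed literally instead of interpreted.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a blog post body the way the lecture's "with HTML encoding" page does:
// the encoded text is inserted into the element instead of the raw value.
function renderPost(body) {
  return `<div class="post">${htmlEncode(body)}</div>`;
}

// Constructed sample post, like the test post in the lecture. Once encoded,
// the browser prints the tag text rather than running it.
const samplePost = '<script>alert("test")</script>';
console.log(renderPost(samplePost));
console.log(sameOrigin("http://www.example.com/page.html", "http://www.example.com:80/useme.js"));
```

The encoding step runs at render time, immediately before the value leaves the server, which is the point the lecture makes about output validation being needed even when inputs were already checked.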