1 00:00:00,420 --> 00:00:06,420 So the same-origin policy is a critical security mechanism for web applications.
2 00:00:07,640 --> 00:00:12,980 And it restricts how a document or script loaded from one origin
3 00:00:13,880 --> 00:00:17,930 can interact with a resource from another origin. Makes sense.
4 00:00:18,890 --> 00:00:26,240 So in other words, it helps to isolate potentially malicious documents and reduces the possible attack
5 00:00:26,240 --> 00:00:26,870 vectors.
6 00:00:27,920 --> 00:00:34,970 On the other hand, cross-origin resource sharing is a relaxation of the same-origin policy implemented
7 00:00:34,970 --> 00:00:45,320 in modern browsers, and CORS uses additional HTTP headers to tell browsers to give a web application
8 00:00:45,320 --> 00:00:50,000 running at one origin access to selected resources from a different origin.
9 00:00:51,140 --> 00:00:52,670 So I don't know.
10 00:00:52,700 --> 00:00:59,870 I think we can say this mechanism supports secure cross-origin requests and data transfers between browsers
11 00:00:59,870 --> 00:01:00,590 and servers.
12 00:01:02,090 --> 00:01:10,430 And also, for security reasons, browsers restrict cross-origin HTTP requests initiated from scripts.
13 00:01:11,770 --> 00:01:15,940 So that means in this lesson, we are going to examine CORS features.
14 00:01:17,610 --> 00:01:22,770 So after you log in to bWAPP, open Cross-Origin Resource Sharing from the menu.
15 00:01:23,660 --> 00:01:26,000 And it's a simple page, isn't it?
16 00:01:27,290 --> 00:01:28,610 But here's a different scenario.
17 00:01:29,060 --> 00:01:30,680 So there's a link on this page.
18 00:01:31,880 --> 00:01:38,120 And based on the security level, we are going to try to read the content of the file that this link
19 00:01:38,120 --> 00:01:38,710 points to.
20 00:01:40,020 --> 00:01:44,370 So there are some cross-origin obstacles to pass.
21 00:01:45,630 --> 00:01:50,130 OK, so now let's start with the first level. Enable FoxyProxy.
22 00:01:51,080 --> 00:01:55,430 Then we'll click on the secret link and the request will appear in Burp.
23 00:01:57,210 --> 00:01:59,280 Now, look at the first line of the request.
24 00:02:00,090 --> 00:02:03,120 It is secret-cors-1.php.
25 00:02:05,040 --> 00:02:07,110 But it doesn't look like there's anything suspicious.
26 00:02:08,050 --> 00:02:08,860 So forward it.
27 00:02:10,080 --> 00:02:15,360 Now you can see the response message, and it contains the secret of Neo.
28 00:02:16,990 --> 00:02:18,340 But also look at the headers.
29 00:02:19,810 --> 00:02:26,920 There is an Access-Control-Allow-Origin header with the value asterisk, which means accept requests from all
30 00:02:26,920 --> 00:02:27,460 origins.
31 00:02:28,800 --> 00:02:34,500 That's why the secret-cors-1 page accepts our request and shows the secret.
32 00:02:35,880 --> 00:02:38,490 OK, so then forward that response to the browser.
33 00:02:39,870 --> 00:02:41,670 All right, so now change the level to medium.
34 00:02:43,230 --> 00:02:44,790 And we have a new superhero.
35 00:02:45,000 --> 00:02:45,930 Wolverine.
36 00:02:47,230 --> 00:02:52,690 And we need his secret, but his secret is hidden behind this link.
37 00:02:53,350 --> 00:02:54,910 So click on the secret link.
38 00:02:55,960 --> 00:02:58,030 And Burp has a request now.
39 00:02:59,670 --> 00:03:03,090 And the first line is different from the previous request, huh?
40 00:03:04,320 --> 00:03:08,820 But now we are requesting the secret-cors-2 page.
41 00:03:09,870 --> 00:03:12,150 And there's nothing interesting here.
42 00:03:13,050 --> 00:03:14,460 So forward the request.
43 00:03:16,430 --> 00:03:20,540 But it doesn't look like we can read the secret.
44 00:03:21,330 --> 00:03:23,180 It's just a plain response message.
45 00:03:24,330 --> 00:03:25,200 So let it go.
46 00:03:27,380 --> 00:03:29,810 OK, so there is a hint here on the page.
47 00:03:30,730 --> 00:03:34,930 So the requested page can only accept a request from this origin.
48 00:03:35,650 --> 00:03:39,550 OK, so before going any further, let's have a look at the code.
49 00:03:42,930 --> 00:03:44,610 So this one is the main page.
50 00:03:45,770 --> 00:03:49,850 And based on the security level, it redirects us to the superhero pages.
51 00:03:51,160 --> 00:03:53,680 So scroll on down to the main part below.
52 00:03:54,940 --> 00:03:57,130 And it just prints the values, nothing more.
53 00:03:58,390 --> 00:03:59,140 So we can exit.
54 00:04:00,380 --> 00:04:02,240 And view the cors-1 file.
55 00:04:04,880 --> 00:04:07,490 And it just sets the header for all origins.
56 00:04:08,580 --> 00:04:09,840 And prints the secret.
57 00:04:11,010 --> 00:04:11,490 And so on.
58 00:04:13,050 --> 00:04:13,770 So exit.
59 00:04:14,960 --> 00:04:17,150 So what is inside cors-2?
60 00:04:18,620 --> 00:04:24,710 And it's not letting us read the secret, so it checks for a specific origin.
61 00:04:25,820 --> 00:04:31,970 So if somehow we can add this Origin header to our request, we'll be able to read the secret for Wolverine.
62 00:04:33,210 --> 00:04:35,370 So let's accept this and view cors-3.
63 00:04:39,580 --> 00:04:44,260 And on this page, there are no headers and extra security checks.
64 00:04:45,300 --> 00:04:47,190 So close that and go to Firefox.
65 00:04:48,860 --> 00:04:50,330 OK, now click the secret again.
66 00:04:51,340 --> 00:04:56,110 The request is in the proxy, and I'm going to add the Origin header.
67 00:04:57,020 --> 00:04:59,390 You can add it anywhere, except for the first line.
68 00:05:00,550 --> 00:05:06,610 So this means the origin of my request is the itsecgames.com origin that the page expects.
69 00:05:07,540 --> 00:05:09,160 So go ahead and forward it.
70 00:05:11,420 --> 00:05:12,440 And that's perfect.
71 00:05:12,470 --> 00:05:14,450 We are able to get Wolverine's secret.
72 00:05:16,010 --> 00:05:16,970 So let it go now.
73 00:05:18,410 --> 00:05:22,520 A few seconds ago, we intercepted the request and added the Origin header, right?
74 00:05:23,150 --> 00:05:30,740 But the developer wants us to try with Ajax, so open your terminals and I'll prepare an Ajax file.
75 00:05:31,890 --> 00:05:36,960 You can download all the files, and then after you download, move them to your web root directory in
76 00:05:36,960 --> 00:05:39,150 Kali because we're going to use them.
77 00:05:40,650 --> 00:05:43,950 OK, so I need to go to the web root directory.
78 00:05:44,980 --> 00:05:48,610 And the files in this directory are just like that.
79 00:05:49,720 --> 00:05:53,170 And I'm going to use the ones that start with cors.
80 00:05:54,100 --> 00:05:57,550 So just open cors.php.
81 00:05:59,940 --> 00:06:02,030 All right, so this is a simple file.
82 00:06:02,490 --> 00:06:04,200 It just includes the Ajax script.
83 00:06:05,280 --> 00:06:10,530 OK, so exit and view the JavaScript file, cors.js.
84 00:06:12,170 --> 00:06:17,410 And the script makes an Ajax call to secret-cors-2.php.
85 00:06:18,650 --> 00:06:20,120 It adds an Origin header.
86 00:06:21,390 --> 00:06:22,290 OK, go back.
87 00:06:23,780 --> 00:06:28,580 Open up a new tab and request the cors.php file on Kali.
88 00:06:30,650 --> 00:06:32,030 OK, so it's in Burp now.
89 00:06:32,980 --> 00:06:33,520 Forward it.
90 00:06:34,910 --> 00:06:39,710 And the page loads, and look at the script tags, they're calling for the Ajax file.
91 00:06:39,840 --> 00:06:40,550 OK, good.
92 00:06:40,560 --> 00:06:41,420 So forward it.
93 00:06:43,840 --> 00:06:46,710 And now the Ajax code is loaded into the browser.
94 00:06:47,980 --> 00:06:52,120 And then it sends a request to secret-cors-2.php,
95 00:06:53,150 --> 00:06:55,040 adding the Origin header.
96 00:06:56,150 --> 00:06:57,470 And see, this is what we want.
97 00:06:59,370 --> 00:07:00,990 But there's a problem.
98 00:07:02,610 --> 00:07:05,400 The Origin header value is not the same as in the code.
99 00:07:06,720 --> 00:07:10,020 Well, you know what, just forward it anyway.
100 00:07:11,910 --> 00:07:13,320 And there's really no secret.
101 00:07:14,780 --> 00:07:21,620 So to figure out what just happened, open up the web developer tools and go to the console tab.
102 00:07:22,750 --> 00:07:29,230 Let's have a look at the warnings, because changing the Origin header with Ajax in the browser is forbidden,
103 00:07:30,100 --> 00:07:31,630 so it points to the line.
104 00:07:32,950 --> 00:07:39,490 So the same-origin policy refuses to read the secret-cors-2.php file.
105 00:07:41,210 --> 00:07:44,540 So what do you think? I think these warnings explain everything quite well.
106 00:07:45,440 --> 00:07:47,330 So that means we need to find another solution.
107 00:07:48,700 --> 00:07:52,870 So what I like to do in these situations is use my good old friend curl.
108 00:07:53,830 --> 00:07:54,610 Do you know curl?
109 00:07:56,140 --> 00:07:57,760 You can always try a different way.
110 00:07:59,050 --> 00:08:00,610 OK, and then go back.
111 00:08:01,810 --> 00:08:04,450 curl is also implemented in PHP.
112 00:08:05,490 --> 00:08:08,910 So I'm going to show you cors-1.php.
113 00:08:09,480 --> 00:08:12,090 And this is the PHP curl code.
114 00:08:13,580 --> 00:08:17,090 And it will request the same page and show the response to us.
115 00:08:17,990 --> 00:08:20,450 And of course, it's going to add the Origin header.
116 00:08:21,710 --> 00:08:24,470 So in this case, we are going to request this page.
117 00:08:26,160 --> 00:08:33,450 And then in the background, curl will request the secret-cors-2.php page.
118 00:08:34,620 --> 00:08:36,630 OK, so go back to Firefox.
119 00:08:37,990 --> 00:08:42,520 Open a new tab and go to cors-1.php.
120 00:08:44,370 --> 00:08:46,050 And there's nothing here in this request.
121 00:08:47,060 --> 00:08:47,900 So just forward.
122 00:08:48,830 --> 00:08:50,960 Yeah, congratulations.
123 00:08:51,710 --> 00:08:55,460 We programmatically read Wolverine's secret.
124 00:08:56,430 --> 00:08:56,830 All right.
125 00:08:58,470 --> 00:09:00,000 We didn't even see what happened.
126 00:09:00,390 --> 00:09:03,480 Thankfully, curl did everything for us.