1 00:00:00,360 --> 00:00:02,400 Hello everybody and welcome back.
2 00:00:02,430 --> 00:00:05,690 And let us continue with our cross-site scripting attack.
3 00:00:05,760 --> 00:00:12,180 So in the previous video we discovered that this page right here is vulnerable to the reflected cross-site
4 00:00:12,180 --> 00:00:14,670 scripting, as we checked with the alert.
5 00:00:14,670 --> 00:00:15,280 Hello.
6 00:00:15,330 --> 00:00:15,920 Uh.
7 00:00:15,930 --> 00:00:16,770 Function.
8 00:00:16,770 --> 00:00:22,870 And it opened up a window where it says hello, and it can also be used to send over a link to any victim.
9 00:00:22,980 --> 00:00:25,080 And that is the reflected cross,
10 00:00:25,320 --> 00:00:28,250 uh, cross-site scripting attack.
11 00:00:28,320 --> 00:00:34,950 Now this cross-site scripting can be done both over GET and over POST methods.
12 00:00:34,950 --> 00:00:41,490 This one right here was an example of the GET method, as we can see in the link we're sending it.
13 00:00:41,490 --> 00:00:49,700 So it means it is over the GET method. I can show you once again, so we can just type here, open this
14 00:00:50,610 --> 00:00:59,360 and then intercept it in Burp Suite and then submit it, and you will see that it is the GET method. I just can't
15 00:00:59,360 --> 00:01:02,440 see that packet, which is a little bit weird.
16 00:01:02,480 --> 00:01:03,500 Did I click on it?
17 00:01:05,180 --> 00:01:05,990 Submit.
18 00:01:08,780 --> 00:01:14,810 Weird, it doesn't want to work. It doesn't matter at this time.
19 00:01:14,820 --> 00:01:20,100 So just trust me on my word, it is the GET method.
20 00:01:20,100 --> 00:01:23,370 So let us continue with the next attack.
21 00:01:23,370 --> 00:01:27,950 So let us open up our little machine once again.
22 00:01:28,260 --> 00:01:36,630 Let me just open up a fresh page first, open page, and right now where you want to go, if you want to find
23 00:01:36,630 --> 00:01:42,590 the WackoPicko page, let me just find this right here.
24 00:01:42,660 --> 00:01:43,260 There it is.
25 00:01:43,290 --> 00:01:46,060 So just click on it.
26 00:01:46,150 --> 00:01:50,710 It will lead you to a page that we didn't visit previously.
27 00:01:51,250 --> 00:01:57,100 So it is new for us. Where we want to go right here is, we want to go to the guestbook right here.
28 00:02:03,300 --> 00:02:10,350 It is taking a little bit to load up, and as you can see right here it loaded the hello window screen
29 00:02:10,560 --> 00:02:18,190 for me. Now for you it will not load that, since I already tested some of the comments on this website
30 00:02:18,510 --> 00:02:26,490 and on this certain page, guestbook page, and every time now that I visit this, uh, it will prompt me
31 00:02:26,550 --> 00:02:30,410 with the hello screen. What does that mean?
32 00:02:30,440 --> 00:02:36,000 Basically it means that this is the example of a stored cross-site scripting attack.
33 00:02:36,070 --> 00:02:36,920 Why is it stored?
34 00:02:37,010 --> 00:02:44,690 Well, basically anyone, anywhere, who visits this page will get that window shown, and in the previous
35 00:02:44,690 --> 00:02:49,950 attack you would have to send that over a link in order for that window to show, since that is a reflected
36 00:02:49,950 --> 00:02:51,470 cross-site scripting attack.
37 00:02:51,500 --> 00:02:57,590 This is a more dangerous version of the cross-site scripting, and it will save the part of the code
38 00:02:57,620 --> 00:03:03,080 on the website and it will show it to anyone who visits this page.
39 00:03:03,080 --> 00:03:06,230 So basically what I did here is access this test
40 00:03:08,930 --> 00:03:16,910 and I type here script and then the same script that we used in the previous video, so hello, or we
41 00:03:16,910 --> 00:03:22,490 can just type here something else, let's say capital Hello, and see if it runs that as well.
42 00:03:22,580 --> 00:03:29,830 And then we close this script, and if we submit it you can see that it prints out with big letters.
43 00:03:29,850 --> 00:03:30,710 Hello.
44 00:03:30,820 --> 00:03:34,310 Now you do not have to send any link to the victim.
45 00:03:34,310 --> 00:03:42,110 Basically what the victim has to do is just open up the page by themselves, without any official link
46 00:03:42,110 --> 00:03:47,940 or anything like that, and they will also get prompted with both of those screens.
47 00:03:47,960 --> 00:03:53,320 So let us just check out, and let us pretend that we're a victim from different parties and different
48 00:03:53,360 --> 00:04:01,910 PCs, and we click right here on guestbook, and we can see we get the hello right here, and that's why
49 00:04:01,970 --> 00:04:05,650 this is dangerous, or more dangerous than the previous attack.
50 00:04:05,660 --> 00:04:11,320 We also see that it prints out the previous hello, which I also did before I started recording this video,
51 00:04:12,800 --> 00:04:20,120 but surely we can do something better than just prompting this hello window to anyone visiting
52 00:04:20,120 --> 00:04:20,860 this website.
53 00:04:20,960 --> 00:04:21,410 So
54 00:04:25,170 --> 00:04:33,510 what we can do, for example, is we can steal cookies from anyone who comes to this page, and we can perform
55 00:04:33,510 --> 00:04:36,510 the session hijacking with those cookies.
56 00:04:36,600 --> 00:04:38,420 Now it is a different type of script.
57 00:04:38,460 --> 00:04:46,530 So what you would want to do right here is basically type here, so we can name this anything we want.
58 00:04:46,530 --> 00:04:47,990 It doesn't really matter.
59 00:04:48,320 --> 00:04:59,090 And what we want to do is script, then we want to close this, and document dot. Now, what I'm
60 00:04:59,130 --> 00:05:04,770 writing right here is basically just a simple JavaScript code, and the same thing that I said for the
61 00:05:04,770 --> 00:05:10,620 SQL: if you want to learn more about it, you should search it online and look at some of the tutorials
62 00:05:10,620 --> 00:05:12,190 about JavaScript code.
63 00:05:12,300 --> 00:05:16,890 This is just a simple one-line code or two-line code that we type right here in order to gather
64 00:05:16,890 --> 00:05:23,070 cookies. Uh, there are a bunch of other options that you can do with cross-site scripting, which we will
65 00:05:23,070 --> 00:05:26,790 not cover in great detail, we will only cover some of them.
66 00:05:26,790 --> 00:05:28,400 So this is one of them.
67 00:05:28,440 --> 00:05:30:690 And let us just type it right here.
68 00:05:30,690 --> 00:05:34,530 Image source equals.
69 00:05:34,530 --> 00:05:37,670 Now what I'm typing right here is basically,
70 00:05:37,680 --> 00:05:42,780 now I want to specify the website to where the cookies will be sent
71 00:05:42,870 --> 00:05:50,580 once a certain victim visits the page. So what you want to type right here is any website that you,
72 00:05:50,730 --> 00:05:53,340 for example, own or something like that.
73 00:05:53,370 --> 00:05:57,320 And there you will receive the cookies of the victims.
74 00:05:57,330 --> 00:06:02,660 Now we can simply just use a Python server.
75 00:06:02,960 --> 00:06:07,700 Let me just close this, but it sometimes doesn't work.
76 00:06:07,700 --> 00:06:14,450 Not really sure why, but we can try it right now, so what you want to type right here is a final exam.
77 00:06:14,510 --> 00:06:21,570 If I remember correctly, it is Python minus M for the module and then HTTP server.
78 00:06:22,620 --> 00:06:28,800 Which means that we will start the simple Python HTTP server, and then we need to specify the port on
79 00:06:28,800 --> 00:06:31,250 which we want to start the server.
80 00:06:31,350 --> 00:06:34,580 So let us just do port 7777.
81 00:06:35,160 --> 00:06:38,580 And for some reason this doesn't work.
82 00:06:38,580 --> 00:06:44,970 Let me just try a different port, 8888.
83 00:06:45,020 --> 00:06:47,070 No, it does not work.
84 00:06:47,530 --> 00:06:52,220 Well, maybe if we tried the Python 3 instead of the Python 2.
85 00:06:52,310 --> 00:06:53,290 So just add here
86 00:06:53,300 --> 00:06:57,020 python3, and you can see right now it works.
87 00:06:57,020 --> 00:07:05,420 So we are serving HTTP on localhost, or on any interface, port 8888, and we are listening for inbound
88 00:07:05,420 --> 00:07:07,480 connections, so that is good.
89 00:07:07,490 --> 00:07:12,280 Now what you want to do is finish your script on the website.
90 00:07:12,290 --> 00:07:16,780 Now that we have a website to listen on, we want to type here
91 00:07:18,060 --> 00:07:25,200 double quotes, HTTP, 127.0.0.1,
92 00:07:25,320 --> 00:07:33,040 since that is where we will listen for the connections, and after that we want to type here two dots
93 00:07:33,040 --> 00:07:36,400 and specify the port, which I believe is 8888.
94 00:07:36,430 --> 00:07:37,690 Let me just check that out.
95 00:07:38,170 --> 00:07:46,750 Yeah, it is 8888, so once we do that, what we want to do next is, uh, to just go into the next line with
96 00:07:46,750 --> 00:07:47,510 this command.
97 00:07:47,560 --> 00:07:49,510 So just type here slash, right.
98 00:07:50,070 --> 00:07:55,350 Uh, apostrophe, plus, then document dot cookie.
99 00:07:56,290 --> 00:08:03,810 So we are gathering the cookie, and then plus, and then apostrophe, and then double quote. We want to, uh,
100 00:08:03,970 --> 00:08:11,780 add the closing sign of this arrow, and then we want to add another quote and close the parentheses, and
101 00:08:11,780 --> 00:08:12,510 then type here.
102 00:08:12,530 --> 00:08:22,360 The script, uh, the script is ending right here, so once we do that we have our full script written right
103 00:08:22,360 --> 00:08:26,600 here, and all we have to do is basically just click here on submit.
104 00:08:26,710 --> 00:08:30,160 Now why is this the lines from how to make to the tab.
105 00:08:30,160 --> 00:08:30,840 Okay.
106 00:08:30,960 --> 00:08:32,440 We do not need this page anymore.
107 00:08:32,440 --> 00:08:38,070 So let us submit the script that we have just written in order to gather our cookies.
108 00:08:38,320 --> 00:08:42,060 And since we are loading the page again, we get these two boxes.
109 00:08:42,130 --> 00:08:44,090 They prompted with Hello.
110 00:08:44,350 --> 00:08:51,190 You should get them too if you already typed the alert function as we did before.
111 00:08:51,250 --> 00:08:53,050 Now let me just check something right here.
112 00:08:53,050 --> 00:08:55,040 We didn't receive anything yet.
113 00:08:55,150 --> 00:09:02,920 So if we, for example, pretend that we are a victim and we visit that website through a link or through our
114 00:09:02,920 --> 00:09:09,320 own web browser, and we go right here and we go to guestbook.
115 00:09:11,560 --> 00:09:15,140 Let me see if we got any cookies saved.
116 00:09:16,780 --> 00:09:17,570 OK.
117 00:09:17,580 --> 00:09:23,310 So we loaded the page and it doesn't seem that it works right now.
118 00:09:23,710 --> 00:09:26,920 As I said, sometimes it works and sometimes it doesn't.
119 00:09:26,920 --> 00:09:28,220 Not really sure why.
120 00:09:28,280 --> 00:09:30,390 So let me just try to switch it up a little bit.
121 00:09:30,400 --> 00:09:35,210 So we add here another same-looking script.
122 00:09:35,210 --> 00:09:37,880 So just type the same thing you typed before.
123 00:09:37,880 --> 00:09:43,690 So document dot write and open image source.
124 00:09:44,030 --> 00:09:56,570 Source equals double quotes, and then we want to type here 0.0.0.0 and then the port, which is 8888, and
125 00:09:56,570 --> 00:10:11,000 then what we want to do is to add a cookie from that port, so plus document dot cookie plus, uh, apostrophe.
126 00:10:11,000 --> 00:10:19,240 Double quotes and then close brackets, or close this arrow.
127 00:10:19,350 --> 00:10:27,260 I'm not really sure if I even need that arrow, since I didn't, let's just try it like this.
128 00:10:27,320 --> 00:10:34,100 I possibly could be carrying some syntax error, since I'm not that good at JavaScript, I didn't really
129 00:10:34,460 --> 00:10:35,060 learn it.
130 00:10:35,060 --> 00:10:40,820 I only used it in cross-site scripting attacks, so let's just try to run this once again, click here, okay,
131 00:10:40,820 --> 00:10:43,170 on these already alerted pages.
132 00:10:46,270 --> 00:10:50,990 And let's see if we get anything.
133 00:10:51,100 --> 00:10:52,640 The display is by my.
134 00:10:52,650 --> 00:10:56,500 That will repeat any action we send, hello, hello,
135 00:10:59,330 --> 00:10:59,880 okay.
136 00:11:00,210 --> 00:11:00,510 Hello.
137 00:11:00,510 --> 00:11:01,490 The page is.
138 00:11:01,530 --> 00:11:07,590 And here we go, if we go right here we still didn't receive anything, which doesn't really matter, it
139 00:11:07,590 --> 00:11:11,130 could be the problem in my syntax, or it could be the problem
140 00:11:11,130 --> 00:11:13,800 with this HTTP server.
141 00:11:13,800 --> 00:11:16,110 Uh, it doesn't matter at the moment.
142 00:11:16,110 --> 00:11:22,030 So if you want to find some of these specific attacks, you can just search on the Internet for the cross-site
143 00:11:22,040 --> 00:11:28,950 scripting JavaScript code, for example you can take a screenshot of most people's browsers and all of
144 00:11:28,950 --> 00:11:31,720 the cool stuff, but we will not cover all of that.
145 00:11:31,830 --> 00:11:35,970 You can find it all on the Internet. For now
146 00:11:35,980 --> 00:11:37,690 I just wanted to show you this.
147 00:11:37,730 --> 00:11:45,550 And in the next lecture I will show you a different type of the attack, which basically just, uh, changes
148 00:11:45,550 --> 00:11:47,130 the look of the website itself.
149 00:11:48,260 --> 00:11:52,730 So we will do that in the next lecture, and that's about it.
150 00:11:52,730 --> 00:11:55,840 For now, I will see you in the next lecture, and take care.
151 00:11:56,030 --> 00:11:56,300 Bye.