1
00:00:00,620 --> 00:00:08,480
So bWAPP handles different aspects of XSS very well, and the next example is one of them.

2
00:00:09,170 --> 00:00:15,650
So after logging into bWAPP, choose Reflected JSON from the menu.

3
00:00:17,040 --> 00:00:19,110
And there's a search box on the page.

4
00:00:20,290 --> 00:00:22,000
So let's examine the page a little bit.

5
00:00:23,050 --> 00:00:27,010
So I'm going to type t h o r into the box.

6
00:00:28,180 --> 00:00:30,050
And yes, we have that movie.

7
00:00:30,100 --> 00:00:32,320
It's a positive result.

8
00:00:33,580 --> 00:00:39,070
Now, what I type is also in the URL; the title parameter holds this value.

9
00:00:40,350 --> 00:00:42,450
OK, so now let's view the source.

10
00:00:43,440 --> 00:00:48,150
And here, as a result, the page sends JSON data.

11
00:00:49,810 --> 00:00:52,150
And this data is parsed and printed to the page.

12
00:00:53,340 --> 00:00:58,530
All right, are you ready for another? Enter i r o n m a n without spaces.

13
00:00:59,740 --> 00:01:03,940
And a negative result comes back, but also the data is reflected.

14
00:01:04,960 --> 00:01:06,790
And the value is still in the URL.

15
00:01:08,370 --> 00:01:09,840
So view the page source again.

16
00:01:11,470 --> 00:01:16,420
And this is my input, and it is reflected to the page.

17
00:01:18,690 --> 00:01:22,800
So like I did in the previous lesson, paste the HTML H1 tag.

18
00:01:24,280 --> 00:01:25,270
OK, it works.

19
00:01:26,390 --> 00:01:28,520
And paste the NBA link.

20
00:01:30,330 --> 00:01:33,480
OK, so something went wrong here, so let's view the source.

21
00:01:36,270 --> 00:01:37,160
The link is here.

22
00:01:38,480 --> 00:01:39,980
OK, I think I found it, did you?

23
00:01:41,150 --> 00:01:45,230
So the single quote caused the problem with JSON.

24
00:01:48,570 --> 00:01:53,880
So if I add backslashes before the quotes, it will work.

25
00:01:55,700 --> 00:02:02,090
So this problem is solved. Now, before we go any further, I do want to show you the code.

26
00:02:02,960 --> 00:02:06,350
So open a terminal and just have a look with me.

27
00:02:09,050 --> 00:02:13,670
Now, here, if the level is low, the title parameter is used as is.

28
00:02:14,800 --> 00:02:17,980
If it is not low, it is checked with a function.

29
00:02:19,580 --> 00:02:21,770
Then the output is generated.

30
00:02:23,340 --> 00:02:24,450
And scroll down.

31
00:02:25,850 --> 00:02:27,230
So now here is a script.

32
00:02:28,550 --> 00:02:31,130
And the output is added into the script.

33
00:02:32,170 --> 00:02:36,520
And then, as you see, if the result is negative, the search term is sent back to the browser.

34
00:02:38,070 --> 00:02:39,780
So go back to Firefox.

35
00:02:41,500 --> 00:02:44,860
And we can run HTML tags entered into this field.

36
00:02:46,310 --> 00:02:49,130
So let's paste this tiny script.

37
00:02:50,870 --> 00:02:51,950
OK, no, it doesn't work.

38
00:02:53,130 --> 00:02:55,740
So now, to figure out what's happening, let's view the source.

39
00:02:58,500 --> 00:03:02,240
Because my input breaks the original script, right?

40
00:03:04,000 --> 00:03:11,980
Now, this part is between script tags, so it can't be executed if there's, you know, anything meaningful.

41
00:03:13,560 --> 00:03:16,110
And the rest is not between script tags.

42
00:03:17,250 --> 00:03:24,450
So the browser uses the remaining part as text, so it displays the text in the page.

43
00:03:24,660 --> 00:03:28,530
So now type ironman to clear here and view the source.

44
00:03:30,950 --> 00:03:34,850
Now we can create our payload, which doesn't break the original script.

45
00:03:35,900 --> 00:03:37,810
So I'm going to just write it here.

46
00:03:39,430 --> 00:03:42,040
And step by step, I will create the payload.

47
00:03:43,330 --> 00:03:46,630
So first, let's close these double quotes around our input.

48
00:03:48,050 --> 00:03:56,240
Then, using this curly bracket, and then this bracket, and then the single quote around the JSON data.

49
00:03:57,720 --> 00:04:00,870
And a semicolon to end this line.

50
00:04:02,740 --> 00:04:04,840
And close the opening script tag.

51
00:04:06,660 --> 00:04:10,080
So now we can start our payload.

52
00:04:12,320 --> 00:04:17,480
First, alert the cookie as always, then add an opening script tag.

53
00:04:18,530 --> 00:04:21,020
And that's it, so let's copy this payload.

54
00:04:24,110 --> 00:04:26,360
And paste it in the search box.

55
00:04:28,570 --> 00:04:32,560
And yeah, the JavaScript code executes.

56
00:04:33,560 --> 00:04:36,190
And let's view the source to figure it out better.

57
00:04:42,580 --> 00:04:44,260
And this is the first part.

58
00:04:45,430 --> 00:04:47,080
So it doesn't have any meaning to the page.

59
00:04:48,170 --> 00:04:50,690
And then this is our actual payload.

60
00:04:52,260 --> 00:04:54,210
And then this part is the remaining code.

61
00:04:55,170 --> 00:04:57,300
It also doesn't really have any meaning to the page.

62
00:04:58,910 --> 00:05:00,620
OK, so let's go back to the page.

63
00:05:02,300 --> 00:05:06,110
Now we can send the session value to our cookie stealer app.

64
00:05:08,110 --> 00:05:09,430
And we have the payload.

65
00:05:10,460 --> 00:05:15,050
So I'm going to copy and paste it here instead of the alert code.

66
00:05:16,760 --> 00:05:17,950
Then copy this line.

67
00:05:19,600 --> 00:05:21,220
Open the web developer tool.

68
00:05:22,600 --> 00:05:25,570
Paste the code into the search box and go.

69
00:05:27,030 --> 00:05:29,550
The requests sent from this page are below.

70
00:05:30,770 --> 00:05:34,880
And the base64 cookie value is sent to our stealer application.

71
00:05:36,120 --> 00:05:37,230
So view the source.

72
00:05:39,540 --> 00:05:41,940
So our good payload is lying in the source.

73
00:05:43,260 --> 00:05:44,670
So open this stealer app.

74
00:05:45,960 --> 00:05:46,980
Refresh the page.

75
00:05:48,140 --> 00:05:50,240
And the cookie values come up.

76
00:05:51,500 --> 00:05:53,270
So now let's go to our session.

77
00:05:55,120 --> 00:05:56,080
This is our user.

78
00:05:57,130 --> 00:05:59,530
And we are able to send the user session.

79
00:06:01,020 --> 00:06:03,060
OK, so go back to Kali.

80
00:06:04,420 --> 00:06:08,830
Now we can use this URL to get any user session.

81
00:06:10,020 --> 00:06:14,400
So we get the user to click on a link comprised of this URL.

82
00:06:15,920 --> 00:06:16,880
Then get the session.

83
00:06:18,130 --> 00:06:20,410
And we've already done that in a previous lesson.

84
00:06:21,430 --> 00:06:22,780
So I'm going to leave that for you to do.

85
00:06:23,440 --> 00:06:23,860
All right.