Web App Penetration Testing - #10 - XSS(Reflected, Stored & DOM)
Key Takeaways
The video demonstrates how to perform Cross-Site Scripting (XSS) attacks, including reflected, stored, and DOM-based XSS, using tools such as Kali Linux, OS Broken Web Applications (BWA) project, WebGoat, VirtualBox, and VMware.
Full Transcript
[Laughter] hey guys hackersploit here back again with another video and welcome back to the web application penetration testing series in this video we are going to be looking at something that is extremely important and something that should be understood completely and that is cross site scripting all right now before we get started i'm just going to explain what we're going to be looking at in this video so we're going to start off with explaining what cross-site scripting is i'm going to be showing you the environment that we'll be using for testing any of these uh any of these attacks just because they allow us to illustrate or they allow me to explain how everything works because that's the most important thing for me is that you understand what you're you're listening to and you have a good representation of what's going on all right so i'll be explaining stored um i'll be explaining reflected stored and dom uh cross-site scripting all right so let's get started with me explaining what environment i'm currently running so you can see that i'm running currently running so you can see that i'm running kali linux right now but i am going to be using the os broken web applications project which was recommended by a lot of you uh because you are getting tired of using uh you know the damn vulnerable web application with meta exploitable too so a lot of you recommended that i use the os bewap project or you know whatever you want to call it so i'll have this in the description section it is essentially a virtual machine that you can easily just run on virtualbox or vmware i'm currently running it here as you can see i just got the local ip it's 192.168.1.111 all right so i have that running and i'm running this on kali linux and i already have opened up the url in my browser so you can see uh from here i've opened up bwap and i've opened up web go to because that's what i'm going to be using to explain each of these cross-site scripting attacks so if i was to do that if i was to just open up 192.168.1.111 yours could be different it it should be different depending on your ip configuration and subnet then it will take you to the os bwa or the os broken web applications project the latest version as of recording this video is version 1.2 so we will be using web good and b web um or the broken web application project uh for uh for this demonstration so the default credentials for web goat are going to be guest for the username and guest for the password and for bwap it should give you the prompt right over there i i think it's going to be a bug app or something like that but irregardless it will tell you what it is all right so make sure you open that up and you have that all set up so i've logged into bweb and i have a web goat started up right here all right so let me close that up and we are ready to go now before we even move on into performing these attacks it's very important to understand what's going on here with uh with cross-site scripting what it is how it works and what are you exactly taking advantage of all right now this is where a lot of people make mistakes and if you want to be a successful web application penetration tester you need to understand you know from a fundamental level what's going on here all right so let's get started what is cross site scripting well simply put it is the process of injecting a script into a into the parameter in a url to attack a user of the site or to potentially attack the server side of uh of the website or the web application right so it essentially is the inject the injection of a script into the parameter over url all right that's essentially what it is now of course this may be quite confusing but don't worry i'll explain what's going on here so let's start off with uh with first of all explaining the the three types of uh cross site scripting all right the first one is reflected and then we have stored and dom so with reflected what's happening here is uh the the data is inputted and then you know reflected directly back um back on the screen so i'll explain this in a second all right so uh if we are to look at this from a fundamental perspective i'll show you how to access this you know how to navigate the b web uh just give me a second let me explain what's going on so essentially what's happening with reflected cross-site scripting is that the input is going to be stored in the parameter of the url all right and i'll explain how this differs with each type of attack because many of you will point out and say well it's not only to to do with parameters and don't worry i'll explain all of this all right so we can essentially manipulate the uh the parameter of the url uh so that we can essentially run a script now what type of script we can run a malicious script that is based in javascript and i'll explain that right now so you can see with our portal you don't want to touch anything here you can set the security level but for now i recommend setting it to low not that that's going to hurt anyone's ego because remember you have to be humble to to begin and you need to understand what's going on first so we will open up the choose the bug section here and we want to go down into cross-site scripting and we want to go into reflected which uh essentially deals with the get uh the get request so we're gonna start off with that and this will really make you understand what's going on here so if i click on that um and i just hit hack all right so now it's going to give us a prompt here and you might be asking well what's what do you mean what exactly is going on if i was to not enter any details into the um you know into these fields right here so for example you can see i just had a suggestion there that's because i was testing it out but if i was to hit go you can see that in the url we do have the input here so you can see the values can be edited directly into the form so you can see first name has the no volume and then we have the last name which again has no value and you can see that it is submitting a form so what we can do is run some javascript code in here and the most common way of of explaining what's going on here of course not running a very malicious code right now essentially explaining and demonstrating that it does work is i can run a piece of code here now of course when you put this into a practical perspective many sites are going to filter the content that you can enter in in these fields or these forms and will essentially we will not allow you to run javascript code you know obviously to protect uh to protect the site from these type of attacks uh but what you can do is encapsulate it to encode it in a different type of language or as i said i'll show you how everything or how all of this works so this right right now being the current security level is low we are it will not uh it will not essentially encode it will not verify or validate what we're entering in here what input is being given so if we were to type in a script here so we can say script and you can see the recommendation there's script that's mine so if i was to type in alert and this is javascript so i'm pretty i'm pretty sure you can you know what's going on so we can say hello world um this is an example of a reflected um xss or cross site scripting and we can close that up right now and then we need to close the script so we can do that in the next field or the next parameter most people like doing it from the start but this is just to show you how robust this can be so i type in i close the script then i hit go and as you can see it gives us the alert which is what we and we which is what we used as our form of of me showing you that it does work and it will be processed uh the input will be processed and will be sent back to you you being the client and we can just hit ok and that was an example of reflected access cross site scripting using the get method now of course we can i can replicate this many many times using the other types of cross-site scripting for example with the post etc etc we'll be looking at all of that but for now we need to understand what's going on here now next we need to look at stored cross-site scripting this is probably my favorite because of the potential that it does have all right so let's go into the choose your bug menu here and we want to go into cross-site scripting and we want to go um we want to go for the blog cross-site scripting stored cross-site scripting and we're going to select block and i'll explain why in a second all right so first let me explain what stored cross-site scripting is so essentially with this with the cross-site scripting attacks more specifically the stored attacks uh essentially what's happening is you're attacking the input and you're essentially attacking the input that is to be stored or you're attacking the data or essentially i i'll explain this really simply so you're attacking the input that is to be stored on a database so what you're doing is your essentially injecting malicious code that will be saved into a database or that is going to be saved by the server or the web application server and then you can definitely uh you since it's being stored you can access it later on or other users can access it and for example if it's running malicious code it can trigger different things like opening the webcam of a user stealing different type of information i'm not going to go into what you can do with it but you can really do a lot of stuff a lot of malicious stuff with code all right so let me explain what's going on here so with the stored cross-site scripting you can essentially inject uh malicious code into the database again that then uh that when accessed runs this malicious code all right so if you can see this is an example of a blog let me explain what i mean the best places to implement stored cross-site scripting is in places like comments uh you know forums and again as you can see right here blog in the form of comments that you know or pages that can be accessed later or data that is being stored in directly into the database any database for that matter as long as it's being stored okay so we can type in here something like hello and we can submit that to the database and you can see it's getting stored and you have the different tables you have the uh the number the owner the date and the entry so now we can also run a script in here all right so what if we were to enter javascript and again this data given our security level is any of the data that we're entering is not being validated so you can essentially enter it raw uh now in reality if you go and try and enter a script in the data will not be accepted because again they're protecting their site against that that's one way of mitigation very basic i'm sure you know what i'm talking about all right so enough of me rambling on so if we are to enter the same script we entered uh so we have to say script and we then say alert for example we can you can use any type of javascript code you want here and you can experiment you know you these web applications are there for you to experiment and test your skills out so yeah for us to say hello world this is stored oops door uh cross site scripting and we just close that up there and of course we have to close the script because we know that that will not execute if we do not code it correctly okay so now we can we can add that uh and uh if i was to just hit submit right now you can see that it's going to store and be that being the latest blog post you can see it's going to tell you it's going to execute the script and it's going to say hello world this is stored across that scripting so an example of a blog if you are to post this on a page or a or you know to make a blog post and inject this script in anyone who opens that page will essentially run that malicious code and whatever that code does can then further more you know cause damage to the user or to the server depending on what you want it to do so it's all dependent on what the attacker is to do remember what i told you in the first video of this series it's all about your mindset and your your willingness to break things and to find out what does and doesn't work okay so that was an example of stored cross-site scripting and as i've mentioned the most important thing to understand is this in this scenario the data is not being validated if it is being validated and i'll show you that in a second uh or probably in the next set of videos we'll increase the security level and i'll show you how to get you know past this you can see how things change as you move along in terms of security levels so i was going to use the uh bwap this is my first time using it uh so i had to get a bit of an introduction through the documentation and i realized they don't have dom uh cross-site scripting so i that's why i had to use web goat they are the only ones i know who actually allow us to run it so i've zoomed in right now by the way the credentials are guest for the username and guest for the password so uh essentially i went through cross-site scripting and again they didn't have the the dom in here all they were focusing on is stored and again uh reflected so i found it to be in the iax or ajax what how whatever you want to call it and we have the uh the dom based uh cross-site scripting let me explain why it's saying uh this is based in arc security this is uh because dom cross-site scripting focuses on the client side so any data or input that is entered whether it be a malicious code etc etc is going to be processed by the client not the server so any of the attacks will be based of course on the client now let me explain what i mean uh if i am to run remember javascript server side client side i ax for example so if i am to run for example a javascript code in this entry here so script and again i type in alert just being the example and i say hello let's keep that simple and i close the script here you can see that we will probably not be left with anything will not get any result that's because it's being processed by the client not by the server so no uh no result or no data will be reflected back to us if it was you know if it was reflected cross-site scripting it the server processes it and then is reflected back to the client so if i was to submit here you can see that nothing happens here and that it is going to be taken as code now what if we were to enter or use a language uh that that a client can understand so let's say we were to to say uh let's see um html what you want to use html so i can say in here img for example that's a very this is the way we learned it so img src and we don't have an image source so we can leave that like that and then we can use the on error in case we get an error of image which we will get because the image has no source on error we can say that is going to be uh that is going to be equal to uh alert um and then the alert we can then put in here we can say hello oops hello world and we can close that up and once we have closed it you can see that we can uh we can close that there and there you are so it is going to be processed by the client and you get the the dialog box or the alert with the message hello world so you can see that with dom based cross-site scripting uh it is all being processed all the input whether it be malicious or not is being processed by the client and ax is one of the la these languages that can be used so you can also incorporate ax if you wanted to or test it out remember it's all about experimentation and understanding and i've been working a lot of the on this and you guys have been wondering why i haven't been uploading you know cross-site scripting and videos that are very advanced and that's because i want you to understand what's happening because there's no point of me making a video of me going through it you know blazing through a video extremely quickly i want everyone to understand what's going on you know whatever skill level you are even if this is your first time going through this you know i hope that you you've got an understanding of what cross-site scripting is how it can be used to manipulate data whether it be on the client side on the database and how you can easily just transfer data with you know bad security in place of course this is these attacks will be very uncommon now but again this was focused on more on on an explanation point of view now of course in the next set of videos in this series we'll be taking a look at how to perform these attacks on high level uh security as you can see we can tweak the security up to a high level and set that there and then things are going to be a little bit different because the data is now going to be validated and might not be processed in the way that you think it is all right so that is going to be it for this video guys hopefully uh you found value in it if you did please leave a like down below if you have any suggestions or questions let me know in the comment section on my social networks or you can hit me up on my website so without further ado that's going to be it for this video i'll be seeing you in the next video peace guys you
Original Description
Hey guys! HackerSploit here back again with another video, in this video, I will be demonstrating how to perform XSS attacks.
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
OWASP BWAP: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
⭐Help Support HackerSploit by using the following links:
🔗 NordVPN: https://nordvpn.org/hacker
Use the link above or the code below for 77% Off your order
Promo Code: hacker
Patreon: http://patreon.com/hackersploit
I Hope you enjoy/enjoyed the video.
If you have any questions or suggestions feel free to ask them in the comments section or on my social networks.
🔗 HackerSploit Website: https://hsploit.com/
🔗 HackerSploit Android App: https://play.google.com/store/apps/details?id=com.hsploitnews.hsploit&hl=en
🔹 Support The Channel
NordVPN Affiliate Link: https://nordvpn.org/hacker
Patreon: http://patreon.com/hackersploit
🔹 Get Our Courses
Get a special discount on our courses:
The Complete Deep Web Course 2018:
https://www.udemy.com/the-complete-deep-web-course-2017/?couponCode=DWCBP2017
🔹 SOCIAL NETWORKS - Connect With Us!
-------------------------------
Facebook: https://www.facebook.com/HackerSploit/
Instagram: https://www.instagram.com/alexi_ahmed/
Twitter: https://twitter.com/HackerSploit
Patreon: http://patreon.com/hackersploit
--------------------------------
Thanks for watching!
Благодаря за гледането
Kiitos katsomisesta
感谢您观看
Merci d'avoir regardé
Grazie per la visione
Gracias por ver
شكرا للمشاهدة
دیکھنے کے لیے شکریہ
देखने के लिए धन्यवाद
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from HackerSploit · HackerSploit · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
How To Install Kali Linux 2.0 On Virtual Box
HackerSploit
100 Subscriber Q&A! - How I Learned Ethical Hacking
HackerSploit
BlackArch Linux Review - Better Than Kali Linux?
HackerSploit
How to Access the Deep Web Safely | Deep Web Starter Guide 1.0
HackerSploit
Wireshark Tutorial for Beginners - Installation
HackerSploit
Wireshark Tutorial for Beginners - Overview of the environment
HackerSploit
Wireshark Tutorial for Beginners - Capture options
HackerSploit
Wireshark Tutorial for Beginners - Filters
HackerSploit
Complete Ethical Hacking Course - Become a Hacker Today - #1 Hacking Terminology
HackerSploit
Complete Ethical Hacking Course #2 - Installing Kali Linux
HackerSploit
Parrot OS 3.5 Review | The Best Kali Linux Alternative
HackerSploit
Nmap Tutorial For Beginners - 1 - What is Nmap?
HackerSploit
Katoolin | How To Install Pentesting Tools On Any Linux Distro
HackerSploit
Nmap Tutorial For Beginners - 2 - Advanced Scanning
HackerSploit
Nmap Tutorial For Beginners - 3 - Aggressive Scanning
HackerSploit
Zenmap Tutorial For Beginners
HackerSploit
How To Setup Proxychains In Kali Linux - #1 - Stay Anonymous
HackerSploit
How To Setup Proxychains In Kali Linux - #2 - Change Your IP
HackerSploit
How To Change Mac Address In Kali Linux | Macchanger
HackerSploit
How To Setup And Use anonsurf On Kali Linux | Stay Anonymous
HackerSploit
Ubuntu 17.04 "Zesty Zapus" Review - Bye Unity
HackerSploit
VPN And DNS For Beginners | Kali Linux
HackerSploit
Tails OS Installation And Review - Access The Deep Web/Dark Net
HackerSploit
Steganography Tutorial - Hide Messages In Images
HackerSploit
The Lazy Script - Kali Linux 2017.1 - Automate Penetration Testing!
HackerSploit
Best Linux Distributions For Penetration Testing
HackerSploit
Netcat Tutorial - The Swiss Army Knife Of Networking - Reverse Shell
HackerSploit
Gaining Access - Web Server Hacking - Metasploitable - #1
HackerSploit
Web Server Hacking - FTP Backdoor Command Execution With Metasploit - #2
HackerSploit
How To Install Kali Linux On VMware - Complete Guide 2018
HackerSploit
Q&A #1 - Best Cyber-security Certifications?
HackerSploit
Terminator - Kali Linux - Multiple Terminals
HackerSploit
Shodan Search Engine Tutorial - Access Routers,Servers,Webcams + Install CLI
HackerSploit
Q&A #2 - Mr Robot?
HackerSploit
Metasploit Community Web GUI - Installation And Overview
HackerSploit
Linux Expl0rer - Forensics Toolbox - Installation & Configuration
HackerSploit
QuasarRAT - The Best Windows RAT? - Remote Administration Tool for Windows
HackerSploit
Metasploit For Beginners - #1 - The Basics - Modules, Exploits & Payloads
HackerSploit
Metasploit For Beginners - #2 - Understanding Metasploit Modules
HackerSploit
Kali Linux Quick Tips - #1 - Adding a non-root user
HackerSploit
Metasploit For Beginners - #3 - Information Gathering - Auxiliary Scanners
HackerSploit
Spectre Meltdown Vulnerability - How To Check Your System
HackerSploit
Metasploit For Beginners - #4 - Basic Exploitation
HackerSploit
ARP Spoofing With arpspoof - MITM
HackerSploit
WordPress Vulnerability Scanning With WPScan
HackerSploit
Generating A PHP Backdoor with weevely
HackerSploit
Nikto Web Vulnerability Scanner - Web Penetration Testing - #1
HackerSploit
How To Install Kali Linux On Windows 10 - Windows Subsystem For Linux
HackerSploit
Stacer - System Optimizer And Monitoring Tool For Linux
HackerSploit
Kali Linux 2018.1 - Kernel Updates & Patches
HackerSploit
MITM With Ettercap - ARP Poisoning
HackerSploit
Password Cracking With John The Ripper - RAR/ZIP & Linux Passwords
HackerSploit
How To Detect Rootkits On Kali Linux - chkrootkit & rkhunter
HackerSploit
Channel Updates - How To Post Questions & Video Suggestions
HackerSploit
Web App Penetration Testing - #1 - Setting Up Burp Suite
HackerSploit
Web App Penetration Testing - #2 - Spidering & DVWA
HackerSploit
Cl0neMast3r - GitHub Repository Cloning Tool
HackerSploit
Kali Linux On Windows 10 Official - WSL - Installation & Configuration
HackerSploit
DoS/DDoS Protection - How To Enable ICMP, UDP & TCP Flood Filtering
HackerSploit
Web App Penetration Testing - #3 - Brute Force With Burp Suite
HackerSploit
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
Social Discovery Group’s Announcement: A Communication That Raises Questions About Transparency and…
Medium · Cybersecurity
Best Cyber Security Diploma Course After 12th With Certification
Medium · AI
Best Cyber Security Diploma Course After 12th With Certification
Medium · Cybersecurity
You migrated to post-quantum crypto. Is the implementation actually conformant?
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI