So welcome back to the afternoon session. This is a lab session, but before the actual lab we will have a small demo here of approximately one hour on DVWA and how you would launch an XSS attack on a vulnerable web application. That will also be accompanied by a demo of a complete exploit involving Nmap, Nessus and Metasploit. So the new thing here is Metasploit.

Good afternoon everyone. First I am going to talk about cross-site scripting attacks. We will be using the same application which we used for SQL injection, DVWA. So what is cross-site scripting? First of all I will give a brief introduction about it, because Saras discussed cross-site scripting in his lecture. So what is cross-site scripting? It is an attack which enables an attacker to inject client-side script into web pages viewed by other users. These client-side scripts could be JavaScript, VBScript, anything. And what are the types of cross-site scripting attacks? The first is non-persistent, which is also known as reflected XSS. The second is persistent XSS, which is also known as stored XSS, because these client-side scripts are permanently stored in the web pages; that's why it is called stored or persistent. The next one is DOM-based XSS. For our demo purposes we will be demonstrating only non-persistent and persistent XSS, not DOM-based XSS. So I will now quickly move to the demo.

I will be using the same application we used in the SQL injection demo, which is the DVWA application. Now it is asking for your username and password. The default username is admin and the password is password. So now I will click on login. Now I'm logged into the DVWA application. Before moving on to DVWA and actually showing you the attack: do you know what a cookie is and what it is used for? Because the cookie is a very important thing in session hijacking, and cross-site scripting is mainly used for session hijacking.
So you should know what a cookie is. Does anybody know? I mean an HTTP cookie or web browser cookie. A text file. So what does this text file contain? A cookie stores the information which we send from one client web page to a server web page and from the server to the client web page. At any moment we can delete the cookie. Why? Okay. So this is a random string sent by the server. So why is it used? To track the user activity. To track the user activity. So you are talking about a persistent cookie; actually there is another cookie called a session cookie. Do you know about it? It will be given by the server to communicate from client to server in the future communications. So it is a 16 bit ID which will be given by the server itself and it will be stored at the client. Yeah, sure. So suppose you are using this application now; you give your credentials, say admin and the password, and the server will give you a cookie for the future. Why? Next time whenever the client wants to interact with the server, with that 16 bit, 16 character ID, it will contact the server. Yes. So the cookie is replayed actually. Yes, it's called cookie replaying.

So what happens is, because HTTP is a stateless protocol: stateless means that when you provided your credentials initially, the server does not differentiate between the multiple HTTP requests. That's why it is called stateless; it does not maintain any state of the user. So that's why, when you log inside an application, it gives you a random string called the cookie, and this cookie is replayed in every subsequent request: you send the cookie and the server will again send back the cookie. That is called the session cookie. When you log out from the system this cookie is deleted and the server also deletes that cookie. So that is a session cookie. Now someone mentioned the tracking cookie. So, yeah, what is that tracking cookie? That is also called a persistent cookie.
There are two types; there are many types, but these two are the main ones. What is a persistent cookie? It is stored at the client side. Basically the session is maintained by the server only and the cookies are stored at the client side. The session, I'm not going to store at the client side. The session cookie will not be stored at the client side. You are saying no? The session is maintained by the server and the server is only handling the sessions, whereas the cookie is totally stored at the client side, and that means if it is a stored one it is a persistent cookie; persistent means they are not stored in the client browser. So actually I want to clarify that cookies are always stored on the client side, whether it is a session cookie or a persistent cookie. A session cookie is for a particular session: suppose I log out, it will be deleted. A persistent cookie stays for a long time after the session also. So persistent cookies are also called tracking cookies.

Suppose you are using any e-commerce site like Myntra or Flipkart and you browse some pages; say you are searching for some track pants, and you are searching only for track pants in the website. Now the server sets a cookie called the persistent cookie in your browser, which instructs it that when you go to the website again after some time it will show you some suggestions. So how is it making those suggestions? Because in the previous session it has stored a persistent cookie in your browser which indicates which pages you accessed last. That's why this is called the persistent cookie, because it lasts over the session, after the session also. So this is the difference between the persistent and the session cookie. Yeah, there will be an expiry date also; for every cookie there will be an expiry. A session cookie lasts with the session, and for a persistent cookie it will be for one year or so; that depends. Yes, sure. Yes, yes, yes. So suppose I have logged into the DVWA application.
I want to see what cookies it has stored in my system. So one thing I can do: there's a plug-in called Inspect Element inside Mozilla Firefox. You can see here at the end this is Inspect Element with Firebug; if you click here there is a section called Cookies. When you click it you can see there are two cookies set: PHPSESSID, which is the name of the cookie, and this is a random string which is given by the web application to the client. Fine, and there is another cookie, that is the security cookie. Currently my application's security level is medium. To differentiate between the requests, because we can set many levels of security inside this application, how does it differentiate the levels? It has set a cookie called security, which is set to medium. So if I change my security level to low, suppose going to DVWA Security, then changing it to low and submitting, now I will check again what my cookie is. You can see the security cookie has been changed to low. Fine; the PHPSESSID is the same until I log out. This is a session cookie actually; for this particular application, if you log out and login again then this DVWA application by default is set to level high. Yes, yes, for each session there will be two cookies; then there will be two cookies for this particular application. There may be another application which may be using several cookies, like seven cookies or ten cookies depending on their use. For security applications it will be... not for the security of the application, but for this particular DVWA application. Yeah, there is a plug-in also for Inspect Element; you can do it on Chrome also, you can do it on Internet Explorer. Then on Chrome, but I didn't find this Inspect Element in Internet Explorer.
So there may be... the name is not Inspect Element; I think for Internet Explorer the name is different. If you want, I can show you later on my computer in Internet Explorer. So moving ahead: we know that the cookie is a very important part of a session. So what happens if someone steals your cookie? Suppose you have logged in and the application has given you a cookie; now why should this cookie be a secret? What happens if this cookie is stolen by another user, what can he do? How are you saying that it will be stolen? Yes, with the GET method that data will be stored in the cookie. Whenever another person logs on to the system he can open the cookie file, he can look at the sensitive information, and at that point I can also steal that information. So yes, that's why, before coming out, he will try to delete those cookies from the browser; if you go to the settings, yeah, I have to delete them. Yes, yes, otherwise they may steal that sensitive information.

Actually what happens is, suppose you are logged into Facebook and they have stored a session cookie inside your browser. Now if I steal your cookie then I can make the request to the Facebook server with this cookie; now the Facebook server will think I'm you, because it will match the cookie and this cookie is yours. So your home page will be logged in inside my browser. That's what it is used for. That's how session hijacking happens if someone can steal your cookie. Okay, so basically what Naman is saying is that the cookie contains authentication information. So if you are in the middle of a session, and through XSS or something else I'm able to hack your cookie and get your cookie, then I can impersonate you: I can use that same cookie to do what you could have done.
Yes, so okay, moving on. Now we have seen what a cookie is, session cookie and persistent cookie; now I will show you reflected XSS. There were three kinds of XSS; I will be explaining the reflected and the stored. So suppose this is our application and it is asking for your name. This is some sample application in which it is asking for your name. Suppose I type Naman. I submit it; it is saying hello and Naman. Okay, it is asking for my name; now suppose I type 1234. It is saying hello 1234; it is not restricting me from entering anything else. Now suppose I type some garbage value, some value which contains some special characters also, like semicolons and quotes. It is also reflected back. Can you see it? Now if I type this, what should happen? And this is the input. Why is it not printing hello and then the script alert and something something? It will not go to the server? No, it will go to the server. Yes, exactly. So what is happening here: whenever I am giving an input, say Naman, it is going to the server, a request is made to the server, and the server is extracting those parameters and reflecting them back. In the previous examples like Naman and 1234, this is not executable code for the browser; this script is executable code. The browser thinks this is executable code because it is written in that way, but Naman and 1234 are not executable code; they render as they are. So what if I type this and click the submit button? You can see the script is executed. This is an XSS attack. Why is that? Because in the reflection the HTML page contains this script, and when the browser is parsing that script it executes it. Any doubts? What, sir? Hello is from the server; hello is there by default. Hello Naman, hello 1234; hello is what the server is reflecting. If I type anything it will reflect it. Okay, so now suppose...
I'm an attacker now and I want to execute some malicious script. This is some normal script which just says alert; this is the XSS attack. Now I want this script to be executed inside the victim's browser. Until now what happened is the attacker has typed some script and it is reflected and executed inside the attacker's web browser, right? Now how can the attacker craft an attack so that this script is executed inside the victim's browser? Any idea? I could upload it to my profile, okay, so when someone visits my profile it could be executed at that point. Okay, that is actually stored XSS you are talking about; this script is not stored on the server. Suppose, okay, you are saying if I go browse around to two different pages, suppose here, and come back here, the script is gone. No, the script is not there, right? Say for example I am a user of LinkedIn. Yeah, sure. Okay, I could create my profile. Yes, in the profile field somewhere I would upload a script, the malicious script. Yeah, malicious script. Yes, when someone visits my profile that thing would be downloaded to his browser and that would be executed. What you have done is you have actually stored that script inside the server page, right? Yeah. Now that is stored XSS actually. Here, what is happening? You have given your script and it is reflecting back at the same time; it is not stored on the server. Okay. Fine. Okay, so you are talking about like this, okay: suppose here you type some name and here you're typing the script, right? Now if you sign this guestbook, here you have actually stored that script in this page. Now if you browse around and come back here again, like you were saying, if another user came then the script is executed again. Okay, that is stored XSS actually. So what is reflected? To understand reflected XSS you need to understand how the parameters are passed to the server. There are two methods, HTTP GET and HTTP POST. Any idea about that?
Basically it gives all the information in the URL. The information you are talking about is the parameters you have passed in the forms. Yes, parameters can be seen in the URL. Yes, in the POST method we have streams, internal streams; parameters go in with the help of streams there. Okay. Yes, you're right. So with the GET method: this application is using the GET method actually. So how do I know that? Suppose I type Naman and submit it; then you have to see the URL. Like she was saying, in the GET request the parameters are passed in the URL. If you are not able to see it, I will just read it out: localhost, the IP address of this application, then name, where name is the name of this input field, equals my name, whichever I have passed, Naman. Okay. Now this request is made to the server; the server extracts these values from the URL and reflects them back. But in POST it does not send the parameters in the URL; it sends the parameters after the HTTP header as a stream, like she was saying. Okay, so here I will be using the GET method. Now suppose instead of typing my name, the attacker can craft a URL. The attacker will craft a URL like this: http... is it visible? So http, localhost, dvwa, vulnerabilities: this is the URL of my application, till here. After that there is a question mark which specifies that now the parameter name-value pairs will be starting. Here you can see the name, which is the name of the input field, and after that my script, which is a malicious script. Okay, so what about the length of GET and POST? If you are using POST we can send a large amount of data. Yes, you are right; in GET there are some limitations on the length of the input. Yes, the length for GET is less; for POST it is unlimited. Yes.
Yes. Yeah, because what happens is in the GET request the URL is stored in the bookmarks also. So if another user comes he can see your bookmarks or your history; there will be the values of your username and password, and then he can track you. Okay, so in the crafted URL, the attacker will craft a URL which is saying name equals this script, which is a malicious script. Now this URL will be sent to the victim through email, saying click on this URL, you may win something. If the victim is foolish enough he will click here, and a request will be generated from his browser to this application, and that script which was inside the name is reflected back inside the victim's browser and executes. Is it clear? That's how an attacker can craft a URL and execute malicious scripts. Any questions? Yeah, okay, so now the attacker wants to execute a malicious script inside the victim's browser, right? So now what can he do? He can craft a URL like this: the URL of the application, and after that the name of the input field, and after that the malicious script as an input, because we saw that if we type Naman then a GET request is generated to the server and the server reflects it back. Now he will craft this URL and send this URL to the victim, in the victim's email. Now if the victim clicks on this URL, this request is generated from his browser to the server, and the server extracts this malicious script and reflects that script to the victim's browser, and that executes, and that script can steal the cookies of the victim and send this cookie back to the attacker. This is possible, but it is slightly complicated. Yes, it is possible, but the idea would be different: the idea is to create a form and submit those parameters; submit and enter the script there. The attacker will create a page; in that page...
there will be a form, and that form... Okay, how will the attacker know whether the application uses the POST method or the GET method? He can know, if he also has access to the application, right? If I had access to this application, the attacker will also have access to the application. He can see if the parameters are going in the URL; it is GET if they are, sorry, if they are not going then it is POST. My favorite exam question is: can XSS also be implemented if the request is not GET and it is POST instead? The answer is actually yes. It's a little bit roundabout, using forms and so on, but you can still attack. Okay, so this is it; I am done with reflected XSS, now I will move on to stored XSS. If you are using a CAPTCHA image, can any cross-site scripting occur? Sorry, in the page we are using the CAPTCHA, Google's CAPTCHA. Yeah, then it's not possible. Yes, that is a protection against it. Yeah. Yeah, so what is the same...? Say suppose there is a link, and once we establish a session with that particular website, all the pages that would be coming from that site would be trusted. So if I have this and this site, suppose I received an email, and this email was from another domain, so it is from a different origin. Yeah, so it may not be executed. Why not? Because when you click on that URL that request is generated from your browser. You are not checked. Yes, the browser generates that request. But when I have a same-origin policy in place, it is coming from a different domain, so will it be executed? Yes. It is coming from a different domain, but the request is made to the same application, and the same application is reflecting those parameters to your browser. In same origin, what happens? Okay, I will tell you. The same-origin policy is implemented by the browser. So what happens?
Suppose there are... you can use iframes; you know iframes, HTML code. So in an iframe you can load a different domain inside the same page. So you can open facebook.com and gmail.com in the same page using iframes, right? If Gmail wants to execute some code, some JavaScript, inside facebook.com, then the browser won't allow facebook.com, oh sorry, gmail.com, to execute a script inside facebook.com. That is the same-origin policy. Here you are requesting this web application from your browser, and this request goes to the server; the server reflects the parameters back. So who will get affected? The client, the user; the user's cookies are being stolen. Is it executed at the server side? No, no, the script is executed on the client side. Now the goal was to execute the malicious script inside the victim's browser. The attacker, if he wants to get your banking information like your username and password... Yes, you said that you are going to get a URL. Yes, okay, when you click on that you are going to get a website where the look and feel is totally the same as the bank. Okay, no, no, no, no: whatever web page is being displayed, that will be the same as the bank. So how does it come like that? The reason is we are able to generate this source code. If you go through the source code, okay, and you try to put your own name and then put that link to that person, obviously you will get the same look and feel. Okay, so when we are trying to enter something... You are using a password for such links; first we have to go to the URL, where we have to find out whether it is coming from the same bank or not. Yes, that is the first option. Yes, yes. So why has this come? The reason is, since the source code is freely visible, we can view the source code freely. When you just right click and then go for View Source you are able to see it. Is there any option where, if you right click, you don't get this source code? No, you can always see the source code of the web page, right?
No, generally, if we want to design a Google website, okay, hardly it will take something like five minutes, not more than that. The reason is, if you go through the source code, copy it and just put the same name, we'll get the same thing. Yes, the only thing is whatever links are there, the images may not be displayed. If you're not using the appropriate browser... No, that will be displayed; if you download those images you can also use those images. But the differentiation would be... that is phishing actually. The difference is you will not see the... if you host this fake page inside your server then the URL will be different. The URL is different because that won't go to www.google.com; that will be your URL actually, your server URL. So to make it much harder for the hacker, can we make it such that when he right clicks also he does not see the source code? Yeah, that is a browser property; you can always see the... Why do you want to hide it actually? So that it will take a pretty good time for the hacker to develop such a website and send the same URL to the... If the hacker is smart enough he can design his own web page, the same web page, if he knows this stuff. But he should also know the resolution of your web page; it differs from one browser to another browser also. Yeah, but if he's smart enough he can always code it, right? That is phishing actually; it's not cross-site scripting.

Okay, now I will move on to stored XSS. Okay, so this is another application which has a stored XSS vulnerability. It is asking for a name and a message. So suppose I type, say, Naman and some message, "this is a workshop", and sign. Now what has happened is you can see here the value, the name, my name, and the message is permanently stored on the server. What do I mean by permanently stored?
Suppose I go around in some other tabs and come back here; it is still there. So what is the use of it? Suppose in social networking websites, take Facebook: you post something and it is permanently stored on the page, and a friend of yours can see that page and see what you have written, right? So it is the same thing. Now what happens if an attacker comes and types something like this? What do you think will happen? First, what will happen now? Yes, first of all in this case it will be executed inside the attacker's browser because he can see this page also. As you can see, this is an XSS attack; this is executed inside the attacker's browser. Now the victim comes to this application, comes to see who has signed this guestbook, and the script executes, and this script could be malicious and steal his cookie and send these cookies to the attacker. This is a simple stored XSS. And to find out whether it is vulnerable to stored XSS you have to test it, like I said in the reflected case. Suppose you are going to an e-commerce website and you want to search for, say, some shirt, and it's saying that we don't have shirts; or say you are in Myntra and you are searching for a car: we don't have cars. So what it is doing is extracting those parameters and reflecting them back. So if you type a script and there is no protection on the server side, then it will be reflected back and it will be executed. That is a test for reflected XSS. I want to draw attention to a serious problem. Yes. Suppose we store the script in a DNS lookup table directly; sorry, when any site is accessed it is directly looking in a DNS table, right.
So if we make an entry of a script by cracking a table, like if you type www.google.com it will run my script, because ultimately the IP of google.com is not verified by www.google.com but by some malicious script. Yeah, sure, that can be a problem. Is there any solution, or have you ever seen this thing? Actually the problem is not clear to me. First of all, suppose you know the DNS table, right, DNS? What a DNS lookup will do is match the IP address. Yes, so suppose when google.com is searched the malicious script is directly executed without getting the IP address. Malicious script... if we crack the table, the DNS table, DNS lookup table, the script is stored in the DNS table. The script is stored in the DNS table? Yes, if we crack that thing. I think DNS only does the translation from domain name to IP address. So how is the script stored in the DNS table? By doing some move on that DNS, the DNS server; if we crack the DNS server... ultimately the DNS server is nothing but a matching thing; it is matching the IP address with the site name. Yes. So in the entry of the IP address, without using the site name, if we put the script, is that possible? That script will be executed when you type... No, it won't be executed. There is no script actually stored in the DNS. Is it possible? No, it won't be possible. Okay, so now I'm done with the XSS demo.
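The reflected-XSS test and the server-side fix that the demo points at, as an added example written in Python rather than DVWA's own PHP; the "hello name" page model, the probe string, the URL and the cookie header below are constructed for this example and are not taken from DVWA or the workshop.

```python
# Added example: model of the demo's "hello <name>" page that reflects a GET parameter.
# Not DVWA code; page shape, probe string, URL and session id are constructed here.
import html
from urllib.parse import parse_qs, urlsplit


def extract_name(url: str) -> str:
    """Pull the `name` GET parameter out of a URL: everything after '?' is name=value pairs,
    and percent-encoded characters such as %3C are decoded back to '<' by the server."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("name", [""])[0]


def render_vulnerable(name: str) -> str:
    """Reflects the parameter into the HTML unchanged, like the demo page at low security:
    any markup in `name` is handed to the browser as markup."""
    return f"<pre>hello {name}</pre>"


def render_hardened(name: str) -> str:
    """Same page with output encoding: '<', '>', '&' and quotes become entities, so the
    browser renders the parameter as text and never as a script."""
    return f"<pre>hello {html.escape(name, quote=True)}</pre>"


# Constructed probe: harmless text that contains the characters a script tag would need.
PROBE = '<"xss-probe">'


def reflects_unescaped(page_html: str) -> bool:
    """The check the speaker describes: submit a value with markup characters and see
    whether the response contains it verbatim. True means a script would be rendered as code."""
    return PROBE in page_html


def check_page(render) -> bool:
    """Run the probe through one page renderer (vulnerable or hardened) and report the result."""
    # Constructed URL in the shape shown in the demo, with the probe percent-encoded as a
    # browser would send it.
    url = "http://localhost/dvwa/vulnerabilities/?name=%3C%22xss-probe%22%3E"
    return reflects_unescaped(render(extract_name(url)))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session cookie. HttpOnly keeps document.cookie, the usual
    route for XSS cookie theft, from reading it; Secure keeps it off plain HTTP."""
    return f"Set-Cookie: PHPSESSID={session_id}; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    print("vulnerable page reflects probe:", check_page(render_vulnerable))  # True
    print("hardened page reflects probe:  ", check_page(render_hardened))    # False
    print(session_cookie_header("constructed-session-id"))
```

The hardened renderer still echoes what the user typed, so "hello Naman" works exactly as in the demo; only the markup characters lose their meaning.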