Cross-Site Scripting Attacks: What You Need to Know Now

00:00

hello team welcome to my session on

00:01

coffee with PR and today we're going to

00:04

discuss about cross-side scripting it is

00:06

part of my application security Series

00:08

so there was a lot of feedback I was

00:10

receiving from the subscriber and please

00:12

do some videos on that area so I thought

00:14

let me start this initiative so in this

00:16

video we're going to discuss about

00:17

Crosset scripting and how it is

00:19

different from Crosset request FY in my

00:21

next video I'm going to discuss about in

00:23

detail about the cross request fery my

00:26

name is bra ner for more information do

00:28

check my Lin profile and if you're new

00:30

to the channel do subscribe to my

00:32

YouTube channel and click on the Bell

00:33

icon to make sure you should not miss my

00:35

future videos on a similar topic so

00:37

without wasting a time let's start with

00:39

the first part thank

00:42

[Music]

00:56

you okay before we going to discuss

00:59

about what is cross-site scripting let's

01:02

first understand the concept of scripts

01:04

see when you're talking about script is

01:06

basically um is the activity which is

01:09

run on the server and on the client side

01:12

you know if you want to perform any

01:14

action or if you want to perform any

01:16

activity in the system okay any kind of

01:19

automations and all that it is basically

01:21

done with the help of script okay so

01:25

example like you know when you visit any

01:26

website some graphical representation

01:28

that show on the browser site right

01:29

right capture you know popup so this is

01:32

basically done through the help of

01:33

script only script is the one which

01:35

basically pop up Suddenly visit one

01:38

website you can see the chat popup so

01:40

that is basically because of the script

01:41

now when we talking about script script

01:44

is actually two type one is basically

01:47

called as a client side script and one

01:49

is basically called as a server side

01:51

script first of all you need to remember

01:52

cross-site scripting is a client side

01:55

vulnerability so client side script is a

01:57

script which is running on the client

01:59

side and server side script is running

02:00

on the server s side so here you can see

02:01

the client side script refer to a script

02:03

that are executed on the user browser

02:05

rather than the server how suppose this

02:08

is the user we have okay and there is a

02:13

system okay he visit one website which

02:16

is called suppose infos

02:20

train.com infos tr.com page is basically

02:23

loaded in his

02:27

browser okay infos in page loaded in his

02:30

browser now he can see some popup of

02:33

chat he can see the discount popup he

02:36

can see the graphical representation so

02:38

this is basically running on the browser

02:40

because of the client side script it

02:41

means script which is running on the

02:43

client side browser so example like form

02:46

validation so example like when we

02:47

browse the page we get a registration

02:49

page portal where you need to enter

02:51

details if you feel some values in valid

02:54

and all that immediately there itself it

02:55

stop it's a invalid value right sometime

02:58

registration page is there it ask for

02:59

the invalid valid value so because there

03:00

is a client side script which is running

03:02

on the client site okay so we have a

03:04

image slider you know image is basically

03:06

change we have an interactive map we

03:08

have animation so the execution is the

03:10

script is execute on the user device

03:12

after the web page has been loaded and

03:14

it was there because it is used to

03:16

improve the performance of the uh

03:18

website and it is basically used to give

03:20

a good environment to the user so this

03:22

is called as a client side script on the

03:24

other side the server s side script is a

03:27

web server technology in which user

03:28

request is full fill uh you know by the

03:32

by the server how so example like this

03:34

is the client we

03:40

have and this is basically my

03:44

server now please try to understand okay

03:47

so user basically requests for a

03:50

page the page is basically

03:56

load

03:58

okay on client

04:02

device so the page was load now here we

04:05

have some scripts offer offer like this

04:08

kind of a script was there offer click

04:12

to claim so client what he did he click

04:15

on this particular link it mean he

04:17

requested server please open the script

04:20

for me so there's a script which is

04:21

running on the server side which review

04:23

which receive the request and then they

04:25

process the script on the server site

04:27

and according to that it provide the

04:28

result back to the user so the script

04:30

which is running on the server side that

04:32

is basically called as a server side

04:34

scripting example when you enter usern

04:36

and password that information goes to

04:37

server server is the one which validate

04:38

that password authenticate the password

04:40

there's a script which is running on the

04:42

server so sometime what happen we create

04:44

a script in such a way to Target the

04:46

server we create a script in such a way

04:48

to Target the client but this is

04:49

basically where the script running on

04:51

the server side so it is often used to

04:53

create interactive website and to the

04:55

interface to database and execution is

04:58

the script is executed on the the server

05:00

and only result is sent to the client

05:01

browser okay so user authentication

05:05

retrieving displaying data from the

05:06

database processing user data so these

05:08

are the examples we have for the server

05:10

site scripting

05:13

okay okay so now you understood about

05:16

cross side scripting sorry you

05:18

understood about the client side and

05:20

server side now now let's understand how

05:23

cross-site scripting works so first we

05:25

basically go by the description so if

05:27

you see the description it say attacker

05:29

inject the malitia script into the web

05:31

content that is then served to user and

05:33

when user browser render the web pay the

05:35

malitia script is executed on the client

05:37

side that is a user browser to

05:39

understand this in detail let me explain

05:41

you with the help of diagram okay so

05:43

this is basically my

05:46

client okay so we have a client

05:51

here okay and uh let me change the

05:57

color and this is basically my server

06:07

now just imagine this this basically a

06:09

server is just like a

06:12

forum a very known Forum people use to

06:15

post lot of content there lot of people

06:17

visit the Forum and review the content

06:19

and all that so now what happened we

06:22

have a hacker

06:25

here we have a

06:28

hacker

06:33

or

06:34

researcher what he found that server is

06:38

basically accepting server is basically

06:41

accepting any input it mean the server

06:44

is vulnerable for

06:47

input

06:51

validation now when we say input

06:53

validation input validation mean without

06:55

verifying it process the input example

06:57

if I say it to my friend 1+ one I said

06:59

so I told him 1+ 1 is three he said yes

07:01

you right three but without verifying he

07:03

just reply and say yes but when I say 1+

07:06

1 3 no no no it's not 1 + 1 3 it is 1 +1

07:10

2 understood so here he verified the

07:12

input and he react so here we understood

07:14

server accepting all the input without

07:16

any verification okay so what hacker did

07:18

hacker basically discovered like this

07:21

website is basically have a great

07:23

reputation in the market a lot of people

07:24

visit this page so in this particular

07:27

page he injected one

07:31

script like this

07:37

way

07:40

dumps

07:42

100% so now what happen

07:44

server accept this particular input and

07:47

now that server on server that script is

07:50

pop up on that Forum now this is the

07:53

client is preparing for some

07:55

certification he visit this particular

07:58

website

08:00

and the server basically load the

08:05

page

08:07

page okay for the

08:14

user so now what happened the page was

08:17

loaded on the client side now when the

08:20

page load he can see there is a popup

08:22

Dump Dump

08:24

Dump what he did he click on that link

08:28

it mean he want want to see what is this

08:30

dump all about that request is basically

08:33

sent to the

08:36

server

08:41

request sent

08:44

to server server without verifying it

08:47

process the script and the script was

08:51

executed on the client site and it lead

08:54

to like server got client got hang the

08:57

credential was stolen that script has

08:59

has basically installed the thren so if

09:01

you notice in this attack what happened

09:02

hacker basically inject the script on

09:04

the

09:05

server script is now pop up on the page

09:08

client visit the page he brows the page

09:11

on his browser he click on the link the

09:12

link request spent to the server server

09:14

thought user want to open that server

09:16

without verifying he process back on the

09:18

client and based on that server trust

09:21

client basically open the script and

09:23

that basically crash the client system

09:25

so here we exploit the trust okay of the

09:28

server sorry export the trust of the

09:30

client toward the server see Crosset

09:32

scripting is basically occur okay

09:35

because of two things one the data enter

09:39

a web application through untrusted

09:41

source and second is data is included in

09:43

the dynamic content which is sent to the

09:45

web user without being validated from

09:48

the malicious content so this is the

09:50

example what we have seen was the

09:51

example of the stored crossed scripting

09:54

so crossed scripting are exit on the

09:55

client side the vulnerability enabled

09:57

the attack can present in both servers

09:59

and client but I'm talking about the

10:01

vulnerability in the server without

10:02

verifying input but by the end of the

10:03

day it is a client side attack because

10:04

we want to crash the client by

10:07

exploiting a trust toward the server so

10:09

attacker inject a script into the

10:11

comment section of a Blog which

10:12

basically steal cookies from any user

10:15

viewing the content okay so that is how

10:17

it works now when we're talking about

10:19

impact what is happen is impact is that

10:22

script when it running on the client

10:23

site it can identify the theft it can uh

10:26

do the data theft it can defas the

10:28

website also because the script which he

10:31

request for open might be it is Target

10:33

on the server it crashed the server also

10:35

server thought client has requested

10:36

client thought server has requested so

10:38

that is how this attack is basically

10:40

initiated so when we're talking about

10:42

cross-site scripting we have a two type

10:45

of crossed scripting one is basically

10:47

called reflected and one is basically

10:49

stored the example which I shown you

10:52

right now was the example of the stored

10:54

crossed scripting because in a stored

10:56

crossed scripting the Malicia scripts

10:58

permanently is stored on the server and

11:00

serve to user view that the stored

11:02

information so attacker post a comment

11:05

containing a malicious script on the

11:06

blog and every user who view the comment

11:09

section of the blog will have a script

11:11

execute on the browser the same example

11:13

we have discussed right so we have a we

11:15

have a client

11:18

here okay we have a

11:21

server client basically post the script

11:23

on the server use sorry hacker basically

11:26

post the script on the server now user

11:30

is there he basically visit the page

11:32

page is loaded on a client browser and

11:34

that script crashed the system okay so

11:37

this is basically what is happened in

11:38

the case of um stored cross scripting

11:42

but here in this attack we are waiting

11:44

for the user to click on the link okay

11:46

but if my target is very specific so in

11:49

that case I will basically perform the

11:52

uh reflective Crosset scripting okay so

11:54

how it works so example like here is a

11:57

hacker

11:59

this is the

12:03

hacker okay he know his Target is

12:06

specific domain okay the domain is

12:09

basically

12:12

suppose kk.com and there is a user is

12:16

basically name is user at

12:19

theate

12:21

kk.com okay so instead of sending a

12:25

script directly or sending a posting a

12:28

script on the server he sent the script

12:31

by the URL on his email so this is

12:33

basically where we sent the URL here we

12:35

have he sent a script on an email like

12:37

this way

12:40

HTTP okay gmail.com so he basically used

12:44

one legitimate domain slash he add the

12:51

script he add the script just give me a

12:55

second he add the script like uh script

13:01

scpt hi and

13:04

script so this is the script he

13:07

basically inserted with this URL and

13:10

sent a fishing email to this user which

13:14

is called kk.com so when user receive a

13:16

email he click on the link when he click

13:18

on the link it redirect to

13:21

Gmail Gmail received the complete URL

13:24

gmail.com with script so Gmail thought

13:27

user has requested for the script

13:29

without verifying he process script back

13:31

on the client system and by this way the

13:33

client system basically got crashed so

13:35

here we are not posting any script on

13:37

the server okay we using a script

13:40

embedded in the website web page web URL

13:43

sorry and we sent the script directly to

13:45

the client okay by a fishing link user

13:48

click on the link it basically request

13:51

server to open the

13:52

script if server is vulnerable for the

13:54

input validation it revert back the

13:56

script on the client system so this is

13:59

how the cross-site scripting reflective

14:01

cross scripting work that's why it's

14:03

called reflective it is a URL Bas it's

14:05

also called as a non-persistent stored

14:07

attack is called as a persistent and

14:09

reflected is called as a non-persistent

14:12

that's why we say malitia script

14:13

embedded in the URL executed immediately

14:15

upon clicking the link and the script is

14:18

not stored on the server so attacker

14:19

send a link containing a malitia script

14:21

and a URL parameter when user click the

14:24

link the server include the script in

14:25

the response execute in the user browser

14:28

so let me discuss how to identify

14:31

whether you are vulnerable or not see

14:33

when we talking about Crosset scripting

14:36

we look for many places where the user

14:37

input is expected like example where the

14:40

entering the text fields we basically

14:42

enter the search bar in the search bar

14:44

we also enter the scripts forms we have

14:48

user registration forms we have there we

14:49

enter then we have a URL parameters in

14:52

HTTP header we add there so this is how

14:54

the we enter the script script alert

14:56

script so this is the message which is

14:58

display okay

15:00

so sometime what happen we also need to

15:01

check how the application is basically

15:03

handle and render the user input if I

15:05

enter some suppose how to test so there

15:07

is a user form we have okay in which we

15:10

have a username and password in which I

15:12

will try to enter this particular script

15:15

if I enter the script and click on

15:16

submit and I'm getting a pop called xss

15:18

it means the server is vulnerable for

15:19

Crosset scripting if it's say invalid

15:22

value it mean it is protect from Cross

15:23

scripting so this is how you can able to

15:25

check how the application handle the

15:27

input sometime we have to review the

15:28

code and search for the place where the

15:30

input from HTTP request could possibly

15:32

make in a way of HTML output so these

15:35

are basically the parameters we have

15:37

that we consider so the question is now

15:39

how to basically secure so to secure the

15:42

things we basically use HTTP only and

15:45

secure flag in a cookie preventing

15:47

settings okay so this is something we

15:49

are using Okay so let's discuss this in

15:53

detail so first we're going to discuss

15:55

about uh HTTP only flag

15:59

see if you see the statement HTTP only

16:01

flag is used to enhance security by

16:04

restricting

16:05

access to cookies data from a client

16:08

side

16:09

script so question is how it work see

16:12

when any

16:13

cookie is basically set with the HTTP

16:17

only or HTTP only flag okay it is

16:21

basically tell the browser that

16:23

particular cookie should only be

16:25

accessed by the

16:26

server it mean this is basically a

16:28

client we have and he basically access

16:31

this particular site okay so this is the

16:34

site we have so this cookie is basically

16:36

access for this site only this cookie

16:37

cannot be misplaced or misused by any

16:39

other user because cookie is the way by

16:41

which we can able to track the session

16:43

because it's a HTTP is a stateless

16:45

protocol so any attempt to access the

16:47

cookie from a client side script which

16:49

is called Java is basically block and

16:51

this is particularly important in the

16:53

content of cross side scripting attack

16:55

so if any attacker manage to inject a

16:58

delicious script into the web page they

17:01

won't able to access the cookie marked

17:03

with the HTTP only which basically

17:05

prevent the script from stealing the

17:07

cookie data because when the script is

17:09

basically running on the client side the

17:11

script is trying to Fest the cookie so

17:13

here it basically prevent that so that

17:15

is why it is one of the most effective

17:17

Technique we are using in the Crosset

17:18

scripting second is basically we using a

17:21

secure the flag so secure flag is used

17:23

to ensure cookies are sent over the

17:25

secure channel so how it works is

17:28

normally what happen um you know when

17:30

when cookie set with secure flag overall

17:33

okay when cookies is basically set with

17:35

the secure flag it instruct the browser

17:37

to only send the cookie if the request

17:39

has been made over the secure protocol

17:41

such as https and this mean the cookie

17:44

will not sent over the unencrypted HTTP

17:46

which reduce the risk of cookie theft by

17:48

man in the middle attack so summar is

17:50

that HTTP only flag is primarily about

17:54

protecting the um cookie data from from

17:58

being accessed by unauthorized client

18:00

side script and thereby mitigating the

18:03

impact of Crosset scripting attack and

18:05

the secure flag Ure that cookies are

18:07

only transmit over the secure encrypted

18:09

connection protecting against the man in

18:11

the middle attack and both are the

18:13

essential for the robust web application

18:16

security

18:18

posture so the question is basically how

18:21

to review so when we talking about the

18:23

vulnerability detections okay so we

18:25

identify the user input source as a set

18:28

when user input the source and all that

18:30

input the value so that need to be

18:31

verified we also do the manual testing

18:34

on accss payload where we have a

18:35

security review the code and search for

18:37

all the PRS where input from HTTP

18:39

request could make it possible for HTML

18:42

output and we also use some kind of

18:45

automation scanning tool by which we can

18:46

able to identify the vulnerability in

18:48

the Crosset

18:50

scripting so prevention strategies

18:52

output encoding it mean whenever any

18:54

user feed

18:55

value it need to be verify it need to be

18:58

properly validate and we also implement

19:00

the content security policy which

19:01

inspect the content along with that we

19:04

also have a best practice like regularly

19:07

patch and update your servers secure

19:09

retaining for developers so they know

19:10

what is cross scripting so according to

19:12

that they write a code regular pen

19:14

testing on the application to test the

19:15

code and we also look for the monitoring

19:18

and auditing of the application along

19:20

with that we also have additional layer

19:22

like uh we can have a secure coding

19:24

practice use a web application firewall

19:26

so V we basically installed before

19:28

firewall like mode security and all that

19:30

and through that we try to block such

19:32

inputs and do the regular security

19:34

assessment now sometime what happen when

19:36

you're going for the application

19:37

security jobs they also ask some

19:40

questions so there are some questions

19:41

which is basically asked based on a

19:43

crossed scripting so example like there

19:45

will be question on what is crosses

19:46

scripting how does it works so you need

19:48

to explain

19:50

practicality and if you're able to

19:51

explain them well with this video also

19:53

it will be great second is can you

19:55

explain the difference between stored

19:56

cross scripting and reflected we already

19:58

disc discussed how can access attack be

20:00

preventative okay so this is a very

20:02

frequent question asked in the jobs then

20:04

there's a question on we'll give you the

20:06

piece of code identify if it's

20:07

vulnerable to accesses here they want to

20:09

test your skills whether you know

20:11

application security can you write a

20:13

simple script demonstrate reflected

20:14

across the scripting here they want to

20:16

test whether you are depend on tool or

20:17

do you have a special skill to send the

20:19

malicious URL and how do you implement

20:21

the content security policy here they

20:23

want to learn about whether you have a

20:25

development knowledge okay so that is

20:27

what we have

20:29

see uh we also have a comparison between

20:31

the Crosset scripting and Crosset

20:32

request fery uh I'm not going to discuss

20:35

Crosset fery in this video I have a next

20:36

video in which I'm going to explain the

20:38

Crosset request fery my suggestion is

20:40

that do watch that video also because by

20:42

then you can able to understand the Thin

20:44

Line difference between the cross

20:45

scripting and cross request fery so

20:47

cross scripting allow the attacker to

20:49

inject malitia script into the web page

20:51

which is view by the user and cross

20:53

scripting cross request fery it's a

20:56

vulnerability to take the user into

20:57

executing wanted action on the web

20:59

application so you can see like that in

21:01

Crosser scripting we exploit the trust

21:03

user has on the server because server is

21:06

basically process the script and return

21:08

back on the user machine but in the

21:10

cross a request fery we exploit the

21:12

trust server has on the user because

21:14

whatever the user clicks Ser will trust

21:15

that primary goal in the Crosset

21:18

scripting is to execute malicious script

21:20

in the user browser and in the Crosset

21:22

fraudery perform the unauthorized access

21:25

attack Vector in the Crosset scripting

21:27

is malicious script are injected into

21:28

the web content but in the cross request

21:31

fery maltia requests are sent to the web

21:33

application without user consent we'll

21:35

discuss okay in my next video we're

21:36

going to discuss user interaction does

21:38

not require user interaction but here

21:40

the user need to perform some action uh

21:42

data validation access policy both are

21:44

same dependency does not depend on the

21:46

user being authenticated because he

21:48

click unknowingly knowingly but in this

21:50

in the cross request fery he has to rely

21:52

on the link execute the content of user

21:55

browser and domain where we execute

21:56

request to Target site with the user

21:58

credentials as I said we'll discuss this

22:00

particular Topic in detail and then I'm

22:03

going to discuss the same table in my

22:04

Crosser request fery video okay then you

22:07

get a better visibility so do let me

22:09

know how do you find this video shall I

22:10

made more videos on the application

22:12

security and uh do share your feedback

22:14

in the comment section and which help me

22:16

to improve my content better thank you

22:18

so much good day bye