WEBVTT

00:00:00.000 --> 00:00:05.970 align:middle line:90%


00:00:05.970 --> 00:00:10.690 align:middle line:84%
Let's put things simply
regarding XSS attack vectors.

00:00:10.690 --> 00:00:13.680 align:middle line:84%
You just have to focus on user
controlled data, regardless of

00:00:13.680 --> 00:00:15.060 align:middle line:90%
its source.

00:00:15.060 --> 00:00:18.270 align:middle line:84%
URL parameters and form
data may be the first things

00:00:18.270 --> 00:00:21.270 align:middle line:84%
to come to your mind,
but there's a lot more.

00:00:21.270 --> 00:00:24.900 align:middle line:84%
You should realize that users
control the HTTP request,

00:00:24.900 --> 00:00:27.750 align:middle line:84%
and so request headers
and cookies may also

00:00:27.750 --> 00:00:30.870 align:middle line:90%
be sources of hostile data.

00:00:30.870 --> 00:00:34.020 align:middle line:84%
The browser's local storage is
another typical attack vector

00:00:34.020 --> 00:00:38.100 align:middle line:84%
since malicious actors may
be able to tamper with it.

00:00:38.100 --> 00:00:42.000 align:middle line:84%
If your application expects
file uploads such as photos,

00:00:42.000 --> 00:00:44.890 align:middle line:84%
and then you're reading
the photo's metadata,

00:00:44.890 --> 00:00:48.290 align:middle line:84%
then it can also be used
as an attack vector.

00:00:48.290 --> 00:00:51.500 align:middle line:84%
Finally, a less obvious
source of hostile data--

00:00:51.500 --> 00:00:53.790 align:middle line:90%
external services.

00:00:53.790 --> 00:00:56.670 align:middle line:84%
If the application retrieves
data from other services,

00:00:56.670 --> 00:01:00.240 align:middle line:84%
for example, by means of
APIs, malicious actors

00:01:00.240 --> 00:01:03.090 align:middle line:84%
may decide to go after
those third party services,

00:01:03.090 --> 00:01:06.370 align:middle line:84%
indirectly compromising
your application.

00:01:06.370 --> 00:01:10.390 align:middle line:84%
Any data source is a
potential attack vector.

00:01:10.390 --> 00:01:13.060 align:middle line:84%
Keep in mind that attackers
will be able to execute code

00:01:13.060 --> 00:01:16.120 align:middle line:90%
remotely on victims' browsers.

00:01:16.120 --> 00:01:19.900 align:middle line:84%
The first thing attackers will
look for is session tokens.

00:01:19.900 --> 00:01:23.320 align:middle line:84%
If they can exfiltrate such a
token from a victim's browser,

00:01:23.320 --> 00:01:26.350 align:middle line:84%
chances are they will be able
to use it in another browser

00:01:26.350 --> 00:01:28.270 align:middle line:90%
to impersonate the victim.

00:01:28.270 --> 00:01:31.840 align:middle line:84%
This is called
session hijacking.

00:01:31.840 --> 00:01:34.270 align:middle line:84%
Even if session hijacking
is not possible,

00:01:34.270 --> 00:01:37.750 align:middle line:84%
attackers will be able to use
JavaScript to automate tasks

00:01:37.750 --> 00:01:40.330 align:middle line:84%
to scrape user data
from the DOM or to do

00:01:40.330 --> 00:01:42.640 align:middle line:84%
some actions on the
victim's behalf, such as

00:01:42.640 --> 00:01:45.470 align:middle line:90%
fraudulent transactions.

00:01:45.470 --> 00:01:47.510 align:middle line:84%
Being able to
execute code remotely

00:01:47.510 --> 00:01:50.510 align:middle line:84%
in specific pages,
such as the login page,

00:01:50.510 --> 00:01:53.490 align:middle line:84%
may give attackers
access to credentials.

00:01:53.490 --> 00:01:56.030 align:middle line:84%
There are other techniques to
trick the browser and password

00:01:56.030 --> 00:01:58.840 align:middle line:90%
managers to leak credentials.

00:01:58.840 --> 00:02:01.600 align:middle line:84%
Among other impacts,
attackers will always

00:02:01.600 --> 00:02:04.450 align:middle line:84%
be able to exploit the trust
relationship between the victim

00:02:04.450 --> 00:02:07.900 align:middle line:84%
and the website owner,
driving the former to download

00:02:07.900 --> 00:02:09.960 align:middle line:90%
and install malware.

00:02:09.960 --> 00:02:12.630 align:middle line:84%
Technical skills are required
to identify and exploit

00:02:12.630 --> 00:02:14.700 align:middle line:84%
the cross site
scripting vulnerability.

00:02:14.700 --> 00:02:16.950 align:middle line:84%
Nevertheless, there
are automated tools

00:02:16.950 --> 00:02:19.590 align:middle line:84%
to assist this task and
plenty of information

00:02:19.590 --> 00:02:21.630 align:middle line:90%
about the subject.

00:02:21.630 --> 00:02:24.900 align:middle line:84%
Threat agents may be
after specific victims.

00:02:24.900 --> 00:02:26.790 align:middle line:84%
Targeting an application
administrator

00:02:26.790 --> 00:02:28.500 align:middle line:84%
may allow attackers
to gain control

00:02:28.500 --> 00:02:31.350 align:middle line:84%
over a privileged account
and access sensitive data

00:02:31.350 --> 00:02:33.670 align:middle line:90%
or shut down the system.

00:02:33.670 --> 00:02:35.550 align:middle line:84%
On the other hand,
attackers may be

00:02:35.550 --> 00:02:40.480 align:middle line:84%
interested in a particular
individual, let's say a VIP.

00:02:40.480 --> 00:02:43.630 align:middle line:84%
If your application manages
sensitive data, such as health

00:02:43.630 --> 00:02:48.190 align:middle line:84%
records, the XSS exploitation
may give attackers

00:02:48.190 --> 00:02:52.300 align:middle line:84%
access to sensitive information
regarding that individual.

00:02:52.300 --> 00:02:55.810 align:middle line:84%
XSS can also be used
for widespread attacks.

00:02:55.810 --> 00:02:59.650 align:middle line:84%
It happened already in the
past, creating a worm effect.

00:02:59.650 --> 00:03:01.900 align:middle line:84%
To identify threat
agents, consider

00:03:01.900 --> 00:03:04.540 align:middle line:84%
who may want to gain control
over your application,

00:03:04.540 --> 00:03:06.550 align:middle line:84%
and how sensitive
is the information

00:03:06.550 --> 00:03:11.260 align:middle line:84%
your application manages, and
who may want to access it.

00:03:11.260 --> 00:03:14.110 align:middle line:84%
You'll find this table
in the OWASP Top 10.

00:03:14.110 --> 00:03:18.000 align:middle line:84%
Pause the video and take your
time to carefully read it.

00:03:18.000 --> 00:03:19.810 align:middle line:84%
In the next part,
we will exploit

00:03:19.810 --> 00:03:24.220 align:middle line:84%
XSS on our intentionally
vulnerable application.

00:03:24.220 --> 00:03:25.000 align:middle line:90%