1
00:00:00,810 --> 00:00:02,870
The next two exploits we're going to discuss

2
00:00:02,870 --> 00:00:05,500
are types of web application vulnerabilities.

3
00:00:05,500 --> 00:00:07,640
These are known as cross-site scripting

4
00:00:07,640 --> 00:00:09,940
and cross-site request forgery.

5
00:00:09,940 --> 00:00:11,980
Cross-site scripting occurs when an attacker

6
00:00:11,980 --> 00:00:15,650
embeds malicious scripting commands into a trusted website.

7
00:00:15,650 --> 00:00:17,630
When this occurs, the attacker is trying to gain

8
00:00:17,630 --> 00:00:19,830
elevated privileges, steal information

9
00:00:19,830 --> 00:00:22,510
from the victim's cookies, or gain other information

10
00:00:22,510 --> 00:00:24,740
stored by the victim's web browser.

11
00:00:24,740 --> 00:00:26,670
During a cross-site scripting attack,

12
00:00:26,670 --> 00:00:29,510
the victim is the user, not the web server.

13
00:00:29,510 --> 00:00:32,010
The web server has already been compromised, possibly.

14
00:00:32,010 --> 00:00:34,340
A cross-site scripting attack exploits the trust

15
00:00:34,340 --> 00:00:36,490
that exists between a user's web browser

16
00:00:36,490 --> 00:00:38,730
and the web server that they're visiting.

17
00:00:38,730 --> 00:00:40,670
This often happens because the attacker is

18
00:00:40,670 --> 00:00:42,150
able to insert some malicious code

19
00:00:42,150 --> 00:00:44,250
into a web page that's being delivered

20
00:00:44,250 --> 00:00:47,100
from the server to the victim or client.

21
00:00:47,100 --> 00:00:50,180
There are three types of cross-site scripting attacks:

22
00:00:50,180 --> 00:00:54,170
stored and persistent, reflected, and DOM-based attacks.

23
00:00:54,170 --> 00:00:56,600
A stored and persistent cross-site scripting attack

24
00:00:56,600 --> 00:00:58,890
attempts to get data provided by the attacker

25
00:00:58,890 --> 00:01:02,030
to be saved onto the web server by the victim.
26
00:01:02,030 --> 00:01:04,510
Now, in a reflected cross-site scripting attack,

27
00:01:04,510 --> 00:01:07,240
the attempt here is to have a non-persistent effect

28
00:01:07,240 --> 00:01:08,870
which is activated by the victim

29
00:01:08,870 --> 00:01:11,170
clicking on a link on that site.

30
00:01:11,170 --> 00:01:13,440
In a DOM-based attack, this is going to attempt

31
00:01:13,440 --> 00:01:15,710
to exploit the victim's web browser itself,

32
00:01:15,710 --> 00:01:17,070
and it's often called a client-

33
00:01:17,070 --> 00:01:19,230
side cross-site scripting attack.

34
00:01:19,230 --> 00:01:20,830
This comes from the fact that the user's

35
00:01:20,830 --> 00:01:24,750
document object model, or DOM, is vulnerable to the attack.

36
00:01:24,750 --> 00:01:27,420
The DOM is part of the user's web browser.

37
00:01:27,420 --> 00:01:29,370
To prevent cross-site scripting attacks,

38
00:01:29,370 --> 00:01:31,100
programmers should use output encoding

39
00:01:31,100 --> 00:01:33,270
in their web applications to prevent code

40
00:01:33,270 --> 00:01:35,830
from being injected into them during delivery,

41
00:01:35,830 --> 00:01:38,370
and they should also use proper input validation

42
00:01:38,370 --> 00:01:41,370
to prevent the ability for HTML tags to be inserted

43
00:01:41,370 --> 00:01:44,820
by users when they're entering information on a web form.

44
00:01:44,820 --> 00:01:46,960
As a user, you can help protect yourself

45
00:01:46,960 --> 00:01:48,580
from cross-site scripting attacks

46
00:01:48,580 --> 00:01:50,030
by increasing the security settings

47
00:01:50,030 --> 00:01:53,030
for your cookie storage and disabling scripting languages

48
00:01:53,030 --> 00:01:54,370
when you're browsing the web,

49
00:01:54,370 --> 00:01:56,020
just like we talked about back in the web

50
00:01:56,020 --> 00:01:59,350
browser configuration lesson of application security.
51
00:01:59,350 --> 00:02:01,730
Whereas cross-site scripting focuses on exploiting

52
00:02:01,730 --> 00:02:04,710
the trust between a user's web browser and a website,

53
00:02:04,710 --> 00:02:07,410
cross-site request forgery instead exploits

54
00:02:07,410 --> 00:02:10,140
the trust that a website has in a user.

55
00:02:10,140 --> 00:02:12,020
In a cross-site request forgery,

56
00:02:12,020 --> 00:02:14,700
the attacker forces the user to execute actions

57
00:02:14,700 --> 00:02:16,450
on a web server that they already

58
00:02:16,450 --> 00:02:17,980
have been authenticated to.

59
00:02:17,980 --> 00:02:20,010
For example, let's say that you've already logged

60
00:02:20,010 --> 00:02:21,630
into your bank's website and provided

61
00:02:21,630 --> 00:02:23,580
your username and your password.

62
00:02:23,580 --> 00:02:25,560
At this point, you're already authenticated

63
00:02:25,560 --> 00:02:27,320
and the website trusts you.

64
00:02:27,320 --> 00:02:29,640
If an attacker can send a command to the web server

65
00:02:29,640 --> 00:02:31,450
through your authenticated session,

66
00:02:31,450 --> 00:02:33,190
they are forging the request to make

67
00:02:33,190 --> 00:02:34,830
it look like it came from you.

68
00:02:34,830 --> 00:02:37,010
The attacker, in this case, will be unable to see

69
00:02:37,010 --> 00:02:39,400
the web server's response to his requests or commands,

70
00:02:39,400 --> 00:02:41,800
but he could still use this to transfer

71
00:02:41,800 --> 00:02:44,120
funds from the victim, change their password,

72
00:02:44,120 --> 00:02:47,840
or do a myriad of other requests on the victim's behalf.
73
00:02:47,840 --> 00:02:49,620
To prevent cross-site request forgery

74
00:02:49,620 --> 00:02:51,350
from being successful, programmers

75
00:02:51,350 --> 00:02:52,960
should require specialized tokens

76
00:02:52,960 --> 00:02:54,930
on web pages that contain forms,

77
00:02:54,930 --> 00:02:57,710
such as captions, utilize special authentication

78
00:02:57,710 --> 00:03:00,930
and encryption techniques, scan any XML file submitted

79
00:03:00,930 --> 00:03:04,090
by a user, and require cookies to be submitted twice

80
00:03:04,090 --> 00:03:06,460
for verification to ensure they both match

81
00:03:06,460 --> 00:03:07,960
and have the proper integrity.
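The two server-side defenses the lecture describes, output encoding of stored data against cross-site scripting (cues 37-43) and a CSRF token that must be submitted twice, in the form and in a cookie, and match (cues 73-81), as an added Python example that is not part of the original lecture. The `/transfer` handler, the session identifier, the server secret and the form field names are constructed for illustration. One refinement the lecture does not mention is assumed here: the token is bound to the session with an HMAC, so an attacker who can plant a cookie on the victim but cannot read the page still fails the check.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Constructed server-side secret (assumption: a real deployment loads this
# from configuration or a key store, never a literal in source).
SERVER_SECRET = b"demo-secret-do-not-use-in-production"


# ---- Cross-site scripting: a stored comment rendered with and without output encoding ----

def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: untrusted stored data concatenated straight into HTML.
    Whatever the attacker saved is delivered to every later visitor's browser as markup."""
    return '<li class="comment">' + comment + "</li>"


def render_comment_encoded(comment: str) -> str:
    """Output encoding: '<', '>', '&', '"' and "'" become HTML entities, so the browser
    displays the attacker's text instead of executing it."""
    return '<li class="comment">' + html.escape(comment, quote=True) + "</li>"


def contains_script_tag(rendered_html: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in rendered_html.lower()


# ---- Cross-site request forgery: synchronizer token + double-submit cookie ----

def issue_csrf_token(session_id: str) -> str:
    """Per-session token: random nonce plus HMAC(secret, session_id:nonce).
    The server embeds it in a hidden form field and also sets it as a cookie."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(cookies: dict, form_body: str) -> tuple:
    """Simulated POST /transfer handler (constructed). It requires
      1. an authenticated session cookie,
      2. a csrf_token field in the form body that matches the csrf_token cookie
         (the "submitted twice" check), and
      3. that token to be bound to the session via the HMAC.
    A forged cross-site request carries the cookies automatically but the attacker's
    page cannot read the hidden field, so the request is rejected before money moves."""
    session_id = cookies.get("session")
    if not session_id:
        return 401, "not authenticated"
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    form_token = form.get("csrf_token", "")
    cookie_token = cookies.get("csrf_token", "")
    if not form_token or not hmac.compare_digest(form_token, cookie_token):
        return 403, "csrf token missing or mismatched"
    if not token_is_valid(session_id, form_token):
        return 403, "csrf token not bound to this session"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


def demo() -> dict:
    """Three requests against the same logged-in session (constructed data)."""
    session = "sess-4f3a"
    token = issue_csrf_token(session)
    cookies = {"session": session, "csrf_token": token}
    # Legitimate submission: session cookie, csrf cookie and the hidden field all present.
    legit = handle_transfer(cookies, f"to=alice&amount=100&csrf_token={token}")
    # Forged request from an attacker's page: cookies ride along, hidden field is absent.
    forged = handle_transfer(cookies, "to=attacker&amount=100")
    # Attacker who can plant a cookie on the victim and echo it in the form: the two
    # copies match, but the value is not the session's HMAC, so binding rejects it.
    bogus = "deadbeef.0000"
    fake = handle_transfer({"session": session, "csrf_token": bogus},
                           f"to=attacker&amount=100&csrf_token={bogus}")
    return {"legit": legit[0], "forged": forged[0], "fake": fake[0]}


if __name__ == "__main__":
    print(render_comment_unsafe("<script>alert(1)</script>"))
    print(render_comment_encoded("<script>alert(1)</script>"))
    print(demo())
```

The unsafe renderer reproduces the stored XSS pattern from the lecture and the encoded one is the fix; for CSRF, the plain double-submit check alone (step 2) is defeated by an attacker who can set cookies for the site, which is why the third step binds the token to the session.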