Hey there, welcome back. In our previous lessons, we focused on stored cross-site scripting attacks and distinguished them from reflected cross-site scripting attacks. We're about to wrap up this module. But before we do, I want to address how dangerous these attacks can truly be. In this lesson, I will give you some examples of real-world vulnerabilities that resulted in these kinds of attacks. After this lesson, you'll be able to discuss the dangers associated with cross-site scripting attacks, give real-world examples, and explain why it is so important to have a secure programming professional equipped to protect against these types of attacks. Let's get started.

Cross-site scripting attacks are one of my favorite types of attacks because no matter how hard we try, there always seems to be a way to attack it, and there are always vulnerabilities. Famously, Google has made a game against cross-site scripting to show and demonstrate how these vulnerabilities are created, and they often make mistakes even on their own platforms, and there have been several cross-site scripting vulnerabilities noted on their webpages. Developers have to work very hard to properly sanitize and encode the data that is being displayed to the users to protect the users against these types of attacks.

As we discussed, cross-site scripting vulnerabilities execute on the user's machine, in their browser. The code is then often used to steal credentials or make posts against the vulnerable websites. But given their level of access to the user, meaning running JavaScript as the user, the code could practically do much more damage. You can make requests on behalf of the users against the vulnerable webpage, or even other resources the user has access to.

Now, if you've ever worked in a large enterprise, you've seen that a lot of resources like shared drives, web portals, printers, and IoT devices don't require users to authenticate.
By that I mean typing the username and password. It magically happens in the background. That's because enterprises employ various authentication schemes in the background like NTLM, SAML, or Kerberos. Now, if you've never heard of those technologies, don't worry about it, but just know that those do authentication in the background so the user is not interrupted and asked for their username and password. In this type of setup, JavaScript running in the user's browser could do far more than just steal credentials. The JavaScript could run scripts to authenticate to various services that the enterprise provides, making it tremendously dangerous because in this case, the attackers are acting on behalf of the user inside of an enterprise.

A notable version of this is a talk that was given at Black Hat, where the attackers were able to write a port scanner to scan the open ports and map out the internal organization from inside the network. So regardless of all the firewalls the enterprise had employed to protect their perimeter, the inside of the network was still compromised by this type of attack.

There are several major cross-site scripting vulnerabilities that you may have heard of in the industry. Most recently in 2017, eBay had a persistent cross-site scripting vulnerability that allowed attackers to steal credentials and session tokens from the user. I'll leave a link to that article in case you're interested.

One of the most famous cross-site scripting vulnerabilities is from back in the days of Myspace. If you're familiar with Myspace, that's great; if you're not, think of it as what came before Facebook. Samy wrote this cross-site scripting vulnerability that wormed its way through Myspace and got them into quite a bit of trouble. Essentially, what Samy's worm did was that anytime anyone visited Samy's page, Samy would simply add himself as a hero to the visitor.
So Samy would then be added to the list of heroes, and it would also upload Samy's cross-site scripting code onto that user's page. So now, anybody who visited Samy's page or that first infected user's page would then get Samy added as their hero, and they themselves would be infected and go on to infect more and more users.