Transcript for:
Understanding Cross-Site Scripting

In this video we're going to talk about cross-site scripting. You'll sometimes see this abbreviated as XSS. The reason we don't refer to this as CSS, which would be cross-site scripting, is because we're already using that term for Cascading Style Sheets. So instead of being confused between what CSS we're referring to, cross-site scripting uses XSS. We originally called this cross-site scripting because there were multiple sites involved. Due to browser security issues, cross-site scripting allowed one site to share information with another site. Browsers today restrict any type of information exchange between different websites, but we are still able to inject these scripts using different mechanisms that we'll discuss in this video. You'll also find that there are a large number of cross-site scripting vulnerabilities, and we're constantly discovering new vulnerabilities with different applications.

This type of attack takes advantage of the trust that a user has for a site. As many of us have seen, once you log into a website you are often trusted on that website for a certain amount of time. This cross-site scripting attack takes advantage of that trust to gain access to information that might be on that third-party website. The script in cross-site scripting is commonly associated with JavaScript, although this is not the only type of script that can take advantage of XSS. But almost all browsers use JavaScript, and very few people have disabled JavaScript from running inside of their browser. So many websites are using JavaScript to display information on the screen that completely disabling JavaScript is probably not a viable option.

Here's a common implementation of cross-site scripting. We have you, the victim, that has your browser on your laptop. There's a trusted website that you've probably already logged into, and then there is the attacker that is going to try to use cross-site scripting to gain access to this website that normally they would not have access to. First, the attacker needs to get this malicious script to the victim. One very easy way to get scripts sent to someone is in their email inbox, so our attacker is going to send an email to the victim, and inside that email is a link that is going to run that malicious script. Once the user clicks that link, the link is going to redirect the user to this trusted website, and it's going to run a script on that trusted website. The attacker is going to receive information from that trusted website. This might be information about the user's account, or this script might take the user's session cookie, send that session cookie to the attacker, and now the attacker has the same access to that website as the victim does.

Let's watch a cross-site scripting attack take place in real time. I am on a website that is an intentionally vulnerable application through WebGoat. This is a shopping cart application. You can see there's a few things in the shopping cart, and just like most shopping carts, you provide a credit card number and a three-digit access code, and you click purchase, and it goes through the process of purchasing whatever you have in your cart. To get to this point we've had to log into this website. We probably have an account already in place, and we might even have our credit card information already stored on this website. So now that we've logged in, there is a level of trust that we, the victim, have with this website that we'd like to buy things from. If the attacker knows this, they can send us a malicious script, either through email or some other method, that will cause us to send this information into this trusted website.

So the script that we're going to run is the one that you see on the screen here. You can see it has simply an alert. Now normally we would not be seeing an alert on our screen, but for the purposes of understanding what's happening behind the scenes, I'm going to have this alert message pop up on the screen. What would normally happen is the information would be sent directly to the attacker rather than appearing on our screen. This is going to show my session information, and it's going to provide my session cookie on the screen. This is the cookie that would normally be sent to the attacker that they can then use to log in as if they were us. So let's copy this information, and we're going to put it into any of these fields that we have on this particular website. I'm going to delete what's already in one of these fields, and I'm going to simply paste in that entire script. And when I hit Enter, the script runs, and as you can see, it says "my session information" and shows my session cookie. And now that information could be in the hands of the attacker. This would normally be sent to the attacker, and they now would have full access to this website as if they were logged in with my account. So they can purchase things, they can change account information, and they might even have access to my stored credit card information.

Another type of cross-site scripting attack is one where the script is always stored somewhere for people to access. We refer to this as a persistent cross-site scripting attack or a stored XSS attack. In a persistent attack, the malicious script is stored on a public web page, and anyone visiting that web page is going to run the script. It's hard to direct this kind of attack because you don't know who's going to visit that particular web page. You might be able to focus in on a certain number of victims, or it may just be anyone who happens to visit that page. Imagine on a social media site an attacker putting this malicious script, and now anyone who visits that particular page on social media is running that script inside of their browser.

One of my favorite cross-site scripting attacks was in 2017, where Aaron Guzman found a vulnerability with an automobile. Specifically, it was a Subaru. When you log into the Subaru website, each user gets a login token. We saw an example of that in the cross-site scripting attack that we did. This token, however, never expires. Once you log in initially to the Subaru website, you are always logged in on that browser. This means if you could get the session token for any user that is logging in, you would have access to their account indefinitely. This means you might have access to change someone's profile information, so you could change it from their email address to your email address. And in the case of our more modern automobiles, you might be able to change things in the car itself. For example, from this web front end you might be able to unlock all of the doors to the car. And of course, Aaron found that on the Subaru website there was this cross-site scripting vulnerability in the web front end itself. Thankfully, this vulnerability was not exploited by any attackers and was resolved thanks to the hard work from the research team.

One way to prevent a cross-site scripting attack is to prevent the script from running at all. So you should never click links inside of an email message or click any links on a web page that's not trusted. You could also consider disabling JavaScript, but we use JavaScript so much on our modern browsers that it might not be a very useful way to browse the internet. Instead, you might want to use third-party utilities that are looking for these types of exploits and will stop them in real time instead of passing that script to another website. Sometimes these types of attacks are due to a vulnerability in a browser or in an application, so keeping everything up to date may allow you to stop this problem before it even becomes an issue. And ultimately, application developers need to make sure that they validate all of the inputs that are being put into their application so that someone can't run any type of script, malicious or otherwise. By making sure the application is secure, we can prevent any type of cross-site scripting attack from occurring.
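As an added example (my own code, not from the video and not WebGoat's): a comment-rendering function written in the vulnerable style the demonstration exploits, beside a version that HTML-encodes every untrusted value before it is placed into the page. The video's closing advice is to validate all inputs; output encoding at the point the data is written into HTML is the complementary developer-side control that stops a stored or reflected payload from being parsed as markup, and an HttpOnly session cookie is what keeps document.cookie from handing the session to a script that does run. The function names (escapeHtml, renderCommentUnsafe, renderCommentSafe, containsForeignTag, sessionCookieHeader) and the sample comment are my constructions; the payload in the sample is modelled on the alert shown in the video.

```javascript
// Added example, not from the video: the vulnerable rendering pattern and its
// hardened form, plus a session cookie that a page script cannot read.

// Characters with meaning in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode untrusted text so the browser shows it as literal characters rather
// than parsing it as markup. '&' is encoded first so entities already present
// in the input cannot be used to smuggle characters through.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-supplied text concatenated straight into markup.
// Anything that looks like a tag becomes a tag when the browser parses it.
function renderCommentUnsafe(author, body) {
  return `<li class="comment"><b>${author}</b>: ${body}</li>`;
}

// Corrected pattern: each untrusted value is encoded where it enters HTML text.
// A stored payload survives as visible text, not as executable code.
function renderCommentSafe(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Comparison helper for this example: does the rendered markup contain any tag
// the template itself did not emit?
function containsForeignTag(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed sample comment, modelled on the alert used in the video.
const STORED_COMMENT = {
  author: 'visitor',
  body: '<script>alert("my session information: " + document.cookie)</script>',
};

// Tags the template legitimately produces.
const TEMPLATE_TAGS = ['li', 'b'];

// Render the stored comment both ways and report whether a foreign tag got in.
function demo() {
  const unsafe = renderCommentUnsafe(STORED_COMMENT.author, STORED_COMMENT.body);
  const safe = renderCommentSafe(STORED_COMMENT.author, STORED_COMMENT.body);
  return {
    unsafe,
    safe,
    unsafeInjectsTag: containsForeignTag(unsafe, TEMPLATE_TAGS), // true
    safeInjectsTag: containsForeignTag(safe, TEMPLATE_TAGS),     // false
  };
}

// Set-Cookie value for a session cookie. HttpOnly keeps it out of
// document.cookie, so a script that does run cannot read it the way the
// video's alert does; Secure and SameSite narrow the exposure further.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}
```

The comparison helper is deliberately crude (it only looks for tag names the template did not emit); it exists to make the difference between the two renderings visible in a test, not to serve as a production XSS filter. Encoding belongs at output time, in the context where the data lands; text inside a `<script>` block or an unquoted attribute needs different encoding than the HTML-text case shown here.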