Hello, and welcome to secure JavaScript programming with Vladimir de Turckheim. In this video, we will talk about stored and blind XSS attacks. Here we've got a simple form. If you just watched the reflected XSS video, you probably already know it. It's a simple form to subscribe to a newsletter on a website; it's not really important. We have someone named John Doe and [inaudible] their e-mail address. We show them a confirmation message saying that they will get an e-mail. Also, we have a subscriptions page that lists all the people who have subscribed. Here we've got their name and their e-mail address. Of course, this endpoint should probably be behind authentication, but that's not the interesting part right now. What's interesting is that this comes from a database, and I can reload it. Unlike the previous video, the payload, so the content of the page, is not coming from the request. If I subscribe another user with an XSS attack in it, there is no XSS here, because there is no reflected XSS in this page anymore. But if I go there, I've got the code executing. Because here in the table (yes, I'm the last person on Earth who uses HTML tables) there is a script that has been injected, and I can reload this page as much as I want: this is staying. So that's what's called a stored XSS. It has been placed there, and everyone who loads this page will get the attack, meaning that, unlike a reflected XSS, which usually targets a single person at a time, this attack can target everyone who has access to this page. Let me restart the app to do that. Now I've cleared the database, and let's say I want to do `<img src=` http slash slash dot 0 slash this, and now I close the image tag. I could, using a script, have the URL of the image contain the cookies. So instead of doing an `<img src=...>`, I would create an image tag and update its URL later with a script, always in this field, that will actually contain the cookies.
It's a complicated way of doing what I want to do. But because I put that on an image URL, the browser will do a GET request to that URL, and the remote server is a malicious server that I have crafted to log every incoming request. Here, I just have this, but now it actually loads the contents of the cookies. So you have no cookies in this app, and that's probably a failure for me. But this logs the content of the cookies, and I could do an image request to a remote server. These requests to a remote server are not actually limited by the Cross-Origin Resource Sharing policy by default, and leak the cookie later. When this happens and the attacker is aware, knows on which page it will actually render, [inaudible] or at least reliably by the attacker, this is what's called a stored XSS, because it's just stored and the attacker knows where it is going. When the attacker injects a malicious payload and they don't know where it will render, so they just inject as many malicious payloads as they can into the database and hope one will render, that's what's called a blind XSS. That means that it's a stored XSS, but you don't know what the result will be, and you have to monitor your remote server to know whether it worked or not. This has been created by my good friend Adam ballerinas, a concept that's pretty cool. How to protect against stored XSS? Well, the first layer of defense is once again to escape everything you render in the template. That's actually very important. The second layer of defense is to prevent writing weird stuff into your database. Either you want a Web Application Firewall to detect the attempts, or you also want to sanitize, with sanitizing libraries, the things that get into your app. Sadly, because browsers are very permissive in what they execute, sanitization is limited in what it can really achieve.
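As an added example (not code from the video or its demo app), here is the subscribers table rendered the vulnerable way and the escaped way, with an in-memory array standing in for the database and a constructed payload as the stored row; `escapeHtml`, `subscribe`, the two render functions and `hasUnescapedPayload` are all names assumed for this example.

```javascript
// Constructed in-memory "database"; a real app would read this from its store.
const subscribers = [{ name: "John Doe", email: "john@example.com" }];

// What the subscribe form writes: the value persists and is served to every visitor.
function subscribe(store, name, email) {
  store.push({ name, email });
  return store.length;
}

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: stored values go straight into the markup (stored XSS).
function renderSubscribersUnsafe(rows) {
  const body = rows
    .map((s) => `<tr><td>${s.name}</td><td><a href="mailto:${s.email}">${s.email}</a></td></tr>`)
    .join("");
  return `<table>${body}</table>`;
}

// Hardened: every interpolated value is escaped, in text and attribute positions alike.
function renderSubscribersSafe(rows) {
  const body = rows
    .map((s) => `<tr><td>${escapeHtml(s.name)}</td><td><a href="mailto:${escapeHtml(s.email)}">${escapeHtml(s.email)}</a></td></tr>`)
    .join("");
  return `<table>${body}</table>`;
}

// Regression check for a test suite: a live <script> tag, or a quote that closed
// an attribute and was followed by an on* handler, means escaping was skipped.
function hasUnescapedPayload(html) {
  return /<script\b|"\s+on[a-z]+=/i.test(html);
}

// Constructed payload row: a script in the name, an attribute break-out in the email.
subscribe(subscribers, "<script>alert(1)</script>", 'x" onmouseover="alert(2)');

console.log(hasUnescapedPayload(renderSubscribersUnsafe(subscribers))); // true
console.log(hasUnescapedPayload(renderSubscribersSafe(subscribers)));   // false
```

Template engines do this for you when you use their escaping syntax (for example EJS `<%= %>` rather than `<%- %>`); the hand-written `escapeHtml` only shows what that syntax does on every interpolated value.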
It will not be a silver bullet. The real way is actually to use either that, or a single-page application, but in that case you may be vulnerable to DOM-based XSS, and I don't want to spoil the next video. Thanks so much for watching this short video on reflected, stored and blind XSS. See you soon.