WEBVTT

00:00.800 --> 00:07.240
Okay, now let's go and very fast create another method to test XSS on a form.

00:07.280 --> 00:07.680
Okay.

00:08.200 --> 00:10.840
So in here I'm going to create this method.

00:11.040 --> 00:13.000
Let's create this by the name of.

00:13.520 --> 00:17.280
test_xss_in_form, something like that, okay.

00:17.520 --> 00:23.960
This is an end of our something like this.

00:24.280 --> 00:28.520
So first we need to give the self keyword to this method.

00:28.520 --> 00:30.200
And then we need to give a form.

00:30.680 --> 00:33.720
And then the very important thing which is the URL.

00:34.280 --> 00:38.560
So here I'm going to give the script.

00:38.600 --> 00:39.400
Okay.

00:39.440 --> 00:40.760
It is going to be xss.

00:40.760 --> 00:45.760
Underscore test underscore script.

00:46.320 --> 00:53.520
It is going to be equal to in here I need to give the script.

00:58.120 --> 01:01.640
And in here let's provide the thing we want.

01:01.680 --> 01:04.120
For example, it is going to be an alert.

01:06.120 --> 01:15.040
XSS, and if it is filtered, so that you are not able to use this, then you can add some change here.

01:15.040 --> 01:22.680
For example, make this C capital here and also the P or another letter capital here.

01:22.680 --> 01:27.360
So it bypasses the filter, okay.

01:28.080 --> 01:33.200
And the next thing is to use the submit form.

01:33.200 --> 01:39.400
So I'm going to create another variable, name it response.

01:41.000 --> 01:45.840
So it is self dot submit form.

01:46.200 --> 01:52.040
And in here we are going to give the form as the first variable, as the first argument.

01:52.040 --> 01:58.000
The next one is going to be the value okay.

01:58.160 --> 02:05.150
Now the value is going to be xss_test_script, and the next one is going to be, I think, URL.

02:06.310 --> 02:07.950
So here add some.

02:10.070 --> 02:10.990
Space okay.

02:12.590 --> 02:18.150
The last thing is that we need to check okay.

02:19.230 --> 02:31.670
We need to check if this xss_test_script is in the response that we just got, okay.

02:31.670 --> 02:34.190
We just got that content.

02:34.870 --> 02:36.510
Then let's return something.

02:36.510 --> 02:39.790
Return true.

02:39.790 --> 02:48.430
And right now, as you see, this xss_test_script is something like a string.

02:48.710 --> 02:56.270
And also this response.content is an object, or it is a bytes object.

02:56.590 --> 03:01.750
So if you want to compare this to this and then check it, because this one is a string,

03:01.750 --> 03:03.710
We cannot check it inside here.

03:03.990 --> 03:07.430
So we need to change this to a bytes object.

03:07.950 --> 03:09.950
So a bytes-type object.

03:10.070 --> 03:13.590
To do that we use encode method here.

03:13.630 --> 03:13.830
Okay.

03:13.870 --> 03:14.870
So it will encode that.

03:14.870 --> 03:17.190
Then we will be able to check it here.

03:18.550 --> 03:28.950
Now save this and then go to here, in this part, as you see here we are using submit_form.

03:29.230 --> 03:32.550
So I'm going to remove this or let's check it first.

03:32.550 --> 03:34.750
Here we have extract form.

03:34.750 --> 03:36.710
So it will extract this from this link.

03:36.750 --> 03:37.790
No problem okay.

03:37.830 --> 03:38.990
That is what we want.

03:39.190 --> 03:41.110
And the next one is submit form.

03:41.110 --> 03:48.670
So I don't want this, okay, I want something else, I want the method that I just created.

03:48.670 --> 03:51.990
It is called test_xss_in_form.

03:51.990 --> 03:56.270
And the first thing I need to give is the form itself.

03:56.270 --> 03:58.060
So the form comes from here.

03:58.140 --> 04:05.420
The next one is a URL, and we don't have a value here, so I will remove the value.

04:06.180 --> 04:07.220
Let me show you.

04:08.220 --> 04:12.060
You see we have the first thing as here form.

04:12.060 --> 04:13.340
The next one is URL.

04:13.940 --> 04:17.580
And the same thing goes here we have the form and then we have the URL.

04:17.580 --> 04:20.540
So I will start checking that in here.

04:20.540 --> 04:28.860
Then we print the content, not the content, only the response, okay. Now if I save this and then if I

04:28.900 --> 04:31.540
come back here use Ctrl S to save this.

04:32.140 --> 04:35.580
And let's go and execute this to see what is going to happen.

04:43.500 --> 04:44.060
Okay.

04:44.060 --> 04:49.820
After a while you see we have None here, and I know why that is.

04:51.860 --> 04:53.180
We have None.

04:53.180 --> 04:56.420
And it is uh, it has a reason.

04:56.500 --> 05:01.780
But if you were able to do the attack,

05:02.140 --> 05:04.140
you must see a True here.

05:04.180 --> 05:04.420
Okay.

05:04.460 --> 05:06.220
But you didn't see that.

05:07.420 --> 05:10.620
And that is because of a high security.

05:11.100 --> 05:21.780
Because this machine you see here, it has something in here that has a security

05:21.820 --> 05:23.100
keyword that is high.

05:23.140 --> 05:26.780
Now we need to change it to low or medium to test our script here.

05:26.820 --> 05:27.780
Okay.

05:27.780 --> 05:34.980
So you need to come to this location: /var/www/dvwa/dvwa/includes.

05:34.980 --> 05:38.980
And in here we could find the file or let me go there.

05:39.020 --> 05:39.660
Okay.

05:39.700 --> 05:51.780
You see the /var/www and then dvwa, dvwa.

05:51.780 --> 05:55.260
And then we have includes, and then hit enter, ls.

05:55.540 --> 06:02.410
In here we have a file called dvwaPage.inc.php.

06:02.690 --> 06:04.490
So we need to edit this.

06:04.530 --> 06:06.130
I'm going to use nano here.

06:06.770 --> 06:07.370
Nano.

06:07.410 --> 06:11.210
Then let's use sudo first, okay, sudo nano.

06:11.330 --> 06:17.170
And then we have dvwaPage.

06:19.690 --> 06:22.650
dvwa.

06:24.850 --> 06:28.770
Page.inc.php, okay.

06:29.330 --> 06:35.210
Now let's hit the down arrow and come down here.

06:35.250 --> 06:36.530
It doesn't have any line.

06:36.530 --> 06:44.450
So in here you see we have setcookie, and its security is

06:44.450 --> 06:44.690
high.

06:44.730 --> 06:45.250
Okay.

06:45.290 --> 06:49.330
We need to change this. I'm going to change it to medium, okay.

06:51.290 --> 06:51.770
Medium.

06:51.770 --> 06:56.690
And then use Ctrl+X and then Y.

06:57.170 --> 06:58.210
And then hit enter.

06:59.170 --> 07:00.410
And that is it.

07:00.410 --> 07:00.810
Okay.

07:01.730 --> 07:08.370
Now, if I come back here and re-execute the program, after a while, you see, we have True here.

07:08.410 --> 07:09.290
Okay.

07:09.330 --> 07:11.730
That means it happened successfully.

07:11.730 --> 07:15.730
You are able to execute your script.

07:15.730 --> 07:16.890
That is here.

07:16.930 --> 07:17.930
Okay.

07:17.970 --> 07:19.810
A small script here.

07:19.810 --> 07:23.130
You were able to execute that in here.

07:23.130 --> 07:23.850
In this form.

07:23.850 --> 07:24.890
In this location.

07:25.290 --> 07:30.090
So let me show you that here once again we have script.

07:31.570 --> 07:33.450
And again we have.

07:35.490 --> 07:36.370
Script.

07:37.530 --> 07:39.770
And then we have alert here okay.

07:46.770 --> 07:48.450
For example, it is going to be XSS.

07:48.850 --> 07:49.970
Now if I hit enter.

07:53.490 --> 07:54.490
Just a moment.

07:54.920 --> 07:58.920
If I hit submit, you see that we get XSS here, okay.

08:00.560 --> 08:03.320
And the same thing goes with the script.

08:03.360 --> 08:03.640
Okay.

08:03.680 --> 08:08.200
I was able to execute my script here.

08:09.040 --> 08:09.320
Okay.

08:09.360 --> 08:17.400
First I extracted this form and then I entered the thing I wanted, which was the script.

08:17.400 --> 08:18.880
And then I hit submit.

08:18.960 --> 08:23.080
And you saw that we got the True keyword here.

08:24.200 --> 08:24.400
True.

08:24.440 --> 08:27.600
That means we are able to do that.

08:27.600 --> 08:32.800
Now I am able to use these functions here.

08:32.840 --> 08:33.440
Okay.

08:33.480 --> 08:39.800
But before that, let's go and see how we can do this kind of attack on links as well.

08:39.840 --> 08:40.040
Okay.

08:40.080 --> 08:44.080
So here you saw how we did this on a form.

08:44.440 --> 08:48.120
And we will now be able to test that, to use it here.

08:48.920 --> 08:52.920
And I will complete this in the next videos.
