1
00:00:00,660 --> 00:00:01,920
Welcome back to another video.
2
00:00:02,100 --> 00:00:05,580
In this video, we're going to talk about same origin policy.
3
00:00:06,660 --> 00:00:14,280
Browsers are often used as clients to access applications, but in reality, a browser is one of the
4
00:00:14,280 --> 00:00:20,490
most complicated software programs in the industry. Same origin policy is one of the features that many
5
00:00:20,490 --> 00:00:24,390
browsers support to protect users from a variety of attacks.
6
00:00:25,020 --> 00:00:31,710
Before we discuss same origin policy, it is important to understand what an origin is.
7
00:00:32,520 --> 00:00:38,970
When content is loaded from different sources on the Web, browsers should be able to differentiate
8
00:00:38,970 --> 00:00:41,190
between the content from different sources.
9
00:00:42,030 --> 00:00:44,310
This is where the origin comes into the picture.
10
00:00:44,850 --> 00:00:52,890
An origin is used to define different parties and draw boundaries between them. More precisely, this
11
00:00:52,890 --> 00:00:56,250
origin is represented as scheme, host and
12
00:00:56,250 --> 00:01:03,900
port. The scheme refers to the protocol used, for example HTTP or HTTPS, which we
13
00:01:03,900 --> 00:01:05,460
almost always see.
14
00:01:06,240 --> 00:01:12,520
The host refers to the domain name, and the port refers to the port number configured on the web server.
15
00:01:12,540 --> 00:01:19,110
So if you look at the example shown on the screen here, there are two domains which are considered
16
00:01:19,110 --> 00:01:21,210
to be from different origins.
17
00:01:21,540 --> 00:01:29,040
The reason is that in the first domain, the scheme is HTTPS, and in the second domain, the scheme
18
00:01:29,040 --> 00:01:30,500
is HTTP.
19
00:01:30,990 --> 00:01:34,320
That's one differentiator. If the scheme is different,
20
00:01:34,620 --> 00:01:37,740
these two domains are from two different origins.
21
00:01:38,250 --> 00:01:40,530
Similarly, we can check the host.
22
00:01:41,040 --> 00:01:44,610
The host in the first domain is legit.com.
23
00:01:45,300 --> 00:01:47,640
In the case of the second domain, it is evil.com.
24
00:01:47,640 --> 00:01:52,500
legit.com and evil.com are two different domains.
25
00:01:52,860 --> 00:01:56,850
And thus these two domains are from different origins.
26
00:01:57,300 --> 00:02:04,380
Similarly, the port in the first case is 443 by default because we are using HTTPS, and in
27
00:02:04,380 --> 00:02:08,010
the case of the second domain the port is 8080.
28
00:02:08,430 --> 00:02:14,760
Once again, these ports can be used to determine if these two domains are from the same origin or not.
29
00:02:15,420 --> 00:02:20,910
Remember, it is enough for one of these three to differ between the two domains.
30
00:02:21,210 --> 00:02:28,320
For instance, http://evil.com:8080 is one domain and http://evil.com:8089
31
00:02:28,320 --> 00:02:31,770
is another domain.
32
00:02:32,160 --> 00:02:38,550
Since the port number in these two domains is different, they are still considered to be from different
33
00:02:38,550 --> 00:02:39,260
origins.
34
00:02:39,750 --> 00:02:42,150
So that's how origin is defined.
35
00:02:42,750 --> 00:02:49,290
Communications between these different origins are generally known as cross origin interactions.
36
00:02:49,980 --> 00:02:55,650
Though cross origin interactions are beneficial, they are also the cause of several attacks.
37
00:02:56,550 --> 00:03:02,760
Some cross origin requests can be potentially dangerous and can cause a change in the state of the remote
38
00:03:02,760 --> 00:03:04,800
server. Cross site request
39
00:03:04,800 --> 00:03:08,670
forgery, or CSRF, is an example of such an attack.
40
00:03:09,360 --> 00:03:17,220
Now that we understand what an origin is, let's try to understand the same origin policy. Same origin
41
00:03:17,220 --> 00:03:25,560
policy, or SOP, is a browser-level security control which dictates how a document or script served by
42
00:03:25,560 --> 00:03:29,460
one origin can interact with a resource from some other origin.
43
00:03:30,270 --> 00:03:37,080
This ensures that scripts running under one origin cannot read data from another origin.
44
00:03:37,440 --> 00:03:45,450
So under same origin policy, cross origin writes are typically allowed, but cross origin reads are typically
45
00:03:45,450 --> 00:03:46,050
not allowed.
46
00:03:46,680 --> 00:03:48,900
Even when it comes to cross origin writes,
47
00:03:48,900 --> 00:03:54,720
there are some restrictions in certain cases, where additional requests will be sent by the browser to
48
00:03:54,720 --> 00:04:00,270
perform things like pre-flight checks, which is typically the case with XMLHttpRequest.
49
00:04:00,870 --> 00:04:06,330
But typically HTML form submissions are allowed by same origin policy.
50
00:04:06,900 --> 00:04:13,260
Now, keeping these concepts in mind, let's try to understand how some of the commonly seen vulnerabilities
51
00:04:13,260 --> 00:04:18,810
like cross site scripting and cross site request forgery are related to same origin policy.
52
00:04:19,240 --> 00:04:21,780
Let's first talk about cross site scripting.
53
00:04:22,380 --> 00:04:29,010
As I mentioned earlier, cross origin reads are typically not allowed. When you try to perform a cross
54
00:04:29,010 --> 00:04:30,090
site scripting attack,
55
00:04:30,330 --> 00:04:36,540
we typically try to execute JavaScript on the target domain and read sensitive information
56
00:04:36,540 --> 00:04:37,410
like cookies.
57
00:04:37,920 --> 00:04:44,730
Now, this is typically not allowed by same origin policy, so you cannot set up an attacker's domain
58
00:04:45,030 --> 00:04:51,900
and execute some JavaScript there in a way that it retrieves the cookies of the victim's website.
59
00:04:52,440 --> 00:04:58,920
And that's exactly the reason why you will have to find a way to execute JavaScript on the victim's website.
60
00:04:59,830 --> 00:05:06,500
That's cross site scripting. So because of the same origin policy, cross site scripting cannot be performed
61
00:05:06,680 --> 00:05:10,210
by executing JavaScript on an attacker controlled domain.
62
00:05:10,900 --> 00:05:17,600
Now, when it comes to CSRF, CSRF is typically performed by submitting a form which can make
63
00:05:17,600 --> 00:05:18,920
some state changes on the server side.
64
00:05:18,920 --> 00:05:23,690
You're not expecting to read any response from the server.
65
00:05:24,440 --> 00:05:27,770
This means we are just required to make a cross origin
66
00:05:27,770 --> 00:05:31,330
write, which is typically allowed by same origin policy.
67
00:05:31,700 --> 00:05:38,270
So when you're conducting a cross site request forgery attack, you can host your payload on an attacker
68
00:05:38,270 --> 00:05:39,330
controlled website.
69
00:05:39,860 --> 00:05:46,090
So this is how cross site scripting and CSRF are related to same origin policy.
70
00:05:46,280 --> 00:05:53,100
So same origin policy is a foundation for understanding cross site scripting and cross site request forgery
71
00:05:53,120 --> 00:05:53,690
attacks.
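The origin check walked through in this video and the read/write rule it states, as an added example in JavaScript that is not code from the video; the legit.com and evil.com URLs are the ones the video uses, and sopAllows is a deliberately simplified model that leaves out the CORS pre-flight case.

```javascript
// Added example, not code from the video: the origin tuple comparison and the
// simplified SOP read/write rule described above (runs under Node).
"use strict";

// Default ports as the video states them: 443 for HTTPS, 80 for HTTP.
const DEFAULT_PORT = { http: 80, https: 443 };

// Parse "scheme://host[:port][/...]" into the origin tuple {scheme, host, port}.
// Path, query and fragment are ignored on purpose: they are not part of the origin.
function parseOrigin(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#]+)(?::(\d+))?/i.exec(url);
  if (!m) throw new Error(`not an absolute URL: ${url}`);
  const scheme = m[1].toLowerCase();
  const port = m[3] ? Number(m[3]) : DEFAULT_PORT[scheme];
  if (port === undefined) throw new Error(`no default port known for ${scheme}`);
  return { scheme, host: m[2].toLowerCase(), port };
}

// List the components that differ; an empty list means the same origin.
function originDiff(urlA, urlB) {
  const a = parseOrigin(urlA), b = parseOrigin(urlB);
  return ["scheme", "host", "port"].filter((k) => a[k] !== b[k]);
}

function sameOrigin(urlA, urlB) {
  return originDiff(urlA, urlB).length === 0;
}

// Simplified SOP decision as the video states it: a cross origin write (such as
// an HTML form submission) is allowed, a cross origin read of the response by
// script is not, and a same-origin page may do both. The pre-flight / CORS case
// the video mentions is deliberately not modelled here.
function sopAllows(pageUrl, targetUrl, action) {
  if (action !== "read" && action !== "write") throw new Error("action must be read or write");
  return sameOrigin(pageUrl, targetUrl) || action === "write";
}

// The video's own examples as constructed input.
function demo() {
  return {
    httpsVsHttp: originDiff("https://legit.com", "http://evil.com:8080"),            // all three differ
    portOnly: originDiff("http://evil.com:8080", "http://evil.com:8089"),              // ["port"]
    defaultPort: sameOrigin("https://legit.com", "https://legit.com:443/login"),       // true
    crossOriginWrite: sopAllows("http://evil.com:8080", "https://legit.com", "write"), // true
    crossOriginRead: sopAllows("http://evil.com:8080", "https://legit.com", "read"),   // false
  };
}
```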