Cross-Site Scripting (XSS) Explained
HTML-код
- Опубликовано: 26 сен 2024
- #XSS #WebSecurity
This time we are going to explore the world of Cross Site Scripting under 12 minutes.
🔗 Links
✨ XSS Game: xss.pwnfunctio...
⭐ Code: github.com/Pwn...
Custom Twitch Chat XSS: • This is why you saniti...
🐤 Twitter: / pwnfunction
🎵 Track: Warriyo - Mortals (feat. Laura Brehm)
NCS link: • Warriyo - Mortals (fea...
This has truly been a lifesaver. My college professor told us to research this for a paper and gave us no source material whatsoever. Everywhere I look, the explanations are so technically written that it goes right over my head with my limited knowledge. (Usually, if I have to look up 3 terms before I finish the first paragraph, I'm out)
Thank you SOOOOOO much for describing this in detail without weighing it down with an excess of unnecessary jargon and high-level concepts.
DARYL YOU ARE WELCOME
Liveoverflow is also a good channel
@Daryl Ann It's funny how university and college just ends up being a scam where you pay $100k for a piece of paper. It is literally just a legalized scam if you think about it.
@@inspectorlunge3887 😂👍
You are lucky your professor told you about this, my professor did not even bother to mentioned these kind of attacks
Upload more frequently! :)
Wish I could double like this comment... I absolutely LOVE and RELY ON your content
No :)
00:50 SOP, the browser checks, blocks read and write 02:10 JS, access, DOM API, javascript injection technique, 03:21 basic classic example 05:35 reflected 05:54 stored 07:31 DOM XSS
dwangoAC of the custom Twitch chat XSS segment - thanks for including it! We had difficulty classifying it as well, and the realtime nature made it hard to say if it was truly stored XSS or not. The volunteer who wrote it learned valuable lessons that day.
I read so many explanations about XSS recently and yours is by far the best. Keep up the great work !
This lesson was sooooo well done my dude! It was great, lots of specifics but not so complicated that everything flew right over my head. Thank you!
The day has come
I finally got an xkcd reference :)
hey man , good to see you after a long time.. plan some frequent uploads ..
i do not leave comments often but.. my dude holy crap this was great. thank you. much more in depth and easy to understand compared to professor messer. loves the visuals. keep it up
Dude! You vids are amazing. Very technical which is great and your graphical explanations leave no room for guessing! Love it! Keep these going!
Glad you like them
This was the first video I saw from you but I have to say, I am really glad I’ve found this channel. Big subscribe and I hope that you will have a successful RUclips carrier
Been struggling to wrap my head around what xss was exactly for a while, and this cleared up a lot of things. Thank you. :)
Because you're a furry. Ropes are cheap
@@MechanicalMooCow bruh xd
Incredible video, I have been drinking allot of concepts from a water hose for my CySA+ and XSS for whatever reason was one I really struggled to conceptualize.
What you do for the community is awesome man. Thanks for the game and the great videos
"Lets talk about SOP, so that were all on the same page" nailed it
why this was not recommended to me
The fact that you didn't edit out the differentiation thingy just earned you a subscribe
You are super funny man love how you have a good time while making the explanations. Underated and I wish you well in your future I will be subscribing and supporting!
this is the first video ive watched of yours and I already love how you approach the over acrhing concept!
Bruh! I don't know who you are, but I will find you and hug you! (maybe after covid) Your explanations has been spot on with the perfect amount of words and video. You should teach class at university that way students will actually get what they are supposed to be studying! Hats off to you good sir.
Very helpful I keep learning, understanding, and then forgetting XSS. This time it stuck with me 👍
Hello ! I finally understood XSS ! Thank you man ! You're the best! Keep those videos coming. #subscribed
Your videos are so awesome. You explain stuff in such an easily-digestable manner. Please make more :)
Random tidbit: I had a phone interview with the guy who coined the term "XSS" (allegedly), he was absolutely obnoxious and made sure to let me know he came up with that term every 5 minutes.
Corrections on the same origin policy. You can "write" or "send" regardless of origin but the browser will hold onto any response that is coming from an untrusted origin.
This is the reason CSRF is not prevented by SOP.
This isn't hate mail btw, I love your videos and you helped me a ton in the past.
P.S. glad to see you're back!
Yes, the browser makes the call on whether to let a site read/write to other @ 1:20
Haha no worries, I take them any day! Cheers!
*Edit:* I had some second thoughts. You are actually correct in that you can't edit or overwrite the DOM of other pages using JavaScript from your page. If that's what you meant by saying "write" I don't know if SOP is the technology that is preventing that though. Because I don't see how you'd target DOM elements for editing using XHR. Is it just a JavaScript limitation or is SOP stepping in? Hmm...
@@Hope-kf1nl As far as I'm aware, SOP checks are performed before performing any kinda cross origin actions which include making network requests or accessing document of a different origin.
@@PwnFunction Yes, it is a browser-based protection. I know that it will prevent requests that must be preflighted, limiting all requests to a GET/POST. SOP is a firewall and will check any requests that are not "simple"
For example, JSON with Padding was a hack developers used to get around SOP before CORS was adopted. We used to send over JSON containing JS functions within a callback. Then developers would insert that callback into a set of tags.
SOP wasn't preventing that type of write / send because the requests were still considered simple because the JavaScript was inside the GET parameters and not part of the HTTP Body. So the MIME wasn't getting preflighted.
@@Hope-kf1nl Sure thing, not all kinds of "reads" violates the policy - web.dev/same-origin-policy/#what-is-permitted-and-what-is-blocked . But I guess it just boils down to a policy, affecting cross origin actions.
yo pwn function, i love your vids, please try to post more. i have watched all ur vids and learned a ton from each which I thought i wouldn't have so ur channel has been an all around big help. I love ur content so maybe just trying to post when u can will be great...
Came here from the deserialization vid. Awesome content, well done. +1 Sub.
I wish I've found this channel way before, great content!❤️
Huge respects bro! You have a great and unique way of teaching
In my view, the biggest fundamental flaw of the same origin policy is the fact that it is purely a client side implementation.
Case and point: fork Chrome, turn the flag off you have a CORS-less browser. Why you'd want that when it would be a detriment to your own good is another question. But you can do it. You don't even need to change the code. As far as I know, there still exists a flag you can pass when launching Chrome (and other browsers) to turn it off.
And now we have "Local Overrides" in Chrome's dev tools. This is a wonderful tool that has helped me debug a number of issues in production, but it also is a wonderful asset to performing XSS attacks on sites you shouldn't have authority over.
It's also possible to manipulate the perception of who you're communicating with by modifying your local hosts file. Add break points to another site's scripts, pause execution at important points, retarget your domain to a local server you're serving assets from, revert hosts file, resume execution as desired.
I'm sure there's a number of brighter people than me here who have even better examples of how easy it is to circumvent the minimal protection that is there, so it leaves me wondering why we have an entire ecosystem of technology built around such shaky ground.
It seems to me that we should have implemented better security mechanisms for these sort of things in the actual protocol level. In the same way in which we introduced websockets by "upgrading" connections, it feels like more should be done in this area to mitigate the weak protection client-side CORS policies provide.
Happy to see u back I missed u
thank you so much, a lot of websites and forums just say like: blah blah if you write blah blah blah in blah you will get blah blah blah. but now i get how it works
Realy a great content that you made~ I really like it & thank you for creating this.
I hope you'll make another content more frequent~
that 'same page' joke is what got you a thumbs up.
Dude your video editing skills are next level. Keep up the good work!
One of the best explanation for XSS. Thank you very much for this video and also for learning resource.
Liked and subscribed! Thank you so much! This was really really well done and explained!
Edit: Was I subscriber nr 14.000?!
Absolutely loved this video! The intro video, your style of talking, those amazing blue and pink (I guess they are called pastel colors?) colors. It was really fun to watch this video and get a general knowledge about XSS. Keep this us, buddy! Definitely sub from me!
Great explanation. And that video of the streamer 100% go watch it everyone!! I am so thankful you put that link there for us, haven seen such an amazing video for a while xD
Samy worm reference caught! Great video btw, very clear and useful
This should be at the top of my youtube search! I keep seeing random half assed videos on XSS.
But this kinda gold is down the list for some reason.
I love your video making style, it makes it fun to look at
Waiting for next video! You're making top content!
Top Notch explanation of a difficult topic. Loved the graphics and animation. Barvo!!
First time watching ur vid. Love the icon!
Samy is my hero....the classic myspace prank... loved the reference
Can't believe more people haven't seen this, very well explained and at a very good pace.
Thank you very much sir! you cleared all my doubts :) . Your way of presentation of topics is really really good! :D
It's a perfect video! I finally understand everything. Thank you so much!!!!
By the way, the video fragment was so funny))
You are good at explaining.
If all your videos are going to be like this, consider you have a new subscriber .
Please make more videos on different Web Vulnerability types , And maybe some more demos on them .
Love your channel ❤️
Thanks brooo. A little late onto security. But it was a great learning experience 🥳💐
This was amazing! Thanks for the upload, currently exploring your channel :)
Yo, I can confirm this vidoe is better than a QS top 100 uni lecture video, sorry professor :)
Thank you for your work! Amazing explanation!
FINALLY! a great video on XSS! Thank you!
Simple, entertaining, and engaging. Subbed. Teach me more. -Cyber Security student
I actually subscribe after the first few animations. Clean tutorial.
Excellent videos, amazing production value
Imagine they would have named it CSS (ross ite cripting)
This was so well done. By the way, what software do you use to do the drawing on your videos?
Dude you're awesome 👌
Your explanation and example is exactly what I was looking to properly understand
Thanks.
Do you have a video on XSRF also???
NM, I just found it haha
Thanks
keep up the good work, very nice animation and super clear explanation thank you
Also, we should preferably use innerText attribute to put content inside a html element
Dude your content is awesome omg! I guess what finally made me click was you saying that the name XSS is probably not the best one (stopped focusing on the name to realize it's just an injection technique :)
a webpage to practice xss with examples? i think i love you
You have made my life easier. Thanks
my mind are blowing up. when seen the beginning of your video that mention my name. 😓😓😓
Yo bobby is here!
hahaha love the "Samy is my Hero!" blip thrown in there
GREAT video man, keep the content!
Amazing explanation of XSS. Kudos mate
Lil Bobby tabels you forged his name to Bobby script!! Xoxo love from India... keep up the good work cheers
Welcome mate , Please more videos
bro you just taught me what I wanted.
big fan 😊❤
Awesome explanation man! Hats off! 👌
Thank you for getting us all on the same page ;)
Thank you for building that website!
And for this video
"bobby tables" this brought back some memories
Awesome content! Keep doing it!
What happen to you man!
Many of them are waiting for your video
You are such a awesome youtuber i saw earlier
im still waiting for the next video
When i saw your video at first time i didnt understand that much .then i watch many times and understand the concept of the vulnerability
i hope you upload your next video on november
You are literaly awesome
regards,surya
hey man please make videos more frequenty and put here for us to learn. I love your work man!!
God exists, ladies and gentlemen and his youtube channel's name is PwnFunction
this guy has the coolest intro
Good quality content and thanks for explaining XSS
Pretty cool explainer video on XSS!
Love the graphics and explanation 👌
wow what a great video. I hope you will do a lot more videos like this!
I'll learn how to do security. Thanks for showing it to me!
Helped me SO MUCH! thx!
I hope everyone is wearing their hoodies while watching this
Preeety cool video, thankyou!
Thank you, that was a very clear explanation.
Amazing video. Keep them coming
Here before this channel blows up
Nicee my hero
u are great dude, happy i found u out
best explanation on the internet!!
Instantly subscribed
This is a really great video tutorial. Thank you.
Great video man. Btw, how do you do these animations? IPad recodings?