2017 OWASP Top 10: Cross-Site Scripting (XSS)
HTML-код
- Опубликовано: 11 сен 2024
- New 2021 OWASP Lightboard Series:
• 2021 OWASP Top Ten
Video 7/10 on the 2017 OWASP Top Ten Security Risks.
John Wagnon discusses the details of the #7 vulnerability listed in this year's OWASP Top 10 Security Risks: Cross-Site Scripting. Learn about this security risk and how to keep your Web Applications safe!
community.f5.c...
Thank you so much, this is the most insightful introduction of XSS I have found on RUclips.
glad you enjoyed it!
now i understand XSS thank you!
You're welcome...glad you enjoyed the video!
Though I found your presentation really neat and useful, I find it even 'neater' that you had logo on your shirt sewn backwards, to appear as it should once you mirror your video(s).
Kudos to you, good sir. I cant think of any other way you made this, unless you're actually writing mirrored which i highly doubt......
OgaDuby this guy..
Excellent video and exactly the right length. A topic like this needs a lengthy explanation to get one's head around it. Too many other vids try to sum it up in a few minutes only to leave the learner not really understanding what XSS is at the end of it.
glad you enjoyed it!
What a terrific video - very clear and concise - yet comprehensive and easy to understand!
Glad you enjoyed it!
@@devcentral❤
sexy videos dio
9:39
This video is amazing! I understood so much about XSS, Thank you!
glad you enjoyed it!
You guys are great. I can always be sure to see a quality video when clicking on F5 stuff.
Thank you! This is the best explanation I have ever seen!!!!!
appreciate the comment!
its now 7 because they change marking criteria for OWASP top 10 its now calculated by risk not for a number of attacks. XSS is still most popular attack but its not that dangerous like others ;)
great info...thanks for the clarification!
That's great info, even I too had impression that rating based on popular not by risk...but YES that's sound sense too.
you can't say it's not dangerous. because attacker steal cookie with help of XSS. and phishing also very dangerous. attacker use help of phishing email sending xss alert script and shows pop message. that way steal victim confidential data. why don't think that's not dangerous
@@joshwaphilip9840 yes u are right, sorry for my English back then ;p
Thank you
glad you enjoyed it!
Really like this example and the breakdown! Thanks for making the OWASP Top 10 a bit more available! :)
Thanks! Glad you are enjoying the videos...
Very good and simply explained!
glad you enjoyed it!
Really enjoyed this series so thanks for producing it. In this example, wouldn't the victim's system execute the attackers code and do a POST (including the session cookie) to the attackers server and not a GET?
Great question, Mark! In this case, the attacker would have set up his "evil.com" site to accept the GET request sent by the victim and would be looking for the parameter value in that GET request. Based on the way the attacker set up the malicious post on the vulnerable web application (the one that the victim visits), the GET request would include a parameter that has the victim's cookie value. The attacker could then take the site cookie and start down the path of more nefarious actions. For more on GET requests that include parameters, here's a good thread to look at: stackoverflow.com/questions/514892/how-to-make-an-http-get-request-with-parameters
I hope this helps...thanks!
@@devcentral I was also thinking same. Thanks for clarifying.
REALLY awesome video, thanks so much!
Glad you enjoyed it!
It seems Web Application Firewall is solution to most of the OWASP 10 problems.
thank you very useful and clear but still didn't hear you talking about input validation in the video witch is one of method of mitigation
Good video full of clarity on the topic
glad you enjoyed it!
Amazingg..your way of explaining things❤ loved it..nice video..
Glad you enjoyed it!
Thanks a lot you cleared my concept of cross site scripting !!!
glad you enjoyed it!
Why don't you split the Webapp in two: server and froendend (client)?
thanks
@10:52 - How can a firewall around Web app can prevent XSS, as the script is posted in an input field, right?
So, How can a firewall check what an attacker is entering into the fields like username, password , etc.??
Thanks for the great questions! When you put a Web Application Firewall (WAF) in front of your web application, then all requests to the web application have to pass through the WAF before they get to the application itself. The WAF will learn all about your web application and know what parameters are used, what fields are used, what URLs are used, what file types are allowed/disallowed, etc. So, when a user sends a XSS attack to an input field of the web application, the WAF will know that the request is destined for the input field on the web app, and it will check the request against a variety of signatures, etc to determine if that particular request is malicious or not. If the WAF determines that the request is malicious (i.e. it detects stuff like xyz123) then it will block the request. Hope this helps!
@@devcentral thank you very much
Please explain types is xss attacks.
Thanks for the comment! The example I gave in the video is a stored/persistent XSS example. here's a great article that outlines all the different types and gives some good examples as well: portswigger.net/web-security/cross-site-scripting
This sure sounded like CSRF vulnerability. Remote XSS == CSRF ?
Salute !!!
Glad you enjoyed it!
Thanks man!
glad you enjoyed it!
What tool you use to make these kind of videos?
You seem to write in your right hand, but...
Please answer.
They have a pane of glass between him and the camera, he writes naturally but the video is flipped vertically.
Its a very nice video, Thanks.
Whatever the example you mentioned in the video is related to a type of XSS i.e, Stored/Persistent XSS.
Similarly can you explain about other types of XSS like Reflected, Blind and DOM Based XSS attacks?
great question! the example I gave in the video is a stored/persistent XSS example. here's a great article that outlines all the different types and gives some good examples as well: portswigger.net/web-security/cross-site-scripting
if the words he's writing are not laterally inverted,means he is right-handed?
Thanks!
subscribed liked and shared.......
glad you enjoyed it!
Amazing, thanks!
great job
glad you enjoyed it!
Is injection still number 1?
Yes it is: owasp.org/www-project-top-ten/
great job!
thanks...glad you enjoyed it!
What is different between Redirected XSS and CSRF?
Thank you sir...
glad you enjoyed it!
Hi, thank you for making Owasp video but there is not all the owasp top ten video only I found 5 to 6 Please make it all...
Hi tarun. Thanks for the comment. I am in the process of making all 10 videos, but I've only finalized 7 of them so far. Be sure to stay tuned to our channel as the remaining 3 will be published here as well.
okay & thanks, guys..........
FYI...we created a playlist on our channel that has the OWASP Top Ten videos. We haven't finished all the videos yet (March, 2018), but once they are all finished, the playlist will have them all. ruclips.net/video/rWHvp7rUka8/видео.html
is he writing reverse on glass?
Yep. I'm imprressed
thanks.. creative --- on glass board. ;)
glad you enjoyed it!
are you writing backwards or flipping the screen 😕
check out this video to show you how we do it: ruclips.net/video/U7E_L4wCPTc/видео.html
my question is what browser will sent the cookies of example.com to another site, evil.com ? is this posible ?
the bad runs in the context of example.com page. browser will give it all the cookies of that domain, right? It will then send them to evil.com. The script will send the cookies names and values... not the browser.
is instructor Wagnon writing backwards?
No, the video is horizontally flipped. And if you ask about the logo on the shirt, I assume it is specially printed in mirrored form for this kind of video
destroyWebsite();
lol...looks like the RUclips comments section has included secure coding practices!
Wait wait is he writing it in reverse?? 🤥 Someone please tell me there's some trick to it.
no, he flips the video after recording it
@@picklecrash So what about the logo on his shirt?
@@petervtzand sewn in reverse
Joshua Clougherty then wouldn’t one be backwards and the other not? Lmfao
@@petervtzand hehe. I thought the commenter was right when he said he flips the video after recording it but then you pointed out the logo on his shirt. Very astute!
What is post script
Hi Deepti...just wanted to get some clarification on what you are asking. What exactly are you referring to when you say "post script"? There's a post script in reference to printing, but I'm not sure if that's what you are talking about here. We are glad to help clarify, but need some more context around what you are referring to. Thanks!
Non script terminal back doors is the latest
Ex:
Are you drawing all of that backwards??? Lol
this is how we do these: ruclips.net/video/U7E_L4wCPTc/видео.html
Mobile browser the function character is %
Why do we need a victim
what is nutshell
Hi Suren. The phrase "in a nutshell" means to sum it up, or to say it concisely or briefly. I hope this helps...thanks!
The shell that holds a nut. Nutshell.
more videos pls
glad you enjoy these videos!
alert("hacked!");
Looks like the RUclips comment feature has been designed properly to handle this attack! :)
i appreciate your try
alert(1)
dang didnt work