"That's JavaScript code! I'm gonna run that!"
Gotta love the childlike enthusiasm of this personification of web browsers.
That's Javascript! I'm gonna run that!!! -Quote of the year.
now, should we keep that end graphic? :)
why in the world are you doing this in a hotel lobby?
There's a comment in a Javascript project I worked on that says:
[bunch of checks for user input]
//You know, if the users could just be more considerate
//I wouldn't have to do any of this.
The guy who found the Facebook vulnerability was actually rudely rejected by Facebook and got his well deserved money as donations!
I love Tom Scott's enthusiasm for this stuff!
*-html styling does not work in youtube comments. believe me-*
I love these videos because they explain how people have broken into webpages to re-write them, steal info, etc. You always hear how vulnerable stuff can be but never the specifics about how people get in.
Great videos as usual, Brady!
"Which is not entiiiirely legal under the computer misuse act, but no one pressed charges"
I didn't know he was such a rebel XD
*Apparently HTML Works in RUclips Comments, judging by the large amount of bold comments*
Can I put bootstrap into my comments to make them look pretty?
Another cool thing for input dropdowns, is changing the value of one of the s in the , and then submitting. Especially if the output does something with the value of the dropdown, for example with an age input where the output has control over the date format, it completely screws up. Example:
I change my birthday to "Cake Pie 1000BC". That will, on a lot of sites with profiles that use this dropdown system for birthdays, completely break the thing when it's trying to convert the month number for example to the month name, since there is no "Pie"th month in the year. It's quite harmless, unless the site actually displays the thing you entered in the input directly on the page, in which case you might indeed be able to insert a script tag.
PS: I've managed to cause my profile to completely break by doing this on a site once, after which it just gave me back an error 500. Great fun. I decided to change it back afterwards though. (keep in mind that if your birthday is loaded onto your settings page too, you might also get an error on the settings page, and you won't be able to change it back)
In a very dark place that wouldn't let us use a light! - it's the Renaissance Hotel at St Pancras, London >Sean
I love this guy's enthusiasm when explaining. Makes it more interesting.
I didn't understand a single word of what that guy just said but he's super engaging and the 8 minutes flew by.
Tom Scott is definitely my new favorite, especially considering all of Brady's other channels have slowed down. Tom is making a very good showing. Keep it up.
This man has a lot of energy and enthusiasm for this topic.
I would just like to thank whoever's idea it was to do the Audible promotion because audio books are expensive and getting a free one was a really nice gesture.
The ending doesn't have a dash because you are supposed to binge the next 20 computerphile videos after it...
XSS is even more dangerous when coupled with Cross-site Request Forgery (CSRF). A video on CSRF would probably be a nice follow-up to this.
"Cross site scripting is the number one vulnerability on the web today"
me watching in 2023: hmmmm, sounds legit...
2:35 I've never seen a JavaScript code that looks like "i+i=2", it looks more like an equation :D
Definitely the most ecstatic video you've done, really entertaining, whilst also quite educational.
So Wikipedia describes him as a comedian to which I agree, but... Does he have a Masters in computer science or a title alike? He's got an amazing skill to explain complex stuff!
Tom Scott is really good at explaining things and I LOVE the concepts he explains.
More from Mr. Scott? :3
This video just helped me notice an XSS vulnerability on one of my sites. Thank you. :|
I like the dark lighting. Makes it feel more laid back and down to earth :D
Tom explains this in 8 mins better than my Network security professor in an entire lecture
The content of this video is true, however, none of it is about cross-site scripting.
12 years later, I find this video, Tom Scott thanks for the information and your enthusiasm)
*bold*
_slant_
-strike-
*_-Magic-_*
Great video. I wish I had been taught at school by someone speaking passionately about their subjects like he does!
I like the darkness, it adds to the atmosphere, and (at least I can) still see everything just fine...
Client side filtering is a good idea because it can make it easier on the legitimate user. E.g. tell them the phone number is invalid before they hit submit, saving them time.
But client side prefiltering does not add any additional security. All inputs must be fully validated at the server. There is no guarantee that an attacker will be using a polite client that follows your prefiltering rules. An attacker can download the page and remove the rules.
He's so funny yet so informative. More of this guy!
Absolutely! I adore how he speaks so strongly about these things, his rhetorical skills are very well-developed and he's a joy to listen to.
I'm a BS Physics student (first year). I really want to learn more about Cyber Security. I want to shift, but I would waste my scholarship, so yeah, I'm watching your videos... Thank you!
Between the SQL holes video and this one, I sure am glad that Tom Scott is on our side.
wut wut
You're right that it's not on the server, but you can certainly use this technique to change things there: If I can have the site display my script within your browser session, I can take over your account. That means, deleting your inbox, transferring your money, etc. It all happens through the "front door" as far as the server knows, but it's being done through a hijacked session.
Ah yes, Bobby Tables. Definitely one of the more amusing tech jokes I've come across, still gets a good chuckle from me every time I read it. :)
It's worth mentioning (and possibly a future video topic) that even if your website's forms are supposedly "secure", anybody can make a form on their own site that submits to yours. No matter what, make sure ALL input processed by your website is properly escaped.
"Someone *at Netscape* comes along and invents JavaScript!"
Please, talk this guy into having his own channel, or make more videos with him, he is awesome!
I love this guy. He really seems to love what he's doing.
They are two different tags. b is for text that is supposed to be bold, but not for styling reasons. strong is for text that is supposed to be styled in a way that makes it more prominent than the rest of the text.
Tom “You should know this” Scott
I liked the little touch of you guys putting the / in the closing tag at the end of the show.
The passion and enthusiasm is great! More please :)
So how on earth could you use javascript to make a webpage send users info to your pc if it only affects you?
So if I typed *and closed it with* , youtube will make it bold?
Short answer is complexity. In some cases there are automatic filters, but it isn't always clear to each system which input is trusted and which isn't. MySQL, for example, doesn't know whether it's talking to an administrator sending handwritten commands, or the web app itself. Parts of your 'site' may include 3rd-party JavaScript pulled from advertisers, or analytics, or a database. There might be a WYSIWYG editor on your site that allows users to mark up their comments with HTML, etc...
The white balancing in this video confuses me.
Watching this in 2022 and this still feels so relevant.
Where did you even get dot matrix printer paper?
Actually, Brady doesn't need to end the computerphile logo with >/computerfile> because there are some html elements that do not use closing tags, like the meta, link, and input tags.
Omegle had that same problem for a bit when they introduced Spy Mode. They weren't sanitizing their question inputs, so for a while I would go around sticking JS in there that froze the computers of whoever got stuck with my question XD They fixed it in a few days, though.
That's probably more because it's more user-friendly. You can't control what the user sends to the server by using specific controls. As a visitor, you can actually change a page's appearance. For example, in Google Chrome, right click the RUclips search bar, go to element inspection, right click the highlighted line in the bottom section and add an attribute type="number". It will change into a number input. You can do something like this to a dropdown and make it a text input instead.
This is amazing! That guy should have more videos!
4:03 "Because myspace hadn't quite filtered javascript properly". Brilliant!
I don't understand how this could be dangerous. For example, anyone can click inspect element and type some text into their web browser and change a COPY of the page they're looking at; no one else will ever use that copy you have changed. In this same manner, how would me writing a script inside of my copy of a webpage affect someone else's copy?
+Curran Hyde If I understood the video correctly, it is when someone else visits your webpage that the script gets executed. If I make a website and add a script in the middle of its HTML, it will run when you or anyone else loads the page, thus enabling attacks. Again, that's at least how I understood it, could be wrong
+Curran Hyde It only becomes a problem for sites which allow users to post something which gets displayed to other users. Like this comment here (only that youtube is smart enough to filter out code). If you don't have a filter active that say... replaces "" with "
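The server-side validation and output escaping that the client-side-filtering comment, the birthday-dropdown comment and the last reply above all describe, as an added example that is not code from the video, the commenters or YouTube. The function names, the phone-number rule and the sample profile are assumptions made for illustration.

```javascript
// Added example (not the video's or the commenters' code). Function names,
// the phone rule and the sample profile below are assumed for illustration.

// Re-check on the server what the client-side filter already checked: the
// page can be edited or bypassed, so this is the check that actually counts.
function validatePhone(input) {
  // Constructed rule: optional leading '+', then 7 to 15 digits, nothing else.
  return /^\+?\d{7,15}$/.test(String(input));
}

// Dropdown values are untrusted too: a month of "Pie" must be refused here
// instead of reaching the month-name conversion and producing a 500.
function validateBirthday(day, month, year) {
  const d = Number(day), m = Number(month), y = Number(year);
  if (![d, m, y].every(Number.isInteger)) return null;   // "Pie", "1000BC" -> NaN
  if (m < 1 || m > 12 || y < 1900 || y > 2100) return null;
  if (d < 1 || d > new Date(y, m, 0).getDate()) return null; // days in month m
  return { day: d, month: m, year: y };
}

// Replace the five characters that can change HTML structure with entities,
// so stored user text is shown as text and is never parsed as markup or script.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escape at the point where untrusted data is put into the page, not earlier.
function renderProfile(profile) {
  return `<p class="name">${escapeHtml(profile.name)}</p>` +
         `<p class="birthday">${escapeHtml(profile.birthday)}</p>`;
}

// Constructed sample: a display name carrying markup and the odd birthday
// string from the comment above. Neither reaches the browser as markup.
const sample = { name: '<script>alert(1)</script>', birthday: 'Cake Pie 1000BC' };
const html = renderProfile(sample);
```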