this is something someone new to programming would fall for, i can see also self taught developers in their early days falling for this. as someone who learned programming this year i see myself doing some mistakes when i want to build something fast, which is the case for any freelancer who wants to deliver the project and doesn't have much experience. thanks for the video.
It’s requires extra effort to guard against this and usually we just want to focus on getting the functions to work so the problem persists even among veteran programmers
Thank you for sharing, I am studying this material in my ethical hacking class, and your explanation clarified some things for me about XSS. It makes more sense. I would like to work for IBM sometime.
These exist because of the hard drive cartels not releasing certain technology to the public, which kept storage prices high. It was cheaper to have multiple servers, which used XSS to connect them as a single website.
ok but how is that malicious code persisting on the server? shouldn't only apply for the hackers session? ie how has he modified the coder on the server to now include his code as part of the servers. your example would only happen once, to the attacker. this only makes sense if the xss is doing an sql injection into the server which will then serve it up for all future users
Damn I was late for class I'm interested in understanding how the industry is working to genuinely solve XSS (Cross-Site Scripting) attacks. Since trusted websites can sometimes be manipulated to execute an XSS attack, it raises an important question: How can end users know if a 'trusted service' has been compromised? While I understand that there are browser extensions aimed at detecting OWASP Top 10 vulnerabilities, I'm curious how effective they are in practice. Additionally, as a software engineer, I'm aware that methods like command injection can also exploit systems, and that attackers could theoretically use the browser API to bypass certain defenses. How does the industry address these challenges, and what are the best approaches for ensuring users' security when using trusted websites?
Great topic but the explanation is lacking of details. Show some examples of how to place malicious code in a comment on a forum with a guided instruction on how to construct malicious code that makes stuff execute with an intension of an attack when bringing up this topic. It would make difference for developers and why it is important to protect against this type of vulnerability.
The video is flipped in the horizontal axis. You can see his watch appears to be in his right hand but pretty sure he wore it on his left. Gives way for very intuitive explanation videos :)
So the Bottomline... NEVER... EVER... TRUST USER INPUT!!! As a web developer, your DEFAULT position should be... ALL USERS ARE EVIL!!! Stick to that... Along with copious amounts of paranoia!!! 😂 And the websites and apps that you build... Should be fine! 😊
that is in all honesty a terrible video...bcs it doesn't actually talk about ANYTHING really, feels like `let semantics = null` if u catch my drift... It doesn't even mention the 2 flavours of this attack, nor does it say what is it exactly that happens, that would result in a random user getting back trusted with mixed-in malicious code... This is akin to the annoying uprising of "the coding bootcamp" crap that "anybody can program" which is actually rather damaging to the industry as a whole, destroys the possibility to work with amazing engineers (ideally passionate about the topic not "just as a job") and ofc unnecessarily lowering payments for those that have actually have skills and passion for the craft... #analogy Instead of watching this, just read the OWASP wesbite on it and associated links...
@@Zbezt what exactly is it in that vid that is actually "delving" into? Except nothing... don't be rude just cuz meaningless vids satisfy your tiny brain...
this is something someone new to programming would fall for, i can see also self taught developers in their early days falling for this. as someone who learned programming this year i see myself doing some mistakes when i want to build something fast, which is the case for any freelancer who wants to deliver the project and doesn't have much experience. thanks for the video.
It’s requires extra effort to guard against this and usually we just want to focus on getting the functions to work so the problem persists even among veteran programmers
@jeffcrume indeed, thank you!
I love how he just used "validate" instead of "sanitize" which is not overwhelming to hear 🥰
Thank you for sharing, I am studying this material in my ethical hacking class, and your explanation clarified some things for me about XSS. It makes more sense. I would like to work for IBM sometime.
You are awesome sir.
You are very kind!
Thank you for adding English subtitles to make it easier for the AI to translate into Korean.
I hope I still make sense in Korean 😊
Good luck in coding script with Korean
These exist because of the hard drive cartels not releasing certain technology to the public, which kept storage prices high. It was cheaper to have multiple servers, which used XSS to connect them as a single website.
ok but how is that malicious code persisting on the server? shouldn't only apply for the hackers session? ie how has he modified the coder on the server to now include his code as part of the servers. your example would only happen once, to the attacker. this only makes sense if the xss is doing an sql injection into the server which will then serve it up for all future users
In the example I cited, the code is injected into the comment section. It will persist until the comment is deleted
Damn I was late for class
I'm interested in understanding how the industry is working to genuinely solve XSS (Cross-Site Scripting) attacks. Since trusted websites can sometimes be manipulated to execute an XSS attack, it raises an important question: How can end users know if a 'trusted service' has been compromised?
While I understand that there are browser extensions aimed at detecting OWASP Top 10 vulnerabilities, I'm curious how effective they are in practice. Additionally, as a software engineer, I'm aware that methods like command injection can also exploit systems, and that attackers could theoretically use the browser API to bypass certain defenses. How does the industry address these challenges, and what are the best approaches for ensuring users' security when using trusted websites?
This is mostly a problem for the web site owners to solve. If it were easy to do, it would have been done years ago. Unfortunately, it persists
Browser isolation
@@jeffcrume This is interesting. Thank you.
@@seansingh4421 Please explain
Great topic but the explanation is lacking of details. Show some examples of how to place malicious code in a comment on a forum with a guided instruction on how to construct malicious code that makes stuff execute with an intension of an attack when bringing up this topic. It would make difference for developers and why it is important to protect against this type of vulnerability.
I still remember the first time I read about this. It was a masterpiece. Absolutely genius!
I do too. I thought it was so convoluted that it would just go away. I was clearly wrong
great video like always
Thanks for saying so!
Great expalanation. Any recommendations for someone interested in getting into cybersecurity?
How is he able to write mirrored letters so quickly?
I think he writes normally.. it is mirrored for us in software
The video is flipped in the horizontal axis. You can see his watch appears to be in his right hand but pretty sure he wore it on his left. Gives way for very intuitive explanation videos :)
Ty u.
He’s been hijacking Amazon employees. He’s hijacking techs to edit and inject exploit code on EC2 and light sail
So the Bottomline...
NEVER... EVER... TRUST USER INPUT!!! As a web developer, your DEFAULT position should be... ALL USERS ARE EVIL!!! Stick to that... Along with copious amounts of paranoia!!! 😂 And the websites and apps that you build... Should be fine! 😊
Good point 😊
that is in all honesty a terrible video...bcs it doesn't actually talk about ANYTHING really, feels like `let semantics = null` if u catch my drift...
It doesn't even mention the 2 flavours of this attack, nor does it say what is it exactly that happens, that would result in a random user getting back trusted with mixed-in malicious code...
This is akin to the annoying uprising of "the coding bootcamp" crap that "anybody can program" which is actually rather damaging to the industry as a whole, destroys the possibility to work with amazing engineers (ideally passionate about the topic not "just as a job") and ofc unnecessarily lowering payments for those that have actually have skills and passion for the craft... #analogy
Instead of watching this, just read the OWASP wesbite on it and associated links...
It delves into cyberwarfare use your head
@@Zbezt what exactly is it in that vid that is actually "delving" into? Except nothing...
don't be rude just cuz meaningless vids satisfy your tiny brain...
You don't necessarily need to make the user interact with the XSS attack payload right? Can't it just run through the web browser loading the page?
If by “client” you mean the user, then yes.
@jeffcrume Yes thank you, changed it to say user instead.
I'm early
javascript was written in 7 days and was meant for a whole different purpose
👻🥸🤐👁️