Cross-Site Scripting Explained with Examples and How to Prevent XSS with Content Security Policy
Рет қаралды 56,249
Күн бұрынIn this video, I discuss XSS Cross-Site scripting attacks and how to prevent them.
0:00 Intro
2:40 XSS Stored Attacks
The injected script is stored permanently on the target servers. The victim then retrieves this malicious script from the server when the browser sends a request for data.
4:50 Reflected XSS Attacks
When a user is tricked into clicking a malicious link, submitting a specially crafted form, or browsing to a malicious site, the injected code travels to the vulnerable website. The Web server reflects the injected script back to the user's browser, such as in an error message, search result, or any other response that includes data sent to the server as part of the request. The browser executes the code because it assumes the response is from a "trusted" server which the user has already interacted with.
8:00 Source Code Explained
9:50 Prevent XSS Attacks with CSP
16:00 Prevent all scripts with CSP
Source Code
github.com/hnasr/javascript_p...
🏭 Backend Engineering Videos
• Backend Engineering (B...
💾 Database Engineering Videos
• Database Engineering
🛰 Network Engineering Videos
• Network Engineering
🏰 Load Balancing and Proxies Videos
• Proxies
🐘 Postgres Videos
• PostgresSQL
🚢Docker
• Docker
🧮 Programming Pattern Videos
• Programming Patterns
🛡 Web Security Videos
• Web Security
🦠 HTTP Videos
• HTTP
🐍 Python Videos
• Python by Example
🔆 Javascript Videos
• Javascript by Example
👾Discord Server / discord
Become a Member
/ @hnasr
Support me on PayPal
bit.ly/33ENps4
Become a Patreon
/ hnasr
Stay Awesome,
Hussein
@galfrasian 4 жыл бұрын
Love your spirit man. You keep regularly updating your videos. Great job.
@hnasr 4 жыл бұрын
Saumya yadav ❤️
@DennisIvy 3 жыл бұрын
Great video Hussein!
@asderex 4 жыл бұрын
Great video Hussein. I’ve heard of XSS but never had them explained so clearly. Would love to see more security related videos if the inspiration hits you! This has become my favourite back end channel - thanks for your effort making these.
@hnasr 4 жыл бұрын
Thanks for the encouragement ❤️ well sure keep them coming whenever Inspiration hits. I put all my security related videos on this playlist. Check it out kzfaq.info/sun/PLQnljOFTspQU3YDMRSMvzflh_qXoz9zfv
@TheMessanger 2 жыл бұрын
@@hnasr Wao I just saw the playlist this is overwhelming!
@NishaJakhar26 3 жыл бұрын
Oooooo Mama......... :D Your Accent/tone/speech/words/humor is just perfect. Thank you that i found you.
@hnasr 3 жыл бұрын
Oh thank you!
@user-mb9vk8vq8w 7 ай бұрын
0:34 😂😅
@dean6046 4 жыл бұрын
Thanks man! You've been shooting out amazing content lately like multiple times a week! Keep up the good work
@hnasr 4 жыл бұрын
Constantine thanks whenever I feel inspired I put some content out before the inspiration dies. 😊 I love making videos
@dean6046 4 жыл бұрын
@@hnasr I appreciate the answer! I have to change my mindset about making content and use your philosophy. I make a lot of content but I just keep trying to perfect it so I never release anything publicly.
@hnasr 4 жыл бұрын
You should release your work! You have no idea who your work will help 🙏
@potaraju92 3 ай бұрын
Love your style of teaching, man, you are awesome.
@virendrabhati6685 3 жыл бұрын
Wow!! Very informative. I lean new things again in less time.... It will help me a lot to prevent outside to come in to my server scripts.
@urmur 2 жыл бұрын
this is so easily digestable! thank you
@jakealert1722 4 жыл бұрын
Another Hussein Nasser video woohoooo! Would be really awesome if you could make a video purely about CSP. How to set it up and what the best practices are :)
@subhajitshome2175 3 жыл бұрын
Thank you Naseer ! This is very helpful
@HayBeseret 3 жыл бұрын
FYI - its a "reflected" since your code is "reflecting" the search item on the return results page @2:24, thus executing the script.
@tech3425 Жыл бұрын
Mahn! Incredibly fun to watch! Love your content bro
@Wojmasz 4 жыл бұрын
Thank you very much and keep doing your job :)
@Lena-of7wd 2 жыл бұрын
Great explanation, thanks!
@paschalokafor9043 6 ай бұрын
I just subscribed. You are awesome bro. Thank you loads.
@mysticaltech 3 жыл бұрын
Awesome made it all clearer 🙏
@danielrocha5774 2 жыл бұрын
thanks for the nice explaining it was very enjoyable.
@usamatahseenulhaque9125 4 жыл бұрын
You are the best explainer
@CyberSecForce 2 жыл бұрын
We appreciate your efforts
@AssFaceNFT 2 жыл бұрын
Very helpful ser!! 🙏🌹❤
@tomytoon123 7 ай бұрын
I enjoy how this guy explain :)
@immanuel7619 2 жыл бұрын
It's very informative!
@ganeshk5471 Жыл бұрын
Hello Hussein after going through video , I realised that it was you . I have watched most of your content on the design
@rahul.r 4 жыл бұрын
Glad to see you actively adding more videos. Trying to watch as many as possible. Can we expect a video on tools like Prometheus and Grafana by any chance?
@hnasr 4 жыл бұрын
Rahul it is on my list of things to research.
@rahul.r 4 жыл бұрын
Hussein Nasser great to hear that!
@harshpatel9742 3 жыл бұрын
This is $$ Gold $$. Thank you so much. You earned a subscriber!
@hnasr 3 жыл бұрын
Awesome, thank you! :D
@sariksiddiqui6059 4 жыл бұрын
This is cool man.I was on facebook console doing all things and kept getting this CSP thing, glad you cleared it up.Need to see how to implement it in nginx when delivering static website
@hnasr 4 жыл бұрын
Siddiqui Sarik should be as simple as adding that header assuming your nginx is layer 7 reverse proxying
@norah5073 Жыл бұрын
I love your videos always you are the best on youtube Thank you so much for your effort and time
@ca7986 4 жыл бұрын
Please make more videos on web security and headers! ❤️
@taytot3283 3 жыл бұрын
This was incredibly helpful thank you! How does this work with the HTML tag "meta http-equiv="Content-Security-Policy" content="default-src 'self'"? Does this tag mean I don't have to include all the lines of JS shown in your video?
@TheMessanger 2 жыл бұрын
I hope he answers looks like you may be missing code
@anushahd673 3 жыл бұрын
It was helpful, thank you
@hnasr 3 жыл бұрын
Glad to hear that!
@sigmamoon7067 2 жыл бұрын
Awesome Demo thank's
@inderkantkhandelwaal3402 Жыл бұрын
Great Explanation
@umeshb8210 3 жыл бұрын
Thank you for a beautiful explanation sir. Actually interested in learning js btw found u on Udemy.
@hnasr 3 жыл бұрын
NO Oxygen thank you for your comments I hope you enjoy the content and welcome to the channel
@mayurpatil7356 3 жыл бұрын
Such powerful stuff...
@dmitry.gashko 3 жыл бұрын
4:55 In general stored xss is more dangerous than reflected one. First - there are no user action required to run a stored xss (when a reflected xss needs a link) and second - any stored xss can also be used as a reflected xss. I mean, I can make some xss on a page no one goes to, so stored xss is not so dangerous there, but I still can make a link to that page, like with reflected xss. But, what I was thinking about, is that stored xss is more dangerous on public pages but on private pages reflected xss is more dangerous . This is because stored xss on private pages in most cases is like self xss - you make that xss, and you can "hack" yourself, but with reflected xss on private pages you can send a link to, for example, profile settings, and it would be quite regular reflected xss. p.s. of course there's always an ability that admins can go to private pages, so, any stored/reflected xss is bad and no matter where it appeared.
@TheMessanger 2 жыл бұрын
I need a coder like you trying to login into a scam site. I got my login but I want full access!
@samueladewale2987 4 жыл бұрын
Thank you for this great video, as always. Learning a lot from them. (I am trying to build a resource server for my spring boot- anugular application. Please do you know any resource that will help or any free tool I can use. Thanks for your feedback.)
@ch94086 4 жыл бұрын
Of course you could have mentioned the real problem and solution in the js code, distinguishing text from HTML encoded text. (Easier with typescript 😜) But good demo of the csp header.
@mubin986 2 жыл бұрын
ও মামা। Amazing explanation!
@NeMoZz1000 3 жыл бұрын
شكرا جدا عالشرح الواضح
@hnasr 3 жыл бұрын
❤️❤️ العفو
@vishalksahoo3599 Жыл бұрын
Anybody know how to check if a given website has xss header enabled using pyhton.
@zaylo9273 3 жыл бұрын
if it is a dynamic website, is it okay to put the main homepage link in?
@debugmedia 4 жыл бұрын
"Oooo Mama" 😂 - Hussain 2020
@rajath1964 4 жыл бұрын
is XSS relevant to only public domain sites(twitter,facebook) or even licensed webapps(jira, enterprise git..etc) can undergo XSS?
@dmitry.gashko 3 жыл бұрын
XSS is relevant to WEB in general. So, no matter jira is, github, gitlab, youtube or amazon.
@azamatabdullaev4580 2 жыл бұрын
awesome
@thegreatkris24 9 ай бұрын
What websites let you just store things on them like that?
@myjava2844 3 жыл бұрын
hi hussein I need you help/info related to one issue We have in java code like below String hname = request.getRemoteName(); // this line is showing issue in Fortify scan can you help me how to validate the hname? I used with ESAPI input validator but it could not remediate it. Please help
@debugmedia 4 жыл бұрын
I don't know if u use instagram but there was this one account who posted an insta story, It said "Some text" and below was the profile picture of the person who was viewing that story. So if i opened the story then it would be my pic. But Instagram doesnt provide any API like KZfaq does even if it did , There isn't any place to embed it. I wonder how he did it cuz it was pretty cool
@leocarvalho8051 4 жыл бұрын
what account is that?
@rahuldora1587 3 жыл бұрын
I have also seen that one of my friend gave that link to view that status and there is a image placeholder where profile pic of the status viewer will be shown
@god_ofdestruction7355 2 жыл бұрын
Does xss protection header prevents DOM xss
@amarbalu109 3 жыл бұрын
Hi Hussain.Your content is awesome. Csp attributes get fails even though it has been configured correct url.can u help me out?
@natesh1 4 жыл бұрын
At 09:13 , you said we shoudnt write script inside inline script tag. But it wasn't clear why. Can u elaborate on it please.
@hnasr 4 жыл бұрын
Natesh M Bhat Because most cross side scripting attacks uses inline script injunction too. So the best approach is to block inline script and use CSP to only load it from a url. As i explained in the end
@sharadshinde9101 2 жыл бұрын
How to implement in struts
@Cdswjp 2 жыл бұрын
great
@FordExplorer-rm6ew 4 жыл бұрын
Been just kind of defeated. Haven't even been on a computer in a long time. I do like your vids though. Still picking up theories and concepts here and there
@hnasr 4 жыл бұрын
sry828 89 it takes time I feel the same sometimes too because of the amount of information out there. I find it helpful to know that this is a marathon not sprint and I just take things easy and only jump on things that interests me. That doesn’t always happen though like today I just spent the whole day relaxing, playing video games and grilling. No engineering 😅
@FordExplorer-rm6ew 4 жыл бұрын
@@hnasr thankgs for the encouragement. Noted and definitely appreciated Thx fren :) 👍
@hardikmistry1661 2 жыл бұрын
the edvotise was so greate "click here to Boost your CPU"🤣🤣🤣
@natesh1 4 жыл бұрын
Can u make a vid on modsecurity with Nginx
@ca7986 4 жыл бұрын
❤️
@earl_the_great 3 жыл бұрын
When your mom found out that you did something wrong and she stares at you like she about to end yo career: 3:26
@CandiceKhannaApps 2 жыл бұрын
Thank you for saying SHE and including us ✨ 🙌🏽 ✨ women hack & code too (:
@tigreytigrey8537 Жыл бұрын
Oh God STFU up with that dumb brainwashed crap.
@tigreytigrey8537 Жыл бұрын
Learn to be a damn adult already.
@semirberisha Жыл бұрын
So you mean that if we do use CSP XSS can't be injected, right ?
@hnasr Жыл бұрын
they can be injected, they just won’t be triggered if inline script is disabled
@semirberisha Жыл бұрын
@@hnasr I am not getting it. So the final answer is: It can't be hcaked, right ?
@stacyobiero 3 жыл бұрын
XSS babes!
@netman87 4 жыл бұрын
This + html ping to post form :)
@hunterone7072 3 жыл бұрын
joss
@taruncharan4262 2 жыл бұрын
alert("Mad")
@DevinJohw 2 ай бұрын
alert("Hello");
@kambalavijay6800 3 жыл бұрын
alert(test attack);
@beastern1807 3 жыл бұрын
Forgot the quotes for the string
@Adarsh-Shrivastava 6 ай бұрын
alert("XSS")
@Adarsh-Shrivastava 6 ай бұрын
This proves youtube comments os safe from XSS
What is Cross Site Scripting?| Cross Site Scripting Attack | Cross Site Scripting Tutorial | Edureka
edureka!
Рет қаралды 247 М.
Hussein Nasser
Рет қаралды 27 М.
Jan Goebel
Рет қаралды 39 М.
David Bombal
Рет қаралды 316 М.
Hussein Nasser
Рет қаралды 172 М.
Buy Smart┃Магазин ноутбуков
Рет қаралды 245 М.
Blueberry Lutein
Рет қаралды 285 М.