Website Hacking Demos using Cross-Site Scripting (XSS) - it's just too easy!
Рет қаралды 315,473
Күн бұрынIt's just too easy to attack websites using Cross Site Scripting (XSS). The XSS Rat demonstrates XSS attacks. XSS Rat explains and demos cross-site scripting (xss) attacks.
// MENU //
00:00 ▶️ We are taking over the world!
00:16 ▶️ Introducing//XSS Rat//Wesley
01:28 ▶️ What is XSS/ Cross Site Scripting?
02:59 ▶️ Types of XSS
05:15 ▶️ Reflected XSS
06:22 ▶️ Example of data sanitization
07:35 ▶️ Circumventing filtering with the img tag
11:01 ▶️ Sending a Reflected XSS Attack to Someone
12:01 ▶️ Using HTML comments as an attack vector
13:49 ▶️ Using single quotes to break out of the input tag
15:14 ▶️ Don't use alert() to test for XSS
17:33 ▶️ What you can do with Reflected XSS
19:26 ▶️ Stored XSS
20:31 ▶️ Using comments for XSS
21:05 ▶️ Example #1 of Stored XSS on Twitter
21:42 ▶️ Example #2 of Stored XSS
22:12 -▶️ The answer to the ultimate question of life, the universe, and everything.
22:56 ▶️ Stored vs Reflected XSS
24:22 ▶️ AngularJS/Client Side Template Injection
25:06 ▶️ Don't use JavaScript?
26:09 ▶️ Where to learn more//XSS Survival Guide
27:04 ▶️ DOM Based XSS
29:36 ▶️ List of DOM sinks
30:12 ▶️ jQuery DOM sinks
32:15 ▶️ XSS Rat Live Training
33:00 ▶️ Support XSS Rat//Wesley
34:06 ▶️ Closing//Thanks, Wesley!
// Demo Sites //
hackxpert.com/labs
hackxpert.com/ratsite
// David's SOCIAL //
Discord: / discord
Twitter: / davidbombal
Instagram: / davidbombal
LinkedIn: / davidbombal
Facebook: / davidbombal.co
TikTok: / davidbombal
KZfaq: / davidbombal
// XSS Rat SOCIAL //
Twitter: / thexssrat
KZfaq: / thexssrat
Website: thexssrat.podia.com/
// XSS Rat's Udemy course //
XSS Survival Guide: www.udemy.com/course/xss-surv...
// XSS Rat's courses and bootcamps //
thexssrat.podia.com/
// MY STUFF //
www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
xss
cross site scripting
portswigger
ajax
jscript
javascript
xss attack
xss video tutorial
xss attack tutorial
xss explained
xss attack example
xss bug bounty
xss tutorial
xss vulnerability
xss vs csrf attack
xss example
xsser
xsssa facebook
xsssa
kali linux
penetration testing
ethical hacking
bug bounty
cross site scripting
cross-site scripting
red teaming
cyber security
kali linux install
kali linux 2022
ethical hacker course
ethical hacker
javascript
ajax
jquery
node js
node js hacking
portswigger
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
#xss #javascript #hacking
@davidbombal 2 жыл бұрын
// MENU // 00:00 ▶ We are taking over the world! 00:16 ▶ Introducing//XSS Rat//Wesley 01:28 ▶ What is XSS/ Cross Site Scripting? 02:59 ▶ Types of XSS 05:15 ▶ Reflected XSS 06:22 ▶ Example of data sanitization 07:35 ▶ Circumventing filtering with the img tag 11:01 ▶ Sending a Reflected XSS Attack to Someone 12:01 ▶ Using HTML comments as an attack vector 13:49 ▶ Using single quotes to break out of the input tag 15:14 ▶ Don't use alert() to test for XSS 17:33 ▶ What you can do with Reflected XSS 19:26 ▶ Stored XSS 20:31 ▶ Using comments for XSS 21:05 ▶ Example #1 of Stored XSS on Twitter 21:42 ▶ Example #2 of Stored XSS 22:12 -▶ The answer to the ultimate question of life, the universe, and everything. 22:56 ▶ Stored vs Reflected XSS 24:22 ▶ AngularJS/Client Side Template Injection 25:06 ▶ Don't use JavaScript? 26:09 ▶ Where to learn more//XSS Survival Guide 27:04 ▶ DOM Based XSS 29:36 ▶ List of DOM sinks 30:12 ▶ jQuery DOM sinks 32:15 ▶ XSS Rat Live Training 33:00 ▶ Support XSS Rat//Wesley 34:06 ▶ Closing//Thanks, Wesley! // Demo Sites // hackxpert.com/labs hackxpert.com/ratsite // David's SOCIAL // Discord: discord.com/invite/usKSyzb Twitter: twitter.com/davidbombal Instagram: instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal KZfaq: kzfaq.info // XSS Rat SOCIAL // Twitter: twitter.com/theXSSrat KZfaq: kzfaq.info Website: thexssrat.podia.com/ // XSS Rat's Udemy course // XSS Survival Guide: www.udemy.com/course/xss-survival-guide/ // XSS Rat's courses and bootcamps // thexssrat.podia.com/ // MY STUFF // www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
@cryptocause9285 2 жыл бұрын
Thanks! Love your Instagram posts
@HybridMonster19 2 жыл бұрын
@@CodeWithJoe please elaborate
@faran4536 2 жыл бұрын
Wow David you're collaborating with awesome people ♥️♥️.. here you dropped this king 👑
@davidbombal 2 жыл бұрын
Thank you Faran!
@MisterK-YT 2 жыл бұрын
That’s mine bruh.
@ffgangbd4984 2 жыл бұрын
@@MisterK-YT 😂
@jpierce2l33t 2 жыл бұрын
LOL David I just started following the XSS Rat not long ago! Either you're in my head, or I'm on the right track...'cause this just keeps happening! 🤣 Love that you're helping expose these gems of our community to the masses...great stuff man!
@juliusrowe9374 2 жыл бұрын
Once again great vlog David! Your channel is so awesome, you always have a great wealth of knowledge from all the guest that appear on the channel. I'm very appreciative of learning new things every time I tune in.
@bloudengaming8736 2 жыл бұрын
Your videos are also so informative and entertaining! Thanks David!
@davidbombal 2 жыл бұрын
Thank you! Glad you like them!
@bertrandfossung1216 2 жыл бұрын
David you’re just the best. Keep pouring these contents . I’m really having fun .
@aramv898 2 жыл бұрын
As a developer this is pretty useful. Thanks for the great value David
@rajmaharjan9828 2 жыл бұрын
This channel is on fire! Loving these videos David!
@youssefbouchara1179 2 жыл бұрын
Best content creator in the field Cybersecurity by far, informative and entertaining!
@fredrickawinyo 2 жыл бұрын
Damn!!! Loving these talks; learning so much and it's all thanks to you David, thanks 👍🏽
@DF-ss5ep 2 жыл бұрын
Tutorials on the net about this stuff are so confusing. Sometimes they appear to contradict one another. It's no wonder they have mistakes. Good video
@TheRich464 2 жыл бұрын
Amazing video, questions and demo very well done. I always find it amazing how you can look at one thing differently and your in. *looking at the wall with security guard checking ID’s. Wall is only 3 feet wide. Just walk around. I’m excited to see how I will look at my own code differently. Thanks again!
@davidbombal 2 жыл бұрын
Thank you! Glad it was helpful!
@charlesmarseille123 Жыл бұрын
He is ridiculously clear in his explanations. Beautiful.
@Uranium-bh7kt Жыл бұрын
Bro i learned so much from this guy, videos like this are terrific, please do as many as you can. Wish you the best!
@sexyeur 2 жыл бұрын
WOW! Wesley is so awesome! Thank you so much, David Bombal!!! All love. Always.
@noi.d609 2 жыл бұрын
Third time watching through. I will be signing up for the boot camp thank you for this.
@edmorris4720 2 жыл бұрын
great work david, nice questions!!
@premiumwaale9728 2 жыл бұрын
Thanks for providing me some supercool testing scenarios David..Love u 3000 man❤️..👍😀
@_taconator 2 жыл бұрын
Great video! thanks for the awesome content David
@jamesblock8384 2 жыл бұрын
Dang.... you know I've used templating frameworks for so long like handlebars, angular and most recently Vue. I never considered the possibility of script being injected through these templating engines but it makes perfect sense now that I've seen it.
@wojciechneugebauer5926 2 жыл бұрын
Awesome content as always! Wesley seems pro and really nice guy!
@TheXSSrat 2 жыл бұрын
Thank you friend :D
@katok9938 2 жыл бұрын
@@TheXSSrat you're cool man!
@user-on6zh1zx5y 3 ай бұрын
graet video, your guest seems to be a nice instructor, easy to understand him as well
@Cyber_AR15 2 жыл бұрын
Wow, there is so much to learn. That was a really good informative video.
@rizekishimaro 2 жыл бұрын
A Gold Tutorial Video For Me I was Learned SQLI but Still Confused XSS this Video help me alot.Nice David.From Burma
@Bharath-wb8uy 2 жыл бұрын
Thank you buddy all things you do to the community if not for you people like me coming from poor backgrounds would have faced a lot of difficulty to break into cyber security
@ptyspawnbinbash 2 жыл бұрын
As always, amazing content!
@Arayankodesouth 2 жыл бұрын
Hi David, It would be great if these type of videos include 'how to prevent being a victim of these types of attacks'.
@skeptisch2751 2 жыл бұрын
I saw wesley for the first time in an interview with nahamsec. I immediately subscribed to his Chanel and watched his amazing videos 👍 java script is for me as network guy a little bit complicated but I learned the basics of reflect attack and found some vulnerability (I reported them ). Thank you David and wesley for this amazing video! ✌
@davidbombal 2 жыл бұрын
Congratulations! That is fantastic :)
@Angel_Santiago27 Жыл бұрын
Very nice video, I really loved it! I think I just found my new path in the IT world.
@timvw01 2 жыл бұрын
Great video! Can you do a video on webassembly safety? Its an exiting new tech, and probably has some security pitfalls. For example, webassembly cannot run when you have csp headers. Cheers
@adityaroy7196 2 жыл бұрын
YOU CONTINUE TO BEING THE BEST
@thevotrozz 2 жыл бұрын
Thanks David, I finally understood Cross Site Scripting
@Nunn_the_wiser 2 жыл бұрын
What a really likable guy and great teaching methods. I've signed up on Udemy
@ClassicRiki 10 ай бұрын
Yeah he does seem nice. You can tell he really loves it but is up for a laugh as well
@alanwilson7792 2 жыл бұрын
In addition to complex scripting, bad actors could also, for example, add unwanted images to your sites via the anchor tag - one method to screen out all offending tags in user content is to replace "
@alfatech8604 2 жыл бұрын
this xssrat guy is a demon at bypassing wow just wow lol pls a video on javascript for hackers would be great
@TheXSSrat 2 жыл бұрын
Thank you dear friend :D
@vincentkadevra 2 жыл бұрын
Thank you so much, i just upgraded the security of my project :3
@Alain9-1 2 жыл бұрын
That's the kind of videos we love, great 🎩
@alooy 2 жыл бұрын
This was very information ! Such topics should be taught in college , not only how to write code .
@TheXSSrat 2 жыл бұрын
The thing is, I think it really helps to know JS before beginning XSS :D
@wardellcastles Жыл бұрын
What a great video. I will sign up for the Udemy course. Thank you!
@gueroloco8687 2 жыл бұрын
Interesting David thanks so much to the guy doing the teaching!!!!
@verenuspulo Жыл бұрын
Thanks! Another wonderfully didactic video!
@MSPHOTOGRAPHY-ep8by 2 жыл бұрын
Now I understand how it works thanks David ❤
@afzalmahmud1974 Жыл бұрын
Glad I know some basic of XSS security to handle as a developer. How foolish I am? . Thank you for your effort sir. Thanks a loot ❤️
@Smiley-pc7ki 2 жыл бұрын
You deserve this 🍪 ( cookie represent appreciation in modder's world).
@parexcellence8222 2 жыл бұрын
Got scared I actually bought Wesley's Udemy course right away. David continue inviting good people to your channel. I have promised to watch your videos instead of the Ukraine war news. Gives me more knowledge.
@TheXSSrat 2 жыл бұрын
Much love friend :D
@parexcellence8222 2 жыл бұрын
@@TheXSSrat I actually went to your youtube channel and subscriber there too. XSS is popular and I never understood how they were done. How you present your examples are very simple that it is very easy to understand. I see that you have the talent to teach. Thank you.
@maumotec2345 2 жыл бұрын
Amazing content :) Thank you both for it
@edmorris4720 2 жыл бұрын
with reflected xxs can a attacker make a vulnerable website on purpose and host it them selfs then make a url that downloads somthing?
@trap7369 2 жыл бұрын
amazing, he realy dominates the XSS technique
@sw-code6027 2 жыл бұрын
alert() 🙃😂
@davidbombal 2 жыл бұрын
Hopefully that doesn't work as KZfaq is better than Twitter!! 😂
@sw-code6027 2 жыл бұрын
@@davidbombal One day we will find vulnerability in KZfaq and tell that "Look here's a bug" 😂 I hope we will do it one day 😂
@comeycallate9959 2 жыл бұрын
@@davidbombal and also doesn't work to all because there are a lot of comments in this video
@LearnAlongFaizan 2 жыл бұрын
Video is great, plz make further video's on these topics
@ParameshChockalingam 2 жыл бұрын
So Content security policy and access control headers should be good enough protection right ?
@z3jlewhhda376 2 жыл бұрын
You are creating amazing content!!
@user-rc6eu4jm4d 9 ай бұрын
(bro, I have a very important question for me, if you have the opportunity, please answer me, because I worry about my account every day) what should I do if I crossed a site with an XSS attack?
@CharlesBLim 2 жыл бұрын
This is the reason why If you want to be a good hacker you really need to know or understand web development.
@orbitxyz7867 2 жыл бұрын
Your regular viewer orbit xyz😉😉
@leschi4banane414 Жыл бұрын
Hey, guys, I know I am kind of late, but I have a question. How can I load and run an external JavaScript onerror? (I thought I could maybe inject beef this way!)
@SecurityTalent 2 жыл бұрын
I am buy your wireshark course.... totally Pro level course ....so so Thank you bro....
@davidbombal 2 жыл бұрын
Thank you for your support!
@gregoryjones4539 2 жыл бұрын
Keep the great content coming
@davidbombal 2 жыл бұрын
Thank you! Trying to bring the best content I can to KZfaq :)
@gregoryjones4539 2 жыл бұрын
@@davidbombal i like learning but am very adhd and most of the time i have no problem paying attention to your content i love your mind set poster that fish is going places lol
@TheXSSrat 2 жыл бұрын
@@gregoryjones4539 I also have ADHD :) Here's an idea friend, can you watch it in parts? I try to chop everything down into pieces and take those one at a time
@pollyolly851 2 жыл бұрын
I want to see the source code of the sample website. Where can I see the sample source code?
@Konvicted17 Жыл бұрын
Great INFO, Cheers !
@lexkenn Жыл бұрын
Awesome vid! 💯
@Firoz900 2 жыл бұрын
Good program guru. Thank you.
@maanzero6245 2 жыл бұрын
Thank you so much for your big efforts ❤
@headlights-go-up 2 жыл бұрын
This is really interesting stuff
@MichaelVanDelft 2 жыл бұрын
Keep up the great videos.
@davidbombal 2 жыл бұрын
Thank you Michael!
@user-of4sg8tv2d 2 жыл бұрын
can this not be solved by using .textContent instead of .innerHTML to display content on the page, or even convert the input to a string?
@smeezy845 2 жыл бұрын
If you would obfuscate your JavaScript then it would technically bypass the code that removes "Script"??
@ahmedyt5998 2 жыл бұрын
Hey David can you make a video for the reverse Engireering apktool,and i thank you for all your course
@osiris5449 2 жыл бұрын
no matter what I do, my internet on my computer and my cellphone, even using my data and turning wifi off (my identity was sold on the dark web); its like someones flooding me out of my connection. what do i do?
@dankmemes2667 10 ай бұрын
Hi! Im trying to bypass a filter on a webpage that only accepts some limited alphanumeric 11 character strings. What could be the easiest ways to do that? Is it even possible?
@agadaFrancisLouis 2 жыл бұрын
If i were a President and i had a country, I'd have given you a state to govern. Just my way of saying thank you, Mr. David🇳🇬❤❤❤
@parshantkumar2455 2 жыл бұрын
Hello David sir , I love your videos very much , but sir can you start podcast on spotify and put the conversations with people on Spotify
@justinboss4131 2 жыл бұрын
Great video…. Thanks
@noname5046 2 жыл бұрын
Nice guest 👍
@Yucifer_97 2 жыл бұрын
Can you talk about browser fingerprint?
@morganjones4281 4 ай бұрын
Can jQuery do a lot more than Javascript? Isn't jQuery mostly just prepackaged javascript functions? Kind of like a templating engine but for queries?
@Cooliofamily Жыл бұрын
At around 10 minutes, isn’t this attack just a cross site request forgery/CSRF?
@Alireza52341 5 ай бұрын
You know..i didnt understand a thing What can we do with it? I mean i wanna access the terminal of a website host(to run node.js)can i do this?
@nuke7462 2 жыл бұрын
2:30 can be easily fixed by wrapping all open entry areas covered in [url]
@DRKSPAD3 2 жыл бұрын
Awesome video
@captainkatz1775 2 жыл бұрын
Didn't know rats were that smart, time to build an army
@davidbombal 2 жыл бұрын
XSS Rat is already doing this 😂
@gregoryjones4539 2 жыл бұрын
They did that in wanted yo
@mtthsgrr 26 күн бұрын
okay, I got it, but if I steal a cookie session, isn't that MY cookie? How does one knows whom cookie it is?
@alisenjary 2 жыл бұрын
All time the best 😊
@davidbombal 2 жыл бұрын
XSS Rat is great!
@AnnyMus-rc2zh Жыл бұрын
take a drink every time he says cross site scripting ahah
@anonymoususer1007 2 жыл бұрын
So recently, I had my bank account hacked and someone stole $2500 from my savings (surprisingly, they didn't wipe me out)- any idea as to why they didn't steal all of it? I'm thinking this is how my bank is hacked because the bank itself said, "at least once a day, someone comes into our branch and says, 'I've been hacked.'" Thankfully, they're FDIC insured and I love my bank/trust it, but I'm curious if this is how they might've stole/transferred money. I have info from them and IP address if someone could help me out. He/She accessed other accounts too, but who knows if it's really that person because they could have a "pool" of IP addresses, but definitely have one.
@tungphaminh6767 2 жыл бұрын
I heard about an attack where hacker send an image via gmail or fb and they were able to get my token at that time. Is it true that can tell me how hackers created it and how to prevent it?
@landrover827 2 жыл бұрын
Wow! I had no idea… scary.
@neverendingcoralmaze Жыл бұрын
Amazing vid!
@onlinewebsites3476 2 жыл бұрын
Sir please make video on web3 and blockchain .
@babashehumodu1463 Жыл бұрын
Thank you very much sir David
@ImAnonymous433 2 жыл бұрын
thats the reason F5 made the Web application firewall ... thats helps to protect from xss and many more attacks
@ImagineIfNot 2 жыл бұрын
thankuuuuuu thanku thankuuuuuuuuuuuuuuuuuuuuuuu luv you
@youtubvancy8929 2 жыл бұрын
Hi David, please bring Dr, chuck once again, thankyou.
@davidbombal 2 жыл бұрын
Hopefully soon. What topics you want him to talk about?
@youtubvancy8929 2 жыл бұрын
@@davidbombal its hard to choose topics, maybe more on other languages (go, etc). Mobile app development (swift, kotlin). Windows native apps (c#, pyqt), Programming + linux + networking skills, anything which involves programming, thanks.
@mashhood7534 2 жыл бұрын
Thanks ❤️ means a lot
@davidbombal 2 жыл бұрын
You're most welcome 😊
@zainvillager990 2 жыл бұрын
can someone tell me the name of david's intro music name
@sergioeduard4422 2 жыл бұрын
Great video 🖤
@albax8847 2 жыл бұрын
You are the best !!
@davidbombal 2 жыл бұрын
You are very kind 😀There are many amazing people out there 😀
@O2C69 2 жыл бұрын
for any script to execute on a local pc visiting the "infected site", if the user has no admin rights, can the script be executed to do its malicious activity or not?
@tigreonice2339 2 жыл бұрын
It can
@O2C69 2 жыл бұрын
@@tigreonice2339 just to confirm the script not requiring elevated privileges to do malicious activity?
@marekqx 2 жыл бұрын
If someone will count how many times guy said "Cross-Site Scripting" i will buy him hamburger.
@JontheRippa 2 жыл бұрын
Wow thank you, good labs 👍
What is Cross Site Scripting?| Cross Site Scripting Attack | Cross Site Scripting Tutorial | Edureka
edureka!
Рет қаралды 246 М.
Loi Liang Yang
Рет қаралды 25 М.
thehackerish
Рет қаралды 239 М.
Rozetked
Рет қаралды 599 М.
Blueberry Lutein
Рет қаралды 151 М.