Cross-Site Scripting (XSS) Explained

This has truly been a lifesaver. My college professor told us to research this for a paper and gave us no source material whatsoever. Everywhere I look, the explanations are so technically written that it goes right over my head with my limited knowledge. (Usually, if I have to look up 3 terms before I finish the first paragraph, I'm out)
Thank you SOOOOOO much for describing this in detail without weighing it down with an excess of unnecessary jargon and high-level concepts.

00:50 SOP, the browser checks, blocks read and write 02:10 JS, access, DOM API, javascript injection technique, 03:21 basic classic example 05:35 reflected 05:54 stored 07:31 DOM XSS

dwangoAC of the custom Twitch chat XSS segment - thanks for including it! We had difficulty classifying it as well, and the realtime nature made it hard to say if it was truly stored XSS or not. The volunteer who wrote it learned valuable lessons that day.

I read so many explanations about XSS recently and yours is by far the best. Keep up the great work !

Upload more frequently! :)

This lesson was sooooo well done my dude! It was great, lots of specifics but not so complicated that everything flew right over my head. Thank you!

Absolutely loved this video! The intro video, your style of talking, those amazing blue and pink (I guess they are called pastel colors?) colors. It was really fun to watch this video and get a general knowledge about XSS. Keep this us, buddy! Definitely sub from me!

hey man , good to see you after a long time.. plan some frequent uploads ..

i do not leave comments often but.. my dude holy crap this was great. thank you. much more in depth and easy to understand compared to professor messer. loves the visuals. keep it up

The day has come
I finally got an xkcd reference :)

I gotta say bro, your content is helping me out a fugh-ton. I've been brushing up on my security since ive been interviewing for a few months and realized my understanding of some sec principles werent complete or in some cases simpler than i had originally thought. thanks!

Been struggling to wrap my head around what xss was exactly for a while, and this cleared up a lot of things. Thank you. :)

Dude! You vids are amazing. Very technical which is great and your graphical explanations leave no room for guessing! Love it! Keep these going!

You're the best online teacher that I ever had! Keep uploading more vulnerabilities pls, tomorrow I will try some xss challenge of your website, thank you for all your hard work

The fact that you didn't edit out the differentiation thingy just earned you a subscribe

What you do for the community is awesome man. Thanks for the game and the great videos

this is the first video ive watched of yours and I already love how you approach the over acrhing concept!

This has got to be the best UA-cam tutorial, HANDS DOWN. Lmao! Subscribed.

You are super funny man love how you have a good time while making the explanations. Underated and I wish you well in your future I will be subscribing and supporting!

Happy to see u back I missed u

Your videos are so awesome. You explain stuff in such an easily-digestable manner. Please make more :)

Came here from the deserialization vid. Awesome content, well done. +1 Sub.

Hello ! I finally understood XSS ! Thank you man ! You're the best! Keep those videos coming. #subscribed

This was the first video I saw from you but I have to say, I am really glad I’ve found this channel. Big subscribe and I hope that you will have a successful UA-cam carrier

Corrections on the same origin policy. You can "write" or "send" regardless of origin but the browser will hold onto any response that is coming from an untrusted origin.
This is the reason CSRF is not prevented by SOP.
This isn't hate mail btw, I love your videos and you helped me a ton in the past.
P.S. glad to see you're back!

Bruh! I don't know who you are, but I will find you and hug you! (maybe after covid) Your explanations has been spot on with the perfect amount of words and video. You should teach class at university that way students will actually get what they are supposed to be studying! Hats off to you good sir.

"Lets talk about SOP, so that were all on the same page" nailed it

Dude your video editing skills are next level. Keep up the good work!

Very helpful I keep learning, understanding, and then forgetting XSS. This time it stuck with me 👍

yo pwn function, i love your vids, please try to post more. i have watched all ur vids and learned a ton from each which I thought i wouldn't have so ur channel has been an all around big help. I love ur content so maybe just trying to post when u can will be great...

Huge respects bro! You have a great and unique way of teaching

Waiting for next video! You're making top content!

I wish I've found this channel way before, great content!❤️

Samy worm reference caught! Great video btw, very clear and useful

I love your video making style, it makes it fun to look at

Liked and subscribed! Thank you so much! This was really really well done and explained!
Edit: Was I subscriber nr 14.000?!

Can't believe more people haven't seen this, very well explained and at a very good pace.

Incredible video, I have been drinking allot of concepts from a water hose for my CySA+ and XSS for whatever reason was one I really struggled to conceptualize.

Top Notch explanation of a difficult topic. Loved the graphics and animation. Barvo!!

One of the best explanation for XSS. Thank you very much for this video and also for learning resource.

FINALLY! a great video on XSS! Thank you!

This should be at the top of my youtube search! I keep seeing random half assed videos on XSS.
But this kinda gold is down the list for some reason.

You are good at explaining.
If all your videos are going to be like this, consider you have a new subscriber .

that 'same page' joke is what got you a thumbs up.

thank you so much, a lot of websites and forums just say like: blah blah if you write blah blah blah in blah you will get blah blah blah. but now i get how it works

Realy a great content that you made~ I really like it & thank you for creating this.
I hope you'll make another content more frequent~

Great explanation. And that video of the streamer 100% go watch it everyone!! I am so thankful you put that link there for us, haven seen such an amazing video for a while xD

Thank you very much sir! you cleared all my doubts :) . Your way of presentation of topics is really really good! :D

Random tidbit: I had a phone interview with the guy who coined the term "XSS" (allegedly), he was absolutely obnoxious and made sure to let me know he came up with that term every 5 minutes.

I actually subscribe after the first few animations. Clean tutorial.

Excellent videos, amazing production value

Simple, entertaining, and engaging. Subbed. Teach me more. -Cyber Security student

Amazing explanation of XSS. Kudos mate

Concept

This was amazing! Thanks for the upload, currently exploring your channel :)

In my view, the biggest fundamental flaw of the same origin policy is the fact that it is purely a client side implementation.
Case and point: fork Chrome, turn the flag off you have a CORS-less browser. Why you'd want that when it would be a detriment to your own good is another question. But you can do it. You don't even need to change the code. As far as I know, there still exists a flag you can pass when launching Chrome (and other browsers) to turn it off.
And now we have "Local Overrides" in Chrome's dev tools. This is a wonderful tool that has helped me debug a number of issues in production, but it also is a wonderful asset to performing XSS attacks on sites you shouldn't have authority over.
It's also possible to manipulate the perception of who you're communicating with by modifying your local hosts file. Add break points to another site's scripts, pause execution at important points, retarget your domain to a local server you're serving assets from, revert hosts file, resume execution as desired.
I'm sure there's a number of brighter people than me here who have even better examples of how easy it is to circumvent the minimal protection that is there, so it leaves me wondering why we have an entire ecosystem of technology built around such shaky ground.
It seems to me that we should have implemented better security mechanisms for these sort of things in the actual protocol level. In the same way in which we introduced websockets by "upgrading" connections, it feels like more should be done in this area to mitigate the weak protection client-side CORS policies provide.

Hey man, great content as always. Please make more content like this :)

It's a perfect video! I finally understand everything. Thank you so much!!!!
By the way, the video fragment was so funny))

Samy is my hero....the classic myspace prank... loved the reference

GREAT video man, keep the content!

Please make more videos on different Web Vulnerability types , And maybe some more demos on them .
Love your channel ❤️

First time watching ur vid. Love the icon!

Thank you for getting us all on the same page ;)

Welcome mate , Please more videos

a webpage to practice xss with examples? i think i love you

Awesome explanation man! Hats off! 👌

Cleared my doubts Thanks bro ✌️

keep up the good work, very nice animation and super clear explanation thank you

Yo, I can confirm this vidoe is better than a QS top 100 uni lecture video, sorry professor :)

Dude your content is awesome omg! I guess what finally made me click was you saying that the name XSS is probably not the best one (stopped focusing on the name to realize it's just an injection technique :)

Thank you for your work! Amazing explanation!

My hero 👏👏👏

Pretty cool explainer video on XSS!

Lil Bobby tabels you forged his name to Bobby script!! Xoxo love from India... keep up the good work cheers

hahaha love the "Samy is my Hero!" blip thrown in there

This was so well done. By the way, what software do you use to do the drawing on your videos?

bro you just taught me what I wanted.
big fan 😊❤

Good quality content and thanks for explaining XSS

wow what a great video. I hope you will do a lot more videos like this!

Here before this channel blows up

Love the graphics and explanation 👌

my mind are blowing up. when seen the beginning of your video that mention my name. 😓😓😓

hey man please make videos more frequenty and put here for us to learn. I love your work man!!

u are great dude, happy i found u out

Dude you're awesome 👌
Your explanation and example is exactly what I was looking to properly understand
Thanks.
Do you have a video on XSRF also???

Thanks brooo. A little late onto security. But it was a great learning experience 🥳💐

Awesome video as always!

Awesome content! Keep doing it!

why this was not recommended to me

Great video man. Btw, how do you do these animations? IPad recodings?

What happen to you man!
Many of them are waiting for your video
You are such a awesome youtuber i saw earlier
im still waiting for the next video
When i saw your video at first time i didnt understand that much .then i watch many times and understand the concept of the vulnerability
i hope you upload your next video on november
You are literaly awesome
regards,surya

You have made my life easier. Thanks

Thank you for building that website!
And for this video

Wow its been long time, nice video

1:51 I don't know much about hacking,, i recently read about open redirect vulnerability,, Is it possible that SOP gives access to that if Open redirect vulnerability is there?

this guy has the coolest intro

Amazing video. Keep them coming

Damn this channel is so damn good!

I love that easter egg "Sammy is my hero"

God exists, ladies and gentlemen and his youtube channel's name is PwnFunction