2017 OWASP Top 10: Cross-Site Scripting (XSS)
Вставка
- Опубліковано 19 лют 2018
- New 2021 OWASP Lightboard Series:
• 2021 OWASP Top Ten
Video 7/10 on the 2017 OWASP Top Ten Security Risks.
John Wagnon discusses the details of the #7 vulnerability listed in this year's OWASP Top 10 Security Risks: Cross-Site Scripting. Learn about this security risk and how to keep your Web Applications safe!
community.f5.com/articles/lig... - Наука та технологія
Thank you so much, this is the most insightful introduction of XSS I have found on UA-cam.
glad you enjoyed it!
This video is amazing! I understood so much about XSS, Thank you!
glad you enjoyed it!
now i understand XSS thank you!
You're welcome...glad you enjoyed the video!
You guys are great. I can always be sure to see a quality video when clicking on F5 stuff.
Excellent video and exactly the right length. A topic like this needs a lengthy explanation to get one's head around it. Too many other vids try to sum it up in a few minutes only to leave the learner not really understanding what XSS is at the end of it.
glad you enjoyed it!
Really like this example and the breakdown! Thanks for making the OWASP Top 10 a bit more available! :)
Thanks! Glad you are enjoying the videos...
What a terrific video - very clear and concise - yet comprehensive and easy to understand!
Glad you enjoyed it!
@@devcentral❤
sexy videos dio
9:39
Though I found your presentation really neat and useful, I find it even 'neater' that you had logo on your shirt sewn backwards, to appear as it should once you mirror your video(s).
Kudos to you, good sir. I cant think of any other way you made this, unless you're actually writing mirrored which i highly doubt......
OgaDuby this guy..
Thank you! This is the best explanation I have ever seen!!!!!
appreciate the comment!
Thanks a lot you cleared my concept of cross site scripting !!!
glad you enjoyed it!
Very good and simply explained!
glad you enjoyed it!
Good video full of clarity on the topic
glad you enjoyed it!
REALLY awesome video, thanks so much!
Glad you enjoyed it!
Amazingg..your way of explaining things❤ loved it..nice video..
Glad you enjoyed it!
Amazing, thanks!
Thanks!
great job!
thanks...glad you enjoyed it!
Thank you
glad you enjoyed it!
thanks
Its a very nice video, Thanks.
Whatever the example you mentioned in the video is related to a type of XSS i.e, Stored/Persistent XSS.
Similarly can you explain about other types of XSS like Reflected, Blind and DOM Based XSS attacks?
great question! the example I gave in the video is a stored/persistent XSS example. here's a great article that outlines all the different types and gives some good examples as well: portswigger.net/web-security/cross-site-scripting
great job
glad you enjoyed it!
Thanks man!
glad you enjoyed it!
What is different between Redirected XSS and CSRF?
thank you very useful and clear but still didn't hear you talking about input validation in the video witch is one of method of mitigation
Why don't you split the Webapp in two: server and froendend (client)?
Thank you sir...
glad you enjoyed it!
Really enjoyed this series so thanks for producing it. In this example, wouldn't the victim's system execute the attackers code and do a POST (including the session cookie) to the attackers server and not a GET?
Great question, Mark! In this case, the attacker would have set up his "evil.com" site to accept the GET request sent by the victim and would be looking for the parameter value in that GET request. Based on the way the attacker set up the malicious post on the vulnerable web application (the one that the victim visits), the GET request would include a parameter that has the victim's cookie value. The attacker could then take the site cookie and start down the path of more nefarious actions. For more on GET requests that include parameters, here's a good thread to look at: stackoverflow.com/questions/514892/how-to-make-an-http-get-request-with-parameters
I hope this helps...thanks!
@@devcentral I was also thinking same. Thanks for clarifying.
@10:52 - How can a firewall around Web app can prevent XSS, as the script is posted in an input field, right?
So, How can a firewall check what an attacker is entering into the fields like username, password , etc.??
Thanks for the great questions! When you put a Web Application Firewall (WAF) in front of your web application, then all requests to the web application have to pass through the WAF before they get to the application itself. The WAF will learn all about your web application and know what parameters are used, what fields are used, what URLs are used, what file types are allowed/disallowed, etc. So, when a user sends a XSS attack to an input field of the web application, the WAF will know that the request is destined for the input field on the web app, and it will check the request against a variety of signatures, etc to determine if that particular request is malicious or not. If the WAF determines that the request is malicious (i.e. it detects stuff like xyz123) then it will block the request. Hope this helps!
@@devcentral thank you very much
its now 7 because they change marking criteria for OWASP top 10 its now calculated by risk not for a number of attacks. XSS is still most popular attack but its not that dangerous like others ;)
great info...thanks for the clarification!
That's great info, even I too had impression that rating based on popular not by risk...but YES that's sound sense too.
you can't say it's not dangerous. because attacker steal cookie with help of XSS. and phishing also very dangerous. attacker use help of phishing email sending xss alert script and shows pop message. that way steal victim confidential data. why don't think that's not dangerous
@@joshwaphilip9840 yes u are right, sorry for my English back then ;p
Salute !!!
Glad you enjoyed it!
What tool you use to make these kind of videos?
You seem to write in your right hand, but...
Please answer.
They have a pane of glass between him and the camera, he writes naturally but the video is flipped vertically.
Please explain types is xss attacks.
Thanks for the comment! The example I gave in the video is a stored/persistent XSS example. here's a great article that outlines all the different types and gives some good examples as well: portswigger.net/web-security/cross-site-scripting
Hi, thank you for making Owasp video but there is not all the owasp top ten video only I found 5 to 6 Please make it all...
Hi tarun. Thanks for the comment. I am in the process of making all 10 videos, but I've only finalized 7 of them so far. Be sure to stay tuned to our channel as the remaining 3 will be published here as well.
okay & thanks, guys..........
FYI...we created a playlist on our channel that has the OWASP Top Ten videos. We haven't finished all the videos yet (March, 2018), but once they are all finished, the playlist will have them all. ua-cam.com/video/rWHvp7rUka8/v-deo.html
subscribed liked and shared.......
glad you enjoyed it!
thanks.. creative --- on glass board. ;)
glad you enjoyed it!
Is injection still number 1?
Yes it is: owasp.org/www-project-top-ten/
if the words he's writing are not laterally inverted,means he is right-handed?
is he writing reverse on glass?
Yep. I'm imprressed
This sure sounded like CSRF vulnerability. Remote XSS == CSRF ?
my question is what browser will sent the cookies of example.com to another site, evil.com ? is this posible ?
the bad runs in the context of example.com page. browser will give it all the cookies of that domain, right? It will then send them to evil.com. The script will send the cookies names and values... not the browser.
It seems Web Application Firewall is solution to most of the OWASP 10 problems.
What is post script
Hi Deepti...just wanted to get some clarification on what you are asking. What exactly are you referring to when you say "post script"? There's a post script in reference to printing, but I'm not sure if that's what you are talking about here. We are glad to help clarify, but need some more context around what you are referring to. Thanks!
Mobile browser the function character is %
is instructor Wagnon writing backwards?
No, the video is horizontally flipped. And if you ask about the logo on the shirt, I assume it is specially printed in mirrored form for this kind of video
are you writing backwards or flipping the screen 😕
check out this video to show you how we do it: ua-cam.com/video/U7E_L4wCPTc/v-deo.html
what is nutshell
Hi Suren. The phrase "in a nutshell" means to sum it up, or to say it concisely or briefly. I hope this helps...thanks!
The shell that holds a nut. Nutshell.
more videos pls
glad you enjoy these videos!
alert("hacked!");
Looks like the UA-cam comment feature has been designed properly to handle this attack! :)
i appreciate your try
Wait wait is he writing it in reverse?? 🤥 Someone please tell me there's some trick to it.
no, he flips the video after recording it
@@picklecrash So what about the logo on his shirt?
@@petervtzand sewn in reverse
Joshua Clougherty then wouldn’t one be backwards and the other not? Lmfao
@@petervtzand hehe. I thought the commenter was right when he said he flips the video after recording it but then you pointed out the logo on his shirt. Very astute!
alert(1)
dang didnt work
Non script terminal back doors is the latest
Ex:
destroyWebsite();
lol...looks like the UA-cam comments section has included secure coding practices!
Are you drawing all of that backwards??? Lol
this is how we do these: ua-cam.com/video/U7E_L4wCPTc/v-deo.html
Why do we need a victim