Website Hacking Demos using Cross-Site Scripting (XSS) - it's just too easy!

// MENU //
00:00 ▶ We are taking over the world!
00:16 ▶ Introducing//XSS Rat//Wesley
01:28 ▶ What is XSS/ Cross Site Scripting?
02:59 ▶ Types of XSS
05:15 ▶ Reflected XSS
06:22 ▶ Example of data sanitization
07:35 ▶ Circumventing filtering with the img tag
11:01 ▶ Sending a Reflected XSS Attack to Someone
12:01 ▶ Using HTML comments as an attack vector
13:49 ▶ Using single quotes to break out of the input tag
15:14 ▶ Don't use alert() to test for XSS
17:33 ▶ What you can do with Reflected XSS
19:26 ▶ Stored XSS
20:31 ▶ Using comments for XSS
21:05 ▶ Example #1 of Stored XSS on Twitter
21:42 ▶ Example #2 of Stored XSS
22:12 -▶ The answer to the ultimate question of life, the universe, and everything.
22:56 ▶ Stored vs Reflected XSS
24:22 ▶ AngularJS/Client Side Template Injection
25:06 ▶ Don't use JavaScript?
26:09 ▶ Where to learn more//XSS Survival Guide
27:04 ▶ DOM Based XSS
29:36 ▶ List of DOM sinks
30:12 ▶ jQuery DOM sinks
32:15 ▶ XSS Rat Live Training
33:00 ▶ Support XSS Rat//Wesley
34:06 ▶ Closing//Thanks, Wesley!
// Demo Sites //
hackxpert.com/labs
hackxpert.com/ratsite
// David's SOCIAL //
Discord: discord.com/invite/usKSyzb
Twitter: twitter.com/davidbombal
Instagram: instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
UA-cam: ua-cam.com/users/davidbombal
// XSS Rat SOCIAL //
Twitter: twitter.com/theXSSrat
UA-cam: ua-cam.com/users/TheXSSrat
Website: thexssrat.podia.com/
// XSS Rat's Udemy course //
XSS Survival Guide: www.udemy.com/course/xss-survival-guide/
// XSS Rat's courses and bootcamps //
thexssrat.podia.com/
// MY STUFF //
www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!

Wow David you're collaborating with awesome people ♥️♥️.. here you dropped this king 👑

LOL David I just started following the XSS Rat not long ago! Either you're in my head, or I'm on the right track...'cause this just keeps happening! 🤣 Love that you're helping expose these gems of our community to the masses...great stuff man!

Once again great vlog David! Your channel is so awesome, you always have a great wealth of knowledge from all the guest that appear on the channel. I'm very appreciative of learning new things every time I tune in.

David you’re just the best. Keep pouring these contents . I’m really having fun .

Your videos are also so informative and entertaining! Thanks David!

As a developer this is pretty useful. Thanks for the great value David

This channel is on fire! Loving these videos David!

Best content creator in the field Cybersecurity by far, informative and entertaining!

He is ridiculously clear in his explanations. Beautiful.

Damn!!! Loving these talks; learning so much and it's all thanks to you David, thanks 👍🏽

Tutorials on the net about this stuff are so confusing. Sometimes they appear to contradict one another. It's no wonder they have mistakes. Good video

Bro i learned so much from this guy, videos like this are terrific, please do as many as you can. Wish you the best!

Amazing video, questions and demo very well done. I always find it amazing how you can look at one thing differently and your in. *looking at the wall with security guard checking ID’s. Wall is only 3 feet wide. Just walk around.
I’m excited to see how I will look at my own code differently.
Thanks again!

WOW! Wesley is so awesome! Thank you so much, David Bombal!!! All love. Always.

graet video, your guest seems to be a nice instructor, easy to understand him as well

Third time watching through. I will be signing up for the boot camp thank you for this.

Awesome content as always! Wesley seems pro and really nice guy!

Thank you buddy all things you do to the community if not for you people like me coming from poor backgrounds would have faced a lot of difficulty to break into cyber security

great work david, nice questions!!

As always, amazing content!

Great video! thanks for the awesome content David

Wow, there is so much to learn. That was a really good informative video.

Thanks for providing me some supercool testing scenarios David..Love u 3000 man❤️..👍😀

A Gold Tutorial Video For Me I was Learned SQLI but Still Confused XSS this Video help me alot.Nice David.From Burma

Dang.... you know I've used templating frameworks for so long like handlebars, angular and most recently Vue. I never considered the possibility of script being injected through these templating engines but it makes perfect sense now that I've seen it.

I saw wesley for the first time in an interview with nahamsec. I immediately subscribed to his Chanel and watched his amazing videos 👍 java script is for me as network guy a little bit complicated but I learned the basics of reflect attack and found some vulnerability (I reported them ). Thank you David and wesley for this amazing video! ✌

Very nice video, I really loved it! I think I just found my new path in the IT world.

YOU CONTINUE TO BEING THE BEST

this xssrat guy is a demon at bypassing wow just wow lol pls a video on javascript for hackers would be great

Thanks David, I finally understood Cross Site Scripting

That's the kind of videos we love, great 🎩

Thanks! Another wonderfully didactic video!

Thank you so much, i just upgraded the security of my project :3

Interesting David thanks so much to the guy doing the teaching!!!!

Hi David, It would be great if these type of videos include 'how to prevent being a victim of these types of attacks'.

Amazing content :) Thank you both for it

What a really likable guy and great teaching methods. I've signed up on Udemy

Got scared I actually bought Wesley's Udemy course right away. David continue inviting good people to your channel. I have promised to watch your videos instead of the Ukraine war news. Gives me more knowledge.

Now I understand how it works thanks David ❤

You are creating amazing content!!

You deserve this 🍪 ( cookie represent appreciation in modder's world).

What a great video. I will sign up for the Udemy course. Thank you!

This was very information !
Such topics should be taught in college , not only how to write code .

Great video! Can you do a video on webassembly safety? Its an exiting new tech, and probably has some security pitfalls. For example, webassembly cannot run when you have csp headers. Cheers

Glad I know some basic of XSS security to handle as a developer. How foolish I am? . Thank you for your effort sir. Thanks a loot ❤️

alert() 🙃😂

Awesome vid! 💯

amazing, he realy dominates the XSS technique

Keep the great content coming

In addition to complex scripting, bad actors could also, for example, add unwanted images to your sites via the anchor tag - one method to screen out all offending tags in user content is to replace "

Your regular viewer orbit xyz😉😉

Video is great, plz make further video's on these topics

with reflected xxs can a attacker make a vulnerable website on purpose and host it them selfs then make a url that downloads somthing?

Great INFO, Cheers !

This is the reason why If you want to be a good hacker you really need to know or understand web development.

Thank you so much for your big efforts ❤

I am buy your wireshark course.... totally Pro level course ....so so Thank you bro....

Keep up the great videos.

So Content security policy and access control headers should be good enough protection right ?

Awesome video

This is really interesting stuff

Amazing vid!

Good program guru. Thank you.

Great video 🖤

If i were a President and i had a country, I'd have given you a state to govern. Just my way of saying thank you, Mr. David🇳🇬❤❤❤

can this not be solved by using .textContent instead of .innerHTML to display content on the page, or even convert the input to a string?

All time the best 😊

(bro, I have a very important question for me, if you have the opportunity, please answer me, because I worry about my account every day) what should I do if I crossed a site with an XSS attack?

Great video…. Thanks

Hey, guys, I know I am kind of late, but I have a question. How can I load and run an external JavaScript onerror? (I thought I could maybe inject beef this way!)

Love this guy!

If you would obfuscate your JavaScript then it would technically bypass the code that removes "Script"??

Nice guest 👍

You are the best !!

Didn't know rats were that smart, time to build an army

thankuuuuuu thanku thankuuuuuuuuuuuuuuuuuuuuuuu luv you

for any script to execute on a local pc visiting the "infected site", if the user has no admin rights, can the script be executed to do its malicious activity or not?

Sooooooo informational, me like 👍

Hi! Im trying to bypass a filter on a webpage that only accepts some limited alphanumeric 11 character strings. What could be the easiest ways to do that? Is it even possible?

So recently, I had my bank account hacked and someone stole $2500 from my savings (surprisingly, they didn't wipe me out)- any idea as to why they didn't steal all of it? I'm thinking this is how my bank is hacked because the bank itself said, "at least once a day, someone comes into our branch and says, 'I've been hacked.'" Thankfully, they're FDIC insured and I love my bank/trust it, but I'm curious if this is how they might've stole/transferred money. I have info from them and IP address if someone could help me out. He/She accessed other accounts too, but who knows if it's really that person because they could have a "pool" of IP addresses, but definitely have one.

thanks for this video!!

no matter what I do, my internet on my computer and my cellphone, even using my data and turning wifi off (my identity was sold on the dark web); its like someones flooding me out of my connection. what do i do?

Thank you very much sir David

I want to see the source code of the sample website. Where can I see the sample source code?

Wow thank you, good labs 👍

I heard about an attack where hacker send an image via gmail or fb and they were able to get my token at that time. Is it true that can tell me how hackers created it and how to prevent it?

Yup, his website is a gold mine, awesome guy!

You know..i didnt understand a thing What can we do with it? I mean i wanna access the terminal of a website host(to run node.js)can i do this?

Can jQuery do a lot more than Javascript? Isn't jQuery mostly just prepackaged javascript functions? Kind of like a templating engine but for queries?

Hi David, please bring Dr, chuck once again, thankyou.

Wow! I had no idea… scary.

Thanks ❤️ means a lot

Thanks Again!

okay, I got it, but if I steal a cookie session, isn't that MY cookie? How does one knows whom cookie it is?

Hey David can you make a video for the reverse Engireering apktool,and i thank you for all your course

Hello David sir , I love your videos very much , but sir can you start podcast on spotify and put the conversations with people on Spotify

take a drink every time he says cross site scripting ahah

At around 10 minutes, isn’t this attack just a cross site request forgery/CSRF?

Can you talk about browser fingerprint?