I love how he just used "validate" instead of "sanitize" which is not overwhelming to hear 🥰

this is something someone new to programming would fall for, i can see also self taught developers in their early days falling for this. as someone who learned programming this year i see myself doing some mistakes when i want to build something fast, which is the case for any freelancer who wants to deliver the project and doesn't have much experience. thanks for the video.

Thank you for sharing, I am studying this material in my ethical hacking class, and your explanation clarified some things for me about XSS. It makes more sense. I would like to work for IBM sometime.

thank you. nice and simple explanation

Thank you for adding English subtitles to make it easier for the AI to translate into Korean.

How could a code typed in a website comments section execute an attach. Can a code run in the comments section?

Damn I was late for class I'm interested in understanding how the industry is working to genuinely solve XSS (Cross-Site Scripting) attacks. Since trusted websites can sometimes be manipulated to execute an XSS attack, it raises an important question: How can end users know if a 'trusted service' has been compromised? While I understand that there are browser extensions aimed at detecting OWASP Top 10 vulnerabilities, I'm curious how effective they are in practice. Additionally, as a software engineer, I'm aware that methods like command injection can also exploit systems, and that attackers could theoretically use the browser API to bypass certain defenses. How does the industry address these challenges, and what are the best approaches for ensuring users' security when using trusted websites?

ok but how is that malicious code persisting on the server? shouldn't only apply for the hackers session? ie how has he modified the coder on the server to now include his code as part of the servers. your example would only happen once, to the attacker. this only makes sense if the xss is doing an sql injection into the server which will then serve it up for all future users

You are awesome sir.

These exist because of the hard drive cartels not releasing certain technology to the public, which kept storage prices high. It was cheaper to have multiple servers, which used XSS to connect them as a single website.

I still remember the first time I read about this. It was a masterpiece. Absolutely genius!

How is he able to write mirrored letters so quickly?

Great topic but the explanation is lacking of details. Show some examples of how to place malicious code in a comment on a forum with a guided instruction on how to construct malicious code that makes stuff execute with an intension of an attack when bringing up this topic. It would make difference for developers and why it is important to protect against this type of vulnerability.

Great expalanation. Any recommendations for someone interested in getting into cybersecurity?

great video like always

You don't necessarily need to make the user interact with the XSS attack payload right? Can't it just run through the web browser loading the page?

Ty u.

He’s been hijacking Amazon employees. He’s hijacking techs to edit and inject exploit code on EC2 and light sail

So the Bottomline... NEVER... EVER... TRUST USER INPUT!!! As a web developer, your DEFAULT position should be... ALL USERS ARE EVIL!!! Stick to that... Along with copious amounts of paranoia!!! 😂 And the websites and apps that you build... Should be fine! 😊

that is in all honesty a terrible video...bcs it doesn't actually talk about ANYTHING really, feels like `let semantics = null` if u catch my drift... It doesn't even mention the 2 flavours of this attack, nor does it say what is it exactly that happens, that would result in a random user getting back trusted with mixed-in malicious code... This is akin to the annoying uprising of "the coding bootcamp" crap that "anybody can program" which is actually rather damaging to the industry as a whole, destroys the possibility to work with amazing engineers (ideally passionate about the topic not "just as a job") and ofc unnecessarily lowering payments for those that have actually have skills and passion for the craft... #analogy Instead of watching this, just read the OWASP wesbite on it and associated links...

I'm early

javascript was written in 7 days and was meant for a whole different purpose

👻🥸🤐👁️