Love your spirit man. You keep regularly updating your videos. Great job.

First time ever i understand the concept of XSS .Excellent explanation

Great video Hussein. I’ve heard of XSS but never had them explained so clearly. Would love to see more security related videos if the inspiration hits you! This has become my favourite back end channel - thanks for your effort making these.

Oooooo Mama......... :D Your Accent/tone/speech/words/humor is just perfect. Thank you that i found you.

Great video Hussein!

FYI - its a "reflected" since your code is "reflecting" the search item on the return results page @2:24, thus executing the script.

Another Hussein Nasser video woohoooo! Would be really awesome if you could make a video purely about CSP. How to set it up and what the best practices are :)

Thanks man! You've been shooting out amazing content lately like multiple times a week! Keep up the good work

Hello Hussein after going through video , I realised that it was you . I have watched most of your content on the design

Mahn! Incredibly fun to watch! Love your content bro

Love your style of teaching, man, you are awesome.

Wow!! Very informative. I lean new things again in less time.... It will help me a lot to prevent outside to come in to my server scripts.

Anybody know how to check if a given website has xss header enabled using pyhton.

This is cool man.I was on facebook console doing all things and kept getting this CSP thing, glad you cleared it up.Need to see how to implement it in nginx when delivering static website

4:55 In general stored xss is more dangerous than reflected one. First - there are no user action required to run a stored xss (when a reflected xss needs a link) and second - any stored xss can also be used as a reflected xss. I mean, I can make some xss on a page no one goes to, so stored xss is not so dangerous there, but I still can make a link to that page, like with reflected xss. But, what I was thinking about, is that stored xss is more dangerous on public pages but on private pages reflected xss is more dangerous . This is because stored xss on private pages in most cases is like self xss - you make that xss, and you can "hack" yourself, but with reflected xss on private pages you can send a link to, for example, profile settings, and it would be quite regular reflected xss. p.s. of course there's always an ability that admins can go to private pages, so, any stored/reflected xss is bad and no matter where it appeared.

You are the best explainer

this is so easily digestable! thank you

We appreciate your efforts

I enjoy how this guy explain :)

Great explanation, thanks!

Thank you very much and keep doing your job :)

Thank you Naseer ! This is very helpful

This is $$ Gold $$. Thank you so much. You earned a subscriber!

This was incredibly helpful thank you! How does this work with the HTML tag "meta http-equiv="Content-Security-Policy" content="default-src 'self'"? Does this tag mean I don't have to include all the lines of JS shown in your video?

hi hussein I need you help/info related to one issue We have in java code like below String hname = request.getRemoteName(); // this line is showing issue in Fortify scan can you help me how to validate the hname? I used with ESAPI input validator but it could not remediate it. Please help

I don't know if u use instagram but there was this one account who posted an insta story, It said "Some text" and below was the profile picture of the person who was viewing that story. So if i opened the story then it would be my pic. But Instagram doesnt provide any API like KZbin does even if it did , There isn't any place to embed it. I wonder how he did it cuz it was pretty cool

I just subscribed. You are awesome bro. Thank you loads.

is XSS relevant to only public domain sites(twitter,facebook) or even licensed webapps(jira, enterprise git..etc) can undergo XSS?

What websites let you just store things on them like that?

Awesome made it all clearer 🙏

if it is a dynamic website, is it okay to put the main homepage link in?

Glad to see you actively adding more videos. Trying to watch as many as possible. Can we expect a video on tools like Prometheus and Grafana by any chance?

At 09:13 , you said we shoudnt write script inside inline script tag. But it wasn't clear why. Can u elaborate on it please.

Please make more videos on web security and headers! ❤️

thanks for the nice explaining it was very enjoyable.

Does xss protection header prevents DOM xss

Great Explanation

Awesome Demo thank's

It's very informative!

How to implement in struts

Thank you for a beautiful explanation sir. Actually interested in learning js btw found u on Udemy.

I love your videos always you are the best on youtube Thank you so much for your effort and time

It was helpful, thank you

ও মামা। Amazing explanation!

"Oooo Mama" 😂 - Hussain 2020

Of course you could have mentioned the real problem and solution in the js code, distinguishing text from HTML encoded text. (Easier with typescript 😜) But good demo of the csp header.

So you mean that if we do use CSP XSS can't be injected, right ?

Such powerful stuff...

شكرا جدا عالشرح الواضح

When your mom found out that you did something wrong and she stares at you like she about to end yo career: 3:26

Thank you for this great video, as always. Learning a lot from them. (I am trying to build a resource server for my spring boot- anugular application. Please do you know any resource that will help or any free tool I can use. Thanks for your feedback.)

Been just kind of defeated. Haven't even been on a computer in a long time. I do like your vids though. Still picking up theories and concepts here and there

Hi Hussain.Your content is awesome. Csp attributes get fails even though it has been configured correct url.can u help me out?

awesome

Can u make a vid on modsecurity with Nginx

the edvotise was so greate "click here to Boost your CPU"🤣🤣🤣

Thank you for saying SHE and including us ✨ 🙌🏽 ✨ women hack & code too (:

great

XSS babes!

joss

❤️

This + html ping to post form :)

alert("Mad")

alert("XSS")

alert(test attack);

alert("Hello");