2017 OWASP Top 10: Cross-Site Scripting (XSS)

Рет қаралды 145,997

F5 DevCentral

Күн бұрын

Пікірлер: 116

@hayleyha9433 5 жыл бұрын

Thank you so much, this is the most insightful introduction of XSS I have found on KZbin.

@devcentral 5 жыл бұрын

glad you enjoyed it!

@BobCat981 4 жыл бұрын

Though I found your presentation really neat and useful, I find it even 'neater' that you had logo on your shirt sewn backwards, to appear as it should once you mirror your video(s). Kudos to you, good sir. I cant think of any other way you made this, unless you're actually writing mirrored which i highly doubt......

@ilypineapple6461 4 жыл бұрын

OgaDuby this guy..

@amarchhabra2175 3 жыл бұрын

What a terrific video - very clear and concise - yet comprehensive and easy to understand!

@devcentral 3 жыл бұрын

Glad you enjoyed it!

@shameermehsoodshameermehso2149 Жыл бұрын

@@devcentral❤

@shameermehsoodshameermehso2149 Жыл бұрын

sexy videos dio

@shameermehsoodshameermehso2149 Жыл бұрын

9:39

@rayyu9684 3 жыл бұрын

Thank you! This is the best explanation I have ever seen!!!!!

@devcentral 3 жыл бұрын

appreciate the comment!

@jamesslaterly8670 3 жыл бұрын

now i understand XSS thank you!

@devcentral 3 жыл бұрын

You're welcome...glad you enjoyed the video!

@shimmeringreflection 4 жыл бұрын

Excellent video and exactly the right length. A topic like this needs a lengthy explanation to get one's head around it. Too many other vids try to sum it up in a few minutes only to leave the learner not really understanding what XSS is at the end of it.

@devcentral 4 жыл бұрын

glad you enjoyed it!

@artmasterpl 6 жыл бұрын

its now 7 because they change marking criteria for OWASP top 10 its now calculated by risk not for a number of attacks. XSS is still most popular attack but its not that dangerous like others ;)

@devcentral 6 жыл бұрын

great info...thanks for the clarification!

@ramsthoughts 6 жыл бұрын

That's great info, even I too had impression that rating based on popular not by risk...but YES that's sound sense too.

@joshwaphilip9840 6 жыл бұрын

you can't say it's not dangerous. because attacker steal cookie with help of XSS. and phishing also very dangerous. attacker use help of phishing email sending xss alert script and shows pop message. that way steal victim confidential data. why don't think that's not dangerous

@artmasterpl 4 жыл бұрын

@@joshwaphilip9840 yes u are right, sorry for my English back then ;p

@eyalpery8470 4 жыл бұрын

This video is amazing! I understood so much about XSS, Thank you!

@devcentral 4 жыл бұрын

glad you enjoyed it!

@HH-qe3sr 3 жыл бұрын

thank you very useful and clear but still didn't hear you talking about input validation in the video witch is one of method of mitigation

@api-first 4 жыл бұрын

You guys are great. I can always be sure to see a quality video when clicking on F5 stuff.

@LetsBeHuman 5 жыл бұрын

@10:52 - How can a firewall around Web app can prevent XSS, as the script is posted in an input field, right? So, How can a firewall check what an attacker is entering into the fields like username, password , etc.??

@devcentral 5 жыл бұрын

Thanks for the great questions! When you put a Web Application Firewall (WAF) in front of your web application, then all requests to the web application have to pass through the WAF before they get to the application itself. The WAF will learn all about your web application and know what parameters are used, what fields are used, what URLs are used, what file types are allowed/disallowed, etc. So, when a user sends a XSS attack to an input field of the web application, the WAF will know that the request is destined for the input field on the web app, and it will check the request against a variety of signatures, etc to determine if that particular request is malicious or not. If the WAF determines that the request is malicious (i.e. it detects stuff like xyz123) then it will block the request. Hope this helps!

@LetsBeHuman 5 жыл бұрын

@@devcentral thank you very much

@illt3ck 4 жыл бұрын

Really enjoyed this series so thanks for producing it. In this example, wouldn't the victim's system execute the attackers code and do a POST (including the session cookie) to the attackers server and not a GET?

@devcentral 4 жыл бұрын

Great question, Mark! In this case, the attacker would have set up his "evil.com" site to accept the GET request sent by the victim and would be looking for the parameter value in that GET request. Based on the way the attacker set up the malicious post on the vulnerable web application (the one that the victim visits), the GET request would include a parameter that has the victim's cookie value. The attacker could then take the site cookie and start down the path of more nefarious actions. For more on GET requests that include parameters, here's a good thread to look at: stackoverflow.com/questions/514892/how-to-make-an-http-get-request-with-parameters I hope this helps...thanks!

@RajivKumar-ee7xv 3 жыл бұрын

@@devcentral I was also thinking same. Thanks for clarifying.

@mfstuff8252 4 жыл бұрын

Very good and simply explained!

@devcentral 4 жыл бұрын

glad you enjoyed it!

@sirdondaniel 4 жыл бұрын

Why don't you split the Webapp in two: server and froendend (client)?

@HD_Heresy 3 жыл бұрын

REALLY awesome video, thanks so much!

@devcentral 3 жыл бұрын

Glad you enjoyed it!

@sunilchaudhari5730 3 жыл бұрын

It seems Web Application Firewall is solution to most of the OWASP 10 problems.

@Rookey_Traveller 4 жыл бұрын

Please explain types is xss attacks.

@devcentral 4 жыл бұрын

Thanks for the comment! The example I gave in the video is a stored/persistent XSS example. here's a great article that outlines all the different types and gives some good examples as well: portswigger.net/web-security/cross-site-scripting

@tanercoder1915 4 жыл бұрын

This sure sounded like CSRF vulnerability. Remote XSS == CSRF ?

@rudyc79 3 жыл бұрын

Is injection still number 1?

@psilvas 3 жыл бұрын

Yes it is: owasp.org/www-project-top-ten/

@Dasman_adventures 6 жыл бұрын

Really like this example and the breakdown! Thanks for making the OWASP Top 10 a bit more available! :)

@devcentral 6 жыл бұрын

Thanks! Glad you are enjoying the videos...

@shubhampaul8394 3 жыл бұрын

Amazingg..your way of explaining things❤ loved it..nice video..

@devcentral 3 жыл бұрын

Glad you enjoyed it!

@vinaydrdo 5 жыл бұрын

Good video full of clarity on the topic

@devcentral 5 жыл бұрын

glad you enjoyed it!

@frankthabo 3 жыл бұрын

Salute !!!

@devcentral 3 жыл бұрын

Glad you enjoyed it!

@houssamboudahra7803 3 жыл бұрын

Thank you

@devcentral 3 жыл бұрын

glad you enjoyed it!

@sudhanshupal4427 5 жыл бұрын

Thanks a lot you cleared my concept of cross site scripting !!!

@devcentral 5 жыл бұрын

glad you enjoyed it!

@venkateshbogadhi4652 5 жыл бұрын

Its a very nice video, Thanks. Whatever the example you mentioned in the video is related to a type of XSS i.e, Stored/Persistent XSS. Similarly can you explain about other types of XSS like Reflected, Blind and DOM Based XSS attacks?

@devcentral 5 жыл бұрын

great question! the example I gave in the video is a stored/persistent XSS example. here's a great article that outlines all the different types and gives some good examples as well: portswigger.net/web-security/cross-site-scripting

@sariksiddiqui6059 4 жыл бұрын

if the words he's writing are not laterally inverted,means he is right-handed?

@tarunvishwakarma2562 6 жыл бұрын

Hi, thank you for making Owasp video but there is not all the owasp top ten video only I found 5 to 6 Please make it all...

@devcentral 6 жыл бұрын

Hi tarun. Thanks for the comment. I am in the process of making all 10 videos, but I've only finalized 7 of them so far. Be sure to stay tuned to our channel as the remaining 3 will be published here as well.

@tarunvishwakarma2562 6 жыл бұрын

okay & thanks, guys..........

@devcentral 6 жыл бұрын

FYI...we created a playlist on our channel that has the OWASP Top Ten videos. We haven't finished all the videos yet (March, 2018), but once they are all finished, the playlist will have them all. kzbin.info/www/bejne/qIirp6Ntp7qel5o

@LetsBeHuman 5 жыл бұрын

What tool you use to make these kind of videos? You seem to write in your right hand, but... Please answer.

@SpeedlPN 5 жыл бұрын

They have a pane of glass between him and the camera, he writes naturally but the video is flipped vertically.

@25kirtan 4 жыл бұрын

Thanks man!

@devcentral 4 жыл бұрын

glad you enjoyed it!

@suan_tech2019 2 жыл бұрын

thanks

@Watcher3121 6 жыл бұрын

is he writing reverse on glass?

@PolymathTheDiver 5 жыл бұрын

Yep. I'm imprressed

@nguyenhuyhoang555 5 жыл бұрын

What is different between Redirected XSS and CSRF?

@Xpressd 4 жыл бұрын

are you writing backwards or flipping the screen 😕

@psilvas 4 жыл бұрын

check out this video to show you how we do it: kzbin.info/www/bejne/i2iokH9qrKiDisU

@bigmarkua 4 жыл бұрын

Thanks!

@duonganphong7643 4 жыл бұрын

Amazing, thanks!

@passord1d493 4 жыл бұрын

destroyWebsite();

@devcentral 4 жыл бұрын

lol...looks like the KZbin comments section has included secure coding practices!

@angeloreyes707 3 жыл бұрын

Are you drawing all of that backwards??? Lol

@psilvas 3 жыл бұрын

this is how we do these: kzbin.info/www/bejne/i2iokH9qrKiDisU

@h.rehaief3567 5 жыл бұрын

great job

@devcentral 5 жыл бұрын

glad you enjoyed it!

@gck330 6 жыл бұрын

my question is what browser will sent the cookies of example.com to another site, evil.com ? is this posible ?

@mlrhazi 6 жыл бұрын

the bad runs in the context of example.com page. browser will give it all the cookies of that domain, right? It will then send them to evil.com. The script will send the cookies names and values... not the browser.

@pineappleapplepens 5 жыл бұрын

is instructor Wagnon writing backwards?

@DjSeymur 5 жыл бұрын

No, the video is horizontally flipped. And if you ask about the logo on the shirt, I assume it is specially printed in mirrored form for this kind of video

@Cognitoman 6 жыл бұрын

great job!

@devcentral 6 жыл бұрын

thanks...glad you enjoyed it!

@debjitpaul8580 5 жыл бұрын

Wait wait is he writing it in reverse?? 🤥 Someone please tell me there's some trick to it.

@picklecrash 5 жыл бұрын

no, he flips the video after recording it

@petervtzand 4 жыл бұрын

@@picklecrash So what about the logo on his shirt?

@picklecrash 4 жыл бұрын

@@petervtzand sewn in reverse

@ilypineapple6461 4 жыл бұрын

Joshua Clougherty then wouldn’t one be backwards and the other not? Lmfao

@shimmeringreflection 4 жыл бұрын

@@petervtzand hehe. I thought the commenter was right when he said he flips the video after recording it but then you pointed out the logo on his shirt. Very astute!

@deeraj3069 5 жыл бұрын

Thank you sir...

@devcentral 5 жыл бұрын

glad you enjoyed it!

@deeptipathak7739 5 жыл бұрын

What is post script

@devcentral 5 жыл бұрын

Hi Deepti...just wanted to get some clarification on what you are asking. What exactly are you referring to when you say "post script"? There's a post script in reference to printing, but I'm not sure if that's what you are talking about here. We are glad to help clarify, but need some more context around what you are referring to. Thanks!