This has truly been a lifesaver. My college professor told us to research this for a paper and gave us no source material whatsoever. Everywhere I look, the explanations are so technically written that it goes right over my head with my limited knowledge. (Usually, if I have to look up 3 terms before I finish the first paragraph, I'm out) Thank you SOOOOOO much for describing this in detail without weighing it down with an excess of unnecessary jargon and high-level concepts.

00:50 SOP, the browser checks, blocks read and write 02:10 JS, access, DOM API, javascript injection technique, 03:21 basic classic example 05:35 reflected 05:54 stored 07:31 DOM XSS

I read so many explanations about XSS recently and yours is by far the best. Keep up the great work !

dwangoAC of the custom Twitch chat XSS segment - thanks for including it! We had difficulty classifying it as well, and the realtime nature made it hard to say if it was truly stored XSS or not. The volunteer who wrote it learned valuable lessons that day.

Upload more frequently! :)

This lesson was sooooo well done my dude! It was great, lots of specifics but not so complicated that everything flew right over my head. Thank you!

Absolutely loved this video! The intro video, your style of talking, those amazing blue and pink (I guess they are called pastel colors?) colors. It was really fun to watch this video and get a general knowledge about XSS. Keep this us, buddy! Definitely sub from me!

I gotta say bro, your content is helping me out a fugh-ton. I've been brushing up on my security since ive been interviewing for a few months and realized my understanding of some sec principles werent complete or in some cases simpler than i had originally thought. thanks!

i do not leave comments often but.. my dude holy crap this was great. thank you. much more in depth and easy to understand compared to professor messer. loves the visuals. keep it up

hey man , good to see you after a long time.. plan some frequent uploads ..

The day has come I finally got an xkcd reference :)

Dude! You vids are amazing. Very technical which is great and your graphical explanations leave no room for guessing! Love it! Keep these going!

This was the first video I saw from you but I have to say, I am really glad I’ve found this channel. Big subscribe and I hope that you will have a successful KZbin carrier

this is the first video ive watched of yours and I already love how you approach the over acrhing concept!

Been struggling to wrap my head around what xss was exactly for a while, and this cleared up a lot of things. Thank you. :)

You're the best online teacher that I ever had! Keep uploading more vulnerabilities pls, tomorrow I will try some xss challenge of your website, thank you for all your hard work

The fact that you didn't edit out the differentiation thingy just earned you a subscribe

What you do for the community is awesome man. Thanks for the game and the great videos

You are super funny man love how you have a good time while making the explanations. Underated and I wish you well in your future I will be subscribing and supporting!

Bruh! I don't know who you are, but I will find you and hug you! (maybe after covid) Your explanations has been spot on with the perfect amount of words and video. You should teach class at university that way students will actually get what they are supposed to be studying! Hats off to you good sir.

Hello ! I finally understood XSS ! Thank you man ! You're the best! Keep those videos coming. #subscribed

This has got to be the best KZbin tutorial, HANDS DOWN. Lmao! Subscribed.

Your videos are so awesome. You explain stuff in such an easily-digestable manner. Please make more :)

Dude your video editing skills are next level. Keep up the good work!

Came here from the deserialization vid. Awesome content, well done. +1 Sub.

Happy to see u back I missed u

yo pwn function, i love your vids, please try to post more. i have watched all ur vids and learned a ton from each which I thought i wouldn't have so ur channel has been an all around big help. I love ur content so maybe just trying to post when u can will be great...

Random tidbit: I had a phone interview with the guy who coined the term "XSS" (allegedly), he was absolutely obnoxious and made sure to let me know he came up with that term every 5 minutes.

Waiting for next video! You're making top content!

Incredible video, I have been drinking allot of concepts from a water hose for my CySA+ and XSS for whatever reason was one I really struggled to conceptualize.

Very helpful I keep learning, understanding, and then forgetting XSS. This time it stuck with me 👍

Liked and subscribed! Thank you so much! This was really really well done and explained! Edit: Was I subscriber nr 14.000?!

Corrections on the same origin policy. You can "write" or "send" regardless of origin but the browser will hold onto any response that is coming from an untrusted origin. This is the reason CSRF is not prevented by SOP. This isn't hate mail btw, I love your videos and you helped me a ton in the past. P.S. glad to see you're back!

Realy a great content that you made~ I really like it & thank you for creating this. I hope you'll make another content more frequent~

Samy worm reference caught! Great video btw, very clear and useful

I wish I've found this channel way before, great content!❤️

Great explanation. And that video of the streamer 100% go watch it everyone!! I am so thankful you put that link there for us, haven seen such an amazing video for a while xD

First time watching ur vid. Love the icon!

Huge respects bro! You have a great and unique way of teaching

Concept

FINALLY! a great video on XSS! Thank you!

I love your video making style, it makes it fun to look at

One of the best explanation for XSS. Thank you very much for this video and also for learning resource.

"Lets talk about SOP, so that were all on the same page" nailed it

It's a perfect video! I finally understand everything. Thank you so much!!!! By the way, the video fragment was so funny))

Top Notch explanation of a difficult topic. Loved the graphics and animation. Barvo!!

thank you so much, a lot of websites and forums just say like: blah blah if you write blah blah blah in blah you will get blah blah blah. but now i get how it works

This should be at the top of my youtube search! I keep seeing random half assed videos on XSS. But this kinda gold is down the list for some reason.

You are good at explaining. If all your videos are going to be like this, consider you have a new subscriber .

Thank you very much sir! you cleared all my doubts :) . Your way of presentation of topics is really really good! :D

GREAT video man, keep the content!

Thank you for your work! Amazing explanation!

Cleared my doubts Thanks bro ✌️

In my view, the biggest fundamental flaw of the same origin policy is the fact that it is purely a client side implementation. Case and point: fork Chrome, turn the flag off you have a CORS-less browser. Why you'd want that when it would be a detriment to your own good is another question. But you can do it. You don't even need to change the code. As far as I know, there still exists a flag you can pass when launching Chrome (and other browsers) to turn it off. And now we have "Local Overrides" in Chrome's dev tools. This is a wonderful tool that has helped me debug a number of issues in production, but it also is a wonderful asset to performing XSS attacks on sites you shouldn't have authority over. It's also possible to manipulate the perception of who you're communicating with by modifying your local hosts file. Add break points to another site's scripts, pause execution at important points, retarget your domain to a local server you're serving assets from, revert hosts file, resume execution as desired. I'm sure there's a number of brighter people than me here who have even better examples of how easy it is to circumvent the minimal protection that is there, so it leaves me wondering why we have an entire ecosystem of technology built around such shaky ground. It seems to me that we should have implemented better security mechanisms for these sort of things in the actual protocol level. In the same way in which we introduced websockets by "upgrading" connections, it feels like more should be done in this area to mitigate the weak protection client-side CORS policies provide.

Amazing explanation of XSS. Kudos mate

I actually subscribe after the first few animations. Clean tutorial.

Excellent videos, amazing production value

Can't believe more people haven't seen this, very well explained and at a very good pace.

bro you just taught me what I wanted. big fan 😊❤

why this was not recommended to me

This was so well done. By the way, what software do you use to do the drawing on your videos?

Hey man, great content as always. Please make more content like this :)

This was amazing! Thanks for the upload, currently exploring your channel :)

Simple, entertaining, and engaging. Subbed. Teach me more. -Cyber Security student

Awesome explanation man! Hats off! 👌

that 'same page' joke is what got you a thumbs up.

Yo, I can confirm this vidoe is better than a QS top 100 uni lecture video, sorry professor :)

Thanks brooo. A little late onto security. But it was a great learning experience 🥳💐

You have made my life easier. Thanks

keep up the good work, very nice animation and super clear explanation thank you

Love the graphics and explanation 👌

Good quality content and thanks for explaining XSS

Please make more videos on different Web Vulnerability types , And maybe some more demos on them . Love your channel ❤️

Samy is my hero....the classic myspace prank... loved the reference

a webpage to practice xss with examples? i think i love you

Lil Bobby tabels you forged his name to Bobby script!! Xoxo love from India... keep up the good work cheers

Great video man. Btw, how do you do these animations? IPad recodings?

Thank you for getting us all on the same page ;)

Thank you for building that website! And for this video

Here before this channel blows up

Dude your content is awesome omg! I guess what finally made me click was you saying that the name XSS is probably not the best one (stopped focusing on the name to realize it's just an injection technique :)

wow what a great video. I hope you will do a lot more videos like this!

Dude you're awesome 👌 Your explanation and example is exactly what I was looking to properly understand Thanks. Do you have a video on XSRF also???

Awesome video as always!

Love your vids!

1:51 I don't know much about hacking,, i recently read about open redirect vulnerability,, Is it possible that SOP gives access to that if Open redirect vulnerability is there?

u are great dude, happy i found u out

What happen to you man! Many of them are waiting for your video You are such a awesome youtuber i saw earlier im still waiting for the next video When i saw your video at first time i didnt understand that much .then i watch many times and understand the concept of the vulnerability i hope you upload your next video on november You are literaly awesome regards,surya

Amazing video. Keep them coming

I'll learn how to do security. Thanks for showing it to me!

SOP only prevents reading though right? The backend server will execute the request and send the response back to the browser, but the browser will not show the response.

Welcome mate , Please more videos

Pretty cool explainer video on XSS!

Also, we should preferably use innerText attribute to put content inside a html element

hey man please make videos more frequenty and put here for us to learn. I love your work man!!

your amazing dude keep up the good work

Awesome presentation. May I ask which tool you use to create the animations?

best explanation on the internet!!

Wow its been long time, nice video

Isn't 1:13 wrong? SOP only applies to reading data and not writing it. CSRF attacks are still possible against SOP.