Cross-Site Scripting (XSS) Explained

00:11:27
https://www.youtube.com/watch?v=EoaDgUgS6QA

摘要

TLDRThe video discusses Cross-Site Scripting (XSS) vulnerabilities, starting with a fictional story to introduce the topic. It explains the importance of the Same Origin Policy (SOP) in preventing unauthorized access between different websites. The presenter highlights various types of XSS, including reflected, stored, DOM-based, and mutation XSS, detailing how JavaScript injections can lead to security breaches. The video also addresses the complexity of mitigating XSS vulnerabilities and promotes learning through challenges on a dedicated website. Lastly, it underscores the omnipresent nature of XSS in web development and emphasizes security best practices.

心得

  • 🧒 Bobby Tables becomes Bobby's Script.
  • 🛡️ Same Origin Policy (SOP) ensures web security.
  • ⚠️ XSS allows JavaScript injection on websites.
  • 📜 Reflected XSS is a basic injection type.
  • 📅 Stored XSS can affect multiple users.
  • 🌐 DOM-based XSS exploits JavaScript context.
  • 🧼 Use libraries like DOMPurify for sanitization.
  • 💻 XSS challenges available at xss.ponefunction.com.
  • 📊 Mitigating XSS is complex and multi-faceted.
  • 🔍 Understanding XSS is crucial for web security.

时间轴

  • 00:00:00 - 00:05:00

    The video begins with a humorous introduction to the character Bobby Tables, who experiences special messages due to his name change to Bobby's Script. The speaker transitions into discussing cross-site scripting (XSS), explaining that Microsoft coined the term and expressing personal discontent with the name. The concept of same-origin policy (SOP) is explained as a security feature preventing one website from accessing another's data unless they share the same protocol, host, and port. The SOP is crucial for web security, as it prevents unauthorized access to sensitive information across different websites.

  • 00:05:00 - 00:11:27

    The speaker introduces JavaScript injection as a fundamental technique of XSS, illustrating it with an example where user input is reflected back in a website's response. This is demonstrated by inputting a JavaScript command, which executes due to the browser treating the response as HTML. The video then categorizes different types of XSS: reflected XSS, where inputs are executed immediately; stored XSS, where malicious input is stored in a database; DOM-based XSS, where user input is misused within client-side JavaScript; and mutation XSS, where browser transformations can lead to vulnerabilities. The video emphasizes the complexity of addressing XSS when considering common web practices.

思维导图

视频问答

  • What is the main focus of the video?

    The video focuses on explaining Cross-Site Scripting (XSS) vulnerabilities.

  • What is the Same Origin Policy?

    Same Origin Policy is a security feature that prevents one website from accessing data from another unless they share the same protocol, host, and port.

  • What are the types of XSS vulnerabilities mentioned?

    The types discussed include reflected XSS, stored XSS, DOM-based XSS, and mutation XSS.

  • Why is solving XSS vulnerabilities challenging?

    Solving XSS issues is challenging because JavaScript can be executed in various ways beyond just script tags.

  • What tool does the video recommend for sanitizing HTML?

    The video recommends using DOMPurify to sanitize JavaScript and HTML.

  • Where can viewers find XSS challenges to practice?

    Viewers can find XSS challenges on the website xss.ponefunction.com.

查看更多视频摘要

即时访问由人工智能支持的免费 YouTube 视频摘要!
字幕
en
自动滚动:
  • 00:00:00
    alrighty it's been a while so let's
  • 00:00:02
    start off with the story once upon a
  • 00:00:05
    time there was this kid his name was
  • 00:00:07
    Bobby tables soon after changing his
  • 00:00:09
    name to Bobby's script he started to see
  • 00:00:12
    some special messages on any new website
  • 00:00:15
    he signs up to now I wonder what's the
  • 00:00:19
    connection
  • 00:00:21
    [Music]
  • 00:00:25
    Jokes Aside let's talk about xss
  • 00:00:29
    exercise stands for cross-site scripting
  • 00:00:31
    as far as I'm aware Microsoft coined the
  • 00:00:34
    word
  • 00:00:35
    now I know I'm not supposed to give my
  • 00:00:37
    opinion but I just don't think it's a
  • 00:00:40
    great name for the venability don't get
  • 00:00:42
    me wrong though exercise sounds cool and
  • 00:00:44
    everything but I just don't think it's
  • 00:00:46
    the right name but anyways before we
  • 00:00:48
    jump right into xss let's talk about a
  • 00:00:51
    core security feature called say margin
  • 00:00:55
    policy so that you know we're all on the
  • 00:00:58
    same page
  • 00:00:59
    [Music]
  • 00:01:05
    same origin policy or simply sop is a
  • 00:01:09
    policy that stops one website from
  • 00:01:11
    reading or writing data to another
  • 00:01:15
    the policy essentially checks for three
  • 00:01:17
    different things in the origin the
  • 00:01:20
    protocol host and the port only if all
  • 00:01:24
    the three are the same for two different
  • 00:01:26
    Origins then the browser allows
  • 00:01:28
    cross-origin read or write for example
  • 00:01:32
    if we have a website ponefunction.com
  • 00:01:35
    and another website hackfunction.com
  • 00:01:38
    then the browser checks if the protocol
  • 00:01:40
    is same in both cases which it is which
  • 00:01:44
    is HTTP so on to the next check next it
  • 00:01:48
    checks for the host obviously they're
  • 00:01:50
    different one is pen function the other
  • 00:01:53
    one's hack function so the browser
  • 00:01:55
    blocks cross origin read and write as
  • 00:01:58
    you can imagine this is a great feature
  • 00:02:01
    ensuring some basic web security but now
  • 00:02:05
    let us imagine something like a thought
  • 00:02:08
    experiment what if we have control over
  • 00:02:12
    the JavaScript of another website you
  • 00:02:15
    can pause the video and think about it
  • 00:02:17
    yourself but let's let's just run down
  • 00:02:20
    some ideas shall we
  • 00:02:22
    set firstly we know that JavaScript has
  • 00:02:25
    access to HTML documents via the Dom
  • 00:02:27
    apis which are provided by the browser
  • 00:02:30
    which means we can manipulate the Dom
  • 00:02:32
    and make it look different like defacing
  • 00:02:36
    a page or something better yet we can
  • 00:02:38
    steal some csrf tokens which could also
  • 00:02:41
    be problematic or you can simply read
  • 00:02:45
    some cookies if you can and send it over
  • 00:02:48
    to your website via Ajax request or
  • 00:02:51
    maybe your form submission whatever that
  • 00:02:53
    might be but I think you see the picture
  • 00:02:56
    that I'm trying to paint having access
  • 00:02:58
    to JavaScript on another website in a
  • 00:03:01
    different user's context can be very
  • 00:03:03
    problematic but now the question is can
  • 00:03:07
    we really inject some JavaScript into
  • 00:03:09
    another website the answer is yes we can
  • 00:03:12
    and that's exactly what xss or
  • 00:03:15
    cross-site scripting is all about merely
  • 00:03:18
    just a JavaScript injection technique
  • 00:03:21
    let's start by looking at a very basic
  • 00:03:24
    and a classic example assume that we
  • 00:03:26
    have a website where you can input your
  • 00:03:29
    name into this text box and get back to
  • 00:03:32
    the response which simply greets us back
  • 00:03:34
    by our name let's see what actually
  • 00:03:37
    happens behind the scenes so when we
  • 00:03:40
    click on the button we send out an HTTP
  • 00:03:43
    request which looks something like this
  • 00:03:45
    as you can see the name is sent out as a
  • 00:03:49
    get parameter and after the server
  • 00:03:51
    processes the information it returns us
  • 00:03:54
    back with a response here we see the
  • 00:03:57
    name that we send out now the
  • 00:04:00
    interesting thing here is that the
  • 00:04:02
    browser sees the whole of the response
  • 00:04:04
    data as HTML which is also specified by
  • 00:04:08
    the content type header up here the
  • 00:04:11
    thing is the browser doesn't know or
  • 00:04:14
    can't know without any extra information
  • 00:04:16
    that the input what we send out is being
  • 00:04:19
    reflected back in the response so simply
  • 00:04:22
    it just assumes the entire blob to be
  • 00:04:25
    HTML and it does its further processing
  • 00:04:28
    and renders it out to the screen now
  • 00:04:31
    let's repeat the same request but this
  • 00:04:33
    time let's change the input from just
  • 00:04:35
    being a name to something that looks
  • 00:04:37
    like HTML in this case script to let
  • 00:04:40
    script is a tag which is used to execute
  • 00:04:43
    some JavaScript and inside that we have
  • 00:04:45
    alert which simply just pops up a small
  • 00:04:49
    little pop-up pretty much I guess but
  • 00:04:52
    anyways now a similar thing happens we
  • 00:04:56
    get back the input directly in the
  • 00:04:58
    response but as you can see there's no
  • 00:05:01
    differentiation if if I said the word
  • 00:05:04
    correctly there's no differentiate
  • 00:05:07
    different differentiate Jesus Christ
  • 00:05:09
    there's no difference between the HTML
  • 00:05:11
    code that needs to be rendered and the
  • 00:05:14
    input we sent out so the browser doesn't
  • 00:05:17
    necessarily know so it simply accepts
  • 00:05:20
    the whole thing as the HTML and executes
  • 00:05:23
    it which in turn executes our JavaScript
  • 00:05:26
    code Ergo JavaScript injection or simply
  • 00:05:30
    call it xss
  • 00:05:32
    foreign
  • 00:05:35
    [Music]
  • 00:05:39
    types of xss the first one is reflected
  • 00:05:42
    xss that's the one you just saw now
  • 00:05:45
    where the input was reflected back in
  • 00:05:48
    the response and identified as a script
  • 00:05:50
    block and then gets executed the second
  • 00:05:53
    one is thought exercise this is similar
  • 00:05:55
    to the first one but the input isn't
  • 00:05:58
    just reflected back but instead the
  • 00:06:01
    input is persisted or basically stored
  • 00:06:04
    in some sort of a database or something
  • 00:06:06
    and then shown back to the user by
  • 00:06:08
    pulling it out from the place that it
  • 00:06:10
    was stored but as you can imagine this
  • 00:06:13
    can be even more powerful since the
  • 00:06:15
    malicious input is actually stored in a
  • 00:06:18
    database and injects everyone who just
  • 00:06:20
    views the page that depended on your
  • 00:06:23
    input a classic example often used to
  • 00:06:26
    explain stored exercise is the comment
  • 00:06:28
    section maybe think of it as YouTube
  • 00:06:30
    comments section if there was exercise
  • 00:06:33
    then you'd be able to inject some
  • 00:06:35
    malicious JavaScript which gets stored
  • 00:06:37
    in the database now whoever sees the
  • 00:06:40
    comment gets infected automatically
  • 00:06:43
    let's take a quick detour and check out
  • 00:06:45
    a real world example I'm not sure if the
  • 00:06:48
    following video is an example of
  • 00:06:50
    historic success but it's kind of
  • 00:06:52
    similar to what I just described but has
  • 00:06:55
    a funny exercise bug in a custom twitch
  • 00:06:58
    chat window
  • 00:07:01
    [Laughter]
  • 00:07:01
    um
  • 00:07:04
    so let me put it this way this way uh
  • 00:07:08
    you guys found a vulnerability in the
  • 00:07:10
    chat client that
  • 00:07:12
    that don't mind me oh my goodness
  • 00:07:18
    I'm just gonna sit back and
  • 00:07:22
    by the way you can find the link to the
  • 00:07:24
    full video in the description check it
  • 00:07:26
    out now getting back to the types of xss
  • 00:07:29
    the third one is domic Success where
  • 00:07:32
    they use this input directly lands
  • 00:07:35
    inside a dangerous part of the
  • 00:07:36
    JavaScript code this happens entirely on
  • 00:07:39
    the client side for example here the
  • 00:07:42
    user input directly lands inside the
  • 00:07:45
    inner HTML property of the div element
  • 00:07:47
    so in this case a string supplied by the
  • 00:07:50
    user lands inside a Dom which ultimately
  • 00:07:53
    has the ability to execute some
  • 00:07:55
    JavaScript lastly we have mxss or
  • 00:07:59
    mutation exercise where the user input
  • 00:08:02
    is mutated or changed in some way by the
  • 00:08:05
    browser before inserting it to the Dom
  • 00:08:07
    which sometimes can lead to cross-site
  • 00:08:10
    scripting
  • 00:08:11
    [Music]
  • 00:08:14
    foreign
  • 00:08:16
    solving the problem of xss isn't a
  • 00:08:19
    simple one often times requires a lot of
  • 00:08:22
    work to get rid of some of these issues
  • 00:08:24
    take this for example a script alert 1.
  • 00:08:28
    you may think that blocking script tags
  • 00:08:31
    might fix the issue but it's far from
  • 00:08:33
    the truth
  • 00:08:34
    script tags isn't the only way to
  • 00:08:36
    execute some JavaScript you can use
  • 00:08:38
    something called as event handlers which
  • 00:08:41
    is associated with most of the tags in
  • 00:08:43
    HTML which executes again some
  • 00:08:46
    JavaScript
  • 00:08:47
    now you might think let's just filter
  • 00:08:50
    out opening and closing tag symbols so
  • 00:08:53
    that there's no tags at all well this
  • 00:08:56
    might be useful but it's also
  • 00:08:58
    problematic in some cases for example
  • 00:09:00
    email services like Gmail use HTML to
  • 00:09:04
    send emails out similarly you have
  • 00:09:06
    online website Builders Rich Text
  • 00:09:09
    editors or even markdown editors and I'm
  • 00:09:13
    sure that there are many other use cases
  • 00:09:15
    as you can guess by now it's not that
  • 00:09:18
    simple but amazing people have come up
  • 00:09:21
    with some great Solutions which work
  • 00:09:24
    great in a lot of cases for example Dom
  • 00:09:26
    purifier is an awesome Library which
  • 00:09:29
    sanitizes JavaScript and spits out only
  • 00:09:31
    the clean HTML so go ahead check it out
  • 00:09:35
    [Music]
  • 00:09:42
    assess is a super huge slash endless
  • 00:09:45
    topic of exploration I've decided that
  • 00:09:48
    the best way that the community and
  • 00:09:51
    myself can learn about exercise is by
  • 00:09:53
    making a bunch of challenges and put
  • 00:09:56
    them on together on a website with
  • 00:09:58
    solutions for each one of them with
  • 00:10:00
    explanations of course so that people
  • 00:10:02
    can understand things better
  • 00:10:04
    so for that reason I've went ahead and
  • 00:10:07
    created a website for you guys the
  • 00:10:09
    website has been up and running for
  • 00:10:11
    about a month or two new challenges will
  • 00:10:14
    be posted as often as possible and the
  • 00:10:17
    older ones are going to stay there like
  • 00:10:19
    always like forever and ever till the
  • 00:10:22
    end of time okay maybe that's a bit of a
  • 00:10:24
    stretch but hey as long as I'm around
  • 00:10:27
    okay
  • 00:10:28
    anyways the website is at
  • 00:10:32
    xss.ponefunction.com to which the links
  • 00:10:34
    are going to be in the description of
  • 00:10:36
    course so check it out hopefully this
  • 00:10:38
    will be some sort of a help to you guys
  • 00:10:40
    and lastly like I always end my videos
  • 00:10:43
    with the cheesy line here it goes
  • 00:10:46
    in the end excess boils down to just
  • 00:10:49
    being JavaScript injection
  • 00:10:51
    and as you saw it can be in many
  • 00:10:54
    different places taking many different
  • 00:10:56
    forms like a shape shifter
  • 00:10:58
    but what you do with it or what it's
  • 00:11:01
    good for
  • 00:11:03
    is up to you
  • 00:11:05
    [Music]
  • 00:11:14
    [Music]
  • 00:11:19
    foreign
  • 00:11:21
    [Music]
标签
  • XSS
  • JavaScript
  • Security
  • Same Origin Policy
  • Web Vulnerabilities
  • Cross-Site Scripting
  • DOM Manipulation
  • Sanitization
  • Cybersecurity
  • Web Development