Cracking Websites with Cross Site Scripting - Computerphile
Audible free book: www.audible.com/computerphile
JavaScript is dangerous! Why? How are websites vulnerable to it? Find out about bug-bounties from Tom Scott.
More from Tom Scott: / enyay and / tomscott
This video was filmed and edited by Sean Riley.
Computerphile is a sister project to Brady Haran's Numberphile. See the full list of Brady's video projects at: bit.ly/bradychannels
Comments: 905
now, should we keep that end graphic? :)
That's Javascript! I'm gonna run that!!! -Quote of the year.
"That's JavaScript code! I'm gonna run that!" Gotta love the childlike enthusiasm of this personification of web browsers.
There's a comment in a Javascript project I worked on that says: [bunch of checks for user input] //You know, if the users could just be more considerate //I wouldn't have to do any of this.
*-html styling does not work in youtube comments. believe me-*
why in the world are you doing this in a hotel lobby?
The guy who found the Facebook vulnerability was actually rudely rejected by Facebook and got his well deserved money as donations!
I love Tom Scott's enthusiasm for this stuff!
In a very dark place that wouldn't let us use a light! - it's the Renaissance Hotel at St Pancras, London >Sean
*Apparently HTML Works in KZread Comments, judging by the large amount of bold comments* Can I put bootstrap into my comments to make them look pretty?
"Which is not entiiiirely legal under the computer misuse act, but no one pressed charges" I didn't know he was such a rebel XD
I love these videos because they explain how people have broken into webpages to re-write them, steal info, etc. You always hear how vulnerable stuff can be but never the specifics about how people get in. Great videos as usual, Brady!
The ending doesn't have a dash because you are supposed to binge the next 20 computerphile videos after it...
Another cool thing for input dropdowns, is changing the value of one of the <option>s in the <select>, and then submitting. Especially if the output does something with the value of the dropdown, for example with an age input where the output has control over the date format, it completely screws up. Example: I change my birthday to "Cake Pie 1000BC". That will, on a lot of sites with profiles that use this dropdown system for birthdays, completely break the thing when it's trying to convert the month number for example to the month name, since there is no "Pie"th month in the year. It's quite harmless, unless the site actually displays the thing you entered in the input directly on the page, in which case you might indeed be able to insert a script tag. PS: I've managed to cause my profile to completely break by doing this on a site once, after which it just gave me back an error 500. Great fun. I decided to change it back afterwards though. (keep in mind that if your birthday is loaded onto your settings page too, you might also get an error on the settings page, and you won't be able to change it back)
I love this guy's enthusiasm when explaining. Makes it more interesting.
Client side filtering is a good idea because it can make it easier on the legitimate user. E.g. tell them the phone number is invalid before they hit submit, saving them time. But client side prefiltering does not add any additional security. All inputs must be fully validated at the server. There is no guarantee that an attacker will be using a polite client that follows your prefiltering rules. An attacker can download the page and remove the rules.
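Added example (not part of the comments or the video): a server-side check for the birthday dropdown case discussed above, so that a tampered value such as "Cake Pie 1000BC" is rejected before anything tries to format or display it. The field names `day`, `month`, `year` and the accepted year range are assumptions.

```javascript
// Added example: validate a birthday submitted from <select> dropdowns on the server.
// The client may send anything, so every field is re-checked here.
function validateBirthday(fields, now = new Date()) {
  const errors = [];
  const parsed = {};
  for (const name of ["day", "month", "year"]) {
    const raw = fields[name];
    // Only plain decimal digits pass: "Cake", "1000BC", "1e3", " 7" and
    // non-string values (e.g. a repeated parameter parsed as an array) fail.
    if (typeof raw !== "string" || !/^[0-9]{1,4}$/.test(raw)) {
      errors.push(`${name}: not a whole number`);
    } else {
      parsed[name] = Number(raw);
    }
  }
  if (errors.length) return { ok: false, errors };

  const { day, month, year } = parsed;
  if (year < 1900 || year > now.getUTCFullYear()) errors.push("year: out of range");
  if (month < 1 || month > 12) errors.push("month: out of range");
  if (errors.length) return { ok: false, errors };

  // Round-trip through Date to reject days the month does not have (e.g. 31 Feb).
  const d = new Date(Date.UTC(year, month - 1, day));
  const sameDate = d.getUTCFullYear() === year &&
    d.getUTCMonth() === month - 1 && d.getUTCDate() === day;
  if (!sameDate) errors.push("day: no such date");
  else if (d.getTime() > now.getTime()) errors.push("date: in the future");

  // Store the canonical value, never the raw submitted strings.
  return errors.length
    ? { ok: false, errors }
    : { ok: true, value: d.toISOString().slice(0, 10) };
}
```

Returning a canonical `YYYY-MM-DD` string means later code formats a known-good date instead of echoing what the client sent.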
*bold* _slant_ -strike- *_-Magic-_*
This video just helped me notice an XSS vulnerability on one of my sites. Thank you. :|
This man has a lot of energy and enthusiasm for this topic.
I didn't understand a single word of what that guy just said but he's super engaging and the 8 minutes flew by.
Great video. I wish I had been taught at school by someone speaking passionately about their subjects like he does!
Tom Scott is really good at explaining things and I LOVE the concepts he explains. More from Mr. Scott? :3
Tom explains this in 8 mins better than my Network security professor in an entire lecture
He's so funny yet so informative. More of this guy!
Tom Scott is definitely my new favorite, especially considering all of Brady's other channels have slowed down. Tom is making a very good showing. Keep it up.
So Wikipedia describes him as a comedian to which I agree, but... Does he have a Masters in computer science or a title alike? He's got an amazing skill to explain complex stuff!
Definitely the most ecstatic video you've done, really entertaining, whilst also quite educational.
I like the dark lighting. Makes it feel more laid back and down to earth :D
XSS is even more dangerous when coupled with Cross-site Request Forgery (CSRF). A video on CSRF would probably be a nice follow-up to this.
2:35 I've never seen a JavaScript code that looks like "i+i=2", it looks more like an equation :D
Absolutely! I adore how he speaks so strongly about these things, his rhetorical skills are very well-developed and he's a joy to listen to.
I like the darkness, it adds to the atmosphere, and (at least I can) still see everything just fine...
I would just like to thank whoever's idea it was to do the Audible promotion because audio books are expensive and getting a free one was a really nice gesture.
wut wut
I liked the little touch of you guys putting the / in the closing tag at the end of the show.
This is amazing! That guy should have more videos!
So if I typed *and closed it with* , youtube will make it bold?
The passion and enthusiasm is great! More please :)
Make more of these type of videos! They are very interesting and incredibly informative.
The white balancing in this video confuses me.
The content of this video is true, however, none of it is about cross-site scripting.
I'm a BS Physics student(first year) I really want to learn more about Cyber Security, I want to shift but I would waste my scholarship so yeah I'm watching your videos...Thank you!
Excellent video! I learned a lot and the enthusiasm of the speaker made it even more exciting!
Between the SQL holes video and this one, I sure am glad that Tom Scott is on our side.
I love this guy. He really seems to love what he's doing.
You have ruined my internet searching for life. Not every time I see a user input box i need to put in code xD
Watching this in 2022 and this still feels so relevant.
Amazing explanations Tom. Thank you very much dude.
"never trust user input" This should have been this video's conclusion! =)
"That is Javascript code I'm gonna run that!" love it!
Please, talk this guy into having his own channel, or make more videos with him, he is awesome!
This guy is so enthusiastic. Love it!
Ah yes, Bobby Tables. Definitely one of the more amusing tech jokes I've come across, still gets a good chuckle from me every time I read it. :)
It's funny how many people are actually trying to do XSS on KZread just because they saw a video explaining about it xD
I really enjoy your videos! Well done!
Another great explanation fulfilled by highly understandable and educated content!
Omegle had that same problem for a bit when they introduced Spy Mode. They weren't sanitizing their question inputs, so for a while I would go around sticking JS in there that froze the computers of whoever got stuck with my question XD They fixed it in a few days, though.
That is JavaScript! I'm gonna RUN that!
Wow, I was literally about to send a request for a video on this, I have to do an assignment on this for college, Thank you!
That end graphic is really clever and I like it.
Where did you even get dot matrix printer paper?
"Cross site scripting is the number one vulnerability on the web today" me watching in 2023: hmmmm, sounds legit...
It's worth mentioning (and possibly a future video topic) that even if your website's forms are supposedly "secure" anybody can make a form on their own site that submits to yours. No matter what make sure ALL input processed by your website is properly escaped.
The best and simplest explanation ever in XSS :)
Great video! More please :) Also, love his impression of a web browser at 5:33 :)
This reminds me of Bobby Tables.
4:03 "Because myspace hadn't quite filtered javascript properly". Brilliant!
Very interesting, Tom Scott explains really well.
Tom “You should know this” Scott
*_GUYS IT WORKS!_*
@jasonneu81
9 years ago
Nope.
@midsummerstation3345
9 years ago
***** *i think so*
Now that I come to think of it, the closing tag </computerphile> at the end of each video makes total sense. Just never thought of it, I guess it wasn't important enough to notice.
Depends on the case: You can use bold if you want the text to be just bold, you can use the strong tag if you want it to be bold and also be a "hint" for search engines like google to take that "strong" as something important to include on their web-crawler.
"Someone *at Netscape* comes along and invents JavaScript!"
test
you guys deserve more views/subscribers :) thank you
This was very good! He should be in more videos like this!
5:33 My favourite moment in this entire video.
Test *Test* Test
@011azr
9 years ago
011azr -Test- *_Test_* _Test_ Um, okay *:O*
Yeah, I phrased it badly, I meant to say that validation/filtering server side is 100% essential for any input. Client side validation is more of a latency thing for the client, since the person won't need to wait for it to come back invalid (saves server load as well).
i love this guy, he is so enthusiastic about computers :)
Just trying to see if the bold tag works here
Dot Matrix paper for notes!?! Someone's got funding!
this guy's my favorite in computerphile
So how on earth could you use javascript to make a webpage send users info to your pc if it only affects you?
Computerphile can just have a self-closing one:
bold text: *test*
One example would be WebKit only partially making use of the "min-" & "max-height" and "-width" properties. If you want more examples check the Wiki page "Comparison of layout engines (CSS)"
this guy and the graphics guys are the best
Googled Rick Astley, rick rolled again :/
The camera sways so much, I thought it was a ferry. :D
finally! the closing tag!! Thanks.
Great video! More of this dude!
alert("hi");
don't understand how this could be dangerous. For example anyone can click inspect element and type some text into their web browser and change a COPY of the page they're looking at no one else will ever use that copy you have changed. In this same manner, how would me writing a script inside of my copy of a webpage affect someone else's copy?
@lolbajset
8 years ago
+Curran Hyde If i understood the video correctly it is when someone else visits your webpage that the script gets executed. If I make a website and add a script in the middle of its html, it will run when you or anyone else loads the page, thus enabling attacks. Again, that's at least how I understood it, could be wrong
@MrAntiKnowledge
8 years ago
+Curran Hyde It only becomes a problem for sites which allow users to post something which gets displayed to other users. Like this comment here (only that youtube is smart enough to filter out code). If you don't have a filter active that say... replaces "<script>" with "&lt;script&gt;"* then whatever the user writes in between <script> and </script> will be run as code in the Browser of another user who happens to get that text either because it was sent to his account, or cause he visited the page where it was posted. *("&lt;script&gt;" would be displayed as <script> to the user, but the browser understands that it shouldn't be run as code)
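Added example (not part of the comments or the video): the output escaping described in the reply above, applied when a stored comment is written into another user's page. The comment structure `{author, body}` and the function names are assumptions; `displayedText` only models how a browser turns the entities back into visible characters.

```javascript
// Added example: escape user-supplied text at output time so the browser
// treats it as text to display, not as markup to parse or script to run.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// One pass over the string, so an "&" produced by escaping is never
// escaped a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderer: every user-controlled value is escaped, both in
// element content and inside the quoted attribute.
function renderComment(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">` +
    `<p>${escapeHtml(comment.body)}</p></div>`;
}

// Model of what the reader sees: the browser decodes the entities for
// display only, after it has already decided the content is plain text.
function displayedText(escaped) {
  const decode = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
  return escaped.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => decode[name]);
}

// Constructed sample: a comment body containing a script element.
const sample = { author: 'Tom "T" Scott', body: '<script>alert("hi");</script>' };
const html = renderComment(sample);
console.log(html);                              // markup sent to other users
console.log(displayedText(escapeHtml(sample.body))); // text they see on screen
```

The stored comment is left untouched; escaping happens each time it is written into HTML, which is why text that already contains `&lt;` is still shown exactly as typed.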
These are everywhere. I was recently reading a book about the programming language Go, and found a XSS vulnerability in a simple statistics program used as an example.
How would you address the company? Would you tell them upfront, or mention something needs to be fixed?
5:58 not TECHNICALLY ENTIRELY LEGAL
Does it
I love this guy. He's so enthusiastic!
My god...Tom Scott is GOAT