How To Prevent The Most Common Cross Site Scripting Attack
Cross-site scripting is one of the most common ways an attacker will attempt to compromise a website. There are many forms of cross-site scripting, but the most common cause is using the JavaScript property innerHTML with user input. Any user input must be escaped before it is used with innerHTML, and every use of innerHTML should be reviewed to ensure no user input can reach it without being sanitized. It is an easy mistake to make, but luckily the fix is just as easy.
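The contrast the video draws, as an added example (not the video's own CodePen code): the same greeting rendered the way `innerHTML` concatenation does it and with an HTML-body escape applied first. The `escapeHtml`, `renderGreeting*` and `injectsElement` names and the sample payload are constructed for this illustration; the escape is only correct for the HTML body/quoted-attribute context, not for `<script>` blocks, URLs or unquoted attributes.

```javascript
// Added example (not from the video or its CodePen): the same "Hello, <name>"
// greeting rendered two ways. innerHTML treats user input as markup; this shows
// which characters an HTML-body escape must neutralise and why the img/onerror
// payload discussed in the comments is inert after escaping. Runs in Node or a
// browser; the DOM sink is shown at the bottom as a comment (Node has no document).

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape for the HTML body / quoted-attribute-value context only. Escaping must
// match the context the value lands in; this is not sufficient inside <script>,
// inside a URL, or as an unquoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Equivalent of `el.innerHTML = 'Hello, ' + name`: the input is parsed as markup.
function renderGreetingUnsafe(name) {
  return `<p class="greeting">Hello, ${name}</p>`;
}

// Hardened version: the input can only ever be text inside the <p>.
function renderGreetingSafe(name) {
  return `<p class="greeting">Hello, ${escapeHtml(name)}</p>`;
}

// Crude check for the demonstration only: does the rendered markup contain an
// <img> element that did not come from the template?
function injectsElement(html) {
  return /<img\b/i.test(html);
}

// Constructed sample input of the kind the video demonstrates. A <script> string
// inserted via innerHTML is not executed, but an <img> whose src fails to load
// fires its onerror handler immediately (see the author's answer in the comments).
const PAYLOAD = '<img src=x onerror="alert(1)">';

console.log(renderGreetingUnsafe(PAYLOAD)); // the tag reaches the HTML parser
console.log(renderGreetingSafe(PAYLOAD));   // displayed as literal text

// In a browser the safe equivalent without manual escaping is a text sink:
//   greetingEl.textContent = 'Hello, ' + name;   // never parsed as HTML
```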
Cross Site Scripting Article:
blog.webdevsim...
CodePen For This Video:
codepen.io/Web...
Twitter:
/ devsimplified
GitHub:
github.com/Web...
CodePen:
codepen.io/Web...
#XSS #WebDevelopment #Programming
Comments: 179
Great stuff. Hello from The Odin Project!
@pendelschabe
1 year ago
Hey
@NadidLinchestein
5 months ago
How's it going? Have you finished
@bashehu
1 month ago
Hii from DOM Manipulations and Events
@albertt755
14 days ago
@@bashehu me too bro :D
Explanation for people in a hurry. Clear, objective, and exemplified. You've got another subscriber.
@WebDevSimplified
4 years ago
Thank you!
The Odin Project brought me here!
@husseinomran1021
1 year ago
me too!
@mikayla3386
1 month ago
Same!
@fredymarb
1 month ago
@@mikayla3386 good luck in your journey
This is genuinely terrifying...thank you for covering this topic and informing those of us who don't have that in depth knowledge about such security topics..
If you want to use innerHTML, then just encode it before putting it inside innerHTML. To encode, just replace '' by '>'. So when it goes in the innerHTML, the browser changes them back to ''.
I really like how this guy makes tutorial videos for teaching (short and simple) and not for view by putting un-necessarily long 10 minute videos. You are doing great work. Thank you!
Clear and concise explanation of how this can be dangerous. I've been looking around for a while now because I couldn't understand the risk associated, but you did a great job explaining it, thanks!
I've seen a bunch of people talk about xss before but you've got a real knack for explaining it simply. Would be great to see more security videos from you!
I don't know what's more amazing... that website.. or that hair...
@areshera4039
2 years ago
@@SkillUpMobileGaming never gonna let you down
@hdsz7738
2 years ago
hair, definitely
@AssFaceNFT
2 years ago
Hello from the other side 🌹🙏🕊
@htx80nerd
5 months ago
Both
Bro even your older content is fire!
Thank you, the first 3 minutes perfectly summarized all my questions
Simple and clear explanation! Thank you!
@WebDevSimplified
5 years ago
You're welcome!
All those who dislike and hate this video are definitely hackers...thanks for the explanation Kyle
hi there, coming from the odin project
Good explanation. But if one does not put queries in the URL then stuff like this doesn't matter, so one could still safely use innerHTML. Generally the client is never safe, because all client code is accessible through dev tools in the browser. So strong backend protection and safe routing is all it takes to prevent stuff like this.
Odin project keeps sending me to this golden channel.
Thanks @Kyle for simplifying this. You always come up with new interesting topics 💖
@paristar3079
4 years ago
Your dirty tricks won't work here.
@want-diversecontent3887
4 years ago
Pari Star javascript:Function(“a”+”lert(1)”)()
@slickwilly691
3 years ago
fuck you my computer is hacked now
@deansprivatearchive
3 years ago
Better yet, the alert doesn't even fire as the quotes inside aren't escaped.
@harefeedzieharefidziee4315
3 years ago
@RajeshKumar Chokkalingam chill, obviously he is just joking.
I prefer to get my coding advice from models. Thank you.
Really simple explanation but it was so clear :) Well done
Awesome tutorial! I'd love to see an intro to JavaScript series as well!
@WebDevSimplified
5 years ago
Thanks. That is something I want to tackle for sure, but I need to plan out exactly how beginner friendly I want to make the videos. I could go as beginner friendly as never programmed before or just explain JavaScript itself and not programming.
@B3ASTM0DE1
5 years ago
@@WebDevSimplified Yeah that is a tough one to figure out. You never know where people are at in the journey of web development. Personally, I think it would be nice to cover the basic aspects of programming like you mentioned and then dive into Javascript. If they don't want to watch that part they can always skip ahead!
@WebDevSimplified
5 years ago
@@B3ASTM0DE1 that is kind of my thought as well. I have so many different series ideas and so little time it is tough to choose one to start on.
@Speaks4itself
5 years ago
Web Dev Simplified Will be waiting
@yadneshkhode3091
4 years ago
@@WebDevSimplified Can you make videos based on Kyle Simpson's book You Don't Know JS, or other JavaScript books? A person can find the basics anywhere on KZread, but you won't find industry-level JavaScript anywhere, so can you please cover that? You could even make a paid course if you like; many people would purchase it if it's on the level of Kyle Simpson's book (a lot of people hate reading books, like me, and it's more time consuming).
really well explained my friend, subbed
@WebDevSimplified
5 years ago
Thanks! I really appreciate it.
FANTASTIC. Your teaching skills are crazy good.
This is a great explanation, thank you! Do you have any other videos that talk about securing a website and web server?
“>alert(“Channel Hacked!!!”)
@sreeharisanjeev8271
4 years ago
Your dirty tricks don't work here
@anarkix6956
4 years ago
eval(StringtoCharCode());
Thanks so much for doing contents that help people like this one. God bless you
Your video are really awesome, you make web really simplified 🎉
thanks Kyle. This is vital information. I've subbed !
Discord had to patch this thing just a week ago, I mean cmon how has nobody considered it?
Problem is that innerText is not a safe method either; textContent is a better idea.
Great tutorial as always :D
@WebDevSimplified
5 years ago
Thanks! I really appreciate it.
Legend, subscribed!
@WebDevSimplified
5 years ago
Thanks!
Great explanation man! You earned a sub!
learned is much here, I think I have to my 7th javascript beginner tutorial
This was very eye-opening... like wow...
Thanks!
@WebDevSimplified
1 year ago
You're welcome!
Umm why didn't you show us how to fix the problem right at the end?? Kinda weird that you stopped on the most important part lol
@DogmaFight
2 years ago
Yes, was expecting a quick example of how to sanitize the input
Nice tutorial... The short of it sent me here.
wow. thx for this useful and concise video. now I understand Cross Site Scripting
Hi, So you escape on client side or server side?
@WebDevSimplified
5 years ago
The escaping needs to be done on the server side, since it is always possible a user can change something on the client side before it gets sent to the server, so when you send it back you need to escape it.
@ravendfj
5 years ago
@@WebDevSimplified Thanks for the answer!!
@yashojha5033
3 years ago
Or you can do the escaping when you are actually rendering it in the DOM, if the server-side change is a lot of work. The dompurify npm package does exactly that.
"you may think, what can they do with this?" Have you ever had the infinite error box???
Woah, never knew IMG tags can be dangerous too. So on-error events, or any event in the dynamic HTML, and script tags should be removed. Got it.
Thank you for such a helpful video!
So how would one sanitize the input? Would you just replace all less than and greater than signs with < > ?
Superb..couldn't be explained better.
@WebDevSimplified
5 years ago
Thanks!
Hi, I don't fully understand how a person can have access to the cookie data if I open the link on my end, wouldn't the script just be run on my end and only be seen by me? Thanks
@Victor_Marius
3 years ago
It can send your data from your end to an api/server of theirs (to the malicious end). Afterwards they can use those cookies to log into your account.
My PC just got hacked where I accidentally put a script in my URL and some guy almost got my PC, but I emailed my local police and they got him.
Thank you! On a side note, what is that font that you are using?
Great video! Thank you!
@WebDevSimplified
4 years ago
You're welcome!
Thank you. I am about to finish my web site and I am thinking now I will have to do the same amount of work only for the security. It's a dangerous world...
@WebDevSimplified
5 years ago
Security is really hard, but luckily once you know what to look for it is pretty easy to avoid those traps.
@web dev simplified I see other videos and they start with script tags, why do you say it's not supported? I think CORS isn't the way to stop the XSS issue of sharing cookie information with another server, right? If so, how can we allow/block third-party server calls from the client side, and who decides it?
Great video. Thanks!
@WebDevSimplified
5 years ago
You're welcome!
thank you, very helpful
Hello from TOP!
We can stop this by just using a regex expression that does not allow tag-related items, though.
Love this video. I am curious if these filters can be seen from a website if one was to open the developer tools to search these .innerHTML or .innerText elements.
@amyp.575
4 years ago
Look in the inspect tab then the console tab and look
function safeify(string) { let el = document.createElement('p'); el.innerText = string; return el.innerHTML; }
very nice explanation bro
@WebDevSimplified
4 years ago
Thank you
I added JavaScript text to my own website. However, it does not give any alert. My web app treats it like plain text instead of JavaScript. What should I do to make my code vulnerable to XSS? Because I need to perform XSS for my cybersecurity class.
Sir, I request you to build a simple website discussing all security issues.
Thank you!
Very cool great video dude
@WebDevSimplified
5 years ago
Thanks!
You are a life saver.
Thank you 🙏🏻
I don't get it? You can insert into HTML easily and get the same information too? Just click inspect in Chrome and put that in.
@bryceblazegamingyt9741
1 year ago
You can't send other people your inspected website.
Do you have a course on Javascript?
@WebDevSimplified
5 months ago
Yep. javascriptsimplified.com
I tried to test with your HTML CSS JS code in Codepen, nothing works.
So what about link sharing ? If I want my website to be able to support web url/link sharing what can I do ? If I use innerHTML then it won't understand a website url as links. Any idea ?
Why don't you use a pattern to avoid XSS attacks?
very great video
I tried this with my site and the alert is not working. I have not sanitized it at all and I'm not sure why it is not displaying.
Hello friend! How are you? I'm Brazilian, a script is running on my sales site. Do you know if there's a way I can block it?
very interesting!
hi again dudee
Why would other websites data be available for this website? This seems like a browser defect, it shouldn't hand cookies and data of other websites
What if I'm not using innerHTML in a form, but rather am using it to output data from a PHP script?
I'd like to learn more about escaping
bro you are awesome..
Bro, recently I was just using a normal stranger chat page in Google and a person did this, like showing big running characters and all... and he told me he is doing HTML injection... what should I do???? Could he have harmed me???? Say bro... suddenly my replies also changed in that site. I then disconnected and stopped... help me bro... how do I check that I'm secure?
Awesome !
What if I use the POST method using jQuery for this work?
That spot on your camera man. I kept swiping my screen for 5 mins😭
2:00 magic!
Thanks bro
Hi, can you tell me how to prevent xss in perl ?
You can see cookies in console if you type alert(document.cookie);
That Website is Very Very Vulnerable to SQL injection And Cross Site Script
Amazing!
@WebDevSimplified
5 years ago
Thanks!
Looking for JS decorators
Nice like animation.
Hey guys, can anyone help with a JavaScript site just like this one so I can practice?
Not correct information. You'll need to sanitize the text on the server. You can't trust the client. Anyone can open the developer tools and change `innerText` to `innerHTML`.
@shaheerDev
1 year ago
But then that's the user's fault, not the site's.
@bryceblazegamingyt9741
1 year ago
While you can change inner text to innerHTML, you can't change it for other people you send the links to.
subscribed
Cross site scripting:normal poo HTML searching:ugly poo javascript injection:rich poo
Pikaboo, baby Kyle! 😄
Can you please explain the difference between using only the alert tag versus the img tag? Why did the alert tag not inject it while the img tag did? I don't understand the difference between the two scripts that you used.
@WebDevSimplified
4 years ago
When you inject a script tag it will not run, since the browser already ran all the script tags for the page. The img tag will run the onerror script though, since it will immediately throw an error when it is loaded.
@jackr6727
4 years ago
@@WebDevSimplified Sorry, still didn't get it... since the browser already ran all the script tags?
@WebDevSimplified
4 years ago
@@jackr6727 That is correct. It already parsed and ran all the script tags and will not run the newly imported script tag.
@jackr6727
4 years ago
@@WebDevSimplified It already parsed and ran all the script tags? How is it already parsed? I am talking about the general difference between the 2 scripts, not related to your video or the website that you used for the demo.
@WebDevSimplified
4 years ago
@@jackr6727 What do you mean?
that is amazing
Any examples of a good sanitize/escape function I can run for showing (e.g.) a user his details on his profile page, as they are all user input?
@WebDevSimplified
5 years ago
Just make sure you don't use innerHTML with any of the data and you will be fine. You can easily test this to make sure it works, by entering valid HTML and submitting that to see if it is injected or not.
@MisterOptimous
5 years ago
@@WebDevSimplified I've actually always thought XSS is a thing I should be careful with when programming backend, and also I use jQuery so I guess the equivalent would be $().text and $().html
@MisterOptimous
5 years ago
Thanks for clearing it up though, I shall be more careful writing my frontend js code now.
@MisterOptimous
5 years ago
@@WebDevSimplified also what about when I use something like eJs, and then write his or her username like or when you use php short tags, that would be vulnerable, would it not? It's something I just thought of.. I am confusion 🤔😀
@WebDevSimplified
5 years ago
@@MisterOptimous It would be vulnerable if your backend language isn't sanitizing the data before rendering. It depends on your language. An easy way to test would be to just try it and see what your language does. Most should sanitize it.
But didn't you just fetch your own cookie from your own browser? How could you do it for other users?
@NickyDekker89
3 years ago
In this example, you could create a malicious link to this website and have other users click it, fetch their cookie and send it off to you so you can use it to access their account.