OWASP Top 10 Part 7: Cross-Site Scripting (XSS)

Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
>> OWASP Top 10, number 7, Cross-Site Scripting. We're going to talk about the risks of cross-site scripting, the impact of cross-site scripting, the techniques to address cross-site scripting and web applications.

What is cross-site scripting? In short, cross-site scripting is when a malicious actor takes advantage of the trust that a user has in a particular website. The attacker compromises some aspect of the website that enables them to inject malicious code so that when the user visits the website and puts in their credentials, their credentials or the session token or the cookie that's being used to authenticate them to the website is sent to the hacker. That individual is then able to leverage those things to get unauthorized access to the website.

There are three different main types of cross-site scripting: reflected, stored, and DOM. Each of them relates to a different aspect of the underlying piece of a compromise.

With reflected cross-site scripting, the attacker is really able to use unvalidated or unescaped user input and change the HTML output. This really allows the attacker to execute arbitrary HTML in the victim's browser.

Stored cross-site scripting, this is when an application or API stores unsanitized user input that could be viewed later by the user or an administrator, but this can also be viewed by the hacker itself.

How do you prevent cross-site scripting? Well, there are different frameworks that will automatically escape cross-site scripting or that will just not trust HTTP requests for data, and this can prevent the credentials from being sent to the threat actor when the compromise is put. Basically, websites need to be tested significantly to prevent cross-site scripting vulnerabilities.

Cross-site scripting can dramatically undermine the trust that users have in a company or the website. They can be particularly damaging to the brand of the organization.

Quiz question: which type of cross-site scripting attack allows an attacker to execute arbitrary HTML in the victim's browser? Is that reflected, stored, or DOM? If you said reflected, you're correct.

In summary, we talked about what cross-site scripting attacks are. They are malicious attacks that change something about a website to forge a user's credentials. They take advantage of a user's trust in a website and its security. The attacker is able to steal the user's credentials and use them to log in to the website and falsely impersonate that individual. It really can be addressed through various means of testing the website against cross-site scripting vulnerabilities.

I'll see you in the next lesson.