Cracking Websites with Cross Site Scripting - Computerphile
1,520,209
Published 2013-10-23
JavaScript is dangerous! Why? How are websites vulnerable to it? Find out about bug-bounties from Tom Scott.
More from Tom Scott: youtube.com/user/enyay and twitter.com/tomscott
www.facebook.com/computerphile
twitter.com/computer_phile
This video was filmed and edited by Sean Riley.
Computerphile is a sister project to Brady Haran's Numberphile. See the full list of Brady's video projects at: bit.ly/bradychannels
All Comments (21)
-
That's JavaScript! I'm gonna run that!!! - Quote of the year.
-
now, should we keep that end graphic? :)
-
"That's JavaScript code! I'm gonna run that!"
Gotta love the childlike enthusiasm of this personification of web browsers.
-
There's a comment in a JavaScript project I worked on that says:
[bunch of checks for user input]
//You know, if the users could just be more considerate
//I wouldn't have to do any of this.
-
why in the world are you doing this in a hotel lobby?
-
HTML styling does not work in YouTube comments. Believe me.
-
The guy who found the Facebook vulnerability was actually rudely rejected by Facebook and got his well deserved money as donations!
-
I love Tom Scott's enthusiasm for this stuff!
-
The ending <computerphile> doesn't have a dash because you are supposed to binge the next 20 computerphile videos after it...
-
"Which is not entiiiirely legal under the computer misuse act, but no one pressed charges"
I didn't know he was such a rebel XD
-
In a very dark place that wouldn't let us use a light! - It's the Renaissance Hotel at St Pancras, London >Sean
-
Apparently HTML Works in YouTube Comments, judging by the large amount of bold comments
Can I put Bootstrap into my comments to make them look pretty?
-
I love these videos because they explain how people have broken into webpages to re-write them, steal info, etc. You always hear how vulnerable stuff can be but never the specifics about how people get in.
Great videos as usual, Brady!
-
Another cool thing for input dropdowns is changing the value of one of the <option>s in the <select> and then submitting. Especially if the output does something with the value of the dropdown, for example with an age input where the output has control over the date format, it completely screws up. Example:
I change my birthday to "Cake Pie 1000BC". That will, on a lot of sites with profiles that use this dropdown system for birthdays, completely break the thing when it's trying to convert the month number, for example, to the month name, since there is no "Pie"th month in the year. It's quite harmless, unless the site actually displays the thing you entered in the input directly on the page, in which case you might indeed be able to insert a script tag.
PS: I've managed to cause my profile to completely break by doing this on a site once, after which it just gave me back an error 500. Great fun. I decided to change it back afterwards though. (Keep in mind that if your birthday is loaded onto your settings page too, you might also get an error on the settings page, and you won't be able to change it back.)
-
Client side filtering is a good idea because it can make it easier on the legitimate user. E.g. tell them the phone number is invalid before they hit submit, saving them time.
But client side prefiltering does not add any additional security. All inputs must be fully validated at the server. There is no guarantee that an attacker will be using a polite client that follows your prefiltering rules. An attacker can download the page and remove the rules.
-
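An added worked example, not from the video and not from either of the two commenters above, that ties their points together: it shows what the server actually receives once someone edits the <option value>s of a birthday dropdown, how a handler that trusts those values ends up with the error 500 the first commenter saw (or, for a free-text field echoed back into the page, with a stored XSS), and the server-side whitelist check plus HTML escaping that fixes both, which is the "validate at the server" rule from the second comment. The field names, the month list, the request bodies and the `serve` stand-in for a web framework's request handler are all constructed for this example.

```javascript
// Added example: server-side handling of a birthday form whose <select>
// values have been tampered with. Not code from the video or from any
// commenter; field names, month list and request bodies are constructed.
const MONTH_NAMES = ['January', 'February', 'March', 'April', 'May', 'June',
  'July', 'August', 'September', 'October', 'November', 'December'];

// What the browser sends for an untouched form...
const HONEST_BODY = 'name=Tom&birth_day=14&birth_month=7&birth_year=1990';
// ...what it sends after the <option value>s were edited in the element
// inspector (the "Cake Pie 1000BC" birthday from the comment above)...
const TAMPERED_BODY = 'name=Tom&birth_day=Cake&birth_month=Pie&birth_year=1000BC';
// ...and a payload in a free-text field that is later rendered on the profile page.
const XSS_BODY = 'name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&birth_day=14&birth_month=7&birth_year=1990';

// Naive handler: assumes the dropdown can only ever send 1..12 and that the
// name is harmless text.
function renderProfileNaive(body) {
  const p = new URLSearchParams(body);
  // Number('Pie') is NaN, MONTH_NAMES[NaN] is undefined, and undefined.slice()
  // throws a TypeError; behind a real framework that is the commenter's error 500.
  const abbr = MONTH_NAMES[Number(p.get('birth_month')) - 1].slice(0, 3);
  // The name is concatenated into HTML as-is, so a <script> stored here runs
  // in the browser of everyone who views the profile (stored XSS).
  return { status: 200, html: `<p>${p.get('name')}: born ${p.get('birth_day')} ${abbr} ${p.get('birth_year')}</p>` };
}

// Hardened handler: re-validate every field on the server against the same
// rules the <select> was built from, then escape anything echoed into HTML.
function toInt(s) {
  return /^\d{1,4}$/.test(s ?? '') ? Number(s) : NaN;   // digits only: no 'Pie', '1000BC', '0x10', ''
}

function parseBirthday(p) {
  const day = toInt(p.get('birth_day'));
  const month = toInt(p.get('birth_month'));
  const year = toInt(p.get('birth_year'));
  if (![day, month, year].every(Number.isInteger)) return null;
  if (month < 1 || month > 12) return null;
  if (year < 1900 || year > new Date().getUTCFullYear()) return null;
  // Round-trip through Date to reject 31 February and friends; JS would
  // otherwise silently roll the date over into March instead of failing.
  const d = new Date(Date.UTC(year, month - 1, day));
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) return null;
  return { day, month, year };
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

function renderProfileSafe(body) {
  const p = new URLSearchParams(body);
  const bd = parseBirthday(p);
  if (bd === null) return { status: 400, html: '<p>Invalid birthday</p>' };
  const name = (p.get('name') ?? '').slice(0, 50);   // free text: bound its length, then escape on output
  const abbr = MONTH_NAMES[bd.month - 1].slice(0, 3);
  return { status: 200, html: `<p>${escapeHtml(name)}: born ${bd.day} ${abbr} ${bd.year}</p>` };
}

// Stand-in for the web framework: an uncaught exception in a handler becomes
// a 500 response.
function serve(handler, body) {
  try {
    return handler(body);
  } catch (e) {
    return { status: 500, html: '<p>Internal Server Error</p>', error: e.constructor.name };
  }
}

for (const [label, body] of [['honest', HONEST_BODY], ['tampered', TAMPERED_BODY], ['xss', XSS_BODY]]) {
  console.log(label, 'naive:', serve(renderProfileNaive, body));
  console.log(label, 'safe: ', serve(renderProfileSafe, body));
}
```

The two fixes are deliberately separate: structured fields (day, month, year) are checked against a whitelist derived from the server's own month list, so a tampered option value gets a 400 instead of a crash, while the free-text field is never validated into "safe HTML" but escaped at the point where it is written into the page. Any client-side check on the form is only a convenience for honest users; nothing here depends on it.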
I love this guys enthusiasm when explaining. Makes it more interesting.
-
bold
slantstrikeMagic
-
This man has a lot of energy and enthusiasm for this topic.
-
Tom explains this in 8 mins better than my Network security professor in an entire lecture
-
I didn't understand a single word of what that guy just said but he's super engaging and the 8 minutes flew by.