XSS: training and resources

in #hacks7 years ago

What is XSS?

For those of you that don't know, XSS stands for cross-site scripting, and is a method where an attacker will manipulate code on a website so that their own script can take advantage of an existing system's framework. XSS is a pervasive threat on the internet, and something that can have devastating consequences to sites that aren't prepared.

According to OWASP, through XSS, "attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc."

Safety first!

So ... do you own a website? Maybe you code one for a friend?

Want to make sure it's safe, but haven't been keeping up with netsec news?

Don't have the money to higher a pen tester to give your code a go?

Well, you could keep your head in the sand and try to ignore the way that the world works, or you could start teaching yourself about vulnerabilities so that you can avoid coding them.


1652.png
Source: XKCDSW

Training yourself to tackle vulnerabilities isn't illegal, but the means you use to train yourself can be. Trying to break into someone's site to see what works and what doesn't is a big no fly zone. In most places, though, so long as you aren't trying to mess with someone else's property (that includes your host), you won't find yourself in trouble (be familiar with the laws that apply to you).

This begs the question: where can you find a place to train yourself in some vulnerabilities without getting in trouble, so that you can start figuring out how to avoid putting them in your code?

Here. That's where. At least, if you're looking to learn about XSS.

XSS Payloads is a website dedicated to all sorts of goodies relating to cybersecurity, centering around JS vulnerabilities but including "much, much more" (to quote their website) in the hot topic field of cybersecurity. They have an active Twitter, and a website rife with resources, including historical documents relating to script manipulation, as well as updated tutorials that you can use to train yourself to be a good little coder.

Their website is smart - it not only shows you how to protect against XSS, but explains a lot about XSS history and methods. If you follow all of their resources, you'll learn a lot about this topic of cybersecurity.

Just be prepared to read a lot of stuff that some outside of this field may call "boring" or "long-winded".

There are lots of other resources online to train yourself legally - I'll be covering them further in future articles.

Fun fact

Many people confuse XSS with injection. Do you?


exploits_of_a_mom.png
Source: XKCD

Have you seen or heard any examples of XSS in the past? Let us know down in the comments.

Sort:  

Good article @aman.sri, upvoted and followed you.

I post about security, coding and photography if you want to take a look:
https://steemit.com/security/@gaottantacinque/javascript-pills-3-download-a-file-programmatically-website-affected-by-xss-vuln

Thanks :D