Cross-Site Scripting (XSS) Explained in 7 minutes

Please, consider clicking Subscribe if you haven't already :)! Thank you!

You were able to explain this topic as if someone has never scene it, yet leaving them with a solid understanding of a high-level view.

Very useful. I had a horrible explanation on XSS and left me confused. This really clarifies it better. Thank you.

This is awesome content! Studying for PenTest+ to get an idea if i want to pursue pentesting. Your channel is an excellent resource.

very informative!

great explanaiton!!!

Very useful

Yeah, I have found my new mentor after a long searching, sql concepts are just waaaaaaahhhhh

Woow...sky is open 😂😂😂...I mean for myself...finally understand.
Thank you 💞
My brain appreciate😊

Thanks for this amazing explanation! 🎉Merry Christmas 2022

Nice explanation with the illustrations. It also beautifully showed the differences between the different types. Still wondering some things:
It is called cross-site scripting. I always wondered what's exactly cross-site about it, i.e., what is denoted as the different sites where the code is to cross in between. From your explanation, it sounds like two different frontend pages, i.e., you see some HTML page, click a link or submit a form and thus the browser requests another HTML page, which will execute the code you brought over. But in modern day we may also have a single page application, so we don't get a completely new HTML page from the backend, only some data and the frontend can re-form using the logic it already has. You could of course still inject some script there depending on the logic in the frontend, though it's a bit of a question when a site is crossed there.
Another idea is that you could call different machines or processes sites, i.e., the frontend being a site and the backend server being a site, but DOM-based XSS would not fit in this frame.
When you submit a form normally, you get another HTML page. Of course, it would not make sense as an attack to inject something in the javascript of that new HTML page while targeting yourself. You can control your own browser and issue own javascript. So I wonder how reflected XSS targets the browser of another user. The thing that comes to mind is when the backend has a reactive pattern and sends data to other users with for example websockets but then they would usually not get whole new HTML pages from that. Another idea would be to send the target users the URL with the malicious payload.The HTTP GET method uses query parameters. For POST method, the payload would need to be in a header or entity, which would be more difficult to trick other users into to issue, since this isn't entailed in a URL.
Similarly with DOM-based XSS, to target another user, you would need to send them a URL with the malicious payload via different means, tricking them to open it.
And I guess there could be mixed forms of XSS, where a stored XSS places some links with malicious URLs on the HTML page of victim users and clicking them can trigger additional stuff as any type of XSS.

Why is this channel so underrated and low subscriber count? This is well written and the explanation and illustrations are toptier -_-
Thank you for this Christophe! (Hope that is your name)
😄

I use webhook to steal session cookies of my own website. However the session part is empty. Why may be the reason, does anyone have the same issue?

Done

Please upload a full xss course

I added javascript text to my own website. However, IT does not give any alert. My web app treat it like a plain text instead of JavaScript. What should i do to make my code vulnerable to XSS? cause i need to perform XSS for my cybersecurity class

Needs better explanation. Didnt get how this could affect anyone but the attacker. How does the server store the script?

Hacked

too much info, not understandable, not direct

alert("hachnjimkd");