Man this is cool. Having this timeline view on how web security evolved really helps you understand them a lot better. It's like seeing bugs being "created" from scratch. This series is really awesome, I hope you continue it until we get to like modern day lol.
bro i gotta say, i've been watching you since i was 13 years old. now i'm 19. first video i've watched for you at 13 was the buffer overflow one, your content is truly fantastic. keep it up 🌹
Hey, I've been following you for several years now and want to thank you for your content. I work in network security myself and always find it fascinating how simply and engagingly you explain things that can actually be quite complicated. Keep it up!
That's quite the piece of archival work; I was paying attention as a very inexperienced web dev at the time but didn't get into the security stuff until 2002 - and a computer systems course - at CMU, of all places. (Given that's where CERT is, I figured I'd mention.) It is also astonishing to see that people got the "it is an output problem" from the beginning - as a developer who was security conscious I picked up resources that did not emphasize that or even got it wrong. Pioneers have it hard! When I give XSS workshops now (as a security trainer) I now emphasize the output problem nature, but I had to hear it from "newish" resources! Also as for the name itself, lots of things are named "wrongly" - named with a theoretical background that is in fact false. For example, organic chemistry is named because it was thought it was the chemistry of organisms, where that was somehow fundamentally different from that of non-living things. When Wöhler artificially synthesized urea, it was a "doh!" moment for that reason. Similarly in chemistry, we have "carbohydrates" which are named as if they are hydrates of carbon, when that's not literally true; they are just in that proportion.
I am pretty sure this video won't get as many likes as your vids usually do. Mostly, because not many people care about the factual and historical events that led to what we have now in the web. Great watch and thanks for all the research done and 6:09 :D
I wasn't really aware of these things as early as pre 2000, but I do remember the glorious years that followed. It was an open secret that you could inject HTML and JS in the first and last name fields on MySpace. Most people used it for some animations or other fun stuff. I figured out that you could steal people's passwords this way as well. Yes, this was indeed a time when it wasn't just considered acceptable to store passwords in plaintext in a database, but also to fill out the password field on the settings page so anyone who visited that page (or happened to download it with the then new XMLHttpRequest) could read the password.
Sir, your work is awesome. This is a very good method for learning so many things like mathematics, physics and computer science. You're doing it in a very good way.
I am starting to like this series of learning about vulnerabilities/exploits by learning their history and at the same time we are learning about cybersecurity concepts and their how's and why's.
I would love it if you could do more explanatory whiteboard drawings while you are talking about stuff. I feel like I really liked it when you did more of that.
Impressive how he makes it rich and interesting even for viewers who knew why it was called xss beforehand. Very well researched, keep it up with the great videos! August 1998, can I say I share the same birth month with XSS?
More of a practical question and maybe you already have a video on this :) but would you consider doing a video on sniffing out XSS scoping? When it comes to enumerating potential XSS vectors such as finding different cases where sanitizing methods differ and explaining how to overcome them when the scope of the vector differs for different DOM XSS cases?
Hello, love the content! I've been working on making a program in Go that uses Masscan to find your Minecraft server... I just wanted to make sure it's still up.
I remember the chaos when someone figured out you can inject js into YouTube comments. Fun times, but those who participated later faced the ban hammer.
I'm old enough to remember the time when every knowledgeable user just screamed at people who emailed them in HTML. Because the HTML emails looked like crap in all likelihood, made the emails far bigger than necessary, were usually redundant (the email apps also included a plain text version anyway) and probably had unexplored security issues. Yes. People dared to suggest that.
I would like to see the history of Firesheep en.wikipedia.org/wiki/Firesheep, I think it kept working until the Edward Snowden leaks. Maybe even the history of HSTS and how it made some phishing attacks obsolete.
Yeah I've always thought the name to be confusing too. But right, to understand the name it's important to understand the context of XSS being used in conjunction with cross origin, xsrf attacks. But yeah XSS doesn't have to be cross origin. The best XSS is same origin, persistent, embedded JavaScript. Get your JavaScript stored in their DB. Lot of bad web devs out there, still happens all the time.
OMG I'm so old. 😄 Very well researched, well done, and thx for the compliments!
The best 14 minutes of my day
Haven't watched you in a long time, after fully watching this video.. that outro song was the hardest nostalgia to ever hit.
I think you should make another video about the term "Shellcode" and about how we don't have any good alternative way to refer to the concept of it.
6:08 subtitles contain what you originally said, "java applet" instead of what you voiced over (as a correction?)
Love the intro music snippet... where is it sampled from?
Thank you very much, sir. Your channel is literally gold. I mean WHOLE channel.
I really like how you come up with such interesting ideas.
Simply brilliant video! Thank you!
@liveoverflow do you do bug bounties??
Great informational video thanks
Ik there was some MySpace worm that used an XSS issue...
I was 10 when all this was going on. When I was 14 I started to do CTFs where XSS was a topic. Now I'm 32.
I love to learn more about the history of xss, it's a vulnerability I find the most
Like ✌️
absolute unit of ep. love it
This series is awesome, thanks!
just WOW, man, what a research!!!!!!
Maybe a journey about DOM Clobbering? (But this time not a series but one video) and more not so popular (but common) web vulns
Are you still keeping your minecraft server always online?
nt
I can't help but think that Cervenka is actually really spelled Červenka (with the caron over the C), and pronounced Chervenka.
great video!
It's funny we hold stock in Wikipedia, but our professors refuse to consider wiki searches as content for an assignment.
I love your content
Thanks a lot 😁
YOYOYO......this will be awesomeee!!!!
Hackers, take notes, very informative!
Hello Hans, thank you very much!
How to know phone number of facebook user
Funny, I always thought it was a MIM attack but was much simpler.
You always pronounce the X in XSS in German.
I had an interview once with a guy who claims to have coined the term XSS. He was...... Interesting.
thank you so much, and i study English hard
I think I finally understand what xss is.
All this happened yesterday
Ooh coding history. Neat.
thanks
Thanks ;)
Seems like they should be called attackments.
I still tend to call xss html injections
Push!
this doesn't look like more minecraft videos bro wtf
alert("Hello there!");
Anyone from Pakistan who can hack the Facebook account
georgy was the real deal back then, did not like MS, broke MS browser
Macromedia Shockwave!!!!!
Microsoft is so incompetent they did not even name it properly
Xss never works in real life
first
Fourth
FIRST FIRST FIRST 😁
firstn't