XSS

I run a workshop titled Hack Yourself First [https://www.troyhunt.com/workshops/] in which people usually responsible for building web apps get to try their hand at breaking them. As it turns out, breaking websites is a heap of fun (with the obvious caveats) and people really get into the exercises. The first one that starts to push people into territory that's usually unfamiliar to builders is the module on XSS. In that module, we cover reflected XSS which relies on the premise of untrusted dat...

One of the things I really enjoy about doing live events is the entirely random, unexpected things that can occur without any warning. In fact, I’m increasingly structuring my talks to present these opportunities, but this one was entirely unexpected: > When someone whacks XSS in the live question feed whilst you're answering security questions on a panel... pic.twitter.com/paLp7ECXHF [https://t.co/paLp7ECXHF] — Troy Hunt (@troyhunt) January 22, 2016 [https://twitter.com/troyhunt/status/69056...

This is really not what you ever want to see on your own site: It’s a JavaScript prompt and no, it’s not meant to be there. Someone had successfully mounted an XSS attack against this very website! Now I’ve written a lot about XSS, I’ve authored multiple Pluralsight courses that talk about it in detail and I’ve run many workshops on the topic teaching others the very mechanics of how cross site scripting works. Yet here we are – XSS on my own blog. Fortunately, this was discovered by frien...

Cross site scripting (henceforth referred to as XSS) is one of those attacks that’s both extremely prevalent (remember, it’s number 2 on the OWASP Top 10 [https://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-2.html]) and frequently misunderstood. You’ll very often see some attempt at mitigating the risk but then find it’s easily circumvented because the developers weren’t fully aware of the attack vectors. Last week someone flicked me over a great example of this after having r...

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] In the first post of this series [https://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html] I talked about injection and of most relevance for .NET developers, SQL injection. This exploit has some pretty severe consequences but fortunately many of the common practices employed wh...