Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
XSS
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Mike Klemarewski
April 05, 2016
Programming
74
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
XSS
A quick overview of cross site scripting
Mike Klemarewski
April 05, 2016
More Decks by Mike Klemarewski
See All by Mike Klemarewski
Redux Containers Demystified
mikeklemarewski
1
68
HTTPS
mikeklemarewski
1
65
Injection
mikeklemarewski
1
71
Handy Shell Commands
mikeklemarewski
2
75
Other Decks in Programming
See All in Programming
並列実装の現場、2ヶ月間実務でAIを使い倒したAIもPCも私も限界が近い
ming_ayami
0
120
TypeScript+Orvalで実現する型安全かつ堅牢でスケーラブルなマルチチャネル通知基盤 / TSKaigi Night talks ~after conference~
d0riven
0
320
Make SRE Operations Easier with Azure SRE Agent
kkamegawa
0
5.3k
軽量Java基盤の設計 DIコンテナに頼らない、長期保守と1秒起動の実現 JJUG CCC 2026 Spring
macha64
0
490
Observability in Practice:Grafana 與 Edge Device SRE 的那些事
blueswen
0
160
Claspは野良GASの夢をみるか
takter00
0
180
その問い、本当に正しいですか?AI時代のエンジニアに必要な哲学と認知科学 / ai-philosophy-cognitive-science
minodriven
6
4k
A2UI という光を覗いてみる
satohjohn
1
130
Copilot CLI の継戦能力を高める コンテキスト管理
nozomutu
1
1.2k
AI時代のUIはどこへ行く?その2!
yusukebe
21
7k
Semantic Version 単位で戦略を柔軟に変えて、パッケージアップデートを自動化する
daitasu
0
220
AIチームを指揮するOSS「TAKT」活用術 / How to Use “TAKT,” an OSS Tool for Orchestrating AI Teams
nrslib
6
880
Featured
See All Featured
Exploring anti-patterns in Rails
aemeredith
3
400
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
techseoconnect
PRO
0
160
Accessibility Awareness
sabderemane
1
140
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
201
75k
Raft: Consensus for Rubyists
vanstee
141
7.5k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
2k
Building Better People: How to give real-time feedback that sticks.
wjessup
370
20k
jQuery: Nuts, Bolts and Bling
dougneiner
66
8.5k
Rails Girls Zürich Keynote
gr2m
96
14k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Producing Creativity
orderedlist
PRO
348
40k
Technical Leadership for Architectural Decision Making
baasie
3
400
Transcript
XSS (Cross Site Scripting)
What is it? • Text based attack • Exploits the
browser's interpreter, allowing the attacker to run code on the target site
What can be done using XSS? • hijack user sessions
• insert content • redirect users • hijack the user’s browser using malware
Who can do these attacks? • Anyone that can send
data to the system • Anyone that can craft a url and put it in front of other people
Types of XSS
Stored • User input is stored on the server and
rendered to any user that visits the page • Eg. User reviews, comments, profiles
Reflected • User input is returned by the web application
and rendered without being sanitized • Eg. Search results
DOM Based XSS • The response doesn't contain the exploit
payload • Some client side code reads the malicious data from the URL or DOM and executes it
Demo! Great resource from Google
Example attacks • Samy MySpace Worm • Spread through 1
million users in 20 hours • StrongWebmail CEO email hacked • XSS Worm Examples
Prevention • Properly escape untrusted data • Input validation can
help, but isn't a full solution • Use sanitization libraries
FIN
mikeklemarewski
ming_ayami
d0riven
kkamegawa
macha64
blueswen
takter00
minodriven
satohjohn
nozomutu
yusukebe
daitasu
nrslib
aemeredith
techseoconnect
sabderemane
soudai
vanstee
aleyda
wjessup
dougneiner
gr2m
samlambert
orderedlist
baasie
