Cross-Site Scripting (XSS): The 2021 Guide

Description: In this course, you will develop the skills you need to successfully perform and combat Cross-Site Scripting (XSS) attacks. XSS is one of the top 10 most dangerous and common web application attacks according to both OWASP and CWE. I've spent months creating and collecting the best resources on XSS to put them in this course so that you can learn Cross-Site Scripting in a fun, efficient, and practical manner.

In order to truly understand how XSS works and how to defend against it, you have to learn hands-on by executing attacks against vulnerable applications and then looking at secure versions of the same code, and that's exactly what you'll do in this course. We start out by explaining the concepts of XSS and its 3 main types: Reflected, Stored (Persistent), and DOM-based. Then, we take a look at case studies of recent real-world XSS vulnerabilities in Facebook, Gmail, Twitter, Tesla, Airbnb, and TikTok. After that, we spin up a lab environment to perform all 3 types of attacks with both manual and automated approaches. We then set up, configure, and use a powerful browser exploitation framework called BeEF to deliver a payload that hooks unsuspecting browsers. From there, you can launch a number of different attacks using BeEF command modules (i.e., scanning internal networks, defacing websites, compromising routers, and more). Next, we apply everything we've learned to pentest the OWASP Juice Shop, starting with information gathering and then exploiting all 3 types of XSS. Finally, we wrap up the course by discussing the most (and least) effective defensive controls, including rules, cheat sheets, and recommended code review techniques to properly defend your applications from this dangerous threat.

If you're looking for a hands-on way to learn Cross-Site Scripting, this is your course!

Duration: 4 hours 30 minutes

Difficulty: Beginner to Intermediate

Recommended prerequisites:

  • Experience working with web applications
  • Experience working with JavaScript

Topics Covered:

  • Learn what Cross-Site Scripting (XSS) is and how it works
  • Learn the 3 main types of XSS attacks
  • Study recent real-world case studies of XSS vulnerabilities in Facebook, Gmail, Twitter, Tesla, Airbnb, and TikTok
  • Learn hands-on by performing attacks against lab environments
  • Learn to use OWASP ZAP as your proxy (Burp can also be used instead)
  • Learn about filter and defense evasion by looking at various case studies and crafting payloads
  • Learn how to use the powerful browser exploitation framework called BeEF to hook browsers and launch commands remotely
  • Learn defense controls and rules to defend against the 3 main types of XSS

Christophe · November 20, 2020