Cross-Site Scripting (XSS): The 2021 Guide
Description: In this course, you will develop the skills you need to successfully perform and combat Cross-Site Scripting (XSS) attacks. XSS is one of the top 10 most dangerous and common web application attacks according to both OWASP and CWE. I've spent months creating and collecting the best resources on XSS to put them in this course so that you can learn Cross-Site Scripting in a fun, efficient, and practical manner.
In order to truly understand how XSS works and how to defend against it, you have to learn hands-on by executing attacks against vulnerable applications and then looking at secure versions of the same code, and that's exactly what you'll do in this course. We start out by explaining the concepts of XSS and its 3 main types: Reflected, Stored (Persistent), and DOM-based. Then, we take a look at case studies of recent real-world XSS vulnerabilities in Facebook, Gmail, Twitter, Tesla, Airbnb, and TikTok. After that, we spin up a lab environment to perform all 3 types of attacks with both manual and automated approaches. We then set up, configure, and use a powerful browser exploitation framework called BeEF to deliver a payload that hooks unsuspecting browsers. From there, you can launch a number of different attacks using BeEF command modules (i.e., scanning internal networks, defacing websites, compromising routers, and more). Next, we apply everything we've learned to pentest the OWASP Juice Shop, starting with information gathering and then exploiting all 3 types of XSS. Finally, we wrap up the course by discussing the most (and least) effective defensive controls, including rules, cheat sheets, and recommended code review techniques to properly defend your applications from this dangerous threat.
If you're looking for a hands-on way to learn Cross-Site Scripting, this is your course!
Duration: 5h00
Difficulty: Beginner to Intermediate
Recommended prerequisites:
- Experience working with web applications
- Experience working with JavaScript
Topics Covered:
- Learn what Cross-Site Scripting (XSS) is and how it works
- Learn the 3 main types of XSS attacks
- Study recent real-world case studies of XSS vulnerabilities in Facebook, Gmail, Twitter, Tesla, Airbnb, and TikTok
- Learn hands-on by performing attacks against lab environments
- Learn to use OWASP ZAP as your proxy (Burp can also be used instead)
- Learn about filter and defense evasion by looking at various case studies and crafting payloads
- Learn how to use the powerful browser exploitation framework called BeEF to hook browsers and launch commands remotely
- Learn defense controls and rules to defend against the 3 main types of XSS
Testimonials:
"This course is great and I would recommend it to anyone trying to learn about web-pentesting or trying to pursue bug bounty as this course gives you a good basis on XSS with a lot of hands-on work." - Bludger
About Instructor
Christophe
