10x Education

Cross Site Scripting (XSS)


Don't hack unethically pls

Things I will teach you today can actually cause people harm. Don't use it maliciously.

TLDR: Don’t be a jerk

Whoami

  • Jesse Merhi (Like that herb myrrh + “he”)
  • Product Security Engineer @ Atlassian
    • Probably the biggest Australian founded tech company.
    • Has a cool building being built on top of Central station.
    • Now has an F1 team?
  • Been working for over 2 years now
  • Also teach at UNSW and have a few bits and bobs you can feel free to ask me about :)

In saying that - we tutor!

  • One of my (and George's) favourite pastimes is teaching and inspiring students!
  • [email protected]
  • Some good deals to be had ;)
  • Will provide HSC level Software Eng help + Career Coaching too!

Onto XSS

What we need to know

  1. Basic Programming (Bonus points if it is Javascript)
  2. HTML
  3. Your debit card numbers

Demo Time

https://github.com/jesse-merhi/xss-sqli-demo

Secure commenting site

  • You can securely comment
  • You can even HTML things which is nice
  • How does this work? Go to the repo to find out :)

Javascript Console

  • Javascript is super similar to Python
  • The console lets you run individual LINES of Javascript.
  • VERY similar languages:
# In Python we do
print("Hello World");
// In Javascript we do
console.log("Hello World");
  • Javascript is designed to interact with a browser!
  • Some cool things you can do:
// Send the current tab to a different page
document.location = "https://www.google.com";
// Opens the browser's print dialog (this is window.print(), not Python's print)
print("JESSE");
// Turn the background of every element on the page red
document.querySelectorAll("*").forEach((element) => {
  element.style.backgroundColor = "red";
});

What is the <script> tag?

We can make Javascript run on someone else's computer!

Cross Site Scripting (XSS)

Running Javascript on someone else's computer is called XSS.

  • Stored XSS: Javascript that is stored (usually in a database) and is executed!

  • Reflected XSS: Javascript that is stored somewhere on your personal browser/link (not on the server) and is executed when that page is opened

  • Stored XSS is really bad because it is persistent

  • Reflected is not as bad because it requires the user to do something (clicking a link perhaps).

Sessions

What is a session?

https://www.google.com/

Stealing Sessions

document.cookie;
// Attacker can steal all of my cookies and login as me!
<script>send_to_attacker(document.cookie)</script>

But don't worry!

Nowadays full account takeover is really hard - I will leave you guys to read into why that's the case…

  • HttpOnly (cookie flag)
  • Secure (cookie flag)
  • Filtering
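To tie the commenting-site demo and this slide together, here is an added example (my own, not code from the talk or from the xss-sqli-demo repo): the comment rendering shown vulnerable and then fixed by escaping, plus a Set-Cookie value with the two flags above. The cookie name "session" and the send_to_attacker() name are assumptions; it runs under Node.js with no dependencies.

```javascript
// Constructed sample comment, the same shape as the cookie-stealing payload
// on the "Stealing Sessions" slide. send_to_attacker() is a hypothetical name.
const EVIL_COMMENT = '<script>send_to_attacker(document.cookie)</script>';

// Vulnerable: the comment is dropped straight into the HTML, so any <script>
// it contains becomes part of the page and runs in every visitor's browser
// (stored XSS, because the comment lives in the database).
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// The fix behind "Filtering": encode the five characters that mean something
// in HTML, so the browser displays the text instead of interpreting it.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Cookie flags from the slide: HttpOnly stops document.cookie from handing the
// session id to script, Secure keeps it off plain HTTP. SameSite=Lax is an
// extra I added on top of the two flags named in the talk. Cookie name assumed.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Quick check used by the demo below: does the rendered HTML still contain a
// real <script> tag?
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', renderCommentUnsafe(EVIL_COMMENT));
console.log('safe:  ', renderCommentSafe(EVIL_COMMENT));
console.log('Set-Cookie:', sessionCookieHeader('abc 123'));
```

Paste the unsafe output into a page and the script runs; paste the safe output and the visitor just sees the text of the comment.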

Bonus: Bug Bounties