# 10x Education

## Cross Site Scripting (XSS)

## jmerhi.mov

---

## Don't hack unethically pls

Things I will teach you today can actually cause people harm. Don't use it maliciously.

_TLDR: Don't be a jerk_

---

## Whoami

- Jesse Merhi (like the herb myrrh + "he")
- Product Security Engineer @ Atlassian
  - Probably the biggest Australian-founded tech company.
  - Has a cool building being built on top of Central station.
  - Now has an F1 team?
- Been working for over 2 years now
- Also teach at UNSW and have a few bits and bobs you can feel free to ask me about :)

--

## In saying that

- We tutor!
- One of my (and George's) favourite pastimes is teaching and inspiring students!
- enquiries@10xeducation.com.au
- Some good deals to be had ;)
- Will provide HSC-level Software Engineering help + career coaching too!

---

# Onto XSS

--

### What we need to know

1. Basic programming (bonus points if it is JavaScript)
2. HTML
3. ~~Your debit card numbers~~

--

Demo time: [https://github.com/jesse-merhi/xss-sqli-demo](https://github.com/jesse-merhi/xss-sqli-demo)

--

### Secure commenting site

- You can securely comment
- You can even HTML things, which is nice
- How does this work? Go to the repo to find out :)

---

### JavaScript Console

---

- JavaScript is super similar to Python
- The console lets you run individual LINES of JavaScript.
- VERY similar languages

```python
# In Python we do
print("Hello World")
```

```javascript
// In JavaScript we do
console.log("Hello World");
```

--

- JavaScript is designed to interact with a browser!
- Some cool things you can do:

```javascript
// Send the current tab to another page
document.location = "https://www.google.com";
// Opens the browser's print dialog (the argument is ignored)
print("JESSE");
// Turn the background of every element on the page red
document.querySelectorAll("*").forEach((element) => {
  element.style.backgroundColor = "red";
});
```

---

What is the `<script>` tag?

--

We can make JavaScript run on someone else's computer!

---

### Cross Site Scripting (XSS)

---

Running JavaScript on someone else's computer is called XSS.

- Stored XSS: JavaScript that is stored (usually in a database) and is executed for everyone who loads the page!
- Reflected XSS: JavaScript that is carried in a link or request rather than stored on the server, and is executed when that page is opened.

--

- Stored XSS is really bad because it is **persistent**
- Reflected is not as bad because it requires the user to do something (clicking a link, perhaps).

---

### Sessions

What is a session? [https://www.google.com/](https://www.google.com/)

---

### Stealing Sessions

```javascript
document.cookie;
```

```javascript
// Attacker can steal all of my cookies and login as me!
<script>send_to_attacker(document.cookie)</script>
```

---

### But don't worry!

Nowadays full account takeover is really hard. I will leave you guys to read into why that's the case...

- HTTP ONLY
- SECURE
- Filtering

---

### Bonus: Bug Bounties

- https://bugcrowd.com/engagements/atlassian
- https://hackerone.com/riot?type=team
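To tie the "Stealing Sessions" slide to the "But don't worry!" slide, here is an added example (not code from the talk or from the xss-sqli-demo repo) of a comment renderer for a commenting site like the demo's: the unsafe version that stores and replays raw HTML, the escaped version, and a session cookie built with the HttpOnly and Secure flags the slides list. The comment text and the `SameSite=Lax` attribute are assumptions added here; it runs under Node.

```javascript
// Constructed sample comments: one harmless, one carrying the payload from the slides.
const SAMPLE_COMMENTS = [
  "Great <b>post</b>!",
  "<script>send_to_attacker(document.cookie)</script>",
];

// VULNERABLE: the stored comment is dropped straight into the page markup, so a
// <script> saved in the database runs in every visitor's browser (stored XSS).
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Escape the five characters that let text break out of an HTML text node or
// attribute. After this, "<script>" is displayed as text instead of executed.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// FIXED: escape before inserting. This also neutralises the harmless <b>, so a
// site that wants to keep "you can even HTML things" needs an allowlisting
// sanitizer (e.g. DOMPurify) instead of raw insertion.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Session cookie with the flags from the slides: HttpOnly stops document.cookie
// from reading it (the payload above gets nothing), Secure keeps it off plain
// HTTP. SameSite=Lax is an extra assumption added in this example.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Crude check used only for the demo: is there still a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const lines = [];
  for (const c of SAMPLE_COMMENTS) {
    const unsafe = renderCommentUnsafe(c);
    const safe = renderCommentSafe(c);
    lines.push(`unsafe: ${unsafe}  [script tag: ${containsScriptTag(unsafe)}]`);
    lines.push(`safe:   ${safe}  [script tag: ${containsScriptTag(safe)}]`);
  }
  lines.push(sessionCookieHeader("abc 123"));
  return lines;
}

console.log(demo().join("\n"));
```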