Cross-Site Scripting (XSS): The 2021 Guide

What you'll learn

  • See, in action, the dangers of XSS
  • Learn what XSS is and how it works
  • Learn the 3 main types of XSS: Reflected, Stored, and DOM-based
  • Perform XSS attacks by hand and with automated tools
  • Attack applications legally & safely to practice what you're learning
  • Compare vulnerable and safe code side-by-side to learn best practices
  • Learn effective defense controls to protect your applications
  • Learn from recent real-world case studies of XSS vulnerabilities at Facebook, Gmail, Twitter, Tesla, Airbnb, and TikTok


  • Experience with JavaScript
  • Experience working with web applications
  • A desire to learn!


About the course:

Welcome to this course on Cross-Site Scripting (XSS)! In this course, we explore one of the biggest risks facing web applications today.

I've spent months creating and collecting the best resources on XSS to put them in this course so that you can learn XSS in a fun, efficient, and practical manner.

We start out by explaining the concepts of XSS and its 3 main types: Reflected, Stored, and DOM-based. Then, we break down recent real-world case studies of XSS vulnerabilities from Facebook, Gmail, Twitter, Tesla, Airbnb, and TikTok. After that, we create safe and legal lab environments to perform all 3 types of attacks with both manual and automated approaches. We then set up, configure, and use a powerful browser exploitation framework called BeEF to deliver payloads that hook unsuspecting browsers and let you send commands to those browsers remotely.

From there, you can launch a number of different attacks from BeEF with command modules (ie: scan internal networks, deface websites, compromise routers, etc...).

This is an important step because it demonstrates just how powerful a single, simple XSS payload can be, and why it's critical that you defend your apps from this serious threat.

After that, we apply everything we've learned and pentest the OWASP Juice Shop starting with information gathering before exploiting all 3 types of XSS to complete challenges of varying difficulty.

Finally, we wrap up the course by discussing the most (and least) effective defensive controls including rules, cheat sheets, and recommended code review techniques to properly defend your applications from this dangerous threat.

If you're looking for a hands-on way of learning Cross-Site Scripting, this is your course!


Please note: Performing these attacks on environments you do not have explicit permissions for is illegal and will get you in trouble. That is not the purpose of this course. The purpose is to teach you how to secure your own applications by providing a safe learning environment.


Topics we will cover together:

  • What Cross-Site Scripting (XSS) is and how it works
  • The 3 main types of XSS: Reflected, Persistent, and DOM-based
  • Recent real-world case studies of XSS vulnerabilities in Facebook, Gmail, Twitter, Tesla, Airbnb, and TikTok
  • How to set up a lab environment with Kali Linux Virtual Machine for free
  • How to easily configure and create safe & legal lab environments using containers inside of Kali
  • How to get started with OWASP ZAP (a free alternative to Burp Suite)
  • XSS techniques with cheatsheets and references
  • How to use manually-crafted payloads to evade security filters
  • How to use automated tools to find successful XSS payloads (including ZAP, XSStrike, XSSer)
  • How to remotely control browsers with BeEF
  • How to gather information about your target in order to find potential vulnerabilities
  • How to perform XSS injections by hand with crafted requests using a proxy tool (ZAP)
  • How to use results from successful injections to exploit targets (ie: change a user's password with a single URL via CSRF)
  • Effective (and ineffective) defenses against XSS
  • Side-by-side comparison of vulnerable and secure code
  • Cheatsheets to protect your applications
  • Rules to follow in order to prevent XSS vulnerabilities for all 3 types of attacks
  • How to review code for XSS vulnerabilities


Who this course is for:

  • Web Developers
  • Pentesters
  • Software Developers
  • Application Security Engineers
  • IT Managers
  • Risk Analysts
  • Security Analysts
  • IT Students

  Source Link:

Download Link:

Post a Comment

Whatsapp Button works on Mobile Device only

Start typing and press Enter to search