Cracking Websites with Cross Site Scripting – Computerphile


Cross site scripting is the number one vulnerability on the web today. If you are writing any kind of web software, and you don’t know about this, you should know this! And if you are the kind of person who likes to play about with websites, and break them, in a definitely legal manner, you should know this. To explain it, we have to go back to the early days of the internet. We have to go back to Tim Berners-Lee sitting at CERN, making up how the web will work. The web is based on something called HTML, HyperText Markup Language. Most people who are watching this, I think, will know how this works, but just very quickly, it means that you have tags. An HTML document starts with angle brackets like this, and closes with angle brackets like this. Anything between angle brackets is read as an instruction. So if I wanna put some text in bold, I put a <b> tag and a close </b> tag, and I put some text in the middle, and that becomes bold. This is why, and I know you’ve been getting comments about this, the ending graphic on Computerphile should have a little slash like this one here, to make it over. Otherwise you’re kind of saying that you’re starting a new one. And, no doubt, all sorts of pedantic people have been emailing you about that. Those angle brackets, wherever they are in the document, mean “an instruction is coming here.” So, what do you do if you want to put an angle bracket, which is basically a less-than sign, into your document? Well, you do something called escaping. Instead of sending the angle bracket, you send an ampersand, and then “lt” for less than, and then a semicolon. And that means, when the user actually reads it, it will become an angle bracket. Great. Wonderful. And that works fine. It means in the old days of the world wide web, you could send a request, and the document would come back, and the angle brackets would not mess everything up. Then we move on a bit, and we start coming back with more interactive things.
Someone comes along and invents JavaScript. And JavaScript is a programming language that sits in the middle of web pages. You start with a tag in the middle of your document. So you’ve already got your HTML here and here. You start with a <script> tag down here. Nothing in this section will actually appear on the user’s screen. What you have here is a completely separate programming language. You can declare variables. You can do calculations. That’s vaguely sensible. You can create an entire language there, and that language can affect the document. So you can take the output from that, and you can put it into the rest of the text. So if you have, for example, an email client. Gmail uses this. Gmail uses incredible amounts of this. Because when you type in things, it sends it to the server. You don’t have to send “save” like in the early days of the web. And then it would take a second to go there and a second to come back. It just quietly does it all in the background. It’s really really powerful. It’s the way that everything big, everything interactive, works on the web now. You can design entire games in JavaScript. And all it’s doing is creating a web page, and then just moving bits about. The trouble is that JavaScript is dangerous. It can do anything to the web page. And rightly so – that’s how Gmail works. But imagine if you could get whatever JavaScript you wanted to do anything with, say, the login page of an online bank. You could tell it that, instead of just taking the username and password and sending them to the bank’s servers, first, it should send them to someone else. And when they’ve got them, and the user won’t know that’s happened, then it should log people into the bank. Or you could, say, instead of sending the words people are actually typing to the web, ignore them. Just send Rick Astley instead.
This is how MySpace worms spread, because you would type in the code, and it would appear, because MySpace hadn’t quite filtered JavaScript properly, and that’s the cross site scripting bug I’ll get to in a minute. You could write anything you wanted in there, and every time someone looked at that MySpace page, the code would run! And it would say, hey, go do stuff with their profile instead. And it would. JavaScript is dangerous because it lets you do anything on a web page. So, how do you get it in there? Let’s go to, say, Google. Here’s Google, here’s a search bar. Whatever I type in that search bar, “test”, will probably appear on the next page here: “test”. And it’ll also appear here a couple of times, and here. Whatever I type in here, appears on this web page. That’s fine. What happens if, instead, I type in an italic tag? Well, what won’t happen is that Google will send the whole page in italics. Because what they have done is they have converted it into this less-than. Which is great. Let’s imagine that instead of typing “test”, or instead of typing that, instead I type in

100 comments

  1. <computerphile> should be <computerphile/> for a single-tag element, not </computerphile> as most people will suggest, because the latter is the closing tag for a double-tag element.

  2. JavaScript is a client-side language.. How can you possibly use it to steal a password from a server-side language, for instance PHP??? I'm confused.

  3. "That's JavaScript code! I'm gonna run that!"

    Gotta love the childlike enthusiasm of this personification of web browsers.

  4. To sum up the long debate which took place in my last comment:
    either use <strong></strong> or better, don't use bold text.
    Thank you.

  5. So Wikipedia describes him as a comedian to which I agree, but… Does he have a Masters in computer science or a title alike? He's got an amazing skill to explain complex stuff!

  6. Great description of unauthorized Javascript execution but I didn't quite get what was the "cross site" part of this.

  7. I've tossed around the idea of creating my own language, and one of the ideas I had was that, when doing input, rather than getting Strings, you'd get, say, Untrusted<String>. And it would warn you wherever you just naively grab the String out of it without processing it properly.
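As an added example that is not from the video, Computerphile or the commenter: the reflected search page the transcript describes, with the angle-bracket escaping it explains, alongside a typed "Untrusted" wrapper in the spirit of the comment above. All function and type names here are made up for the illustration.

```typescript
// Added example (not from the video or Computerphile). Names are invented.

// Characters HTML reads as instructions: "<" becomes "&lt;" exactly as the video
// describes; the others are escaped so the value cannot close a tag or attribute.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Comment 7's idea: input arrives as Untrusted<string>, never as a bare string,
// so a template cannot take it until it has been through sanitize().
type Untrusted<T> = { readonly __untrusted: true; readonly raw: T };
type SafeHtml = { readonly __safe: true; readonly html: string };

function untrusted(raw: string): Untrusted<string> {
  return { __untrusted: true, raw };
}

// The only route from Untrusted<string> to something a template will accept.
function sanitize(u: Untrusted<string>): SafeHtml {
  return { __safe: true, html: escapeHtml(u.raw) };
}

// "Before": the search term is reflected raw, as the video describes for a site
// that has not filtered its input, so any tag typed into the box stays live.
function renderSearchVulnerable(query: string): string {
  return `<h1>Results for ${query}</h1>`;
}

// "After": the template only accepts SafeHtml; passing a raw string is a type error.
function renderSearchSafe(query: SafeHtml): string {
  return `<h1>Results for ${query.html}</h1>`;
}

// Defender's check: did a tag from the input survive into the rendered page?
function reflectsMarkup(page: string, input: string): boolean {
  const tag = input.match(/<[a-zA-Z\/][^>]*>/);
  return tag !== null && page.includes(tag[0]);
}

// Constructed sample: the italic tag the video types into the search box.
const sample = "<i>test</i>";
console.log(renderSearchVulnerable(sample));                   // tag is live
console.log(renderSearchSafe(sanitize(untrusted(sample))));   // tag is escaped
```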

  8. Obv, instead of making a closing tag at the end of each video, you should have just put, like, 2000 closing brackets cascading at the end of the video if the channel ever officially shuts down.

  9. It's almost like script and content shouldn't be mixed in the same document… but then we'd have to reconsider 30 years of WWW standards.

  10. When Tom says he types into the Google search bar some code, what kind of code is he talking about? For example, could someone show me what form this code takes in the comments?

  11. How can a script posted via a text field by one user affect another user? Doesn't the script run only for the user who posted it, in his browser? How does it magically infect and get out?

  12. How do all of these guys have dot matrix printer paper on this channel? LOL. I haven't seen it since the 90s! Well actually I've seen it in 3-4 videos here on Computerphile now, but other than that, the 90s!

  13. 12 grand for finding an XSS vulnerability in the biggest social media platform that currently exists.. Sweet.. I think you could get more if you sold it on some forum.

  14. But how can you influence the web page of others by just modifying the script on the page you were sent? You can modify whatever you want, but when another person sends a request to the site, it will send them back the original page, without any of the modifications you applied. Am I wrong?

  15. If instead of using a sheet of paper and your "scribbles" you did a demonstration, directly on the internet, to prove that this is true, perhaps it would have some credibility. Here in Brazil we usually say that "paper accepts everything".

  16. Oooooorrrr, you can command JavaScript to create web upload form and upload a php file with your filemanager shell and you can modify, add, or delete contents on the pages! 😁

  17. Well explained, but he didn't specify any concrete technique for executing such an attack (possibly intentional).
    Though, it explains the mechanics well enough that one could figure it out. ☺️

  18. I'm a BS Physics student (first year). I really want to learn more about Cyber Security, I want to shift but I would waste my scholarship, so yeah I'm watching your videos… Thank you!
