XSS presentation

Cross-site scripting: What it is and how we got here

Watch the presentation on YouTube.

View the slides.

Links:

• History of the web
  • History of the WWW on Wikipedia
  • The first website
• Demo: CSS and JavaScript
• Demo: Vulnerable comment page
• The MySpace worm (samy is my hero)
  • Samy's own write-up
  • Samy's technical explanation
  • Vice article (2015)
• Self-retweeting tweet
  • The tweet
  • ZDNet article
  • Tom Scott's explanatory video (really good!)
• More sites hit by XSS attacks
  • Tons of banks
  • American Express
  • BarackObama.com
  • CIA
  • eBay
  • Equifax
  • Facebook
  • FBI
  • HMIC (Her Majesty's Inspectorate of Constabulary)
  • Jira (Atlassian)
  • Justin.tv
  • Hotmail
  • Kaspersky
  • Magento
  • McAfee
  • Orkut (by Google)
  • PayPal
  • Steam
  • StrongWebmail
  • Symantec
  • Tesco
  • Twitter
  • WordPress
  • Yahoo!
• Interactive demo
  • OWASP XSS Filter Evasion Cheat Sheet
• Preventing XSS
  • OWASP XSS Prevention Cheat Sheet
  • There's more to HTML escaping than &, <, >, and "
• Further reading
  • XSS on Wikipedia (general audience)
  • XSS on OWASP (more technical)
  • Troy Hunt's blog

These slides and demos are licensed under a Creative Commons Attribution 4.0 International License.