Hacking YouTube Likes with JavaScript: XSS Attack Tutorial.

I'm going to show you how websites get hacked with JavaScript so you can see first-hand exactly how cybercriminals can use code in XSS attacks to make you do things you don't want to do.

Follow along on YouTube

Cross-Site Scripting, or XSS, allows cybercriminals to inject their own code inside a webpage.

On a desktop or laptop, you can actually run code right now using the console in your browser's dev tools and calling the alert() function.

  • Chrome console: Ctrl+Shift+J (Command+Option+J on OS X)
  • Firefox console: Ctrl+Shift+K (Command+Option+K on OS X)

No console for you.

If YouTube had an XSS Vulnerability

Think about it like this: if you were using a public computer, say, at a library, and someone forgot to sign out of their YouTube account, what's the worst you could do?

Whatever evils your wicked mind can think up, attackers can simply write JavaScript code to do the same.

Now let's suppose that video descriptions on YouTube had an XSS vulnerability. What would this mean?

Let's attack that description.

This means that, in addition to writing text, attackers could also add JavaScript with each uploaded video.

As a result, every time somebody sees the video, the script would automatically run in the browser, doing whatever the attacker wanted, such as asking for your password, writing a hilarious comment or as I'm showing you today: clicking SMASHING that like button.

Description
Some text <script>//and some code</script>

All you need is code; code is all you need.
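The fix for the description scenario above is output encoding: treat the description as text and encode it before it is placed into markup. The following is an added example, not code from the original post; the function names are hypothetical and the sample description is the payload sketched above, constructed here as input.

```javascript
// Added example (not from the original post). A video description is
// untrusted text, so it must be rendered as text, never spliced into
// HTML as markup. Function and template names are hypothetical.

// Encode the five characters that can break out of HTML text or
// attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable: the description is concatenated straight into markup, so a
// "<script>" inside it becomes a live element once the HTML is parsed.
// (On the DOM side this is the innerHTML = description anti-pattern.)
function renderDescriptionUnsafe(description) {
  return `<div class="description">${description}</div>`;
}

// Hardened: the same template, but the untrusted value is encoded first.
// The browser shows the literal text "<script>" and executes nothing.
// (On the DOM side the equivalent is element.textContent = description.)
function renderDescriptionSafe(description) {
  return `<div class="description">${escapeHtml(description)}</div>`;
}

// Review helper: strip our own wrapper and check whether any raw '<' or '>'
// survived inside the interpolated value, i.e. whether encoding was skipped.
function containsUnencodedMarkup(html) {
  const inner = html
    .replace(/^<div class="description">/, '')
    .replace(/<\/div>$/, '');
  return /[<>]/.test(inner);
}

// Constructed sample: the description payload sketched in the post.
const sampleDescription = 'Some text <script>//and some code</script>';

console.log(renderDescriptionUnsafe(sampleDescription)); // script tag intact
console.log(renderDescriptionSafe(sampleDescription));   // &lt;script&gt; ... shown as text
```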

Exploiting XSS in real life

Most of the time security researchers demonstrate XSS by opening an alert box in the browser like this.

After all, they can't just go around exploiting users every time they find a vulnerability. You know, because of rules and morals and... prison.

But here's the problem: most engineering teams get “alert fatigue” and become desensitized to XSS because they've never seen the full impact that it can have. As a result, they can't fully grasp just how dangerous and damaging XSS attacks can be. That is, unless they've already been hacked.

So let's go beyond the alert and see how attackers can use JavaScript in XSS attacks to control your actions on YouTube.

Planning the attack

Our goal is to make JavaScript automatically like the video, and there are two steps required to do this:

  1. Find the like button
  2. SMASH it

Now, since our first step is to find the like button in JavaScript, we just need to search for something unique in the button's code.

If you right-click the like button on a YouTube video and select the inspect option you'll see the HTML code used to create that exact button.

You'll also see that the button has an attribute called aria-label whose value starts with the words "like this video".

This thingy right here.

Perfect. We can now prepare our attack in the console on YouTube since it allows us to run our own JavaScript code inside the web page as if we were injecting it to exploit an XSS vulnerability.

Protip: don't get into the habit of pasting random, sketchy code inside your console, to avoid self-XSS.

Now in order to find the like button in JavaScript we'll type:

button = document.querySelector('button[aria-label^="like"]')

Altogether we're telling JavaScript:

give me the first: document.querySelector()
button you find: 'button'
with an aria-label attribute: [aria-label]
starting with like: ^="like"
and let's name it button: button =

Now remember, this is important, YouTubers don't click, so let's type:

button.smash = button.click

Now all that's left is to SMASH that like button with:

button.smash()

It's really that easy.

Finishing our XSS attack

If an attacker can inject script into YouTube this is all the code that script would need to force users to automatically like the video:

document.querySelector('button[aria-label^="like"]').click()

Ta-da!

Obviously there's much worse that can be done here if you did find an XSS vulnerability in YouTube. That said, I would suggest working responsibly with Google and they'll pay you lots of money through their reward program instead of trying to exploit users and going to prison.

There's a whole lot more to XSS than this, so if you're ready to dive deeper into XSS attacks, exploits and defenses check out The Ultimate XSS Training Course for hands-on experience writing more advanced exploits and discovering the many hidden ways websites can be attacked with JavaScript.

Ready to master XSS?

The Ultimate XSS Training Course gives you the full, uncensored picture of Cross-Site Scripting from the perspectives of criminal hackers and the engineers whose job it is to stop them.

Cross-Site Scripting

Cross-Site Scripting (XSS) is the #1 most common appsec vulnerability that allows attackers to steal private data, hijack accounts and spread ransomware on your sites. This course teaches students to:

  • Discover critical XSS vulnerabilities in web applications.
  • Create, analyze and stop malicious exploits used by criminal hackers.
  • Fix XSS vulnerabilities in routine and emergency situations.
  • Stop costly vulnerabilities before they reach production using the latest best practices and techniques.