adporn.net Cross-site scripting (XSS) in JavaScript - ASP.NET Video Tutorial | LinkedIn Learning, formerly Lynda.com

LinkedIn and 3rd parties use essential and non-essential cookies to provide, secure, analyze and improve our Services, and to show you relevant ads (including professional and job ads) on and off LinkedIn. Learn more in our Cookie Policy.

Select Accept to consent or Reject to decline non-essential cookies for this use. You can update your choices at any time in your settings.

Start free trial Sign in

From the course: Security in ASP.NET Core

Unlock this course with a free trial

Join today to access over 24,400 courses taught by industry experts.

Cross-site scripting (XSS) in JavaScript

Cross-site scripting (XSS) in JavaScript - ASP.NET Tutorial

From the course: Security in ASP.NET Core

Start my 1-month free trial Buy for my team

Cross-site scripting (XSS) in JavaScript

“

- [Instructor] I've got bad news. There still is at least one cross-site scripting vulnerability on that page, but it's not that obvious. So in line 609, we're using jQuery, but that's not a jQuery problem. It's a problem of our implementation, to write something in the HTML using the DOM of our page. And we have a string for that. And in that string we have the Search term. And, as you can see, that Search term has been properly escaped for HTML. So HTML special characters were escaped. But we are not really in HTML here. We are within a JavaScript string. In a JavaScript string, we have different special characters; for instance, the backslash. The backslash is not escaped by the at character in ASP.NET Core. But it can be used to add special characters to a string. So, for instance, using \x, we can provide the hexadecimal char code, and then that character is part of the string. Hmm, so as an attacker, if I would like to do cross site scripting, I'd like to inject angle brackets…

Contents

- (Locked)
  
  Next steps
  
  3m 2s