Learning to become an expert in XSS attacks

This is a list of the resources that helped me most to learn how XSS attacks work, and even to find and exploit a new one for the company I work for.

The best resource for a good overview of all possible attack surfaces of a webapp is the NodeGoat tutorial, which I recommend you check out: http://nodegoat.herokuapp.com/tutorial/a3 (this is the chapter specific to XSS, but all of them are worth reading!)

Now that you have an idea of how this might work, let's get our hands dirty with the XSS game: https://xss-game.appspot.com/ - there are some hints available in-game, but if you can't find a solution there are walkthroughs available online.

By the time you have completed all levels, you should be able to inspect your own webapp for possible XSS vulnerabilities. Yes, it requires a lot of thinking and monitoring, and it also brings lots of disappointments when you hit a dead end. That's why nobody else found the vulnerability before you. 😉

Last, read through the OWASP guide for XSS (it is about prevention, but you can learn how an XSS is executed by learning how to prevent it): https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Good luck! 🔒🔓
