@cammac60
Created March 2, 2020 01:15
Differentiation Assignment

I chose to research cross-site scripting (XSS) because I have an interest in web security and I believe that it's very important for any dev to be informed on how their software could be exploited and how they can prevent it. Coming into this I have some knowledge of the basics of how XSS works and some of the methods that developers implement to prevent it, such as "escaping" inputs. I also know that XSS is one of the most common attacks (along with SQL injection), so I think it's a relevant place to start learning basic web security. I'm hoping to learn more methods for preventing XSS so that I can make sure I'm doing everything I can to prevent it from happening to any software I work on - especially when I start a job and create more complex apps that might have some real-world impact.

I think it's most important to understand how these attacks occur so that I can develop a deeper understanding of the ways I can prevent them. The other important thing to understand is how powerful these attacks can be, because XSS attacks allow an attacker to insert their own code into your code base and can be hard to notice. A great example is the XSS attack that took place on Twitter a few years ago. Even though it was a relatively harmless attack, it affected over 45,000 accounts before it was discovered and removed by Twitter. The most common way to prevent these attacks, as mentioned above, is "escaping" inputs. Many XSS attacks start on inputs because, if they aren't properly escaped, the attacker can type something like <script>[malicious code here]</script> into an input. If this text is appended to the DOM or rendered somewhere else as HTML, the browser's parser might mistake it for a legitimate script tag and run the code inside of it. If this input were escaped, the angle brackets would be converted into harmless entities (< becomes &lt; and > becomes &gt;) so that the script tag would no longer be read as a legitimate script tag and instead just as some text that says script.
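To make the escaping idea concrete, here is an added example (not code from the original gist) showing an unescaped comment template next to an escaped one, using the placeholder input from the paragraph above; the comment template, the escapeHtml helper and the tag check are all assumptions made for this illustration.

```javascript
// Added example, not part of the original write-up: escaping untrusted input
// before it is inserted into HTML. Runs under Node without a browser; the
// "page" is just a string of HTML that a browser parser would interpret.

// Map each HTML-significant character to its entity. The angle brackets are
// what would otherwise let "<script>" be parsed as a real tag; the quotes and
// ampersand matter when the value lands inside an attribute.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: the comment text is concatenated straight into the markup, so
// the parser sees the user's <script> tag as part of the page.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: the same template, but every user-controlled value is escaped
// first, so the same characters arrive as text rather than as tags.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Check used below: does the rendered markup contain any tag other than the
// <li> our own template produced? True means user input became HTML.
function containsForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?li\b/.test(t));
}

// Constructed sample input, using the placeholder from the paragraph above.
const SAMPLE_INPUT = '<script>[malicious code here]</script>';

console.log('unsafe:', renderCommentUnsafe(SAMPLE_INPUT));
console.log('safe:  ', renderCommentSafe(SAMPLE_INPUT));
console.log('foreign tag in unsafe output:', containsForeignTag(renderCommentUnsafe(SAMPLE_INPUT)));
console.log('foreign tag in safe output:  ', containsForeignTag(renderCommentSafe(SAMPLE_INPUT)));
```

In a real browser the same distinction is between assigning to innerHTML (parsed as markup) and to textContent (treated as text); escaping is what you need when you are building HTML strings yourself, as in a server-side template.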

In an interview I think it would be valuable to show that I am interested in security, because everyone obviously wants their software to be secure. I think there are many devs that either don't think about security or don't take their security as seriously as they probably should. Even just showing that it is something I think about and care about will show that I care about the product and have integrity in my work. With XSS specifically being one of the most common attacks right now, I think being able to talk a bit about it will also show that I am keeping up with the current trends in web development and will continue to do so in the future.
