90% of the questions I get are about Cross-Site Scripting (XSS) and other Client-Side Injection attacks, so I decided to make a nearly 5 hour video doing my best to explain how to hunt for Client-Side Injection attacks in real-world applications.
00:00 - Why I'm Making This Video
01:50 - Quick Review of Object Oriented Programming (OOP)
04:02 - The Document Object Model (DOM)
08:11 - Three Strategies for Hunting for Client-Side Injections
09:03 - Strategy 1: Reflected Input in Unauthenticated Routes (Hidden Subdomains)
12:00 - Strategy 2: Reflected Input in Authenticated Routes (Hidden Endpoints)
12:48 - Strategy 3: DOM Injection in Custom Javascript Files & NPM Packages
16:22 - How Compensating Controls Effect Client-Side Injections
18:14 - Cookie Flags (httpOnly, secure, dopmain scoping, etc.)
20:28 - Browser Security Headers
21:00 - Content Security Policy (CSP)
22:29 - Web Application Firewall (WAF)
24:00 - Client-Side Validation
24:46 - Server-Side Validation
25:12 - Output Encoding
26:30 - Shut Up and Hunt!!
26:44 - Starbucks Doesn't Care if You Steal a Cup of Coffee
29:30 - Identifying Our Target Domains
30:15 - Importing Scan Data
32:07 - Notes Are Madatory
32:55 - Defining Categories for Live URLs
39:32 - Sorting Live URL's into Categories
1:00:22 - Setting Up Burpsuite
1:01:45 - Finding Targets in Endpoints w/ No Functionality
1:26:40 - Finding Targets in Endpoints w/ Restricted Access
1:33:33 - Checking Fuzzing Results & Expanding Attack Surface
1:49:42 - Finding Targets in API Endpoints
1:54:45 - Finding Targets in Third-Party Services
2:01:18 - Finding Targets in Internal Services
2:04:21 - Finding Targets in Full Applications
2:11:16 - Discuss Possibilities for Attack Vectors in Each Category
2:14:20 - Building a Custom Burp Scan to Find Reflected Input
2:20:08 - Finding Attack Vectors in Targets
2:31:14 - Identifying Compensating Controls in First Attack Vector
3:14:36 - Testing Web Application Firewall (WAF) Bypass
3:38:20 - Testing Validation and Output Encoding Bypass
3:48:45 - Scoring Our First Attack Vector
3:53:15 - Identifying Compensating Controls in Second Attack Vector
4:09:30 - Scoring Our Second Attack Vector
4:12:20 - Talking Through Different Use-Cases
4:37:00 - Summary of Methodology & What We Learned
Discord - https://discord.gg/EhuZRNe7BP
Hire Me! - https://ars0nsecurity.com
Watch Live! - https://twitch.tv/rs0n_live
Free Tools! - https://github.com/R-s0n
Connect! - https://www.linkedin.com/in/harrison-richardson-cissp-oswe-msc-7a55bb158/