Advice for New Hackers: Read the Vulnerability History Books

Let's say you are learning about XSS. How many times have you seen an example like this?

Cross site scripting (XSS) occurs when user-controlled JavaScript, e.g. <script>alert(1)</script>, is not properly sanitized by the web application and gets interpreted as a valid script tag by the browser. Sanitization can be done with libraries like...

Some of the better lessons on XSS show real-world examples, but those will cost you!

Meanwhile, a wealth of real-world examples is publicly available in vulnerability databases like CVE Details. The screenshot above shows 54000 search results for "cross site scripting" - practically an encyclopedia of real XSS vulnerabilities. It doesn't take long to dig into those CVEs and find a description, exploit code, or an open-source commit fixing the vulnerability. Some CVEs have "unspecified" exploits, but many are valuable real-world examples of XSS.

Rinse and repeat for any type of vulnerability that you want to learn more about. Have fun :)

p.s. A search for "[vulnerability] payloads" is always instructive, too. A search for "XSS payloads github" returns this treasure trove: https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt

About Joey Rideout

I am an Application Security professional and UW CS grad currently based in Ottawa. Committing the crime of curiosity since 2008. Submit questions or ideas for the blog to: joey.rideout@owasp.org
