Key Points
Release Date: Not stated, possibly 2018
Date Reviewed: 2020
Author/Creator: Jovana Markovic
Subject(s): Cross site scripting exploitation, payloads, server side filtering explained, basic filtering bypass explained, XSS attacks
Prerequisite(s): Basic JavaScript and HTML knowledge is recommended
Medium: Video course voice over with power point slides and demonstrations
Length: 2 Hours
Price: $89.99. $15.99 On Sale
Link: https://www.udemy.com/course/xss-attack-most-widespread-hacking-technique/ (Not Affiliated)
Review Disclaimer
My goal is to provide honest and consistent reviews that can help others decide if an educational resource is right for them. Due to this, reviews are not influenced by discounts given, affiliate marketing, or if product is given for free. However, it is admitted that these benefits influence if a resource will be reviewed and that I only engage in partnerships with companies who provide quality products. If you decide a resource is right for you, it is very appreciated to use any noted affiliate links as this will help Cybersec.Reviews produce more content to further help students make informed decisions on their education.
Review
I bought this course in 2019 after figuring out I wanted to study cyber security. I read some blogs and watched some YouTube videos about web application testing but I wanted a visual demonstration of one vulnerability I was interested in. Cross site scripting was the easiest for me to understand so I found this course to learn more. The course videos start with a slideshow and voiceover and then later includes demonstrations. Since Udemy doesn't include course publish dates I went off of the oldest review that is from 2 years ago. You may be surprised to see that it was released in 2018, given the very old internet explorer browser Jovana is using. Jovana suggests to use an older browser because they don't sanitize dangerous characters that can be used in XSS like modern web browsers. I asked an instructor if this is good advice during a web security workshop at Defcon and he explained that this would make any submission ineligible, due to only a very small amount of people using older web browsers. So, any advice given in this course I would suggest taking with a grain of salt.
Cross Site Scripting Lessons
The course begins with the theoretical overview of XSS that is good for someone who is brand new to it. Next there are explanations XSS types such as Stored, reflected, and DOM. The next section is about creating XSS attacks which would be useful for someone who has never researched how XSS payloads work but only covers the basics. This section also talks about determining the context of where user input lands in the web pages code and then how filtering is conducted on the back end. The filtering video is a good example because Jovana creates the filters on the PHP backend while showing the XSS payloads on the client side which gives some good insights. Next Jovana shows how HTML characters are escaped on the backend (Such as > being >) but unfortunately doesn't go into much detail on how to create bypasses when faced with this type of encoding.
XSS Attacks and Google XSS Game
Near the end of the course cross site scripting attacks are shown such as changing content, stealing cookies, stealing credentials, and keylogging. This part was also cool to see as in bug bounty showing a POC of injecting Alert() or (more desirably) showing access to a user's cookies is sometimes needed for a bounty. Lastly the course concludes with a walk-through of the Google XSS game which can be found here for free (https://xss-game.appspot.com/). Jovana shows how to look through an application using developer tools and determining the context of user input and shows how filter bypass examples, however little detail is provided on the how/why these bypasses work
Conclusion
In the end this course is an okay beginner introduction to XSS and how to create exploits manually. I do like how more time is spent explaining one vulnerability in depth as opposed to how other courses only spend about 10-15 minutes on each vulnerability itself in a OWASP Top 10 Format. However even with the course covering only cross site scripting, a student could still be dissatisfied as not much insight is given during demonstrations. For example, when showcasing demonstrations Jovana states what she is doing but not so much why she is doing it. This course can be useful to learn more about XSS if it is on sale, but at $89.99 I don't think it is worth it.
CSR Score
Quality: 1/5 Okay video quality but has audio issues occurring such as volume lowering or spiking. Sound only worked on the left speaker for about 30 minutes. Spelling errors were present in the given slide show presentation.
Education: 2/5 Explains Cross Site Scripting more in-depth due to this course focusing solely on this subject. But as stated above, some advice this course gives is debatable. Also, the course includes minor explanation on how to craft XSS payloads to bypass filters, which a student would be interested in learning.
Value for price: 1/5 At a $89.99 regular price this course is very expensive for the content the student is given, plus the hands on Google XSS Game used for demonstration can be found for free. If you are interested in this course, it is recommended to wait for a Udemy sale.
Value for time: 2/5 At only 2 hours in length the course does include quick explanations that is helpful to provide insight on how Javascript is filtered on the server side. Due to the quick pace of the course each topic was covered for 5-10 minutes which left a lack of detailed insight on topics the student would be most interested in.
Verdict
Total Score: 6/20 Not worth the time or money
(See scoring guide here http://cybersec.reviews/aboutme/#scoring)