DO NOT USE alert(1) for XSS

162,708 views

LiveOverflow


... and use alert(document.domain) or alert(window.origin) instead.
Blog post: liveoverflow.com/do-not-use-a...
Sponsored by Google for their Bug Hunter University: bughunters.google.com/learn/i...
00:00 - Intro
00:47 - Why Do We Use Alert(1) for XSS?
02:25 - alert(1) Popup is NOT Proof of a Vulnerability!
03:07 - Invalid XSS Example 1 on Blogger
04:43 - Sandbox Subdomains
06:27 - Sandboxed iframes
08:29 - Invalid XSS Example 2 on Google Sites
09:50 - Why Should You Care About Invalid XSS Issues?
10:55 - Summary
11:55 - Outro
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
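
What a triager can read off the popup text once a report uses `alert(window.origin)` or `alert(document.domain)` instead of `alert(1)`, as an added example that is not from the video or the blog post. The hostnames `app.example` and `usercontent.example` and all function names are assumptions made for the illustration.

```javascript
// Added illustration: classify the text shown in an XSS proof-of-concept popup.
// All hostnames are constructed placeholders, not real services.
const SENSITIVE_ORIGINS = ["https://app.example"];   // where sessions and user data live
const SANDBOX_SUFFIXES = ["usercontent.example"];    // domain set aside for user-supplied HTML/JS

// Hostname with at least one dot and a TLD starting with a letter,
// so popup text such as "1" or "3.141592653589793" is not read as a host.
const HOSTNAME = /^([a-z0-9-]+\.)+[a-z][a-z0-9-]*$/i;

// Match on a label boundary: "evilusercontent.example" must not count as sandbox.
function underSuffix(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

function classifyPopup(popupText) {
  const value = String(popupText).trim();

  // window.origin is the string "null" inside an iframe sandboxed
  // without allow-same-origin: the script runs in an opaque origin.
  if (value === "null") return "opaque-origin";

  let host;
  let origin = null;
  if (value.includes("://")) {            // looks like alert(window.origin)
    let url;
    try { url = new URL(value); } catch { return "no-origin-evidence"; }
    host = url.hostname;
    origin = url.origin;
  } else if (HOSTNAME.test(value)) {      // looks like alert(document.domain)
    host = value.toLowerCase();
  } else {
    return "no-origin-evidence";          // alert(1), alert("xss"), ...
  }

  if (SANDBOX_SUFFIXES.some((s) => underSuffix(host, s))) return "sandbox-domain";

  const sensitive = origin !== null
    ? SENSITIVE_ORIGINS.includes(origin)
    : SENSITIVE_ORIGINS.some((o) => new URL(o).hostname === host);
  return sensitive ? "sensitive-origin" : "other-origin";
}

// Constructed sample popup texts, as they might appear in incoming reports.
const SAMPLE_POPUPS = [
  "1",
  "null",
  "https://abc123.usercontent.example",
  "https://evilusercontent.example",
  "app.example",
  "https://app.example",
];

for (const text of SAMPLE_POPUPS) {
  console.log(JSON.stringify(text), "->", classifyPopup(text));
}
```

Only the `sensitive-origin` result shows script running where the application's data lives; `opaque-origin` and `sandbox-domain` correspond to the sandboxed iframe and sandbox subdomain cases named in the chapter list.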

Comments: 251
@mattp12 2 years ago
ok fine I’ll use alert(2)
@user-zu6ts5fb6g 2 years ago
based
@magicmulder 2 years ago
alert(0.5+0.5);
@1Hippo 2 years ago
alert(Math.PI)
@FUTUREPES 2 years ago
😂
@punkum 2 years ago
console.log(1-alert(1)) or eval(alert(1))
@nk2ishere 2 years ago
It would have been funny for google to really alert 1 when you input alert(1) into search box
@ThomasOrlita 2 years ago
I think they did something like that once on the Bughunter page.
@2das 2 years ago
Oh no, hell no, it would not. Imagine all the amateur bug hunters who then spam their reports to the google bug bounty XD
@castles990 2 years ago
@FBI Federal Bureau of Investigation Then they would pretty much ignore every XSS report, sorry FBI.
@2das 2 years ago
@LastName Almaember you better ignore my browsing history
@1e1001 2 years ago
@castles990 well they can state that you have to use alert(document.domain) and just ignore all alert(1) ones or whatever
@whydoineedausername1386 2 years ago
"Look into the chrome developer tools" *Opens firefox*
@dertythegrower 2 years ago
Yeah.. it calling home every time I open the browser.. yeah, no go for me. Also lack of script-viewing tools on chrome compared to firefox... mm, minimal.
@nicoper 2 years ago
Since this video is seemingly paid for by google, it's not strange that it contains some advertisement for Chrome.
@vaisakhkm783 2 years ago
"In a browser, the chrome is any visible aspect of a browser aside from the webpages themselves (e.g., toolbars, menu bar, tabs)." - so technically dev tools is a chrome (not google chrome, it's just a name of a browser which they stole)
@sebastianelytron8450 2 years ago
@vaisakhkm783 ^^ Can somebody verify that? I've literally never heard it before and information online on it is scarce. Is this really a technical term?
@vaisakhkm783 2 years ago
@sebastianelytron8450 I also came to know about this from one of his own videos...."sandbox escape in Firefox" or something like that..... Check out that video
@charlesfries 2 years ago
This channel has taught me so much
@user-cs5rg1ny8l 2 years ago
This guy precisely
@tytangameplay3118 2 years ago
This channel got me a detention ;-;
@DeadDad1 2 years ago
Same! I absolutely love way he explains things!
@cedricvillani8502 2 years ago
You want his bounty all over your chin
@tytangameplay3118 2 years ago
@LethalSwizzle found xss and other vulnerabilities in school website, and apparently I violated some policy
@TheMAZZTer 2 years ago
Funny thing is you're using a browser that shows the origin in the alert box regardless of message, so alert(1) is fine in those browsers. Though you do show the edge case where there is no origin (eg it's blank) the alert box title is different, so it's worth keeping that edge case in mind.
@dasten123 2 years ago
I thought so too, but look at this case 7:30 it just says "An embedded page on this page says"
@_DeProgrammer 2 years ago
The browser may show the origin in the alert but I think you're missing the point. It's not a bug. Using alert(1) would render a false positive and it would be better to use something other than alert(1) that shows an actual xss on the origin.
@kissinger2867 2 years ago
The more I watch you the more I find something new, interesting and worth my time. Thank you very much.
@user-ko7oo2qg1g 2 years ago
One of those rare videos by you about which I can say that I knew most of the things you mentioned. But still, a great one as always! 👍
@IsAMank 2 years ago
Huh, never considered the bug bounty angle. From my experience with clients, issues in the components of a client's application were still very valid, and would often prompt further discussion and remediation across org boundaries, which I see as the ideal outcome. Good practice for XSS checks nonetheless, great video!
@4.0.4 2 years ago
The reason we use alert is because of old browsers that didn't have such nice consoles. It was the easiest way to see something on screen. In fact I remember an old Microsoft site where I got a debug alert when I pressed some combination of buttons (by chance).
@Fuckutube547465 2 years ago
This video was very well done and approachable. Nice job!
@zaphooxx8779 2 years ago
Very good, valuable and helpful information you are providing here. Thanks!
@hikari_no_yume 2 years ago
Why is there an “advertisement” mark at the top-right, and a mention of sponsorship by Google in the subtitles, but not in the video itself?
@jaralara6429 2 years ago
Maybe this whole video is an ad from Google telling us to stop with the alert(1) reports 😂😂😂
@uttiya10 2 years ago
I guess the “paid promotion” message at the beginning might be enough?
@violetwtf 2 years ago
yeah this seems so sketchy
@luphoria 2 years ago
@violetwtf not really.. the video is an ad
@unicodefox 2 years ago
I think it was originally going to be that, then at the last moment he edited it out. The video is also low quality, almost as if he quickly downloaded it, edited and reuploaded
@h4ckv157 2 years ago
All your videos are my favorite. 💎 I really appreciate this one too 🙏
@paprika5487 2 years ago
Thank you! This is good to bear in mind in future testing!
@GiveAcademy 2 years ago
in the past, my reason for using alert was because it took the least amount of characters, where many forms that were being tested had character limits. also most things would check for eval specifically, however alert was often forgotten... hehe
@TheJDebski 2 years ago
Thanks so much. You're doing great work. I would love more hunting videos. Very interesting
@thapr0digy 2 years ago
When you said Google at 6:37, you triggered my Google assistant. Too bad it interrupts the video otherwise you could open malicious web sites on the user's behalf
@yashrathi6862 2 years ago
Actually might be a nice idea lol, but don't you have your voice recognition setup?
@elessandro39 2 years ago
Your channel is pure gold. Thank you
@4ag2 2 years ago
Very well explained! Thanks 👍
@michaeldouglas1052 1 year ago
Very precious and important tips, thank you!
@arivanhouten6343 2 years ago
Finally another masterpiece!
@krlst.5977 2 years ago
That was great, very interesting video. Thank you
@10oneluv10 2 years ago
GREAT VIDEO! I never knew any of this.
@thomascodes 2 years ago
Different WAFs have different responses to payloads, sometimes destructuring the payload may work: throw[onerror]=[alert],1
@dasten123 2 years ago
This is interesting! Cool video man!
@hawk__ 2 years ago
Very Beautiful Explanation :)
@OdinRu1es 2 years ago
Don’t use iframes for security reasons. Uses iframes for security reasons.
@jackharbor3347 2 years ago
Why we shouldn't use iframes for security reasons?
@JustPlayerDE 2 years ago
@jackharbor3347 back in the past iframes were bad, now they are good i guess
@Seedhi-Baat 2 years ago
Very nice observation! keep it up!
@ripoutyourintestines5099 2 years ago
I don't know shit about computers but I have a gaming PC lmao, now I can't stop watching this channel.
@marcoschincaglia 2 years ago
ok, I had to interrupt my lazy Saturday afternoon to actually learn something useful
@sharemarket1971 2 years ago
I'm new in bug hunting... I understand nothing but I watched this video
@mindreader3947 2 years ago
wonderful video Thanks @liveoverflow
@anthonation 2 years ago
Thank you so much 🙌🏻
@seclilc 2 years ago
Great video as always
@fairchild9able 2 years ago
Really nice clip. Thank you
@JPlexer 2 years ago
How do some people say "Good Video" or "Amazing Explanation"? The Video literally just released
@reastle1307 2 years ago
they fake it
@byekou 2 years ago
gotta earn the likes
@LiveOverflow 2 years ago
it's always true for my videos 🙃
@GamingBlake2002 2 years ago
*cough cough* cyberchiranjit *cough cough*
@JPlexer 2 years ago
@LiveOverflow well yes, but actually yes
@chiranjit9529 2 years ago
Amazing explanation
@piyh3962 2 years ago
This taught me more about XSS than any other video I've seen so far.
@devprogramming 2 years ago
Use print() instead of alert() because browsers are disabling the alert() for cross-domain iframes.
@menkiguo7805 2 years ago
I was working for a website and their filter of XSS has alert(1) in it
@soonpeace9938 2 years ago
Very Informative.............Keep it up
@156785543 2 years ago
Excuse my ignorance. What is the most dangerous thing you can do with that kind of attack (xss) in real life? I mean if I found a xss vuln the hacker just could catch my token/credentials by phishing? Or is there another, more powerful attack? Excellent video and cheers from Argentina!
@pixelorange9651 2 years ago
Thank you for your suggestions on XSS! Your video is very good, so I want to translate it and share it on the Chinese video website (bilibili) in my free time. I will keep the introduction and title of your video consistent and declare the author, and I will not get any profit from it. Do you agree with this matter?
@mekb1 2 years ago
seems you accidentally left advertisements watermark in the top right corner for the video lol
@gurglemurgle5 2 years ago
The vid might be sponsored by Google
@Test123747 2 years ago
saw a few german youtubers doing this for legal reasons. Otherwise competitors will assume you are breaking a law if some products are highlighted in the videos, even if there is no sponsorship. They will ask for money and for you to stop doing this in the future (with some legal document). In return those youtubers then have to explain that there is no sponsorship and might even need the assistance of a lawyer. If it was sponsored he probably has to pay money to the competitor. So they just place an advertisement note on every single video to just not having to deal with that kind of bullshit.
@bernhardschmidt9844 2 years ago
I mean, he does link to Google's new bug hunter University thing in the description and he does talk about how to do stuff in regards to google products throughout the video, so it being sponsored in some way isn't too far fetched. That said, it's weird he doesn't explicitly mention it anywhere...
@lilyliao9521 2 years ago
@Test123747 interesting
@asdfghyter 2 years ago
Is there any practical difference between document.domain and window.origin for these purposes?
@HackoMedia404 2 years ago
Very informative video
@realjameskii 2 years ago
Ok thanks, ill use alert(2) instead
@dclxviclan 1 year ago
Cool, nice tut
@velho6298 2 years ago
Advertisement, nice touch.
@1Hippo 2 years ago
Chrome and Firefox both always display the origin domain in the alert, shown in the video for example at 3:41. I don't see the point of writing such an unnecessarily long payload, the video title seems a bit much clickbait, otherwise good explanation tho. alert(1) is still fine. btw: Opera and Vivaldi do it too, I guess all chromium based browsers.
@SolomonUcko 2 years ago
It looks like inside iframes, at least browsers just say "an embedded page" rather than the actual domain or origin of the iframe.
@dasten123 2 years ago
See 7:30
@1Hippo 2 years ago
@SolomonUcko They report the actual domain if it is set, blogger uses an iframe too, see 4:26. In his selfmade example src is just not set, so it falls back to the generic message.
@1Hippo 2 years ago
@dasten123 See 7:45, in any case you get basically the same info.
@Baeyk 2 years ago
I love this guy
@sql7002 2 years ago
As usual 🔥🔥🔥🔥👌
@randomguy3784 2 years ago
Superb video👌
@ThePowerRanger 2 years ago
Very interesting.
@mekb1 2 years ago
dark mode intro pog
@drahoxx3076 2 years ago
Why is there an "advertisement" message in the top right corner? Is it just a mistake? Anyway, very instructive video! (Like the others!)
@tercmd 10 months ago
It's because Google paid him to produce this for Bug Hunter University and he thought it to be a good video, so he published here.
@Jimmy1985 2 years ago
But can i still deploy malware on the client machine via this xss? A bEEF hook could hook into the browser of the client. I would not call any xss a safe xss but i guess it is out of scope.
@thesheep6248 2 years ago
great info
@scou1yy 2 years ago
Imagine getting a pop-up saying "2", that would be threatening
@charlie5tanley 1 year ago
thank you thank you....
@DiThi 2 years ago
Are web workers another way of sandboxing potentially unsafe code?
@aldison5070 2 years ago
We use eval()
@soroushhd2408 2 years ago
man I believe in it I got a xss from an important web site thats belong to a very important organization that was pentested for 3 times 🤣🤣🤣
@mualifulmizan9066 2 years ago
Nice this video
@danhorus 2 years ago
I use console.log or console.trace :)
@starkline3962 2 years ago
which video editing tool you use to edit video
@mrspy8972 2 years ago
Make a video on Pegasus Too..
@arenaesports2580 2 years ago
For Chrome we can use print now
@Jason-uv5tm 2 years ago
very cool
@muha0644 2 years ago
You make your videos really well. Amazing script, you speak clearly and enthusiastically, and you make cool graphics that are easy to understand and look nice in general, etc... The only thing I can complain about is that your IRL background looks kinda scary, like you are about to make an apology video or a documentary. It's not really a complaint but I thought you could use the feedback. If you still have the breadboard pc you could make a counter and hang it in the background...or add some shelves or something. Unless you like the empty backdrop in which case ignore what I just said. Keep up the good work!
@thejswaroop5230 2 years ago
Bro i have a suggestion.... can u please put a video on PEGASUS spyware...like I'm genuinely confused what is it and why news channels are milking it so much....is it a thing to be afraid of? I would love to see your perspective on this.... If not here maybe atleast in your other channel liveunderflow pls....?
@AntiWanted 2 years ago
Nice 👍
@omri9325 2 years ago
Is this a new video-file format? the quality looks too compressed :|
@w3w3w3 2 years ago
damm super interesting :)
@gradientO 2 years ago
alert(1)
@b391i 2 years ago
alert("You Are The Best")
@Hackerone1444 7 months ago
print(5)
@spv420 2 years ago
I just realized I wasn’t subscribed. I fixed that.
@HacknMate 2 years ago
For Pentesting you use alert(1) because you need to document everything that is vulnerable on a blackbox webapp. For bug bounty, however this will not work because of 'impact'.
@user-ou9mn8pj5c 2 years ago
Not unless the organization’s webapp you’re pentesting is purposely allowing scripts to be executed by the end-users.
@HacknMate 2 years ago
@user-ou9mn8pj5c that would be an isolated case. I'm talking in general.
@Agilato 2 years ago
Please, work on your overall sound volume, each time i watch your channel have to wear a headset cus volume is too low compared to other channels. Thanks for your work!
@lbproductions6215 2 years ago
Interesting
@ceilidhDwy 2 years ago
Why is it marked as a sponsored video? Did google sponsor this one?
@tercmd 10 months ago
They paid for it to be created and he thought it to be a good video, so he published it on LiveOverflow
@LenaMilize 2 years ago
Ahh that's great
@MrItrollaround 2 years ago
Wait, so I'm not allowed to name my Skyrim player this anymore? Darn.
@isvladxxe 2 years ago
is this a recipe how to make user js safe?
@medpro5612 2 years ago
Can I use alert(1337) ?
@rupesholee 2 years ago
why not
@yuck871 2 years ago
nice
@KickoffCentral24 2 years ago
I need help in APDU setup
@TianyuQi 2 years ago
me, who uses alert(): intensive sweating
@neilthomas5026 2 years ago
Gold
@shaswatmanojjha2969 1 year ago
Is it self or reflected XSS if I modify the response in BURP and it shows alert, but doesnt show in URL?
@LiveOverflow 1 year ago
Neither ;) it’s nothing ;)
@shaswatmanojjha2969 1 year ago
@LiveOverflow
@Epinardscaramel 2 years ago
5:02 Sorry Flash, f.
@iooosef6006 2 years ago
Good thing I use alert(2)
@lmaoroflcopter 2 years ago
Use prompt(2) ?? :D
@ZelenoJabko 2 years ago
Not all browsers support sandboxed iframes. Those browsers are vulnerable.
@ThePizzabrothersGaming 2 years ago
which one doesn't, internet explorer? thats EoL
@ZelenoJabko 2 years ago
@ThePizzabrothersGaming your mom doesn't
@IudiciumInfernalum 2 years ago
I generally just `alert(%27MyHandle%27)`
@Lantalia 2 years ago
We use alert because it predates chrome, firebug, and most useful 'consoles'
@prawnstarrr 2 years ago
alert("xss") -- a classic
@rafaeldacosta8581 1 year ago
destroying kids dreams under 12 minutes huahuahuahuahuahua
@ruhruhruhruhruheisjsij 2 years ago
Tldw Origin Policies
@iicloudbob8793 2 years ago
Please try reverse engineering Synapse X. It will be a challenge for you