>please excuse my anger
>calm concern follows
German anger is something else. Also I am mad too at that tweet about mastery: in any field where you can become an "expert", curiosity and an ever expanding horizon are always key to success and to being proud of your abilities.
@cheaterman49 5 years ago
German anger has changed a lot in 70 years, hahaha!
@DerMannInDerWand 5 years ago
calmly and analytically breaking down why someone's statement is wrong is very much German anger :D
@vert3x560 4 years ago
I wouldn't like to see German anger :|
@azimislam8388 5 years ago
Hacker at an event. First guy: This is Javascript. Crowd: **silence** Second guy: The thing that it is jAvAScRipT Crowd: AAAAAAAAAAAAAAAAAA!
@LiveOverflow 5 years ago
Maybe I'm a bit too pessimistic in this video, but I think it's a concrete example we can use to talk about it. I know this video could be a bit controversial, and I did not want to focus on any people in particular - thus I censored the names of the example I criticise. It's not about the person but the work itself. So let me know what you think about it. Also this video contains a few possibly weird "easter-eggs" (or obscure references) that likely only a handful of people will get. So if you think I said something weird, just assume it's a reference to something :P
@piaresquared4590 5 years ago
Some experts make simple things difficult to understand, realizing that most people reading their content are beginners. Other experts wouldn't share it. It's beginners who think that it's cool because it's difficult to understand and spread it. Those experts get high when nobody understands them.
@SuperMarkusparkus 5 years ago
You say that "jAvAsCriPt:" uses unnecessary capitalization, but actually it is completely unnecessary since it's not a protocol handler, it's interpreted by eval() as an arbitrary javascript label. Labels should be followed by a colon. Then following the label is a single line comment. The whole javascript label, upper case, lower case or mixed case, is unnecessary :)
@regul4rjohn 5 years ago
You are fine. I learned stuff as usual, thanks for sharing!
@XantheFIN 5 years ago
@LiveOverFlow How about the last video where you mixed up people talking about DISCS and DISKS and blamed them when you were wrong when you tried to use a DISC program for DISK media? What do you think about it? How about a correction? I understand you are a programmer and not into hardware... It makes sense to make such a silly mistake.
@LiveOverflow 5 years ago
@@XantheFIN I think there is a misunderstanding of the situation here. I thought I made it very clear in the video that it was a joke to blame the person, because right before that I acknowledged how embarrassed I was. Also I think google search autocorrected disk/disc and I didn't pay attention when searching. And of course I thought a tool that can create an image of a CD could also create an image of a HDD, because on linux both are exposed as a regular block device that you can read from. So making an image with `dd` would be the same for a CD as for a HDD. Thus I didn't think in the rush of the moment that this might be different for Windows. If you have further questions or want some more clarification, feel free to write me an email ;)
@kmcat 5 years ago
I'm more amazed that Safari supports base url
@dealloc 5 years ago
To be fair, Safari actually gets a lot of the newer features implemented faster than most other browsers. The issue is, though, that a lot of times it's a little too fast and ends up with exploitable features, where most other vendors wait until it's as much tested as possible. The reason Apple does this is that they use a lot of the new features way ahead of others in their own products; which is safe enough to do as it is not the internet, but sometimes the features end up in the same or similar fashion when they get officially supported.
@kmcat 5 years ago
@@dealloc Data list, Service workers, Vibration API, Battery API, WebGL 2.0, Background sync API, Web MIDI API, TLS 1.3, WebM, Push API, Web Bluetooth
@dealloc 5 years ago
@@kmcat Safari has a lot of APIs under experimental flags before being pushed out. But that is not to mention; Data lists-while actually in WebKit behind a feature flag, it's an odd one that I couldn't find much information about. Service workers are supported in Safari now. They were proposed (in 2014) in collaboration between Google, Samsung and Mozilla and were implemented by them first, although behind experimental flags initially. Vibration API was removed from WebKit due to privacy concerns and is currently in a second draft in W3C.
@IsaiahGamers 5 years ago
Safari and Chrome use the same engine
@dealloc 5 years ago
@@IsaiahGamers Chrome uses its own engine called Blink, which is based on WebKit but heavily modified. Only on iOS does it use WebKit, as it is required by Apple.
@ilya300400 5 years ago
The author of the second tweet just didn't write "#xss" in his post :(
@RyanLynch1 5 years ago
good point there
@WanniGames 5 years ago
Who exactly browses #xss anyways? Seems a bit skitty imo
@valvarexart 5 years ago
Bots, probably
@Someone-cr8cj 5 years ago
@13:00 "console cleared at 3:13 am" get some sleep man
@taureon_ 5 years ago
lol
@EXHellfire 5 years ago
who the fuck sleeps at 3 am
@Kitsudote 5 years ago
IT folk (and I guess especially hackers) are creatures of the night :)
@codechapter6960 5 years ago
What's sleep?
@chellathurais650 3 years ago
Are you guys new to sleep?
@tg6640 3 years ago
for guys who are confused with the minus symbol: can be written as
@jan_harald 5 years ago
Amazing, but you know why the first tweet was more popular? Because it looked as if it explained what was going on... "here we have this" vs "lol/safari.html". The second one might be better, but it looks more like a random jumble or a joke at first glance. Also it doesn't tag #xss like the first one, so you're less likely to find it randomly browsing.
@chrisparrot2660 5 years ago
tHe pEoPLe wHo wErE meAnT tO sEe iT, iNdEeD SaW it
@peterjohnson9438 5 years ago
The Safari bug smells like someone messed up the protocol format verification routine, by cutting the protocol part substring one character too early. It'd still go through all internal conformance tests just fine, but leaving out that significant second slash opened up Safari to an interesting new exploit vector. Great video. Edit: my original comment made no sense, it seems I'm too tired to brain right now
@KeanuReevolution 2 years ago
I barely know anything about XSS but I got so mad as you started explaining why the first tweet is so inane. Goes to show how great you are at explaining things to people in a simple way that even a n00b like me understands lol. Thank you!
@Lfomod1Dubstep 5 years ago
Great video man! I've been playing with XSS the whole day, just to get more knowledge about it. You've been helping me with your videos :D
@jdurfer 5 years ago
Can't tell you how much I enjoy your vids. Both the content and presentation. Thank you
@AmitChauhan-sp1cw 3 years ago
This video gave me some confidence... not everything present on the internet is true... sometimes I think I don't know the concept, that's why I'm not understanding, but now everything is clear... A BIG THANKS TO YOU
@digitzero3613 5 years ago
This channel is very underrated. You are a great teacher mate, I hope you will succeed. Thanks
@rosco3 5 years ago
5:37 Even to me, a complete beginner at XSS, you can tell that it makes no sense to use upper and lower case and that the script itself is intentionally confusing.
@Walter_ 5 years ago
YoU KnOw, OnLy GeNiUsSeS WrItE LiKe ThIs
@teenapittman4241 5 years ago
@@Walter_ Years ago, after a closed head traumatic brain injury, my husband wrote like this.
@peterjohnson9438 5 years ago
@rl1k Doe which is why we, at least in the enterprise Java world, use case insensitive and fuzzy matching for blacklists...
@peterjohnson9438 5 years ago
@rl1k Doe depends on the application :)
@imgayasheck595 5 years ago
@@peterjohnson9438 it's a blacklisting escape if they are looking for 'javascript' or 'script' with a bad filter. I've seen some really bad filters, though with enough effort there's very few that survive the test.
@over00lordunknown12 5 years ago
I'm going to say it anyway... As for the tag example, it could be used to bypass basic filters, and it could also be for obfuscation (even though it is simple to clean up if you understand it well enough), a small-time dev will have a harder time searching logs for why their website broke.
@LiveOverflow 5 years ago
that was not the point of the tweet though - it was about the XSS in the output tag (not about WAF bypasses). Imo it's simply an excuse used to distract from what I believe is the real reason: making it look more crazy to mislead and deceive people.
@cactusjuice9709 5 years ago
@@LiveOverflow It's just an ego thing like: "my skill is so high that obfuscating is the standard; look mom: I can read it fluently" or something like this. Does it even matter, if the author doesn't care to educate on twitter? I don't know the author, but I saw your dispute with this xss-tool-selling-dude, so if this payload belongs to misleading people to sell some shit, then the world will get your message. I also think that the itsec community is built on learning from each other, but if some dudes want to show their virtual balls, there is no need to beat these tweets to death. Anyhow, cool video. Learned something new. Would love to see some "more guide like" guides to bypass WAFs and how to work with different contexts and encoding.
@miralemnermina142 5 years ago
When's SIM part 3 coming? Also awesome content, keep up!
@4.0.4 5 years ago
Hacking is essentially thinking outside the box. It's like some sort of IQ test, you can't hack something if you're not comfortable with lateral reasoning. Also, reminder that browsers are open source. Finding XSS vectors or ruling out ideas can be done at a lower level. It's still way out of my league but I have tried it a few times, to no avail (I wanted to trigger a network request from an SVG loaded in an img tag, so I looked into the Firefox source. It seems impossible)
@dcodernz 3 years ago
People tend to like things more if they understand it and they think it's clever, so obscuring the first example achieved the feeling smart in more people because it's easier to understand for more people.
@HolySemtex 5 years ago
How about a 1-week-coding challenge? I think it's the perfect fit for you since it would be the total opposite of what you do here right now. Love you, keep it going!
@nopnopnopnopnopnopnop 5 years ago
No, plenty of people do coding challenges. This is one of few people who make good security-related videos.
@alfinjoseph6854 2 years ago
We can also get around the // in javascript by giving a new line character.
@juniorGs12 5 years ago
From your recent twitter activities, I was waiting for the video going after brutelogic LOL
@tmack729 5 years ago
Brute logic is such a hack.
@johnhammer8668 5 years ago
Glad I found your channel. I occasionally watch your videos (not enough time sadly) as I am a full time application developer and not in the security domain. Thanks so much for sharing.
@inquisition.musician a year ago
I can sound silly, but the first tweet actually tweeted this for the stuff that allows custom HTML in your profile, like Samy Kamkar did with his "Hero" worm. This is used to mislead checks in the forums. But, there's still an XSS auditor, so we need to make the workaround.
@Gr1pp717 5 years ago
The reason for the craziness is to account for poor parsing procedures. Developers who try to write their own security, but fail to account for one kind of character or another.
@moth.monster 5 years ago
I personally have no plans to go after bug bounties but this was neat, cause that's a pretty fun exploit. Safari bugs aren't something to be scoffed at, plenty of people use the browser.
@user-vn7ce5ig1z 5 years ago
Ostensibly, the reason that the _output_ example got more likes and RTs than the _base_ example is because it is more straightforward and easier to figure out and understand, so people responded to it, but the other one is more confusing, so they ignored it. I figured out the first one in a couple of seconds, but for the second, I actually had to look up the base tag (I've never used it before), and check the specs to see how empty hrefs are handled, then had to decipher the regex. I learned nothing from the lazy attempt at basic obfuscation from the first, but learned a couple of things from the second. Your frustration is completely justified; I feel the same way. People are lazy and boring. They don't like challenge, they like simple, basic pablum.
@sarowie 5 years ago
The first tweet was at least successful in hiding the alert - by adding an eval, which to me is a blinking red danger sign that even more loudly and proudly screams "insecure code" than any "javascript" or "alert" string could ever do.
@Cyb0rg_12 5 years ago
Found a parameter > Copy & paste XSS payload > Alert !!! > Report > Get Bounty > Tweet it like a champ. No Offense :)
@muhammedtan9819 2 years ago
Man its like a poem. Respect!
@Jimmy1985 5 years ago
Thanks for the awesome video! The application should encode any input of the < character and convert it to &lt;. Check out the OWASP character escape sequences on the XSS Filter Evasion Cheat Sheet.... Testing for the application accepting the < character is a much faster way. The character escape sequences on OWASP are a fantastic way of learning the encoding styles.... Anyway XSS will have a BeEF hook on it to deploy malware or a cryptominer, not just steal cookies.
@nikolanojic6861 5 years ago
When you are currently watching one of his tutorials and a notification comes for a new video :/
@juliavanderkris5156 5 years ago
Great video! I was confused at the "bullshit" one as well. I mean, what's even the point if you're using onclick anyways? Probably won't even bypass any filters. The base XSS one was crazy though. It seems so basic, and without this video I wouldn't have thought anything about it.
@pwnweb5734 4 years ago
who knew that google xss would have actually popped up in 2k19
@jonasgrill1155 5 years ago
I found a small vulnerability in my school's wifi blocking system (iboss). Some of the text on the blocked-page screen was accessible in the URL of the site. I tried changing that and refreshing and it changed the text on the screen. I had recently learned about cross-site scripting so I tried adding HTML and it showed up, though it was only on the client (from what I know. I wasn't able to do any tests). I just can't believe wifi site blocking software by a company founded in 2003 still has an unpatched vulnerability that allowed HTML to be injected through the URL. I mean, Google has the search text in the URL (which makes sense) but it's at least filtered and doesn't allow HTML injection. Anyways, I'm still glad I figured that out because it was fun messing with it.
@fireshredder24 5 years ago
I used the simplified first one to show an alert on the Poem of the Masses. I feel accomplished now.
@DanteEhome 4 years ago
Well, it helps me understand that browsers discard useless information, or at least what they cannot understand. So it's not completely useless I guess :)
@razvannechifor365 5 years ago
I'm a beginner in pentesting and programming languages and one thing that I learned is that "You can't call yourself a hacker until you write a program/script of your own". Copy paste is just to have an idea of how things work.
@aniketpatil6111 5 years ago
Razvan Nechifor it's called script kiddies, but use your own script.
@razvannechifor365 5 years ago
@@aniketpatil6111 sorry I didn't know that... But I just learned a new thing, thx man :D
@aniketpatil6111 5 years ago
Razvan Nechifor no worries mate, just don't be a script kiddie. Use tools and learn how they are made. Actually the hacker definition is one who is curious about how computers work and tries to enhance them. That's it! Be that hacker www.catb.org/esr/faqs/hacker-howto.html read the essays of ESR
@0dWHOHWb0 5 years ago
The best way to learn programming is, or at least starts with, reading good code. Obviously to internalize that knowledge you have to write your own shit that utilizes what you've learned in practice but it starts with looking at what has been done before. All knowledge is cumulative and builds on previous work. Ask a lot of questions (Why is this built this way? How do you use this in X situation? How do I apply this? What about X other technology?) and don't give up until you find your answers.
@razvannechifor365 5 years ago
@@0dWHOHWb0 Of course, but you need to understand what you are looking at, right?
@Brentiannoli 5 years ago
I like the casual use of port 1337
@ahmedmani1051 4 years ago
So wait, you're telling me I was mispronouncing regex all this time
@TimLF 5 years ago
I'd like to see a nice concise XSS border case list... AFAIK banning "", "script", "object", "link", "svg", "*[on*]", "img[src~=.svg]", "style[innerHTML~=url(.*.svg]" will prevent XSS
@vurpo7080 5 years ago
That sounds a lot like fixing SQL injection by banning specific characters (in that someone will find a way to make it work anyway). An easier way to prevent XSS is to never include any user input in your HTML response without HTML-encoding it first. Because then, in addition to using a more reliable way, you actually allow people to *discuss* HTML and CSS stuff on your website without having to trigger a "banned words" filter.
@fluffydoggo 4 years ago
Every time I watch one of these videos, I think of how I really *dont* know HTML, and even JavaScript, when I've built so many applications out of them.
@christianlijs1346 5 years ago
I'm early! I can tell this is gonna be a good vid.
@samu6982 5 years ago
Every video on this channel is awesome
@zaphooxx8779 3 years ago
I know I am about 3 years late, but in the video you say that the "base" payload is Safari specific. However I tried a similar payload in Firefox and it works all fine there too. The main difference I see is that the link tag needs an actual value in the href attribute to make it work. If the href is empty as in the last line of the tweet it won't work, as it won't prepend the base URL to an empty href. However a simple "#" is sufficient. Maybe this is just something that is possible now and wasn't in 2018? Whatever, what are the odds someone actually reads this post :)
@sashimisub8536 a year ago
Maybe WebKit specific? Both browsers are based on WebKit
@xunxekri 5 years ago
That safari vector is actually pretty cool. I'm technically not even in chapter one, but I understood the code from the start, lol.
@xunxekri 5 years ago
Except the slashes at the end, I'm glad you explained that.
@Juplay_FV 5 years ago
Heh, watching your videos in class as always, since this is still a lot more interesting than spending 4 hours on something that 1. is insecure and outdated anyway, 2. I already learned privately 2 years ago, 3. even the teacher has no clue about. (Among other things, until today he thought that PHP and JS both run server-side and that Bootstrap is a program for designing websites via drag and drop.) (And yes, I'm currently doing a vocational school training as an IT assistant, Informationstechnischer Assistent.)
@chaosmagican 5 years ago
Ah, the good old ITA... At least you don't have to explain to your "HTML teacher" (sic!) that there is also . At least you use your time sensibly, we all played Pokémon on an emulator :D Ah, the good old "calculator" that just gave you admin rights at 13+37, XP was something fine.
@Juplay_FV 5 years ago
@@chaosmagican Well, the subject is called Databases, but we also do HTML there, yes...
@chaosmagican 5 years ago
@@Juplay_FV For us those were two subjects, although Databases in the first year meant Excel. The teacher (an Indian with bad German) was the coolest though. He always printed out DIN A1 (sic!) sheets with exercises for us. If you had a question: "press F1, you get help" 😂 (though I don't know whether I should cry or laugh). I hope you have somewhat more competent teachers than that. In retrospect I only did the ITA (+ Fachabi) for the Fachabi. Apart from a bit of IOS (the Cisco one) I didn't really learn anything there. One more question though. Back then I was the first year that could make use of the following deal: after finishing the ITA you spend 6 months gaining practical experience (it should be something technical) and then you can take your FiSi qualification at the IHK (exam + project only). I was one of three in my class who did that, it was actually pretty easy for me. I only studied for the business part. Is something like that standard now, or can you do something like that too? In my case it was a cooperation between my school and the IHK. I'm a FiSi now even though I actually do 95% application development.
@Juplay_FV 5 years ago
@@chaosmagican At our school (BK Rheine) at least that is standard now, though I don't know whether that applies to all schools. I couldn't do it though, because the programme was already full that year.
@victornpb 5 years ago
XSS level: tries to share a XSS script on twitter... XSS twitter.
@exodus4405 5 years ago
I have no clue what you are talking about but I like it
@musicstreams3479 5 years ago
I was curious if maybe the first tweet was formatted that way with the specific purpose of bypassing the chrome/Firefox XSS auditor? I thought it was mostly pattern recognition but I might be wrong!
@jozsefsebestyen8228 5 years ago
Or even skip some HTML sanitizers
@maowtm 5 years ago
@@jozsefsebestyen8228 I don't think any scanner is going to allow an onclick attr…
@mswilladsen 5 years ago
Your videos keep being educational and interesting.
@Nozomu564 5 years ago
Wait, wouldn't it work in Chrome on iOS? It could make it actually worth some $.
@Omio9999 5 years ago
A different vulnerability was talked-about on this channel, and it only netted I think like $5k from Google, along with a browser-crash handler as a form of protection, since Apple isn't putting a lot of love into Webkit.
@silverzero9524 5 years ago
is $5k less?
@Omio9999 5 years ago
@@silverzero9524 If Apple were to actually ever bother to FIX Webkit, then yeah, it'd be probably $25,000, which is some more serious bank.
@JamesBalazs 5 years ago
@@Omio9999 $7500 I believe, saw that video recently. Apple wouldn't have awarded anything for it, even though it was a WebKit issue. Google paid out because the guy reported it to them thinking it was a Chrome issue, and they were kind enough to reward him regardless. Afaik Apple don't really value this sort of stuff, so in terms of a bounty it's worthless.
@Omio9999 5 years ago
@@JamesBalazs Until the industry changes, and either throws Apple out of business, or Apple gets back into actually fixing their still-open exploits, I still agree.
@hadinossanosam4459 5 years ago
I have no clue about XSS, but I thought the Safari one had to be way more interesting because it's so specific... (like where is the difference in Safari that makes it react differently?)
@liteoner 5 years ago
It uses WebKit, a different engine
@domaincontroller 3 years ago
02:35 let's have a look at these two XSS vectors
@matte.309 3 years ago
I didn't realize you can access other attributes on a DOM element as arguments in the onclick event handler.
@lordmummie 5 years ago
What I really wonder is how you would stumble upon these quirks. Is it eternal research? Throwing "random" stuff into "random" places? Researching weird bugs, finding what caused them and then seeing if you can exploit it? If anyone could tell me it'd be highly appreciated!
@nikkiofthevalley 2 years ago
Eternal research and educated guesses.
@nickhubbard3671 4 years ago
Very thoughtful!
@talboris 5 years ago
How can I send a cookie in an HTML event tag? I don't want just alert(1), and ' " ' is filtered.
@soviut 5 years ago
Feels like the first tweet was a code joke; Especially with the setup.
@thaumictom 5 years ago
So if you can actually inject HTML stuff into inputs, why don't websites just remove the before the query gets used and executed?
@Jimmy1985 5 years ago
That is what they are supposed to do! Encode the < into &lt; and not execute it... The issue is developers learn to develop fast and loose with old ways.
@thaumictom 5 years ago
@@Jimmy1985 Oh well, thank you!
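A worked example, added here and not code from the video or from any commenter in this thread, tying together SuperMarkusparkus's point above that "jAvAsCriPt:" inside eval() is parsed as a JavaScript label, the blacklist discussion under Walter_'s comment, and the advice from vurpo7080 and Jimmy1985 to HTML-encode input rather than filter it. The markup, function names and the attacker string are constructed for this example and are not the tweet's payload. Run it with node.

```javascript
// Added example (not from the video or any commenter). Shows (1) why the case of
// "jAvAsCriPt:" is irrelevant once the string reaches eval(), (2) how a
// case-sensitive blacklist is sidestepped, and (3) contextual output encoding,
// the fix the thread recommends. All names and inputs here are constructed.

// (1) A "scheme:" prefix inside eval'd code is just a label on the statement
//     that follows; everything after "//" is a line comment.
function evalWithLabel(label, expr) {
  const src = `${label}:${expr}//anything after this is a comment`;
  return (0, eval)(src); // indirect eval: runs in global scope, returns completion value
}

// (2) The naive defence: reject input containing lowercase "dangerous" strings.
function naiveBlacklist(input) {
  return ["javascript:", "<script", "onclick"].some((bad) => input.includes(bad));
}

// (3) The real defence: encode user input for the HTML text/attribute context it lands in.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: user input concatenated straight into markup.
function renderUnsafe(name) {
  return `<output>Hello ${name}</output>`;
}

// Hardened: same markup, input encoded for an HTML text node.
function renderSafe(name) {
  return `<output>Hello ${encodeForHtml(name)}</output>`;
}

// Constructed attacker input: mixed-case handler name and scheme prefix slip past
// the lowercase blacklist; once encoded the markup is inert text.
const ATTACK = '<output oNcLiCk="eval(this.dataset.x)" data-x="jAvAsCriPt:alert(1)//">click';

console.log(evalWithLabel("jAvAsCriPt", "6*7"));   // 42: the label is ignored
console.log(naiveBlacklist(ATTACK));               // false: blacklist bypassed
console.log(renderUnsafe(ATTACK));                 // live <output oNcLiCk=...> element
console.log(renderSafe(ATTACK));                   // &lt;output oNcLiCk=... as plain text
```

The encoder targets HTML text and double-quoted attribute values; a value that lands in a URL, a script block or a CSS context needs that context's own encoding, which is why the thread's "encode for the context" advice beats any list of banned words.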
@Seltyk 4 years ago
Why can those extra slashes be in the second tweet without generating a comment? Most programming languages I'm familiar with will break into a comment the instant you give it an excuse, so why is JS just allowing these nil subdirs instead?
@stonedhackerman 5 years ago
yo, but where did the sim cards/cellular network hacking videos go? I was sooo thrilled for them
@diemaco 5 years ago
make a website and hide something inside of it and we need to try to find the secret
@over00lordunknown12 4 years ago
When I first saw this video when it was new, I didn’t really understand why it mattered, but now I see the prowess that was involved with the Safari one.
@user-xw6fg5pi8q 5 years ago
You could say obfuscating code isn't crazy because the output is not made to bypass the website (aka xss)
@Hans5958 5 years ago
It's just LO explaining the philosophy of hacking, not the hacking itself.
@squidneyj7097 5 years ago
You're not being too pessimistic. Poor educational materials are frustrating for anybody, especially the people that devoted their time to learning from that resource.
@nowonder9466 3 years ago
Would this be considered dom xss? The second one.
@pauribelles7920 5 years ago
Are you thinking on making a Discord server any time soon? Through a Discord server this community could grow so much, it could be awesome!
@codechapter6960 5 years ago
TBH I think that liveoverflowperson.grabname() (I don't know your name) is genuinely one of the few large coders who try to help people learn instead of putting them off. Well done, nice vid.
@JackBond1234 5 years ago
Do people post XSS vectors without explaining them? I might be inclined to try to figure it out whether it looks fake or not, but it's kind of rude to not provide an explanation.
@ne12bot94 5 years ago
Here's a question: if a professional programmer used other people's apps to pentest their work, does that make them a script kiddie? Sorry, I'm just throwing it out there.
@onion2445 5 years ago
If you don't understand what the program is doing, then yes.
@derekkleinhen5290 5 years ago
Forgive me if I am misinterpreting this, but couldn't the base href injection be used even more maliciously to direct traffic to an attacker-controlled server? For example, if the attacker injected the base href tag to point to a domain owned and controlled by the attacker, wouldn't every relative reference on the page be redirected to the attacker's server, since the base href is set to be a domain he controls?
@LiveOverflow 5 years ago
yup, but it's not so bad... I can also send you a link and you will probably click on it ;)
@derekkleinhen5290 5 years ago
@@LiveOverflow Definitely, but users would trust links embedded on a site they know far more than they would trust a link randomly sent to them imo. Thanks for the reply!
@bibliophile5863 5 years ago
Is there a reason that you have to use ///// at the end of the payload instead of just /*? I don't have a Mac so can't test it...
@twistedsim 5 years ago
It's explained in the video, keep watching
@baranoid 5 years ago
i don't think /* would work in a url the same way it works in a regex
@pascal-t 5 years ago
The slashes are treated as subdirectories on the web server, not as comments. If I understood correctly, by clicking a relative URL ("../lol/safari.html") the browser tries to evaluate the base URL. I assume the browser parses the payload as a subdirectory on the web server. That's why we need to add enough slashes at the end that the relative URL does not "step out of the payload subdirectory". Then, because the base URL starts with "javascript:", the following JavaScript is executed.
@Electropretzel 5 years ago
I don't totally agree that the first one is useless. It's not showing any new XSS technique or vulnerability but demonstrates a concept of bypassing lousy server side verification or a lousy WAF implementation, and it's an important thing that many beginners might not be aware of. Just wanted to add: "Not all that shines is gold". We all know those people in the industry for whom all they want is publicity, by impressing those who have no clue. You will probably meet those people in all subjects of life so no need to lose your shit :)
@LiveOverflow 5 years ago
it's equally useless for learning about different WAF bypass ideas and techniques.
@ksnoguru 5 years ago
@@LiveOverflow I am not aware of your background as a developer in the commercial industry, but believe me, I saw enough stupidity where people try to defend themselves against XSS by writing "fancy filtering stuff" which leads to being vulnerable to the "crap" you're "raging" about. But in general yeah, crap cakes.
@LiveOverflow 5 years ago
I'm very aware of those ;) But these filters are unique, and a generic tweet doesn't make sense. These might all be valid options to bypass some filters, but the tweet was about the "" tag and not about filters. I briefly mentioned in the video that the excuse could be "bypass filter", but I don't buy it. For me that's just an excuse.
@Electropretzel 5 years ago
Don't get me wrong, you are right about the tweet, hence my second part of the comment. BUT if someone does want to learn about XSS (and that time will come very fast), by analyzing that crappy post like you did in your video, he will learn a bunch of new stuff. That's why I said "I don't totally agree".
@LiveOverflow 5 years ago
@@Electropretzel but if it is about WAF bypass, how could they analyze it? The author didn't provide a test site with a specific WAF where you can play around and analyse the bypass. For sb. who doesn't know/understand WAF, analyzing this will just be confusing, and for anybody who knows how you can encode stuff, there is nothing new.
@Kendo121e 5 years ago
What editor did you use to write that PHP stuff?
@Gameboygenius 5 years ago
Looks like Sublime.
@Kendo121e 5 years ago
@@Gameboygenius Yeah I thought it was, so I downloaded it. It is.
@sandeepjadam4220 5 years ago
How can I trace and capture my TV set-top box data plz.. Make a video
@Philbertsroom 5 years ago
"Identifying good research" on twitter
@faik... 5 years ago
I would like to start studying reverse engineering and security. I only know Java, C# and JavaScript.
@leisureclub_ 5 years ago
You forgot that existing filters/WAFs expect the pattern of XSS payloads too. So in order to bypass those filters, one could add unnecessary things to the payloads...
@LiveOverflow 5 years ago
which would require careful analysis of this particular filter/WAF. A generic random collection of weird things is no help at all.
@leisureclub_ 5 years ago
@@LiveOverflow Yes. In order to bypass protection, first we look at the behavior of each application... So maybe in the first vector (for which you've said that these characters are useless/garbage in the payload) it may be working well for the payload itself to bypass the rules of a WAF, as there may be a blacklist instead of a whitelist.
@RAGHAVENDRASINGH17 5 years ago
No dude, capitalization is used to bypass filters and WAFs
@maheshrai6180 5 years ago
Sir I need some help in a CTF challenge, can you help me please?
@auxchar 5 years ago
I once got XSS via Minecraft chat. There was a server that had a chat widget on their website that would show the Minecraft server's chat, but it didn't do any sanitization.
@Kitsudote 5 years ago
lol, so you could just enter a script tag into the chat and it would work?
@rastakiwi3899 5 years ago
LiveOverflow hey did you hear a lot of hacking channels have been shut down by KZfaq, in other words, censored? Guided hacking and cheat the game for example. They did tutorials to cheat known games, but it was nothing illegal nor online and they worked hard for it. This is really sad and unfair. I hope the hacking community will react, and even more people, because KZfaq is censoring more and more stuff.
@youssef80000 5 years ago
Hey I was wondering if you had a video on VPNs and how they are coded
@AcheronLupus1 5 years ago
I thought you were going to say "A piece of valuable art" as opposed to "A piece of valuable research" there for a moment.
@dinargali4297 5 years ago
Best I've ever seen, thx maestro!
@XZzYassin 5 years ago
The second exploit is cool, but why would any production web server ask Safari to disable the XSS auditor?! because as I can tell it blocks the exploit from being executed.
@LiveOverflow 5 years ago
Could also be a stored XSS and then the auditor wouldn't matter. Just wanted to create a simple test environment.
@alissonbezerra7 5 years ago
Awesome video!
@valentingiorgetti1141 5 years ago
Thinking about the Safari XSS, instead of adding multiple slashes at the end, you could maybe just add a starting multiline comment, didn't test it. Anyway your video is very good.
@Gameboygenius 5 years ago
The relative path calculation is probably done before the JS is evaluated.
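An added example, not code from the video or from the commenters, for the questions above about the trailing slashes (Seltyk, bibliophile5863, pascal-t, valentingiorgetti1141 and Gameboygenius) and for zaphooxx8779's observation that Firefox accepts "#" but not an empty href. It resolves the relative link from the tweet, ../lol/safari.html, against a javascript: base in two ways: a legacy hierarchical resolver written here from RFC 3986, and the WHATWG URL class built into Node. The base payload used, a regex literal followed by a unary minus (javascript:/a/-alert(1) plus slashes), is an assumption standing in for the tweet's exact payload, which this page does not reproduce.

```javascript
// Added example (not from the video or any commenter): how ../lol/safari.html is
// resolved against a <base href="javascript:..."> and why the run of trailing
// slashes matters. PAYLOAD is an assumption standing in for the tweet's exact text.
const REL = "../lol/safari.html";   // relative href from the tweet
const PAYLOAD = "/a/-alert(1)";     // assumed: regex literal, then unary minus alert(1)

// Legacy-style resolution: treat "scheme:path" as a hierarchical path and apply
// RFC 3986 "merge" plus dot-segment removal, as older URL parsers did for any
// scheme. Authority and query handling are deliberately left out.
function resolveHierarchical(base, relative) {
  const colon = base.indexOf(":");
  const scheme = base.slice(0, colon);
  const segs = base.slice(colon + 1).split("/");
  segs.pop(); // merge: everything after the base path's last "/" is dropped
  for (const seg of relative.split("/")) {
    if (seg === "..") {
      if (segs.length > 1) segs.pop(); // each ".." consumes one more segment
    } else if (seg !== ".") {
      segs.push(seg);
    }
  }
  return `${scheme}:${segs.join("/")}`;
}

// WHATWG resolution as implemented by Node's global URL. Returns the href, or
// null where the spec returns "failure" (a browser then treats the link as dead).
function resolveWhatwg(base, relative) {
  try {
    return new URL(relative, base).href;
  } catch (e) {
    return null;
  }
}

// True if the javascript: URL a click would run still begins with the injected
// expression, i.e. the path arithmetic did not eat it.
function payloadSurvives(href, expr) {
  return href !== null && href.startsWith(`javascript:${expr}`);
}

// Resolve REL against bases with 1, 2 and 6 trailing slashes under both rule sets.
function demo() {
  return [1, 2, 6].map((slashes) => {
    const base = `javascript:${PAYLOAD}${"/".repeat(slashes)}`;
    const legacy = resolveHierarchical(base, REL);
    const whatwg = resolveWhatwg(base, REL);
    return { slashes, legacy, whatwg, survives: payloadSurvives(legacy, PAYLOAD) };
  });
}

for (const row of demo()) console.log(row);

// A base whose path does not start with "/" has an opaque path under WHATWG rules:
// "../x" cannot be resolved against it, "#" can, and an empty href cannot.
const OPAQUE = "javascript:alert(1)//////";
console.log(resolveWhatwg(OPAQUE, REL), resolveWhatwg(OPAQUE, "#"), resolveWhatwg(OPAQUE, ""));
```

The merge step drops the base path's last segment and every ".." in the relative link drops one more, so with a single trailing slash the injected expression itself is removed and the click runs javascript:/a/lol/safari.html; with two or more slashes the expression survives and the rest of the relative path lands behind it, from three slashes on behind a "//" comment. The regex literal in the assumed payload is what makes the path begin with "/" so that a WHATWG parser treats it as hierarchical at all; with a base like javascript:alert(1)////// the path is opaque, "../x" fails, and only "#" still resolves, which matches the Firefox behaviour reported above.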
@josephademircedenobonilla623 5 years ago
I reached here without knowing and don't understand what's going on here, but have your like. Unknown programmer.
@usamaxwati4696 4 years ago
People have made XSS a business, they are selling their tools; for no reason! ALAS! Love you ❤️.
@ungebildet 5 years ago
I can't find his tweet somehow. Can you post a direct link, please? I'd like to upvote it.
@Einimas 4 years ago
That pressing of a like button was my original idea, lol.
@adrian2433 5 years ago
14:36 can't you use that to trigger an onerror event?
@xppaicyber3823 5 years ago
"Ding ding"
@HardikGhoshal 5 years ago
Dunning-Kruger effect in action
@mkontent 5 years ago
I think you didn't do good enough of a job explaining why the second tweet is so cool. You made it sound like some elitist bullshit (this is art, this is true hacking). So let me help you out: the reason it is so cool is because it demonstrates the understanding required to construct complex attacks that would work on real systems and setups (as opposed to dull hackmes and homebrew code).
@lukamitrovic7873 5 years ago
Which OS do you use?
@dramforever 5 years ago
13:20 I couldn't help but want to say just put a line break there.... maybe?
@sodiboo 4 years ago
Wouldn’t the comment negate that as just plaintext?
@dramforever 4 years ago
@@sodiboo You reminded me to actually try it and it seems that neither of us is correct. A line break in a href attribute seems to just get stripped away. To be honest I don't really know or care much about why since I don't do this stuff...
@tortotifa5287 5 years ago
Don’t you think that the first tweet script could be some WAF evasion??