German anger has changed a lot in 70 years, hahaha!

calmly and analytically breaking down why someone's statement is wrong is very much German anger :D

I wouldn't like to see German anger :|

Some experts make simple things difficult to understand realizing that most people reading their content are beginners. Other experts wouldn't share it. It's beginners who think that it's cool because it's difficult to understand and spread it. Those experts get high when nobody understands them..

You say that "jAvAsCriPt:" uses unecessary capitalization, but actually it is completely unnecessary since it's not a protocol handler, it's, interpreted by eval() as an arbitrary javascript label. Labels should be followed by a colon. Then following the label is a single line comment. The whole javascript label, upper case, lower case or mixed case is unecessary :)

You are fine. I leaned stuff as usual, thanks for sharing!

@LiveOverFlow How about last video where you mixed people talking DISCS and DISKS and blaming them when you were wrong when tried use DISC program for the DISK media? What you think about it? How about correction? I understand you are programmer and not after hardware... It makes sense such silly mistake.

​@@XantheFIN I think there is a misunderstanding of the situation here. I thought I made it very clear in the video that it was a joke to blame the person, because right before of that I acknowledged how embarrassed I was. Also I think google search autocorrected disk/disc and I didn't pay attention when searching. And of course I thought a tool that can create an image of a CD could also create an image of a HDD, because on linux both is exposed as a regular block device that you can read from. So making an image with `dd` would be the same for CD as for a HDD. Thus I didn't think in the rush of the moment that this might be different for Windows. If you have further questions or want some more clarification, feel free to write me an email ;)

To be fair, Safari actually gets a lot of the newer feature implemented faster than most other browsers. The issue is, though, that a lot of times it's a little too fast and end up with exploitable features, where most other vendors waits until it's as much tested as possible. The reason Apple does this is that they use a lot of the new features way ahead of others in their own products; which is safe enough to do as it is not the internet, but sometimes the features end up in the same or similar fashion when they get officially supported.

@@dealloc Data list Service workers Vibration API Battery API WebGl 2.0 Background sync API Web MIDI API TLS 1.3 WebM Push API Web Bluetooth

@@kmcat Safari has a lot of APIs under experimental flags before being pushed out. But that is not to mention; Data lists-while actually in WebKit behind a feature flag, it's an odd one that I couldn't find much information about. Service workers are supported in Safari now. They were proposed (in 2014) in collaboration between Google, Samsung and Mozilla and were implemented by them first, although behind experimental flags initially. Vibration API was removed from WebKit due to privacy concerns and is currently in a second draft in W3C.

Safari and Chrome use the same engine

@@IsaiahGamers Chrome uses its own engine called Blink, which is based on WebKit but heavily modified. Only on iOS does it use WebKit, as it is required by Apple.

good point there

who exactly browse #xss anyways, seems a bit skitty imo

Bots, probably

lol

who the fuck sleeps at 3 am

IT folk (and I guess especially hackers) are creatures of the night :)

Whats sleep?

Are u guys knew to sleep?

tHe pEoPLe wHo wErE meAnT tO sEe iT, iNdEeD SaW it

YoU KnOw, OnLy GeNiUsSeS WrItE LiKe ThIs

@@Walter_ Years ago, after a closed head traumatic brain injury, my husband wrote like this.

@rl1k Doe which is why we, at least in the enterprise Java world, use case insensitive and fuzzy matching for blacklists...

@rl1k Doe depends on the application :)

@@peterjohnson9438 it's a blacklisting escape if they are looking for 'javascript' or 'script' with a bad filter. I've seen some really bad filters, though with enough effort there's very few that survive the test.

that was not the point of the tweet though - it was about the XSS in the output tag (not about WAF bypasses). Imo it's simply an excuse used to distract from what I believe is the real reason: making it look more crazy to mislead and deceive people.

@@LiveOverflow It's just an ego thing like: "my skill is this high, that obfuscating is the standart; look mom: I can read it fluently" or something like this. Does it even matter, if the author don't care to educate on twitter? I don't know the author, but I saw your dispute with this xss-tool-selling-dude, so if this payload belongs to misleading people to sell some shit, than the world will get your message. I also think, that the itsec community is build on learning from each other but if some dudes want to show their vitrual balls, there is no need to beat this tweets to death. Anyhow, cool vidoe. Learned something new. Would love to see some "more guide like" guides to bypass WAFs and how to work with different contexts and encoding.

No, plenty of people do coding challenges. This is one of few people who make good security-related videos.

Brute logic is such a hack.

Razvan Nechifor it’s called script kiddies but use your own script.

@@aniketpatil6111 sorry I didn't know that... But I just learned a new thing txh man :D

Razvan Nechifor no worries mate just don’t be script kiddies. Use tool and learn how is it made actually hacker definition is the one who is curious about how computers work and trying to enhance them. That’s it ! Be that hacker www.catb.org/esr/faqs/hacker-howto.html read the essays of ESR

The best way to learn programming is, or at least starts with, reading good code. Obviously to internalize that knowledge you have to write your own shit that utilizes what you've learned in practice but it starts with looking at what has been done before. All knowledge is cumulative and builds on previous work. Ask a lot of questions (Why is this built this way? How do you use this in X situation? How do I apply this? What about X other technology?) and don't give up until you find your answers.

@@0dWHOHWb0 Of corse but you need to understand what are you looking at right ?

That sounds a lot like fixing SQL injection by banning specific characters (in that someone will find a way to make it work anyway). An easier way to prevent XSS is to never include any user input in your HTML response without HTML-encoding it first. Becaude then, in addition to using a more reliable way, you actually allow people to *discuss* HTML and CSS stuff on your website without having to trigger a "banned words" filter.

Every video on this channel is awesome

Maybe WebKit specific? Both browsers based on WebKit

Except the slashes at the end, I'm glad you explained that.

Ach der gute alte ITA... Wenigstens musst du deinem "HTML-Lehrer" (sic!) nicht erklären dass es auch gibt. Wenigstens nutzt du deine Zeit sinnvoll, wir haben alle Pokemon auf Emulator gezockt :D Ach der gute alte "Taschenrechner" der dir bei 13+37 einfach so Adminrechte gegeben hat, XP war schon was feines.

@@chaosmagican Naja, das Fach heißt zwar Datenbanken, aber wir machen da auch HTML, ja...

​@@Juplay_FV Das waren bei uns zwei Fächer, wobei Datenbanken im ersten Jahr Excel bedeutete. Der Lehrer (ein Inder mit schlechtem deutsch) war aber der geilste. Der hat uns immer DINA1 (sic!) Blätter mit Aufgaben ausgedruckt. Wenn man eine Frage hatte "druckst du F1 kriegst du Hilfe" 😂 (wobei ich nicht weiß ob ich weinen oder lachen soll). Ich hoffe du hast halbwegs kompetentere Lehrer als sowas. Retrospektiv habe ich den ITA (+Fachabi) nur wegen es Fachabis gemacht. Bis auf ein bisschen iOS (das von Cisco) habe ich dort nicht wirklich was gelernt. Eine Frage habe ich aber noch. Ich war damals der erste Jahrgang der von folgendem Deal gebrauch machen konnte: Nach ITA-Abschluss gehst du 6-Monate Praxis sammeln (irgendwas technisches sollte es wohl sein) und dann kannst du deinen FiSi-Abschluss bei der IHK machen (nur Prüfung+Projekt). Ich war einer von dreien in meiner Klasse die das gemacht haben, war eigentlich ziemlich easy für mich. Ich habe nur für den Wirtschaftsteil gepaukt. Ist sowas mittlerweile Standard bzw. kannst du sowas auch machen? Bei mir war es damals jedenfalls eine Kooperation meiner Schule und der IHK. Bin jetzt FiSi obwohl ich eigentlich zu 95% Anwendungsentwicklung mache.

@@chaosmagican bei unserer Schule (BK Rheine) zumindest ist das inzwischen Standard, weiß jedoch nicht ob das für alle Schulen gilt. Ich konnte es jedoch nicht machen, da das Programm das Jahr schon voll war.

Or even skip some HTML sanitizers

@@jozsefsebestyen8228 I don't think any scanner is going to allow a onclick attr…

A different vulnerability was talked-about on this channel, and it only netted I think like $5k from Google, along with a browser-crash handler as a form of protection, since Apple isn't putting a lot of love into Webkit.

is $5k less?

@@silverzero9524 If Apple were to actually ever bother to FIX Webkit, then yeah, it'd be probably $25,000, which is some more serious bank.

@@Omio9999 $7500 I believe, saw that video recently. Apple wouldn't have awarded anything for it, even though it was a WebKit issue. Google paid out because the guy reported it to them thinking it was a Chrome issue, and they were kind enough to reward him regardless. Afaik Apple don't really value this sort of stuff, so in terms of a bounty it's worthless.

@@JamesBalazs Until the industry changes, and either throws Apple out of business, or Apple gets back into actually fixing their still-open exploits, I still agree.

It uses WebKit, a different engine

Eternal research and educated guesses.

that is what they are supposed to do! encode the < into &lt; and not execute it... issue is developers learn to develop fast and loose with old ways

@@Jimmy1985Oh well, thank you!

If you don't understand what the program is doing, then yes.

yup, but it's not so bad... I can also send you a link and you will probably click on it ;)

@@LiveOverflow Definitely, but users would trust links embedded on a site they know far more than they would trust a link randomly sent to them imo. Thanks for the reply!

it's explain in the video keep watching

i don't think /* would work in a url the same way it works in a regex

The slashes are treated as subdirectories on the web server not as comments. If I understood correctly by clicking a relative url ("../lol/safari.html") the browser tries to evaluate the base url. I Assume the broser parses the payload as a subdirectory on the web server. Thats why we need to add enough slashes at the end that the relative URL does not "step out of the payload subdirectory". Then because the base url starts with "javascript:" the following javascript is executed.

it's equally useless for learning about different WAF bypass ideas and techniques.

@@LiveOverflow I am not aware of your background as a developer in the commercial industry, but believe me, I saw enough stupidy where people try to defend themselves against XSS by writting "fancy filtering stuff" which leads to being vulnerable against the "crap" you're "raging" about. But in general yeah, crap cakes.

I'm very aware of those ;) But these filters are unique, and a generic tweet doesn't make sense. These might all be valid options to bypass some filters, but the tweet was about the "" tag and not about filters. I briefly mentioned in the video that the excuse could be "bypass filter", but I don't buy it. For me that's just an excuse.

Don't get me wrong, you are right about the tweet, hence my second part of the comment. BUT if someone does want to learn about XSS (and that time will come very fast), by analyzing that crappy post like you did in your video, he will learn a bunch of new stuff. That's why I said "I don't totally agree".

@@Electropretzel but if it is about WAF bypass, how could they analyze it? The author didn't provide a test site with a specific WAF where you can play around and analyse the bypass. For sb. who doesn't know/understand WAF, analyzing this will just be confusing, and for anybody who knows how you can encode stuff, there is nothing new.

Looks like Sublime.

@@Gameboygenius yea I thought it was so I downloaded it. It is

which would require careful analysis of this particular filter/WAF. A generic random collection of weird things is no help at all.

@@LiveOverflow Yes,. In order to bypass protection, first we see the behavior of each application...So, may be in first Vector (for which you've said that these characters are useless/ garbage in the payload) may be working good for the payload itself to bypass rules of WAF. As there may be black list instead of white list.

lol, so you could just enter a script tag into the chat and it would work?

Could also be a stored XSS and then the auditor wouldn't matter. Just wanted to create a simple test environment.

The relative path calculation is probably done before the JS is evaluated.

Wouldn’t the comment negate that as just plaintext?

@@sodiboo You reminded me to actually try it and it seems that neither of us are correct. &NewLine; in a href attribute seems to just get stripped away. To be honest I don't really know or care much about why since I don't do this stuff...

that's the excuse