
How did Masato find the Google Search XSS?

Views: 161,846

LiveOverflow

A day ago

We will go over a few puzzle pieces and discuss XSS research... and we find evidence of a XSS conspiracy!!11!!!1! 😱
fuzzing: gist.github.co...

Comments: 137
@4.0.4 5 years ago
1) join obscure group with few people 2) obsess over niche topics 3) spend years dwelling on the arcane *4) realize you've been initiated into a secret order of the elders*
@tacokoneko 5 years ago
as a minecraft player since 2010 i realized this is what i am to all the new players from the popularity surge simple survival tricks like elevators, auto farms and optimized pathway and construction techniques awe them god forbid i walk past people wearing early minecon capes, players gather and stare.. if only i could have put tens of thousands of hours into something actually useful like electronic engineering..
@rippspeck 4 years ago
Masato: I exploited the frontpage of the internet. rando: i liek minecraft
@TheDuked 4 years ago
@@tacokoneko damn, this comment hit hard bro, the amount of time I could have spent better.
@nug203 5 years ago
I knew it had to be a conspiracy. There's no other explanation for why I can't find $100k bugs with just one year of experience. Thanks for validating that it's definitely not me!
@ultronhack8151 4 years ago
what about now let me know
@TypicalURL a month ago
What about you now ​@@ultronhack8151
@Skulard 5 years ago
07:33 "Don't hug me I'm scared" the freaking Notepad!
@OrioPrisco 5 years ago
oh god no
@floatingblaze8405 5 years ago
I think that's the leafpad editor
@Skulard 5 years ago
@@floatingblaze8405 for me it looks like the notepad from dont hug me im scared the "creativity" episode
@JaytleBee 5 years ago
Now let's all agree To never be creative again
@macarena3184 5 years ago
green is NOT a creative color! ¯\_(ツ)_/¯
@finesseandstyle 5 years ago
Thanks for that final bit where you say not to be frustrated. I'm personally not into XSS atm but it still applies to what I want. Sometimes I just get frustrated at people who are much younger than me and accomplished much more in less time. I needed that
@AlbertoRestifo 5 years ago
I love how you never create this image of being genius, but always point out that your incredible knowledge is the result of years of dedicated work. You're an inspiration, keep up the incredible work!
@LasermanSteam 5 years ago
I thought the conspiracy was going to lead to "it turns out the way they are all connected is that they all... WROTE FOR SKILLSHARE, AN ONLINE LEARNING COMMUNITY WITH THOUSANDS OF CLASSES etc."
@Rngplayhard 5 years ago
Thank you... As a new pentester I tend to feel demoralized sometimes but your video helps!
@Charioo 5 years ago
i love watching your videos but i hardly have any clue what they mean 99% of the time
@WhyGodby 5 years ago
99.9% of the audience
@lucasmenicucci8102 5 years ago
Yeah, sometimes I think the explanation goes too fast
@v380riMz 4 years ago
Lucas Menicucci you can’t really explain how browser parsers work within 10 minutes. To understand you’d have to work with them and dig deeper in the documentation. I didn’t understand shit either. These guys are on another level so it doesn’t really matter anyway
@danielchequer5842 4 years ago
I just like to pretend that I know programming bc I can explain to people what HTML means.
@user-zu6ts5fb6g 4 years ago
If you know javascript on an intermediate level, you will understand a lot of this. However only real xss researchers will read the documentation as closely as these guys did. This is what you'd have to do in order to understand this video.
@abdullahnaseer2533 5 years ago
I barely know complex concepts of coding etc but that XSS video was so well explained
@questwalkerko 4 years ago
"dont feel bad that you didn't find that stuff" and sometimes I lose a battery between the couch cushions that I never find again
@XDRosenheim 5 years ago
So basically, shower thoughts.
@devtekve1396 5 years ago
This is by far my favorite channel
@ewyg 5 years ago
hope you can make more video about xss. how can we find xss in multiple ways. where can we learn xss. what tools can we use to help us find xss.
@eigenmishi_in_3d 5 years ago
Thank you for the info, and for the positive encouragement
@DEBBAH1907 5 years ago
I was never this early.
@iyxan2340 5 years ago
Me too
@sebastianelytron8450 5 years ago
If you're early post something witty/clever to get lots of likes!! People these days smh
@DEBBAH1907 5 years ago
@@sebastianelytron8450 I don't care about likes m8
@ra6160 5 years ago
thx to liveoverflow, u rock!
@technostrife1330 5 years ago
BeautifulSoup in python is not vulnerable to this attack
@sebastianelytron8450 5 years ago
What next? Your mom is not vulnerable to rape? EVERYTHING is vulnerable
@bailey125 5 years ago
@@sebastianelytron8450 Notice how they said 'THIS attack'? They never said "BeautifulSoup in python is not vulnerable to any attack". Of course everything is vulnerable, but many things are immune to certain attacks.
@juliavanderkris5156 5 years ago
@@sebastianelytron8450 They said "this attack", you idiot. As in, this specific payload.
@glowingone1774 5 years ago
@@sebastianelytron8450 god dam you're fucking stupid.
@tmack729 5 years ago
@@sebastianelytron8450 cringe
@4pThorpy 5 years ago
Loved the "don't hug me I'm scared reference" green is not a creative colour!
@batchrocketproject4720 a year ago
This is fascinating, thanks for posting. I have a very naive question that hopefully some reader can answer. I'm well aware of the idea of xss and the efforts put into preventing it but my question is - why? What can it do? The only examples I've ever seen involve showing a popup. Now I get that an xss can execute more than js alert but so what? What use is, for example, reading a cookie to a hacker? How would they ever get the results of their script? Before I get shouted down, I'm not for one minute suggesting there is not a problem, I just want to understand what the problem is. Thanks.
@ganstabreakincity 5 years ago
Great video, I commented you on twitter the other day about gmail xss
@iyxan2340 4 years ago
Past: hello Too Ez Man! Now :
@gabohXD 5 years ago
And I'm just here... starting with html and css :')
@masonp1314 5 years ago
So, say someone finds an XSS, but on some website you might not have been asked to find an exploit.. how do you alert the company, without getting into trouble?
@EricWilliamsCG 5 years ago
Why would you worry about getting in trouble? If you really want to stay anonymous email them from temp-mail.org or a similar temp mail service.
@renakunisaki 5 years ago
It's tricky. Many will be grateful if you just send an email with your findings, but occasionally you get the dingus who threatens to sue you for "hacking their internets". It's best to report them anonymously, just in case.
@DylanMaddocks 5 years ago
There's a site called hacker one, along with similar sites where companies put their websites up and give rewards for any vulnerabilities you find. The larger the site (Facebook, squarespace, etc.) the more you get for the bug. I checked it out a few years ago and they can pay thousands of dollars for the discovery of a bug. If the site is not on hacker one or the similar sites check if they have the code on github and you can submit the bug there. Otherwise find their TECH email. I would not recommend telling just anyone at the company about it, they're likely to panic and their superiors might try to sue you for breaking their terms of service.
@JonathanGray89 5 years ago
That's easy, unless there is a bug bounty or something for it, just don't. It's simply not ethical to exploit a machine without permission. If you happened to already find the exploit then that's mistake number one. Mistake number two would be doing something about it. It's not your problem unless you make it your problem.
@kevinwydler7305 a year ago
Thank you, this was really motivating!
@yugioh8810 5 years ago
I thought he was saying My Quest instead of Mike West.
@bnal5tab90 5 years ago
the funny thing I was developing CSH (client side hacker) and found this weird parsing but I didn't think it will be in Google as it is a huge company
@bnal5tab90 5 years ago
this was 2 weeks ago
@steeveedeee 5 years ago
Amazing video. So inspiring!!
@Taaz2 5 years ago
Thank you very much for doing these videos ! :)
@sunnyyang1191 5 years ago
Hey there’s a website called BugMeNot which you may or may not have heard of. It used to be completely safe but now hackers are using it to share login credentials. Many accounts were hacked during the discord leak which were used on BugMeNot.
@aceinside 5 years ago
long story short, if you want to do security you'll never catch up and always be behind
@nataoh 5 years ago
Thank you very much for this video. It inspired me a lot. Thank you!!!
@RAGHAVENDRASINGH17 5 years ago
Your channel is awesome
@SianaGearz 5 years ago
6:55 in case someone knows where the gif of a girl putting a box on her head comes from, i'd be thankful.
@caboseisstupid 5 years ago
tenor.com/view/embarrassed-box-corner-asian-hide-gif-5201468
@filipstamcar6553 5 years ago
Why didn't Google just block all HTML tags? I understand they are needed for cases like emails but why then need HTML in search query?
@MEfe-de6in 5 years ago
then what? there is a vulnerability always. you can't block everything.
@AbdulKarim-fs5iw 5 years ago
Thanks for the follow up n details... ✌🏿️🖖🏿
@voulyful 2 years ago
What is the advantage to launch code in the clients (myself) browser?
@ilyboc 3 years ago
That's what people mean when they talk about hacking google with HTML
@j3r3miasmg 5 years ago
Every time you show some twitter prints, I keep thinking if you are part of this kind of conspiracy, this is just friendship between security researchers or if you are just stalking the top researchers like I do...
@soft-alloy2495 5 years ago
wow i thought this vid had been out longer
@quad7375 5 years ago
same here i thought this was old as well
@georgplaz 3 years ago
7:34 ptsd flashbacks ._.
@AnnoyingRains 4 years ago
XSS sounds like a programming language. .xss
@amogus7 2 years ago
why parse twice? just append already-sanitized DOM object to the document
@vexioz 5 years ago
Thanks for another interesting video
@hblaub 5 years ago
Experience = another word for just being old.
@NOLlFE1 5 years ago
No im 15 years old and i was a part of twitters hackathon.
@mix3k818 5 years ago
"LiveOverflow" Hm, I wonder where you got that from...
@sebastianelytron8450 5 years ago
lol good one
@mrdott2275 5 years ago
yah thats so good thank you so much love you
@seifenspender 5 years ago
That DHMIS reference :D
@tomrow32 5 years ago
Why not just change all characters to Unicode lookalikes before sending it to the renderer?
@amyshaw893 5 years ago
I'm pretty sure ive found a small exploit in a website. I can get html tag injection, but no xss, sadly
@want-diversecontent3887 4 years ago
Try injecting alert(1)
@jmannUSMC 5 years ago
Per👏se👏ver👏ance👏
@ultramoxx1148 5 years ago
0:10 yeah its just a XSS but!!! Its a XSS on fcking google! xD
@earl5954 5 years ago
Im learning a lot at the same time
@tomrow32 5 years ago
7:34 Oh no
@calebsykes4898 5 years ago
That was a really good video
@stephenkamenar 5 years ago
XSS is TRICKY
@Ouchie 5 years ago
6:52 IU!
@dayumnson9769 4 years ago
I think it's twitter 8:30 :D
@abdelmohyminzerocode8311 5 years ago
Good work pro
@birb9254 5 years ago
what is parsing?
@naufalhakim2828 5 years ago
Very interesting
@afzalsayed96 5 years ago
3:45 Draw puzzle pieces much? 😂
@AlexVasiluta 5 years ago
Nice
@ryanwakebradtelle8682 4 years ago
So what is the endgame of this type of exploitation?
@jstock2317 5 years ago
Complexity within your system creates nonrigorous behavior, and fundamentally represents weak design.
@eigenmishi_in_3d 5 years ago
Complexity represents weak design? How to create powerful systems then?
@jstock2317 5 years ago
Eigenmishi in 3D Ooh yeah, what I meant to say was that each part of a system should be simple and compartmentalized. But when the fundamentals are complex as well, then it represents poor abstraction and may be quite difficult to expand.
@MEfe-de6in 5 years ago
we are about to getting a fetish level that even not possible.
@jamesaylward2303 5 years ago
I would watch your videos but I know nothing : |
@erikjohansson1814 5 years ago
It feels as if you know a little bit about computers? Just guessing....
@Matt0x00 5 years ago
man i miss ha.ckers and sla.ckers
@BadAimWeeb 5 years ago
*seen*
@jwrm22 5 years ago
I won't say that getting as good as these guys is a waste of time. But keep in mind that working 12 years on XSS today might not be as beneficial. We do not know what the world will look like in 12 years. Everything you do now will help you in the future, so learn a new skill.
@user-tn3fo3pj2x 5 years ago
i got to bet you need 10years to become software pros, and another 10 years to become a real hacker!
@4.0.4 5 years ago
It highly depends on challenging yourself constantly. Some people spend decades doing the same thing and are just barely good at it. Others become masters in their craft after a few years. The difference? The real pros don't see it as a job, but a passion. You too can become LiveOverflow if you Live the Overflow.
@TimHoekstra 5 years ago
slackers unite!
@mellbonus1337 5 years ago
Monsanto
@superjugy 5 years ago
Green is not a creative color!
@forgedwithsteel 5 years ago
i like your voice.
@necronomicon1472 5 years ago
"I thought we could talk about how Masato found this XSS and milk the cow some more."
@armaansameer8171 5 years ago
💯🚩
@iyxan2340 5 years ago
754th VIEWERS!
@-Keystoeducation 2 years ago
f
@MsTobistar 5 years ago
You can just hear that you're a German speaker too 😅 but good video 👌🏼
@terra1355 5 years ago
11th!
@ra6160 5 years ago
fuckkkkkkkk
@vkredgod2340 5 years ago
Big early
@madghostek3026 5 years ago
notification squad
@crazymemes4080 5 years ago
Bro i want to get connected with you in any social media plz bro
@PeachyGreed 5 years ago
No X-Files theme song? Downvoted sorry.
@michaelselui6998 5 years ago
Only Google search engine, what about others (Duckduckgo )😂, we shouldn't use Google anyway
@xXLanyuzAnlunXx 5 years ago
You can try it too!
@Matt0x00 5 years ago
Don't use google... he says from a comment on KZfaq