It must be an AI. There is no way the Real liveoverflow would have ever let this slip, He cut it, he render it, he watch it He uploads it. Multiple occasions where an Actual human would have seen the magical number but not an AI.. For an AI it's just a number. Therefore Liveroverflow has replaced himself with an AI
Nice video explaining the issue. One thing that I think is good to mention is what is the underlying mistake. This makes it a better resource for devs and also for researchers. In my humble opinion this is due to the fact that the person implementing this tried to it's own filtering instead of using the native available functionality and/or standard package. The red flag beeing the specific list of characters used for filtering
This is not really JS problems as some people seems to think. Carelessly treating user's input would always lead to big problems. In general when developing FE applications we rarely set any user provided values in any context that could be evaluated like this. Concatenating user's input with code is just bad practice and big no-no. In general, interesting information, but highly theoretical: so many characters are disallowed while double quote still being allowed. I feel IRL, if such case would be allowed, would be either no input cleaning or stricter rules.
Sadly most websites stubbornly develop their own ways of providing rich text display methods instead of using standards, which generally just tends to expose users to exploits... I know that all too well. Been working on the frontend for a while (please kill me)
I have seen a lot of old codebase concatenating user's input with code, it really isn't that bad as long as you know what you are doing. Also in those applications you just can't rewrite the majority of the codebase just to fix a newly discovered XSS. Sorry I lied it was so damn bad that it has become a joke where the filter list just increases day by day. We slapped on a 5000$ IDS and IPS service and everyone pretends like everything is in control but deep inside we all know that the codebase is on fire. I know Robert had told me for a thousand time that concatenating user input with code is bad, but when deadline is chasing off my a** I just can't help but pray and do it anyway, I just want to go home. Sorry Robert, I swear it will be the last time I do it. Amen.
you are absolutely right. thats also almost always my first thought. but i have to throw that thought away for a moment because it gets more interessting if you think about all the existing websites who still could have flaws like this. and its also interesting just to see again how sh*tty and dirty compilcated and entangled javascript can be as a scripting language :D
it kind of is. javascript is dogshit and was made to do simple things when it was created but some clowns said "hold my beer" and other clowns took it seriously, then nodejs happened and embedded webshit posing as fully functional desktop applications known as electron came to be and it's at its worse. Thank God I don't ever was forced to dabble in this cesspool profesionally
Great video and explanation, professional, and gets to the point. I think one main takeaway one can get, that would especially help guys who may feel overwhelmed by these injections, is that the core problem here to be spotted while you are testing is the lack of the encoding / filtering of the double quotes, which allows you to escape the context of the string where the contents of the parameter is being injected. After that is just a matter of playing around to see what you are allowed to inject and find a way to run code, which is what these injections are all about.
I like this as a reoccurring video. It is nice to be able to decipher what someone was referring to. Given everyone has different levels of knowledge, I would give it a 2 thumbs up. Keep ‘em coming!
The longer I watched this the more upset I became at web development that 1. they're using direct string replace and 2. they didn't properly sanitize the input but then I became legitimately impressed with the use of the javascript uri the hex encoding, and the use of objects
This is a really cool format. Had this recommended, never seen your channel. Ngl I thought it was gonna be clickbaity and surface level, but this was great! I subbed
Great video! Really well explained and easy to understand. Would like more in this series to just explain a short exploit in a way that anyone can understand.
This mean TypeScript devs won't find this vuln, as they type the func to accept only N number of args, and TS will throw runtime error if they try to use N+K args, but in build time there code will create this vuln.
@@joechristo2 yeah but it can only type check intentionally authored code. TS will be no help at runtime against injected code, since that's all long after the type-checking time
As a Rust programmer, it blows my mind how messy Javascript has become. When a programming language gets obsessed with "convenience", it becomes impossible to keep track of changes. I think browsers should switch to simply running a WebAssembly runtime directly instead of Javascript.
@@LiveOverflow I guess nothing gets "executed" because of the syntax error, but JavaScript does know in what order to execute this: first the concatenation, then the assignment. It just so happens that the expression makes no sense using that order
@@LiveOverflow My bad, I meant parsed, not executed. What I was trying to say is that the reason the expression in the video results in a syntax error is that the addition is treated as the left side of the assignment and is not assignable, and that it is similar to the 1 = 2 case in that regard. I looked it up in the ECMAScript documentation to try to be more precise this time and it seems that the reason it results in a syntax error is that the left side of the assignment is not a valid LeftHandSideExpression (13.3) or because of the second bullet in (13.15.1). The fun thing is that I actually tested that with " true ? 0 : (1 = 2) " before writing the comment and it did fail with a syntax error instead of executing.
7:07 I think rust mitigates this by making sure (1) parameters must be expressions, and (2) assignment MUST be statements (that return nothing). That's why "x++" doesn't work in rust. It is just "x=x+1;" but doesn't return value, so it cannot be hacked into other expressions.
finding an injection that compiles and executes dynamic rust code but filters characters would be quite impressive tho it's an interesting exercise how much you can do without (. I'm unable to come up with anything exciting
i think x++ just isnt a thing in rust but you can do x+=1? and well, putting assignments as expressions can be a very common bug even outside of injection, my friend accidentally put an = instead of an == inside of a conditional the other day. it can be hard to catch.
my first idea of what you can do without () is pointer shenanigins in order to buffer overflow and stuff so like, you can do basic logic without calling fns, just like ifs and loops and stuff so you can get a value on the stack, get its pointer, use unsafe to write a certain offset away, and thus replace the return address on the stack with whatever you want (probably the address of some other function you want to call) its a bit janky and im sure there is a better way to do this here's a bit of a proof of concept i made which prints out the stack and replaces the return address. weirdly enough, the print call in the flag fn causes a segmentation fault. watching in a debugger shows that it gets to the function successfully, though. this is super finnicky as changing how things are done will change the offset on the stack, ideally you'd want some sort of way to iterate over the diff parts of the stack and detect what looks like the return address. or even more ideally, perhaps if you could call a single closure/user defined fn you could have the return addr stuff set up in there, since a big issue with this is you can't really set up anything else (you wouldn't control the fn return) and then like kinda get screwed by not being able to return safely after the fn finishes. fn flag() { loop { println!("test"); }; } fn main() { let stackvalue: usize = 0x69; let stackaddr: usize = &stackvalue as *const usize as usize; let fnptr: usize = flag as *const usize as usize; let rowsize = 0x4; print!{" ADDRESS: "}; for col in 0x0..rowsize { print!{"{:016X} ", col*0x8}; } println!{}; for row in 0x0..0x30 { let offset = row * rowsize * 0x8; let addr = { stackaddr + offset }; print!{"{addr:012X}: "}; for col in 0x0..rowsize { let addr = addr + col * 0x8; let ptr = addr as *mut usize; let val = unsafe { *ptr }; if row == 0x2B && col == 0x1 { print!{"*"}; unsafe {*ptr = fnptr}; } let val = unsafe { *ptr }; print!{"{val:016X} "}; } println!{}; } print!{"done"}; let mut x = 3usize; while x < 1 { x += 1; } }
It feels like it's a special case of DOM Clobbering, right? We are overwriting the names/definitions of defined variables/functions with our payloads so that they get executed when the page's code calls the overwritten function without knowing it.
A couple of questions: When does the evaluation of the parameter takes place? Right after the function call and before any part of the function takes place? Are there any possible mitigations for this kind of exploit? I mean if this code runs before anything else I don’t see any possibility of mitigations which is wild, but I might be missing something
i have no idea what i’m talking about (as in the context of the video cuz i haven’t watched it) but JS might use C calling conventions in some cases i think (?) and with those, usually the parameters are passed to the function BEFORE the function gets “called” (as in the CALL assembly instruction) but it really doesn’t matter what the function “is” because it can be overrided to not even use the parameters in the first place but get called by the same name, which might be a security risk if some people don’t know what they’re doing
@@joechristo2 well in the video it’s shown that parameters are evaluated pre call to the function which causes a security risk at a fundamental level since the parameter inserted may contain js code that will run before the call of the function Maybe having input checks before each function calll can be a solution but still it seems clunky and weird
The assignment is evaluated before the function call. It has to because otherwise you couldn't use the return value of assignments in functions. The mitigation for this is to not have it in the first place e.g. sanitizing the userinput before placing it in the dom
For the first solution, what about using square brackets to define an array instead of an object? For the second solution, I believe the "new class b" part can be deleted if you replace the equals after toString with a colon. Great video!
Agreed that the toString in object literal should work too.... maybe they're trying to be general as far as including the case that different characters are prohibited (for example the colon). I think your suggestion with the array gives a nice way of solving it if curly braces are prohibited too.
@@KirkWaiblinger this! if colon is available, might as well use the first example. If it isnt, but one of many whitespace/line terminator/multiline comment characters are, we can use the second example. [location=name] is a good point!
but in lua members of objects are referred to by square brackets as WELL as members of arrays because every variable is an object in lua and every variable is an object in JS
I’ve never seen an actual real world example of a successful XSS or SQL injection attack. It’s always a stupid example form that was purposefully set up to be vulnerable to such injection attacks. I wish someone could show this working when someone uses proper input sanitization.
Why would it get automatically escaped by the input form. Or the correct question would be, why would it not get automatically escapes by PHP? Well. Because PHP doesn’t do that automatically. If you want that you need to program that
Just make sure you're using built-in functions to filter user's input. In case of passing data to JS, it would be even better if you use JSON. For PHP it should look like this: x("a", ); Note the lack of double quotes in the second argument. That's because json_encode() wraps the value of $xss in quotes if it's a string.
Why cyber security is hard to learn, when learning web development you ask a question and you get the answer, in cyber security you have no one to ask and you don't get the actually answer..
i refuse to create a twitter account, and twitter doesn't allow viewing without a account so. i can't look at the links you posted. at least Tiktok allows you to view stuff without requiring a account. but i hate tiktok
Hi I'm a noob here. I think this is interesting but I don't see how this can be a vulnerability since it can only trigger on a client that you obviously have already access to...
Could you discuss Denuvo and MKDEV's explanation on Denuvo anti-tamper/drm running on a VM and stuff? Since you're a "influencer" maybe 'Special For' would be comfortable revealing the secrets? They did promise an explanation and technically gave one (albeit brief). But it'd be interesting to review the re-ing of hypervisor code on ida/ghidra.
the question is how you will control the window.open() ? probably it is gonna be hardcoded values. please someone explain, i couldn't understand that!!!
Yeah let's just ignore the part where the entire setup hinges on a fact of having a badly written server template language (which is all of them that didn't start off a client-render library) coupled with badly written sanitizer interpolating the values directly into the html (that also means no http caching btw). Also it's a problem specific to backend development which uses a badly written server template language for frontend instead of splitting responsibilities. For some reason the brain of a typical developer in this stack completely turns off and they think interpolating values directly into html is completely okay because it's just a string, bro! Bonus points if it lives alongside the code which loads libs from other languages and follows all rituals of cross-language interop with all the boilerplate.
This episode could have been 13m37s in length, surely...!
oooof.... missed opportunity
@@LiveOverfloweeh leet, leat, same thing
It must be an AI.
There is no way the Real liveoverflow would have ever let this slip,
He cut it, he render it, he watch it
He uploads it.
Multiple occasions where an Actual human would have seen the magical number but not an AI..
For an AI it's just a number.
Therefore Liveroverflow has replaced himself with an AI
could, but wans't
@@lukasjetu9776 I think Leet + 9 seconds bonus is also cool. Nice video, now I'm hungry for more XSS.
Nice video explaining the issue. One thing that I think is good to mention is what is the underlying mistake. This makes it a better resource for devs and also for researchers. In my humble opinion this is due to the fact that the person implementing this tried to it's own filtering instead of using the native available functionality and/or standard package. The red flag beeing the specific list of characters used for filtering
This is not really JS problems as some people seems to think. Carelessly treating user's input would always lead to big problems. In general when developing FE applications we rarely set any user provided values in any context that could be evaluated like this.
Concatenating user's input with code is just bad practice and big no-no.
In general, interesting information, but highly theoretical: so many characters are disallowed while double quote still being allowed. I feel IRL, if such case would be allowed, would be either no input cleaning or stricter rules.
Sadly most websites stubbornly develop their own ways of providing rich text display methods instead of using standards, which generally just tends to expose users to exploits... I know that all too well. Been working on the frontend for a while (please kill me)
I have seen a lot of old codebase concatenating user's input with code, it really isn't that bad as long as you know what you are doing. Also in those applications you just can't rewrite the majority of the codebase just to fix a newly discovered XSS.
Sorry I lied it was so damn bad that it has become a joke where the filter list just increases day by day. We slapped on a 5000$ IDS and IPS service and everyone pretends like everything is in control but deep inside we all know that the codebase is on fire. I know Robert had told me for a thousand time that concatenating user input with code is bad, but when deadline is chasing off my a** I just can't help but pray and do it anyway, I just want to go home.
Sorry Robert, I swear it will be the last time I do it.
Amen.
you are absolutely right. thats also almost always my first thought. but i have to throw that thought away for a moment because it gets more interessting if you think about all the existing websites who still could have flaws like this. and its also interesting just to see again how sh*tty and dirty compilcated and entangled javascript can be as a scripting language :D
it kind of is. javascript is dogshit and was made to do simple things when it was created but some clowns said "hold my beer" and other clowns took it seriously, then nodejs happened and embedded webshit posing as fully functional desktop applications known as electron came to be and it's at its worse. Thank God I don't ever was forced to dabble in this cesspool profesionally
I'm really into all kinds of quirks of js and I can't believe that knowledge finally paid off and I was able to fully follow a liveoverflow video 🎉
Yea its one of the more easy to follow videos for web soydevs like us :D
PLEASE do more vids like these! I love the way you explained every bit.
Great video and explanation, professional, and gets to the point. I think one main takeaway one can get, that would especially help guys who may feel overwhelmed by these injections, is that the core problem here to be spotted while you are testing is the lack of the encoding / filtering of the double quotes, which allows you to escape the context of the string where the contents of the parameter is being injected. After that is just a matter of playing around to see what you are allowed to inject and find a way to run code, which is what these injections are all about.
I like this as a reoccurring video. It is nice to be able to decipher what someone was referring to. Given everyone has different levels of knowledge, I would give it a 2 thumbs up. Keep ‘em coming!
neat! these tricks go straight into my notes ! Nice video format too. I'd like to watch more of this kind
This format is fun and useful, please do it again!
would also work in this example
Cool format, please more of this :)
It's such a weird filtering when you disallow ( ' and ` but allow " < and >
Very insight and presented in a way you can understand. I had no idea about XSS or an and now I do.
same
This was super interesting and fun to learn about. Great lesson! Hope to see more of your content, keep up the great work
Not even a minute of reproduction and I can say "I love this series"
The longer I watched this the more upset I became at web development that 1. they're using direct string replace and 2. they didn't properly sanitize the input
but then I became legitimately impressed with the use of the javascript uri the hex encoding, and the use of objects
as always Xcelent Xplanation....
you don't need to write , those tags are all optional and are inserted automatically
This is a really cool format. Had this recommended, never seen your channel. Ngl I thought it was gonna be clickbaity and surface level, but this was great! I subbed
Great video! Really well explained and easy to understand. Would like more in this series to just explain a short exploit in a way that anyone can understand.
this was an open tab for so long. greatly explained !!
Wow thanks! It's so important for people to have a handle on this sort of thing so we can be aware of what we need to look out for when writing code.
This mean TypeScript devs won't find this vuln, as they type the func to accept only N number of args, and TS will throw runtime error if they try to use N+K args, but in build time there code will create this vuln.
TS will not throw a runtime error if a function is called with extra arguments. At runtime it's just raw JS and anything goes.
@@KirkWaiblingertypescript is meant to PREVENT runtime errors from even happening
@@joechristo2 yeah but it can only type check intentionally authored code. TS will be no help at runtime against injected code, since that's all long after the type-checking time
Man, I almost never do websec, so this was fascinating. I learned a ton, your content is always top notch! Thanks for this ❤
As a Rust programmer, it blows my mind how messy Javascript has become. When a programming language gets obsessed with "convenience", it becomes impossible to keep track of changes. I think browsers should switch to simply running a WebAssembly runtime directly instead of Javascript.
people are gonna lose track of the difference between asmjs and wasm, thinking they are the same thing thus doing damage to the web as a whole
Super interesting video, liked this very much!
Love this explanation. Would use this as a quick explanation for javascript injection methods in general
great video. learned a lot. would love to see more like it 👍
9:00 Concatenation is executed first and the result is a string, which cannot be assigned to. It's essentially equivalent to writing 1 = 2
No, because you get a syntax error ;)
@@LiveOverflow I guess nothing gets "executed" because of the syntax error, but JavaScript does know in what order to execute this: first the concatenation, then the assignment. It just so happens that the expression makes no sense using that order
@@LiveOverflow My bad, I meant parsed, not executed.
What I was trying to say is that the reason the expression in the video results in a syntax error is that the addition is treated as the left side of the assignment and is not assignable, and that it is similar to the 1 = 2 case in that regard.
I looked it up in the ECMAScript documentation to try to be more precise this time and it seems that the reason it results in a syntax error is that the left side of the assignment is not a valid LeftHandSideExpression (13.3) or because of the second bullet in (13.15.1).
The fun thing is that I actually tested that with " true ? 0 : (1 = 2) " before writing the comment and it did fail with a syntax error instead of executing.
I would love to see more of this new format.
wow it's an awesome idea, I always took ton of researches to understand.
Super useful and interesting format. Thanks for sharing
7:07 I think rust mitigates this by making sure (1) parameters must be expressions, and (2) assignment MUST be statements (that return nothing). That's why "x++" doesn't work in rust. It is just "x=x+1;" but doesn't return value, so it cannot be hacked into other expressions.
finding an injection that compiles and executes dynamic rust code but filters characters would be quite impressive
tho it's an interesting exercise how much you can do without (. I'm unable to come up with anything exciting
i think x++ just isnt a thing in rust but you can do x+=1? and well, putting assignments as expressions can be a very common bug even outside of injection, my friend accidentally put an = instead of an == inside of a conditional the other day. it can be hard to catch.
my first idea of what you can do without () is pointer shenanigins in order to buffer overflow and stuff
so like, you can do basic logic without calling fns, just like ifs and loops and stuff
so you can get a value on the stack, get its pointer, use unsafe to write a certain offset away, and thus replace the return address on the stack with whatever you want (probably the address of some other function you want to call)
its a bit janky and im sure there is a better way to do this
here's a bit of a proof of concept i made which prints out the stack and replaces the return address. weirdly enough, the print call in the flag fn causes a segmentation fault. watching in a debugger shows that it gets to the function successfully, though. this is super finnicky as changing how things are done will change the offset on the stack, ideally you'd want some sort of way to iterate over the diff parts of the stack and detect what looks like the return address. or even more ideally, perhaps if you could call a single closure/user defined fn you could have the return addr stuff set up in there, since a big issue with this is you can't really set up anything else (you wouldn't control the fn return) and then like kinda get screwed by not being able to return safely after the fn finishes.
fn flag() {
loop {
println!("test");
};
}
fn main() {
let stackvalue: usize = 0x69;
let stackaddr: usize = &stackvalue as *const usize as usize;
let fnptr: usize = flag as *const usize as usize;
let rowsize = 0x4;
print!{" ADDRESS: "};
for col in 0x0..rowsize {
print!{"{:016X} ", col*0x8};
}
println!{};
for row in 0x0..0x30 {
let offset = row * rowsize * 0x8;
let addr = { stackaddr + offset };
print!{"{addr:012X}: "};
for col in 0x0..rowsize {
let addr = addr + col * 0x8;
let ptr = addr as *mut usize;
let val = unsafe { *ptr };
if row == 0x2B && col == 0x1 {
print!{"*"};
unsafe {*ptr = fnptr};
}
let val = unsafe { *ptr };
print!{"{val:016X} "};
}
println!{};
}
print!{"done"};
let mut x = 3usize;
while x < 1 {
x += 1;
}
}
Good usage for the new Twitter logo 👏👏
very fun format! :) learnt a few tricks
About using the name variable, wouldn't that only work on your window? I can't see how the xss would do something nefarious on a targets browser.
You link them to your website, that redirects with the name "parameter"?
@@schwingedeshaehers thanks i was confused
super cool bug, and great explanation!
The coolest part about this video was the intro.
It feels like it's a special case of DOM Clobbering, right? We are overwriting the names/definitions of defined variables/functions with our payloads so that they get executed when the page's code calls the overwritten function without knowing it.
A couple of questions:
When does the evaluation of the parameter takes place? Right after the function call and before any part of the function takes place?
Are there any possible mitigations for this kind of exploit? I mean if this code runs before anything else I don’t see any possibility of mitigations which is wild, but I might be missing something
i have no idea what i’m talking about (as in the context of the video cuz i haven’t watched it) but JS might use C calling conventions in some cases i think (?) and with those, usually the parameters are passed to the function BEFORE the function gets “called” (as in the CALL assembly instruction) but it really doesn’t matter what the function “is” because it can be overrided to not even use the parameters in the first place but get called by the same name, which might be a security risk if some people don’t know what they’re doing
@@joechristo2 well in the video it’s shown that parameters are evaluated pre call to the function which causes a security risk at a fundamental level since the parameter inserted may contain js code that will run before the call of the function
Maybe having input checks before each function calll can be a solution but still it seems clunky and weird
The assignment is evaluated before the function call. It has to because otherwise you couldn't use the return value of assignments in functions.
The mitigation for this is to not have it in the first place e.g. sanitizing the userinput before placing it in the dom
This video started my web hacking journey, Thank you!
Super interesting. Thanks for the explanation.
This is great, Insiteful as always @LiveOverflow, can this type of xss vulnerabilities be found in react applications as well ?
Yes
if it runs javascript, it runs
the hex encoding trick is impressive too.
Nice, we want more :)
Thanks mate, as always.
For the first solution, what about using square brackets to define an array instead of an object?
For the second solution, I believe the "new class b" part can be deleted if you replace the equals after toString with a colon.
Great video!
Agreed that the toString in object literal should work too.... maybe they're trying to be general as far as including the case that different characters are prohibited (for example the colon). I think your suggestion with the array gives a nice way of solving it if curly braces are prohibited too.
@@KirkWaiblinger this! if colon is available, might as well use the first example. If it isnt, but one of many whitespace/line terminator/multiline comment characters are, we can use the second example. [location=name] is a good point!
but in lua members of objects are referred to by square brackets as WELL as members of arrays because every variable is an object in lua and every variable is an object in JS
Love this format!
Most valuable piece of information I saw today
yes, this was both fun and useful! thanks liveoverflow
That's crazy creative. I'd be interested in learning how this could be mitigated. Better input sanitation?
I really enjoyed this format
This video should have been "The Secret Step-by-step Guide to hacking: Deep Dive" 😂
Great video tho.
Would you be able to create an array, instead of an object?
If this amuses you, you have a lot to learn! And that's exciting
This was utterly amazing
What will be the use case and what it is use for.
Sorry just want to know/learn more, for me it looks useless to set an alert for myself
You can set any javascript instead of alert, so you can do anything at the server.
@@jaideepshekhar4621 so If someone else accesses the same page he will get the same script which I injected
Hm does it make sense to cancel out name on top of each page (or can it CSPed?)
Loved this one! Please, keep them coming :)
Loved it. Please continue.
I’ve never seen an actual real world example of a successful XSS or SQL injection attack. It’s always a stupid example form that was purposefully set up to be vulnerable to such injection attacks. I wish someone could show this working when someone uses proper input sanitization.
But, is this like, preventable with input validation?
Как же круто ты объясняешь. Плохо знаю английский, но при этом всё понял
Why would the input end up as ""..."" instead of "\"...\""? Why would the quotes not get automatically escaped by the input form?
Why would it get automatically escaped by the input form. Or the correct question would be, why would it not get automatically escapes by PHP?
Well. Because PHP doesn’t do that automatically. If you want that you need to program that
awesome format! i learned so much
One of such video which I followed start to end!
In the 'name' case, is it really an XSS, when you need to open the window with the page in a special way?
Now if I make a website, how can I avoid exploits like this?
Just make sure you're using built-in functions to filter user's input. In case of passing data to JS, it would be even better if you use JSON. For PHP it should look like this:
x("a", );
Note the lack of double quotes in the second argument. That's because json_encode() wraps the value of $xss in quotes if it's a string.
could you upload a video about how to learn effektively?
How can I land on the first cyber security job?
This was awesome. Lots of love.
This will be a great series
brilliant breakdown
What are they really looking for in cyber security role? are the courses that we see online really enough? probably not even close, right?
Did I only understand about 20% of this? Yes.
Did I watch it all and want more anyway? Also yes.
Why cyber security is hard to learn, when learning web development you ask a question and you get the answer, in cyber security you have no one to ask and you don't get the actually answer..
Yes, this video was funny, it was useful, and now I find javascript even much more strange than it already was.
I absolutely love this!!!!!! You literally read my mind but I didnt have the guts to ask.
i refuse to create a twitter account, and twitter doesn't allow viewing without a account so. i can't look at the links you posted. at least Tiktok allows you to view stuff without requiring a account. but i hate tiktok
Does the name trick also work in stored xss when another user doesnt set his window name to the xss-payload?
Wouldn't it be a little cleaner to just put the payload in an array like this: x(""+[location=name]) ?
Amazing, more of these type of videos!
Please make more vids like this!
Aren't there many other ways too? Like...
"[location=name],"
".a=location=name,"
A"?location=name:0,"
clever approach
I love these videos. Insightful!
You should do this with John Carmack tweets!
What if they use "htmlspecialchars" php function?
Hi I'm a noob here. I think this is interesting but I don't see how this can be a vulnerability since it can only trigger on a client that you obviously have already access to...
Amazing, thank you for this!
What IDE were you using for the testbed?
Oh nvm, its VSCode!
@@CrazymadlybuzzaVSCODE IS ELECTRON IT’S JS
+{toString:e=>location=name}
-{toString:e=>location=name}
0>{toString:e=>location=name}
...etc
replace toString with valueOf or [Symbol.toPrimitive]
[...{[Symbol.iterator]:e=>location=name}]
1 instanceof {[Symbol.hasInstance]:e=>location=name}
Awesome content. Make more like this, please.
Could you discuss Denuvo and MKDEV's explanation on Denuvo anti-tamper/drm running on a VM and stuff? Since you're a "influencer" maybe 'Special For' would be comfortable revealing the secrets? They did promise an explanation and technically gave one (albeit brief). But it'd be interesting to review the re-ing of hypervisor code on ida/ghidra.
ghidra as in the decompiler made by the cia?
Can I bypass router login page
the question is how you will control the window.open() ? probably it is gonna be hardcoded values. please someone explain, i couldn't understand that!!!
You execute this from your own domain. So the victim visits your site and you trigger that
What is a day life in a cyber security job? can you show a real examples of tasks and jobs?
Nice video series idea
that was amazing, thanks for the video
I like these videos. It also supports my war against too much (unnecessary) JS on Websites and that user input is always bad 😁
feedback is technically user input so your comments are always bad
@@joechristo2 so is yours 🤔😂
Yeah let's just ignore the part where the entire setup hinges on a fact of having a badly written server template language (which is all of them that didn't start off a client-render library) coupled with badly written sanitizer interpolating the values directly into the html (that also means no http caching btw). Also it's a problem specific to backend development which uses a badly written server template language for frontend instead of splitting responsibilities. For some reason the brain of a typical developer in this stack completely turns off and they think interpolating values directly into html is completely okay because it's just a string, bro! Bonus points if it lives alongside the code which loads libs from other languages and follows all rituals of cross-language interop with all the boilerplate.
Could you go over a fiddler use?
In 2023, the only safe way to accept user input is via post letters