It's not much, but will continue to support your page. Your teaching is a breath of fresh air in a very stale curriculum.
I don't know if I'm just used to your rhythm of teaching, but this guy's teaching makes me want to open reddit and doomscroll while kinda listening
2x speed or more solves your problem
I love r/collapse also
At this point these are never 100s, but it's still high-quality videos with no BS, so I'm not complaining
i mean there is a break after 100s so you get the best of both worlds: if you prefer 100s videos you can close the video there, or keep watching if you want. and fireship gets to upload 10min+ videos which helps with the youtube algorithm, which is a bonus for the channel.
@@dom8429 nah, even the short ones are 2min +
Next video: Writing good code, or OTP vulnerabilities.
It's simple: a brute force attack or finding the API keys to their SMS provider, nothing much.
@@nameless_9504 Brute-forcing a 6-digit OTP, I doubt it is a good idea. Talking about master OTPs, intercepting requests, are better alternatives.
@@nameless_9504 I mean, I have been doing it for a while. I like Fireship so much that I want a video on this. A few days back, I was testing a website - you could literally change the phone number on which they sent you the OTP and login with a different phone.
@@DanishShakeel Is it even possible? Never heard about it! Give me an example that may help me understand.
@@nameless_9504 The website used an API, and they POSTed the number to it in plaintext. I changed the request, and the OTP arrived on the updated number, whereas the webapp logged me in with the actual phone number.
Holy shit you are literally covering every single corner of IT and all those subjects I learned at school as well.
This channel consistently provides awesome and educational content balanced with good entertainment. Keep up the great work
You make my favorite videos - the perfect TL;DR + details
*My website recently got hacked, but it was so badly coded the hackers ended up giving me the fix to those vulnerabilities, Bad code can help sometimes.*
Well, CORS might seem to protect websites from requests of evil origins, but it's super weak, it can be bypassed easily by making requests outside of browsers or just by creating a Proxy, besides, the requests always hit the server, so in the end it's not really that helpful, and instead, it always annoys developers on every single project.
What kind of proxy are you talking about? A proxy running on the user's machine next to the browser? That's a lot harder to do than getting some javascript running in someone's browser.
@@Norsilca No, a server proxy. You can easily get the response from server to server and then return it with the CORS headers.
@@edisonarango Wouldn't your proxy have to be running at the same origin as the first party website?
@@Norsilca I don't think that guy has a clue what he's talking about based on his response. Either that, or he's a genius and we're both baffled.
This 11 min video taught me what Stack Overflow and other complicated explanations never taught me!!!
This is one of the best videos on ethical hacking
this doesn't seem like 100 seconds, but i'm watching all of it anyways
@fireship used to publish literally 100 sec videos without going deep into the topic. These days, the first part is a 100 sec bird's-eye view of the topic and then comes the rest. That's why it is 100 sec of something.
'And why do we need CORS?'
Should be 'What is CORS?'
Omg after 2 years of confusion somebody finally explains sop properly
Love this channel!!
CORS only applies to JSON and is enforced by the client. It hardly prevents cross site scripting. The requests go through fine, you just can't read the results.
I don't understand what CORS is even useful for. He only explained what it blocks and not WHY. I don't see the benefit - I am searching for this and the title suggests that he explains it.
Lol please i am dying to know
Great content like always.
Can you do a video on designing backend apis with a focus on creating the right endpoints (from a front-end engineer's perspective)?
100 Seconds of XML is much needed
Are you a time traveling developer from 1995?
Being featured in Jeff's video is the ultimate accolade a content creator can earn - so jealous of Bartosz 😍
Notification Squad, attendance here, with a 👍.
I agree with the others, your voice, pacing and structure are just "easily enjoyable", which is highlighted in contrast to the other guy.
First
Edit: Second Gold
Is there any reward after 10?
Love your videos!
yup
congratulations you won... idk what
Gold! 🥇
We needed this
You are my inspiration
I have decided to open my own programming youtube channel like you but in my own regional language
Do JWT authentication next if you haven't already (access tokens, refresh tokens, etc.)
Learn to google before you ask
@@weshuiz1325 I could learn anything using Google, you're missing the point entirely lol
@@okie9025 hey already did jwt if you looked for it
@@weshuiz1325 😂😂😂😂😂😂😂😂😂😂😂😂😂😂
Really mind boggling explanation, thank you very much, i would like to see more videos like this.
Thanks, I have no luck... This video was uploaded after my interview... So yeah 🙃
Your videos are pure gold. Thank you.
Please make 100 second & beyond videos for social media APIs like Instagram Twitter UA-cam Facebook tiktok etc
You shouldn't be thanking us for watching, dude.
It's we who have to thank you for the amazing materials.
You can simply pronounce "Bartosz" as "Bartosh" 😁
Good video as always!
😂
This video is? I mean if you know fetch, js, some online wordlists and how to press F12, you don't need to step out of your browser to do all penetration tests. F12 in browser is OP. Every aspect can be checked via developer tools, the networking, request/response, data manipulation, js manipulation and many more.
Honestly If my web security doesn’t have a Slavic accent idk if I could fully trust him/her. This guy really knows his target market.
I am learning this already and i found one problem on reddit, i found it when i was trying to use a normal user as a bot. I already reported it.
As always, quality and informative videos!
I wish I had teacher like you. thanks man😍😍😍
You wouldn't believe it, But this tool is what I was trying to figure out yesterday and today, so that I can check CCAvenue Payment Gateway Integration vulnerability in my app.
🙏🙏🙏
This channel was made in heaven
Me after 3 years of hacking journey when first see the title (Ethical Hacking in 100 Seconds) :)
I still don't quite get what this prevents.
If I make a page I won't add in any requests to servers I don't want them to go to. An attacker couldn't modify my page or inject any API calls. So why would I want a CORS policy to not be wide open in that case?
When you're ready to learn how to do Smart Contracts? I've been writing a Truffle tutorial on how to use React and MetaMask.
Off topic, was wondering if you can provide some insight to this question, or anyone for that matter. I'm a JavaScript developer, love doing frontend development with React, progressing towards fullstack, but I'm a bit confused about what comes after fullstack? What are some viable career paths to choose? I'm open to branching out to other relevant fields, I am a learner and love to see my limits (also interested in security but found my niche in web development due to the low entry barrier).
Feedbacks are much appreciated.
You can also load an external image too, but you won't be able to modify it.
Nice video. Would have been nice if the video included an example where the external API was whitelisting origin A.
And why is it that static files are allowed (including executable scripts) but calling the API is not?
Because of the allowed origins in the server-side CORS settings, only the whitelisted hosts are allowed to fetch or mutate data. That is why you have to declare those hosts in the environment variables.
Your voice is like a soft caramel.. I love listening to you
Great video! What icon set do you use? These colorful icons are beautiful 🤩
Didn't expect 豆豆 to mention Malaysia (I'm Malaysian). After watching the whole series I got hooked too; one more item on my bucket list.
Dear Mr. Jeff Fireship,
If you opt for quality in your videos, then ensure more quality control in the collabs because they are sometimes boring and do not match the rest of the video.
Am I stupid or have u done an auth vid? If not, pls do. And like not with Firebase. Thx.
EDIT - thx for all the great vid. Keep em up, I love this channel.
I would rename "And why do we need CORS?" to "What does CORS do?" because the reason for the blocking (what I urge to understand) is not explained at all. The title is a little misleading.
Next video: Chrome Extension and Outlook Add-ins
Can you explain a little why stylesheets and scripts were fine to grab from the external server but the api call was blocked? I understand the premise of CORS but is there a reason that css and scripts were ignored? Is there other things that CORS ignores as well?
Edit: This is WRONG:
The basic premise is that you can receive/download assets from the external origin, but you cannot send anything to it.
@@cloudfox1908 got it. What about something like an HTTP GET request? While I’m not sending anything to my server is that still a part of the CORS model?
@@shaynepreston6055 ah I led you wrong before. When you download/GET a page, you are still making a request to a server for those resources. The reason it may be allowed is because "For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts." I'm assuming it's ok since it wasn't within a script, but this stuff is quite confusing for me too.
Reference: stackoverflow.com/a/42605316/14056792
@@cloudfox1908 ah that makes more sense. Thanks!
dude your channel is priceless.
Good video, thanks for sharing. Can you please explain how a hacker could take advantage of a website not implementing CORS correctly? From what I understand this does nothing to protect the API as CORS is enforced by the browser. Thanks
CORS is there to protect the Client, not the Server
Compared to Burp's commercial (and free) version, I find ZAP more appealing in features and usability.
1:25 It's really hard to hack and takes a lot of years ... you just click "start attack"
@7:40 he doesn't explain how making this request and getting the static files is possible through the external origin. Is it because the Express 'get()' acts as a middleware? Or is it because somehow 'public' folder is recognized as the same origin(url) due to its folder structure/location..?
Express.js (and all other backend libraries) disables CORS by default on static files
I'm here for my daily tech knowledge bytes :D
Gonna put this on 2x speed and learn it in 50 seconds 😎
put me in the woosh
Next video: oAuth 2.0 in 100 Seconds and beyond
Interesting topic, even though I'm still learning ES6 JS.
Loool right in the middle of security class too 😂 so strange
Bro I'm also Bartosz and I got the same shirt 😅 Good vid
😂😂😂
How do you always know what I need😃?! I was wandering around entire internet for way of preventing some security issues in one of my project. CORS is of course one of 'em. Thanks Fireship❤ & of course huge thanks to Bartosz🙏 for explaining the whole process so easily...
I am really happy you like it! 😍
can you please provide a roadmap or guide on how to get started with ethical hacking. thanks a lot.
“Given us permission” as they say
Please do a reverse engineering on Apple’s new iPad Pro webpage. Their web designs are on completely next level.
But then why do the external stylesheets and scripts and images get loaded?
They are also cross-origin but yet they are not blocked by the browser???
I might be wrong, but I thought that it was the preflight request that failed in case of CORS policy and not the actual request/response.
Ayyyy, hi Poland!
👋😻
Nice video dude
Yeah I'm a Full DevOps Stack Hacker
Go in 100 seconds please!
make a video about best practices of a REST api design or the purpose of header and body and so on...
Lol, I had this error yesterday but fixed it by doing another approach
video idea: 100 seconds of laravel
Good video, but title is misleading.
Video suggestion: how to write good commit messages
I also commented this on another video lol
Ethical hacking is like you are developing nuclear power just to use it for peaceful purposes. 😄
You're certainly a mind hacker...
I was so fast there are no dislikes!
You are awesome !!
Pls do something on DevOs, MLOps
I would gladly have my credit card on the dark web if it meant I never had to deal with CORS again
I'd like to suggest .ENV in 100 seconds.
Great video 👍
Wondering if the cross-origin policy is only for the frontend. If anyone tries to fetch using a backend language, then it ignores the cross-origin policy.
What is the difference between first GET to 8081 to fetch css and js during page rendering and later GET to 8081 triggered by button?
The MIME type. script/js, style/css, application/json. JSON is forbidden - but it doesn't matter since he only explained what is blocked, not WHY, as the title suggests.
Nice video! Can you give ReScript a try and let us know your opinion about it?
"Guys, we're in".
1:13 Yes I really want to get arrested today
Finally, I can stop being a script kiddie that installs Kali along with a desktop environment.
Amazing video but i was annoyed by the fact that his video was difficult to watch with all that editing cuts
Can't I just run a proxy and add the 'Access-Control-Allow-Origin' manually and bypass the browser's security?
Someone please respond to this. I have the same concern
please a video on the new Angular State management StateAdapt!!!
This channel is so good, but bro.. these videos are getting to be way longer than 100 seconds😅
Great need more ethical hacking videos
Burp Suite, such a horrible name but does a good job.
So you can retrieve static files from an external server but not call its API.
4:56 oops: the browser will communicate with Origin B, but when I receive the response, if the Allow-Origin header is not there, I will kick out the response.
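A small runnable model of the behaviour several comments above ask about: why script and style tags from Origin B load while a fetch to its API is blocked, the fact that the request still reaches the server and only the response is discarded, and the preflight case. This is an added example, not code from the video or from any commenter; the page origin, the API origin on port 8081 and the allowlist are assumed values.

```javascript
// Added example: a toy model of browser-side CORS enforcement and a server-side
// origin allowlist. Origins, ports and the allowlist below are assumed.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080"]); // assumed allowlist

// Server side. The request is always received and processed in full; CORS only
// decides which headers go on the response. An origin not in the allowlist gets
// no Access-Control-Allow-Origin header at all.
function serverResponse(req) {
  const headers = {};
  if (req.origin && ALLOWED_ORIGINS.has(req.origin)) {
    headers["Access-Control-Allow-Origin"] = req.origin;
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
  }
  if (req.method === "OPTIONS") return { status: 204, headers, body: "" };
  const body = req.path.endsWith(".js") ? "console.log('static')" : '{"secret":1}';
  return { status: 200, headers, body };
}

// A "simple" request (GET/HEAD/POST with only safelisted headers) is sent
// directly; anything else (e.g. a JSON POST) triggers an OPTIONS preflight.
function needsPreflight(req) {
  const simpleTypes = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
  if (!["GET", "HEAD", "POST"].includes(req.method)) return true;
  const ct = req.headers["Content-Type"];
  return ct !== undefined && !simpleTypes.includes(ct.split(";")[0].trim());
}

// Browser side. mode "no-cors" models <script>/<link>/<img>: the resource is
// fetched and used, but its body is opaque to page JavaScript. mode "cors"
// models fetch()/XHR: the body is exposed only if the allow-origin header
// matches the page's origin. hitServer records whether the request was sent.
function browserFetch(pageOrigin, req, mode) {
  const target = new URL(req.url);
  const r = { ...req, origin: pageOrigin, method: req.method || "GET",
              headers: req.headers || {}, path: target.pathname };
  if (target.origin === pageOrigin) {
    return { ok: true, body: serverResponse(r).body, hitServer: true };
  }
  if (mode === "no-cors") {
    serverResponse(r); // request goes out, response body is never exposed
    return { ok: true, body: null, hitServer: true, opaque: true };
  }
  if (needsPreflight(r)) {
    const pre = serverResponse({ ...r, method: "OPTIONS" });
    if (pre.headers["Access-Control-Allow-Origin"] !== pageOrigin) {
      // Preflight failed: the real request is never sent.
      return { ok: false, body: null, hitServer: false, reason: "preflight blocked" };
    }
  }
  const res = serverResponse(r); // the server still processes the request
  const allowed = res.headers["Access-Control-Allow-Origin"];
  if (allowed === pageOrigin || allowed === "*") {
    return { ok: true, body: res.body, hitServer: true };
  }
  return { ok: false, body: null, hitServer: true, reason: "response discarded" };
}
```

Note that only the preflighted case stops the request before it leaves the browser; for a simple GET from a non-allowlisted origin the server does its work and the browser just withholds the body, which is why CORS alone is no substitute for authentication on the API.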