So what you're saying is... We should stalk CTF organizers (and their social feeds) for insight on challenges? Now that's proper social engineering!
time for maltego?
can we just brute force all possible queries from normal url loading and check if there is a flag.. anyone reply??
@@rajkumar-ro8co wdym by 'normal' loading?
> make xss auditor to prevent XSS attacks
> hackers use the xss auditor to do xss attacks
> shocked_pikachu.jpg
This is why they ended up just removing the xss auditor
More than 3/4 of your video went over my head. Still, it's an interesting one and I have tons to google xD
watching this made me realize how close I was when time ran out.
great challenge and cool video
Loser, go see a doctor
@@teslalive4240 oof
*fucking awesome*
What, are you Croatian?
Fucking great, yeah...
Yes!
@@Dan2000kr aeeee, I'm not the only one
awesome as always, the moving pointer while you explain xssearch function is super useful, thanks!
I saw some tricky XSS attacks but this one is next level in terms of creativity :D Also this is another example of Chrome XSS Auditor gone wrong. In my opinion XSS Auditor should be removed - the developer should be responsible for sanitizing user input properly because he knows the context of his application, not the browser.
11:24 "pretty simple, right?" mad respect for him getting to this.
If you just had to brute force a search, wouldn't a chrome extension that adds code to the search page do the job (no worries about cross site issues then)? I once used a similar technique to create a list of thousands of email addresses by entering a partial UK postcode into a search, instead of having to do it manually (still took a while and had to manually deal with captcha's)
Hey it's up! Cool to see the process and what goes into just one video.
This is probably a stupid question; but 2:15, was the name used to generate the session ID? As in; using the same name generates the same session ID? EDIT: 5:37 nevermind :)
nope, always random
Can u share like a book or source to make u understand about browser protocols
humble and informative and a great guy
how did u know the first part of the flag? i.e '35' or '35c3' ?
If u already knew that, then u already had got the flag at this point 6:27. so why build a whole new script for checking that?
Because the CTF had other challenges and flags typically follow the same format
@@LiveOverflow ohk. so that was a guess start. What if someone doesn't have an idea about the flow?
And yes, the question still remains: you already had the answer at 6:27, right?
Is it somehow possible to play those challenges even after the CTF event is over? Would like to try it out myself before watching your video :D
I remembered someone talked about it in his videos but could not remember who that was. Really cool tricks btw.
Pls remember the videos. I want to see them!!!
Great video once again, awesome work!
Q: How is it possible he found out letter after letter in (left2right) order if the serverside search condition is:
if 'query' in FLAG:
It would make sense if the condition was FLAG.startsWith(q) || iterating the FLAG by index
A: u don't see the real flag, you only get an indication that it exists..
assuming the flag was "ABC" it would take 6 attempts
Attempt #1, sending "A" = exists
#2 AA = nope
#3 AB = yes
#4 ABA = nope
#5 ABB = no
#6 ABC = success
hope it's not case sensitive
there are two options.
1. you know that the flags start with '35c3' or '35C3'. So start with that and you should leak the flag (what I did in the video)
2. let's say the flag is 'abcdefghijk'. Then you just start with a random character. Let's say you start with 'e', so using this you find 'efghijk'. Once you reach the end (no valid characters found) you continue by prepending new characters and search from the right2left.
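A local simulation of the two strategies from the answer above, added here as an illustration (not code from the video or from the challenge): the "server" is modelled by a function that, like the `if query in FLAG` check discussed in the question, only answers yes/no, which is exactly the information a match/no-match side channel gives away. `ALPHABET`, `SECRET` and the function names are assumptions made for this example.

```python
import string

# Character set the search may contain. It must cover every character of the
# secret; an uncovered character stops the extraction early at that point.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_{}-"

# Constructed sample secret for the simulation; not the real challenge flag.
SECRET = "35c3_substring_oracles_leak_everything"


def make_oracle(secret):
    """Mimic the server-side check `if query in FLAG` and count the queries.

    The caller never sees `secret`; it only learns True/False per query.
    """
    calls = {"n": 0}

    def oracle(query):
        calls["n"] += 1
        return query in secret

    oracle.calls = calls
    return oracle


def extend(oracle, known, to_right):
    """Append (to_right=True) or prepend one character while the oracle says yes.

    Every accepted string is itself a substring of the secret, so the greedy
    choice can never drift off the secret. The pass stops when no character
    fits, i.e. the current string only occurs as a suffix (right pass) or as
    a prefix (left pass) of the secret.
    """
    while True:
        for c in ALPHABET:
            candidate = known + c if to_right else c + known
            if oracle(candidate):
                known = candidate
                break
        else:
            return known


def leak_with_prefix(oracle, prefix):
    """Option 1: the flag format (e.g. '35c3') is known, so a rightward pass
    is enough. Assumes the prefix occurs only once in the secret."""
    return extend(oracle, prefix, to_right=True)


def leak_from_seed(oracle, seed):
    """Option 2: no known prefix. Grow right until stuck, then grow left."""
    if not oracle(seed):
        raise ValueError("seed character is not part of the secret")
    partial = extend(oracle, seed, to_right=True)
    return extend(oracle, partial, to_right=False)


if __name__ == "__main__":
    o1 = make_oracle(SECRET)
    print(leak_with_prefix(o1, "35c3"), "after", o1.calls["n"], "queries")
    o2 = make_oracle(SECRET)
    print(leak_from_seed(o2, "k"), "after", o2.calls["n"], "queries")
```

The query counter makes the cost visible: each recovered character costs at most one query per alphabet entry, which is why a yes/no oracle on user-controlled search input leaks the whole value in seconds.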
LiveOverflow so in those challenges you know the first four characters of the flag? Is that always the case or just in this challenge?
It's typical that the flag follows a special format, so you know when you find it. But that obviously depends on the CTF
Hey there, I recently watched your SIM card video and since I just heard of eSIM, I wondered if you could do a video on that. I imagine it has a lot more vulnerabilities than the standard sim.
Good stuff
Great video (already)!
Great content!
Which editor (colorscheme) are you using, ~10min
Just wow 😍
awesome sir
Did you get a new recording setup or mic?
no, why?
Q: What effect does the hash (#leak or #test) have on the server response? Or is it caught by the browser?
The hash part of an url is client-side, so if you're on example and then go to example#test, the page does not need to reload because the hash does not need to get sent to the server. If the page is not loaded, loading a hash url reloads the page because the page isn't already loaded in the first place.
Must admit, I didn't follow how the xss attack was required to detect the presence/absence of particular code in the returned page. Is it something to do with the search - if you searched for "35" in the regular webapp would it not show the flag amongst other files?
Only the logged in admin can search for its own files and the flag. Our logged in user doesn't have the flag
Why couldn't you just determine whether a query is an error or not by the response code length?
Since the response error is always the same length wouldn't it be easier and quicker?
Also why not use python for that script? Was that a must?
You don't have access to the response. All you have is the onload event
Awesome video :)
I was so confused because there was 35c3 ctf junior for beginners right?
Yeah there was a normal and juniors ctf
Q: what do i need to do/read to understand this video?
@@user-ir4tu7fb3u oh yeah yeah
wait am i missing something? why isn't just checking if the page has a script tag enough to detect if the search query was successful? no need to go through an and make it crash right?
how would you do that? You need to send your attack script to the admin and let the admin execute it.
The malicious URL you would send to the admin to carry out the attack is outside the domain of the target web app. The browser enforces the same origin policy, which means scripts in your site cannot access the contents of sites outside your domain. The same origin policy and the CSRF protection is what is preventing you from just reading search results cross-site.
You cannot force the admin to create a new file containing the malicious script due to CSRF protection. If it were no CSRF protection, then we could upload a malicious script, which will be in the same domain as the web app, and carry out the attack like you describe.
@@yosoyboi thanks for the explanation, think i get it now
LiveOverflow So we send ip of our server to admin, which is a page with , then the script on page detects if the onload happened twice and...how to detect it with server? All the server gets is a http response, so it would be sent twice for each onload?
Need more research before diving straight into CTF hell holes. Noted
So it gives a different response if there's a matching file even if you don't have access to it?
yes, because the session cookie is still sent along. we can't directly read it out though. that's why we have to do this sidechannel attack
its early in the morning so my concentration might have lapsed, but as far as i understand the flag is publicly searchable if you know the name?
so the webscrapy thing to do would be to send search queries like the hack solution, but then simply check the length. The reply is far longer (due to length of the javascript part) if the searchquery hit, so the inducing of XSS_auditor error page seems overkill to me. or did i miss something?
No. The site has a login. And the admin only has the file with the flag on his account. That's why we had to execute the search from our website which we send to the admin to execute
@@LiveOverflow I'm also struggling to understand this part. I realize that we need to execute the search from our website which we send to the admin for execution, but would it not suffice to load the with search query like you did, but instead getElementsByTagName('pre') and retrieve the flag? If the tag doesn't exist it would mean that "no result" is returned then we will just continue looping the mechanism. I'm new to all this and just got interested through watching your video, please forgive me for my naivety.😅
You can't access the DOM of another domain ;)
@@LiveOverflow Ah now I see why. Thanks 😂
So basically at the end of the day this was sort of a social engineering challenge :D
How so?
@@LiveOverflow discovering the thickest clue in a twitter post lookup.. love your vids btw.. usually i understand less than 30% but it's slowly going up :)
Ah! Heh
why not just load some kind of browser rat and then just proxy the traffic from our browser to the "admin" browser and do the search manually and just get the flag
"browser rats" also can't magically break the same origin policy.
@@LiveOverflow does the "same origin" policy also apply to direct tcp/udp connections or only for http(s) ?
I don't know what you try to say. At least for me the technique in this video is the only way how you can leak some info cross origin. A browser cannot really speak raw TCP. Or just show me code that you think can read the search response :) code is easier to read than english
@@LiveOverflow also, I'm not sure if I fully understand the challenge, I'll try to recreate it later and let you know if I find anything.
If I got your idea right, then I have to say that it's not possible to read cross-domain content to start with.
Next time I'll try too
This is so complex!
i dont understand a single word :D lots to learn
Good to know... Thanks for the video
Great video, as always!
I am wondering why you always use Chrome. There are also other browsers (Firefox, Opera, Safari). You should also look them and try to find and report their bugs.
I like Chrome the most ;)
Yes, but other browsers may be interesting to try 🙂. Firefox has many improvements from last year, but others are also interesting.
why didnt we just try every letter of the alphabet until we find the flag? it DOES find multiple characters, right?
maybe you would get a WR fastest ctf challenge solved within 9 seconds, 7 seconds, maybe even 5?
why did u have to brute force it, i mean if u enter any char that is part of the flag u get the flag. I might be missing something
How did the web app react to duplicate session cookies? If it accepts duplicate cookies and the right one takes precedence you might be able to perform a session fixation / login csrf attack from *.appspot.com if you can control a subdomain to it, either by signing up for service or if there is an XSS anywhere on appspot.com, which should not be too hard to find. Take your own session cookie value and via an XSS on *.appspot.com run: "document.cookie='session=YOURSESSIONIDVALUE; domain=.appspot.com';" impose it on the victim (CTF box). In your session (shared by victim) create a file with a (self-)XSS that should make the CTF client leak its own session cookie (httponly isn't set) when it is opened in origin filemanager.appspot.com instead of the origin of your XSS on subdomain; or alternatively write javascript to delete the duplicate session cookie on the victim side and some more code to leak the flag from the original session running your xss on the ctf browser.
what is the name of ur music. I'm in love with it.
Sooraj JP Darude - Sandstorm
Why do you have a sticker of the workers party of Korea flag on your laptop in your profile pic?
If important security research is only available in twitter conversations then I would say that is the fault of the researchers for failing to publish their findings properly, not on other users for not staying up to date.
Nice vid
HOLY SHIT BRO.. i feel like a real script kiddie now :(
i wish after one month in time i will be able to understand this
How did you find the password when every user that you create has a different database of files?
You connect to the headless Chrome instance of the admin and tell it to go to the malicious URL, which would then perform the XS-Search attack from the admin's perspective, thus scanning the admin's files.
Who wants to do a CTF with me?
Testing rly
@@atsohg3963 Yes.
I would like to do it but i think i am not good enough😂
Which one is better? Django or Flask?
Express.
This is some high level shit
The thumbs up - as promised :-)
Hi LiveOverflow,
I am trying to access a raspberry pi, which is behind a NAT'ed network, from the internet without port forwarding and a third party website. The functionality I am looking for is something like what dataplicity.com is doing. I am a noob to networking and python. But I have strong coding knowledge with Microsoft .net and Angular 2 and higher. I would like to host my own website with this functionality. Could you please help me with this? Also dataplicity's client agent can be found at github.com/wildfoundry/dataplicity-agent
The dude breaks it down fucking well
Duuuuuude, 2 midroll ads. On a 13 minute long video... uncool
Love your vids anyway
Adblock
They're making content for you for free. The least you can do is watch an ad.
@@LiveOverflow touché. Kudos for answering a negative comment😀
@@JamEngulfer yeah, I guess it ain't that bad. I just have this personal vendetta against midrolls.😁
I've seen gaming news channels have 2 midrolls, all they do is narrate.
I watch all of your videos But I don't understand shit
I didn't understand shit
Last
So what's really the solution to any of these problems?
Who has time to subscribe to like 50 different people on Twitter and watch as they re-tweet and re-post some random political bullshit 90% of the time to dig out the hidden gems?
And is Google planning on fixing this issue?
ok after all i just understood the word HTML :(
first