DO NOT USE alert(1) for XSS

แชร์
ฝัง
  • เผยแพร่เมื่อ 23 ธ.ค. 2024

ความคิดเห็น • 252

  • @mattp12
    @mattp12 3 ปีที่แล้ว +748

    ok fine I’ll use alert(2)

    • @user-zu6ts5fb6g
      @user-zu6ts5fb6g 3 ปีที่แล้ว +19

      based

    • @magicmulder
      @magicmulder 3 ปีที่แล้ว +52

      alert(0.5+0.5);

    • @1Hippo
      @1Hippo 3 ปีที่แล้ว +19

      alert(Math.PI)

    • @FUTUREPES
      @FUTUREPES 3 ปีที่แล้ว +2

      😂

    • @goodrun88
      @goodrun88 3 ปีที่แล้ว +6

      console.log(1-alert(1)) or eval(alert(1))

  • @nk2ishere
    @nk2ishere 3 ปีที่แล้ว +568

    It would have been funny for google to really alert 1 when you input alert(1) into search box

    • @ThomasOrlita
      @ThomasOrlita 3 ปีที่แล้ว +38

      I think they did something like that once on the Bughunter page.

    • @2das
      @2das 3 ปีที่แล้ว +109

      Oh no, hell no, it would not. Imagine all the amateur bug hunters who then spam their reports to the google bug bounty XD

    • @wrng-i9f
      @wrng-i9f 3 ปีที่แล้ว +8

      @FBI Federal Bureau of Investigation Then they would pretty much ignore every XSS reports, sorry FBI.

    • @2das
      @2das 3 ปีที่แล้ว +1

      @LastName Almaember you better ignore my browsing history

    • @1e1001
      @1e1001 3 ปีที่แล้ว

      @@wrng-i9f well they can state that you have to use alert(document.domain) and just ignore all alert(1) ones or whatever

  • @whydoineedausername1386
    @whydoineedausername1386 3 ปีที่แล้ว +357

    "Look into the chrome developer tools" *Opens firefox*

    • @dertythegrower
      @dertythegrower 3 ปีที่แล้ว +13

      Yeah.. it calling home every time I open the browser..
      yeah, no go for me. Also lack of script-viewing tools on chrome compared to firefox... mm, minimal.

    • @nicoper
      @nicoper 3 ปีที่แล้ว +14

      Since this video is seemingly paid for by google, it's not strange that it contains some advertisement for Chrome.

    • @vaisakh_km
      @vaisakh_km 3 ปีที่แล้ว +22

      "In a browser, the chrome is any visible aspect of a browser aside from the webpages themselves (e.g., toolbars, menu bar, tabs)."
      - so technically dev tools is a chrome
      (Not google chrome , it's just a name of a browser which they stollen)

    • @sebastianelytron8450
      @sebastianelytron8450 3 ปีที่แล้ว +1

      @@vaisakh_km ^^ Can somebody verify that? I've literally never heard it before and information online on it is scarce. Is this really a technical term?

    • @vaisakh_km
      @vaisakh_km 3 ปีที่แล้ว +2

      @@sebastianelytron8450 I also came to know about this from one of his own videos...."sandbox escape in Firefox" or something like that.....
      Checkout that video

  • @charlesfries
    @charlesfries 3 ปีที่แล้ว +182

    This channel has taught me so much

    • @DawnnDusk-k4n
      @DawnnDusk-k4n 3 ปีที่แล้ว +2

      This guy precisely

    • @tytangameplay3118
      @tytangameplay3118 3 ปีที่แล้ว +3

      This channel got me a detention ;-;

    • @DeadDad1
      @DeadDad1 3 ปีที่แล้ว

      Same! I absolutely love way he explains things!

    • @cedricvillani8502
      @cedricvillani8502 3 ปีที่แล้ว

      You want his bounty all over your chin

    • @tytangameplay3118
      @tytangameplay3118 3 ปีที่แล้ว +3

      @@LethalSwizzle found xss and other vulnerabilities in school website, and apparently I violated some policy

  • @hikari_no_yume
    @hikari_no_yume 3 ปีที่แล้ว +99

    Why is there an “advertisement” mark at the top-right, and a mention of sponsorship by Google in the subtitles, but not in the video itself?

    • @jaralara6429
      @jaralara6429 3 ปีที่แล้ว +91

      Maybe this whole video is an ad from Google telling us to stop with the alert(1) reports 😂😂😂

    • @uttiya10
      @uttiya10 3 ปีที่แล้ว +7

      I guess the “paid promotion” message at the beginning might be enough?

    • @violetwtf
      @violetwtf 3 ปีที่แล้ว +2

      yeah this seems so sketchy

    • @luphoria
      @luphoria 3 ปีที่แล้ว +8

      @@violetwtf not really.. the video is an ad

    • @unicodefox
      @unicodefox 3 ปีที่แล้ว +3

      I think it was originally going to be that, then at the last moment he edited it out. The video is also low quality, almost as if he quickly downloaded it, edited and reuploaded

  • @TheMAZZTer
    @TheMAZZTer 3 ปีที่แล้ว +178

    Funny thing is you're using a browser that shows the origin in the alert box regardless of message, so alert(1) is fine in those browsers.
    Though you do show the edge case where there is no origin (eg it's blank) the alert box title is different, so it's worth keeping that edge case in mind.

    • @dasten123
      @dasten123 3 ปีที่แล้ว +9

      I though so too, but look at this case 7:30 it just says "An embedded page on this page says"

    • @_DeProgrammer
      @_DeProgrammer 3 ปีที่แล้ว +8

      The browser may show the origin in the alert but I think you're missing the point. It's not a bug. Using alert(1) would render a false positive and it would be better to use something other than alert(1) that shows an actual xss on the origin.

  • @4.0.4
    @4.0.4 3 ปีที่แล้ว +54

    The reason we use alert is because of old browsers that didn't have such nice consoles. It was the easiest way to see something on screen. In fact I remember an old Microsoft site where I got a debug alert when I pressed some combination of buttons (by chance).

  • @GiveAcademy
    @GiveAcademy 3 ปีที่แล้ว +10

    in the past, my reason for using alert was because it took the least amount of characters, where many forms that were being tested had character limits. also most things would check for eval specifically, however alert was often forgotten... hehe

  • @IsAMank
    @IsAMank 3 ปีที่แล้ว +27

    Huh, never considered the bug bounty angle. From my experience with clients, issues in the components of a client's application were still very valid, and would often prompt further discussion and remediation across org boundaries, which I see as the ideal outcome. Good practice for XSS checks nonetheless, great video!

  • @kissinger2867
    @kissinger2867 3 ปีที่แล้ว +2

    The more I watch you the more I find something new, interesting and worth my time. Thank you very much.

  • @thapr0digy
    @thapr0digy 3 ปีที่แล้ว +60

    When you said Google at 6:37, you triggered my Google assistant. Too bad it interrupts the video otherwise you could open malicious web sites on the users behalf

    • @yashrathi6862
      @yashrathi6862 3 ปีที่แล้ว +2

      Actually might, be a nice idea lol, but don't you have your voice recognition setup?

  • @OdinRu1es
    @OdinRu1es 3 ปีที่แล้ว +19

    Don’t use for security reasons.
    Uses for security reasons.

    • @jackharbor3347
      @jackharbor3347 3 ปีที่แล้ว +2

      Why we shouldn't use for security reasons?

    • @JustPlayerDE
      @JustPlayerDE 3 ปีที่แล้ว +7

      @@jackharbor3347 back in the past s where bad, now they are good i guess

  • @user-ko7oo2qg1g
    @user-ko7oo2qg1g 3 ปีที่แล้ว +6

    One of those rare videos by you about which I can say that I knew most of the things you mentioned. But still, a great one as always! 👍

  • @mekb-the
    @mekb-the 3 ปีที่แล้ว +43

    seems you accidentally left advertisements watermark in the top right corner for the video lol

    • @gurglemurgle5
      @gurglemurgle5 3 ปีที่แล้ว +9

      The vid might be sponsored by Google

    • @Test123747
      @Test123747 3 ปีที่แล้ว +21

      saw a few german youtuber doing this for legal reasons.
      Otherwise competitors will assume you are breaking a law if some products are highlighted in the videos, even if there is no sponsorship. They will ask for money and for you to stop doing this in the feature (with some legal document ).
      In return those youtuber then have to explain that there is no sponsorship and might even need the assistance of a lawyer. If it was sponsored he probably has to pay money to the competitor.
      So they just place a advertisement note on every single video to just not having to deal with that kind of bullshit.

    • @bernhardschmidt9844
      @bernhardschmidt9844 3 ปีที่แล้ว +9

      I mean, he does link to Googles new bug hunter University thing in the description and he does talk about how to do stuff in regards to google products throughout the video, so it being sponsored in some way isn't too far fetched.
      That said, it's weird he doesn't explicitly mention it anywhere...

    • @lilyliao9521
      @lilyliao9521 3 ปีที่แล้ว

      @@Test123747 interesting

  • @JPlexer
    @JPlexer 3 ปีที่แล้ว +34

    How do some people say "Good Video" or "Amazing Explanation"? The Video literally just released

    • @reastle1307
      @reastle1307 3 ปีที่แล้ว +7

      they fake it

    • @byekou
      @byekou 3 ปีที่แล้ว +5

      gotta earn the likes

    • @LiveOverflow
      @LiveOverflow  3 ปีที่แล้ว +86

      it's always true for my videos 🙃

    • @GamingBlake2002
      @GamingBlake2002 3 ปีที่แล้ว

      *cough cough* cyberchiranjit *cough cough*

    • @JPlexer
      @JPlexer 3 ปีที่แล้ว +5

      @@LiveOverflow well yes, but actually yes

  • @thomascodes
    @thomascodes 3 ปีที่แล้ว +2

    Different WAF'S Have diffrent responses to payloads some times destructuring the payload may work
    throw[onerror]=[alert],1

  • @menkiguo7805
    @menkiguo7805 3 ปีที่แล้ว +7

    I was working for a website and their filter of XSS has alert(1) in it

  • @1Hippo
    @1Hippo 3 ปีที่แล้ว +26

    Chrome and Firefox both always display the origin domain in the alert, shown in the video for example at 3:41. I don't see the point of writing such a unnecessarily long payload, the video title seems a bit much clickbait, otherwise good explanation tho. alert(1) is still fine.
    btw: Opera and Vivaldi do it too, I guess all chromium based browsers.

    • @SolomonUcko
      @SolomonUcko 3 ปีที่แล้ว +3

      It looks like inside s, at least browsers just say "an embedded page" rather than the actual domain or origin of the .

    • @dasten123
      @dasten123 3 ปีที่แล้ว +1

      See 7:30

    • @1Hippo
      @1Hippo 3 ปีที่แล้ว +3

      @@SolomonUcko They report the actual domain if it is set, blogger uses an too, see 4:26.
      In his selfmade example src is just not set, so it falls back to the generic message.

    • @1Hippo
      @1Hippo 3 ปีที่แล้ว

      @@dasten123 See 7:45, in any case you get basically the same info.

  • @marcoschincaglia
    @marcoschincaglia 3 ปีที่แล้ว +5

    ok, I had to interrupt my lazy Saturday afternoon to actually learn something useful

  • @devprogramming
    @devprogramming 2 ปีที่แล้ว +1

    Use print() instead of alert() because browsers are disabling the alert() for cross-domain s.

  • @zaphooxx8779
    @zaphooxx8779 3 ปีที่แล้ว +4

    Very good , valuable and helpful information you are providing here. Thanks !

  • @sharemarket1971
    @sharemarket1971 3 ปีที่แล้ว

    I'm new in bug hunting...
    I understand nothing but I watched this video

  • @Jimmy1985
    @Jimmy1985 3 ปีที่แล้ว +2

    But can i still deploy malware on the client machine via this xss? A bEEF hook could hook into the browser of the client. I would not call any xss a safe xss but i guess it is out of scope.

  • @realjameskii
    @realjameskii 3 ปีที่แล้ว +3

    Ok thanks, ill use alert(2) instead

  • @arivanhouten6343
    @arivanhouten6343 3 ปีที่แล้ว +6

    Finally another masterpiece!

  • @chiranjit9529
    @chiranjit9529 3 ปีที่แล้ว +6

    Amazing explanation

    • @piyh3962
      @piyh3962 3 ปีที่แล้ว +1

      This taught me more about XSS than any other video I've seen so far.

  • @medpro5612
    @medpro5612 3 ปีที่แล้ว +2

    Can I use alert(1337) ?

  • @HacknMate
    @HacknMate 3 ปีที่แล้ว +2

    For Pentesting you use alert(1) because you need to document everything that is vulnerable on a blackbox webapp. For bug bounty, however this will not work because of 'impact'.

    • @coldplay5467
      @coldplay5467 3 ปีที่แล้ว +1

      Not unless the organization’s webapp you’re pentesting is purposely allowing scripts to be executed by the end-users.

    • @HacknMate
      @HacknMate 3 ปีที่แล้ว

      @@coldplay5467 that would be an isolated case. I'm talking in general.

  • @scou1yy
    @scou1yy 3 ปีที่แล้ว +2

    Imagine getting a pop-up saying "2", that would be threatening

  • @asdfghyter
    @asdfghyter 3 ปีที่แล้ว +1

    Is there any practical difference between document.domain and window.origin for these purposes?

  • @soroushhd2408
    @soroushhd2408 3 ปีที่แล้ว +2

    man I believe in it I got a xss from an imortant web site thats belong to a very important organization that was pentested for 3 times 🤣🤣🤣

  • @shaswatmjha
    @shaswatmjha 2 ปีที่แล้ว

    Is it self or reflected XSS if I modify the response in BURP and it shows alert, but doesnt show in URL?

    • @LiveOverflow
      @LiveOverflow  2 ปีที่แล้ว +1

      Neither ;) it’s nothing ;)

    • @shaswatmjha
      @shaswatmjha 2 ปีที่แล้ว

      @@LiveOverflow

  • @elessandro39
    @elessandro39 3 ปีที่แล้ว

    Your channel is pure gold. Thank you

  • @drahoxx3076
    @drahoxx3076 3 ปีที่แล้ว +2

    Why is there an "advertisement" message in the top right corner ? Is it just a mistake ?
    Anyway, very instructive video ! (Like the others!)

    • @tercmd
      @tercmd ปีที่แล้ว

      It's because Google paid him to produce this for Bug Hunter University and he thought it to be a good video, so he published here.

  • @paprika5487
    @paprika5487 3 ปีที่แล้ว

    Thank you! This is good to bear in mind in future testing!

  • @ceilidhDwy
    @ceilidhDwy 3 ปีที่แล้ว +1

    Why is it marked as a sponsored video? Did google sponsor this one?

    • @tercmd
      @tercmd ปีที่แล้ว

      They paid for it to be created and he thought it to be a good video, so he published it on LiveOverflow

  • @TheJDebski
    @TheJDebski 3 ปีที่แล้ว +2

    Thanks so much. You're doing great work. I would love more hunting videos. Very interesting

  • @h4ckv157
    @h4ckv157 3 ปีที่แล้ว

    All your videos are my favorite. 💎 I really appreciate this one too 🙏

  • @DiThi
    @DiThi 3 ปีที่แล้ว

    Are web workers another way of sandboxing potentially unsafe code?

  • @Hackerone1444
    @Hackerone1444 ปีที่แล้ว +1

    print(5)

  • @michaeldouglas1052
    @michaeldouglas1052 2 ปีที่แล้ว

    Very precious and important tips, thank you!

  • @arenaesports2580
    @arenaesports2580 3 ปีที่แล้ว +1

    For Chrome we can use print now

  • @156785543
    @156785543 3 ปีที่แล้ว

    Excuse me my ignorance. What is the most dangerous thing you can do with that kind of attack? (xss) in Real life. I mean if I found a xss vuln the hacker just could catch my token/credentials by fishing? Or there is a other most power full attack. Excelente video and cheers from Argentina!

  • @MrItrollaround
    @MrItrollaround 3 ปีที่แล้ว +3

    Wait, so I'm not allowed to name my Skyrim player this anymore? Darn.

  • @soonpeace9938
    @soonpeace9938 3 ปีที่แล้ว

    Very Informative.............Keep it up

  • @4ag2
    @4ag2 3 ปีที่แล้ว +1

    Very well explained! Thanks 👍

  • @dasten123
    @dasten123 3 ปีที่แล้ว +1

    This is interesting! Cool video man!

  • @ZelenoJabko
    @ZelenoJabko 3 ปีที่แล้ว +1

    Not all browsers support sandboxed s. Those browsers are vulnerable.

    • @ThePizzabrothersGaming
      @ThePizzabrothersGaming 3 ปีที่แล้ว +1

      which one doesn't, internet explorer? thats EoL

    • @ZelenoJabko
      @ZelenoJabko 3 ปีที่แล้ว +1

      @@ThePizzabrothersGaming your mom doesn't

  • @aldison5070
    @aldison5070 3 ปีที่แล้ว +4

    We use eval()

  • @omri9325
    @omri9325 3 ปีที่แล้ว

    Is this a new video-file format? the quality looks too compressed :|

  • @seclilc
    @seclilc 3 ปีที่แล้ว +1

    Great video as always

  • @KickoffCentral24
    @KickoffCentral24 3 ปีที่แล้ว

    I need help in APDU setup

  • @starkline3962
    @starkline3962 3 ปีที่แล้ว

    which video editing tool you use to edit video

  • @10oneluv10
    @10oneluv10 2 ปีที่แล้ว

    GREAT VIDEO! I never knew any of this.

  • @isvladxxe
    @isvladxxe 3 ปีที่แล้ว

    is this a recipe how to make user js safe?

  • @pixelorange9651
    @pixelorange9651 3 ปีที่แล้ว +1

    Thank you for your suggestions on XSS! Your video is very good, so I want to translate it and share it on the Chinese video website (bilibili) in my free time. I will keep the introduction and title of your video consistent and declare the author, and I will not get any profit from it. Do you agree with this matter?

  • @gradientO
    @gradientO 3 ปีที่แล้ว +3

    alert(1)

  • @lmaoroflcopter
    @lmaoroflcopter 3 ปีที่แล้ว

    Use prompt(2) ?? :D

  • @b391i
    @b391i 3 ปีที่แล้ว

    alert("You Are The Best")

  • @Lantalia
    @Lantalia 3 ปีที่แล้ว +2

    We use alert because it predates chrome, firebug, and most useful 'consoles'

  • @b33bo93
    @b33bo93 3 ปีที่แล้ว

    Why doesn't html just ignore scripts from the body?

    • @lmaoroflcopter
      @lmaoroflcopter 3 ปีที่แล้ว

      📎 Hi it looks like you're trying to use a CSP?

  • @Seedhi-Baat
    @Seedhi-Baat 3 ปีที่แล้ว

    Very nice observation! keep it up!

  • @thejswaroop5230
    @thejswaroop5230 3 ปีที่แล้ว

    Bro i have a suggestion....
    can u please put a video on PEGASUS spyware...like I'm genuinely confused what is it and why news channels are milking it so much....is it a thing to be afraid of?
    I would love to see your perspective on this....
    If not here maybe atleast in your other channel liveunderflow pls....?

  • @hawk__
    @hawk__ 3 ปีที่แล้ว

    Very Beautiful Explanation :)

  • @krlst.5977
    @krlst.5977 3 ปีที่แล้ว

    That was great, very interesting video. Thank you

  • @dclxviclan
    @dclxviclan 2 ปีที่แล้ว

    Cool, nice tut

  • @danhorus
    @danhorus 3 ปีที่แล้ว +1

    I use console.log or console.trace :)

  • @mekb-the
    @mekb-the 3 ปีที่แล้ว

    dark mode intro pog

  • @rafaeldacosta8581
    @rafaeldacosta8581 2 ปีที่แล้ว +1

    destroying kids dreams under 12 minutes huahuahuahuahuahua

  • @mindreader3947
    @mindreader3947 3 ปีที่แล้ว

    wonderful video Thanks @liveoverflow

  • @sql7002
    @sql7002 3 ปีที่แล้ว +1

    As usual 🔥🔥🔥🔥👌

  • @HackoMedia404
    @HackoMedia404 2 ปีที่แล้ว

    Very informative video

  • @fairchild9able
    @fairchild9able 3 ปีที่แล้ว

    Really nice clip. Thank you

  • @spv420
    @spv420 3 ปีที่แล้ว

    I just realized I wasn’t subscribed. I fixed that.

  • @Baeyk
    @Baeyk 2 ปีที่แล้ว

    I love this guy

  • @anthonation
    @anthonation 3 ปีที่แล้ว +1

    Thank you so much 🙌🏻

  • @randomguy3784
    @randomguy3784 3 ปีที่แล้ว

    Superb video👌

  • @velho6298
    @velho6298 3 ปีที่แล้ว

    Advertisement, nice touch.

  • @mrspy8972
    @mrspy8972 3 ปีที่แล้ว

    Make a video on Pegasus Too..

  • @Epinardscaramel
    @Epinardscaramel 3 ปีที่แล้ว

    5:02 Sorry Flash, f.

  • @ThatGuy-bx3pv
    @ThatGuy-bx3pv 3 ปีที่แล้ว

    TH-cam recommend me this and I don't understand a thing. Why youtube? Why?

  • @Quget
    @Quget 3 ปีที่แล้ว +3

    4:22
    But you are using the much better browser.... Firefox!

  • @TianyuQi
    @TianyuQi 3 ปีที่แล้ว

    me, who uses alert(): intensive sweating

  • @mualifulmizan9066
    @mualifulmizan9066 3 ปีที่แล้ว +1

    Nice this video

  • @prawnstarrr
    @prawnstarrr 3 ปีที่แล้ว

    alert("xss") -- a classic

  • @charlie5tanley
    @charlie5tanley 2 ปีที่แล้ว

    thank you thank you....

  • @Agilato
    @Agilato 3 ปีที่แล้ว

    Please, work on you over all sound volume, each time i watch your channel have to wear a headset cus volume is too low compare to other channels. Thanks for your work!

  • @iooosef6006
    @iooosef6006 3 ปีที่แล้ว

    Good thing I use alert(2)

  • @me-ashacker233
    @me-ashacker233 3 ปีที่แล้ว

    Sir plese re upload how real hacking viedo sir you removed that viedo

  • @ThePowerRanger
    @ThePowerRanger 3 ปีที่แล้ว

    Very interesting.

  • @w3w3w3
    @w3w3w3 3 ปีที่แล้ว +1

    damm super interesting :)

  • @thesheep6248
    @thesheep6248 3 ปีที่แล้ว

    great info

  • @iicloudbob8793
    @iicloudbob8793 3 ปีที่แล้ว

    Please try reverse engineering Synapse X. It will be a challenge for you

  • @AntiWanted
    @AntiWanted 3 ปีที่แล้ว

    Nice 👍

  • @muha0644
    @muha0644 3 ปีที่แล้ว

    You make your videos really well. Amazing script, you speak clearly and enthusiastically, and you make cool graphics that are easy to understand and look nice in general, etc...
    The only thing I can complain about is that your IRL background looks kinda scary, like you are about to make an apology video or a documentary. It's not really a complaint but I though you could use the feedback. If you still have the breadboard pc you could make a counter and hang it in the background...or add some shelves or something.
    Unless you like the empty backdrop in which case ignore what I just said. Keep up the good work!

  • @IudiciumInfernalum
    @IudiciumInfernalum 3 ปีที่แล้ว

    I generally just `alert(%27MyHandle%27)`

  • @nameless_9504
    @nameless_9504 3 ปีที่แล้ว

    And one more I have a came across a xss. But they aren't storing any information about user in cookies or localstorage. They are using completely stateless JSON web tokens and refresh token. When we are in certain endpoint then it will assign a in cookie using JWT. Best example using ( KEYCLOAK ). So I hosted a FORM to prove a attack possible in the domain.

  • @Jason-uv5tm
    @Jason-uv5tm 3 ปีที่แล้ว

    very cool

  • @bibelwalker
    @bibelwalker 3 ปีที่แล้ว

    Michael Cera's cooler, more extraverted brother

  • @techdevils1597
    @techdevils1597 3 ปีที่แล้ว

    alert("xss")