Script Gadgets! Google Docs XSS Vulnerability Walkthrough

  • Published on 1 Oct 2024

Comments • 244

  • @reydion1648
    @reydion1648 4 years ago +884

    other youtubers: "this video is sponsored by Raid Shadow Legends"
    LiveOverflow: "This video is sponsored by freaking google, showing bugs on their products!"
    what a legend

    • @sharkbeats1397
      @sharkbeats1397 4 years ago +3

      true legend indeed

    • @rakeshchowdhury202
      @rakeshchowdhury202 4 years ago +6

      He's a true legend, just like our today's sponsor Google. Privacy? With Google you can have no privacy. Forget it. You don't care about us taking your nudes from your Android, do you? Why are we asking anyway. 😂😂😂😂😂😂

    • @_vsnwprintf_s_l
      @_vsnwprintf_s_l 4 years ago

      I got a RAID ad on this, so...

    • @rakeshchowdhury202
      @rakeshchowdhury202 4 years ago +2

      @@sabaundefined Just like our today's sponsor Raycon Shadow Legends. Use code Linus to get a discount

  • @bryces8017
    @bryces8017 4 years ago +571

    WHAT, google paid you, to talk about some guy who they paid to find bugs in their system, who they paid even more when he found a bug?

    • @dandogamer
      @dandogamer 4 years ago +105

      Who paid a developer to introduce a bug and who paid another developer to fix said bug 😉

    • @misaalanshori
      @misaalanshori 4 years ago +95

      It's also an advertisement for Google even though it's technically talking about Google negatively. It's kinda weird, but I think Google is trying to show that they listen to people reporting bugs and fix them, and also promoting their bug bounty system.

    • @RnVjayBZb3V0dWJl
      @RnVjayBZb3V0dWJl 4 years ago +4

      Just because he is sponsored doesn't mean that he is getting paid ^^

    • @phagesuffersatgaming.3797
      @phagesuffersatgaming.3797 4 years ago +33

      @@RnVjayBZb3V0dWJl sponsor= paid to advertise. Are you for real dude?

    • @couch9416
      @couch9416 4 years ago +8

      @@RnVjayBZb3V0dWJl sponsored literally means to get paid for it. Get a dictionary

  • @cryptonative
    @cryptonative 4 years ago +42

    lvl1: paid to secure google source
    lvl2: paid to look at google source
    lvl3: paid for finding bugs while paid to look at google source
    lvl100: paid to make a video about google source bugs
    lvl10000: paid to make a video about google source bugs by freaking google :p

  • @LostInAutism
    @LostInAutism 4 years ago +116

    When dynamic programming becomes too dynamic

    • @LugnutsK
      @LugnutsK 4 years ago +6

      “Dynamic programming” doesn't mean what you think it means

    • @andreidicu2882
      @andreidicu2882 4 years ago +3

      @@chyza2012 like cpp with dynamic programming? u ok bro?

    • @DominicNweze
      @DominicNweze 1 year ago

      @@LugnutsK what's dynamic programming 🤔

    • @DominicNweze
      @DominicNweze 1 year ago

      @@andreidicu2882 what's dynamic programming

    • @LugnutsK
      @LugnutsK 1 year ago +1

      @@DominicNweze Dynamic programming is a misleading name for algorithms which break a problem into small recursive sub-problems and solve all the sub-problems in order to solve the overall problem.

  • @iamskidrow
    @iamskidrow 4 years ago +153

    I'll pretend I understood Everything

  • @soggybaguette8457
    @soggybaguette8457 4 years ago +67

    You know you've made it as a dev/techie when you get *google* themselves to sponsor a video

  • @jbmagination2
    @jbmagination2 4 years ago +295

    "It's all the Google security team's fault"

    • @兽Arufisu
      @兽Arufisu 4 years ago +2

      bruh moment
      edit: how the tables have turned (what I said in the live chat at the end)

    • @Vaaaaadim
      @Vaaaaadim 4 years ago +1

      Trust nobody(with security) not even yourself.

    • @keineahnung1919
      @keineahnung1919 4 years ago

      didn't want to ruin the perfect 69 likes

    • @__________________________177
      @__________________________177 4 years ago

      but you did it... you just did it... ;(

    • @4n1eu
      @4n1eu 4 years ago +3

      Google paid him to say "f you" to their own security team

  • @anakinskywalkerrr
    @anakinskywalkerrr 4 years ago +33

    Sponsored by Google, "It's all Google security fault" video end. What a mad lad

  • @arthurg5966
    @arthurg5966 4 years ago +144

    Watching normal TH-cam videos : Chill and Relax
    Watching LiveOverflow videos : Concentrate and Take notes. Watch again to check if flow of thoughts was correct. Watch again to see if you understood everything properly.

    • @cwmd7651
      @cwmd7651 4 years ago

      Yeah I need to watch like 2 more times to understand everything lol

    • @fahmiirfan6923
      @fahmiirfan6923 4 years ago

      So true 😂

  • @blackblather
    @blackblather 4 years ago +42

    Uses google ads: no one bats an eye
    Google actually sponsors the video: Holy shit

  • @metalpachuramon
    @metalpachuramon 4 years ago +126

    This is very interesting! These vulnerabilities arise from a common pattern: the factory pattern.
    In the factory pattern, you address the problem of creation, where basically you use unchecked types like strings and unchecked data like strings, or in this case JSON, and then use polymorphism to polymorphically continue the object life cycle; this allows you to have object-type-related if statements in a centralized manner.
    So, by not having a whitelist, you can call arbitrary constructors like hlc. The interesting part is that implementing a whitelist falls into another pattern: the abstract factory pattern, where you define an includes method that uses a string list.
    Because of how convoluted the abstract factory pattern seems, programmers often choose the concrete factory pattern, because they rarely see a benefit over using the abstract factory.
    The most interesting thing is that you could even exploit other kinds of systems, like Java-based systems, because they also use this string gadget for loading classes during execution time.

    • @lefteriseleftheriades7381
      @lefteriseleftheriades7381 4 years ago +1

      I could never understand the difference between a regular factory and an abstract factory, please help!

    • @wtwt8714
      @wtwt8714 4 years ago +6

      @@lefteriseleftheriades7381 Regular factory: create an object directly. Abstract factory: provide an abstract method to create IThing and let SomeConcreteFactory (inheriting the abstract factory) create ThingThatInheritsFromIThing. Using the abstract factory pattern you get one more indirection between code using IThing and code creating a concrete IThing.

    • @metalpachuramon
      @metalpachuramon 4 years ago +13

      @@lefteriseleftheriades7381 look for "Uncle Bob factory pattern", he explains it in depth.
      The problem with factories is that statically you cannot know an object type beforehand; it's at runtime that, through conditions, you decide which object to use. When you add many seemingly related factories, as a dev it becomes difficult to know exactly which classes are being used in each of those factories. Therefore in the abstract factory pattern you provide an abstract base class that the other factories have to derive from; this base class usually includes an abstract method called includes (or similar). By doing this you force derived classes to implement it, which obligates them to use a list of strings to enumerate which classes are valid.
      This way, you provide some sort of type safety stated by lists of strings, so that whenever a factory receives an unexpected value, the includes method prevents you from creating an unexpected object by throwing an exception or something.
      In other words, this pattern is for devs to understand and for runtime guards, since the compiler can't statically figure this out and prompt an error.
      I hope this helps.

    • @k3daevin
      @k3daevin 4 years ago +3

      The vulnerability comes from JavaScript.

    • @karserasl
      @karserasl 4 years ago +1

      @@k3daevin No, the vulnerability comes, as correctly said, from the implementation of the factory pattern, using JS (but JS has nothing to do with this)

  • @kryvxde6950
    @kryvxde6950 4 years ago +124

    google sponsoring, damn, you've gone a long way. gg

    • @alexanderdell2623
      @alexanderdell2623 4 years ago +1

      That's cool, but where's the referral link to google?

    • @rakeshchowdhury202
      @rakeshchowdhury202 4 years ago

      Next Video sponsored by Raycon Earbuds

  • @ASHStudios
    @ASHStudios 4 years ago +26

    so it's all google security team's fault xD

  • @bls7879
    @bls7879 4 years ago +19

    6:16 Subtitle: "He knows that Jesus is a Javascript library".
    Okay

    • @bitrr3482
      @bitrr3482 4 years ago

      CarbonCopy yeah! Just use Jesus.convert(water, wine)

    • @bitrr3482
      @bitrr3482 4 years ago

      CarbonCopy That returns the now wine

  • @pietrosanchez7484
    @pietrosanchez7484 4 years ago +41

    This is some incredibly dense content for people learning development and cybersecurity. This helps us learn more about what more we could still learn about. I will always be grateful for all your inspiring and insightful content!

  • @tilakmadichettitheappdeveloper
    @tilakmadichettitheappdeveloper 4 years ago +10

    i don't think 4 grand is justified - this guy needs to be given 20 racks at least 😡😡😡😡😡😡😡😡😡

  • @blenderpanzi
    @blenderpanzi 4 years ago +5

    That's a huge list of best practice violations:
    * Don't let a parameter specify an arbitrary function, use known values from a hashtable/switch statement instead
    * Don't let a postMessage pass a script url, just tell the page "do thing A" and it then knows what to do
    * Don't accept postMessages from arbitrary origins
    * Disallow arbitrary script sources using CSP
    If any of these had been done, the vulnerability would not exist. There might be reasons why you want 2 and 4, but at least 1 and 3 should definitely be done.
    Edit: Hadn't finished watching the video. Why there even is a function that executes arbitrary JavaScript from a URL was explained.

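The first and third points in the list above (and the allowlist that @metalpachuramon's comment describes) in working form. This is an added example, not code from the video, from Google Docs, or from either commenter: a postMessage handler that lets the message name the function to call, next to an allowlisted version with an origin check. All names here (`renderDoc`, `scrollTo`, `loadScript`, `TRUSTED_ORIGIN`) are illustrative.

```javascript
// Functions that legitimately live on the embed page's namespace. loadScript
// stands in for a "script gadget": reachable code that was never meant to be
// triggered by an untrusted message (here it only returns a label).
const pageGlobals = {
  renderDoc(data) { return `rendered:${data}`; },
  scrollTo(data) { return `scrolled-to:${data}`; },
  loadScript(url) { return `script-tag-appended:${url}`; },
};

// Unsafe pattern: the message picks the callee by name. Every function
// reachable through the namespace, the gadget included, becomes callable
// by whoever can post a message.
function handleMessageUnsafe(event) {
  const { action, data } = event.data;
  const fn = pageGlobals[action];          // no allowlist, no origin check
  return typeof fn === 'function' ? fn(data) : undefined;
}

// Hardened pattern: a closed Map of the few actions the embed should expose,
// plus an origin check so only the expected embedding page can send commands.
const TRUSTED_ORIGIN = 'https://example.test';   // placeholder embedding origin
const ALLOWED_ACTIONS = new Map([
  ['renderDoc', pageGlobals.renderDoc],
  ['scrollTo', pageGlobals.scrollTo],
]);

function handleMessageSafe(event) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return { ok: false, reason: 'untrusted origin' };
  }
  const { action, data } = event.data ?? {};
  if (!ALLOWED_ACTIONS.has(action)) {
    // Unknown names are rejected instead of being looked up dynamically, so
    // the gadget stays unreachable even though it still exists on the page.
    return { ok: false, reason: `unknown action: ${String(action)}` };
  }
  return { ok: true, result: ALLOWED_ACTIONS.get(action)(data) };
}

// Constructed messages for a self-check (not captured traffic): one benign
// command from the trusted origin, one from elsewhere that names the gadget.
function demo() {
  const benign = { origin: TRUSTED_ORIGIN,
                   data: { action: 'renderDoc', data: 'doc-1' } };
  const gadget = { origin: 'https://untrusted.test',
                   data: { action: 'loadScript', data: 'https://untrusted.test/x.js' } };
  return {
    unsafeBenign: handleMessageUnsafe(benign),   // 'rendered:doc-1'
    unsafeGadget: handleMessageUnsafe(gadget),   // gadget reached
    safeBenign: handleMessageSafe(benign),       // { ok: true, ... }
    safeGadget: handleMessageSafe(gadget),       // { ok: false, ... }
  };
}
```

Even with the trusted origin, the hardened handler refuses `loadScript`, which is the point: the allowlist, not the origin check alone, is what closes off the gadget.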
  • @ThatGamerBlue
    @ThatGamerBlue 4 years ago +60

    Just enrolled in the college of XSS, wish me luck as a brand new copy paste machine :)

    • @sonofmars1337
      @sonofmars1337 4 years ago +8

      i wish you luck and hope you ctrl-c ctrl-v your way to a bug bounty

    • @parabolicpanorama
      @parabolicpanorama 4 years ago

      Where did you start from? Which resources would you recommend?

    • @dingusbrule5756
      @dingusbrule5756 4 years ago

      @@parabolicpanorama Look into Burp Suite

    • @Folsets
      @Folsets 4 years ago

      God bless your fingers!

    • @vincent-thomas
      @vincent-thomas 2 years ago

      You're fcked if your V key doesn't work

  • @Sezdik
    @Sezdik 4 years ago +2

    Are we sure that was a fault? maybe it was sitting there for some selected people to use..

  • @sccp1997
    @sccp1997 4 years ago +6

    *Sponsored by Google to talk about Google Security team's fault.*

  • @soksamnang2150
    @soksamnang2150 4 years ago +15

    I like the way he flamed Google's security team even though he is sponsored by Google :D

    • @steefant
      @steefant 4 years ago +1

      rest assured that they will get roasted for this internally as long as they are employed there ;)

    • @pvic6959
      @pvic6959 4 years ago

      knowing google, they would be flaming them too. Let's point out that this issue was SUPER buried. He explained it and I didn't understand, so it's very likely no one even saw it happening until this guy somehow found this bug. google takes security super seriously so I'm more surprised the bug was fixed and CAME BACK. the engineers who let that happen are going to be in trouble lol

    • @LiveOverflow
      @LiveOverflow  4 years ago +14

      The engineers are not at all in trouble. They interviewed with me :) this is totally normal and shouldn’t be shamed.

    • @pvic6959
      @pvic6959 4 years ago

      @@LiveOverflow learning from mistakes is the best thing we can do!

    • @Wowthatsfail
      @Wowthatsfail 4 years ago

      Seeing as WE are Google's security team, I don't think they care.

  • @threeMetreJim
    @threeMetreJim 4 years ago +1

    You can use Google chrome browser to read minified code, just click the {} for pretty print...
    All of the hacking I've done, I've used this. First in the Opera browser, and then using Chrome dev tools. I found several vulnerabilities in sites that way. With a bit of practice it's not very difficult to follow obfuscated code, especially when you can set breakpoints and skip through it. Everything I've reported got fixed, with nothing but a 'thanks' and not a bounty in sight (apart from Facebook's $500)... Now I can't be bothered reporting bugs or vulnerabilities, sometimes they'll be exploited for fun, but that is it.

  • @TheMrKeksLp
    @TheMrKeksLp 4 years ago +3

    Oh boy, taking a user specified string without any validation and calling a function with that name really wasn't the finest implementation tbh. How did they NOT expect someone to exploit that?

  • @glowiever
    @glowiever 4 years ago +1

    dang my company uses an SSO service which abuses jsonp in its token handling. really makes me think...

  • @iyxan23
    @iyxan23 4 years ago +5

    I've never seen someone sponsored by Google before

  • @mrappu2884
    @mrappu2884 4 years ago +1

    going to be 500k... congrats @LiveOverflow

  • @Mitsunee_
    @Mitsunee_ 4 years ago +3

    Why does this video end up feeling like TOP 5 TIMES the Google SECURITY Team Got GIT BLAMED

  • @humanflybzzz4568
    @humanflybzzz4568 4 years ago +2

    Wow, your channel has grown. I've been away from watching your vids for a while, so it's kinda amazing to see almost 500k subs on a tech channel that's not only about gaming rigs :) Love it, good work LiveOverflow

  • @jeromej.1992
    @jeromej.1992 4 years ago +1

    So, if a method is executing sensitive actions, it should embed the security check call? Does it really only apply to languages or should it be considered in other languages as well? (say c#)

  • @bren.r
    @bren.r 4 years ago +1

    Idk why they’d think it would ever be a good idea to rely on a string to construct things. Shouldn’t you have an inherent hesitation to do such a thing? It’s like using eval. Same with accessing arrays of methods in obfuscated code by string properties.
    It’s actually crazy how many JS exploits you can take advantage of on most websites.

  • @markusTegelane
    @markusTegelane 4 years ago +1

    It's pronounced cross ss not xss
    (jk)

  • @roxrosa
    @roxrosa 4 years ago +1

    I think we could automate this using Selenium. We could test it, but we might spend a lot of time developing the framework for the google project. I might be wrong though haha

  • @kevinsanthosh3537
    @kevinsanthosh3537 4 years ago +2

    Fact: The guy (thefl0w) who discovered a kernel exploit for PS4 was paid $10,000 by Sony!

  • @Nossody
    @Nossody 4 years ago +3

    SPONSORED BY GOOGLE?
    we're out here bois

  • @RaceForMoney
    @RaceForMoney 4 years ago +2

    5:27 RUSSIAN DETECTED!

  • @cheaterman49
    @cheaterman49 4 years ago +1

    You know what this kind of intricate multi-step process reminds me of? Pokémon exploits. But you started covering that already so I'm sure there'll be more coming :-)
    Also, congrats in advance for your 500k subs, very much keeping the hacking spirit alive!

  • @flonc6290
    @flonc6290 4 years ago +1

    Imagine if he got demonetized..

  • @arisweedler4703
    @arisweedler4703 4 years ago +1

    The malicious spreadsheet attack... this is why it's unsafe for even clients to be able to attack themselves!! The attacker gets to be the client sometimes.

  • @raiwac
    @raiwac 4 years ago

    Please help me
    How to bypass speed hack detection in game ??
    🙏🙏🙏♥️♥️♥️🙏🙏♥️♥️

  • @paranoidraider
    @paranoidraider 4 years ago

    It is immoral how silly the money they pay for such hard work is when they earn SO MUCH.
    SHAME on you Google!
    Moreover Google just showed us how shitty their code is - thanks Google, but I won't be another of your low-paid workers.

  • @hocky-ham324-zg8zc
    @hocky-ham324-zg8zc 3 years ago

    Only $4,000 for a pretty substantial bug? Next time maybe Nikolai should see if there’s a higher bidder ;)

  • @valrina
    @valrina 3 years ago

    Saying that this bug couldn't be found by any tool is not a statement I would make. I am pretty sure a GPT3-like transformer for this purpose could find not only this but many more bugs that we can't even possibly understand.

  • @aat2312
    @aat2312 4 years ago

    Is it only me that thinks Nikolay looks like Elliot?

  • @missingno6618
    @missingno6618 4 years ago +2

    Great video man!
    Also, can you do a video with Ezequiel Pereira? His vulns are super awesome.

  • @paxdriver
    @paxdriver 4 years ago

    It is so dope to see cooperation and capitalism working and outputting free educational videos afterwards. This is a shining example of how we should behave in society lol

  • @ZombieBrine1309
    @ZombieBrine1309 3 years ago

    Damn. Google sponsored a video on their own platform. That's a rare one!

  • @over00lordunknown12
    @over00lordunknown12 4 years ago

    I want to go into cyber security. bug hunting, penetration testing (with social engineering), but I feel like I know so little about all of it. :/

  • @myhackertech
    @myhackertech 4 years ago +1

    It is interesting to know that Google sponsored it ! I wonder if this XSS was exploited in the wild

  • @sriram-zn3ic
    @sriram-zn3ic 3 years ago

    Only $4133.70 for his great work ?

  • @HarryBallsOnYa345
    @HarryBallsOnYa345 4 years ago +23

    Whenever i hear the word i just shiver, ugwha.

  • @nightking4615
    @nightking4615 3 years ago

    And Google keeps saying we are not smart enough to work there because we are not able to reverse a linked list under pressure the way they expect us to! LOL

  • @Gess1t
    @Gess1t 4 years ago +2

    damn, this guy is farming money from google's security team

    • @barefeg
      @barefeg 4 years ago

      Actually his job could be easier if he had access to the source code and internal google tools. But that would mean he’d be a google employee with a 6+ figure salary. Instead they pay him actual pennies for the bounty.

  • @chadsoftwarefreedom65
    @chadsoftwarefreedom65 4 years ago +1

    awesome

  • @amyshaw893
    @amyshaw893 4 years ago +1

    Am I misunderstanding something? I don't see the issue here. you create a google doc, then modify it so that when you embed it, and tell it to run javascript, it runs javascript. Can't you just... run the javascript? If you have control over the embedding site like that, can't you just write your own javascript directly?

    • @KuromiAK
      @KuromiAK 4 years ago +5

      You are not supposed to be able to embed arbitrary JavaScript into an embedded Google Doc. The embedded Google Doc has access to the visitor's account, which you shouldn't have access to.
      It is true that you can just embed any JavaScript. But it should only happen when the embedded content also comes from your website. XSS happens when you can embed code into someone else's website, which is accessed with a different set of credentials & cookies.

  • @leozendo3500
    @leozendo3500 4 years ago

    Google sponsors. Good, your channel is less likely to be demonetized.

  • @dichvuseo
    @dichvuseo 4 years ago

    Which software are you using in this video?

  • @prashantsharma4846
    @prashantsharma4846 4 years ago +1

    How can I analyse obfuscated JavaScript code? Any suggestions? It’s difficult to analyse code like a.b b.this

    • @madghostek3026
      @madghostek3026 4 years ago

      You can try downloading the page and run it offline, but that usually breaks the page, or you can use some kind of proxy to load your modified js file instead. Then you can add debug prints or dump objects for information easily

  • @rajk9034
    @rajk9034 4 years ago

    If Google really rewards then I will report vulns

  • @FurriousFox
    @FurriousFox 4 years ago +1

    amazing videos!
    can you add a link to the bug report in the description?

  • @secureitmania
    @secureitmania 4 years ago +12

    Eagerly waiting to see😍

  • @anakinskywalkerrr
    @anakinskywalkerrr 4 years ago

    Just put XSS as out of scope, problem solved.

  • @1008OH
    @1008OH 4 years ago +1

    So you got sponsored by google? Damn that's some serious drip

  • @권현준-o1k
    @권현준-o1k 4 years ago

    Wow... that's amazing...
    And that was a perfect explanation. Thank you for your video!

  • @iamjoris
    @iamjoris 4 years ago

    As always, nice explanation!
    Why would you say this problem could never be found by an automated check? I'd argue that instantiating an object from a string is always a bad idea. It may be quite normal to do in Javascript, but that does not make it a good idea. It feels comparable to manually changing the instruction pointer based on some input. Yes, this can be powerful, but why the heck would you? I'd say creating a static mapping between strings and classes is definitely worth the effort. For example, Google's own language Go does not allow you to do anything like this without getting into the (literally called) unsafe package (if it's even possible with that).
    So to conclude: why not just disallow using a string for instantiating an object altogether? I use Javascript only to a limited extent professionally, so I'd love someone to tell me why this is not feasible/not applied in practice :-]

  • @falxie_
    @falxie_ 4 years ago

    Obfuscated/minified code is kinda pointless when you can just beautify it. I think all JS code should have sourcemaps

  • @Rickyy4K
    @Rickyy4K 4 years ago

    "This god damn Google Security team can't do anything right! Well I guess we'll just say it's larry's fault then."

  • @jessefontainieohfwob
    @jessefontainieohfwob 3 years ago

    I just stumbled upon your videos. I understand most of it, but I gotta ask. Why is xss so bad?

    • @angelcaru
      @angelcaru 3 years ago

      If you can run JS, you can steal cookies or, in the worst cases, even passwords!

  • @ijwarren170
    @ijwarren170 4 years ago

    This is why companies like Google, Apple, Microsoft and many others stay in business. They acknowledge that everything is vulnerable and are open to fixing them. Vice, many startups who try and punish those who exploit them, or Twitter, who makes no effort in securing their systems.
    Things could be better, but getting better starts with this mentality.

  • @0x-SHx
    @0x-SHx 4 years ago

    I just found this channel few hour ago and I'm already in love with your work...
    You're feeding all my curiosities... Love your approach how you explain things...

  • @bhushann2356
    @bhushann2356 4 years ago

    It requires you to understand the code structure. Can't be explained in such a video. We can only trust Nicoli's work.

  • @TheNitroPython
    @TheNitroPython 4 years ago

    Where did you find the step by step instructions originally for this cross site script vulnerability?

    • @LiveOverflow
      @LiveOverflow  4 years ago

      If you understand how XSS works it’s just creativity to come up with it

  • @NicmeisteR
    @NicmeisteR 3 years ago

    Please tell me what packet analyzer you're using?

    • @NicmeisteR
      @NicmeisteR 3 years ago

      Took a lot of cross referencing and searching but found it if anyone wants it, called burp:
      portswigger.net/burp/documentation/desktop/tools/proxy/using

  • @mrcobalt124
    @mrcobalt124 4 years ago +1

    I wonder.. how is this dangerous? If you have the ability to actually put the there in the first place, then why can't you just create your own code in the same place instead of running it through google docs?

    • @szymonnn
      @szymonnn 4 years ago +3

      because then the code runs from google docs, so it has access to the google login cookies and stuff like that

    • @mrcobalt124
      @mrcobalt124 4 years ago

      @@szymonnn Oh, I see! Thanks.

  • @youdonotknowmyname9663
    @youdonotknowmyname9663 3 years ago

    I wonder how they come up with the amount of $$ that they pay as bug bounties.
    Why exactly $4133.70?
    Why not just $4100 or $4130?
    Weird ...

  • @RN-kl4kp
    @RN-kl4kp 4 years ago

    I always wait for your videos ..
    They are fun and very much self explanatory 😊
    Thanks mate for all this contribution you are doing towards the community .

  • @driziiD
    @driziiD 4 years ago

    pretty sophisticated programming concepts discussed here. would be impressed if civilians could grok this one.

  • @smithwillnot
    @smithwillnot 4 years ago

    I love this because it shows how complex development is. Basically this is the main reason why I'm reluctant to change anything on a complex project if it's not a critical bug, and every change made feels like it'd require the whole project to be tested again.

  • @ekemark224
    @ekemark224 4 years ago +1

    this is good, but why would you add an hlc to the HTML???

  • @amaan5676
    @amaan5676 4 years ago +2

    hi, I learn a lot from you

  • @RapiBurrito
    @RapiBurrito 4 years ago

    wow, this bug has "you programmers were so preoccupied with whether or not they could, they didn't stop to think if they should" all over it.

  • @gudangnya1178
    @gudangnya1178 3 years ago

    Please give Indonesian subtitles

  • @bap9394
    @bap9394 4 years ago

    Don't get cocky... Anyone can make security mistakes, even Google!

  • @jacobcollins934
    @jacobcollins934 4 years ago

    Far out, imagine getting sponsored by google, that’s absolutely awesome. You know, sometimes I just binge watch this channel, and it never gets old. I’m super proud dude!

  • @ziakader7530
    @ziakader7530 4 years ago +1

    How long did it take him to find?

  • @raqha4575
    @raqha4575 4 years ago

    WOT THE FUCK, I was thinking ok, this will surely be interesting, but no, it's simply sponsored by Google and an absolutely informative video

  • @OMorningStar
    @OMorningStar 4 years ago

    Paused at 3:13 to see if I understand the code, I think hlc creates an object that captures a port, url, and data as an array. Then it creates a function inside that object to stringify the message. Finally it creates a script tag and appends it along with a url.

  •  4 years ago

    another google sponsored google product bug video. man, they're in the right direction.
    Love LiveOverflow!

  • @johnkelfy7256
    @johnkelfy7256 4 years ago

    They don’t pay much

  • @liveon7400
    @liveon7400 4 years ago

    It's reasonable because those security engineers are following the "best practice" and forgot to consult the developer!

  • @some1purple
    @some1purple 4 years ago

    I had a dream about a script execution exploit in Google sheets a few months ago.

  • @barefeg
    @barefeg 4 years ago

    Cool content keep it coming

  • @dontaskme1625
    @dontaskme1625 4 years ago

    awesome video, awesome that you did so detailed chapter markings and great that you're talking about how this bug got introduced in the first place (that part could have been even more detailed)

  • @LemonChieff
    @LemonChieff 4 years ago

    Sponsored by Google? You officially won the internet. Also:

  • @massimoray9730
    @massimoray9730 1 year ago

    Bug hunting ebook

  • @ameisee4
    @ameisee4 4 years ago

    +1 for "allowlist"

  • @squirrel1620
    @squirrel1620 4 years ago

    Awesome! Love the in depth.. and that's my world, ECMAScript. In this world we rely on the closures and scope for security 😏

  • @berndeckenfels
    @berndeckenfels 4 years ago

    Btw I think recognizing the unsafe Gadget function would be in the realm of automated tools

  • @saurajitseth
    @saurajitseth 4 years ago

    my brain hurts