Well, it helps me understand that browsers discard useless information, or at least information they cannot understand. So it's not completely useless I guess :)
I know I am about 3 years late, but in the video you say that the "base" payload is Safari specific. However, I tried a similar payload in Firefox and it works fine there too. The main difference I see is that the link tag needs an actual value in the href attribute to make it work. If the href is empty, as in the last line of the tweet, it won't work, as it won't prepend the base URL to an empty href. However, a simple "#" is sufficient. Maybe this is just something that is possible now and wasn't in 2018? Whatever, what are the odds someone actually reads this post :)
Heh, watching your videos in class as always, since this is still considerably more interesting than spending 4 hours on something that 1. is insecure and outdated anyway, 2. you already learned privately 2 years ago, 3. even the teacher has no clue about. (Among other things, he thought until today that PHP and JS both run server-side and that Bootstrap is a program for designing websites via drag and drop.) (And yes, I'm currently doing a school-based vocational training as an Informationstechnischer Assistent.)
Ah, the good old ITA... At least you don't have to explain to your "HTML teacher" (sic!) that also exists. At least you're using your time sensibly; we all played Pokémon on an emulator :D Ah, the good old "calculator" that simply gave you admin rights for 13+37, XP was a fine thing.
@@Juplay_FV For us those were two subjects, although "databases" in the first year meant Excel. The teacher (an Indian with poor German) was the best, though. He always printed out DINA1 (sic!) sheets of exercises for us. If you had a question: "press F1, you get help" 😂 (though I don't know whether to laugh or cry). I hope you have somewhat more competent teachers than that. In retrospect I only did the ITA (+Fachabi) for the Fachabi. Apart from a bit of iOS (the one from Cisco) I didn't really learn anything there. I still have one question though. I was in the first year that could make use of the following deal: after finishing the ITA you spend 6 months gaining practical experience (it was supposed to be something technical) and then you can take your FiSi qualification at the IHK (just the exam + project). I was one of three in my class who did that; it was actually pretty easy for me. I only crammed for the business part. Is something like that standard by now, or can you do it too? In my case it was a cooperation between my school and the IHK. I'm now a FiSi even though I actually do 95% application development.
@@chaosmagican At our school (BK Rheine) at least it's standard by now, but I don't know whether that applies to all schools. I couldn't do it though, since the programme was already full that year.
A different vulnerability was talked about on this channel, and it only netted, I think, like $5k from Google, along with a browser-crash handler as a form of protection, since Apple isn't putting a lot of love into WebKit.
@@Omio9999 $7500 I believe, saw that video recently. Apple wouldn't have awarded anything for it, even though it was a WebKit issue. Google paid out because the guy reported it to them thinking it was a Chrome issue, and they were kind enough to reward him regardless. Afaik Apple don't really value this sort of stuff, so in terms of a bounty it's worthless.
@@JamesBalazs Until the industry changes, and either throws Apple out of business, or Apple gets back into actually fixing their still-open exploits, I still agree.
LiveOverflow, hey, did you hear that a lot of hacking channels have been shut down by TH-cam, in other words censored? Guided Hacking and Cheat The Game, for example. They did tutorials to cheat known games, but it was nothing illegal nor online, and they worked hard for it. This is really sad and unfair. I hope the hacking community will react, and even more people, because TH-cam is censoring more and more stuff.
What I really wonder is how you would stumble upon these quirks. Is it eternal research? Throwing "random" stuff into "random" places? Researching weird bugs, finding what caused them and then seeing if you can exploit it? If anyone could tell me it'd be highly appreciated!
TBH I think that liveoverflowperson.grabname() (I don't know your name) is genuinely one of the few large coders who try to help people learn instead of putting them off. Well done, nice vid.
The second exploit is cool, but why would any production web server ask Safari to disable the XSS auditor?! Because, as far as I can tell, it blocks the exploit from being executed.
I'd like to see a nice concise XSS border case list... AFAIK banning "", "script", "object", "link", "svg", "*[on*]", "img[src~=.svg]", "style[innerHTML~=url(.*.svg]" will prevent XSS
That sounds a lot like fixing SQL injection by banning specific characters (in that someone will find a way to make it work anyway). An easier way to prevent XSS is to never include any user input in your HTML response without HTML-encoding it first. Because then, in addition to using a more reliable method, you actually allow people to *discuss* HTML and CSS stuff on your website without having to trigger a "banned words" filter.
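As an added example (not from the video or any commenter), here is the output-encoding approach from the comment above in Python, next to the kind of case-sensitive keyword blacklist the thread criticises and a scheme allowlist for user-supplied href values (the `jAvAsCriPt:` and `<base href>` discussion elsewhere in the thread is about exactly the URLs such a check must reject). The function names `encode_text`, `is_safe_href`, `naive_blacklist_blocks` and `render_comment` are my own, and the sample comment data is constructed.

```python
"""Context-aware output encoding vs. a keyword blacklist (added example).

The encoder never needs to know what an attacker might type: every '<', '>',
'&' and quote becomes an entity, so user text can talk about <script> tags
without ever creating one.  A blacklist, by contrast, must anticipate every
spelling (mixed case, embedded tabs/newlines, ...), which is why it fails.
"""
import html
from urllib.parse import urlsplit

# Schemes a user-controlled href may carry.  Everything else (javascript:,
# data:, vbscript:, ...) is rejected.  Relative URLs have no scheme and pass.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def encode_text(value: str) -> str:
    """Encode a string for HTML text content or a double-quoted attribute value."""
    return html.escape(value, quote=True)


def is_safe_href(url: str) -> bool:
    """Allowlist check on the URL scheme.

    Browsers ignore ASCII whitespace/control characters when parsing a scheme
    and compare schemes case-insensitively, so the check normalises the same
    way before looking at the scheme.  A URL with no scheme (relative path,
    '#', '//host/...') is accepted; an unknown scheme is rejected by default.
    """
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def naive_blacklist_blocks(value: str) -> bool:
    """The kind of filter the thread criticises: a case-sensitive keyword ban.

    Shown only for contrast; 'jAvAsCriPt:' sails straight past it.
    """
    return any(word in value for word in ("javascript:", "<script"))


def render_comment(author: str, text: str, homepage: str) -> str:
    """Build the HTML for one comment.

    Every user-controlled value is encoded for its context, and the homepage
    link is dropped entirely unless its scheme passes the allowlist, so a
    'javascript:' value never reaches an href attribute.
    """
    link = ""
    if homepage and is_safe_href(homepage):
        link = f' <a href="{encode_text(homepage)}">homepage</a>'
    return f"<p><b>{encode_text(author)}</b>{link}: {encode_text(text)}</p>"


if __name__ == "__main__":
    # Constructed sample data: a user discussing HTML, plus a hostile homepage.
    print(render_comment("Bob <b>", "use <script> tags", "jAvAsCriPt:alert(1)"))
    print(render_comment("Alice", "plain text", "https://example.com/"))
```

The design point is that `encode_text` is applied at output time, in the HTML context the value lands in, rather than at input time; the scheme allowlist exists because encoding alone cannot make a `javascript:` URL safe inside an href, and a base element's href is subject to the same rule.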
I once got XSS via Minecraft chat. There was a server that had a chat widget on their website that would show the Minecraft server's chat, but it didn't do any sanitization.
But there are a lot of things you didn't talk about: sending a request using JS (AJAX/XMLHttpRequest) to steal info/cookies, plus you could add a browser exploit.
You're not being too pessimistic. Poor educational materials are frustrating for anybody, especially the people that devoted their time to learning from that resource.
The slashes are treated as subdirectories on the web server, not as comments. If I understood correctly, by clicking a relative URL ("../lol/safari.html") the browser tries to evaluate the base URL. I assume the browser parses the payload as a subdirectory on the web server. That's why we need to add enough slashes at the end so that the relative URL does not "step out of the payload subdirectory". Then, because the base URL starts with "javascript:", the following JavaScript is executed.
When I first saw this video when it was new, I didn’t really understand why it mattered, but now I see the prowess that was involved with the Safari one.
You forgot that existing filters/WAFs expect the pattern of XSS payloads too. So in order to bypass those filters, one could add unnecessary things to the payloads...
@@LiveOverflow Yes. In order to bypass protection, first we look at the behavior of each application... So maybe in the first vector (for which you've said that these characters are useless/garbage in the payload) it may be working well for the payload itself to bypass the rules of a WAF, as there may be a blacklist instead of a whitelist.
Where's the link to the tweet to be able to like and retweet it? D: EDIT: For anyone who doesn't want to type it in manually: twitter.com/garethheyes/status/1019658133503987713 I know it's visible in the URL just before the end of the video, but the average user ain't got time for that.
I think you didn't do good enough of a job explaining why the second tweet is so cool. You made it sound like some elitist bullshit (this is art, this is true hacking). So let me help you out: the reason it is so cool is because it demonstrates the understanding required to construct complex attacks that would work on real systems and setups (as opposed to dull hackmes and homebrew code).
Thinking about the Safari XSS: instead of adding multiple slashes at the end, you could maybe just add a starting multiline comment. Didn't test it. Anyway, your video is very good.
>please excude my anger
>calm concern follows
German anger is something else
Also I am mad too at that tweet about mastery, in any field where you can become an "expert" curiosity and ever expanding horizon are always key to success and being proud of your abilities.
German anger has changed a lot in 70 years, hahaha!
calmly and analytically breaking down why someone's statement is wrong is very much German anger :D
I wouldn't like to see German anger :|
The author of the second tweet just didn't write "#xss" in his post :(
good point there
Who exactly browses #xss anyway? Seems a bit skitty imo.
Bots, probably
Hacker at an event.
First guy: This is Javascript.
Crowd: **silence**
Second guy: The thing that it is jAvAScRipT
Crowd: AAAAAAAAAAAAAAAAAA!
I'm more amazed that Safari supports base url
To be fair, Safari actually gets a lot of the newer features implemented faster than most other browsers. The issue is, though, that a lot of the time it's a little too fast and ends up with exploitable features, where most other vendors wait until it's as well tested as possible.
The reason Apple does this is that they use a lot of the new features way ahead of others in their own products; which is safe enough to do as it is not the internet, but sometimes the features end up in the same or similar fashion when they get officially supported.
@@dealloc
Data list
Service workers
Vibration API
Battery API
WebGl 2.0
Background sync API
Web MIDI API
TLS 1.3
WebM
Push API
Web Bluetooth
@@kmcat
Safari has a lot of APIs under experimental flags before being pushed out. But that is not to mention;
Data lists: while actually in WebKit behind a feature flag, it's an odd one that I couldn't find much information about.
Service workers are supported in Safari now. They were proposed (in 2014) in collaboration between Google, Samsung and Mozilla and were implemented by them first, although behind experimental flags initially.
Vibration API was removed from WebKit due to privacy concerns and is currently in a second draft in W3C.
Safari and Chrome use the same engine
@@IsaiahGamers Chrome uses its own engine called Blink, which is based on WebKit but heavily modified. Only on iOS does it use WebKit, as it is required by Apple.
@13:00 "console cleared at 3:13 am" get some sleep man
lol
who the fuck sleeps at 3 am
IT folk (and I guess especially hackers) are creatures of the night :)
Whats sleep?
Are u guys new to sleep?
amazing
but you know why the first tweet was more popular?
because it looked as if it explained what was going on...
"here we have this"
vs
"lol/safari.html"
the second one might be better, but it looks more like random jumble or a joke at first glance
also it doesn't tag #xss like the first one, so you're less likely to find it randomly browsing
tHe pEoPLe wHo wErE meAnT tO sEe iT, iNdEeD SaW it
Maybe I'm a bit too pessimistic in this video, but I think it's a concrete example we can use to talk about it. I know this video could be a bit controversial, and I did not want to focus on any people in particular - thus I censored the names of the example I criticise. It's not about the person but the work itself. So let me know what you think about it.
Also this video contains a few possibly weird "easter-eggs" (or obscure references) that likely only a handful of people will get. So if you think I said something weird, just assume it's a reference to something :P
Some experts make simple things difficult to understand realizing that most people reading their content are beginners. Other experts wouldn't share it. It's beginners who think that it's cool because it's difficult to understand and spread it. Those experts get high when nobody understands them..
You say that "jAvAsCriPt:" uses unnecessary capitalization, but actually it is completely unnecessary since it's not a protocol handler; it's interpreted by eval() as an arbitrary JavaScript label. Labels should be followed by a colon. Then following the label is a single-line comment. The whole javascript label, upper case, lower case or mixed case, is unnecessary :)
You are fine. I learned stuff as usual, thanks for sharing!
@LiveOverFlow How about the last video where you mixed up people talking about DISCS and DISKS and blamed them when you were wrong when you tried to use a DISC program for DISK media?
What do you think about it? How about a correction?
I understand you are a programmer and not into hardware... Such a silly mistake makes sense.
@@XantheFIN I think there is a misunderstanding of the situation here. I thought I made it very clear in the video that it was a joke to blame the person, because right before that I acknowledged how embarrassed I was.
Also I think Google search autocorrected disk/disc and I didn't pay attention when searching. And of course I thought a tool that can create an image of a CD could also create an image of a HDD, because on Linux both are exposed as a regular block device that you can read from. So making an image with `dd` would be the same for a CD as for a HDD. Thus I didn't think in the rush of the moment that this might be different for Windows. If you have further questions or want some more clarification, feel free to write me an email ;)
The Safari bug smells like someone messed up the protocol format verification routine, by cutting the protocol part substring one character too early. It'd still go through all internal conformance tests just fine, but leaving out that significant second slash opened up Safari to an interesting new exploit vector.
Great video.
Edit: my original comment made no sense, it seems I'm too tired to brain right now
for guys who are confused with the minus symbol:
can be written as
I barely know anything about XSS but I got so mad as you started explaining why the first tweet is so inane. Goes to show how great you are at explaining things to people in a simple way that even a n00b like me understands lol. Thank you!
Great video man! I've been playing with XSS the whole day, just to get more knowledge about it. You've been helping me with your videos :D
Hacking is essentially thinking outside the box. It's like some sort of IQ test, you can't hack something if you're not comfortable with lateral reasoning. Also, reminder that browsers are open source. Finding XSS vectors or ruling out ideas can be done at a lower level. It's still way out of my league but I have tried it a few times, to no avail (I wanted to trigger a network request from an SVG loaded in an img tag, so I looked into the Firefox source. It seems impossible)
This video gave me some confidence... not everything present on the internet is true... sometimes I think I don't know the concept, that's why I'm not understanding, but now everything is clear... A BIG THANKS TO YOU
5:37 Even to me, a complete beginner at XSS, you can tell that it makes no sense to use upper and lower case and that the script itself is intentionally confusing.
YoU KnOw, OnLy GeNiUsSeS WrItE LiKe ThIs
@@Walter_ Years ago, after a closed head traumatic brain injury, my husband wrote like this.
@rl1k Doe which is why we, at least in the enterprise Java world, use case insensitive and fuzzy matching for blacklists...
@rl1k Doe depends on the application :)
@@peterjohnson9438 it's a blacklisting escape if they are looking for 'javascript' or 'script' with a bad filter. I've seen some really bad filters, though with enough effort there's very few that survive the test.
When's SIM part 3 coming? Also awesome content, keep up!
This channel is very underrated. You are a great teacher mate, I hope you will succeed. Thanks
Can't tell you how much I enjoy your vids. Both the content and presentation. Thank you
I'm going to say it anyway... As for the tag example, it could be used to bypass basic filters, and it could also be for obfuscation (even though it is simple to clean up if you understand it well enough), a small-time dev will have a harder time searching logs for why their website broke.
that was not the point of the tweet though - it was about the XSS in the output tag (not about WAF bypasses). Imo it's simply an excuse used to distract from what I believe is the real reason: making it look more crazy to mislead and deceive people.
@@LiveOverflow It's just an ego thing like: "my skill is this high, that obfuscating is the standard; look mom: I can read it fluently" or something like this. Does it even matter, if the author doesn't care to educate on Twitter? I don't know the author, but I saw your dispute with this xss-tool-selling dude, so if this payload belongs to misleading people to sell some shit, then the world will get your message. I also think that the itsec community is built on learning from each other, but if some dudes want to show their virtual balls, there is no need to beat these tweets to death.
Anyhow, cool video. Learned something new. Would love to see some "more guide like" guides to bypass WAFs and how to work with different contexts and encoding.
People tend to like things more if they understand them and think they're clever, so obscuring the first example achieved the feeling of being smart in more people because it's easier to understand for more people.
Ostensibly, the reason that the _output_ example got more likes and RTs than the _base_ example is because it is more straightforward and easier to figure out and understand, so people responded to it, but the other one is more confusing, so they ignored it.
I figured out the first one in a couple of seconds, but for the second, I actually had to look up the base tag (I've never used it before), and check the specs to see how empty hrefs are handled, then had to decipher the regex. I learned nothing from the lazy attempt at basic obfuscation from the first, but learned a couple of things from the second.
Your frustration is completely justified; I feel the same way. People are lazy and boring. They don't like a challenge, they like simple, basic pablum.
The first tweet was at least successful in hiding the alert - by adding an eval, which to me is a blinking red danger sign that even more loudly and proudly screams "insecure code" than any "javascript" or "alert" string could ever do.
I can sound silly, but the first tweet actually tweeted this for the stuff that allows custom HTML in your profile, like Samy Kamkar did with his "Hero" worm. This is used to mislead checks in the forums. But, there's still an XSS auditor, so we need to make the workaround.
I personally have no plans to go after bug bounties but this was neat, cause that's a pretty fun exploit. Safari bugs aren't something to be scoffed at, plenty of people use the browser.
From your recent twitter activities, I was waiting for the video going after brutelogic LOL
Brute logic is such a hack.
Found a parameter > Copy & paste XSS payload > Alert !!! > Report > Get Bounty > Tweet it like a champ. No Offense :)
How about a 1-week-coding challenge? I think it's the perfect fit for you since it would be the total opposite of what you do here right now. Love you, keep it going!
No, plenty of people do coding challenges. This is one of few people who make good security-related videos.
Glad i found your channel. Occasionally watch your videos(not enough time sadly) as i am a full time application developer and not in a security domain. Thanks so much for sharing.
who knew that google xss would have actually popped up in 2k19
When u are currently watching one of his tutorials and a notification comes for a new video :/
Thanks for the awesome video! The application should encode any input of the < character and convert it to &lt;. Check out the OWASP Character escape sequences on the XSS Filter Evasion Cheat Sheet.... Testing for the application accepting the < character is a much faster way. The character escape sequences on OWASP are a fantastic way of learning the encoding styles.... Anyway, XSS will have a BeEF hook on it to deploy malware or a cryptominer, not just steal cookies.
We can also get around the // in JavaScript by giving a new line character.
How can I send a cookie in an HTML event tag? I don't want just alert1, and '"' is filtered?
The reason for the craziness is to account for poor parsing procedures. Developers who try to write their own security, but fail to account for one kind of character or another.
I was curious if maybe the first tweet was formatted that way with the specific purpose of bypassing the chrome/Firefox XSS auditor? I thought it was mostly pattern recognition but I might be wrong!
Or even skip some HTML sanitizers
@@jozsefsebestyen8228 I don't think any scanner is going to allow a onclick attr…
Great video! I was confused at the "bullshit" one as well. I mean, what's even the point if you're using onclick anyways? Probably won't even bypass any filters. The base XSS one was crazy though. It seems so basic, and without this video I wouldn't have thought anything about it.
I found a small vulnerability in my school's wifi blocking system (iboss). Some of the text on the blocked-page screen was accessible in the URL of the site. I tried changing that and refreshing, and it changed the text on the screen. I had recently learned about cross-site scripting, so I tried adding HTML and it showed up, though it was only on the client (from what I know; I wasn't able to do any tests). I just can't believe wifi site blocking software by a company founded in 2003 still has an unpatched vulnerability that allows HTML to be injected through the URL. I mean, Google has the search text in the URL (which makes sense), but it's at least filtered and doesn't allow HTML injection. Anyway, I'm still glad I figured that out, because it was fun messing with it.
So wait, you're telling me I was mispronouncing regex all this time
I used the simplified first one to show an alert on the Poem of the Masses
I feel accomplished now
Man its like a poem. Respect!
I have no clue about XSS, but I thought the Safari one had to be way more interesting because it's so specific... (like where is the difference in Safari that makes it react differently?)
It uses WebKit, a different engine
I have no clue what you are talking about, but I like it
Every time I watch one of these videos, I think of how I really *don't* know HTML, or even JavaScript, when I've built so many applications out of them.
That safari vector is actually pretty cool. I'm technically not even in chapter one, but I understood the code from the start, lol.
Except the slashes at the end, I'm glad you explained that.
I like the casual use of port 1337
Here's a question: if a professional programmer used other people's apps to pentest their work, does that make them a script kiddie? Sorry, I'm just throwing it out there.
If you don't understand what the program is doing, then yes.
Well, it helps me understand that browsers discard useless information, or at least information they cannot understand. So it's not completely useless, I guess :)
So if you can actually inject HTML stuff into inputs, why don't websites just remove the < before the query gets used and executed?
That is what they are supposed to do! Encode the < into &lt; and not execute it... The issue is that developers learn to develop fast and loose with old ways.
@@Jimmy1985Oh well, thank you!
XSS level: tries to share a XSS script on twitter... XSS twitter.
I know I am about 3 years late, but in the video you say that the "base" payload is Safari-specific. However, I tried a similar payload in Firefox and it works fine there too. The main difference I see is that the link tag needs an actual value in the href attribute to make it work. If the href is empty, as in the last line of the tweet, it won't work, as it won't prepend the base URL to an empty href. However, a simple "#" is sufficient. Maybe this is just something that is possible now and wasn't in 2018? Whatever, what are the odds someone actually reads this post :)
Maybe WebKit specific? Both browsers based on WebKit
Hey, I was wondering if you had a video on VPNs and how they are coded
I didn't realize you can access other attributes on a DOM element as arguments in the onclick event handler.
Heh, watching your videos in class as always, since this is still a lot more interesting than spending 4 hours on something that
1. is insecure and outdated anyway,
2. I already learned on my own two years ago,
3. even the teacher has no clue about. (Among other things, he thought until today that PHP and JS both run server-side and that Bootstrap was a program for designing websites by drag and drop.) (And yes, I'm currently doing a vocational school programme as an Informationstechnischer Assistent.)
Ah, the good old ITA... At least you don't have to explain to your "HTML teacher" (sic!) that there is also . At least you're using your time sensibly; we all played Pokémon on an emulator :D Ah, the good old "calculator" that simply gave you admin rights for 13+37, XP was a fine thing.
@@chaosmagican Well, the subject is called Databases, but we do HTML there as well, yes...
@@Juplay_FV Those were two separate subjects for us, although Databases in the first year meant Excel. The teacher (an Indian with poor German) was the best, though. He always printed out DIN A1 (sic!) sheets of exercises for us. If you had a question: "press F1, you get help" 😂 (though I don't know whether to laugh or cry).
I hope you have somewhat more competent teachers than that. In retrospect I only did the ITA (+Fachabi) for the Fachabi. Apart from a bit of iOS (the Cisco one) I didn't really learn anything there.
One more question, though. I was in the first year that could make use of the following deal: after finishing the ITA you go and gain 6 months of practical experience (it was supposed to be something technical, I think) and then you can do your FiSi qualification at the IHK (exam + project only). I was one of three in my class who did it; it was actually pretty easy for me. I only crammed for the business part. Is something like that standard now, or can you do it too? In my case it was a cooperation between my school and the IHK.
I'm a FiSi now, even though I actually do 95% application development.
@@chaosmagican At our school (BK Rheine) at least it is standard now, but I don't know whether that applies to all schools. I couldn't do it, though, because the programme was already full that year.
How can I trace and capture my TV set-top box data, please.. Make a video
Make a website and hide something inside of it, and we need to try to find the secret
Sir, I need some help with a CTF challenge, can you help me please..
Yo, but where did the SIM card/cellular network hacking videos go? I was sooo thrilled for them
Wait, wouldn't it work in Chrome on iOS? It could make it actually worth some $.
A different vulnerability was talked about on this channel, and it only netted I think like $5k from Google, along with a browser-crash handler as a form of protection, since Apple isn't putting a lot of love into WebKit.
Is $5k less?
@@silverzero9524 If Apple were to ever actually bother to FIX WebKit, then yeah, it'd probably be $25,000, which is some more serious bank.
@@Omio9999 $7500 I believe, saw that video recently. Apple wouldn't have awarded anything for it, even though it was a WebKit issue. Google paid out because the guy reported it to them thinking it was a Chrome issue, and they were kind enough to reward him regardless. Afaik Apple doesn't really value this sort of stuff, so in terms of a bounty it's worthless.
@@JamesBalazs Until the industry changes, and either throws Apple out of business, or Apple gets back into actually fixing their still-open exploits, I still agree.
Your videos keep being educational and interesting.
Would this be considered dom xss? The second one.
LiveOverflow, hey, did you hear that a lot of hacking channels have been shut down by TH-cam, in other words censored? Guided Hacking and Cheat The Game, for example. They did tutorials on cheating in known games, but it was nothing illegal nor online, and they worked hard for it. This is really sad and unfair. I hope the hacking community will react, and even more people, because TH-cam is censoring more and more stuff.
Feels like the first tweet was a code joke, especially with the setup.
What I really wonder is how you would stumble upon these quirks. Is it eternal research? Throwing "random" stuff into "random" places? Researching weird bugs, finding what caused them and then seeing if you can exploit it?
If anyone could tell me it'd be highly appreciated!
Eternal research and educated guesses.
It's funny that one author uses Unicode (\u0061) for the payload and the other (\u2028 \u2029) for his Twitter username
It's just LO explaining the philosophy of hacking, not the hacking itself.
TBH I think that liveoverflowperson.grabname() (I don't know your name) is genuinely one of the few large coders who try to help people learn instead of putting them off. Well done, nice vid
That pressing of a like button was my original idea, lol.
The second exploit is cool, but why would any production web server ask Safari to disable the XSS auditor?! because as I can tell it blocks the exploit from being executed.
Could also be a stored XSS and then the auditor wouldn't matter. Just wanted to create a simple test environment.
I'd like to see a nice concise XSS border case list... AFAIK banning "", "script", "object", "link", "svg", "*[on*]", "img[src~=.svg]", "style[innerHTML~=url(.*.svg]" will prevent XSS
That sounds a lot like fixing SQL injection by banning specific characters (in that someone will find a way to make it work anyway). An easier way to prevent XSS is to never include any user input in your HTML response without HTML-encoding it first. Because then, in addition to using a more reliable approach, you actually allow people to *discuss* HTML and CSS stuff on your website without triggering a "banned words" filter.
You could say obfuscating code isn't crazy, because the output is not made to bypass the website (aka XSS)
I once got XSS via Minecraft chat. There was a server that had a chat widget on their website that would show the Minecraft server's chat, but it didn't do any sanitization.
lol, so you could just enter a script tag into the chat and it would work?
Very thoughtful!
5:37 Did you hear about the self-retweeting tweet?
My dude, I thought /**/ too when I saw it, great minds lol
But there are a lot of things you didn't talk about: sending a request using JS (AJAX/XMLHttpRequest) to steal info/cookies, plus you could add a browser exploit
14:36 can't you use that to trigger an onerror event?
You're not being too pessimistic. Poor educational materials are frustrating for anybody, especially the people that devoted their time to learning from that resource.
Are you thinking on making a Discord server any time soon? Through a Discord server this community could grow so much, it could be awesome!
Great video. More please!
I'm early! I can tell this is gonna be a good vid.
Every video on this channel is awesome
Love your analysis, sub'ed
Best I've ever seen, thx maestro!
I would like to start studying reverse engineering and security. I only know Java, C# and JavaScript.
Awesome video!
Nice . Keep making useful videos
I would love it if you uploaded PoCs you find on some sites and then explained them
"Identifying good research" on twitter
Awesome explanation
Well made video! Thanks.
No dude, capitalization is used to bypass filters and WAFs
Is there a reason that you have to use ///// at the end of the payload instead of just /*? I don't have a Mac so can't test it...
It's explained in the video, keep watching
I don't think /* would work in a URL the same way it works in a regex
The slashes are treated as subdirectories on the web server not as comments.
If I understood correctly, by clicking a relative URL ("../lol/safari.html") the browser tries to evaluate the base URL.
I assume the browser parses the payload as a subdirectory on the web server. That's why we need to add enough slashes at the end that the relative URL does not "step out of the payload subdirectory". Then, because the base URL starts with "javascript:", the following JavaScript is executed.
I reached here without knowing and don't understand what's going on here, but you have my like. Unknown programmer.
When I first saw this video when it was new, I didn’t really understand why it mattered, but now I see the prowess that was involved with the Safari one.
"Ding ding"
You forgot that existing filters/WAFs expect the pattern of XSS payloads too. So in order to bypass those filters, one could add unnecessary things to the payloads...
which would require careful analysis of this particular filter/WAF. A generic random collection of weird things is no help at all.
@@LiveOverflow Yes. In order to bypass protection, first we look at the behaviour of each application... So maybe in the first vector (for which you've said that these characters are useless/garbage in the payload) they may be working well for the payload itself, to bypass the rules of a WAF, as there may be a blacklist instead of a whitelist.
I can't find his tweet somehow. Can you post a direct link, please? I'd like to upvote it.
You do great work, man!
Where's the link to the tweet to be able to like and retweet it? D:
EDIT: For anyone who doesn't want to type it in manually: twitter.com/garethheyes/status/1019658133503987713
I know it's visible in the URL just before the end of the video, but the average user ain't got time for that.
AMAZING
I think you didn't do good enough of a job explaining why the second tweet is so cool. You made it sound like some elitist bullshit (this is art, this is true hacking). So let me help you out: the reason it is so cool is because it demonstrates the understanding required to construct complex attacks that would work on real systems and setups (as opposed to dull hackmes and homebrew code).
Thinking about the Safari XSS: instead of adding multiple slashes at the end, you could maybe just add a starting multi-line comment; didn't test it. Anyway, your video is very good.
The relative path calculation is probably done before the JS is evaluated.