i mean there is a break after 100s so you get the best of both worlds: if you prefer 100s videos you can close the video there, or keep watching if you want. and fireship gets to upload 10min+ videos which helps with the youtube algorithm, which is a bonus for the channel.
@@nameless_9504 I mean, I have been doing it for a while. I like Fireship so much that I want a video on this. A few days back, I was testing a website - you could literally change the phone number on which they sent you the OTP and login with a different phone.
@@nameless_9504 The website used an API, and they POSTed the number to it in plaintext. I changed the request, and the OTP arrived on the updated number, whereas the webapp logged me in with the actual phone number.
@fireship used to publish literally 100 sec videous without going deep into the topic. These days, the first part is 100 sec bird-eye view on the topic and then comes the rest. That's why it is 100 sec of sth.
*My website recently got hacked, but it was so badly coded the hackers ended up giving me the fix to those vulnerabilities, Bad code can help sometimes.*
Well, CORS might seem to protect websites from requests of evil origins, but it's super weak, it can be bypassed easily by making requests outside of browsers or just by creating a Proxy, besides, the requests always hit the server, so in the end it's not really that helpful, and instead, it always annoys developers on every single project.
What kind of proxy are you talking about? A proxy running on the user's machine next to the browser? That's a lot harder to do than getting some javascript running in someone's browser.
Great content like always. Can you do a video on designing backend apis with a focus on creating the right endpoints (from a front-end engineer's perspective)?
Cors only applies to JSON and is enforced by the Client. It hardly prevents cross site scripting. The requests go through fine, you just can’t read the results.
I dont understand what CORS is even usefull for. He only explained what it blocks and not WHY. I dont see the benefit - i am searching for this and the title suggests that he explains it
because of allowed origins in the server side cors settings, only the whitelisted hosts are allowed to fetch or mutate data that is why you have to declare those hosts in the environment variables
I still dont quite get what this prevents. If i make a page i wont add in any requests to servers I dont want them to go. An attacker couldn't modify my page or inject any api calls. So why would I want a cors policy to be not widely open in that case
Can you explain a little why stylesheets and scripts were fine to grab from the external server but the api call was blocked? I understand the premise of CORS but is there a reason that css and scripts were ignored? Is there other things that CORS ignores as well?
@@cloudfox1908 got it. What about something like an HTTP GET request? While I’m not sending anything to my server is that still a part of the CORS model?
@@shaynepreston6055 ah I led you wrong before. When you download/GET a page, you are still making a request to a server for those resources. The reason it may be allowed is because "For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts." I'm assuming it's ok since it wasn't within a script, but this stuff is quite confusing for me too. Reference: stackoverflow.com/a/42605316/14056792
Off topic, was wondering if you can provide some insight to this question or anyone for that matter. I'm a javascript developer, love doing frontend development with react progressing towards fullstack but I'm a bit confused about what after fullstack? What are some viable career paths to choose, I'm open to branching out to other fields in relevance, I am learner and love to see my limits(Also interested in security but found my niche in web development due to low entry barrier) Feedbacks are much appreciated.
@7:40 he doesn't explain how making this request and getting the static files is possible through the external origin. Is it because the Express 'get()' acts as a middleware? Or is it because somehow 'public' folder is recognized as the same origin(url) due to its folder structure/location..?
You wouldn't believe it, But this tool is what I was trying to figure out yesterday and today, so that I can check CCAvenue Payment Gateway Integration vulnerability in my app. 🙏🙏🙏
The mime type. script/js, style/css, application/json. Json is forbidden - but it doesn't matter since he only explained what is blocked. not WHY as the title suggests
4:56 oups: the browser will comunicate with Origin B but when i receive the response if the header allow-origine is not there i will kick out the response
4:50 What am I missing here? If Origin B is the potentially malicious server, why is it Origin B that whitelists Origin A? And what is the browser protecting me from by preventing outward communication with Origin B? Or is Origin B the thing that CORS is protecting? I don't get it.
I can explain partially. The browser is protecting you from another origin’s attack. If you have one tab open in the browser and open the second one with malicious software - JavaScript on this website can do anything that you can do on that 1st page (as a user). So for example it may be able to view sensitive data, read messages, or analyze DOM as you type in your password etc. Same origin policy does not allow these two tabs (origins) to communicate on this level. The browser checks if the JavaScript comes from an HTML page on the same origin or if it comes from an external origin. If that is the case - access is blocked by the browser.
From the diagram, it looks like Origin A wants to request the images, CSS styles, and scripts from Origin B. In this case, Origin A is the potentially malicious one, since it's the one requesting the data.
@@Aakrarvaxa It makes a little bit of sense but it also contradicts what the image shows. You say "Same origin policy does not allow these two tabs (origins) to communicate on this level" but tabs aren't origins. The servers are the origins. And how did this become about two tabs communicating?
@@tomihawk01 You're right actually, the diagram is drawn a bit weirdly. And yeah, I don't know what the guy was on about with the two browser tabs either. I think what they meant to imply was that the website displayed in the browser is hosted on Origin A. When the website requests data, the origin sent in the request is not the user's origin, it is still Origin A, since that's where the site is hosted.
This video is? I mean if you know fetch, js, some online wordlists and how to press F12, you don't need to step out of your browser to do all penetration tests. F12 in browser is OP. Every aspect can be checked via developer tools, the networking, request/response, data manipulation, js manipulation and many more.
Good video, thanks for sharing. Can you please explain how a hacker could take advantage of a website not implementing CORS correctly? From what I understand this does nothing to protect the API as CORS is enforced by the browser. Thanks
How do you always know what I need😃?! I was wandering around entire internet for way of preventing some security issues in one of my project. CORS is of course one of 'em. Thanks Fireship❤ & of course huge thanks to Bartosz🙏 for explaining the whole process so easily...
I would rename "And why do we need CORS?" to "What does CORS do?" because the reason of the blocking (what i urge to understand) is not explained at all. The title is a little missleading
Am I stupid or have u done an auth vid. Of not pls do. And like not with fire base. Thx. EDIT - thx for all the great vid. Keep em up, I love this channel.
Dear Mr. Jeff Fireship, If you opt for quality in your videos, then ensure more quality control in the collabs because they are sometimes boring and do not match the rest of the video.
What i never understood is: so how APIs work. Lets say my react app that works on port 3000 needs some resource from an external api, how does this work
It's not much, but will continue to support your page. Your teaching is a breath of fresh air in a very stale curriculum.
I don't know if I'm just used to your rhythm of teaching, but this guy's teaching makes me want to open reddit and doomscroll while kinda listening
2x speed or more solves your problem
I love r/collapse also
At this point these are never 100s, but it's still high-quality videos with no BS, so I'm not complaining
i mean there is a break after 100s so you get the best of both worlds: if you prefer 100s videos you can close the video there, or keep watching if you want. and fireship gets to upload 10min+ videos which helps with the youtube algorithm, which is a bonus for the channel.
@@dom8429 nah, even the short ones are 2min +
Next video: Writing good code, or OTP vulnerabilities.
It's simple A brute force attack or found of apikeys to there sms provider nothing much
@@nameless_9504 Bruteforcing a 6 digit OTP, I doubt it is a good idea. Talking about master OTPs, intercepting requests, are better alternatives.
@@nameless_9504 I mean, I have been doing it for a while. I like Fireship so much that I want a video on this. A few days back, I was testing a website - you could literally change the phone number on which they sent you the OTP and login with a different phone.
@@DanishShakeel is it even possible? Never heard about it! Give me a example that may help me understand
@@nameless_9504 The website used an API, and they POSTed the number to it in plaintext. I changed the request, and the OTP arrived on the updated number, whereas the webapp logged me in with the actual phone number.
Holy shit you are literally covering every single corner of IT and all those subjects I learned at school as well.
You make my favorite videos - the perfect TL;DR + details
This channel consistently provides awesome and educational content balanced with good entertainment. Keep up the great work
This is one of the best videos on ethical hacking
this doesn't seem like 100 seconds, but i'm watching all of it anyways
@fireship used to publish literally 100 sec videous without going deep into the topic. These days, the first part is 100 sec bird-eye view on the topic and then comes the rest. That's why it is 100 sec of sth.
*My website recently got hacked, but it was so badly coded the hackers ended up giving me the fix to those vulnerabilities, Bad code can help sometimes.*
Love this channel!!
Omg after 2 years of confusion somebody finally explains sop properly
Well, CORS might seem to protect websites from requests of evil origins, but it's super weak, it can be bypassed easily by making requests outside of browsers or just by creating a Proxy, besides, the requests always hit the server, so in the end it's not really that helpful, and instead, it always annoys developers on every single project.
What kind of proxy are you talking about? A proxy running on the user's machine next to the browser? That's a lot harder to do than getting some javascript running in someone's browser.
@@Norsilca No, a server proxy, you can easlily get the response from server to server and then return it with the CORS headers.
@@edisonarango Wouldn't your proxy have to be running at the same origin as the first party website?
@@Norsilcai don't think that guy has a clue what he's talking about based on his response. either that, or he's a genius and we're both baffled.
Great content like always.
Can you do a video on designing backend apis with a focus on creating the right endpoints (from a front-end engineer's perspective)?
'And why do we need CORS?'
Should be 'What is CORS?'
100 Seconds of XML is much needed
Are you a time traveling developer from 1995?
Notification Squad, attendance here, with a 👍.
Your videos are pure gold. Thank you.
This 11 min video taught me what stckoverflow and other complicated explaining never taught me!!!
Being featured in Jeff's video is the ultimate accolade a content creator can earn - so jealous of Bartosz 😍
We needed this
You are my inspiration
I have decided to open my own programming youtube channel like you but in my own regional language
Really mind boggling explanation, thank you very much, i would like to see more videos like this.
First
Edit: Second Gold
Is there any reward after 10?
Love your videos!
yup
congratulations you won... idk what
Gold! 🥇
Cors only applies to JSON and is enforced by the Client. It hardly prevents cross site scripting. The requests go through fine, you just can’t read the results.
I dont understand what CORS is even usefull for. He only explained what it blocks and not WHY. I dont see the benefit - i am searching for this and the title suggests that he explains it
Lol please i am dying to know
As always, quality and informative videos!
And why is it that static files are allowed (including executables scripts) but calling the API is not?
because of allowed origins in the server side cors settings, only the whitelisted hosts are allowed to fetch or mutate data that is why you have to declare those hosts in the environment variables
I agree with the others, your voice, pacing and structure are just ..“easily enjoyable“, which is highlighted in contrast to the other guy.
You can simply pronounce "Bartosz" as "Bartosh" 😁
Good video as always!
😂
I wish I had teacher like you. thanks man😍😍😍
Thanks, I have no luck... This video was uploaded after my interview... So yeah 🙃
I still dont quite get what this prevents.
If i make a page i wont add in any requests to servers I dont want them to go. An attacker couldn't modify my page or inject any api calls. So why would I want a cors policy to be not widely open in that case
Me after 3 years of hacking journey when first see the title (Ethical Hacking in 100 Seconds) :)
Do JWT authentication next if you haven't already (access tokens, refresh tokens, etc.)
Learn to google before you ask
@@weshuiz1325 I could learn anything using Google, you're missing the point entirely lol
@@okie9025 hey already did jwt if you looked for it
@@weshuiz1325 😂😂😂😂😂😂😂😂😂😂😂😂😂😂
Honestly If my web security doesn’t have a Slavic accent idk if I could fully trust him/her. This guy really knows his target market.
Can you explain a little why stylesheets and scripts were fine to grab from the external server but the api call was blocked? I understand the premise of CORS but is there a reason that css and scripts were ignored? Is there other things that CORS ignores as well?
Edit: This is WRONG:
The basic premise is that you can receive/download assets from the external origin, but you cannot send anything to it.
@@cloudfox1908 got it. What about something like an HTTP GET request? While I’m not sending anything to my server is that still a part of the CORS model?
@@shaynepreston6055 ah I led you wrong before. When you download/GET a page, you are still making a request to a server for those resources. The reason it may be allowed is because "For security reasons, browsers restrict cross-origin HTTP requests initiated from within scripts." I'm assuming it's ok since it wasn't within a script, but this stuff is quite confusing for me too.
Reference: stackoverflow.com/a/42605316/14056792
@@cloudfox1908 ah that makes more sense. Thanks!
Nice video. Would have been nice if the video included an example where the external api was whitelising origin a
Please make 100 second & beyond videos for social media APIs like Instagram Twitter TH-cam Facebook tiktok etc
You suouldnt be thanking for watching dude
We who have to thank you for amazing materials
I am learning this already and i found one problem on reddit, i found it when i was trying to use a normal user as a bot. I already reported it.
Great video! What icon set do you use? These colorful icons are beautiful 🤩
When you're ready to lean how to do Smart Contracts? I've been writing a Truffle tutorial on how to use react and MetaMask.
This channel was made in heaven
1:25 It's really hard to hack and takes a lot of years ... you just click "start attack"
You can also load an external image to but you won't be able to modify it
Off topic, was wondering if you can provide some insight to this question or anyone for that matter. I'm a javascript developer, love doing frontend development with react progressing towards fullstack but I'm a bit confused about what after fullstack? What are some viable career paths to choose, I'm open to branching out to other fields in relevance, I am learner and love to see my limits(Also interested in security but found my niche in web development due to low entry barrier)
Feedbacks are much appreciated.
So you can retrieve static files from and external server but not call its api
Interesting topic, even tho im still learning ES6 JS
@7:40 he doesn't explain how making this request and getting the static files is possible through the external origin. Is it because the Express 'get()' acts as a middleware? Or is it because somehow 'public' folder is recognized as the same origin(url) due to its folder structure/location..?
Express.js (and all other backend libraries) disables CORS by default on static files
Loool right in the middle of security class too 😂 so strange
Wondering cross policy is only for frontend. If anyone try to fetch using backend language, then it ignores cross policy.
But then why do the external stylesheets and scripts and images get loaded?
They are also cross-origin but yet they are not blocked by the browser???
You wouldn't believe it, But this tool is what I was trying to figure out yesterday and today, so that I can check CCAvenue Payment Gateway Integration vulnerability in my app.
🙏🙏🙏
Can you please make a video on webgl?
That's on the list
Great video 👍
What is the difference between first GET to 8081 to fetch css and js during page rendering and later GET to 8081 triggered by button?
The mime type. script/js, style/css, application/json. Json is forbidden - but it doesn't matter since he only explained what is blocked. not WHY as the title suggests
can you please provide a roadmap or guide on how to get started with ethical hacking. thanks a lot.
4:56 oups: the browser will comunicate with Origin B but when i receive the response if the header allow-origine is not there i will kick out the response
4:50 What am I missing here? If Origin B is the potentially malicious server, why is it Origin B that whitelists Origin A? And what is the browser protecting me from by preventing outward communication with Origin B? Or is Origin B the thing that CORS is protecting? I don't get it.
I can explain partially.
The browser is protecting you from another origin’s attack. If you have one tab open in the browser and open the second one with malicious software - JavaScript on this website can do anything that you can do on that 1st page (as a user). So for example it may be able to view sensitive data, read messages, or analyze DOM as you type in your password etc.
Same origin policy does not allow these two tabs (origins) to communicate on this level. The browser checks if the JavaScript comes from an HTML page on the same origin or if it comes from an external origin. If that is the case - access is blocked by the browser.
From the diagram, it looks like Origin A wants to request the images, CSS styles, and scripts from Origin B.
In this case, Origin A is the potentially malicious one, since it's the one requesting the data.
@@Aakrarvaxa It makes a little bit of sense but it also contradicts what the image shows. You say "Same origin policy does not allow these two tabs (origins) to communicate on this level" but tabs aren't origins. The servers are the origins. And how did this become about two tabs communicating?
@@Dxpress_ I don't see anything in the diagram showing Origins requesting data. Origin A and B are the servers. They don't request anything.
@@tomihawk01 You're right actually, the diagram is drawn a bit weirdly. And yeah, I don't know what the guy was on about with the two browser tabs either.
I think what they meant to imply was that the website displayed in the browser is hosted on Origin A. When the website requests data, the origin sent in the request is not the user's origin, it is still Origin A, since that's where the site is hosted.
Your voice is like a soft caramel.. I love listening to you
This video is? I mean if you know fetch, js, some online wordlists and how to press F12, you don't need to step out of your browser to do all penetration tests. F12 in browser is OP. Every aspect can be checked via developer tools, the networking, request/response, data manipulation, js manipulation and many more.
Good video, thanks for sharing. Can you please explain how a hacker could take advantage of a website not implementing CORS correctly? From what I understand this does nothing to protect the API as CORS is enforced by the browser. Thanks
CORS is there to protect the Client, not the Server
沒想到豆豆會提到馬來西亞(我是馬來西亞人)。看完整個系列我也被燒到了,bucket list世界多一項
I'm here for my daily tech knowledge bytes :D
Bro I'm also Bartosz and I got the same shirt 😅 Good vid
😂😂😂
Pls do something on DevOs, MLOps
Gonna put this on 2x speed and learn it in 50 seconds 😎
put me in the woosh
Anyone knows where can I find the gif at 1:25? I'd love to use it in my lectures
Ethical hacking is like you are developing nuclear power just to use it for peaceful purposes. 😄
Please do a video on DGraph :)
Nice video! Can you give ReScript a try and let us know your opinion about it?
please a video on the new Angular State management StateAdapt!!!
The line between the role of the hat (hat_role) is just intention.
On the other hand, those that are using the the tools are they the hackers?
Do php and manipulation of databases
I might be wrong but i though that it was the preflight request that failed in case of CORS policy and not the actual Request/Response.
Can't I just run a proxy and add the 'Access-Control-Allow-Origin' manually and bypass the browser's security?
Someone please respond to this. I have the same concern
Nice video dude
Lol, I had this error yesterday but fixed it by doing another approach
Next video: Chrome Extension and Outlook Add-ins
Next video: oAuth 2.0 in 100 Seconds and beyond
Compared to Burp commercial ( free) version, i find ZAP more appealing in features and usability
How do you always know what I need😃?! I was wandering around entire internet for way of preventing some security issues in one of my project. CORS is of course one of 'em. Thanks Fireship❤ & of course huge thanks to Bartosz🙏 for explaining the whole process so easily...
I am really happy you like it! 😍
Great need more ethical hacking videos
I would rename "And why do we need CORS?" to "What does CORS do?" because the reason of the blocking (what i urge to understand) is not explained at all. The title is a little missleading
“Given us permission” as they say
make a video about best practices of a REST api design or the purpose of header and body and so on...
dude your channel is priceless.
Am I stupid or have u done an auth vid. Of not pls do. And like not with fire base. Thx.
EDIT - thx for all the great vid. Keep em up, I love this channel.
Dear Mr. Jeff Fireship,
If you opt for quality in your videos, then ensure more quality control in the collabs because they are sometimes boring and do not match the rest of the video.
Go in 100 seconds please!
I was so fast there are no dislikes!
Apologies for asking something irrelevant,.. what is the bg music?
video idea: 100 seconds of laravel
Can u make DevOps please!
I am in cyperSec and i am surprised
What i never understood is: so how APIs work. Lets say my react app that works on port 3000 needs some resource from an external api, how does this work
APIs configure their response headers to allow for other sites to access them
@@tjgdddfcn thank you, so that's the way to go, i thought that was just a hack or some unsecure option
"Guys, we're in".
Good video, but title is misleading.
Yeah I'm a Full DevOps Stack Hacker
can we get strict mode in 100sec.
What is the name of this music ?