Moral of the story: "Don't try to come up with original solutions during a CTF, but rather go to all tweets of the challenge author to find the trick."
@terjanq 4 years ago
None of the intended parts of the solutions were to be found on my Twitter wall. That was just a fully unintended way to solve the challenge by weaponizing some of my tricks ;)
@advaithmadhukar2609 4 years ago
lol
@Zedoy 4 years ago
"wtf is this magic!!!" Best line ever!!! ❤️
@danielfernandes1010 4 years ago
I got so scared when he said that lmao
@AntiAtheismIsUnstoppable 4 years ago
LO is very underrated. This might be a bit too complex for me, but the way he thinks is extremely good for teaching beginners about work ethics. I don't know many others who think the same way. It's like an art form.
@neekonsaadat2532 4 years ago
You truly understand what it means to "teach" effectively. I am glad I found your channel back in middle school, you inspired me to go into infosec. Great job leading us along the problem solving process, big thanks!
@internetdoggo4839 3 years ago
What a good damn journey! This _has_ to be the most _convoluted_ XSS CTF I've ever seen. Amazing work
@flirtyemy042 a year ago
Watched this a couple of times and still can’t wrap my head around it
@soggytoast111 3 years ago
Wow. I'm usually pretty good at following along with these videos but this was really tough for me. I think it would have helped if you had a diagram that showed all of the interfaces and how you chained the exploits to get across them. There's a lot of moving around here.
@ajholmes4867 4 years ago
I fricking like this video format
@Timooooooooooooooo 4 years ago
This is the kind of content I love
@rasool2753 4 years ago
I Like Your Funny Words, Magic Man
@maruswielki5174 4 years ago
Nice video! This challenge was really hard - not yet to solve for me :( I've been watching you for a while. So I'm really proud of myself that I solved one of your challenges - I found a flag in your /ctf repo on your github :D
@krlst.5977 4 years ago
It seems I need to rewatch this video like 10 times more to understand "wtf is this magic" :-) Great video!
@580maramir 4 years ago
CTF challenges in other languages: buffer overflow, reverse engineering, memory leak, cryptography....... JS challenges: „how can i override the prototype 🤔“
@nukexplosion6679 4 years ago
LOL
@DHIRAL2908 4 years ago
Damn, mind=blown!!! One of the hardest xss challenge lol!
@AntiAtheismIsUnstoppable 4 years ago
Yes, but how can you inject an if is not allowed. An is an no matter the source, isn't it?
@ence7846 4 years ago
@AntiAtheismIsUnstoppable Actually they are allowed but the CSPs lead to restrictions on their source, but when using srcdoc, is considered without source so it does not interfere with CSPs
@AntiAtheismIsUnstoppable 4 years ago
@ence7846 OK, I need to read up on this with srcdoc, because I do use CSP, and I absolutely want it to work as I intend, not everyone else, lol
@techchannel3107 3 years ago
thank you very much
@darklord_656 4 years ago
Vanakam Live Overflow can u put 2 videos per week so i can learn many things😅😅😅
@kevinwydler4405 3 years ago
This is sooo beautiful!!
@kezzyhko 4 years ago
5:46 I was surprised that in JS you can just pass extra parameters to functions, and everything works
@mrocto329 2 years ago
JS works in such a way that it never gives errors basically. If you have a function foo that takes no args and a bar that takes one, all of the following are valid: foo(3), bar(), bar(3, 5)
@samfoxman7046 4 years ago
Seems like a contrived challenge, but interesting nonetheless (especially the srcdoc trick)
@adtiyamuhammadakbar2711 4 years ago
I still couldn't understand from the previous video until now LOL
@klikkolee 4 years ago
I had to look up the explanation posted by the author of the trick at 11:30 in order to get it. It mostly came down to a lack of knowledge about the JavaScript standard library. RegExp's toString uses values from some of the attributes of the object. It doesn't matter which of the attributes used by toString is selected for the attack. source happened to be chosen. flags should work just as well. The inconvenient object's source attribute is set to the exfil data by setting the attribute for the object prototype. The inconvenient object's toString is configured to include the source attribute by setting the function for the object prototype to one which includes the source attribute (RegExp's toString). concat calls toString on the inconvenient object, which uses RegExp's toString, which includes the source attribute, which was set to the exfil data. concat adds the result of toString, which includes the exfil data, to the exfil url.
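The JavaScript behaviour described in the comment above, as an added example that is not part of the original comment or of the challenge: it shows that `RegExp.prototype.toString` is generic, what `concat` yields once `Object.prototype` carries `source` and that `toString`, and two defensive checks. The function names, the `PREFIX:` string and the `MARKER` value are constructed for illustration.

```javascript
// RegExp.prototype.toString is generic: for ANY object it returns
// "/" + String(this.source) + "/" + String(this.flags).
function genericRegExpToString(obj) {
  return RegExp.prototype.toString.call(obj);
}

// Reproduce the polluted state locally, run one concat, then restore the
// prototype so the rest of the program is unaffected.
function concatUnderPollution(prefix, value, marker) {
  const originalToString = Object.prototype.toString;
  try {
    Object.prototype.source = marker;                      // inherited by every plain object
    Object.prototype.toString = RegExp.prototype.toString; // replaces "[object Object]"
    return prefix.concat(value);                           // concat performs ToString(value)
  } finally {
    Object.prototype.toString = originalToString;
    delete Object.prototype.source;
  }
}

// Defensive check 1: refuse implicit stringification of non-strings, so
// inherited toString/source values can never reach the output.
function safeConcat(prefix, value) {
  if (typeof value !== 'string') {
    throw new TypeError('safeConcat expects a string, got ' + typeof value);
  }
  return prefix + value;
}

// Defensive check 2: an object with a null prototype inherits nothing from
// Object.prototype, so pollution cannot give it a toString or a source.
function makeIsolatedObject(fields) {
  return Object.assign(Object.create(null), fields);
}

// A plain object picks up both polluted properties; "flags" is not set
// anywhere on the chain, so it stringifies as "undefined".
const polluted = concatUnderPollution('PREFIX:', {}, 'MARKER');
console.log(polluted); // PREFIX:/MARKER/undefined

// The null-prototype object has no toString at all, so concat throws
// instead of silently including the inherited value.
try {
  concatUnderPollution('PREFIX:', makeIsolatedObject({ id: 1 }), 'MARKER');
} catch (err) {
  console.log(err instanceof TypeError); // true
}
```
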
@lukor-tech 4 years ago
Can someone just clip the part 11:26 ? :D I feel like this everyday and never been happier with your comment on the challenges you've been working on. Great watch!
@DevsLikeUs 4 years ago
This is great !
@liorcraftblockil5995 3 years ago
Just saying that everyone would not mind for like a 20 or a 25 minute video, why? because it is interesting, and I would really love to know how you got to the solution, it sucked that you just jumped with the reason that there is no time, next time please make the video longer, we want to really understand and not just say, uhmmmm ok, Thanks
@mnj-adam3862 3 years ago
i love youuuuu
@metalpachuramon 4 years ago
Well done, that was a hard one
@RohanOnBike 4 years ago
Nice.... I was stuck on an HTML injection on an Angular site 10 days back, couldn't turn it into XSS, all event handlers were blocked... Going to try with srcdoc.. Thanks
@AntiAtheismIsUnstoppable 4 years ago
I don't understand how you can inject an when is not allowed. That doesn't make any sense.
@lingon27 3 years ago
I believe this 14min video took me about 30min to watch 😅
@ichigo-nms9418 4 years ago
5Head 🍷 ahh yes
@ve9 4 years ago
interesting how none of ur latest vids (like last 3 weeks) have shown up in subbox
@jakekarreofficial 4 years ago
why don't people actually watch the video before commenting? edit: I posted this comment to poke fun at the people who do this, not get confused replies.
@jakekarreofficial 4 years ago
@TutorialsByKevin I only stated that because I looked at the recent comments, and saw a bunch of people saying "hi" which has nothing to do with the video.
@namenlos4198 4 years ago
Are you new to the KZbin game?
@jakekarreofficial 4 years ago
@namenlos4198 no I just thought someone would see this and agree
@heroslippy6666 4 years ago
why does it matter, it's been happening forever?
@medjassertoubib4467 4 years ago
Nice. Can you please make a Discord channel? It will be great