Moral of the story: "Don't try to come up with original solutions during a CTF, but rather go to all tweets of the challenge author to find the trick."

"wtf is this magic!!!" Best line ever!!! ❤️

You truly understand what it means to "teach" effectively. I am glad I found your channel back in middle school, you inspired me to go into infosec. Great job leading us along the problem solving process, big thanks!

What a good damn journey! This _has_ to be most _convoluted_ XSS CTF I've ever seen Amazing work

Watched this a couple of times and still can’t wrap my head around it

Wow. I'm usually pretty good at following along with these videos but this was really tough for me. I think it would have helped if you had a diagram that showed all of the interfaces and how you chained the exploits to get across them. There's a lot of moving around here.

I fricking like this video format

This is the kind of content I love

I Like Your Funny Words, Magic Man

Nice video! This challenge was really hard - not yet to solve for me :( I've been watching you since a while. So I'm really proud of myself that I solved one of your challenges - I found a flag in your /ctf repo on your github :D

It seems i need to rewatch this video like 10 times more to understand "wtf is this magic" :-) Great video!

CTF challenges in other languages: buffer overflow, reverse engineering, memory leak, cryptography....... JS challenges: „how can i override the prototype 🤔“

Damn, mind=blown!!! One of the hardest xss challenge lol!

thank you very much

Vanakam Live Overflow can u put 2 videos per week so i can learn many things😅😅😅

This is sooo beautful!!

5:46 I was surprized that in JS you can just pass extra parameters to functions, and everything works

Seems like a contrived challenge, but interesting nonetheless (especially the srcdoc trick)

I still couldn't understand from the previous video until now LOL

I had to look up the explanation posted by the author of the trick at 11:30 in order to get it. It mostly came down to a lack of knowledge about the Javascript standard library. RegExp's ToString uses values from some of the attributes of the object. It doesn't matter which of the attributes used by tostring is selected for the attack. source happened to be chosen. flags should work just as well. the inconvenient object's source attribute is set to the exfil data by setting the attribute for the object prototype. the inconvenient object's tostring is configured to include the source attribute by setting the function for the object prototype to one which includes the source attribute (RegExp's tostring) concat calls tostring on the inconvenient object, which uses RegExp's tostring, which includes the source attribute, which was set to the exfil data. concat adds the result of tostring, which includes the exfil data, to the exfil url.

Can someone just clip the part 11:26 ? :D I feel like this everyday and never been happier with your comment on the challenges you've been working on. Great watch!

This is great !

Just saying that everyone would not mind for like a 20 or a 25 minute video, why? because it is interesting, and I would really love to know how you got to the solution, it sucked that you just jumped with the reason that there is no time, next time please make the video longer, we want to really understand and not just say, uhmmmm ok, Thanks

i love youuuuu

Well donde, that was a hard one

Nice.... I was stuck on a html injection on a angular site 10days back couldnt turn it into xss, all event handlers were blocked... Going to try with srcdoc.. Thanks

I believe this 14min video took me about 30min to watch 😅

5Head 🍷 ahh yes

interesting how none of ur latest vids (like last 3 weeks) have shown up in subbox

why don't people actually watch the video before commenting? edit: I posted this comment to poke fun at the people who do this, not get confused replies.

nice . can you please make a discord channel .it will be great

EARLY

I need a hogwarts scholarship

i am imaging that when i will understand him

yes?

damn it's boring waiting for a new video

WTF is this magic

Hi

Sec

wtf