It would have been funny for google to really alert 1 when you input alert(1) into search box
@ThomasOrlita 3 years ago
I think they did something like that once on the Bughunter page.
@2das 3 years ago
Oh no, hell no, it would not. Imagine all the amateur bug hunters who then spam their reports to the google bug bounty XD
@castles990 3 years ago
@FBI Federal Bureau of Investigation Then they would pretty much ignore every XSS reports, sorry FBI.
@2das 3 years ago
@LastName Almaember you better ignore my browsing history
@1e1001 3 years ago
@@castles990 well they can state that you have to use alert(document.domain) and just ignore all alert(1) ones or whatever
@whydoineedausername1386 3 years ago
"Look into the chrome developer tools" *Opens firefox*
@dertythegrower 3 years ago
Yeah.. it calling home every time I open the browser.. yeah, no go for me. Also lack of script-viewing tools on chrome compared to firefox... mm, minimal.
@nicoper 3 years ago
Since this video is seemingly paid for by google, it's not strange that it contains some advertisement for Chrome.
@vaisakhkm783 3 years ago
"In a browser, the chrome is any visible aspect of a browser aside from the webpages themselves (e.g., toolbars, menu bar, tabs)." - so technically dev tools is a chrome (Not Google Chrome, it's just a name of a browser which they stole)
@sebastianelytron8450 3 years ago
@@vaisakhkm783 ^^ Can somebody verify that? I've literally never heard it before and information online on it is scarce. Is this really a technical term?
@vaisakhkm783 3 years ago
@@sebastianelytron8450 I also came to know about this from one of his own videos...."sandbox escape in Firefox" or something like that..... Check out that video
@TheMAZZTer 3 years ago
Funny thing is you're using a browser that shows the origin in the alert box regardless of message, so alert(1) is fine in those browsers. Though you do show the edge case where there is no origin (eg it's blank) the alert box title is different, so it's worth keeping that edge case in mind.
@dasten123 3 years ago
I thought so too, but look at this case 7:30 it just says "An embedded page on this page says"
@_DeProgrammer 3 years ago
The browser may show the origin in the alert but I think you're missing the point. It's not a bug. Using alert(1) would render a false positive and it would be better to use something other than alert(1) that shows an actual xss on the origin.
@thapr0digy 3 years ago
When you said Google at 6:37, you triggered my Google assistant. Too bad it interrupts the video, otherwise you could open malicious web sites on the user's behalf
@yashrathi6862 3 years ago
Actually, might be a nice idea lol, but don't you have your voice recognition set up?
@mekb-the 3 years ago
seems you accidentally left advertisements watermark in the top right corner for the video lol
@gurglemurgle5 3 years ago
The vid might be sponsored by Google
@Test123747 3 years ago
Saw a few German YouTubers doing this for legal reasons. Otherwise competitors will assume you are breaking a law if some products are highlighted in the videos, even if there is no sponsorship. They will ask for money and for you to stop doing this in the future (with some legal document). In return those YouTubers then have to explain that there is no sponsorship and might even need the assistance of a lawyer. If it was sponsored he probably has to pay money to the competitor. So they just place an advertisement note on every single video to just not have to deal with that kind of bullshit.
@bernhardschmidt9844 3 years ago
I mean, he does link to Google's new bug hunter University thing in the description and he does talk about how to do stuff in regards to Google products throughout the video, so it being sponsored in some way isn't too far-fetched. That said, it's weird he doesn't explicitly mention it anywhere...
@lilyliao9521 3 years ago
@@Test123747 interesting
@zaphooxx8779 3 years ago
Very good, valuable and helpful information you are providing here. Thanks!
@chiranjit9529 3 years ago
Amazing explanation
@piyh3962 3 years ago
This taught me more about XSS than any other video I've seen so far.
@michaeldouglas1052 2 years ago
Very precious and important tips, thank you!
@seclilc 3 years ago
Great video as always
@drahoxx3076 3 years ago
Why is there an "advertisement" message in the top right corner? Is it just a mistake? Anyway, very instructive video! (Like the others!)
@tercmd 1 year ago
It's because Google paid him to produce this for Bug Hunter University and he thought it to be a good video, so he published here.
@soonpeace9938 3 years ago
Very Informative.............Keep it up
@velho6298 3 years ago
Advertisement, nice touch.
@danhorus 3 years ago
I use console.log or console.trace :)
@b391i 3 years ago
alert("You Are The Best")
@MrItrollaround 3 years ago
Wait, so I'm not allowed to name my Skyrim player this anymore? Darn.
@muha0644 3 years ago
You make your videos really well. Amazing script, you speak clearly and enthusiastically, and you make cool graphics that are easy to understand and look nice in general, etc... The only thing I can complain about is that your IRL background looks kinda scary, like you are about to make an apology video or a documentary. It's not really a complaint but I thought you could use the feedback. If you still have the breadboard pc you could make a counter and hang it in the background...or add some shelves or something. Unless you like the empty backdrop in which case ignore what I just said. Keep up the good work!
@DiThi 3 years ago
Are web workers another way of sandboxing potentially unsafe code?
@ceilidhDwy 3 years ago
Why is it marked as a sponsored video? Did google sponsor this one?
@tercmd 1 year ago
They paid for it to be created and he thought it to be a good video, so he published it on LiveOverflow
@IudiciumInfernalum 3 years ago
I generally just `alert(%27MyHandle%27)`
@shaswat2 2 years ago
Is it self or reflected XSS if I modify the response in BURP and it shows alert, but doesn't show in URL?
@LiveOverflow 2 years ago
Neither ;) it’s nothing ;)
@shaswat2 2 years ago
@@LiveOverflow
@neilthomas5026 3 years ago
Gold
@lmaoroflcopter 3 years ago
Use prompt(2) ?? :D
@yuck871 3 years ago
nice
@iicloudbob8793 3 years ago
Please try reverse engineering Synapse X. It will be a challenge for you
@spongechair 3 years ago
1
@lior_haddad 3 years ago
oh
@bibelwalker 3 years ago
Michael Cera's cooler, more extraverted brother
@mwint1982 3 years ago
Zeguridy izzu
@nameless_9504 3 years ago
And one more: I have come across an XSS. But they aren't storing any information about the user in cookies or localStorage. They are using completely stateless JSON web tokens and refresh token. When we are in certain endpoint then it will assign a in cookie using JWT. Best example using ( KEYCLOAK ). So I hosted a FORM to prove an attack possible in the domain.
@me-ashacker233 3 years ago
Sir please re-upload how real hacking video sir you removed that video
@ripplerxeon 3 years ago
I see Firefox ... Lol
@Andre-xz5ky 3 years ago
Can you crash the whole shitty internet please? If someone read this who can, just do it. Like nike is using childs for Manufacturing. Only do it.
@hblaub 3 years ago
You are an ALERT()ist!
@theMoporter 3 years ago
It's annoying as fuck as a user.
@UlfKlose 3 years ago
Is it just me or are you "unsharp" in almost every part of the video? Looks almost like you're out of focus most of the time.
@hikari_no_yume 3 years ago
Why is there an “advertisement” mark at the top-right, and a mention of sponsorship by Google in the subtitles, but not in the video itself?
@jaralara6429 3 years ago
Maybe this whole video is an ad from Google telling us to stop with the alert(1) reports 😂😂😂
@uttiya10 3 years ago
I guess the “paid promotion” message at the beginning might be enough?
@violetwtf 3 years ago
yeah this seems so sketchy
@luphoria 3 years ago
@@violetwtf not really.. the video is an ad
@unicodefox 3 years ago
I think it was originally going to be that, then at the last moment he edited it out. The video is also low quality, almost as if he quickly downloaded it, edited and reuploaded
@charlesfries 3 years ago
This channel has taught me so much
@DawnnDusk-k4n 3 years ago
This guy precisely
@tytangameplay3118 3 years ago
This channel got me a detention ;-;
@DeadDad1 3 years ago
Same! I absolutely love way he explains things!
@cedricvillani8502 3 years ago
You want his bounty all over your chin
@tytangameplay3118 3 years ago
@@LethalSwizzle found xss and other vulnerabilities in school website, and apparently I violated some policy
@JPlexer 3 years ago
How do some people say "Good Video" or "Amazing Explanation"? The Video literally just released
@reastle1307 3 years ago
they fake it
@byekou 3 years ago
gotta earn the likes
@LiveOverflow 3 years ago
it's always true for my videos 🙃
@GamingBlake2002 3 years ago
*cough cough* cyberchiranjit *cough cough*
@JPlexer 3 years ago
@@LiveOverflow well yes, but actually yes
@OdinRu1es 3 years ago
Don’t use for security reasons. Uses for security reasons.
@jackharbor3347 3 years ago
Why we shouldn't use for security reasons?
@JustPlayerDE 3 years ago
@@jackharbor3347 back in the past s where bad, now they are good i guess
@IsAMank 3 years ago
Huh, never considered the bug bounty angle. From my experience with clients, issues in the components of a client's application were still very valid, and would often prompt further discussion and remediation across org boundaries, which I see as the ideal outcome. Good practice for XSS checks nonetheless, great video!
@menkiguo7805 3 years ago
I was working for a website and their filter of XSS has alert(1) in it
@4.0.4 3 years ago
The reason we use alert is because of old browsers that didn't have such nice consoles. It was the easiest way to see something on screen. In fact I remember an old Microsoft site where I got a debug alert when I pressed some combination of buttons (by chance).
@GiveAcademy 3 years ago
in the past, my reason for using alert was because it took the least amount of characters, where many forms that were being tested had character limits. also most things would check for eval specifically, however alert was often forgotten... hehe
@1Hippo 3 years ago
Chrome and Firefox both always display the origin domain in the alert, shown in the video for example at 3:41. I don't see the point of writing such an unnecessarily long payload, the video title seems a bit much clickbait, otherwise good explanation tho. alert(1) is still fine. btw: Opera and Vivaldi do it too, I guess all Chromium-based browsers.
@SolomonUcko 3 years ago
It looks like inside iframes, at least, browsers just say "an embedded page" rather than the actual domain or origin of the iframe.
@dasten123 3 years ago
See 7:30
@1Hippo 3 years ago
@@SolomonUcko They report the actual domain if it is set, blogger uses an iframe too, see 4:26. In his self-made example src is just not set, so it falls back to the generic message.
@1Hippo 3 years ago
@@dasten123 See 7:45, in any case you get basically the same info.
@Jimmy1985 3 years ago
But can i still deploy malware on the client machine via this xss? A bEEF hook could hook into the browser of the client. I would not call any xss a safe xss but i guess it is out of scope.
@realjameskii 3 years ago
Ok thanks, I'll use alert(2) instead
@thomascodes 3 years ago
Different WAFs have different responses to payloads, sometimes destructuring the payload may work throw[onerror]=[alert],1
@soroushhd2408 3 years ago
man I believe in it I got an XSS from an important website that belongs to a very important organization that was pentested 3 times 🤣🤣🤣
@user-ko7oo2qg1g 3 years ago
One of those rare videos by you about which I can say that I knew most of the things you mentioned. But still, a great one as always! 👍
@gradientO 3 years ago
alert(1)
@marcoschincaglia 3 years ago
ok, I had to interrupt my lazy Saturday afternoon to actually learn something useful
@rafaeldacosta8581 1 year ago
destroying kids dreams under 12 minutes huahuahuahuahuahua
@aldison5070 3 years ago
We use eval()
@medpro5612 3 years ago
Can I use alert(1337)?
@rupesholee 3 years ago
why not
@scou1yy 3 years ago
Imagine getting a pop-up saying "2", that would be threatening
@Lantalia 3 years ago
We use alert because it predates chrome, firebug, and most useful 'consoles'
@arivanhouten6343 3 years ago
Finally another masterpiece!
@pixelorange9651 3 years ago
Thank you for your suggestions on XSS! Your video is very good, so I want to translate it and share it on the Chinese video website (bilibili) in my free time. I will keep the introduction and title of your video consistent and declare the author, and I will not get any profit from it. Do you agree with this matter?
@Hackerone144411 ай бұрын
print(5)
@devprogramming 2 years ago
Use print() instead of alert() because browsers are disabling the alert() for cross-domain iframes.
@TheJDebski 3 years ago
Thanks so much. You're doing great work. I would love more hunting videos. Very interesting
@arenaesports2580 3 years ago
For Chrome we can use print now
@kissinger2867 3 years ago
The more I watch you the more I find something new, interesting and worth my time. Thank you very much.
@asdfghyter 3 years ago
Is there any practical difference between document.domain and window.origin for these purposes?
@w3w3w3 3 years ago
damm super interesting :)
@vinayjain322 1 year ago
ok i will use alert('fucked')
@thejswaroop5230 3 years ago
Bro i have a suggestion.... can u please put a video on PEGASUS spyware...like I'm genuinely confused what is it and why news channels are milking it so much....is it a thing to be afraid of? I would love to see your perspective on this.... If not here maybe atleast in your other channel liveunderflow pls....?
@2das 3 years ago
gif mi bounti plis
@techdevils1597 2 years ago
alert("xss")
@156785543 3 years ago
Excuse my ignorance. What is the most dangerous thing you can do with that kind of attack (XSS) in real life? I mean, if I found an XSS vuln, the hacker could just catch my token/credentials by phishing? Or is there another, more powerful attack? Excellent video and cheers from Argentina!
@anandakumar625xib8 10 months ago
He looks like Mr beast
@10oneluv10 2 years ago
GREAT VIDEO! I never knew any of this.
@ThatGuy-bx3pv 3 years ago
KZbin recommend me this and I don't understand a thing. Why youtube? Why?
@charlie5tanley 1 year ago
thank you thank you....
@Epinardscaramel 3 years ago
5:02 Sorry Flash, f.
@ZelenoJabko 3 years ago
Not all browsers support sandboxed iframes. Those browsers are vulnerable.
@ThePizzabrothersGaming 3 years ago
which one doesn't, internet explorer? that's EoL
@ZelenoJabko 3 years ago
@@ThePizzabrothersGaming your mom doesn't
@4ag2 3 years ago
Very well explained! Thanks 👍
@dclxviclan 2 years ago
Cool, nice tut
@mualifulmizan9066 3 years ago
Nice this video
@spv420 3 years ago
I just realized I wasn’t subscribed. I fixed that.
@dasten123 3 years ago
This is interesting! Cool video man!
@pedrophillipe 3 years ago
If I want to, I'll use it, yes, jeez lol
@sourandbitter3062 3 years ago
That was interesting, but he repeated himself a lot, the video could have been half the length.
@omri9325 3 years ago
Is this a new video-file format? the quality looks too compressed :|
@Hackedpw 3 years ago
Kiii
@sharemarket1971 3 years ago
I'm new in bug hunting... I understand nothing but I watched this video
@Quget 3 years ago
4:22 But you are using the much better browser.... Firefox!