ok fine I’ll use alert(2)

It would have been funny for google to really alert 1 when you input alert(1) into search box

"Look into the chrome developer tools" *Opens firefox*

Funny thing is you're using a browser that shows the origin in the alert box regardless of message, so alert(1) is fine in those browsers. Though you do show the edge case where there is no origin (eg it's blank) the alert box title is different, so it's worth keeping that edge case in mind.

When you said Google at 6:37, you triggered my Google assistant. Too bad it interrupts the video otherwise you could open malicious web sites on the users behalf

seems you accidentally left advertisements watermark in the top right corner for the video lol

Very good , valuable and helpful information you are providing here. Thanks !

Amazing explanation

Very precious and important tips, thank you!

Great video as always

Why is there an "advertisement" message in the top right corner ? Is it just a mistake ? Anyway, very instructive video ! (Like the others!)

Very Informative.............Keep it up

Advertisement, nice touch.

I use console.log or console.trace :)

alert("You Are The Best")

Wait, so I'm not allowed to name my Skyrim player this anymore? Darn.

You make your videos really well. Amazing script, you speak clearly and enthusiastically, and you make cool graphics that are easy to understand and look nice in general, etc... The only thing I can complain about is that your IRL background looks kinda scary, like you are about to make an apology video or a documentary. It's not really a complaint but I though you could use the feedback. If you still have the breadboard pc you could make a counter and hang it in the background...or add some shelves or something. Unless you like the empty backdrop in which case ignore what I just said. Keep up the good work!

Are web workers another way of sandboxing potentially unsafe code?

Why is it marked as a sponsored video? Did google sponsor this one?

I generally just `alert(%27MyHandle%27)`

Is it self or reflected XSS if I modify the response in BURP and it shows alert, but doesnt show in URL?

Gold

Use prompt(2) ?? :D

nice

Please try reverse engineering Synapse X. It will be a challenge for you

1

oh

Michael Cera's cooler, more extraverted brother

Zeguridy izzu

And one more I have a came across a xss. But they aren't storing any information about user in cookies or localstorage. They are using completely stateless JSON web tokens and refresh token. When we are in certain endpoint then it will assign a in cookie using JWT. Best example using ( KEYCLOAK ). So I hosted a FORM to prove a attack possible in the domain.

Sir plese re upload how real hacking viedo sir you removed that viedo

I see Firefox ... Lol

Can you crash the whole shitty internet please? If someone read this who can, just do it. Like nike is using childs for Manufacturing. Only do it.

You are an ALERT()ist!

It's annoying as fuck as a user.

Is it just me or are you "unsharp" in almost every part of the video? Looks almost like you're out of focus most of the time.

Why is there an “advertisement” mark at the top-right, and a mention of sponsorship by Google in the subtitles, but not in the video itself?

This channel has taught me so much

How do some people say "Good Video" or "Amazing Explanation"? The Video literally just released

Don’t use for security reasons. Uses for security reasons.

Huh, never considered the bug bounty angle. From my experience with clients, issues in the components of a client's application were still very valid, and would often prompt further discussion and remediation across org boundaries, which I see as the ideal outcome. Good practice for XSS checks nonetheless, great video!

I was working for a website and their filter of XSS has alert(1) in it

The reason we use alert is because of old browsers that didn't have such nice consoles. It was the easiest way to see something on screen. In fact I remember an old Microsoft site where I got a debug alert when I pressed some combination of buttons (by chance).

in the past, my reason for using alert was because it took the least amount of characters, where many forms that were being tested had character limits. also most things would check for eval specifically, however alert was often forgotten... hehe

Chrome and Firefox both always display the origin domain in the alert, shown in the video for example at 3:41. I don't see the point of writing such a unnecessarily long payload, the video title seems a bit much clickbait, otherwise good explanation tho. alert(1) is still fine. btw: Opera and Vivaldi do it too, I guess all chromium based browsers.

But can i still deploy malware on the client machine via this xss? A bEEF hook could hook into the browser of the client. I would not call any xss a safe xss but i guess it is out of scope.

Ok thanks, ill use alert(2) instead

Different WAF'S Have diffrent responses to payloads some times destructuring the payload may work throw[onerror]=[alert],1

man I believe in it I got a xss from an imortant web site thats belong to a very important organization that was pentested for 3 times 🤣🤣🤣

One of those rare videos by you about which I can say that I knew most of the things you mentioned. But still, a great one as always! 👍

alert(1)

ok, I had to interrupt my lazy Saturday afternoon to actually learn something useful

destroying kids dreams under 12 minutes huahuahuahuahuahua

We use eval()

Can I use alert(1337) ?

Imagine getting a pop-up saying "2", that would be threatening

We use alert because it predates chrome, firebug, and most useful 'consoles'

Finally another masterpiece!

Thank you for your suggestions on XSS! Your video is very good, so I want to translate it and share it on the Chinese video website (bilibili) in my free time. I will keep the introduction and title of your video consistent and declare the author, and I will not get any profit from it. Do you agree with this matter?

print(5)

Use print() instead of alert() because browsers are disabling the alert() for cross-domain s.

Thanks so much. You're doing great work. I would love more hunting videos. Very interesting

For Chrome we can use print now

The more I watch you the more I find something new, interesting and worth my time. Thank you very much.

Is there any practical difference between document.domain and window.origin for these purposes?

damm super interesting :)

ok i will use alert('fucked')

Bro i have a suggestion.... can u please put a video on PEGASUS spyware...like I'm genuinely confused what is it and why news channels are milking it so much....is it a thing to be afraid of? I would love to see your perspective on this.... If not here maybe atleast in your other channel liveunderflow pls....?

gif mi bounti plis

alert("xss")

Excuse me my ignorance. What is the most dangerous thing you can do with that kind of attack? (xss) in Real life. I mean if I found a xss vuln the hacker just could catch my token/credentials by fishing? Or there is a other most power full attack. Excelente video and cheers from Argentina!

He looks like Mr beast

GREAT VIDEO! I never knew any of this.

KZbin recommend me this and I don't understand a thing. Why youtube? Why?

thank you thank you....

5:02 Sorry Flash, f.

Not all browsers support sandboxed s. Those browsers are vulnerable.

Very well explained! Thanks 👍

Cool, nice tut

Nice this video

I just realized I wasn’t subscribed. I fixed that.

This is interesting! Cool video man!

se eu quiser uso sim, oxi kk

That was interesting, but he repeated himself a lot, the video could have been half the lenght.

Is this a new video-file format? the quality looks too compressed :|

Kiii

I'm new in bug hunting... I understand nothing but I watched this video

4:22 But you are using the much better browser.... Firefox!

Thank you so much 🙌🏻

As usual 🔥🔥🔥🔥👌

69

alert("xss") -- a classic

.

Good thing I use alert(2)

1337

I need help in APDU setup

me, who uses alert(): intensive sweating

wonderful video Thanks @liveoverflow

Very informative video