Your voice is so calm and gentle, I need tutorials from your side, mate!
@intigriti 2 years ago
Thank you so much for your kind words!
@evuri 3 years ago
Thank you so much Intigriti, it increased my knowledge on XSS to 50 more percent.👌
@intigriti 3 years ago
Great to hear! Keep going 💪
@HamsterLover1337 a year ago
Nice, using the sniper functionality is really smart
@soapli3687 a year ago
Hi. I wonder the reason we use the is that need to in some kind of tags like just can have an effect?
@alexman340 3 years ago
Thank you so much, this is a real practical tutorial. There are plenty of theory videos on YouTube or books about XSS; they are talking about just nothing meaningless.
@intigriti 3 years ago
Glad it was helpful! We are trying to make our content as practical as possible to give all watchers a good idea about how things work 🔥
@oneplanet2198 3 years ago
You just opened me up to a whole new understanding... thank you sir... you are great
@intigriti 3 years ago
Those are such nice words 🥰 Thank you very much for your feedback! We are glad you enjoyed the video!
@sinanawni575 3 years ago
What about the encoded tags? How can we bypass them? After entering tags into the input field, the response will include encoded HTML tags.
@intigriti 3 years ago
Sorry, can you elaborate a bit further what you mean? Do you mean for this specific challenge?
@sinanawni575 3 years ago
@@intigriti no, I mean when you see an input field, like for a search function: once you enter the XSS payload it will print it out to the screen but nothing pops up; you view the page source, then you see your payload being encoded to HTML, like you enter these tags : ">
@intigriti 3 years ago
@@sinanawni575 that is proper encoding by the application. You cannot get around that. That is telling you that you can not use angle brackets in your payload. Next, you would have to search for a payload that could potentially work without angle brackets. That said, depending on the application logic, you could try all sorts of things (e.g. sending multiple brackets, encoding them by yourself, etc.) and see how the app reacts.
@Fahodinho 2 years ago
3:44 there's a bug in your chair
@intigriti 2 years ago
This must be why they call it bug bounty!
@fusman9653 3 years ago
Thx...to explain, the way to explain is perfect
@intigriti 3 years ago
You're welcome! We are really happy if you like it 😇
@dizonnicolefranza.4181 3 years ago
Can we have the 2 link the cheat sheet thanks
@intigriti 3 years ago
Of couuurse! Our bad, we have linked it now in the description! 🔥
@dizonnicolefranza.4181 3 years ago
@@intigriti thanks
@gochaoqradze9687 3 years ago
In my previous post I was not right. Yes need use animatetransform
@intigriti 3 years ago
Can you elaborate what you mean? 👀
@ThePhoenyx a year ago
Very good tutorial
@intigriti a year ago
Thank you! Cheers! 🥰
@semirberisha 2 years ago
At minute 4:06, why do you add %20?
@intigriti 2 years ago
Because we need a space character in the payload which is encoded as %20 in an HTTP request.
@wcovcrypto9796 2 years ago
The video is very good, but what if it does not have a laptop like mine. I can request how to find the weakness of a web manually in case there is such a filter or firewall. Thank you 😊
@intigriti 2 years ago
We are not quite sure if we understand your question? 👀
@wcovcrypto9796 2 years ago
his intention is to give an example of how to find XSS loopholes in a way without any tools 😶
@lethalleet 3 years ago
First 🔥 How do you guys know i am online?😂
@intigriti 3 years ago
Gooood job 💪 Well, how do we know? 😅
@meljithpereira5532 3 years ago
@@intigriti KZbin algorithm
@cnx8377 3 years ago
Can bypass WAF??
@intigriti 3 years ago
This video did not focus on bypassing WAFs. If a specific payload is bypassing a WAF or not depends on the WAF solution used.
@meljithpereira5532 3 years ago
Can we automate your video in python...
@intigriti 3 years ago
You could automate some of the parts shown in the video in Python. However, the approach we have shown also includes the mind of a human to some extent. The method we show here is preferably used with Burp or e.g. ZAP.
@alexman340 3 years ago
I think, gather all payloads and build scanning tools, but tools will give you a lot of false-positive vulns
@tudasuda5501 3 years ago
Thnx!
@intigriti 3 years ago
You are welcome 😇. Glad you liked it!
@meljithpereira5532 3 years ago
Can we use ffuf!! Instead of burp..
@intigriti 3 years ago
Those two tools are performing two different tasks! If you want to play around with ffuf, have a look at blog.intigriti.com/2021/05/03/hacker-tools-ffuf-fuzz-faster-u-fool-2/