It will not get Udemy cookies because the XSS runs on the website you specify
@mazzukmachu 4 months ago
But that XSS is not in Udemy, it is triggered in the lab?
@naveen1001 4 months ago
Bro that was no real XSS
@J-R105 2 months ago
Solid approach for XSS hunting since it can be tempting to skip straight to XSS without trying the HTML injection to XSS route. Did you modify your payload to show impact before submitting the bug report? Many companies will push back if your PoC just includes the alert() payload.
@Shhukoihee 4 months ago
Bro, that's a nice explanation. Can you make more videos on how to find other vulnerabilities too, your approach on a real bug bounty target?
@adithyakrishna_v 4 months ago
sure 👍
@bugbouty 5 months ago
Bro, make a video about how to use sqlmap tamper scripts to bypass a WAF
@Shanky.. 3 months ago
Thanks brother, after seeing your video I also went to Udemy and started hunting, and in less than 20 mins I found a bug 🎉
@NicolasAlvesDias 3 months ago
What bug have you found? Can you please tell, and how? Please
@Chronono 4 months ago
Bro, can you share where you have submitted it and how the bounty was for the same?
@adithyakrishna_v 4 months ago
At this stage it's an HTML injection so no bounty. Still testing on the endpoint to find loopholes in the sanitization. This almost worked alert(1)</script> but script tag is actually properly HTML encoded. Most of the event handlers like onclick, onerror, onmouseover etc. are properly sanitized. But still attributes like , can be injected so there might be a loophole still, targeting the endpoint.
@usrDev403 4 months ago
u won't get XSS on main site.. u should try every parameter u see or try to fetch some hidden parameter.. then only u can.. but still everyone is hunting on it so bigger chance u get a dup
@sairavuri5585 4 months ago
How much bounty did you gain?
@apranaya7782 3 months ago
Hey, I am a beginner in this field and have absolutely 0 knowledge. Can u tell me how to start bug bounty, its prerequisites, what to learn, and how much time it takes to learn in general? Plz read this comment, thx
@adithyakrishna_v 3 months ago
@apranaya7782 Begin by learning how the web works, particularly web requests (POST, GET, PUT), as it forms the foundation of web security. Next, focus on one vulnerability, like Cross-Site Scripting (XSS), and learn everything about it. Practice using labs like PortSwigger's Web Security Academy to understand how it works. Once you’re confident, create an account on platforms like Bugcrowd, HackerOne, or YesWeHack, and start with Vulnerability Disclosure Programs (VDPs) to gain experience. Pick a target and hunt for that specific vulnerability (e.g., XSS). After finding and reporting some bugs, move on to learning another vulnerability and apply both on your next target. The learning process takes time and dedication, but with consistent practice, you can start finding bugs within a few months. Keep pushing and growing!
@thenamehasbeenstolen4470 2 months ago
Just hack, watch videos, play with Burp fetched requests, read hacking articles on Medium or any online site, and play with the Kali Linux terminal
@deepparasiya5641 4 months ago
One of the best to look for XSS. Thank you very much. Can you please share the resources that you used to build up this methodology?
@adithyakrishna_v 4 months ago
I didn't rely on any particular resources; I just practiced and refined my methodology over time.
@mahabaratam8908 4 months ago
@adithyakrishna_v can you share that methodology?
@Robo747-n7l 5 months ago
Finally you have started showing your face, that's a good thing. The English is not a big problem. Keep going 🎉🎉🎉
@mahabaratam8908 4 months ago
And also make a video for URL encoding XSS
@LEOSTRIBE 1 month ago
It is simple HTML injection, not real XSS
@anirudhe_s202 4 months ago
Suresh Gopi will take you away 😅 nice video
@adithyakrishna_v 4 months ago
😅
@abdulx01 5 months ago
Firstly I was totally shocked to see your XSS on Udemy. 😅 Bro, first you need to learn XSS to teach us. Noob boi 😅
@adithyakrishna_v 5 months ago
Let me explain: XSS (Cross-Site Scripting) allows attackers to inject malicious scripts into web pages viewed by other users. In this case, I was able to inject a complete tag along with its attributes, including an unsanitized target attribute, which was not properly filtered. It should have been considered as text. This is my payload: bug This payload demonstrates a combination attack rather than a direct XSS attack. The primary attack vector here is the misuse of the target attribute, which the application did not properly sanitize. This method reveals a potential vulnerability in handling the target attribute. Regular users can be tricked into following the link to an external site, exploiting the credibility of a legitimate site like Udemy to execute the attack. Ideally, a site like Udemy should not have a vulnerability like this. The goal was to highlight the issues in Udemy's input sanitization, demonstrate how it could be bypassed, and identify the type of sanitization used by a particular website. However, I acknowledge that a more direct approach would have been more effective in emphasizing the XSS vulnerability. Thank you for your feedback, and I am committed to improving my methods.
@krrishogx 4 months ago
Same thinking, bro :)
@FahadMuneer-d6c 2 months ago
Hey Abdul, I see a lot of you guys rendering it not being the XSS but I think it is since we can redirect a user to another website that could be malicious. In other words it's open redirection through XSS because it resulted from the input we injected. Although it requires social engineering to work, it is a URL redirection through XSS. Plz elaborate if I'm wrong. Thanks,
@saidulsheikh-f3l 1 month ago
Need a new video with a live example. Please bro
@adithyakrishna_v 1 month ago
@saidulsheikh-f3l sure
@rashidyaseen6270 5 months ago
So did you earn something for this?
@adithyakrishna_v 4 months ago
No, at this stage it's an HTML injection. Still testing on the endpoint to find loopholes in the sanitization. This almost worked alert(1)</script> but script tag is actually properly HTML encoded. Most of the event handlers like onclick, onerror, onmouseover etc. are properly sanitized. But still attributes like , can be injected so there might be a loophole still, targeting the endpoint.
@FahadMuneer-d6c 2 months ago
@adithyakrishna_v Hey Aditya, I see a lot of guys rendering it not being the XSS but I think it is since we can redirect a user to another website that could be malicious. In other words it's open redirection through XSS because it resulted from the input we injected. Although it requires social engineering to work, it is a URL redirection through XSS. Plz elaborate if I'm wrong. Thanks,
@Dayanandhansubramani-rj6tc 4 months ago
Are you from Kerala? :)
@adithyakrishna_v 4 months ago
ya
@dummy9422 4 months ago
Video is pretty good. But can you please stop saying "see" so frequently? It's a little bit irritating
@adithyakrishna_v 4 months ago
sure😅
@STRhacker420 3 months ago
❤
@it070vijaysingh2 5 months ago
The XSS is from the PortSwigger lab 😂😂, don't make fools of people
@abdulx01 5 months ago
😅
@adithyakrishna_v 5 months ago
Let me explain: XSS (Cross-Site Scripting) allows attackers to inject malicious scripts into web pages viewed by other users. In this case, I was able to inject a complete tag along with its attributes, including an unsanitized target attribute, which was not properly filtered. It should have been considered as text. This is my payload: bug This payload demonstrates a combination attack rather than a direct XSS attack. The primary attack vector here is the misuse of the target attribute, which the application did not properly sanitize. This method reveals a potential vulnerability in handling the target attribute. Regular users can be tricked into following the link to an external site, exploiting the credibility of a legitimate site like Udemy to execute the attack. Ideally, a site like Udemy should not have a vulnerability like this. The goal was to highlight the issues in Udemy's input sanitization, demonstrate how it could be bypassed, and identify the type of sanitization used by a particular website. However, I acknowledge that a more direct approach would have been more effective in emphasizing the XSS vulnerability. Thank you for your feedback, and I am committed to improving my methods.
@abdulx01 5 months ago
@adithyakrishna_v This type is called self-XSS. If you increase the impact then this could be valid. Your payload got fired on another domain.
@adithyakrishna_v 5 months ago
@abdulx01 Let me explain: It is an indirect or Cross-Context XSS and not Self-XSS. Cross-Context XSS involves using a trusted site (Udemy) to inject a payload that redirects and executes on another site. The primary vulnerability here is the lack of proper attribute sanitization by Udemy, allowing the crafting of such a payload. In self-XSS, the attacker tricks the user into executing malicious scripts in their own browser. Typically, this involves convincing the user to paste malicious code into the browser’s console or into a form on a trusted website.
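A defender-side sketch of the fix this thread keeps circling: treat submitted markup as text and re-emit only an allowlist, so a link's `target` and event-handler attributes never reach the page. This is an added example, not code from the video or from Udemy; the tag allowlist, the `rel` value and the names `sanitize` and `safe_href` are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"a", "b", "i", "em", "strong"}  # assumed formatting policy

def safe_href(value):
    """Return value only for absolute http(s) URLs, otherwise an inert '#'."""
    value = (value or "").strip()
    try:
        scheme = urlsplit(value).scheme.lower()
    except ValueError:  # e.g. malformed IPv6 host
        return "#"
    return value if scheme in ("http", "https") else "#"

class AllowlistSanitizer(HTMLParser):  # allowlisted tags kept bare; all else text
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(self.get_starttag_text()))  # shown as text
            return
        extra = ""
        if tag == "a":  # keep a vetted href only; target, on*, style are dropped
            href = escape(safe_href(dict(attrs).get("href")), quote=True)
            extra = f' href="{href}" rel="noopener noreferrer nofollow"'
        self.out.append(f"<{tag}{extra}>")
        self.open.append(tag)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            self.out.append(escape(f"</{tag}>"))
        elif tag in self.open:  # close everything up to the matching open tag
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out) + "".join(f"</{t}>" for t in reversed(parser.open))
```

Calling `sanitize()` on a constructed input such as `<a href="https://example.org/x" target="_blank" onclick="x()">bug</a>` returns the link with only the vetted `href` and the fixed `rel`.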
@The_ancestor_of_Mars_humans 4 months ago
@adithyakrishna_v At least use ChatGPT properly, bro
@_sigma001 1 month ago
Bro, you seem to be Indian, so why are you speaking in English? The English are already ahead; now let us do it