Live Bug Boundy Hunting | Target: Udemy | HackerOne | Html injection

24,036 views

Comments: 58
@zedvn3792 4 months ago
It will not get Udemy cookies because XSS runs on the website you specify.
@mazzukmachu 4 months ago
But that XSS is not in Udemy; it is triggered in the lab?
@naveen1001 4 months ago
Bro, that was no real XSS.
@J-R105 2 months ago
Solid approach for XSS hunting since it can be tempting to skip straight to XSS without trying the HTML injection to XSS route. Did you modify your payload to show impact before submitting the bug report? Many companies will push back if your PoC just includes the alert() payload.
@Shhukoihee 4 months ago
Bro, that's a nice explanation. Can you make more videos on how to find other vulnerabilities too, with your approach on a real bug bounty target?
@adithyakrishna_v 4 months ago
sure 👍
@bugbouty 5 months ago
Bro, make a video about how to use sqlmap tamper scripts to bypass WAF.
@Shanky.. 3 months ago
Thanks brother, after seeing your video I also went to Udemy and started hunting, and in less than 20 mins I found a bug 🎉
@NicolasAlvesDias 3 months ago
What bug have you found? Can you please tell, and how? Please.
@Chronono 4 months ago
Bro, can you share where you submitted it and how the bounty was for the same?
@adithyakrishna_v 4 months ago
At this stage it's an HTML injection, so no bounty. Still testing on the endpoint to find loopholes in the sanitization. This almost worked: `<script>alert(1)</script>`, but the script tag is actually properly HTML encoded. Most of the event handlers like onclick, onerror, onmouseover etc. are properly sanitized. But still attributes like , can be injected so there might be a loophole still, targeting the endpoint.
@usrDev403 4 months ago
U won't get XSS on the main site.. u should try every parameter u see or try to fetch some hidden parameter.. then only u can.. but still everyone is hunting on it so bigger chance u get a dup.
@sairavuri5585 4 months ago
How much bounty did you gain?
@apranaya7782 3 months ago
Hey, I am a beginner in this field and have absolutely 0 knowledge. Can u tell me how to start bug bounty, its prerequisites, what to learn, and how much time it takes to learn in general? Plz read this comment, thx.
@adithyakrishna_v 3 months ago
@apranaya7782 Begin by learning how the web works, particularly web requests (POST, GET, PUT), as it forms the foundation of web security. Next, focus on one vulnerability, like Cross-Site Scripting (XSS), and learn everything about it. Practice using labs like PortSwigger's Web Security Academy to understand how it works. Once you're confident, create an account on platforms like Bugcrowd, HackerOne, or YesWeHack, and start with Vulnerability Disclosure Programs (VDPs) to gain experience. Pick a target and hunt for that specific vulnerability (e.g., XSS). After finding and reporting some bugs, move on to learning another vulnerability and apply both on your next target. The learning process takes time and dedication, but with consistent practice, you can start finding bugs within a few months. Keep pushing and growing!
@thenamehasbeenstolen4470 2 months ago
Just hack, watch videos, play with Burp fetched requests, read hacking articles on Medium or any online site, and play with the Kali Linux terminal.
@deepparasiya5641 4 months ago
One of the best to look for XSS. Thank you very much. Can you please share the resources that you used to build up this methodology?
@adithyakrishna_v 4 months ago
I didn't rely on any particular resources; I just practiced and refined my methodology over time.
@mahabaratam8908 4 months ago
@adithyakrishna_v Can you share that methodology?
@Robo747-n7l 5 months ago
Finally you have started showing your face, that's a good thing. English is not a big problem. Keep going 🎉🎉🎉
@mahabaratam8908 4 months ago
And also make a video on URL encoding XSS.
@LEOSTRIBE 1 month ago
It is simple HTML injection, not real XSS.
@anirudhe_s202 4 months ago
Suresh Gopi will take you away 😅 Nice video.
@adithyakrishna_v 4 months ago
😅
@abdulx01 5 months ago
Firstly, I was totally shocked to see your XSS on Udemy. 😅 Bro, first you need to learn XSS to teach us. Noob boi 😅
@adithyakrishna_v 5 months ago
Let me explain: XSS (Cross-Site Scripting) allows attackers to inject malicious scripts into web pages viewed by other users. In this case, I was able to inject a complete tag along with its attributes, including an unsanitized target attribute, which was not properly filtered. It should have been considered as text. This is my payload: bug This payload demonstrates a combination attack rather than a direct XSS attack. The primary attack vector here is the misuse of the target attribute, which the application did not properly sanitize. This method reveals a potential vulnerability in handling the target attribute. Regular users can be tricked into following the link to an external site, exploiting the credibility of a legitimate site like Udemy to execute the attack. Ideally, a site like Udemy should not have a vulnerability like this. The goal was to highlight the issues in Udemy's input sanitization, demonstrate how it could be bypassed, and identify the type of sanitization used by a particular website. However, I acknowledge that a more direct approach would have been more effective in emphasizing the XSS vulnerability. Thank you for your feedback, and I am committed to improving my methods.
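The thread describes a filter that encodes `<script>` and strips event handlers while other attributes such as target pass through. As an added example (not part of the thread and not Udemy's code), this is the allow-list alternative a defender would use: anything not explicitly permitted is encoded or dropped. The tag policy, function names and sample input are assumptions made for the illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: tags that may survive, and their attributes.
ALLOWED = {"a": {"href"}, "b": set(), "i": set(), "p": set()}
SAFE_SCHEMES = {"http", "https"}

def safe_href(value):
    """True only for absolute http(s) URLs; malformed URLs are rejected."""
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            # Unlisted tag: emit its source as text, never as markup.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # drops target, style, on* handlers, anything unlisted
            if name == "href" and not safe_href(value):
                continue  # drops javascript:, data: and scheme-less values
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer nofollow"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        closing = f"</{tag}>"
        self.out.append(closing if tag in ALLOWED else escape(closing))

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(fragment):
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

# Constructed sample input, not the payload from the video.
SAMPLE = '<a href="https://example.test/" target="_blank" onclick="go()">bug</a>'
```

Because the decision is made per attribute name against a fixed list, a new or unusual attribute is dropped by default instead of needing its own filter rule.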
@krrishogx 4 months ago
Same thinking, brother :)
@FahadMuneer-d6c 2 months ago
Hey Abdul, I see a lot of you guys rendering it not being the XSS, but I think it is, since we can redirect a user to another website that could be malicious. In other words, it's open redirection through XSS because it resulted from the input we injected. Although it requires social engineering to work, it is a URL redirection through XSS. Plz elaborate if I'm wrong. Thanks,
@saidulsheikh-f3l 1 month ago
Need a new video with a live example, please bro.
@adithyakrishna_v 1 month ago
@saidulsheikh-f3l sure
@rashidyaseen6270 5 months ago
So did you earn something for this?
@adithyakrishna_v 4 months ago
No, at this stage it's an HTML injection. Still testing on the endpoint to find loopholes in the sanitization. This almost worked: `<script>alert(1)</script>`, but the script tag is actually properly HTML encoded. Most of the event handlers like onclick, onerror, onmouseover etc. are properly sanitized. But still attributes like , can be injected so there might be a loophole still, targeting the endpoint.
@FahadMuneer-d6c 2 months ago
@adithyakrishna_v Hey Aditya, I see a lot of guys rendering it not being the XSS, but I think it is, since we can redirect a user to another website that could be malicious. In other words, it's open redirection through XSS because it resulted from the input we injected. Although it requires social engineering to work, it is a URL redirection through XSS. Plz elaborate if I'm wrong. Thanks,
@Dayanandhansubramani-rj6tc 4 months ago
Are you from Kerala? :)
@adithyakrishna_v 4 months ago
ya
@dummy9422 4 months ago
Video is pretty good. But can you please stop saying "see" so frequently? It's a little bit irritating.
@adithyakrishna_v 4 months ago
sure 😅
@STRhacker420 3 months ago
@it070vijaysingh2 5 months ago
The XSS is from the PortSwigger lab 😂😂, don't make fools of people.
@abdulx01 5 months ago
😅
@adithyakrishna_v 5 months ago
Let me explain: XSS (Cross-Site Scripting) allows attackers to inject malicious scripts into web pages viewed by other users. In this case, I was able to inject a complete tag along with its attributes, including an unsanitized target attribute, which was not properly filtered. It should have been considered as text. This is my payload: bug This payload demonstrates a combination attack rather than a direct XSS attack. The primary attack vector here is the misuse of the target attribute, which the application did not properly sanitize. This method reveals a potential vulnerability in handling the target attribute. Regular users can be tricked into following the link to an external site, exploiting the credibility of a legitimate site like Udemy to execute the attack. Ideally, a site like Udemy should not have a vulnerability like this. The goal was to highlight the issues in Udemy's input sanitization, demonstrate how it could be bypassed, and identify the type of sanitization used by a particular website. However, I acknowledge that a more direct approach would have been more effective in emphasizing the XSS vulnerability. Thank you for your feedback, and I am committed to improving my methods.
@abdulx01 5 months ago
@adithyakrishna_v This type is called self-XSS.. If you increase the impact then this could be valid. Your payload got fired on another domain.
@adithyakrishna_v 5 months ago
@abdulx01 Let me explain: It is an indirect or Cross-Context XSS and not Self-XSS. Cross-Context XSS involves using a trusted site (Udemy) to inject a payload that redirects and executes on another site. The primary vulnerability here is the lack of proper attribute sanitization by Udemy, allowing the crafting of such a payload. In self-XSS, the attacker tricks the user into executing malicious scripts in their own browser. Typically, this involves convincing the user to paste malicious code into the browser's console or into a form on a trusted website.
@The_ancestor_of_Mars_humans 4 months ago
@adithyakrishna_v At least use ChatGPT properly, bro.
@_sigma001 1 month ago
Bro, you seem to be Indian, so why are you speaking in English? English people are already ahead, now let us do it.
@faramon9213 4 months ago
Bro, make videos in Malayalam.
@adithyakrishna_v 4 months ago
kzbin.info/aero/PL2K366VwU2XEjLQf7er_dBYgUDA-gyqSb
@faramon9213 4 months ago
@adithyakrishna_v Do real-world bug bounty in Malayalam.
@nadhilan2187 4 months ago
Nice, do more videos. Add more tips while hunting.
@VulnVentures 2 months ago
@tinu-xskullx5780 4 months ago
NA
@z-root8955 4 months ago
Bruuh come on 😂 XSS on PortSwigger
@gg-mr4qr 3 months ago
Right bro, it's not Udemy.