I found everything except the xss, but still enjoyed the challenge. Great work :)

I love these videos, especially as I am working on a web service myself. I honestly wouldn't have thought of a lot of the string that were pulled at in this exploit researching project, meaning I could've left myself open to these exact issues. The best way to ensure the projects I make are more secure, is learn how other projects are broken into, and learn from those attacks.

12:47 Pro tip: You can just write alert(1) - it's much shorter! ...just kidding :P

Absolute beauty! Thank you for putting this into a CTF.

What was the difficulty of this challenge, compared to the other challenges from CSCG 2021?

Perfect, I really enjoyed it :) It's always great if you find some vulnerabilities in the working context that result in a CTF challenge :D

I didn't try solving this (I haven't done CTF I just watch these for education as a developer who makes bugs rather than finds/exploits them), but based on this run-through it seems pretty hard. But yeah, it's nice to see this stuff just in case I write something where I need to pay more attention to security.

I really enjoyed this challenge! (SPOILERS / alternative solution ahead) . . . . . As an alternative to the OCR + timing, you can use the Chrome DevTools protocol to create a separate page (+ browser context) that outlives the screenshot page, which avoids the need for timing. From that separate page, you can use the DevTools protocol to listen to new pages being created in the browser, and use the trick you mention in the video to redirect to a URL that triggers the XSS. You might wonder how you connect to the API in the first place without needing to rely on one of the screenshot pages being alive (to avoid depending on the timing): it turns out you can connect to the "browser" rather than a "page" by using the WebSockets URL returned by /json/version, which is stable throughout the session.

Very nice! I had a feeling the 10 second timer would be a vulnerability, as well as the "startswith" bit. I don't know anything about docker or webdev in general, but this taught me a good bit! At least I don't have to worry about these kinds of vulnerabilities as a simple EE firmware developer for offline embedded systems 😅

I found 4 of the vulnerabilities but I was unable to puzzle them together into a successful attack. Thank you for showing it to us!

My brain autocompleted trailing slash after domain name so I didn't noticed the vulnerability there.

Haven't tried the challenge yet, but it reminds me very much of an exploit I found in the wild involving an HTML to PDF conversion library. By using XSS'ed s in the HTML content to be converted, I was able to hijack the headless browser process to fetch any local file I wanted via the file:// protocol. With this, I was able to dump the web.config contents into the output PDF file. Wouldn't this be possible here? Like, host a page with an that points to the absolute path of the flag.txt file on the victim box and use the @ trick to point the screenshot to your hosted URL. When the screenshot is returned, if the headless browser process had access to view the requested file on the OS level, then you should see the contents of that file within the in the screenshot.

Or, like mentioned in the CSCG discord, the malicious webpage could simply use the WebSocket API, bypassing the error prone OCR step

scanning for those missing quotes might be one of the few valid reasons to use an SCA tool lol

so ultimately ctfs are hacking speedruns, how fast was the winner? and pretty interesting, its a bit difficult but ultimately the key here is the timing, that suspicion slowly arises as one investigates more and more...

I dont really get the point at the end, what information is sent to the backend server from xss.html? The flagger user and password?

It’s awesome thank you

How many points for this challenge? How long it took for you to come up with the solution for the original problem?

I don't understand that much about hacking, but this is still a very interesting video!

this was AWESOME - did not come close to solving it, found couple of issues but failed to figure out the ssrf part due to lack of knowledge. Tried it again after watching the video - still hard - but an awesome lesson.

I really liked this because of the whole timing stuff. Really neat! The close timing aspect of this hack really feels like the overly-complicated hacking in action movies. Also, it's a reminder that hacking isn't always as simple as just sending payloads or attacking vulnerabilities, it is real hands-on precise hacking!

Absolutely lit 🔥

Most of times when youtubers use phrases like "OMAGAWD KEEP WATCHING BECAUSE IN THE END THERE IS SOMEGTHING RIILLYY IMPORTANTW!" I feel the urge to close the video. But when LiveOverflow warns me 3 times to not keep watching and do the challenge ... I keep watching :D

If you try to log in with the correct username but the wrong password, it will create a new user with the same username and the password you entered. This was apparently not intentional, and is not useful because it never compares users by the username, always by the uuid.

Oh my gosh.... I wish I could give this 2 thumbs up. Good Job and this was a great learning tool for me. Wow.... I going to have to watch it again.

Every time a see videos like this I want to learn cybersecurity

Me and my friend were talking about making a Live Overflow style video and he said "we got to hire a german guy to do the accent" 😂😂😂

Interesting. I would have probably used my good old keyboard instead of OCR, and failed because I can't type fast enough.

I have no idea what's going on but he is a good story teller. Watched till the end

is there anyone else who got triggered because he didn't put a space after the colon? 😂

Thank you very much for the challenge. I could try by myself and got the flag :) That challenge gave me more confidence to try other challenges.

dude are you crazy or somthing ??? my eyes are burning ... white website / black screen

Im only 13 seconds in but Isnt that literally what the wayback machine does in worse?

This was really interesting! Vielen dank!

programming seems to be same as building houses of toothpicks and glue -

I'm watching this, acting like I'm understanding it xD

Having a metaphorical nosebleed trying to suck up as much as I can from this. Mad Respect. I feel like I'm mentally challenged when I try to follow your train of thought. People around me tell me they feel challenged trying to follow me... ... I have to wonder if other people around you makes YOU feel 'dumb/slow/ whatever you want to call it when you feel stupider than another human being and feel 'humbled' . ?? ty

your new videos are so dark, I literally have to turn brightness up to 100% and drain my battery like crazy to see something… love them otherwise tho :)

Hi...i am an app reverser...if an app is written in java then i can reverse it to make the premium features purchased...but nowadays developers are using flutter and all the essential codes are stored in lib( .so format)...so can you upload some tutorials on lib??maybe a video with an app's lib??

I'm a bit confused. Your exploit relies on the fact that you can create a websocket and connect to this debug port. But that was only accessible after you altered the files to expose that port.

Do i need to Know about vlan for hacking?

I'm trying to learn cybersecurity, i know nothing at all but I'm glad I came across your video ... I'll try it , thanks man

imagine being the flagger user here lol you go to take a screenshot, and then suddenly there is (something from the xss) on your screen and you have no idea what happened

Why is the list.txt changing http to https? When in the pipeline does that occur, does anyone know? I love your videos man, please keep making more. React / vue ctf would be awesome if you're interested. I bet you know tons of tricks with hooks and stateful component apps.

SPOILERS BELOW! . . . . . I did see that startsWith with the http url, but instead of extending the URL, making cscg a subdomain or username, I was thinking of editing the hosts file to point cscg to a different ip address. That way you don't have to have or pay for a domain name. It would also make it possible to do this attack if the code had startsWith with a slash at the end, something that the URL extention won't be able to bypass.

who could explain me what he tried to exploit?

Very cool

In addition to the issue you highlighted with the template engine this really shows also why you should probably just be using uritools or your languages equivalent RFC 3986 library to parse information from URI's. Even then you probably still should never assume an external program will parse the URI exactly the same way, someone can probably craft a URI that will break one or both. But if you try to reinvent the wheel here breaking your implementation is likely to be rather trivial RFC 3986 implementation has a lot of edge cases making it deceptively easy to fall into one of the many pitfalls.

I'll probably test in the recess between YT watching and Python trainings someday. Good explanation, bro!

Va mama 😀

ERROR: The Compose file './docker-compose.yaml' is invalid because: Unsupported config option for services.admin: 'platform' Unsupported config option for services.chrome: 'platform' How to resolve the above error??

Cool video, and big thanks for adding full English captions to all your videos :)

cool challenge! unfortunately, I have no enough knowledge to solve)

Why he not making ctf like jhon & ippsec

Please, what's this vscode theme?

Hi , please restart IOT hacking series. Its a kind request

I just know that Scott Pilgrim is a master hacker

You must be one of the most wholesome persons out there, just love ya man

A video talking about the bug that you find in real world would be great a lot!

Instead of using OCR couldn't we have made a website which the headless browser would load and would have, in JavaScript, fetch /json/list and connect to the WS???

I wish i can do that challenge how do i learn those things ?

mostly this is made of python and i am quite pro in it

4:43 line 12 syntax error? -> missing )

I think it's ridiculous that the flask template allows xss like that. Looks like a terrible design decision

Thank you

Very informative and educational about a ctf you made, respect and thanks a lot

16:11 I love the irony of a page that only says "content"

I am a newbie. I understand nothing! 😒

Sleep is healthy .

Just a great species

This is powerful hacking

incredible

WOW 😯

Please can you make more videos like this ?

Amazing Thanks a lot for sharing and explaining

No CORS on that websocket?

I really like your presentation style, but as a casual watcher I sometimes feel that you gloss over crucial parts that would make your explanation easier to follow. Did I understand correctly that the browser taking the screenshot is screenshotting *its own* debug endpoint? Also at the very end, you're making the admin user's browser send the page it's showing which contains the flag that it added as a note (which you only mentioned in the beginning), to your server. Just mentioning these things explicitly would make your videos much easier to follow.

Cool challenge, especially since you need to check some of the code

Awesome!

Coole idee :)

Wow really slick! :)

wow one of the best videos so far

Nice

Okæy then

Top notch content! Learnt some new things :)

Jo war ne nette challenge :) hatte sie gelöst

Danke sehr : love you loF

how is it hard to understand a URL :D :D :D

So this is the level after oswe.

ok

This is a good one.

... my comment... gone :|

Deutsch?

next level explanations and visuals as ever dude! love the challenge, super creative and realistic and.. i probably would not have solved it 👀😅

I can hack Cookie Clicker (and no not just by using auto clicker) Btw dude, please use a different color background, I can nearly see you without having to set my screen to its brightest

Awesome

Live overflow: DO NOT USE ALERT FOR XSS Also live overflow: onload=alert(document.body)

nice, good job!

Wow

Amazing mate