ok fine I’ll use alert(2)

It would have been funny for google to really alert 1 when you input alert(1) into search box

"Look into the chrome developer tools" *Opens firefox*

This channel has taught me so much

Funny thing is you're using a browser that shows the origin in the alert box regardless of message, so alert(1) is fine in those browsers. Though you do show the edge case where there is no origin (eg it's blank) the alert box title is different, so it's worth keeping that edge case in mind.

The reason we use alert is because of old browsers that didn't have such nice consoles. It was the easiest way to see something on screen. In fact I remember an old Microsoft site where I got a debug alert when I pressed some combination of buttons (by chance).

Why is there an “advertisement” mark at the top-right, and a mention of sponsorship by Google in the subtitles, but not in the video itself?

in the past, my reason for using alert was because it took the least amount of characters, where many forms that were being tested had character limits. also most things would check for eval specifically, however alert was often forgotten... hehe

Huh, never considered the bug bounty angle. From my experience with clients, issues in the components of a client's application were still very valid, and would often prompt further discussion and remediation across org boundaries, which I see as the ideal outcome. Good practice for XSS checks nonetheless, great video!

The more I watch you the more I find something new, interesting and worth my time. Thank you very much.

When you said Google at 6:37, you triggered my Google assistant. Too bad it interrupts the video otherwise you could open malicious web sites on the users behalf

One of those rare videos by you about which I can say that I knew most of the things you mentioned. But still, a great one as always! 👍

How do some people say "Good Video" or "Amazing Explanation"? The Video literally just released

Don’t use for security reasons. Uses for security reasons.

Chrome and Firefox both always display the origin domain in the alert, shown in the video for example at 3:41. I don't see the point of writing such a unnecessarily long payload, the video title seems a bit much clickbait, otherwise good explanation tho. alert(1) is still fine. btw: Opera and Vivaldi do it too, I guess all chromium based browsers.

I was working for a website and their filter of XSS has alert(1) in it

Different WAF'S Have diffrent responses to payloads some times destructuring the payload may work throw[onerror]=[alert],1

seems you accidentally left advertisements watermark in the top right corner for the video lol

Finally another masterpiece!

Very good , valuable and helpful information you are providing here. Thanks !

Use print() instead of alert() because browsers are disabling the alert() for cross-domain s.

But can i still deploy malware on the client machine via this xss? A bEEF hook could hook into the browser of the client. I would not call any xss a safe xss but i guess it is out of scope.

Amazing explanation

ok, I had to interrupt my lazy Saturday afternoon to actually learn something useful

Imagine getting a pop-up saying "2", that would be threatening

Your channel is pure gold. Thank you

Is there any practical difference between document.domain and window.origin for these purposes?

I'm new in bug hunting... I understand nothing but I watched this video

Thank you! This is good to bear in mind in future testing!

All your videos are my favorite. 💎 I really appreciate this one too 🙏

Ok thanks, ill use alert(2) instead

Very well explained! Thanks 👍

Thanks so much. You're doing great work. I would love more hunting videos. Very interesting

Very precious and important tips, thank you!

We use eval()

Great video as always

This is interesting! Cool video man!

For Pentesting you use alert(1) because you need to document everything that is vulnerable on a blackbox webapp. For bug bounty, however this will not work because of 'impact'.

man I believe in it I got a xss from an imortant web site thats belong to a very important organization that was pentested for 3 times 🤣🤣🤣

Excuse me my ignorance. What is the most dangerous thing you can do with that kind of attack? (xss) in Real life. I mean if I found a xss vuln the hacker just could catch my token/credentials by fishing? Or there is a other most power full attack. Excelente video and cheers from Argentina!

GREAT VIDEO! I never knew any of this.

Very Informative.............Keep it up

As usual 🔥🔥🔥🔥👌

Why is there an "advertisement" message in the top right corner ? Is it just a mistake ? Anyway, very instructive video ! (Like the others!)

Can I use alert(1337) ?

Are web workers another way of sandboxing potentially unsafe code?

Thank you for your suggestions on XSS! Your video is very good, so I want to translate it and share it on the Chinese video website (bilibili) in my free time. I will keep the introduction and title of your video consistent and declare the author, and I will not get any profit from it. Do you agree with this matter?

Wait, so I'm not allowed to name my Skyrim player this anymore? Darn.

Thank you so much 🙌🏻

which video editing tool you use to edit video

Very Beautiful Explanation :)

Very nice observation! keep it up!

That was great, very interesting video. Thank you

print(5)

Is this a new video-file format? the quality looks too compressed :|

Is it self or reflected XSS if I modify the response in BURP and it shows alert, but doesnt show in URL?

Why is it marked as a sponsored video? Did google sponsor this one?

Really nice clip. Thank you

We use alert because it predates chrome, firebug, and most useful 'consoles'

Cool, nice tut

Very informative video

destroying kids dreams under 12 minutes huahuahuahuahuahua

wonderful video Thanks @liveoverflow

me, who uses alert(): intensive sweating

I love this guy

For Chrome we can use print now

I use console.log or console.trace :)

dark mode intro pog

Superb video👌

Bro i have a suggestion.... can u please put a video on PEGASUS spyware...like I'm genuinely confused what is it and why news channels are milking it so much....is it a thing to be afraid of? I would love to see your perspective on this.... If not here maybe atleast in your other channel liveunderflow pls....?

I need help in APDU setup

Not all browsers support sandboxed s. Those browsers are vulnerable.

You make your videos really well. Amazing script, you speak clearly and enthusiastically, and you make cool graphics that are easy to understand and look nice in general, etc... The only thing I can complain about is that your IRL background looks kinda scary, like you are about to make an apology video or a documentary. It's not really a complaint but I though you could use the feedback. If you still have the breadboard pc you could make a counter and hang it in the background...or add some shelves or something. Unless you like the empty backdrop in which case ignore what I just said. Keep up the good work!

is this a recipe how to make user js safe?

5:02 Sorry Flash, f.

alert("You Are The Best")

alert(1)

I just realized I wasn’t subscribed. I fixed that.

Nice this video

4:22 But you are using the much better browser.... Firefox!

Use prompt(2) ?? :D

Advertisement, nice touch.

Why doesn't html just ignore scripts from the body?

thank you thank you....

Very interesting.

great info

Make a video on Pegasus Too..

alert("xss") -- a classic

Nice 👍

KZbin recommend me this and I don't understand a thing. Why youtube? Why?

damm super interesting :)

Good thing I use alert(2)

I generally just `alert(%27MyHandle%27)`

very cool

Please, work on you over all sound volume, each time i watch your channel have to wear a headset cus volume is too low compare to other channels. Thanks for your work!

Please try reverse engineering Synapse X. It will be a challenge for you

Michael Cera's cooler, more extraverted brother

Gold

Sir plese re upload how real hacking viedo sir you removed that viedo

And one more I have a came across a xss. But they aren't storing any information about user in cookies or localstorage. They are using completely stateless JSON web tokens and refresh token. When we are in certain endpoint then it will assign a in cookie using JWT. Best example using ( KEYCLOAK ). So I hosted a FORM to prove a attack possible in the domain.