hehe .. me not like use front end server thou

@@daruiraikage he meant almost everything in Javascript is an object.

"dont let the feminists see this" haha ... btw really cool work brother

So... everything in python is a cat ;)

I watched 2 of your videos and I realized how fucked we're gonna be when the world goes full digital.....

Totally agreed! This video earned him my sub. Interesting to watch his other videos.

This was a proof of concept. The real vulnerability shown is the property pollution and how it can be exploited in cases where user input isn't sanitized before being passed into library code that isn't safe. The proof of concept was just an example of what could happen in a specific case where Next.js and AMP was used, that would pass query parameters directly into the getServerSideProps through the unflatten function, as a way to run arbitrary code on the web server.

@@dealloc Thanks for the clarification. I Really appreciate it, but still I'm amazed of people who actually discover these exploits or vulnerabilities for the first time. How they think, how they do stuff amazes me.

@@hesh1700 inspiration from other vuln types, knowledge of building/coding stuff from scratch (you're a dev) and the time to sit around playing with things your interested (or are paid well) to research.

In the end, the attached HAS to pollute the code on the server for this to work.

Fun fact, you used to be able to overwrite undefined to a different value in JS... IIRC it was just window.undefined = true and suddenly everything breaks down

Happy holidays to you too :)

It scans for already known vulnerabilities. While there are ways to use somewhat scan for possible vulnerabilities with static analysis and checking for common flaws. But the best known solution is to check against a database of known vulnerabilities, that have been discovered and reported by people.

@@dealloc Hm well now I think of it, it should be pretty easy if you just look for outdated libraries which is dogwork for humans but very systematically approachable in some areas I think. This could for example be used in combination with the Log4jl REC exploit, where basically logging any user input in an outdated library is 'lethal'. What I also do know is that my friend actually tried InteliJ"s search to try to find a recent minecraft server crashing exploit. This exploit had been around for a few years in some, and is in the interest of some very hackerous communities. (shulker box dispenser world height exploit, 'hackerous communities' meaning 2b2t)

​@@gimmethedata4256 The issue is not so much to look up dependencies of libraries, that's easy. The hard part is finding the vulnerability in the original library or code where it originates. Any software the relies on code that has vulnerabilities will also inherit those vulnerabilities. But the severity depends on where and how it's used. So it doesn't mean that software that uses a library with vulnerabilities is itself vulnerable if the it's used in places that aren't exploitable. In the case of Log4Shell it is a severe vulnerability for any library and code that passes any user input, but not so much if it doesn't. This is sometimes a problem with automated systems as most of the results can be false positives, especially when scanning development-only environments. It adds a lot of noise and can hide the real threats that appear in code that interfaces with user and other external sources.

@@dealloc Yeah, but finding which things use the lib is already 20% of the most boring part of the work. I agree, it is rly hard to determine systematically whether or not something is an exploit, for therefore you first need to define what user input is. I agree that is really hard. Ig everything that goes through netty can be regarded as 'user input', but there I bet there are tons of ways to connect to netty so that is already a problem. Then you have also got libraries on top of the netty stuff ... then you need some algorithm to follow the stack trace of the user input and 'understand' a lot of internal functions, and how they change the user input. It is also kinda tricky to determine whether or not something is an exploit, I mean for RCE it should be pretty easy, but for teleportation exploits in game it is hard. But hey, even if you find 1% of the exploits systematically, then that is still an absolute win. I mean it is really 1% * times a thousand projects times 10 hidden exploits per project ... That's still a 100 exploits. So therefore I think you should focus on the easily systematically detectable exploits. Would you wanna collaborate on something like that? hobrin#4694

Addendum: I agree that in this case, the root cause is not the framework itself. However, it is a contributor to the issue and the CDN simply being compromised is another very possible and very unnecessary attack vector that using it adds to your application.

@@cybroxde Yeah, it looks quite insane to me to yolo-execute arbitrary code from a URL without verifying it via their public key with asymmetric cryptography. But AMP is evil anyways, so not too surprised they also added backdoors to servers that comply with them

yesAdmin = 'is';

technically yes, just not the same type of object, but they all have common superclass

@@vanjazed7021 no, seriously. The fact that you can invoke methods on a string literal does not mean that strings are objects, it's merely a convenience mechanism. Strings are passed by value and their "typeof" is not object, so they really are primitive (just like numbers, bools, undefined and null)

Check the description :)

Haha good eye. The video isn't supposed to be out this soon XD.

@@PwnFunction haha oops

gg

gg

Same kind of stuff happens in python and Php. Take a look at either language’ eval function. You should only ever use these kind of functions if you are 100% sure what you are doing is safe, but mostly this is mission impossible

how did you know 👀

@@PwnFunction you've been pwned

Before C++ was called C++, it was called "C with classes". The classes were a minor enhancement over structures.

The base "Object" is always global.

nc

I'm guessing the unflatten function itself does something to the input that overrides the global Object's __prototype__. Don't even need to return the value

Thanks! I'll apply that next time. A bunch of people also told me the same thing. I appreciate the feedback.

@@PwnFunction I really appreciated and enjoyed how it was broken down and explained. Subscribed and liked as well!

Consider putting in timestamps so people who already know it can skip ahead easily and beginners can still watch the basic stuff

@@PwnFunction btw what colorscheme you're using in vscode in this video, sir? mine is the default and not really that colorful...

This was heavily used for something called polyfills. Basically, if the browser doesn’t support a JS feature (or its implementation is buggy) you can conditionally add it to the language yourself. It’s used a lot less in modern code supporting modern clients. It’s also pretty useless for business logic. It was great for JavaScript because the number of runtimes that many projects supported. This would be a lot less useful in a compiled language because you know the compiler you’re targeting and the features it supports.