This is gold, I'm glad this was randomly recommended to me

I’m definitely not infosec, your videos attract people and you are definitely a special channel for being able to pull anyone into the topic

Developer here, your video was randomly recommended to me, and while I'm familiar with many injection-type attacks, I hadn't actually seen this one before. Thanks for the info, that was really interesting.

You actually made me realise that my Express app is insecure in the context I woudn't have even think of. I was explicitly assuming all parameters would be as strings, not arrays. Fortunately it's nothing severe and it doesn't crash the server, it just throws 500 anyways but it's good to be aware. :)

This is great content, you'll go places.

PHP backend dev here, info sec only as hobby. Thank you so much for this. You've gained a loyal subscriber.

Another interesting angle I only recently learned of about messing with query parameters is that (at least in PHP) ending a parameter with square brackets (like &quote[]=cats ) will cause the type of $_GET['quote'] (without the brackets) to no longer be a scalar string but rather an array, which can also mess logic up if not properly checked/handled.

Dev here. This was recommended at random, and it's spot on. You have a knack to teach things, which is not the most common thing! Pace, focus, depth... I've subscribed to your channel. Keep it up.

This really is an amazing video dude, please do not stop creating content

Lesson: If you’re not escaping output and casting/coercing data on input then you’re doing it wrong. i.e. Always escape content to the correct encoding when outputting (e.g. escape HTML entities when output to HTML, encode URL/URI entities when intended for a URI parameter, etc). Also, always force the type when taking input and also perform some basic validation. E.g. if it’s a string, cast it to a string, validate it and/or compare it to a set of known possible values and so on (that’s just a limited example). Basically…. Treat ALL input as hostile.

im a dev and i watch ur videos.. was not shared by a infosec friend, but rather i subscribe to infosec to keep myself on my toes.

As a developer, I'm always looking to learn new stuff. Cheers for adding another bit of info to my life. Subbed!

Recently got a project where I need to consider this kinda thing, so glad you came up in my recommended

One of the finest content I have ever found on KZbin. Please don't stop making videos. I will patron you.

You explain it so well. Don't stop creating content! InfoSec Community loves you!

"Parse, don't validate." This is why it's so important to coerce requests into structured data where invariants are enforced, rather than manually checking for bad behavior.

I'm not InfoSec, but the way you explain is really clearly and I love it. Keep going sir!

I love the subtle Matrix reference with the names.

Not in the infosec community but still in uni (gonna do software dev after), really helpful video for when doing critical work to keep these things in mind, thank you

Keep it up! Great content, I wd say the best content for me on sec-field so far!

I coded a few rudimentary webservers from scratch and in one where I used query parameters, I came across the conundrum of how to address multiple matches, among other syntactic oddities. Interesting to see that this question can be highly significant.

Great videos! You are a natural at explaining the topics in an easy to understand manner and at a perfect pace. The Hacker101 videos are nice, but they go way too fast and not enough depth. You doing this perfectly! You might consider redoing their videos in a new series breaking them down into smaller chunks. Great work, please keep them coming. You might setup a patreon as well. I’d glad support you financially

I work for a team that's vaguely in the infosec world, but actually am a fullstack web dev, so your message hit its mark.

You can tell the effort put into this video was not a small amount. Really good job, made it easy to understand fully

Nice overview of a simple CSRF attack. This form of attack is marked on the top 25 most dangerous software weaknesses in 2020. It is also an easy attack to resolve.

Definitely something I will search for in the web applications I am developing at work! Thanks for the great content!

Web developer trying to get better. You came up recommended after a Nextjs Auth with Firebase tutorital and have been binging. Love the content and looking forward to making my applications more secure. Thank You!

Great explanation bruh ....... keep making such videos !!! Love from INDIA, Mumbai :)

Great content. Made me understand it. Here before 100k!

The algorithm has blessed me with this video

I feel like the default behavior of a web framework should be to throw an error in this case, and force you to specify which behavior you want if you really need it.

The best youtuber award goes to @PwnFunction You are awssome keep doing this type of content

Excellent! Infosec here for sure, but I will be sharing this with my developers.

you make a small website for every video? that definetly earned my sub !

I work with bare-metal hardware programming, I don't do anything with high-level stuff like HTTP or PHP or what-have-you. My programming is almost all Assembly or C for microcontrollers. This is still very interesting and good stuff. Thanks to KZbin for the recommendation!

First time here you really did a great job in this tutorial. Thanks for this

now this is the type of content I'm looking for !! great job

explaination is clean, easy to understand and enjoyable.

This is really awesome 😎... I love your videos ❤️❤️

As an entry-level backend developer, I didn't know about this attack. Thanks

10:17 nowdays developers are more aware. Even in my studies they teach me how to prevent direct parameter passing with SQL by using placeholder variables instead. This way SQL injection might be prevented. There are countless other methods developers can work around this, it's just an example. It doesn't take away the fact that a lot of old bricks (websites that made the web exist in the end) of the internet still contain a massive amount of errors when these things weren't as clear yet in the time the internet rose up.

Awesome Video :) I was quite confused with HPP attack. Please make more videos like this on XXE, SSRF :D

I am a developer, and your vids are watched by devs too

Awesome video like always:). Keep em coming!

Man I swear you're brilliant

Sick video, keep up the good work!

This is amazing content! subscribed

Another great video! Please keep them coming..

Awesome Content! Keep doing it man!

Amazing... I am impressed .. Keep'em coming..

i realy understand in one go .. THANKS man!..great content

That tip from John @2:00 cracks me :)

Reminds me of the time I was messing with the q and oq parameters in both query and hash string in Google, and got a infinitely reloading page that also occasionally flashed code at me. Checked back the next week and it didn't work anymore, guess they noticed :p

Nice vid, keep up the good work!:)

Subscribed! ...Useful and interesting and intelligent content!!

Yo this content is so lit! Love it

I love the way you explain bro.....specially..those sketchy diagrams. Make more videos bro.

I'm a developer and ethical hacker, so I gain quite a bit from this 😄

really good video, so clear and make sense

Hold on a sec, the backend only take from the request the "to" and "amount" parameters, if "from" parameter passed with the request it will ignored, because the back-end will generate the form parameter from the session and will not take it from the request parameters it will only look for "to" and "amount" parameters which can change from the UI anyway. unless the backend-developer decide that if a "from" parameter passed with the request then take it and use (which means logical thinking problem and problem and he will use it to steal the company money)

Wow i am so glad i got this channel suggested gj

I'm glad it got into my recommended

Dev here 👋🏻 i‘ll keep this in mind, thank you

Great explanation; didn't know about this! One small thing: "parameter" is pronounced as paRAmeter, not paraMEter. Just a heads-up in case you're asked to present it at a conference :-)

Dude you got a sub for life. You just said, exactly what nobody else on this platform has even eluded to what you just said. Im not much of a compliment giver, but .... holy shit, thank you so very much. my brain clicked so fucking hard right there that i think imma med an EEG before Tues.. lol

Very underrated channel

Sensetive info like this is usually sent as POST requests. Also, in well designed APIs GET will only be used to get information.

I'm a developer. Thanks for letting me know about this vulnerability. At first, I thought who cares, but it is important to have a standard.

I will definitely watch out for this attack in my Flask app, thanks!!

Nice simple thing, well explained

Amazing video, subbed

Loving this channel and expecting for future content

Hey your voice is splendid 💙 you didn't have to put up the apology :)

Lit content man, amazing

This is the best video ever i have seen on web hacking beside liveoverflow videos. My concept was not good with HTTP Parameter Pollution attack but not after watch this video now in clearly understand about this attack. Please also write summary of video in last Also please make video on DOM Base XSS so that we understand clearly Thanks ,really a great job

I'm shit at coding and idk much about computer science but i love your videos anyways :'3

The algorithm just blessed you

Wow Amazing . So clear :) Thanks

This attack seems to be application specific. Query string parsing is an application level task not the job of the web server and can be done differently in any language, i.e. the application developer chooses how to interpret multiple duplicate keys. JSP + Tomcat does not return the first value, the developer chooses whether to use getParameter or getParameterValues. I'm sure it is the same with other cases.

Wonderfully explained! Thank you!

Thenk you for giving me inspiration that I can be developer. Instant sub.

pretty cool intro mate, thanks for sharing

really great content. good luck sir .

I think all search terms are considered in search engines like yahoo and google. They then do some query filtering and boolean retrieval to obtain results instead of choosing one query term over the other. If you search for “Apple mango” on a search engine, it would retrieve results that have “Apple AND mango”. In yahoo’s case it could’ve favored more results on Apple due to some relevance ranking.

plz never stop making videos

One contention. Just because a websites URL ends with say .php, that DOES NOT allow you to conclude that the backend or frontend uses php. In fact many frameworks allow you to complete customize what your urls look like. I can make a jsp website that has .html at the end of every endpoint for example.

Very good video, keep going !

Developer here - thank you :)

in regards to the question asked at the beginning of the video: as far as I'm concerned if I'm the backend developer you're getting a 400 error and nothing else

7:40 I'm not quite sure how this would work unless the backend is very poorly designed. If the from value is grabbed from the cookie and the backend somehow adds it as a from parameter to the beginning of the query params for some reason, then yeah. I can see the backend then working on the query string and getting the fake value. But wouldn't the backend just get the current user from the cookie and work on that as a separate value and throwaway all values it's not explicitly looking for? Either way I see this as a good example of what could be done but I can't imagine this example ever working in practice.

I have no idea how you don't have more subscribers. Super useful videos for anyone interested in CTF's and the vulnerabilities of the web in general, keep up the good shit dude.

WOAH! YOU'RE MY HERO

Your videos are wonderful. Thank you so much! I

Your contents are best

Concepts are cleared buddy :)

You even make the fake the voice, good job bro.

Awesome! Keep continuing

Hi! was "active in the scene" (lol) in the 00's, in french community (so at that time, about a year of delay from the wild wide worst) that topic was discussed way prior 08, so maybe it was a matter of having no paper released prior that time in zines or security research magazines.

Nice video! Thank you very much!! Also, I would like to know what tools do you use to make videos. It is drawing by hand or it is a kind of tool ?

Sometimes the YT algorithm actually recommends good videos