Script Gadgets! Google Docs XSS Vulnerability Walkthrough

142,874 views

LiveOverflow

Comments: 244
@reydion1648 4 years ago
other youtubers: "this video is sponsored by Raid Shadow Legends" LiveOverflow: "This video is sponsored by freaking google, showing bugs on their products!" what a legend
@sharkbeats1397 4 years ago
true legend indeed
@rakeshchowdhury202 4 years ago
He's a true legend, just like our today's sponsor Google. Privacy? With Google you can have no privacy. Forget it. You don't care us taking your nudes from your android do you? Why are we asking anyway. 😂😂😂😂😂😂
@_vsnwprintf_s_l 4 years ago
I got a RAID ad on this, so...
@rakeshchowdhury202 4 years ago
@@sabaundefined Just like our today's sponsor Raycon Shadow Legends. Use code Linus to get a discount
@arthurg5966 4 years ago
Watching normal YouTube videos : Chill and Relax Watching LiveOverflow videos : Concentrate and Take notes. Watch again to check if flow of thoughts was correct. Watch again to see if you understood everything properly.
@cwmd7651 4 years ago
Yeah I need to watch like 2 more times to understand everything lol
@fahmiirfan6923 4 years ago
So, true 😂
@soggybaguette8457 4 years ago
You know you've made it as a dev/techie when you get *google* themselves to sponsor a video
@metalpachuramon 4 years ago
This is very interesting! These vulnerabilities arise from a common pattern: factory pattern. In factory pattern, you address the problem of creation, where basically you use unchecked types like strings and use unchecked data like strings, or in this case json, and then use polymorphism to polymorphically continue the object life cycle, this allows you to have object type related if statements in a centralized manner. So, by not having a whitelist, you can call arbitrary constructors like hlc. The interesting part, is that implementing a whitelist falls into another pattern: abstract factory pattern, where you define an includes method that uses a string list. Because of how convoluted abstract factory pattern seems, programmers often choose the concrete factory pattern, because they rarely see a benefit over using abstract factory. The most interesting thing is, that you could even exploit other kinds of systems, like java-based systems, because they also use this string gadget for loading classes during execution time.
@lefteriseleftheriades7381 4 years ago
I could never understand the difference between a regular factory and an abstract factory, please help!
@wtwt8714 4 years ago
@@lefteriseleftheriades7381 Regular factory: create an object directly. Abstract factory: provide an abstract method to create IThing and let SomeConcreteFactory (inheriting the abstract factory) create ThingThatInheritsFromIThing. Using the abstract factory pattern you get one more indirection between code using IThing and code creating a concrete IThing.
@metalpachuramon 4 years ago
@@lefteriseleftheriades7381 look for "Uncle Bob factory pattern", he explains it in depth. The problem with factories is that statically you cannot know an object type beforehand, it's in runtime that through conditions you decide which object to use. When you add many seemingly related factories, as a dev it becomes difficult to know exactly which classes are being used on each of those factories, therefore in the abstract factory pattern you provide an abstract base class that the other factories have to derive from, this base class usually includes an abstract method called includes (or similar), by doing this you force derivative classes to implement it, which obligates them to use a list of strings to enumerate which classes are valid. This way, you provide some sort of type safety stated by lists of strings, that way whenever a factory receives an unexpected value, the includes method prevent you from creating an unexpected object by throwing an exception or something. In other words, this pattern is for devs to understand and for runtime guards, since the compiler can't statically figure this out and prompt an error. I hope this helps.
@k3daevin 4 years ago
The vulnerability comes from JavaScript.
@karserasl 4 years ago
@@k3daevin No, the vulnerability comes correctly as said, from the implementation of the factory pattern, using JS (but JS has nothing to do with this)
@anakinskywalkerrr 4 years ago
Sponsored by Google, "It's all Google security fault" video end. What a mad lad
@bryces8017 4 years ago
WHAT, google paid you, to talk about some guy who they paid to find bugs in their system, who they paid even more when he found a bug?
@dandogamer 4 years ago
Who paid a developer to introduce a bug and who paid another developer to fix said bug 😉
@misaalanshori 4 years ago
It's also an advertisement for Google even though it's technically talking about google negatively. It's kinda weird but I think google is trying to show that they listen to people reporting bugs and fix them, and also promoting their bug bounty system.
@RnVjayBZb3V0dWJl 4 years ago
Just because he is sponsored, it doesn't mean that he is getting paid ^^
@phagesuffersatgaming.3797 4 years ago
@@RnVjayBZb3V0dWJl sponsor= paid to advertise. Are you for real dude?
@couch9416 4 years ago
@@RnVjayBZb3V0dWJl sponsored literally means to get paid for it. Get a dictionary
@blackblather 4 years ago
Uses google ads: no one bats an eye Google actually sponsors the video: Holy shit
@pietrosanchez7484 4 years ago
This is some incredibly dense content for people learning development and cybersecurity. This helps us learn more about what more we could still learn about. I will always be grateful for all your inspiring and insightful content!
@kryvxde6950 4 years ago
google sponsoring, dammn you've gone long way. gg
@alexanderdell2623 4 years ago
That's cool, but where's referral link to google?
@rakeshchowdhury202 4 years ago
Next Video sponsored by Raycon Earbuds
@humanflybzzz4568 4 years ago
Wow, your channel has grown. I've been away from watching your vids for a while, so it's kinda amazing to see almost 500k subs on a tech channel that's not only about gaming rigs :) Love it , good work LiveOverflow
@jacobcollins934 4 years ago
Far out, imagine getting sponsored by google, that’s absolutely awesome. You know, sometimes I just binge watch this channel, and it never gets old. I’m super proud dude!
@ThatGamerBlue 4 years ago
Just enrolled in the college of XSS, wish me luck as a brand new copy paste machine :)
@sonofmars1337 4 years ago
i wish you luck and hope you ctrl-c ctrl-v your way to a bug bounty
@parabolicpanorama 4 years ago
Where did you start from? Which resources would you recommend?
@dingusbrule5756 4 years ago
@@parabolicpanorama Look into Burp Suite
@Folsets 4 years ago
God bless your fingers!
@vincent-thomas 2 years ago
You're fcked if your v key doesn't work
@jbmagination2 4 years ago
"It's all the Google security team's fault"
@兽Arufisu 4 years ago
bruh moment edit: how the table have turned(what i said in the live chat at the end)
@Vaaaaadim 4 years ago
Trust nobody(with security) not even yourself.
@keineahnung1919 4 years ago
didn't want to ruin the perfect 69 likes
@__________________________177 4 years ago
but you did it... you just did it... ;(
@4n1eu 4 years ago
Google paid him to say "f you" to their own security team
@0x-SHx 4 years ago
I just found this channel a few hours ago and I'm already in love with your work... You're feeding all my curiosities... Love your approach how you explain things...
@LostInAutism 4 years ago
When dynamic programming becomes too dynamic
@LugnutsK 4 years ago
“Dynamic programming” doesn't mean what you think it means
@andreidicu2882 4 years ago
@@chyza2012 like cpp with dynamic programming? u ok bro?
@DominicNweze 2 years ago
@@LugnutsK what's dynamic programming 🤔
@DominicNweze 2 years ago
@@andreidicu2882 what's dynamic programming
@LugnutsK 2 years ago
@@DominicNweze Dynamic programming is a misleading name for algorithms which break a problem into small recursive sub-problems and solves all the sub-problems in order to solve the overall problem.
@smithwillnot 4 years ago
I love this because it shows how complex development is. Basically this is main reason why I'm reluctant to change anything on complex project if it's not critical bug, and every change made feels like it'd require whole project to be tested again.
@iamskidrow 4 years ago
I'll pretend I understood Everything
@realENGY 4 years ago
I love that google is sponsoring you! Really cool to see your channel grow. :)
@cheaterman49 4 years ago
You know what this kind of intricate multi-step process reminds me of? Pokémon exploits. But you started covering that already so I'm sure there'll be more coming :-) Also, congrats in advance for your 500k subs, very much keeping the hacking spirit alive!
@soksamnang2150 4 years ago
I like the way he flamed Google's security team even though he is sponsored by Google :D
@steefant 4 years ago
rest assured that they will get roasted for this internally as long as they are employed there ;)
@pvic6959 4 years ago
knowing google, they would be flaming them too. Let's point out that this issue was SUPER buried. He explained it and I didn't understand so it's very likely no one even saw it happening until this guy somehow found this bug. google takes security super seriously so I'm more surprised the bug was fixed and CAME BACK. the engineers who let that happen are going to be in trouble lol
@LiveOverflow 4 years ago
The engineers are not at all in trouble. They interviewed with me :) this is totally normal and shouldn’t be shamed.
@pvic6959 4 years ago
@@LiveOverflow learning from mistakes is the best thing we can do!
@Wowthatsfail 4 years ago
Seeing since WE are googles security team, I don't think they care.
@dontaskme1625 4 years ago
awesome video, awesome that you did so detailed chapter markings and great that you're talking about how this bug got introduced in the first place (that part could have been even more detailed)
@RN-kl4kp 4 years ago
I always thought wait for ur videos .. They are fun and very much self explanatory 😊 Thanks mate for all this contribution you are doing towards the community .
@iyxan23 4 years ago
I've never seen someone sponsored by Google before
@G0NZA11 4 years ago
I love these insights, it shows you that they are experts but not perfects, everybody needs a team
@bernardosulzbach 4 years ago
What a great video. Oddly good for a sponsored one!
@cannuhlar8229 4 years ago
This is actually awesome content. Both listening from the implementers and the pentester is an amazing opportunity.
@blenderpanzi 4 years ago
That's a huge list of best practice violations:
* Don't let a parameter specify an arbitrary function, use known values from a hashtable/switch statement instead
* Don't let a postMessage pass a script url, just tell the page "do thing A" and it then knows what to do
* Don't accept postMessages from arbitrary origins
* Disallow arbitrary script sources using CSP

If any of these would have been done the vulnerability would not exist. There might be reasons why you want 2 and 4, but at least 1 and 3 should definitely be done. Edit: Hadn't finished watching the video. Why there even is a function that executes an arbitrary JavaScript from a URL was explained.
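
Points 1 and 3 of the comment above (a fixed set of constructors instead of a name taken from the message, and a check on the postMessage origin), as an added example that is not part of the original comment and not Google's code. `Chart`, `ScriptLoader`, `registry` and the `.example` origins are hypothetical; `ScriptLoader` stands in for a script-loading gadget such as the `hlc` class discussed in the thread.

```javascript
'use strict';
// Added example. Chart, ScriptLoader, registry and the origins are hypothetical.

const loadedScripts = []; // URLs a real page would have fetched and executed

class Chart {
  constructor(title) { this.title = String(title); }
}

// Stand-in for a script gadget: fine when trusted code calls it, dangerous when
// a message can reach it, because it loads a script from any URL it is given.
class ScriptLoader {
  constructor(url) { loadedScripts.push(url); }
}

// Every constructor reachable by name, including ones never meant for messages.
const registry = { Chart, ScriptLoader };

// Unsafe pattern: the message names the constructor, the sender is not checked.
function unsafeDispatch(event) {
  const msg = JSON.parse(event.data);
  return new registry[msg.ctor](...msg.args);
}

// Hardened: exact-match origin allowlist and an explicit name -> factory map.
// A Map has no inherited keys, so "constructor" or "__proto__" resolve to nothing.
const TRUSTED_ORIGINS = new Set(['https://docs.example']);
const ALLOWED = new Map([
  ['Chart', (args) => new Chart(args[0])],
]);

function safeDispatch(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: 'untrusted origin' };
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch {
    return { ok: false, reason: 'bad json' };
  }
  if (msg === null || typeof msg !== 'object' || !Array.isArray(msg.args)) {
    return { ok: false, reason: 'bad shape' };
  }
  const factory = typeof msg.ctor === 'string' ? ALLOWED.get(msg.ctor) : undefined;
  if (!factory) {
    return { ok: false, reason: 'constructor not allowed' };
  }
  return { ok: true, value: factory(msg.args) };
}

// Constructed sample events, shaped like the MessageEvent a postMessage delivers.
function runDemo() {
  const gadget = JSON.stringify({ ctor: 'ScriptLoader', args: ['https://other.example/x.js'] });
  const outsider = { origin: 'https://other.example', data: gadget };
  const insider = { origin: 'https://docs.example', data: gadget };
  const chart = { origin: 'https://docs.example', data: JSON.stringify({ ctor: 'Chart', args: ['Q3'] }) };
  unsafeDispatch(outsider); // reaches ScriptLoader: one URL recorded
  return {
    loadedByUnsafe: loadedScripts.length,
    outsider: safeDispatch(outsider).reason,
    insiderGadget: safeDispatch(insider).reason,
    chart: safeDispatch(chart).value.title,
  };
}

console.log(runDemo());
```

The two checks are independent: the origin check rejects the foreign sender, and the allowlist still refuses `ScriptLoader` when the same message arrives from a trusted origin.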
@TechTips-zf4pj 4 years ago
thanks to this video, it cleared up some of my doubts about cybersecurity being replaced by AI in the near future.
@권현준-o1k 4 years ago
Wow... that's amazing... And that was a perfect explanation. Thank you for your video!
@mrappu2884 4 years ago
going to be 500k ..congrats @LiveOverflow
4 years ago
another google sponsored google product bug video. man, they're in the right direction. Love LiveOverflow!
@secureitmania 4 years ago
Eagerly waiting to see😍
@myhackertech 4 years ago
It is interesting to know that Google sponsored it ! I wonder if this XSS was exploited in the wild
@bls7879 4 years ago
6:16 Subtitle: "He knows that Jesus is a Javascript library". Okey
@bitrr3482 4 years ago
CarbonCopy yeah! Just use Jesus.convert(water, wine)
@bitrr3482 4 years ago
CarbonCopy That returns the now wine
@squirrel1620 4 years ago
Awesome! Love the in depth.. and that's my world, ECMAScript. In this world we rely on the closures and scope for security 😏
@heisenberg5168 4 years ago
Absolutely great content! Super interesting video!!!
@Thmyris 4 years ago
Congratz on 500k subs, any time now
@cryptonative 4 years ago
lvl1: paid to secure google source
lvl2: paid to look at google source
lvl3: paid for finding bugs while paid to look at google source
lvl100: paid to make a video about google source bugs
lvl10000: paid to make a video about google source bugs by freaking google :p
@DragonStoneCreations 4 years ago
U r one of the best teachers out there ❤️
@ZombieBrine1309 4 years ago
Damn. Google sponsored a video on their own platform. That's a rare one!
@OMorningStar 4 years ago
Paused at 3:13 to see if I understand the code, I think hlc creates an object that captures a port, url, and data as an array. Then it creates a function inside that object to stringify the message. Finally it creates a script tag and appends it along with a url.
@ASHStudios 4 years ago
so it's all google security team's fault xD
@driziiD 4 years ago
pretty sophisticated programming concepts discussed here. would be impressed if civilians could grok this one.
@LemonChieff 4 years ago
Sponsored by Google? You officially won the internet. Also:
@Sky_Shaymin 4 years ago
At first I was gonna say this feels like one of the many advantages of strongly typed languages. You would have to be explicit about what types of classes can be instantiated there. In the end, it was a lack of regression testing! They had strict checks but accidentally removed them. Really great video!
@alice-smith 4 years ago
Congrats for the sponsor!
@1008OH 4 years ago
So you got sponsored by google? Damn that's some serious drip
@amaan5676 4 years ago
hi i learn a lot from u
@ijwarren170 4 years ago
This is why companies like Google, Apple, Microsoft and many others stay in business. They acknowledge that everything is vulnerable and are open to fixing them. Vice, many startups who try and punish those who exploit them, or Twitter, who makes no effort in securing their systems. Things could be better, but getting better starts with this mentality.
@paxdriver 4 years ago
It is so dope to see cooperation and capitalism working and outputting free educational videos afterwards. This is a shining example of how we should behave in society lol
@missingno6618 4 years ago
Great video man! Also, can you do a video with Ezequiel Pereira? His vulns are super awesome.
@raqha4575 4 years ago
WOT THE FUCK, I was thinking ok, this will probably be interesting, but no, just sponsored by google and an absolutely informative video
@Janos0206 4 years ago
Awesome! Very inspiring
@barefeg 4 years ago
Cool content keep it coming
@jeromej.1992 4 years ago
So, if a method is executing sensitive actions, it should embed the security check call? Does it really only apply to languages or should it be considered in other languages as well? (say c#)
@whistletoe 4 years ago
dude this is so cool
@ariseyhun2085 4 years ago
Congratulations on another sponsor by Google. This video was great too, but the midroll ads really ruined it for me and I could not get through it enjoyably. Would be great if you can make these videos without midroll ads when you get a sponsor.
@LiveOverflow 4 years ago
Use adblock. Also pls read the latest news on midroll ad changes by YouTube
@innocentRoot 4 years ago
Very interesting
@Mitsunee_ 4 years ago
Why does this video end up feeling like TOP 5 TIMES the Google SECURITY Team Got GIT BLAMED
@Konstantin-qk6hv 4 years ago
Nice interview
@sccp1997 4 years ago
*Sponsored by Google to talk about Google Security's team fault.*
@ostanin_vadym 4 years ago
Thank you for content
@chadsoftwarefreedom65 4 years ago
awesome
@Nossody 4 years ago
SPONSORED BY GOOGLE? we're out here bois
@berndeckenfels 4 years ago
Btw I think recognizing the unsafe Gadget function would be in the realm of automated tools
@TheMrKeksLp 4 years ago
Oh boy, taking a user specified string without any validation and calling a function with that name really wasn't the finest implementation tbh. How did they NOT expect someone to exploit that?
@threeMetreJim 4 years ago
You can use Google chrome browser to read minified code, just click the {} for pretty print... All of the hacking I've done, I've used this. First in the Opera browser, and then using Chrome dev tools. I found several vulnerabilities in sites that way. With a bit of practice it's not very difficult to follow obfuscated code, especially when you can set breakpoints and skip through it. Everything I've reported got fixed, with nothing but a 'thanks' and not a bounty in sight (apart from Facebook's $500)... Now I can't be bothered reporting bugs or vulnerabilities, sometimes they'll be exploited for fun, but that is it.
@iamjoris 4 years ago
As always, nice explanation! Why would you say this problem could never be found by an automated check? I'd argue that instantiating an object from a string is always a bad idea. It may be quite normal to do in Javascript, but that does not make it a good idea. It feels comparable to manually changing the instruction pointer based on some input. Yes, this can be powerful, but why the heck would you? I'd say creating a static mapping between strings and classes is definitely worth the effort. For example, Google's own language Go does not allow you to do anything like this without getting into the (literally called) unsafe package (if it's even possible with that). So to conclude: why not just disallow using a string for instantiating an object altogether. I use Javascript only limited professionally, so I'd love someone to tell me why this is not feasible/not applied in practice :-]
@arisweedler4703 4 years ago
The malicious spreadsheet attack... this is why it's unsafe for even clients to be able to attack themselves!! The attacker gets to be the client sometimes.
@FurriousFox 4 years ago
amazing videos! can you add a link to the bug report in the description?
@prashantsharma4846 4 years ago
How can I analyse obfuscated javascript code? Any suggestions. It’s difficult to analyse a.b b.this like these codes
@madghostek3026 4 years ago
You can try downloading the page and run it offline, but that usually breaks the page, or you can use some kind of proxy to load your modified js file instead. Then you can add debug prints or dump objects for information easily
@roxrosa 4 years ago
I think we could automate this using Selenium. We could test it but it might we might have a lot of time developing the framework the google project. I might be wrong though haha
@bren.r 4 years ago
Idk why they’d think it would ever be a good idea to rely on a string to construct things. Shouldn’t you have an inherent hesitation to do such a thing? It’s like using eval. Same with accessing arrays of methods in obfuscated code by string properties. It’s actually crazy how many JS exploits you can take advantage of on most websites.
@0xcallmesenpai 4 years ago
I lost you after 0:01 ☹️
@valrina 4 years ago
Saying that this bug couldn't be found by any tool is not a statement I would make. I am pretty sure a GPT3 like transformer for this purpose could find not only this but much more bugs that we can't even possibly understand.
@TheNitroPython 4 years ago
Where did you find the step by step instructions originally for this cross site script vulnerability?
@LiveOverflow 4 years ago
If you understand how XSS works it’s just creativity to come up with it
@leozendo3500 4 years ago
Google sponsors. Good your channel is less likely to be demonetized.
@w1d3r75 4 years ago
Subscribed:)
@VerifyBot 4 years ago
Interesting!
@Sezdik 4 years ago
Are we sure that was a fault? maybe it was sitting there for some selected people to use..
@some1purple 4 years ago
I had a dream about a script execution exploit in Google sheets a few months ago.
@NicmeisteR 4 years ago
Please tell me what packet analyzer you're using??
@NicmeisteR 4 years ago
Took a lot of cross referencing and searching but found it if anyone wants it, called burp: portswigger.net/burp/documentation/desktop/tools/proxy/using
@ameisee4 4 years ago
+1 for "allowlist"
@RaceForMoney 4 years ago
5:27 RUSSIAN DETECTED!
@amyshaw893 4 years ago
Am I misunderstanding something? I don't see the issue here. you create a google doc, then modify it so that when you embed it, and tell it to run javascript, it runs javascript. Can't you just... run the javascript? If you have control over the embedding site like that, can't you just write your own javascript directly?
@KuromiAK 4 years ago
You are not supposed to be able to embed arbitrary JavaScript into embedded Google Doc. The embedded Google Doc has access to visitor's account which you shouldn't have access to. It is true that you can just embed any JavaScript. But it should only happen when the embedded content also comes from your website. XSS happens when you can embed code to other's website, which is accessed with a different set of credentials & cookies.
@ekemark224 4 years ago
this is good, but why would you add an hlc to the HTML???
@LiveOverflow 4 years ago
JSONP sandbox
@irok1 4 years ago
I was wondering whether anything like this would happen after looking into the scripting features about a year ago.
@HZStudio 4 years ago
Great ending
@ariss3304 4 years ago
Google: I see this is a win win.
@ziakader7530 4 years ago
How long did it take him to find
@liveon7400 4 years ago
It's reasonable because those security engineers are following the "best practice" and forgot to consult the developer!
@dichvuseo 4 years ago
Which software are you using in this video?
@raiwac 4 years ago
Please help me How to bypass speed hack detection in game ?? 🙏🙏🙏♥️♥️♥️🙏🙏♥️♥️
@bap9394 4 years ago
Don't get cocky... Anyone can make security mistakes, even Google!
@RapiBurrito 4 years ago
wow, this bug has "you programmers were so preoccupied with whether or not they could, they didn't stop to think if they should" all over it.
@keanu_ 4 years ago
❤️
@kevinsanthosh3537 4 years ago
Fact: The guy(thefl0w) who discovered a kernel exploit for ps4 was paid 10,000$ by sony!
@samuel7998 4 years ago
Google must be about to fire all their security team.
@edukobaiashi6304 4 years ago
I loved this video, too bad his website is broken and you can't really read more about him
@aldobernaltvbernal8745 4 years ago
nice