Ikr, these sort of challenges are almost always about stealing the cookies... No idea how it went upto Recording mic xD Good video as usual anyways

Good catch, my Israeli friend. ;)

yA

It made my day 😂

1. No need to use any third parties proxy or that fancy shit, Firefox has all of it built in in network tools. You just need to find the post request in the left of the panel and click it, then clik on header in the right and send again. 2. I got the server to make a 500 by basically copying all of the string, so the cookie was content=content... This is typically an indication there are other vulnerabilities

I drink milk with toast and Nutella

Yeah I hope so

Yeah, it might be usefull for "organizing" all sorts of things ...

Yeah bro i also watched his video

Saaaaame

Currently writing similar thing for my team, turns out online collaborative environments are pretty hard to write (who knew)

Looks really insane

@@d3line I also hacked together a tool for my team for a CTF we just finished. Maybe you could consider using the collaboration tool they used called "codimd", coding it from scratch would be a nightmare 😭

8iter, Anime Piano Videos thanks for mentioning it! I wasn’t trying to build full-on collaborative editing, but this thing will be a nice addition;)

You can modify requests and responses live, and you can easily resend requests with modifications. Also, it works across all tabs

changing the request before sending it to the server so in this video he changed a content=... to content[x]=... made it much faster then go to networking copy the cmd/bash command and change it over there

@@MakerTim I mean is it really faster? I just copy as fetch and modify it...

In this case it doesn't really make a difference, because he only used the repeater function and only changed small parts in an already small request. But Burp has a lot more to offer and if you're unsure how big of a task you're looking at, it's at least not a bad habit to default to using it. In this video he's simply non-invasively querying an API, that's totally doable with just the browser's dev tools, that's true. For really small tasks that only need a handful of requests I'd do that too, but sometimes stuff takes longer than planned and copy-pasting gets tedious after a while and you start regretting not using a tool in the first place.

@@matzibeater Yea, that makes sense. Never done any "bigger" vulnerability testing, thanks for the info!

Oh wow after 3 minutes of the John Hammond linked video provided, I think I understand why frontend sanitization is good enough sometimes? This XSS attack basically only allows a client to attack his own computer. And any frontend sanitizer will allow that, but we don't care, cuz that's not an attack vector to anyone, really.

I think it has to do with the fact web server languages are not "designed to understand HTML" as a browser does, so it's more likely to miss something. Something along those lines IIRC.

@@Demonslay335 but after all it is possible to get to the server bypassing the user interface and then all sense of sanitizing on it is absent and there is a necessity of sanitizing on the server

@@krlst.5977 Aha, he actually did cover this topic last year, rewatching again myself: kzbin.info/www/bejne/oniahmacqrOqaaM

There are good tech talks on it from black hat. I think they call it polymorphic XSS or DOM based XXS or something like that.

@@krlst.5977 It's only necessary if you want to allow HTML in a post. If you do not allow any fancy shit, then the standard serverside encoding before output is enough. The problem though is, that many services now want to allow users to add both CSS and HTML to a post. That's when it gets dangerous because there are different executiuon contexts in the same piece of code, which needs different kinds of escaping. When you lock everything down then there is only one execution context, which is HTML and you can HTML encode the special chars on output that's enough.

Yes, but cannot modify the request I don't think

Because the browser will understand HTML differently than the server. If there is a difference, it can be exploited. Each browser might have small differences. How would the server know which differences there are?

@@LiveOverflow great question. I will have to ponder about this some more. But just intuitively, and first impression thought, it seems to me this kind of thing would be solved better on the server side, as if a request or package of data as it were, could be actually stripped of its non safe content on the server side entirely, and responded with only valid or white listed content, static HTML. Or what am I missing here? Because it seems to me, the insecurities lie squarely within the javascript domain and its inherent type-unsafety. And seeing as we have websockets today, data could be as dynamic as we ever could get it with javascript, but the server would act as some form of compiler receiving source code essentially and responding with the compiled data, ie HTML only, and having javascript only existing only as a very, very thin layer on the client side. Which is completely contrary to how webdevelopment works today.

Checkout the Google XSS video. Iirc I talk about this topic a bit more there

Nice!

wat

I spoke too soon, this is complicated. Still not sure why a frontend parser is good though! But now I know I need to learn why, instead of learn why people use them xD

I love that - The TJMike button, what I thought was the "check if you got the right attack to get the information" was really the feature y'all were attacking. Meta.

I wanna know SO bad! Why is it better to do sanitization on the frontend??

I have a problem with 8:01 - the server didn't expect a string it expected a sanitized string! Unless this was a real bug... (Which makes this video even COOLER than it already is)

There is a difference between sanitizing HTML and escaping any input. So if you simply want to have TEXT placed into the website, then yes, do the escaping before you place the content into the page. So this can be done in the backend (when your site renders the sites on the backend, for example in php). Or if you have something like REACT, then REACT will escape the text before rendering the page on the client. But if you are trying to have safe HTML (for example you want to allow , or allow but without event handlers like onerror), then you open a can of worms which I briefly mentioned here. But also go checkout my Google Search XSS video which goes into it a bit more. Every browser interprets HTML maybe slightly differently, so the backend cannot know how exactly the browser will interpret it. DOMPurify now uses the browser to render the HTML but without executing any javascript. This is an amazing trick, because now DOMPurify sees the HTML exactly how the browser parses the HTML. And then DOMPurify can go over it and remove any javascript. Thus it is better to do it in the client - because the backend could never exactly understand HTML how the browser does it.

Happy Cirno day! 🇵🇱

@@panel2844 thanks! ⑨

He also did a video: "CTF's are awesome"

Me too!

"easy" 😃 I also thinks it sounds fun and very interesting to find such exploits/holes, but I have no idea who they get the idea to get Cookies, get the microphone, my clipboard.... I host a couple of services on my server that are open to the public and I'm super paranoid that I'm doing something obviously stupid in terms of security, but I my "programming" skills are far beyond the scope of finig out bugs and exploits like that, basically I just blindly trust that the people making the software are competent and that I do not mess up the settings/implementations too much :) I try to keep most of my exposure down to simple ssh type of exposure, but I've tried my luck with php and Sqrl and honestly I just hope that the collection of copy pasted "tutorials" that I've edited together to fidtmy use aren't a big old light house of easy bounty for hackers :)

We are so proud of you

@@cold_ultra thanks ❤️

Nice, well done. I hope to beat you next time, i am not from India though. Do i still qualify for this challenge?