I blame Tom Scott for this since he said that Google was fine in a video about XSS. He probably inspired people to try it.

Google: HEY HEY! STOP! Me: What? Google: 1

Amazing vulnerability! Loosely parsing html always seems silly to me. If browsers started being strict about displaying html, people would start being strict when writing it.

Unbelievable that Google had an XSS like that. Really interesting attack and great explanation, was really easy to understand. I hope Masato got a big bug bounty.

00:52 basics XSS 05:10 mutation XSS 05:35 Client-side sanitization, DOMPurifiy 07:47 masato, noscript element 10:38 DOM XSS

I got goosebumps when the alert(1) opened.

I think this is honestly, one of the best channels on KZbin. The time you put in to explain and share what you learn with us is GOLDEN! thanks dude. I'll support.

So, in conclusion: 1.) Sanitizing should be done on the client, because its hard to do on the the server. 2.) Woops!

With the second example with the invalid code, the browser was correct. tags are CDATA, meaning that the contents will never be interpreted as HTML. It also means they cannot be self closing. It is not because of parsers. With both examples, the browser is not being "weird". It is following the W3C spec, which states that scripts are CDATA, and that browsers must auto-close tags. BTW, great video!!!

This is brilliant, and the vid goes so deep and thorough on the topic. You really are the best security channel on YT.

Thankfully there is a javascript framework for everything :D

I always use regular expressions to parse HTML! :P

When you literally hacked Google and everyone else thinks it's just an April fool's joke. Achievement unlocked: Hacking Google.

What I like the most is that all videos are free to download offline on KZbin, thank you

Keep making websecurity videos keep up the good work

Every time i watch your videos i keep another mind as a spare, to replace the blown mind. thank you

He’s not the copypaste machine, he’s the one who makes the exploits Reference to your older video 🙃

Now this is scary how many sites use the template parser, which appears to be vulnerable

This video blows my mind in how it archives what happened - as it was happening!

2:53 neither html, head or body are required elements for valid html. in a minimalistic webpage, only the title element is required. Also, we're kinda talking here about code embedded into an already existing site, so the validity only comes down to "broken" tags and non escaped characters () inside an attribute.

LiveOverflow: "Google search is arguably the front page of the internet" Reddit: *sad noises*

holy f that debugger tip at 10:26 blew my mind! thanks!

New Facebook games may be an opportunity to hunt down bugs similar to this, they are quite often hurried through, especially the ones by smaller teams of programmers. I got one before, managed to insert html to play a KZbin video offscreen (for the sound effects). It actually got a laugh out of the programmers of the game before they fixed the issue - there were a ton of other bugs too, that I helped get removed before the game was attacked by someone else. No reward money though, but earned some kudos, none-the-less.

WOW i had to pause the video to actually understand something for the first time. VIDEO IS SO GOOOOOOOOOOD!!!

Anyone else who had their Google assistant Google JavaScript for you at 12:23 ?!

You race to the top of my favorite youtubers with videos like these...

i was looking at memes how i am here?

Thanks for keeping the Internet safe and us informed and entertained.

I did not understand a thing but I went along as watching you debug and hack is beautiful and enlightening.

having paused the video at 2:50 What the browser _should_ do, is saying: "Malformed document. Aborting execution." :P

I Love It! Your explanation is intuitive and easy. It is very helpful for studying!

masato did a great job..and you too by explaining the stuff behind the attack.

I don't understand anything but it's still sooooo interesting xD Gutes Video

Idk how I got here... Idk what's going on. I feel incredibly stupid.

Did you guys notice at 0:05, when @LiveOverflow puts quote it says "I put ' it gives bug" (a video by Liveoverflow, easter egg)

I thought this was impossible in google search. But this is amazing!!!

just test

HTML has reached a critical mass of bloat that there will always be a XSS vulnerability discovered every year.

search encrypt as an interesting approach to sanitizing their search requests.... it just takes out any < and > :D

Browsers should only parse strict and correct HTML.

Browsers should phase-out HTML correction. If a website requires inserting HTML tags, it should inform the user with some yellow bars at the top like the "prevented to open a window" message. There should be a config option to this like "notify", "ask", "reject", making the notify the default now, then after a year or two, making the "ask" the default, which should be as hard to click through as an invalid TLS cert. window. Really, pages without matching open/close tags and with syntactically bad javascripts are a major thing, errors should really be show up to the users, which will motivate companies to fix their annoying websites, then after a time it should not be allowed to work like nothing happened. No need to be as strict as certain required attribute missing or something semantically wrong trigger it, but if the structural syntax is broken, missing closing tag, closing braket, closing quote or so happens, it should not be rendered to the user at all.

wow. that's crazy! Thanks for explaining man and keep up the good work!

05:30 just parse html with parser library and escape attribute contents and texts and add closing tags and remove comments (do the fixing server-side) like:

Amazing. I said it because i don't know no more words =)

That is one historical mutated XSS example that will live on....

Is there any benefit of fixing invalid html code? I cannot find any. I think that pages should be blocked by browser.

This is a newly exploitable bug due to fixes for IE that were coded incorrectly, so it was never always possible, just a recent change that has been reverted.

One day I'll open a LiveOverflow video and suddenly a alert will pop up. One day some random user will make it.

i always use markdown to style text inputed by user

@7:16 It can't be a good sanitizer when there is image object in its template, no matter how good it's on attributes filtering. Strings are to be treated as strings.

Thank for such a great explanation. Keep Posting

"Google search is arguably the front page of the Internet" *reddit ceo is angry*

What blows my mind is the bounty he'll probably get on this. XSS in Google's home page is a no-no. Browsers are kind of those weird machines. So much going on.

Browsers should add support to new optional header, which would fully disable any DOM corrections - for companies like google it only produces problems.

i didn't understand anything but this is amazing

interesting exploit, it shows that even big companies can suffer from these things

Wait... I can get the point of needing styles in HTML emails, there one would need to have some HTML tags. But why did they not just escape any and all unsafe characters in the search bar - you know, replace "

wonderful explanation and great catch

I think there is also a problem with the browser reassembling the innerHTML property at 8:35 ... In the DOM view, the is clearly interpreted as attribute-text. However, when reassembled to innerHTML, the attribute-text is not encoded properly. While the DOM contains valid HTML, the reassembled innerHTML does not. I really think the browser should have encoded the attribute-text based on its interpretation of it as text, thus replacing with &lt;/&gt; within innerHTML and returning a valid HTML.

Oh my god! This was really amazing

0:05 *flackback* i try put ' it gives bug

Just escape the quotes and "greater than"/"less than" tags. Google doesn't need to parse HTML anyways.

ist Security Flag GmbH deine eigene Firma? aber cooles Video :D und habe ein Abo da gelassen!

On the one hand, I like that bugs like this exist, it warms my heart to see the extent of human ingenuity. On the other, I wonder how much could be fixed by something like , where anything semi-valid is proactively rejected.

This blows my mind

Can confirm that this also works on Firefox version: 66.0.2 (64-bit)

0:00 REDDIT WANTS TO KNOW YOUR LOCATION

How come the biggest tech companies still get these kind of errors?

It seems rather close to April first for something like this to happen

Hello, thank you for the very informative video, it was well explained, but I havent quite grasp the point about the XSS problem in that case. I see that you basically alter the HTML of the server to get some JavaScript executed. But as long as you dont get googles servers to execute that it should be relatively harmless right? You could even use like ctrl+shift+i in google Chrome to get your browers debugging and can change any HTML attribute add Scripts and what not which would get to the same result. As you have shown in the video. I am aware that if you happen to be able get your scripts embedded into the youtube comment section by just posting it there it will be executed by the clients of every user that watches the comments. So this indeed is a huge problem. But what exactly do you gain by executing java script on your client in your googles search bar? Because there is only you who would see it. Sending someone a link similar to what you got at the start of the video is of course an option, but so would any other link of a site you have control over. with a similar looking URL also its not quite seamless as you had to click into the search bar to get it executed. could you or someone else please explain it to me?

Me: - not knowing dick about programming - KZbin: yo watch this video about programming.

Want to learn more about xss. Please upload some more videos on critical xss bugs

Your video blows my mind

Im pretty new to all this but from what can follow. The writes the script in a way that the paser fixs rewrites the script. Now the wbsite thinks its okay put it just help script to work and take over .

"Google is arguably the front page of the internet" Reddit would to have a word with you.

0:00 _Reddit has left the chat_

Am I right in saying search engines are in an unusual position in that they are meant to allow for users to search for code online, therefore must accept the characters. Many sites could just block these inputs.

That's indeed mindblowing, thank you for sharing this with us :) But what I don't get is, why is google using this sanitizer at all in this case? I'm not aware that the search input requires partial parsing, it should be shown as plain text everywhere and this should be simple to escape... Where is this needed?

why do we still have XSS Vulnerabilities in 2019 ?

But, can i just do htmlspecialchars() to prevent it ??

Good tutorial, interesting title music...who is it BTW?...👍👍👍👍👍

Why not use xhtml so if something breaks you don't get anything at all?

So maybe I missunderstood something, but why is it possible to enter HTML inside the Google Search bar that gets interpreted somehow? Is there any valid reason? From a Search Engine I expect, that everything that is entered in the search field gets "interpreted" as Text I am searching for. And the example with Webmailers shows me, that we definitely need a different Standard for those types of Input, that is not HTML. Something like Markdown or so. But not HTML that can cause Problems in Browsers.

0:05 I put ' it gives bug

Humans still working on google, don´t expect everything to be perfect...

Isn't there like a big bounty on exploiting Google? Did he get any money?

3:36 I don't know much of anything about html or web But why is the browser trying to fix invalid HTML. If I put an incorrect account number to my bank, my bank doesn't try to fix it and say "did you mean this"

dude... seriously... this is sick lol fabulous insight

Can this be used for malicious stuff?

@LiveOverflow, Very convincing ;)

you're welcome

Was the commit part of some attempt to hack the Nintendo switch and needed to add some small vulnerability to pull it off?

I‘ve just found a XSS bug in my dad‘s website: He‘s a photographer and has an image archive on his website. This archive has a search feature where you just need to enter something like alert(1) to run JS

I understand this code completely but would've never thought of trying to use an exploit like this. It's just not something you think about if you're "just" a developer. When you keep asking yourself "what if...", you'll eventually stumble upon weird quirks like this.

A lot of these issues come from browsers not being strict in parsing HTML, at some points even modifying it to make it "work". "use strict" for html, when?

Why did Google do sanitizing for search field that just wants plain text (not any html tags)?

@LiveOverflow what is the best way to protect the message form from xss?

Very helpful 👍

The parsing of the div inside the script is bizarre to me. The closing script tag is inside a string literal, but it's still seen as a closing script tag?!