Yeah.. it calling home every time I open the browser.. yeah, no go for me. Also lack of script-viewing tools on chrome compared to firefox... mm, minimal.
"In a browser, the chrome is any visible aspect of a browser aside from the webpages themselves (e.g., toolbars, menu bar, tabs)." - so technically dev tools is a chrome (Not google chrome , it's just a name of a browser which they stollen)
@@vaisakh_km ^^ Can somebody verify that? I've literally never heard it before and information online on it is scarce. Is this really a technical term?
@@sebastianelytron8450 I also came to know about this from one of his own videos...."sandbox escape in Firefox" or something like that..... Checkout that video
The reason we use alert is because of old browsers that didn't have such nice consoles. It was the easiest way to see something on screen. In fact I remember an old Microsoft site where I got a debug alert when I pressed some combination of buttons (by chance).
Funny thing is you're using a browser that shows the origin in the alert box regardless of message, so alert(1) is fine in those browsers. Though you do show the edge case where there is no origin (eg it's blank) the alert box title is different, so it's worth keeping that edge case in mind.
The browser may show the origin in the alert but I think you're missing the point. It's not a bug. Using alert(1) would render a false positive and it would be better to use something other than alert(1) that shows an actual xss on the origin.
I think it was originally going to be that, then at the last moment he edited it out. The video is also low quality, almost as if he quickly downloaded it, edited and reuploaded
Huh, never considered the bug bounty angle. From my experience with clients, issues in the components of a client's application were still very valid, and would often prompt further discussion and remediation across org boundaries, which I see as the ideal outcome. Good practice for XSS checks nonetheless, great video!
in the past, my reason for using alert was because it took the least amount of characters, where many forms that were being tested had character limits. also most things would check for eval specifically, however alert was often forgotten... hehe
When you said Google at 6:37, you triggered my Google assistant. Too bad it interrupts the video otherwise you could open malicious web sites on the users behalf
saw a few german youtuber doing this for legal reasons. Otherwise competitors will assume you are breaking a law if some products are highlighted in the videos, even if there is no sponsorship. They will ask for money and for you to stop doing this in the feature (with some legal document ). In return those youtuber then have to explain that there is no sponsorship and might even need the assistance of a lawyer. If it was sponsored he probably has to pay money to the competitor. So they just place a advertisement note on every single video to just not having to deal with that kind of bullshit.
I mean, he does link to Googles new bug hunter University thing in the description and he does talk about how to do stuff in regards to google products throughout the video, so it being sponsored in some way isn't too far fetched. That said, it's weird he doesn't explicitly mention it anywhere...
Chrome and Firefox both always display the origin domain in the alert, shown in the video for example at 3:41. I don't see the point of writing such a unnecessarily long payload, the video title seems a bit much clickbait, otherwise good explanation tho. alert(1) is still fine. btw: Opera and Vivaldi do it too, I guess all chromium based browsers.
@@SolomonUcko They report the actual domain if it is set, blogger uses an too, see 4:26. In his selfmade example src is just not set, so it falls back to the generic message.
But can i still deploy malware on the client machine via this xss? A bEEF hook could hook into the browser of the client. I would not call any xss a safe xss but i guess it is out of scope.
For Pentesting you use alert(1) because you need to document everything that is vulnerable on a blackbox webapp. For bug bounty, however this will not work because of 'impact'.
Thank you for your suggestions on XSS! Your video is very good, so I want to translate it and share it on the Chinese video website (bilibili) in my free time. I will keep the introduction and title of your video consistent and declare the author, and I will not get any profit from it. Do you agree with this matter?
Excuse me my ignorance. What is the most dangerous thing you can do with that kind of attack? (xss) in Real life. I mean if I found a xss vuln the hacker just could catch my token/credentials by fishing? Or there is a other most power full attack. Excelente video and cheers from Argentina!
You make your videos really well. Amazing script, you speak clearly and enthusiastically, and you make cool graphics that are easy to understand and look nice in general, etc... The only thing I can complain about is that your IRL background looks kinda scary, like you are about to make an apology video or a documentary. It's not really a complaint but I though you could use the feedback. If you still have the breadboard pc you could make a counter and hang it in the background...or add some shelves or something. Unless you like the empty backdrop in which case ignore what I just said. Keep up the good work!
Bro i have a suggestion.... can u please put a video on PEGASUS spyware...like I'm genuinely confused what is it and why news channels are milking it so much....is it a thing to be afraid of? I would love to see your perspective on this.... If not here maybe atleast in your other channel liveunderflow pls....?
Please, work on you over all sound volume, each time i watch your channel have to wear a headset cus volume is too low compare to other channels. Thanks for your work!
It would have been funny for google to really alert 1 when you input alert(1) into search box
I think they did something like that once on the Bughunter page.
Oh no, hell no, it would not. Imagine all the amateur bug hunters who then spam their reports to the google bug bounty XD
@FBI Federal Bureau of Investigation Then they would pretty much ignore every XSS reports, sorry FBI.
@LastName Almaember you better ignore my browsing history
@@wrng-i9f well they can state that you have to use alert(document.domain) and just ignore all alert(1) ones or whatever
ok fine I’ll use alert(2)
based
alert(0.5+0.5);
alert(Math.PI)
😂
console.log(1-alert(1)) or eval(alert(1))
"Look into the chrome developer tools" *Opens firefox*
Yeah.. it calling home every time I open the browser..
yeah, no go for me. Also lack of script-viewing tools on chrome compared to firefox... mm, minimal.
Since this video is seemingly paid for by google, it's not strange that it contains some advertisement for Chrome.
"In a browser, the chrome is any visible aspect of a browser aside from the webpages themselves (e.g., toolbars, menu bar, tabs)."
- so technically dev tools is a chrome
(Not google chrome , it's just a name of a browser which they stollen)
@@vaisakh_km ^^ Can somebody verify that? I've literally never heard it before and information online on it is scarce. Is this really a technical term?
@@sebastianelytron8450 I also came to know about this from one of his own videos...."sandbox escape in Firefox" or something like that.....
Checkout that video
This channel has taught me so much
This guy precisely
This channel got me a detention ;-;
Same! I absolutely love way he explains things!
You want his bounty all over your chin
@@LethalSwizzle found xss and other vulnerabilities in school website, and apparently I violated some policy
The reason we use alert is because of old browsers that didn't have such nice consoles. It was the easiest way to see something on screen. In fact I remember an old Microsoft site where I got a debug alert when I pressed some combination of buttons (by chance).
Funny thing is you're using a browser that shows the origin in the alert box regardless of message, so alert(1) is fine in those browsers.
Though you do show the edge case where there is no origin (eg it's blank) the alert box title is different, so it's worth keeping that edge case in mind.
I though so too, but look at this case 7:30 it just says "An embedded page on this page says"
The browser may show the origin in the alert but I think you're missing the point. It's not a bug. Using alert(1) would render a false positive and it would be better to use something other than alert(1) that shows an actual xss on the origin.
The more I watch you the more I find something new, interesting and worth my time. Thank you very much.
Why is there an “advertisement” mark at the top-right, and a mention of sponsorship by Google in the subtitles, but not in the video itself?
Maybe this whole video is an ad from Google telling us to stop with the alert(1) reports 😂😂😂
I guess the “paid promotion” message at the beginning might be enough?
yeah this seems so sketchy
@@violetwtf not really.. the video is an ad
I think it was originally going to be that, then at the last moment he edited it out. The video is also low quality, almost as if he quickly downloaded it, edited and reuploaded
Huh, never considered the bug bounty angle. From my experience with clients, issues in the components of a client's application were still very valid, and would often prompt further discussion and remediation across org boundaries, which I see as the ideal outcome. Good practice for XSS checks nonetheless, great video!
in the past, my reason for using alert was because it took the least amount of characters, where many forms that were being tested had character limits. also most things would check for eval specifically, however alert was often forgotten... hehe
One of those rare videos by you about which I can say that I knew most of the things you mentioned. But still, a great one as always! 👍
When you said Google at 6:37, you triggered my Google assistant. Too bad it interrupts the video otherwise you could open malicious web sites on the users behalf
Actually might, be a nice idea lol, but don't you have your voice recognition setup?
Don’t use for security reasons.
Uses for security reasons.
Why we shouldn't use for security reasons?
@@jackharbor3347 back in the past s where bad, now they are good i guess
How do some people say "Good Video" or "Amazing Explanation"? The Video literally just released
they fake it
gotta earn the likes
it's always true for my videos 🙃
*cough cough* cyberchiranjit *cough cough*
@@LiveOverflow well yes, but actually yes
seems you accidentally left advertisements watermark in the top right corner for the video lol
The vid might be sponsored by Google
saw a few german youtuber doing this for legal reasons.
Otherwise competitors will assume you are breaking a law if some products are highlighted in the videos, even if there is no sponsorship. They will ask for money and for you to stop doing this in the feature (with some legal document ).
In return those youtuber then have to explain that there is no sponsorship and might even need the assistance of a lawyer. If it was sponsored he probably has to pay money to the competitor.
So they just place a advertisement note on every single video to just not having to deal with that kind of bullshit.
I mean, he does link to Googles new bug hunter University thing in the description and he does talk about how to do stuff in regards to google products throughout the video, so it being sponsored in some way isn't too far fetched.
That said, it's weird he doesn't explicitly mention it anywhere...
@@Test123747 interesting
Different WAF'S Have diffrent responses to payloads some times destructuring the payload may work
throw[onerror]=[alert],1
I was working for a website and their filter of XSS has alert(1) in it
Very good , valuable and helpful information you are providing here. Thanks !
ok, I had to interrupt my lazy Saturday afternoon to actually learn something useful
Finally another masterpiece!
Use print() instead of alert() because browsers are disabling the alert() for cross-domain s.
Chrome and Firefox both always display the origin domain in the alert, shown in the video for example at 3:41. I don't see the point of writing such a unnecessarily long payload, the video title seems a bit much clickbait, otherwise good explanation tho. alert(1) is still fine.
btw: Opera and Vivaldi do it too, I guess all chromium based browsers.
It looks like inside s, at least browsers just say "an embedded page" rather than the actual domain or origin of the .
See 7:30
@@SolomonUcko They report the actual domain if it is set, blogger uses an too, see 4:26.
In his selfmade example src is just not set, so it falls back to the generic message.
@@dasten123 See 7:45, in any case you get basically the same info.
I'm new in bug hunting...
I understand nothing but I watched this video
Ok thanks, ill use alert(2) instead
Your channel is pure gold. Thank you
All your videos are my favorite. 💎 I really appreciate this one too 🙏
Thanks so much. You're doing great work. I would love more hunting videos. Very interesting
Thank you! This is good to bear in mind in future testing!
Imagine getting a pop-up saying "2", that would be threatening
Amazing explanation
This taught me more about XSS than any other video I've seen so far.
But can i still deploy malware on the client machine via this xss? A bEEF hook could hook into the browser of the client. I would not call any xss a safe xss but i guess it is out of scope.
Very precious and important tips, thank you!
Wait, so I'm not allowed to name my Skyrim player this anymore? Darn.
For Pentesting you use alert(1) because you need to document everything that is vulnerable on a blackbox webapp. For bug bounty, however this will not work because of 'impact'.
Not unless the organization’s webapp you’re pentesting is purposely allowing scripts to be executed by the end-users.
@@coldplay5467 that would be an isolated case. I'm talking in general.
This is interesting! Cool video man!
We use eval()
Very well explained! Thanks 👍
GREAT VIDEO! I never knew any of this.
Great video as always
print(5)
Very Informative.............Keep it up
Is there any practical difference between document.domain and window.origin for these purposes?
man I believe in it I got a xss from an imortant web site thats belong to a very important organization that was pentested for 3 times 🤣🤣🤣
dark mode intro pog
alert(1)
That was great, very interesting video. Thank you
I love this guy
As usual 🔥🔥🔥🔥👌
We use alert because it predates chrome, firebug, and most useful 'consoles'
Very Beautiful Explanation :)
Very nice observation! keep it up!
Why is there an "advertisement" message in the top right corner ? Is it just a mistake ?
Anyway, very instructive video ! (Like the others!)
It's because Google paid him to produce this for Bug Hunter University and he thought it to be a good video, so he published here.
alert("You Are The Best")
Thank you so much 🙌🏻
Cool, nice tut
Thank you for your suggestions on XSS! Your video is very good, so I want to translate it and share it on the Chinese video website (bilibili) in my free time. I will keep the introduction and title of your video consistent and declare the author, and I will not get any profit from it. Do you agree with this matter?
Very informative video
Really nice clip. Thank you
wonderful video Thanks @liveoverflow
Excuse me my ignorance. What is the most dangerous thing you can do with that kind of attack? (xss) in Real life. I mean if I found a xss vuln the hacker just could catch my token/credentials by fishing? Or there is a other most power full attack. Excelente video and cheers from Argentina!
You make your videos really well. Amazing script, you speak clearly and enthusiastically, and you make cool graphics that are easy to understand and look nice in general, etc...
The only thing I can complain about is that your IRL background looks kinda scary, like you are about to make an apology video or a documentary. It's not really a complaint but I though you could use the feedback. If you still have the breadboard pc you could make a counter and hang it in the background...or add some shelves or something.
Unless you like the empty backdrop in which case ignore what I just said. Keep up the good work!
thank you thank you....
For Chrome we can use print now
Superb video👌
I just realized I wasn’t subscribed. I fixed that.
I use console.log or console.trace :)
Not all browsers support sandboxed s. Those browsers are vulnerable.
which one doesn't, internet explorer? thats EoL
@@ThePizzabrothersGaming your mom doesn't
Nice this video
Advertisement, nice touch.
Can I use alert(1337) ?
why not
Are web workers another way of sandboxing potentially unsafe code?
Why is it marked as a sponsored video? Did google sponsor this one?
They paid for it to be created and he thought it to be a good video, so he published it on LiveOverflow
Very interesting.
which video editing tool you use to edit video
great info
destroying kids dreams under 12 minutes huahuahuahuahuahua
damm super interesting :)
Is this a new video-file format? the quality looks too compressed :|
very cool
Bro i have a suggestion....
can u please put a video on PEGASUS spyware...like I'm genuinely confused what is it and why news channels are milking it so much....is it a thing to be afraid of?
I would love to see your perspective on this....
If not here maybe atleast in your other channel liveunderflow pls....?
Nice 👍
Gold
Is it self or reflected XSS if I modify the response in BURP and it shows alert, but doesnt show in URL?
Neither ;) it’s nothing ;)
@@LiveOverflow
RUclips recommend me this and I don't understand a thing. Why youtube? Why?
Make a video on Pegasus Too..
I need help in APDU setup
Ahh that's great
Interesting
I generally just `alert(%27MyHandle%27)`
is this a recipe how to make user js safe?
nice
Good thing I use alert(2)
5:02 Sorry Flash, f.
Why doesn't html just ignore scripts from the body?
📎 Hi it looks like you're trying to use a CSP?
me, who uses alert(): intensive sweating
Use prompt(2) ?? :D
alert("xss") -- a classic
4:22
But you are using the much better browser.... Firefox!
Please, work on you over all sound volume, each time i watch your channel have to wear a headset cus volume is too low compare to other channels. Thanks for your work!
Michael Cera's cooler, more extraverted brother