This is so far the most simple and understandable xss video I’ve ever seen
This channel = the best info quality explained ever.
Awesome! Thanks Hermes! 😎
Your contents are great. Upload more often
Got more coming. Thanks for watching!
@chefsecure use some more 'types' of hacking except for XSS, it would be helpful. Thank you.
@lone.wo1f Will do. Planning one now. Thanks!
This channel is amazing, the explanation is so straightforward and clear, thanks!
Your videos are very interesting... and fun! Make more!!
@sabinaghidossi6690 Thanks. Anything else you'd like to see?
I got it now, as you only uploaded 3 videos, so hell you didn't get popular though the video content is damn good
xss brute is a brazilian guy that is well known to be the creator of some of the most god tier polyglots out there
I remember taking one polyglot that he made and inserting into a random website's search parameter, and it worked right away. the website was behind cloudflare too
Great content! Keep them coming
hey is your xss course still relevant in 2023? like the methods you teach, concepts and all.
100% and possibly now more important than ever. XSS is still the #1 vulnerability found in Hackerone and I'm working on a video right now showing how ChatGPT/AI doesn't even come close to understanding what the course teaches. I recommend getting in now, because I'm adding more content soon and the price will go up.
This is great sir
. i never, and suppose everyone should not consider this bad. Especially for me, as I was only studying this to counter attacks. Keep uploading dude
Yo juz awesome I'm subscribing
Hello, thanks for the videos. A question: if you have filtered the symbols &/\" ' ()* and the numbers, the polyglot will not work.
It can work but it will be very limited.
This is actually a limitation of using polyglots - a website can be vulnerable but some simple filters can stop it from executing.
If you go to the challenge for this recipe on chefsecure.com (this one is free) you can see this hands-on. The polyglot is too long.
Just a warning: the challenge is difficult if you haven't had experience. I might make a video explaining it in the future.
@chefsecure Thanks very much for your response
hello
What did you think, did you think that RUclips is not secure enough?🤣🤣
@waterlord6969 I was getting bored so I did so
🤣😆
worth a shot!
networkchucks brother??
Create more videos about XSS. You should think about newbies. Simpler descriptions are needed
This is a more advanced recipe from my XSS course. You can check out the first video on my channel or do the full lesson here for free: chefsecure.com/courses/xss/recipes/hacking-websites-with-cross-site-scripting
does regular expression change on different languages
how to inject
Check out my first video in the course. This is a full payload you can use in the example
Hello sir, what to do if opening and closing tag blocks? Is it possible to bypass, sir? Please suggest me a best payload
If you check out the challenge on the website, you'll see there is no single best payload.
They all have pros and cons. The key is to know the context where you're injecting.
What vulnerability scanner were you using????
That was OWASP ZAP
If works and event handlers inside that don't work, then what is the advanced filter bypass on event handler inside img tag
Depends on what the filter does - there are so many things that it could be so you'll need to explore.
Does it strip out the event handler entirely? Is execution blocked by CSP? Have you tried other event handlers, like onload or onclick? Is it looking for an exact pattern you can bypass like: on*="*"
Which can be bypassed with single quotes or no quotes -> onerror='alert()' or onerror=alert()
or even mixed capitalization OnErRor="alert()"
Etc.
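An added example, not part of the comment thread or the course: it runs the handler variants named in the reply above through an exact-pattern filter and through output encoding, to show why the filter is the wrong control and encoding is the fix. The function names and sample strings are hypothetical and constructed for illustration.

```javascript
// Added illustration; all names below are hypothetical, not from the course.

// Exact-pattern filter of the kind described: removes only on<name>="<value>".
function naiveStrip(input) {
  return input.replace(/on[a-z]+="[^"]*"/g, "");
}

// Output encoding: the input is rendered as text, so no tag is ever created.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Coarse check for this demo: is an on* attribute still present inside a tag?
function stillHasHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed samples: the quoting and capitalization variants from the reply.
const samples = [
  '<img src=x onerror="alert()">',  // exact shape the filter expects
  "<img src=x onerror='alert()'>",  // single quotes
  "<img src=x onerror=alert()>",    // no quotes
  '<img src=x OnErRor="alert()">',  // mixed capitalization
];

// For each sample, report whether the filter left a handler behind and
// whether the encoded output is free of one.
function compare() {
  return samples.map((s) => ({
    input: s,
    filterMissed: stillHasHandler(naiveStrip(s)),
    encodedSafe: !stillHasHandler(escapeHtml(s)),
  }));
}

for (const row of compare()) {
  console.log(row.filterMissed ? "MISSED " : "removed", "|",
              row.encodedSafe ? "encoded ok" : "encoded BAD", "|", row.input);
}
```

The filter only handles the first sample; encoding for the output context neutralizes all four, and a Content Security Policy adds a second layer if encoding is missed somewhere.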
What's the point of this? It is client-sided, so will this affect others?
U can inject any js code into the website and change the website's content, and also steal user cookies.
@DreyAnd Andrej so you are saying that we can affect others with console ?
DreyAnd Andrej and how can we do that ?
Aarav Bhutani By finding vulnerable parameters for example.
DreyAnd Andrej 😅 im a beginner so i’m not getting it
What if the website security level is set to high
What to do
If it's blocking the polyglot, you'll need to be more subtle. Only try what's necessary to avoid being caught by firewalls.
@chefsecure Thank you
Ok
@chefsecure Does it mean the website is XSS Secure
is he ricky martin? :D
. dont have any other choice but to just follow the comments irr
I can't understand anything 😂
This is an advanced example that pieces together each basic part of the course. Without a deeper understanding, however, it's just alien magic.
how does this help in compromising the website. i don't understand
You have to understand what you can do with XSS attacks
@dkkdkdkddkdkdk5810 javascript commands