other youtubers: "this video is sponsored by Raid Shadow Legends"
LiveOverflow: "This video is sponsored by freaking google, showing bugs on their products!"
what a legend
true legend indeed
He's a true legend, just like our today's sponsor Google. Privacy? With Google you can have no privacy. Forget it. You don't care about us taking your nudes from your Android, do you? Why are we asking anyway. 😂😂😂😂😂😂
I got a RAID ad on this, so...
@@sabaundefined Just like our today's sponsor Raycon Shadow Legends. Use code Linus to get a discount
Watching normal RUclips videos: Chill and Relax
Watching LiveOverflow videos: Concentrate and Take notes. Watch again to check if flow of thoughts was correct. Watch again to see if you understood everything properly.
Yeah I need to watch like 2 more times to understand everything lol
So true 😂
WHAT, google paid you, to talk about some guy who they paid to find bugs in their system, who they paid even more when he found a bug?
Who paid a developer to introduce a bug and who paid another developer to fix said bug 😉
It's also an advertisement for Google even though it's technically talking about Google negatively. It's kinda weird, but I think Google is trying to show that they listen to people reporting bugs and fix them, and also promoting their bug bounty system.
Just because he is sponsored doesn't mean that he is getting paid ^^
@@RnVjayBZb3V0dWJl sponsor= paid to advertise. Are you for real dude?
@@RnVjayBZb3V0dWJl sponsored literally means to get paid for it. Get a dictionary
This is very interesting! These vulnerabilities arise from a common pattern: the factory pattern.
In the factory pattern, you address the problem of creation, where basically you use unchecked types like strings and unchecked data like strings, or in this case JSON, and then use polymorphism to continue the object life cycle. This allows you to have object-type-related if statements in a centralized manner.
So, by not having a whitelist, you can call arbitrary constructors like hlc. The interesting part is that implementing a whitelist falls into another pattern: the abstract factory pattern, where you define an includes method that uses a string list.
Because of how convoluted the abstract factory pattern seems, programmers often choose the concrete factory pattern, because they rarely see a benefit over using an abstract factory.
The most interesting thing is that you could even exploit other kinds of systems, like Java-based systems, because they also use this string gadget for loading classes during execution time.
I could never understand the difference between a regular factory and an abstract factory, please help!
@@lefteriseleftheriades7381 Regular factory: create an object directly. Abstract factory: provide an abstract method to create IThing and let SomeConcreteFactory (inheriting the abstract factory) create ThingThatInheritsFromIThing. Using the abstract factory pattern you get one more indirection between code using IThing and code creating a concrete IThing.
@@lefteriseleftheriades7381 look for "Uncle Bob factory pattern", he explains it in depth.
The problem with factories is that statically you cannot know an object type beforehand; it's at runtime that, through conditions, you decide which object to use. When you add many seemingly related factories, as a dev it becomes difficult to know exactly which classes are being used in each of those factories. Therefore, in the abstract factory pattern you provide an abstract base class that the other factories have to derive from. This base class usually includes an abstract method called includes (or similar); by doing this you force derivative classes to implement it, which obligates them to use a list of strings to enumerate which classes are valid.
This way, you provide some sort of type safety stated by lists of strings, so that whenever a factory receives an unexpected value, the includes method prevents you from creating an unexpected object by throwing an exception or something.
In other words, this pattern is for devs to understand and for runtime guards, since the compiler can't statically figure this out and prompt an error.
I hope this helps.
The vulnerability comes from JavaScript.
@@k3daevin No, the vulnerability comes correctly as said, from the implementation of the factory pattern, using JS (but JS has nothing to do with this)
You know you've made it as a dev/techie when you get *google* themselves to sponsor a video
Sponsored by Google, "It's all Google security fault" video end. What a mad lad
This is some incredibly dense content for people learning development and cybersecurity. This helps us learn more about what more we could still learn about. I will always be grateful for all your inspiring and insightful content!
"It's all the Google security team's fault"
bruh moment
edit: how the tables have turned (what I said in the live chat at the end)
Trust nobody(with security) not even yourself.
didn't want to ruin the perfect 69 likes
but you did it... you just did it... ;(
Google paid him to say "f you" to their own security team
When dynamic programming becomes too dynamic
“Dynamic programming” doesnt mean what you think it means
@@chyza2012 like cpp with dynamic programming? u ok bro?
@@LugnutsK what's dynamic programming 🤔
@@andreidicu2882 what's dynamic programming
@@DominicNweze Dynamic programming is a misleading name for algorithms which break a problem into small recursive sub-problems and solve all the sub-problems in order to solve the overall problem.
I love this because it shows how complex development is. Basically this is the main reason why I'm reluctant to change anything on a complex project if it's not a critical bug, and every change made feels like it'd require the whole project to be tested again.
I'll pretend I understood Everything
Just enrolled in the college of XSS, wish me luck as a brand new copy paste machine :)
i wish you luck and hope you ctrl-c ctrl-v your way to a bug bounty
Where did you start from? Which resources would you recommend?
@@parabolicpanorama Look into Burp Suite
God bless your fingers!
You're fcked if your v key doesn't work
I just found this channel few hour ago and I'm already in love with your work...
You're feeding all my curiosities... Love your approach how you explain things...
Uses google ads: no one bats an eye
Google actually sponsors the video: Holy shit
Far out, imagine getting sponsored by google, that’s absolutely awesome. You know, sometimes I just binge watch this channel, and it never gets old. I’m super proud dude!
That's a huge list of best practice violations:
* Don't let a parameter specify an arbitrary function, use known values from a hashtable/switch statement instead
* Don't let a postMessage pass a script URL, just tell the page "do thing A" and it then knows what to do
* Don't accept postMessages from arbitrary origins
* Disallow arbitrary script sources using CSP
If any of these had been done the vulnerability would not exist. There might be reasons why you want 2 and 4, but at least 1 and 3 should definitely be done.
Edit: Hadn't finished watching the video. Why there even is a function that executes arbitrary JavaScript from a URL was explained.
Wow, your channel has grown. I've been away from watching your vids for a while, so it's kinda amazing to see almost 500k subs on a tech channel that's not only about gaming rigs :) Love it , good work LiveOverflow
google sponsoring, damn, you've gone a long way. gg
That's cool, but where's the referral link to Google?
Next Video sponsored by Raycon Earbuds
I love these insights, it shows you that they are experts but not perfect, everybody needs a team
I've never seen someone sponsored by Google before
thanks to this video, it cleared up some of my doubts about cybersecurity being replaced by AI in the near future.
awesome video, awesome that you did so detailed chapter markings and great that you're talking about how this bug got introduced in the first place (that part could have been even more detailed)
I love that google is sponsoring you! Really cool to see your channel grow. :)
I always thought wait for ur videos ..
They are fun and very much self explanatory 😊
Thanks mate for all this contribution you are doing towards the community.
This is actually awesome content. Both listening to the implementers and the pentester is an amazing opportunity.
Paused at 3:13 to see if I understand the code, I think hlc creates an object that captures a port, url, and data as an array. Then it creates a function inside that object to stringify the message. Finally it creates a script tag and appends it along with a url.
going to be 500k ..congrats @LiveOverflow
Wow... that's amazing...
And that was a perfect explanation. Thank you for your video!
It is interesting to know that Google sponsored it ! I wonder if this XSS was exploited in the wild
Damn. Google sponsored a video on their own platform. That's a rare one!
I like the way he flamed Google's security team even though he is sponsored by Google :D
rest assured that they will get roasted for this internally as long as they are employed there ;)
knowing google, they would be flaming them too. Let's point out that this issue was SUPER buried. He explained it and I didn't understand, so it's very likely no one even saw it happening until this guy somehow found this bug. google takes security super seriously so I'm more surprised the bug was fixed and CAME BACK. the engineers who let that happen are going to be in trouble lol
The engineers are not at all in trouble. They interviewed with me :) this is totally normal and shouldn’t be shamed.
@@LiveOverflow learning from mistakes is the best thing we can do!
Seeing as WE are Google's security team, I don't think they care.
What a great video. Oddly good for a sponsored one!
You know what this kind of intricate multi-step process reminds me of? Pokémon exploits. But you started covering that already so I'm sure there'll be more coming :-)
Also, congrats in advance for your 500k subs, very much keeping the hacking spirit alive!
lvl1: paid to secure google source
lvl2: paid to look at google source
lvl3: paid for finding bugs while paid to look at google source
lvl100: paid to make a video about google source bugs
lvl10000: paid to make a video about google source bugs by freaking google :p
another google sponsored google product bug video. man, they're in the right direction.
Love LiveOverflow!
This is why companies like Google, Apple, Microsoft and many others stay in business. They acknowledge that everything is vulnerable and are open to fixing them. Vice, many startups who try and punish those who exploit them, or Twitter, who makes no effort in securing their systems.
Things could be better, but getting better starts with this mentality.
Awesome! Love the in depth.. and that's my world, ECMAScript. In this world we rely on the closures and scope for security 😏
At first I was gonna say this feels like one of the many advantages of strongly typed languages. You would have to be explicit about what types of classes can be instantiated there. In the end, it was a lack of regression testing! They had strict checks but accidentally removed them. Really great video!
6:16 Subtitle: "He knows that Jesus is a Javascript library".
Okey
CarbonCopy yeah! Just use Jesus.convert(water, wine)
CarbonCopy That returns the now wine
so it's all google security team's fault xD
It is so dope to see cooperation and capitalism working and outputting free educational videos afterwards. This is a shining example of how we should behave in society lol
pretty sophisticated programming concepts discussed here. would be impressed if civilians could grok this one.
You are one of the best teachers out there ❤️
So, if a method is executing sensitive actions, it should embed the security check call? Does it really only apply to languages or should it be considered in other languages as well? (say c#)
Eagerly waiting to see😍
Absolutely great content! Super interesting video!!!
Awesome! Very inspiring
Very interesting
Congrats for the sponsor!
dude this is so cool
Congratulations on another sponsor by Google. This video was great too, but the midroll ads really ruined it for me and I could not get through it enjoyably.
Would be great if you can make these videos without midroll ads when you get a sponsor.
Use adblock. Also pls read the latest news on midroll ad changes by RUclips
awesome
Great video man!
Also, can you do a video with Ezequiel Pereira? His vulns are super awesome.
hi i learn a lot from u
Oh boy, taking a user specified string without any validation and calling a function with that name really wasn't the finest implementation tbh. How did they NOT expect someone to exploit that?
Congratz on 500k subs, any time now
Why does this video end up feeling like TOP 5 TIMES the Google SECURITY Team Got GIT BLAMED
*Sponsored by Google to talk about Google Security team's fault.*
The malicious spreadsheet attack... this is why it's unsafe for even clients to be able to attack themselves!! The attacker gets to be the client sometimes.
You can use Google chrome browser to read minified code, just click the {} for pretty print...
All of the hacking I've done, I've used this. First in the Opera browser, and then using Chrome dev tools. I found several vulnerabilities in sites that way. With a bit of practice it's not very difficult to follow obfuscated code, especially when you can set breakpoints and skip through it. Everything I've reported got fixed, with nothing but a 'thanks' and not a bounty in sight (apart from Facebook's $500)... Now I can't be bothered reporting bugs or vulnerabilities, sometimes they'll be exploited for fun, but that is it.
As always, nice explanation!
Why would you say this problem could never be found by an automated check? I'd argue that instantiating an object from a string is always a bad idea. It may be quite normal to do in Javascript, but that does not make it a good idea. It feels comparable to manually changing the instruction pointer based on some input. Yes, this can be powerful, but why the heck would you? I'd say creating a static mapping between strings and classes is definitely worth the effort. For example, Google's own language Go does not allow you to do anything like this without getting into the (literally called) unsafe package (if it's even possible with that).
So to conclude: why not just disallow using a string for instantiating an object altogether? I only use JavaScript in a limited way professionally, so I'd love someone to tell me why this is not feasible/not applied in practice :-]
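The pattern the factory-pattern, best-practice and static-mapping comments above all circle around, shown as an added example that is not code from the video, from the bug report, or from Google Docs: a message handler that looks a constructor up by an untrusted string and accepts any origin, beside a hardened version that uses a static allowlist map and a trusted-origin set. All class names, origins and the script-loading helper are hypothetical stand-ins.

```javascript
// Added example (not the page's or Google's code). Hypothetical handlers a
// page might legitimately expose to an embedder via postMessage.
class ResizeHandler {
  constructor(params) { this.height = Number(params.height) || 0; }
  run() { return `resize:${this.height}`; }
}
class ScrollHandler {
  constructor(params) { this.top = Number(params.top) || 0; }
  run() { return `scroll:${this.top}`; }
}

// A helper meant for internal use that loads a script from a URL, in the
// spirit of the hlc gadget discussed in the thread. It only records the URL
// here so the example runs offline; in a browser it would append a <script>.
const requestedScripts = [];
class ScriptLoader {
  constructor(params) { this.url = String(params.url); }
  run() { requestedScripts.push(this.url); return `script:${this.url}`; }
}

// Everything reachable by name, standing in for a global namespace / window[].
const everythingInScope = { ResizeHandler, ScrollHandler, ScriptLoader };

// VULNERABLE: the message picks any constructor in scope, from any origin.
function handleMessageUnsafe(event) {
  const msg = JSON.parse(event.data);
  const Ctor = everythingInScope[msg.type];   // attacker-chosen name
  return new Ctor(msg.params).run();
}

// HARDENED: a static map from message type to constructor (the "allowlist" /
// abstract-factory `includes` check the comments describe) plus an explicit
// set of origins the page is willing to take messages from.
const ALLOWED_HANDLERS = new Map([
  ['ResizeHandler', ResizeHandler],
  ['ScrollHandler', ScrollHandler],
]);
const TRUSTED_ORIGINS = new Set(['https://app.example']);

function handleMessageSafe(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;   // wrong sender
  let msg;
  try { msg = JSON.parse(event.data); } catch { return null; }
  if (!msg || typeof msg !== 'object') return null;
  const Ctor = ALLOWED_HANDLERS.get(msg.type);
  if (!Ctor) return null;                                 // not on the list
  const params = msg.params && typeof msg.params === 'object' ? msg.params : {};
  return new Ctor(params).run();
}

// Constructed sample events: one legitimate, one from an untrusted origin
// naming the script-loading helper.
const legitEvent = {
  origin: 'https://app.example',
  data: JSON.stringify({ type: 'ResizeHandler', params: { height: 300 } }),
};
const hostileEvent = {
  origin: 'https://third-party.example',
  data: JSON.stringify({ type: 'ScriptLoader',
                         params: { url: 'https://third-party.example/x.js' } }),
};

function demo() {
  return {
    unsafeHostile: handleMessageUnsafe(hostileEvent),  // reaches ScriptLoader
    safeHostile: handleMessageSafe(hostileEvent),      // null: origin rejected
    safeLegit: handleMessageSafe(legitEvent),          // 'resize:300'
  };
}
console.log(demo());
```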
So you got sponsored by google? Damn that's some serious drip
Thank you for content
Cool content keep it coming
Btw I think recognizing the unsafe Gadget function would be in the realm of automated tools
SPONSORED BY GOOGLE?
we're out here bois
Saying that this bug couldn't be found by any tool is not a statement I would make. I am pretty sure a GPT3-like transformer for this purpose could find not only this but many more bugs that we can't even possibly understand.
Idk why they'd think it would ever be a good idea to rely on a string to construct things. Shouldn't you have an inherent hesitation to do such a thing? It's like using eval. Same with accessing arrays of methods in obfuscated code by string properties.
It’s actually crazy how many JS exploits you can take advantage of on most websites.
How can I analyse obfuscated JavaScript code? Any suggestions? It's difficult to analyse a.b b.this like these codes
You can try downloading the page and run it offline, but that usually breaks the page, or you can use some kind of proxy to load your modified js file instead. Then you can add debug prints or dump objects for information easily
WOT THE FUCK, I thought to myself, ok, this'll be interesting enough; no, it's simply sponsored by Google and an absolutely informative video
amazing videos!
can you add a link to the bug report in the description?
Sponsored by Google? You officially won the internet. Also:
I was wondering whether anything like this would happen after looking into the scripting features about a year ago.
Are we sure that was a fault? maybe it was sitting there for some selected people to use..
I think we could automate this using Selenium. We could test it, but we might spend a lot of time developing the framework for the Google project. I might be wrong though haha
Google sponsors. Good your channel is less likely to be demonetized.
Nice interview
I had a dream about a script execution exploit in Google sheets a few months ago.
Where did you find the step by step instructions originally for this cross site script vulnerability?
If you understand how XSS works it’s just creativity to come up with it
+1 for "allowlist"
this is good, but why would you add an hlc to the HTML???
JSONP sandbox
Interesting!
Great ending
It's reasonable because those security engineers are following the "best practice" and forgot to consult the developer!
How long did it take him to find
Am I misunderstanding something? I don't see the issue here. you create a google doc, then modify it so that when you embed it, and tell it to run javascript, it runs javascript. Can't you just... run the javascript? If you have control over the embedding site like that, can't you just write your own javascript directly?
You are not supposed to be able to embed arbitrary JavaScript into an embedded Google Doc. The embedded Google Doc has access to the visitor's account, which you shouldn't have access to.
It is true that you can just embed any JavaScript. But it should only happen when the embedded content also comes from your website. XSS happens when you can embed code to other's website, which is accessed with a different set of credentials & cookies.
Please tell me what packet analyzer you're using??
Took a lot of cross referencing and searching but found it if anyone wants it, called burp:
portswigger.net/burp/documentation/desktop/tools/proxy/using
❤️
wow, this bug has "your programmers were so preoccupied with whether or not they could, they didn't stop to think if they should" all over it.
Don't get cocky... Anyone can make security mistakes, even Google!
I loved this video, too bad his website is broken and you can't really read more about him
Which software are you using in this video?
Please help me
How to bypass speed hack detection in game ??
🙏🙏🙏♥️♥️♥️🙏🙏♥️♥️
nice
Google must be about to fire all their security team.
Obfuscated/minified code is kinda pointless when you can just beautify it. I think all JS code should have sourcemaps
dang my company uses an SSO service which abuses jsonp in its token handling. really makes me think...
Is it only me that thinks Nikolay looks like Elliot?
"This god damn Google Security team can't do anything right! Well I guess we'll just say it's larry's fault then."
Google: I see this is a win win.