正在加载视频...

视频加载失败

返回首页

Do not use the script tag when testing for XSS

gregxsunday's profile picture

Bug Bounty Reports Explained

54,188 subscribers

41,260 次观看 • 2 年前 •via X (Twitter)

新闻政治科学技术教育
LIVE

Anya Rossi• Live Now

Private livecam show

7 条评论

Tib3rius 的头像
Tib3rius2 年前

Better advice would be to not use exploit payloads for XSS detection in the first place, IMO. I personally like @cinzinga_'s goto payload of <s>asdf since it's small, easily searchable, and the strike-through text is more noticeable.

Anton 的头像
Anton2 年前

In case your sink is innerHTML, but you still need to load <script> use this: <iframe srcdoc="<script src=''></script>"></iframe> Last time I saw this trick in @bbuerhaus article

Bug Bounty Reports Explained 的头像
Bug Bounty Reports Explained2 年前

@bbuerhaus Yes, I've used for actually exploiting the innerHTML XSS but not for detecting it.

Olajeedae Jr 🇳🇬 的头像
Olajeedae Jr 🇳🇬2 年前

Learnt this the hard way on hacker101 CTF

Mr. Robot.txt 的头像
Mr. Robot.txt2 年前

That brings me to the question that has been bugging me for a while now (Noob here) When you payload is being encoded, is that the end of the road? Cause usually i get stuck at this point

Bug Bounty Reports Explained 的头像
Bug Bounty Reports Explained2 年前

yes, encoding is a proper defence against xss and there's nothing you can do

Bug Bounty Reports Explained 的头像
Bug Bounty Reports Explained2 年前

Event handlers use need the same ''unsafe-inline' directive as inline scripts so what you say doesn't make sense.

相关视频

What do drivers do at testing when they’re not testing? 🤔
0:37

What do drivers do at testing when they’re not testing? 🤔

Mercedes-AMG PETRONAS F1 Team

44,075 次观看 • 3 个月前

My name's Patty. I'll be testing you. When you do good, I use the green pen. When you do bad, I use the red pen. Any questions?
0:20

My name's Patty. I'll be testing you. When you do good, I use the green pen. When you do bad, I use the red pen. Any questions?

Simpsons Daily Glavins

39,070 次观看 • 16 天前

introducing Live Previews for YOUR website in tweakcn customize your shadcn site's theme in real-time by simply adding a script tag. no need to go back and forth when testing themes!
0:23

introducing Live Previews for YOUR website in tweakcn customize your shadcn site's theme in real-time by simply adding a script tag. no need to go back and forth when testing themes!

Sahaj

91,057 次观看 • 7 个月前

I said I'm going to publish a technical article on how to test newsletter subscription functionality for BAC/XSS, I'll just drop it here instead; before we jump into testing these "newsletter subscription" features, we need to find them; here's a dork I use to find them [ site: ("subscribe"|"newsletter"|"unsubscribe") ]... most hackers don't look into these features, so this is a good opportunity; you can find vulnerabilities like XSS, IDOR/BAC, and even SQLi. In some cases the form only asks for your email, no name, country, etc. That doesn't stop you from testing XSS, but it can make IDOR testing harder to spot... if the email you enter is reflected back on the page, that's a great vector to test for XSS.
4:07

I said I'm going to publish a technical article on how to test newsletter subscription functionality for BAC/XSS, I'll just drop it here instead; before we jump into testing these "newsletter subscription" features, we need to find them; here's a dork I use to find them [ site: ("subscribe"|"newsletter"|"unsubscribe") ]... most hackers don't look into these features, so this is a good opportunity; you can find vulnerabilities like XSS, IDOR/BAC, and even SQLi. In some cases the form only asks for your email, no name, country, etc. That doesn't stop you from testing XSS, but it can make IDOR testing harder to spot... if the email you enter is reflected back on the page, that's a great vector to test for XSS.

Gospel

12,567 次观看 • 7 个月前

They use the same tired, tried-and-tested script… WHY DO THE AMERICAN PUBLIC FALL FOR IT AGAIN. AND AGAIN. AND AGAIN‼️
0:39

They use the same tired, tried-and-tested script… WHY DO THE AMERICAN PUBLIC FALL FOR IT AGAIN. AND AGAIN. AND AGAIN‼️

Earth Hippy 🌎🕊️💚

33,016 次观看 • 5 个月前

When learning Japanese do NOT use Duolingo!🚫
1:56

When learning Japanese do NOT use Duolingo!🚫

SephirothSword57 🇯🇵

16,697,329 次观看 • 11 个月前

Why do we not use the proper name for other countries?
0:44

Why do we not use the proper name for other countries?

Geoff Norcott

14,806 次观看 • 4 个月前

AI voice acting. AI script writing. How do you feel when you know AI is being use in huge parts of the game you are playing? Vtuber: Yomi Quinnley
0:44

AI voice acting. AI script writing. How do you feel when you know AI is being use in huge parts of the game you are playing? Vtuber: Yomi Quinnley

Hiokleo 💀🎟️🌸 Horror Vtuber

21,849 次观看 • 1 年前

Do not use extensions for this please!
0:59

Do not use extensions for this please!

Dr. Chinonso Egemba

953,233 次观看 • 8 个月前

- "Use GD Script!!!" - "Godot can't do 3D" - "Godot's Physics system is terrible" oh...
0:22

- "Use GD Script!!!" - "Godot can't do 3D" - "Godot's Physics system is terrible" oh...

Barji

54,936 次观看 • 2 年前

do not turn up the volume do not use headphones 😭
0:48

Sensitive content

do not turn up the volume do not use headphones 😭

sim

163,942 次观看 • 9 个月前

#BiologicallyDefeated use the same script as #DickPoliceUnit & #BlackMenDefenseForce “Good for me but not for you & we’ll pretend like it’s not happening until caught, then there are valid reasons why” Did they plan this together?!
0:44

Sensitive content

#BiologicallyDefeated use the same script as #DickPoliceUnit & #BlackMenDefenseForce “Good for me but not for you & we’ll pretend like it’s not happening until caught, then there are valid reasons why” Did they plan this together?!

‎ Anos Voldigoad V

167,329 次观看 • 26 天前

PentestGPT can now find XSS vulnerabilities for you!
0:30

PentestGPT can now find XSS vulnerabilities for you!

HackerAI

69,087 次观看 • 1 年前

Wow, this is crazy. 40% of those being tested for paternity at these DNA testing centers, the man ends up not being the father of the child. How large do you think that number is when you factor in people not getting tested?
0:56

Wow, this is crazy. 40% of those being tested for paternity at these DNA testing centers, the man ends up not being the father of the child. How large do you think that number is when you factor in people not getting tested?

Women Being Awful

680,766 次观看 • 1 年前

Yeeeeah you could manually figure out a payload for DOM XSS... or you could just ask Burp AI to do it for you.
0:55

Yeeeeah you could manually figure out a payload for DOM XSS... or you could just ask Burp AI to do it for you.

Burp Suite

19,365 次观看 • 7 个月前

Myles Lewis-Skelly: "We just want to embrace 'title favourites' (tag), use it for us, not against us!" [TNT]
3:05

Myles Lewis-Skelly: "We just want to embrace 'title favourites' (tag), use it for us, not against us!" [TNT]

AfcVIP⁴⁹

305,398 次观看 • 4 个月前

The 4th of July fireworks show in Long Beach celebrating 250 years of independence has been CANCELLED by Gavin Newsom’s California Coastal Commission Newsom’s commission says fireworks pollute the water, despite the organizer showing 10 YEARS of testing proving this false Despite the testing, the Coastal Commission said the fireworks show is too environmentally unfriendly “We do not pollute the water. We do not affect wildlife. We've done testing for 10 years.” “Kids are gonna be devastated when I go home and tell them this news.”
1:55

The 4th of July fireworks show in Long Beach celebrating 250 years of independence has been CANCELLED by Gavin Newsom’s California Coastal Commission Newsom’s commission says fireworks pollute the water, despite the organizer showing 10 YEARS of testing proving this false Despite the testing, the Coastal Commission said the fireworks show is too environmentally unfriendly “We do not pollute the water. We do not affect wildlife. We've done testing for 10 years.” “Kids are gonna be devastated when I go home and tell them this news.”

Wall Street Apes

343,850 次观看 • 1 个月前

🚨$100 GIVEAWAY 🚨 Bro said “do $2K Super buy for the Content” 🔥 Generated straight cinema and gave away over $2K 😎 Drop your username + tag 3 friends Not registered? Use code LittleKid W Shuffle.com
2:38

🚨$100 GIVEAWAY 🚨 Bro said “do $2K Super buy for the Content” 🔥 Generated straight cinema and gave away over $2K 😎 Drop your username + tag 3 friends Not registered? Use code LittleKid W Shuffle.com

LittleKid

15,800 次观看 • 2 个月前

Nikol Pashinyan: "When we are upset that some people use the term 'Western Azerbaijan,' but when we use 'Western Armenia,' do we not think that it might irritate some people? We are irritated when they use 'Western Azerbaijan,' just as they are irritated when we use 'Western Armenia.'"
0:26

Nikol Pashinyan: "When we are upset that some people use the term 'Western Azerbaijan,' but when we use 'Western Armenia,' do we not think that it might irritate some people? We are irritated when they use 'Western Azerbaijan,' just as they are irritated when we use 'Western Armenia.'"

Prince du Karabaque

31,847 次观看 • 1 年前