Video wird geladen...

Video konnte nicht geladen werden

Zur Startseite

Do not use the script tag when testing for XSS

gregxsunday's profile picture

Bug Bounty Reports Explained

54,188 subscribers

41,260 Aufrufe • vor 2 Jahren •via X (Twitter)

Nachrichten & PolitikWissenschaft & TechnologieBildung
LIVE

Anya Rossi• Live Now

Private livecam show

7 Kommentare

Profilbild von Tib3rius
Tib3riusvor 2 Jahren

Better advice would be to not use exploit payloads for XSS detection in the first place, IMO. I personally like @cinzinga_'s goto payload of <s>asdf since it's small, easily searchable, and the strike-through text is more noticeable.

Profilbild von Anton
Antonvor 2 Jahren

In case your sink is innerHTML, but you still need to load <script> use this: <iframe srcdoc="<script src=''></script>"></iframe> Last time I saw this trick in @bbuerhaus article

Profilbild von Bug Bounty Reports Explained
Bug Bounty Reports Explainedvor 2 Jahren

@bbuerhaus Yes, I've used for actually exploiting the innerHTML XSS but not for detecting it.

Profilbild von Olajeedae Jr 🇳🇬
Olajeedae Jr 🇳🇬vor 2 Jahren

Learnt this the hard way on hacker101 CTF

Profilbild von Mr. Robot.txt
Mr. Robot.txtvor 2 Jahren

That brings me to the question that has been bugging me for a while now (Noob here) When you payload is being encoded, is that the end of the road? Cause usually i get stuck at this point

Profilbild von Bug Bounty Reports Explained
Bug Bounty Reports Explainedvor 2 Jahren

yes, encoding is a proper defence against xss and there's nothing you can do

Profilbild von Bug Bounty Reports Explained
Bug Bounty Reports Explainedvor 2 Jahren

Event handlers use need the same ''unsafe-inline' directive as inline scripts so what you say doesn't make sense.

Ähnliche Videos

What do drivers do at testing when they’re not testing? 🤔
0:37

What do drivers do at testing when they’re not testing? 🤔

Mercedes-AMG PETRONAS F1 Team

44,096 Aufrufe • vor 3 Monaten

My name's Patty. I'll be testing you. When you do good, I use the green pen. When you do bad, I use the red pen. Any questions?
0:20

My name's Patty. I'll be testing you. When you do good, I use the green pen. When you do bad, I use the red pen. Any questions?

Simpsons Daily Glavins

39,070 Aufrufe • vor 21 Tagen

introducing Live Previews for YOUR website in tweakcn customize your shadcn site's theme in real-time by simply adding a script tag. no need to go back and forth when testing themes!
0:23

introducing Live Previews for YOUR website in tweakcn customize your shadcn site's theme in real-time by simply adding a script tag. no need to go back and forth when testing themes!

Sahaj

91,057 Aufrufe • vor 8 Monaten

I said I'm going to publish a technical article on how to test newsletter subscription functionality for BAC/XSS, I'll just drop it here instead; before we jump into testing these "newsletter subscription" features, we need to find them; here's a dork I use to find them [ site: ("subscribe"|"newsletter"|"unsubscribe") ]... most hackers don't look into these features, so this is a good opportunity; you can find vulnerabilities like XSS, IDOR/BAC, and even SQLi. In some cases the form only asks for your email, no name, country, etc. That doesn't stop you from testing XSS, but it can make IDOR testing harder to spot... if the email you enter is reflected back on the page, that's a great vector to test for XSS.
4:07

I said I'm going to publish a technical article on how to test newsletter subscription functionality for BAC/XSS, I'll just drop it here instead; before we jump into testing these "newsletter subscription" features, we need to find them; here's a dork I use to find them [ site: ("subscribe"|"newsletter"|"unsubscribe") ]... most hackers don't look into these features, so this is a good opportunity; you can find vulnerabilities like XSS, IDOR/BAC, and even SQLi. In some cases the form only asks for your email, no name, country, etc. That doesn't stop you from testing XSS, but it can make IDOR testing harder to spot... if the email you enter is reflected back on the page, that's a great vector to test for XSS.

Gospel

12,567 Aufrufe • vor 7 Monaten

They use the same tired, tried-and-tested script… WHY DO THE AMERICAN PUBLIC FALL FOR IT AGAIN. AND AGAIN. AND AGAIN‼️
0:39

They use the same tired, tried-and-tested script… WHY DO THE AMERICAN PUBLIC FALL FOR IT AGAIN. AND AGAIN. AND AGAIN‼️

Earth Hippy 🌎🕊️💚

33,016 Aufrufe • vor 5 Monaten

When learning Japanese do NOT use Duolingo!🚫
1:56

When learning Japanese do NOT use Duolingo!🚫

SephirothSword57 🇯🇵

16,698,920 Aufrufe • vor 11 Monaten

Why do we not use the proper name for other countries?
0:44

Why do we not use the proper name for other countries?

Geoff Norcott

14,806 Aufrufe • vor 5 Monaten

AI voice acting. AI script writing. How do you feel when you know AI is being use in huge parts of the game you are playing? Vtuber: Yomi Quinnley
0:44

AI voice acting. AI script writing. How do you feel when you know AI is being use in huge parts of the game you are playing? Vtuber: Yomi Quinnley

Hiokleo 💀🎟️🌸 Horror Vtuber

21,849 Aufrufe • vor 1 Jahr

Do not use extensions for this please!
0:59

Do not use extensions for this please!

Dr. Chinonso Egemba

953,233 Aufrufe • vor 8 Monaten

- "Use GD Script!!!" - "Godot can't do 3D" - "Godot's Physics system is terrible" oh...
0:22

- "Use GD Script!!!" - "Godot can't do 3D" - "Godot's Physics system is terrible" oh...

Barji

54,936 Aufrufe • vor 2 Jahren

do not turn up the volume do not use headphones 😭
0:48

Sensitive content

do not turn up the volume do not use headphones 😭

sim

163,942 Aufrufe • vor 9 Monaten

PentestGPT can now find XSS vulnerabilities for you!
0:30

PentestGPT can now find XSS vulnerabilities for you!

HackerAI

69,087 Aufrufe • vor 1 Jahr

#BiologicallyDefeated use the same script as #DickPoliceUnit & #BlackMenDefenseForce “Good for me but not for you & we’ll pretend like it’s not happening until caught, then there are valid reasons why” Did they plan this together?!
0:44

Sensitive content

#BiologicallyDefeated use the same script as #DickPoliceUnit & #BlackMenDefenseForce “Good for me but not for you & we’ll pretend like it’s not happening until caught, then there are valid reasons why” Did they plan this together?!

‎ Anos Voldigoad V

167,329 Aufrufe • vor 1 Monat

Wow, this is crazy. 40% of those being tested for paternity at these DNA testing centers, the man ends up not being the father of the child. How large do you think that number is when you factor in people not getting tested?
0:56

Wow, this is crazy. 40% of those being tested for paternity at these DNA testing centers, the man ends up not being the father of the child. How large do you think that number is when you factor in people not getting tested?

Women Being Awful

680,892 Aufrufe • vor 1 Jahr

Myles Lewis-Skelly: "We just want to embrace 'title favourites' (tag), use it for us, not against us!" [TNT]
3:05

Myles Lewis-Skelly: "We just want to embrace 'title favourites' (tag), use it for us, not against us!" [TNT]

AfcVIP⁴⁹

305,398 Aufrufe • vor 4 Monaten

The 4th of July fireworks show in Long Beach celebrating 250 years of independence has been CANCELLED by Gavin Newsom’s California Coastal Commission Newsom’s commission says fireworks pollute the water, despite the organizer showing 10 YEARS of testing proving this false Despite the testing, the Coastal Commission said the fireworks show is too environmentally unfriendly “We do not pollute the water. We do not affect wildlife. We've done testing for 10 years.” “Kids are gonna be devastated when I go home and tell them this news.”
1:55

The 4th of July fireworks show in Long Beach celebrating 250 years of independence has been CANCELLED by Gavin Newsom’s California Coastal Commission Newsom’s commission says fireworks pollute the water, despite the organizer showing 10 YEARS of testing proving this false Despite the testing, the Coastal Commission said the fireworks show is too environmentally unfriendly “We do not pollute the water. We do not affect wildlife. We've done testing for 10 years.” “Kids are gonna be devastated when I go home and tell them this news.”

Wall Street Apes

343,895 Aufrufe • vor 1 Monat

🚨$100 GIVEAWAY 🚨 Bro said “do $2K Super buy for the Content” 🔥 Generated straight cinema and gave away over $2K 😎 Drop your username + tag 3 friends Not registered? Use code LittleKid W Shuffle.com
2:38

🚨$100 GIVEAWAY 🚨 Bro said “do $2K Super buy for the Content” 🔥 Generated straight cinema and gave away over $2K 😎 Drop your username + tag 3 friends Not registered? Use code LittleKid W Shuffle.com

LittleKid

15,800 Aufrufe • vor 2 Monaten

Nikol Pashinyan: "When we are upset that some people use the term 'Western Azerbaijan,' but when we use 'Western Armenia,' do we not think that it might irritate some people? We are irritated when they use 'Western Azerbaijan,' just as they are irritated when we use 'Western Armenia.'"
0:26

Nikol Pashinyan: "When we are upset that some people use the term 'Western Azerbaijan,' but when we use 'Western Armenia,' do we not think that it might irritate some people? We are irritated when they use 'Western Azerbaijan,' just as they are irritated when we use 'Western Armenia.'"

Prince du Karabaque

31,847 Aufrufe • vor 1 Jahr

Yeeeeah you could manually figure out a payload for DOM XSS... or you could just ask Burp AI to do it for you.
0:55

Yeeeeah you could manually figure out a payload for DOM XSS... or you could just ask Burp AI to do it for you.

Burp Suite

19,365 Aufrufe • vor 7 Monaten