Загрузка видео...

Не удалось загрузить видео

Возникла проблема при загрузке этого видео. Это может быть связано с временными проблемами сети или видео может быть недоступно.

На главную

Do not use the script tag when testing for XSS

Bug Bounty Reports Explained

54,188 subscribers

41,260 просмотров • 2 лет назад •via X (Twitter)

Новости и политика Наука и технологии Образование

Anya Rossi• Live Now

Private livecam show

Комментарии: 7

Фото профиля Tib3rius

Tib3rius2 лет назад

Better advice would be to not use exploit payloads for XSS detection in the first place, IMO. I personally like @cinzinga_'s goto payload of <s>asdf since it's small, easily searchable, and the strike-through text is more noticeable.

Фото профиля Anton

Anton2 лет назад

In case your sink is innerHTML, but you still need to load <script> use this: <iframe srcdoc="<script src=''></script>"></iframe> Last time I saw this trick in @bbuerhaus article

Фото профиля Bug Bounty Reports Explained

Bug Bounty Reports Explained2 лет назад

@bbuerhaus Yes, I've used for actually exploiting the innerHTML XSS but not for detecting it.

Фото профиля Olajeedae Jr 🇳🇬

Olajeedae Jr 🇳🇬2 лет назад

Learnt this the hard way on hacker101 CTF

Фото профиля Mr. Robot.txt

Mr. Robot.txt2 лет назад

That brings me to the question that has been bugging me for a while now (Noob here) When you payload is being encoded, is that the end of the road? Cause usually i get stuck at this point

Фото профиля Bug Bounty Reports Explained

Bug Bounty Reports Explained2 лет назад

yes, encoding is a proper defence against xss and there's nothing you can do

Фото профиля Bug Bounty Reports Explained

Bug Bounty Reports Explained2 лет назад

Event handlers use need the same ''unsafe-inline' directive as inline scripts so what you say doesn't make sense.

Похожие видео

What do drivers do at testing when they’re not testing? 🤔

What do drivers do at testing when they’re not testing? 🤔

Mercedes-AMG PETRONAS F1 Team

44,096 просмотров • 3 месяцев назад

My name's Patty. I'll be testing you. When you do good, I use the green pen. When you do bad, I use the red pen. Any questions?

My name's Patty. I'll be testing you. When you do good, I use the green pen. When you do bad, I use the red pen. Any questions?

Simpsons Daily Glavins

39,070 просмотров • 22 дней назад

introducing Live Previews for YOUR website in tweakcn customize your shadcn site's theme in real-time by simply adding a script tag. no need to go back and forth when testing themes!

introducing Live Previews for YOUR website in tweakcn customize your shadcn site's theme in real-time by simply adding a script tag. no need to go back and forth when testing themes!

Sahaj

91,057 просмотров • 8 месяцев назад

I said I'm going to publish a technical article on how to test newsletter subscription functionality for BAC/XSS, I'll just drop it here instead; before we jump into testing these "newsletter subscription" features, we need to find them; here's a dork I use to find them [ site: ("subscribe"|"newsletter"|"unsubscribe") ]... most hackers don't look into these features, so this is a good opportunity; you can find vulnerabilities like XSS, IDOR/BAC, and even SQLi. In some cases the form only asks for your email, no name, country, etc. That doesn't stop you from testing XSS, but it can make IDOR testing harder to spot... if the email you enter is reflected back on the page, that's a great vector to test for XSS.

I said I'm going to publish a technical article on how to test newsletter subscription functionality for BAC/XSS, I'll just drop it here instead; before we jump into testing these "newsletter subscription" features, we need to find them; here's a dork I use to find them [ site: ("subscribe"|"newsletter"|"unsubscribe") ]... most hackers don't look into these features, so this is a good opportunity; you can find vulnerabilities like XSS, IDOR/BAC, and even SQLi. In some cases the form only asks for your email, no name, country, etc. That doesn't stop you from testing XSS, but it can make IDOR testing harder to spot... if the email you enter is reflected back on the page, that's a great vector to test for XSS.

Gospel

12,567 просмотров • 7 месяцев назад

They use the same tired, tried-and-tested script… WHY DO THE AMERICAN PUBLIC FALL FOR IT AGAIN. AND AGAIN. AND AGAIN‼️

They use the same tired, tried-and-tested script… WHY DO THE AMERICAN PUBLIC FALL FOR IT AGAIN. AND AGAIN. AND AGAIN‼️

Earth Hippy 🌎🕊️💚

33,016 просмотров • 5 месяцев назад

When learning Japanese do NOT use Duolingo!🚫

When learning Japanese do NOT use Duolingo!🚫

SephirothSword57 🇯🇵

16,698,920 просмотров • 11 месяцев назад

Why do we not use the proper name for other countries?

Why do we not use the proper name for other countries?

Geoff Norcott

14,806 просмотров • 5 месяцев назад

AI voice acting. AI script writing. How do you feel when you know AI is being use in huge parts of the game you are playing? Vtuber: Yomi Quinnley

AI voice acting. AI script writing. How do you feel when you know AI is being use in huge parts of the game you are playing? Vtuber: Yomi Quinnley

Hiokleo 💀🎟️🌸 Horror Vtuber

21,849 просмотров • 1 год назад

Do not use extensions for this please!

Do not use extensions for this please!

Aproko Doctor Global

953,291 просмотров • 8 месяцев назад

- "Use GD Script!!!" - "Godot can't do 3D" - "Godot's Physics system is terrible" oh...

- "Use GD Script!!!" - "Godot can't do 3D" - "Godot's Physics system is terrible" oh...

Barji

54,965 просмотров • 2 лет назад

do not turn up the volume do not use headphones 😭

Sensitive content

do not turn up the volume do not use headphones 😭

sim

163,942 просмотров • 9 месяцев назад

#BiologicallyDefeated use the same script as #DickPoliceUnit & #BlackMenDefenseForce “Good for me but not for you & we’ll pretend like it’s not happening until caught, then there are valid reasons why” Did they plan this together?!

Sensitive content

#BiologicallyDefeated use the same script as #DickPoliceUnit & #BlackMenDefenseForce “Good for me but not for you & we’ll pretend like it’s not happening until caught, then there are valid reasons why” Did they plan this together?!

‎ Anos Voldigoad V

168,383 просмотров • 1 месяц назад

Wow, this is crazy. 40% of those being tested for paternity at these DNA testing centers, the man ends up not being the father of the child. How large do you think that number is when you factor in people not getting tested?

Wow, this is crazy. 40% of those being tested for paternity at these DNA testing centers, the man ends up not being the father of the child. How large do you think that number is when you factor in people not getting tested?

Women Being Awful

680,892 просмотров • 1 год назад

PentestGPT can now find XSS vulnerabilities for you!

PentestGPT can now find XSS vulnerabilities for you!

HackerAI

69,087 просмотров • 1 год назад

Myles Lewis-Skelly: "We just want to embrace 'title favourites' (tag), use it for us, not against us!" [TNT]

Myles Lewis-Skelly: "We just want to embrace 'title favourites' (tag), use it for us, not against us!" [TNT]

AfcVIP⁴⁹

305,398 просмотров • 4 месяцев назад

The 4th of July fireworks show in Long Beach celebrating 250 years of independence has been CANCELLED by Gavin Newsom’s California Coastal Commission Newsom’s commission says fireworks pollute the water, despite the organizer showing 10 YEARS of testing proving this false Despite the testing, the Coastal Commission said the fireworks show is too environmentally unfriendly “We do not pollute the water. We do not affect wildlife. We've done testing for 10 years.” “Kids are gonna be devastated when I go home and tell them this news.”

The 4th of July fireworks show in Long Beach celebrating 250 years of independence has been CANCELLED by Gavin Newsom’s California Coastal Commission Newsom’s commission says fireworks pollute the water, despite the organizer showing 10 YEARS of testing proving this false Despite the testing, the Coastal Commission said the fireworks show is too environmentally unfriendly “We do not pollute the water. We do not affect wildlife. We've done testing for 10 years.” “Kids are gonna be devastated when I go home and tell them this news.”

Wall Street Apes

343,895 просмотров • 1 месяц назад

🚨$100 GIVEAWAY 🚨 Bro said “do $2K Super buy for the Content” 🔥 Generated straight cinema and gave away over $2K 😎 Drop your username + tag 3 friends Not registered? Use code LittleKid W Shuffle.com

🚨$100 GIVEAWAY 🚨 Bro said “do $2K Super buy for the Content” 🔥 Generated straight cinema and gave away over $2K 😎 Drop your username + tag 3 friends Not registered? Use code LittleKid W Shuffle.com

LittleKid

15,800 просмотров • 2 месяцев назад

Yeeeeah you could manually figure out a payload for DOM XSS... or you could just ask Burp AI to do it for you.

Yeeeeah you could manually figure out a payload for DOM XSS... or you could just ask Burp AI to do it for you.

Burp Suite

19,365 просмотров • 7 месяцев назад

Nikol Pashinyan: "When we are upset that some people use the term 'Western Azerbaijan,' but when we use 'Western Armenia,' do we not think that it might irritate some people? We are irritated when they use 'Western Azerbaijan,' just as they are irritated when we use 'Western Armenia.'"

Nikol Pashinyan: "When we are upset that some people use the term 'Western Azerbaijan,' but when we use 'Western Armenia,' do we not think that it might irritate some people? We are irritated when they use 'Western Azerbaijan,' just as they are irritated when we use 'Western Armenia.'"

Prince du Karabaque

31,847 просмотров • 1 год назад