Video yükleniyor...

Video Yüklenemedi

Bu video yüklenirken bir sorun oluştu. Bu geçici bir ağ sorunundan kaynaklanıyor olabilir veya video kullanılamıyor olabilir.

Ana Sayfaya Dön

Do not use the script tag when testing for XSS

Bug Bounty Reports Explained

54,188 subscribers

41,260 görüntüleme • 2 yıl önce •via X (Twitter)

Haberler & Politika Bilim & Teknoloji Eğitim

Anya Rossi• Live Now

Private livecam show

7 Yorum

Tib3rius profil fotoğrafı

Tib3rius2 yıl önce

Better advice would be to not use exploit payloads for XSS detection in the first place, IMO. I personally like @cinzinga_'s goto payload of <s>asdf since it's small, easily searchable, and the strike-through text is more noticeable.

Anton profil fotoğrafı

Anton2 yıl önce

In case your sink is innerHTML, but you still need to load <script> use this: <iframe srcdoc="<script src=''></script>"></iframe> Last time I saw this trick in @bbuerhaus article

Bug Bounty Reports Explained profil fotoğrafı

Bug Bounty Reports Explained2 yıl önce

@bbuerhaus Yes, I've used for actually exploiting the innerHTML XSS but not for detecting it.

Olajeedae Jr 🇳🇬 profil fotoğrafı

Olajeedae Jr 🇳🇬2 yıl önce

Learnt this the hard way on hacker101 CTF

Mr. Robot.txt profil fotoğrafı

Mr. Robot.txt2 yıl önce

That brings me to the question that has been bugging me for a while now (Noob here) When you payload is being encoded, is that the end of the road? Cause usually i get stuck at this point

Bug Bounty Reports Explained profil fotoğrafı

Bug Bounty Reports Explained2 yıl önce

yes, encoding is a proper defence against xss and there's nothing you can do

Bug Bounty Reports Explained profil fotoğrafı

Bug Bounty Reports Explained2 yıl önce

Event handlers use need the same ''unsafe-inline' directive as inline scripts so what you say doesn't make sense.

Benzer Videolar

What do drivers do at testing when they’re not testing? 🤔

What do drivers do at testing when they’re not testing? 🤔

Mercedes-AMG PETRONAS F1 Team

44,096 görüntüleme • 3 ay önce

My name's Patty. I'll be testing you. When you do good, I use the green pen. When you do bad, I use the red pen. Any questions?

My name's Patty. I'll be testing you. When you do good, I use the green pen. When you do bad, I use the red pen. Any questions?

Simpsons Daily Glavins

39,070 görüntüleme • 21 gün önce

introducing Live Previews for YOUR website in tweakcn customize your shadcn site's theme in real-time by simply adding a script tag. no need to go back and forth when testing themes!

introducing Live Previews for YOUR website in tweakcn customize your shadcn site's theme in real-time by simply adding a script tag. no need to go back and forth when testing themes!

Sahaj

91,057 görüntüleme • 8 ay önce

I said I'm going to publish a technical article on how to test newsletter subscription functionality for BAC/XSS, I'll just drop it here instead; before we jump into testing these "newsletter subscription" features, we need to find them; here's a dork I use to find them [ site: ("subscribe"|"newsletter"|"unsubscribe") ]... most hackers don't look into these features, so this is a good opportunity; you can find vulnerabilities like XSS, IDOR/BAC, and even SQLi. In some cases the form only asks for your email, no name, country, etc. That doesn't stop you from testing XSS, but it can make IDOR testing harder to spot... if the email you enter is reflected back on the page, that's a great vector to test for XSS.

I said I'm going to publish a technical article on how to test newsletter subscription functionality for BAC/XSS, I'll just drop it here instead; before we jump into testing these "newsletter subscription" features, we need to find them; here's a dork I use to find them [ site: ("subscribe"|"newsletter"|"unsubscribe") ]... most hackers don't look into these features, so this is a good opportunity; you can find vulnerabilities like XSS, IDOR/BAC, and even SQLi. In some cases the form only asks for your email, no name, country, etc. That doesn't stop you from testing XSS, but it can make IDOR testing harder to spot... if the email you enter is reflected back on the page, that's a great vector to test for XSS.

Gospel

12,567 görüntüleme • 7 ay önce

They use the same tired, tried-and-tested script… WHY DO THE AMERICAN PUBLIC FALL FOR IT AGAIN. AND AGAIN. AND AGAIN‼️

They use the same tired, tried-and-tested script… WHY DO THE AMERICAN PUBLIC FALL FOR IT AGAIN. AND AGAIN. AND AGAIN‼️

Earth Hippy 🌎🕊️💚

33,016 görüntüleme • 5 ay önce

When learning Japanese do NOT use Duolingo!🚫

When learning Japanese do NOT use Duolingo!🚫

SephirothSword57 🇯🇵

16,698,920 görüntüleme • 11 ay önce

Why do we not use the proper name for other countries?

Why do we not use the proper name for other countries?

Geoff Norcott

14,806 görüntüleme • 5 ay önce

AI voice acting. AI script writing. How do you feel when you know AI is being use in huge parts of the game you are playing? Vtuber: Yomi Quinnley

AI voice acting. AI script writing. How do you feel when you know AI is being use in huge parts of the game you are playing? Vtuber: Yomi Quinnley

Hiokleo 💀🎟️🌸 Horror Vtuber

21,849 görüntüleme • 1 yıl önce

Do not use extensions for this please!

Do not use extensions for this please!

Aproko Doctor Global

953,288 görüntüleme • 8 ay önce

- "Use GD Script!!!" - "Godot can't do 3D" - "Godot's Physics system is terrible" oh...

- "Use GD Script!!!" - "Godot can't do 3D" - "Godot's Physics system is terrible" oh...

Barji

54,965 görüntüleme • 2 yıl önce

do not turn up the volume do not use headphones 😭

Sensitive content

do not turn up the volume do not use headphones 😭

sim

163,942 görüntüleme • 9 ay önce

PentestGPT can now find XSS vulnerabilities for you!

PentestGPT can now find XSS vulnerabilities for you!

HackerAI

69,087 görüntüleme • 1 yıl önce

#BiologicallyDefeated use the same script as #DickPoliceUnit & #BlackMenDefenseForce “Good for me but not for you & we’ll pretend like it’s not happening until caught, then there are valid reasons why” Did they plan this together?!

Sensitive content

#BiologicallyDefeated use the same script as #DickPoliceUnit & #BlackMenDefenseForce “Good for me but not for you & we’ll pretend like it’s not happening until caught, then there are valid reasons why” Did they plan this together?!

‎ Anos Voldigoad V

167,329 görüntüleme • 1 ay önce

Wow, this is crazy. 40% of those being tested for paternity at these DNA testing centers, the man ends up not being the father of the child. How large do you think that number is when you factor in people not getting tested?

Wow, this is crazy. 40% of those being tested for paternity at these DNA testing centers, the man ends up not being the father of the child. How large do you think that number is when you factor in people not getting tested?

Women Being Awful

680,892 görüntüleme • 1 yıl önce

Myles Lewis-Skelly: "We just want to embrace 'title favourites' (tag), use it for us, not against us!" [TNT]

Myles Lewis-Skelly: "We just want to embrace 'title favourites' (tag), use it for us, not against us!" [TNT]

AfcVIP⁴⁹

305,398 görüntüleme • 4 ay önce

The 4th of July fireworks show in Long Beach celebrating 250 years of independence has been CANCELLED by Gavin Newsom’s California Coastal Commission Newsom’s commission says fireworks pollute the water, despite the organizer showing 10 YEARS of testing proving this false Despite the testing, the Coastal Commission said the fireworks show is too environmentally unfriendly “We do not pollute the water. We do not affect wildlife. We've done testing for 10 years.” “Kids are gonna be devastated when I go home and tell them this news.”

The 4th of July fireworks show in Long Beach celebrating 250 years of independence has been CANCELLED by Gavin Newsom’s California Coastal Commission Newsom’s commission says fireworks pollute the water, despite the organizer showing 10 YEARS of testing proving this false Despite the testing, the Coastal Commission said the fireworks show is too environmentally unfriendly “We do not pollute the water. We do not affect wildlife. We've done testing for 10 years.” “Kids are gonna be devastated when I go home and tell them this news.”

Wall Street Apes

343,895 görüntüleme • 1 ay önce

🚨$100 GIVEAWAY 🚨 Bro said “do $2K Super buy for the Content” 🔥 Generated straight cinema and gave away over $2K 😎 Drop your username + tag 3 friends Not registered? Use code LittleKid W Shuffle.com

🚨$100 GIVEAWAY 🚨 Bro said “do $2K Super buy for the Content” 🔥 Generated straight cinema and gave away over $2K 😎 Drop your username + tag 3 friends Not registered? Use code LittleKid W Shuffle.com

LittleKid

15,800 görüntüleme • 2 ay önce

Yeeeeah you could manually figure out a payload for DOM XSS... or you could just ask Burp AI to do it for you.

Yeeeeah you could manually figure out a payload for DOM XSS... or you could just ask Burp AI to do it for you.

Burp Suite

19,365 görüntüleme • 7 ay önce

Nikol Pashinyan: "When we are upset that some people use the term 'Western Azerbaijan,' but when we use 'Western Armenia,' do we not think that it might irritate some people? We are irritated when they use 'Western Azerbaijan,' just as they are irritated when we use 'Western Armenia.'"

Nikol Pashinyan: "When we are upset that some people use the term 'Western Azerbaijan,' but when we use 'Western Armenia,' do we not think that it might irritate some people? We are irritated when they use 'Western Azerbaijan,' just as they are irritated when we use 'Western Armenia.'"

Prince du Karabaque

31,847 görüntüleme • 1 yıl önce