Chaining Script Gadgets to Full XSS - All The Little Things 2/2 (web) Google CTF 2020
In the second part we are building on top of what we have learned. We figure out how to craft something special out of a very limited script gadget. Eventually we can use it to leak the secret notes ID and notes content.
Part 1: https://www.youtube.com/watch?v=dZXaQKEE3A8
Challenge: https://capturetheflag.withgoogle.com/challenges/web-littlethings
Pasteurize: https://www.youtube.com/watch?v=Tw7ucd2lKBk
00:00 - Recap Part 1
00:20 - Start of the Attack Chain
00:54 - Control the Theme Callback
02:29 - Prior JSONP Capability Research
04:40 - innerHTML Breakthrough
06:13 - Content Security Policy Fail
07:19 - iframe CSP Bypass
08:31 - The Solution
10:09 - Chaining Three Gadgets
11:34 - Researching Cool XSS Techniques
12:00 - Solving the Challenge
13:25 - Outro
-=[ ❤️ Support ]=-
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
Video "Chaining Script Gadgets to Full XSS - All The Little Things 2/2 (web) Google CTF 2020" from the LiveOverflow channel