
XSSI - Google Gruyere // Cross Site Script Inclusion // walk-through

Disclaimer

This video is for educational purposes only. I did not harm anyone; I just do CTFs, make walkthroughs of them, and explain the method used here. So please don't use this, because hacking is a crime, and if you do it, it can land you in jail.
I do not support any kind of illegal or malicious hacking.
--------------------------------------------

Cross Site Script Inclusion (XSSI)
Browsers prevent pages of one domain from reading pages in other domains. But they do not prevent pages of a domain from referencing resources in other domains. In particular, they allow images to be rendered from other domains and scripts to be executed from other domains. An included script doesn't have its own security context. It runs in the security context of the page that included it. For example, if www.evil.example.com includes a script hosted on www.google.com then that script runs in the evil context not in the google context. So any user data in that script will "leak."
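
The leak described above depends on the response being valid script syntax, which a server owner can check for and prevent. The following is an added example, not code from the video or from Gruyere: it flags response bodies that would compile as a script when included from another origin, and serves per-user JSON in a form that does not. The `)]}'` prefix, the `renderData` callback name, the paths and the sample data are assumptions constructed for illustration.

```javascript
// Added example. All names, paths and sample bodies are constructed.
const XSSI_PREFIX = ")]}'\n"; // non-executable prefix (assumed convention)

// True if the body compiles as JavaScript, meaning a <script src=...> on
// another origin could run it in that page's security context.
// new Function() only compiles here; the function is never called.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side: serialize per-user data so it cannot be executed as a script.
function protectJson(data) {
  return {
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff", // browser refuses non-JS MIME types for scripts
    },
    body: XSSI_PREFIX + JSON.stringify(data),
  };
}

// Same-origin client: read the response as text, strip the prefix, then parse.
function parseProtected(text) {
  if (!text.startsWith(XSSI_PREFIX)) throw new Error("missing XSSI prefix");
  return JSON.parse(text.slice(XSSI_PREFIX.length));
}

// Audit helper: return the paths whose bodies carry data in executable form.
function auditResponses(samples) {
  return samples.filter((s) => parsesAsScript(s.body)).map((s) => s.path);
}

const secret = { private_snippet: "constructed sample value" };
const samples = [
  // Callback-wrapped data: valid script, runs in the including page's context.
  { path: "/feed.js", body: "renderData(" + JSON.stringify(secret) + ")" },
  // Bare JSON array: also valid script syntax.
  { path: "/list.json", body: JSON.stringify(["a", "b"]) },
  // Prefixed JSON: a syntax error when loaded as a script.
  { path: "/safe.json", body: protectJson(secret).body },
];
console.log(auditResponses(samples)); // [ '/feed.js', '/list.json' ]
```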

XSSI Challenge
Find a way to read someone else's private snippet using XSSI.

That is, create a page on another web site and put something in that page that can read your private snippet. (You don't need to post it to a web site: you can just create a .html in your home directory and double click on it to open in a browser.)

------------------------------
#yesspider

please support me on patreon
https://www.patreon.com/yesspider
https://github.com/yesspider-hacker

https://twitter.com/yesspider1

--------------------------------------------------

Video "XSSI - Google Gruyere // Cross Site Script Inclusion // walk-through" from the Yesspider channel
Video information
14 February 2021, 8:45:01
00:08:49