LiveOverflow | Chaining Script Gadgets to Full XSS - All The Little Things 2/2 (web) Google CTF 2020 @LiveOverflow | Uploaded 4 years ago | Updated 1 hour ago
In the second part we are building on top of what we have learned. We figure out how to craft something special out of a very limited script gadget. Eventually we can use it to leak the secret notes ID and notes content.
Part 1: youtube.com/watch?v=dZXaQKEE3A8
Challenge: capturetheflag.withgoogle.com/challenges/web-littlethings
Pasteurize: youtube.com/watch?v=Tw7ucd2lKBk
00:00 - Recap Part 1
00:20 - Start of the Attack Chain
00:54 - Control the Theme Callback
02:29 - Prior JSONP Capability Research
04:40 - innerHTML Breakthrough
06:13 - Content Security Policy Fail
07:19 - iframe CSP Bypass
08:31 - The Solution
10:09 - Chaining Three Gadgets
11:34 - Researching Cool XSS Techniques
12:00 - Solving the Challenge
13:25 - Outro
-=[ β€οΈ Support ]=-
β per Video: patreon.com/join/liveoverflow
β per Month: youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ π Social ]=-
β Twitter: twitter.com/LiveOverflow
β Website: liveoverflow.com
β Subreddit: reddit.com/r/LiveOverflow
β Facebook: facebook.com/LiveOverflow
In the second part we are building on top of what we have learned. We figure out how to craft something special out of a very limited script gadget. Eventually we can use it to leak the secret notes ID and notes content.
Part 1: youtube.com/watch?v=dZXaQKEE3A8
Challenge: capturetheflag.withgoogle.com/challenges/web-littlethings
Pasteurize: youtube.com/watch?v=Tw7ucd2lKBk
00:00 - Recap Part 1
00:20 - Start of the Attack Chain
00:54 - Control the Theme Callback
02:29 - Prior JSONP Capability Research
04:40 - innerHTML Breakthrough
06:13 - Content Security Policy Fail
07:19 - iframe CSP Bypass
08:31 - The Solution
10:09 - Chaining Three Gadgets
11:34 - Researching Cool XSS Techniques
12:00 - Solving the Challenge
13:25 - Outro
-=[ β€οΈ Support ]=-
β per Video: patreon.com/join/liveoverflow
β per Month: youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ π Social ]=-
β Twitter: twitter.com/LiveOverflow
β Website: liveoverflow.com
β Subreddit: reddit.com/r/LiveOverflow
β Facebook: facebook.com/LiveOverflow
