2021-07-31

[public] 37.4K views, 8.94K likes, 46.0 dislikes audio only

LiveOverflow

... and use alert(document.domain) or alert(window.origin) instead.

Blog post: https://liveoverflow.com/do-not-use-alert-1-in-xss/

Sponsored by Google for their Bug Hunter University: https://bughunters.google.com/learn/invalid-reports/web-platform/xss/5108550411747328

00:00 - Intro

00:47 - Why Do We Use Alert(1) for XSS?

02:25 - alert(1) Popup is NOT Proof of a Vulnerability!

03:07 - Invalid XSS Example 1 on Blogger

04:43 - Sandbox Subdomains

06:27 - Sandboxed iframes

08:29 - Invalid XSS Example 2 on Google Sites

09:50 - Why Should You Care About Invalid XSS Issues?

10:55 - Summary

11:55 - Outro

-=[ ❤️ Support ]=-

→ per Video: https://www.patreon.com/join/liveoverflow

→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ 🐕 Social ]=-

→ Twitter: https://twitter.com/LiveOverflow/

→ Website: https://liveoverflow.com/

→ Subreddit: https://www.reddit.com/r/LiveOverflow/

→ Facebook: https://www.facebook.com/LiveOverflow/