Failed DOM Clobbering Research - All The Little Things 1/2 (web) Google CTF 2020

Channel:

Subscribers:

920,000

Published on September 28, 2020 7:39:32 PM ● Video Link: https://www.youtube.com/watch?v=dZXaQKEE3A8

Duration: 10:21

27,789 views

1,273

All The Little Things was a pretty hard web challenge from the Google CTF 2020. In this video we do some initial recon and research and try to find an angle to attack. Part 1/2.

Challenge: https://capturetheflag.withgoogle.com/challenges/web-littlethings
Pasteurize: https://www.youtube.com/watch?v=Tw7ucd2lKBk

00:00 - Intro
00:50 - Functionality Overview
01:29 - HTML Injection
02:25 - Making a Plan
02:50 - theme.js Discovering JSONP Endpoint
03:51 - user.js The User Class
04:23 - utils.js Start of Chain
04:44 - No Ideas...
05:07 - DOM Clobbering: window.load_debug
06:05 - Doing Security Research
07:25 - Anything else to clobber?
07:49 - Start from beginning, discover __debug__
08:10 - The load_debug() function
09:20 - window.name is special
09:41 - Try it yourself!
10:00 - Outro

-=[ ❤️ Support ]=-

→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ 🐕 Social ]=-

→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/

-=[ 📄 P.S. ]=-

Other Videos By LiveOverflow

2021-01-22	Reading Kernel Source Code - Analysis of an Exploit
2021-01-10	Kernel Root Exploit via a ptrace() and execve() Race Condition
2020-12-24	IT Security Career Advice
2020-12-01	My Life in Short/Shirt Stories - The Time I Learned PenSpinning (~2007-2009) - Shirt Stories #1
2020-11-26	Solving Nintendo HireMe!!! with "Basic" Math
2020-11-19	Nintendo Hire me!!!!!!!!
2020-11-07	How Hacking Actually Looks Like - ALLES! CTF Team in Real Time
2020-10-26	What is a File Format?
2020-10-18	Guessing vs. Not Knowing in Hacking and CTFs
2020-10-08	Chaining Script Gadgets to Full XSS - All The Little Things 2/2 (web) Google CTF 2020
2020-09-28	Failed DOM Clobbering Research - All The Little Things 1/2 (web) Google CTF 2020
2020-09-18	XSS on the Wrong Domain T_T - Tech Support (web) Google CTF 2020
2020-09-09	XSS a Paste Service - Pasteurize (web) Google CTF 2020
2020-09-01	Why Hackers Love the Number 1,094,795,585
2020-08-25	FPGA simulated on a GPU - GPURTL Google CTF Finals 2019 (reversing)
2020-08-21	Winners of Google Capture-The-Flag Finals 2019 🏳️
2020-08-16	Defusing a Bomb at Google London HQ - Having a Blast Google CTF Finals 2019 (hardware)
2020-08-12	Google CTF Finals 2019!
2020-08-08	Bug Hunter Talks & Init.G for Student - Escal8 2019 Day 2
2020-07-31	Script Gadgets! Google Docs XSS Vulnerability Walkthrough
2020-07-21	VLC Kill Bill: Easter Egg Reverse Engineering

Tags:

Live Overflow

liveoverflow

hacking tutorial

how to hack

exploit tutorial

google ctf

all the little things

xss

csrf

csp

dom clobbering

dom xss

debug

javascript

walkthrough

writeup

video writeup

recon

reading code

code walk

source code

jsonp

prototype