XSS on Google Search - Sanitizing HTML in The Client?

Channel:

Subscribers:

920,000

Published on March 31, 2019 11:57:21 AM ● Video Link: https://www.youtube.com/watch?v=lG7U3fuNw3A

Duration: 12:58

683,158 views

16,688

An actual XSS on google.com by Masato Kinugawa. It abuses a parsing differential between a JavaScript enabled and disabled context.

The fix: https://github.com/google/closure-library/commit/c79ab48e8e962fee57e68739c00e16b9934c0ffa

-=[ ❤️ Support ]=-

→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ 🐕 Social ]=-

→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/

-=[ 📄 P.S. ]=-

All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.

Other Videos By LiveOverflow

2019-06-02	The Butterfly of JSObject
2019-05-26	Hacking Browsers - Setup and Debug JavaScriptCore / WebKit
2019-05-19	New Series: Getting Into Browser Exploitation - browser 0x00
2019-05-12	The Origin of Script Kiddie - Hacker Etymology
2019-05-05	Unpacking Redaman Malware & Basics of Self-Injection Packers - ft. OALabs
2019-04-28	Business, Money, 300k Subscribers and What's Next
2019-04-21	GitLab 11.4.7 Remote Code Execution - Real World CTF 2018
2019-04-14	Fuzzing Browsers for weird XSS Vectors
2019-04-07	How did Masato find the Google Search XSS?
2019-04-01	[Live] Pen-Testing and Story Time
2019-03-31	XSS on Google Search - Sanitizing HTML in The Client?
2019-03-24	Weird Return-Oriented Programming Tutorial - bin 0x2A
2019-03-17	Introducing Weird Machines: ROP Differently Explaining part 1 - bin 0x29
2019-03-10	Ethereum Smart Contract Backdoored Using Malicious Constructor
2019-03-06	[Live] GHIDRA HYPE!! - NSA Reverse Engineering Tool
2019-03-03	Rediscovering the f00dbabe Firmware Update Issue - Hardware Wallet Research #7
2019-02-24	Analysing a Firefox Malware browserassist.dll - FLARE-On 2018
2019-02-17	What is a Security Vulnerability?
2019-02-11	Games & Results: Gynvael's Winter GameDev Challenge 2018/19
2019-02-10	APDU Communication between Device and Host - Hardware Wallet Research #6
2019-02-05	Forensics with fls, Volatility and Timeline Explorer - ft. 13cubed

Tags:

Live Overflow

liveoverflow

hacking tutorial

how to hack

exploit tutorial

xss

cross-site scripting

html

sanitization

encoding

browser

masato

cure53

google

gws

google search

parser differential

javascript

mxss

mutation xss

dom xss

template

div

parsing

context

javascript disabled

noscript

script

regex

html parser

dompurify