All-Army CyberStakes! Cross-Site Scripting Filter Evasion

I quite enjoyed that.

love this can you suggest any other XSS ctfs?

can you make a video how to make different types of payloads?

Can anyone explain how he made a request sending the dictionary and it injected the code?

You are just awesome bro !!!!!!!!!!!!

Best of its kind
Thanks so much mentor

You are amazing 😀

TIL: he doesn't know javascript syntax

Where u learn python for cyber security

That was so epic man 🤘🏼🤘🏼

Man, john looking forward to "python primer for hackers!" great stuff keep it up.

this is amazing man

What is your primary job? I noticed you have to be in mil to do this challenge. I'm in the Army myself

Great video.I want to block my mobile carrirer xss protection to have free internet.give me an idea please.

Nice()

Dude quality stuff 👌👌👌

great video and I love your unique way in solving the challenge with python but couldn't you have don all this with burp suite ?

This is awesome.

I know it's old but I've been binging your videos and bro, just amazing. The use of python to wreck like everything makes me sooo sooo happy.. I've literally understood coding 1000% better just watching your content.

Man 😍

I think I have to leave bash and start python🐍🐍

Your videos are priceless. You don't just show the attack but also the process and the evolving of ideas while designing the attack. 
Premium content, thank you really.

really enjoyed this!!!

I know I'm late on this one, but I'm just binging on your old stuff at 2:30am. The backticks allow you to use ES6 syntax to create a template literal, previously referred to as a template string I believe.

So instead of:
var name = "Nick"
var output = "My name is" + name
alert(output) // outputs "My name is Nick"

We can use name and change output to:
var output = `My name is ${name}`
Our alert will produce the same result without needing to concatenate the string and variable and eliminates the need for using quotes for the string. This is a very simple example, but when you need to concatenate a lot of stuff it saves a bunch of time. It also apparently helps to make this attack work which is super cool.

That Was awesome <३

Couldn't you just do "document.cookie" with the browser dev tools? Why create a script to send this info to your server?
To whom actually belong that session?

I see myself there doing PT with my client application finding all possible xyz. Exactly, I got that PT feel bro..🍻🔥

Wowww, that was awesome!!!!! <3 Thanks a lot!

`b to a` and `a to b`

So basically if you don't have a server on the internet, you're SOL?

incredible sir i really loved it and please keep coming these videos

This was so informative and beautiful in a short video 👌

Binging on your content. Love seeing your thought process as you run into roadblocks.

I love how John teaches the subject. He most likely already knows the answer, but knows that showing the methodology is more important. Trying different things, failing sometimes, then finally winning, are what makes a good hacker.

One of best ctf question i’ve ever seen so far. Also great solution! Congrats John

Amazing video man !! new sub and like , more XSS videos !!!!
Do you give a course on udemy or something like that on web hacking? If not, it would be great, we would all buy it

Bro how are u today? I am anonymous haha

Bro where script code phyton this video

I would have never thought about that base64 and atob(), nice little trick to bypass filters to keep in my pocket! Great fun lab!

I love how you approach the problem... it is excellent..

also how do you get the output of python in new window.. by default it opens in a panel...

Teacher

What I would do is make the string the fragment and pull it from there

el verdadero proceso de un hacker , investigar , persistir , evadir los obstaculos .... te ganaste un subscriptor bro , buen video

That ad at 18 minutes was 🤌🏼

Hey John, wondering if you can expand on your CORS comments from the end of the video. You mention that when a script from the target site tries to reach out to the attacker's site, you can see a CORS error. However, isn't that error entirely in the attacker's control? Couldn't you have returned the right CORS headers from your server to allow the request through?

I rather had idea lile h1 on dom content full load do function :3

sir start a series on python like solving CTF on python its gonna be really fun ❤

seeing you hacking made me love hacking very much.