🎬 Fartik

Featured in: EP 230 - How To Test Prevention XSS Attack
▶️ Fartik: How To Test Prevention XSS Attack (Zainboar, Kartikboar)

Subtitles

0:00:12
[Music]
0:00:26
what is going on guys welcome back to
0:00:28
another session on Build, Break and Fix
0:00:31
brought to you by
0:00:32
today the two of the roar coders
0:00:35
and one roar coder is back
0:00:39
welcome back okay once again
0:00:42
thank you
0:00:42
good to have you back as well always
0:00:45
good to be back
0:00:47
fantastic fantastic all right
0:00:50
um
0:00:52
i just have to say that whenever i look
0:00:55
at your background is that kind of the
0:00:58
lightning stuff and everything is that
0:01:00
professionally done that i almost
0:01:03
think there's some kind of a picture
0:01:05
that you put on the background
0:01:08
no no it's just uh
0:01:10
um you know i was fortunate enough to
0:01:12
like
0:01:13
like i don't know when i used to stream
0:01:15
before this right
0:01:17
the light doesn't use to flicker
0:01:19
and now it flickers and it flickers like
0:01:21
the right amount so it looks good yeah
0:01:23
yeah abs
0:01:25
absolutely i couldn't agree more but i
0:01:28
think i could stop the flickering
0:01:30
if i reduce the frame rate
0:01:32
on my camera
0:01:34
ah okay
0:01:36
now i reckon probably
0:01:38
leave it in that way because it does add
0:01:41
up a beautiful
0:01:43
professional touch
0:01:45
yeah yeah pretty much
0:01:47
yeah um
0:01:49
welcome gekko
0:01:51
good to have you
0:01:52
um right
0:01:54
so
0:01:56
first thing is first let's do the
0:01:58
knowledge you know the country and pay
0:02:00
our respects to their elders of the past
0:02:02
present and future
0:02:04
so here we go
0:02:08
i begin today by acknowledging the
0:02:10
traditional custodians of the land on
0:02:12
which we gather today and pay my
0:02:14
respects to the elders past present and
0:02:17
future i extend their respect to
0:02:20
aboriginal and torres strait islander
0:02:22
people here today
0:02:24
all right
0:02:26
that was smoothly done
0:02:28
once again
0:02:30
so
0:02:32
um
0:02:33
so yeah
0:02:35
just a bit of a context
0:02:37
do you know from the last stream what
0:02:39
we're doing okay
0:02:41
um yesterday's stream or
0:02:43
day before um the day before yesterday
0:02:48
um i think we were just trying to start
0:02:49
it up and
0:02:50
generally
0:02:52
yeah
0:02:52
yes
0:02:54
but i i wasn't able to watch yesterday's
0:02:56
stream i think you were i read the title
0:02:59
it was about the xss um
0:03:02
tag thing right yes so
0:03:06
um
0:03:07
because the code wasn't uh
0:03:10
the code wasn't pushed
0:03:12
um the day before
0:03:14
when we were working on it so yes today
0:03:18
what i basically did
0:03:20
was um
0:03:22
i
0:03:22
kind of
0:03:24
rewrote them
0:03:25
re rather
0:03:27
rewrote the code based on the logic that
0:03:29
i
0:03:30
understand it
0:03:33
and
0:03:34
i already deployed it but
0:03:36
i didn't really know how to test so that
0:03:39
is what we're going to be
0:03:41
basically
0:03:43
trying to um
0:03:46
try to do the XSS attack ourselves
0:03:49
and see
0:03:50
how does that go
0:03:52
right okay so
0:03:55
brilliant and XSS is the
0:03:58
cross-site scripting attack
0:04:00
yeah
0:04:01
yeah right yeah okay so basically what
0:04:04
happens is that if
0:04:06
you if a user sends
0:04:09
this on
0:04:11
javascript
0:04:13
tags which has some
0:04:15
javascript
0:04:17
in there then um it would do whatever
0:04:20
the user wants the
0:04:22
code to do for example play
0:04:26
fighting noise
0:04:29
right okay
0:04:30
yeah probably not that but yeah yeah
0:04:34
true true
0:04:35
and then gekko is asking
0:04:38
uh are you back narcotic
0:04:41
oh yes i'm trying to do
0:04:43
like a trial sort of a thing um and see
0:04:46
if it fits
0:04:47
uh with work and if i'm not too tired um
0:04:51
but yeah
0:04:52
that's the intention
0:04:54
um so we'll probably decide on a
0:04:55
schedule next week
0:04:59
sounds good but yeah hopefully hopefully
0:05:01
it looks like the project is at the
0:05:03
end stages so that's encouraging
0:05:07
yeah so i'm basically thinking that
0:05:10
this this month we should be able to as
0:05:13
in kind of
0:05:14
just go live as in in protesting
0:05:20
what's next
0:05:23
what's next which project is next
0:05:26
uh which project is next i've got a
0:05:30
project in my mind um i'll
0:05:35
um
0:05:36
i'll tell you guys
0:05:39
about about that when the time comes and
0:05:42
if i actually want to do that project
0:05:46
and
0:05:47
als so it depends if um
0:05:50
the
0:05:53
the guys as in kartik and
0:05:56
tori wanna join me as well because i
0:06:00
think
0:06:01
the projects are best done in good teams
0:06:04
so yeah
0:06:07
so yeah
0:06:10
fantastic
0:06:12
cool
0:06:14
so let's get into action so i'll share
0:06:16
my screen
0:06:19
and um i'll just close all my
0:06:21
notifications because i don't want any
0:06:24
thing to distract me call that is done
0:06:28
and
0:06:29
there we go
0:06:31
um okay i can't share my screen wow
0:06:35
oh you consider
0:06:37
no i cannot share i probably have to go
0:06:40
into
0:06:42
i didn't do some things in the system
0:06:44
preferences
0:06:45
and then and then come back okay okay
0:06:49
let's
0:06:50
leave for now i'll try to get death
0:06:53
perfect
0:06:59
hey
0:07:00
dev how's it going
0:07:05
hopefully you're still there
0:07:12
well it looks like
0:07:15
we do have someone on twitch and i think
0:07:18
you stream like you stream us at twitch
0:07:22
so
0:07:23
or maybe just trying to play with us
0:07:31
wake up get there
0:07:37
yes
0:07:38
did you did you attend the death corps
0:07:40
today morning
0:07:59
i want to check out the
0:08:02
project on
0:08:03
um
0:08:05
github let's see
0:08:12
um
0:08:13
stream nope
0:08:15
yes that's the one
0:08:18
some recorders github
0:08:21
it's kinda cool
0:08:27
hmm
0:08:29
last comment
0:08:32
oh probably not that one
0:08:35
um
0:08:38
let's see
0:08:40
[Music]
0:08:53
scrambled enhancement
0:08:55
19th
0:08:56
feb
0:08:59
yeah probably not down as
0:09:06
well looks like santa's back
0:09:10
hi guys
0:09:11
and
0:09:12
let's try ah
0:09:15
i also twisted my knee earlier on so
0:09:18
it's really good at the moment
0:09:20
what happened you okay
0:09:24
yeah i kind of fell in a really bad way
0:09:26
but um that knee injury that i've got is
0:09:31
kind of
0:09:32
long term but that actually just came
0:09:34
back when then oh
0:09:38
all right
0:09:40
but anyway i think i should be good as
0:09:42
long as i'm sitting down
0:09:45
yeah and give it a good rest
0:09:48
yeah
0:09:49
all right cool so i'll share try and
0:09:51
share my screen now hopefully it works
0:09:53
here we go good work
0:09:57
all right cool so i will open
0:10:00
[Music]
0:10:02
up and then
0:10:06
okay
0:10:09
oops too fast
0:10:13
oh we forgot um
0:10:17
yep let's uh choose some
0:10:20
music oh you need to
0:10:22
yeah
0:10:24
do you want to have a pink pig
0:10:27
today's
0:10:28
yes your back off ages
0:10:31
dear dreaming sound school has a let's
0:10:34
go for that one
0:10:41
more for studying music
0:10:43
yeah
0:10:45
true that true
0:10:47
all right cool i'm gonna share my screen
0:10:49
again
0:10:56
that's actually a good choice
0:11:00
yeah it sounded cool daydreaming yeah
0:11:04
i said i do that every day so
0:11:07
it's
0:11:09
good to do this
0:11:11
sometimes as well
0:11:23
that's the one
0:11:29
all right cool so what we did was
0:11:32
basically
0:11:34
um
0:11:35
so this is the change basically i made
0:11:38
yes just today but didn't get around to
0:11:42
testing it because
0:11:44
i had an important call at 10.
0:11:48
uh so if i go into the changes yeah
0:11:51
basically what i did was it requires
0:11:54
sanitizer
0:11:57
and
0:11:58
then
0:12:03
um
0:12:05
where did i make the change oh
0:12:08
sorry no it's um in
0:12:11
default
0:12:12
so basically all i did was i installed
0:12:16
um
0:12:19
DOMPurify
0:12:21
right yeah right and then i
0:12:24
basically
0:12:26
used it
0:12:27
when we are sending through the
0:12:30
websocket
0:12:33
so
0:12:34
we are basically assuming that every
0:12:37
message is
0:12:38
a dirty message
0:12:41
which requires sanitization
0:12:46
and
0:12:47
then i'm just
0:12:49
basically
0:12:50
sanitizing the text in that
0:12:54
dirty message
0:12:56
object
0:12:57
right and then saying that to message
0:13:00
and all the variables then
0:13:04
remain the same
0:13:06
interesting okay right
0:13:09
uh
0:13:10
have you got any questions
0:13:12
no i'm trying to
0:13:13
i haven't
0:13:14
really done like this stuff so i'm just
0:13:16
trying to understand but yeah
0:13:18
it makes
0:13:20
so
0:13:21
what was happening
0:13:23
before
0:13:24
tell you a bit of a context
0:13:27
so
0:13:28
when we were
0:13:30
testing it
0:13:31
on screen um we were getting the
0:13:35
cross-site
0:13:36
scripting attacks which was basically
0:13:40
people were inserting script tags in the
0:13:43
notes
0:13:44
as text
0:13:46
yeah
0:13:47
and which were basically being picked up
0:13:50
by the browser as
0:13:52
in a html
0:13:55
which made the program as in do what
0:13:59
they wanted to do so
0:14:02
[Music]
0:14:03
as long as
0:14:05
they were cleaning
0:14:07
as long as they were connected to the
0:14:08
web socket
0:14:10
everything was coming through the
0:14:13
websocket
0:14:14
right okay so like that they could run
0:14:17
their own like
0:14:18
they could put it inside the inaudible
0:14:21
yeah yeah pretty much
0:14:24
and i guess from my understanding what
0:14:27
we're doing now and what this DOMPurify
0:14:30
essentially does
0:14:32
if i'm not wrong because it's just a
0:14:34
brand new concept for me as well
0:14:38
that
0:14:40
um as soon as we pass a text to this
0:14:45
sanitizer using DOMPurify it will turn
0:14:50
that
0:14:50
that
0:14:51
text into actual normal text so you
0:14:55
won't be in a html anymore
0:14:58
right okay
0:15:00
make sense
0:15:01
which means that it won't
0:15:04
do anything even if they enter this in
0:15:07
the script tag
0:15:09
okay
0:15:10
perfect
0:15:12
yeah but i don't know how much of it
0:15:14
would work to be honest
0:15:18
there's only one way to find out
0:15:20
exactly all right um this site should
0:15:24
already be up
0:15:26
that's up and i'll actually give you the
0:15:36
board so this would be the
0:15:39
url
0:15:40
um
0:15:43
okay cool
0:15:45
so we will need to work on this one
0:15:48
this isn't coming up as object object i
0:15:50
would actually are all the functions
0:15:53
working though like
0:15:58
most
0:15:59
likely
0:16:00
until we have oh um
0:16:04
probably i think what i must have done
0:16:07
was
0:16:08
when i deployed the SAM template
0:16:11
yep
0:16:13
api
0:16:14
endpoint changes but i forgot to update
0:16:17
the api endpoint in s3
0:16:22
all right okay
0:16:27
yes we can do that but i'm just thinking
0:16:30
of myself well
0:16:33
how could i not have realized that
0:16:35
yesterday
0:16:37
uh honest mistake notes
0:16:39
i would have done that too
0:16:43
all right cool so let's open so the only
0:16:47
thing is that we would have to
0:16:49
keep the
0:16:51
keep s3 up-to-date as well with this
0:16:56
so
0:16:57
anyway
0:16:58
let's jump into that and see how do we
0:17:00
go
0:17:02
um this is that one
0:17:06
yeah that's this
0:17:07
end point
0:17:09
so what we need to do is basically
0:17:13
uh do
0:17:16
it
0:17:26
there you go
0:17:34
okay i'm gonna open it
0:17:36
oh no no no don't tell me that
0:17:42
i think i have that password let me help
0:17:55
uh how was it again
0:17:57
autofill
0:17:58
yeah there you go
0:18:02
oh
0:18:05
mfa extra securities
0:18:23
no
0:18:24
i'm playing in the work code wow
0:18:27
interesting
0:18:35
oh interesting
0:18:36
i'm not raised
0:18:40
why does
0:18:42
that come but it always does it
0:18:46
does this on this
0:18:48
account on mine
0:18:50
nice
0:18:56
okay nevermind
0:18:58
um
0:18:59
we wanted to get the api endpoint isn't
0:19:02
it yep that's three
0:19:07
doo doo doo doo
0:19:10
okay stages fraud
0:19:14
there we go
0:19:16
oh
0:19:17
hang on
0:19:20
cue deck
0:19:23
it's the right one
0:19:28
yeah it must be the
0:19:30
right one
0:19:32
oh yeah it is
0:19:35
oh what was the
0:19:36
websocket one okay how about if i
0:19:40
give you this
0:19:42
and then you can try to do the xss
0:19:45
attack
0:19:46
through the websocket
0:19:49
all right so i'm not sure how to do it
0:19:52
or i don't know how you guys tested but
0:19:54
yeah be killed too
0:19:56
keen to know
0:19:57
and actually
0:19:58
even i don't know how to do it because
0:20:01
yes today i was figuring that out but
0:20:19
okay
0:20:21
introduction to XSS i don't need
0:20:24
any introduction come on
0:20:27
injections okay
0:20:30
i'm on the same website
0:20:34
doesn't need to give any
0:20:36
example of
0:20:38
yeah it does oh if you go down a little
0:20:41
i recommend tools
0:20:46
method post for example
0:20:51
testing test
0:20:53
testing test
0:20:56
but so
0:20:57
who did the initial exercise like was it
0:21:00
dory or something else
0:21:03
um
0:21:05
so
0:21:06
who did the first time is it
0:21:08
yeah like oh so
0:21:11
uh i don't want to name
0:21:14
anyone
0:21:21
um so but we didn't manage to
0:21:24
find out how it was done but then i
0:21:26
can't remember now
0:21:28
all right
0:21:33
maybe you can try asking dory as well
0:21:35
maybe he might remember
0:21:37
oh hang on here we go
0:21:40
as we understand testimony
0:21:42
is the name indicated by the user
0:21:45
therefore this only
0:21:47
looked like
0:21:51
the demonstration code is vulnerable to
0:21:54
such an attack if the
0:21:59
okay how about if we just simply do this
0:22:03
and see if it picks up on
0:22:06
the note
0:22:07
so if you want to do this as in
0:22:10
just do it alert on the note itself
0:22:16
right okay
0:22:18
uh do you mind telling me
0:22:20
sorry
0:22:21
my bad i told you for more about it
0:22:25
it's
0:22:26
funny how i use private check because
0:22:29
this one on the screen anyway
0:22:32
oh yeah
0:22:32
[Laughter]
0:22:38
ah here we go cool
0:22:40
so
0:22:41
it didn't work
0:22:45
the code didn't work
0:22:47
put in the effort
0:22:49
through the entry let me move to the
0:22:51
side first actually
0:22:55
can i mute this tag
0:22:57
you can move that
0:22:59
how can i do it um it's like if you
0:23:02
right click
0:23:03
right click
0:23:04
site
0:23:05
oh okay i didn't know that yeah one
0:23:08
second it will be a big thing
0:23:14
okay
0:23:16
huh
0:23:17
i didn't get the noise now
0:23:22
right i'll just unmute it and see what
0:23:25
happens
0:23:29
oh
0:23:30
i see
0:23:31
so it's not even being done on the note
0:23:34
itself
0:23:39
that's really interesting
0:23:44
tori actually managed to
0:23:46
find out how it was done
0:23:48
i should have paid attention
0:23:51
and he was
0:23:53
explaining me
0:23:56
um sources performance memory
0:24:00
was in
0:24:02
network recording next performer request
0:24:06
to hit
0:24:07
or hit refresh
0:24:13
ah
0:24:14
right
0:24:18
so are you able to see my screen yeah
0:24:20
yeah yeah
0:24:21
my house this is
0:24:23
coming up
0:24:25
right 55 mm
0:24:36
so this is broad test
0:24:41
payload
0:24:43
headers
0:24:46
request google analytics
0:24:50
request headers ah here we go
0:24:53
pause it
0:24:55
is it gif
0:24:56
uh
0:25:03
so you're sending a gif
0:25:08
but marker gifts don't have noise and
0:25:12
then do that
0:25:14
um
0:25:16
yeah that's actually true
0:25:22
yellow card
0:25:25
yep
0:25:27
once i can i'll get some water
0:25:29
yeah
0:25:45
stars yes yes
0:25:49
request
0:25:51
so that didn't clearly work
0:26:07
yes
0:26:08
image javascript
0:26:11
i'm just
0:26:12
trying to find out how it was done
0:26:19
fetch xsr passcode
0:26:22
html don't think so it's in now like
0:26:25
it's not happening now
0:26:34
but wouldn't there be a history
0:26:36
on these
0:26:42
so let's see
0:26:44
no that's not possible
0:26:46
it can't be this one
0:26:50
so there basically inserting it through
0:26:53
the websocket but not
0:26:56
on the ui itself
0:27:03
but if you create a new one um would it
0:27:05
still happen
0:27:09
like a new board
0:27:15
okay we can try that
0:27:27
test
0:27:29
two
0:27:47
somehow
0:27:49
network
0:27:51
it must be something here
0:27:57
had snapshot
0:28:04
um
0:28:07
media
0:28:09
fast oh [ __ ]
0:28:14
this is really interesting
0:28:16
i have no idea what i'm doing at the
0:28:19
moment i'm just
0:28:22
clicking
0:28:25
um so
0:28:27
they insert it
0:28:29
so first of all they're mine's inserting
0:28:32
it in in the
0:28:34
browser um they are inserting in the in
0:28:36
the browser but not on the ui itself
0:28:38
here
0:28:39
right okay
0:28:41
then
0:28:42
where are density
0:28:45
that's exactly what i'm trying to find
0:28:47
out
0:28:48
oh right there
0:28:53
scribbles png
0:28:56
but that wouldn't have an annoyance
0:29:01
wait tori knows how to replicate this
0:29:03
right
0:29:04
yes
0:29:07
let's try googling it only
0:29:24
media
0:29:39
i actually want
0:29:42
a
0:29:44
websocket
0:29:47
um
0:29:58
oh
0:29:58
yes subjective um
0:30:01
i'm not sure about uh
0:30:04
um i had i had a meeting though um early
0:30:06
morning i was actually planning to
0:30:08
attend it that's why i asked
0:30:10
um did did you attend the deaf nursing
0:30:13
today
0:30:14
no
0:30:15
i
0:30:16
didn't oh i had
0:30:18
something
0:30:20
else wrong yeah so i didn't really get a
0:30:23
chance to do it yeah right there
0:30:26
yeah i mean
0:30:28
gekko says zen never goes but like
0:30:30
literally i haven't gone to one in like
0:30:32
ages as
0:30:34
well but you're not i really want to
0:30:37
know like
0:30:39
yeah me too though yeah because
0:30:42
as i'm on this
0:30:45
slack channel is spell and there's some
0:30:48
brilliant cool topics being discussed
0:30:51
which
0:30:52
picture posters
0:30:55
and yes
0:30:57
really kind of intriguing
0:30:59
yeah
0:31:00
yeah so next time if you remember
0:31:03
just remind me or if i remember i'll
0:31:04
remind you
0:31:06
okay sounds good
0:31:14
um
0:31:18
website visitor okay
0:31:21
just because of website having no
0:31:23
vulnerability and then it was scripts
0:31:26
injection
0:31:28
the preparation
0:31:30
injects the website with them and they
0:31:33
scoop the steals each mr session cookie
0:31:37
okay but how do we do that come on me
0:31:40
stores
0:31:42
okay
0:31:42
the prices say says the following
0:31:45
comment
0:31:47
great prize for gravel i don't read my
0:31:50
review here
0:31:55
okay from this point on every time the
0:31:58
page is exercise history
0:32:04
the html tag in the comments
0:32:07
the html tab
0:32:10
in the comment below activated
0:32:12
javascript file
0:32:14
which is hosted on an understand and has
0:32:17
the widget to steal this cookies
0:32:24
so
0:32:26
how is it being done
0:32:28
as in i know that when
0:32:31
we need to insert some kind of script
0:32:35
tag
0:32:37
but wait
0:32:38
that's the main question now
0:32:40
um
0:32:43
also i just saw today's message by get
0:32:46
dev
0:32:47
on dev cop
0:32:48
i think uh someone had a problem with
0:32:50
course
0:32:53
you can't mention that we should help
0:32:55
them out i mean
0:33:02
absolutely yeah
0:33:04
that'll be up
0:33:13
let's see if this works
0:33:19
unexpected token syntax
0:33:23
yeah that didn't work because it's not
0:33:25
in
0:33:26
checking the script tags
0:33:31
interesting it would have been
0:33:33
good if i paid a little bit more
0:33:35
attention than one toy
0:33:40
[Music]
0:33:48
that's basically the same thing
0:34:04
um so it's going through the web socket
0:34:17
which means that
0:34:21
when we create
0:34:24
the card
0:34:28
sorry
0:34:31
you will save it
0:34:34
syntax here
0:34:45
cactus says we need to do a showcase
0:34:49
of
0:34:50
border
0:34:54
only a couple of couple weeks left tick
0:34:57
tock
0:34:59
yes
0:35:01
we can maybe you could actually name
0:35:03
this board
0:35:07
that'd be too as in too funny
0:35:11
like that would probably go with the
0:35:12
whole thing
0:35:22
[Music]
0:35:24
how is that
0:35:26
sorry as in how how would it go
0:35:29
to the whole
0:35:31
team
0:35:32
like
0:35:33
just i didn't get it
0:35:34
calling us board coders
0:35:37
since like day one
0:35:40
kind of matches the whole uh
0:35:42
whole time we were streaming
0:35:45
bordler
0:35:53
actually that being
0:35:55
said um
0:35:57
we can actually
0:35:59
change the url to bubbles
0:36:03
as well
0:36:09
there's been hair here
0:36:11
for
0:36:12
as much as we've been so he gets to
0:36:14
decide the name
0:36:15
yeah all right
0:36:17
he can have that that privilege
0:36:20
you know what's funny i think we started
0:36:23
on
0:36:24
14th of may
0:36:27
i have a feeling
0:36:31
14th of may
0:36:32
yeah
0:36:34
yes
0:36:35
it's only been made during july what's
0:36:37
up
0:36:41
right approximately
0:36:43
i'm just trying to see like when is the
0:36:45
one-year
0:36:48
mark
0:36:50
right i see
0:36:56
oh my god
0:36:58
okay
0:37:00
you sound sleepy
0:37:03
um i might actually been up since five
0:37:07
oh my god
0:37:08
nearly my bedtime as well oh wow okay
0:37:12
okay never mind we started in july 14th
0:37:14
of july sorry my bad
0:37:17
wow so we're actually doing pretty good
0:37:20
it's not even been a year yet
0:37:23
yeah nine months it is great
0:37:30
um all right
0:37:31
i'm not
0:37:33
how can we replicate the
0:37:37
thing
0:37:39
yeah
0:37:45
i'm just trying to think now
0:37:49
how old would this be and
0:37:51
the problem that one there on that one
0:37:55
no
0:38:00
um
0:38:02
no problem fast 3g
0:38:07
disable cache
0:38:14
um
0:38:22
how how how how
0:38:24
there has to be a way
0:38:29
to
0:38:30
um
0:38:31
nobody
0:38:35
says just call it a day
0:38:38
i think that's a fair advice
0:38:41
um
0:38:42
the official way i would ask story tori
0:38:47
yeah that's what i was thinking and um i
0:38:51
think like that is right it has been a
0:38:54
long day for me and i'm sure it's been
0:38:57
for you as well
0:38:59
and
0:39:00
basically on here we're pretty much
0:39:03
um
0:39:04
just so sh
0:39:06
socializing at the moment yeah
0:39:09
now we can we can come back tomorrow um
0:39:11
hopefully tori's interviews are going
0:39:13
well though um he seems pretty
0:39:15
interesting excited so
0:39:17
that's all yeah
0:39:21
yeah
0:39:23
that'd be
0:39:24
good though as in um
0:39:26
once he come uh i can probably have a
0:39:30
session with him if
0:39:32
if he's really swamped with the
0:39:35
interviews i might just have a call with
0:39:38
him before the trip tomorrow
0:39:41
yep yeah yeah for sure
0:39:43
and um
0:39:44
ask him if you can show it to me how he
0:39:47
did it
0:39:48
yeah yeah i think that's a good idea
0:39:50
yeah um but yeah no that's cool i'll try
0:39:54
to join in tomorrow as well i'll
0:39:55
definitely let you know
0:39:57
um hopefully i can
0:40:00
yeah that being that being that'd be
0:40:02
great and um
0:40:03
yeah guys been
0:40:06
a good
0:40:08
social session and a bill of
0:40:11
progress we've managed to deploy the
0:40:13
change and um
0:40:16
yeah just have to figure out how to
0:40:18
replicate the cross-site scripting
0:40:21
attack
0:40:22
and then to eventually solve it and if
0:40:25
you want to check out how do we do that
0:40:27
tomorrow
0:40:28
and
0:40:29
join us as same place same time and
0:40:33
same task
0:40:35
there we go
0:40:37
god