
English: 
Hey, so this video will be kind of like a highlights cut, a condensed version of a live stream that I've done on twitch.tv/LiveOverflow. As you know, I've been streaming for the past few weeks, building an 8-bit computer, but in that particular stream we went over challenges from the Google CTF 2019 qualifier. That CTF happened over the weekend and I played it again, and part of learning about security, you know, is for me playing CTFs. But not only playing the CTF and getting frustrated and researching during the CTF; the time after the CTF is equally important. Usually my video write-ups are part of that process of looking at challenges afterwards and looking at those write-ups and providing you those video write-ups, but also for me, I want to learn too. So I might often look at genres that I tried but failed and want to see the real solutions. So during that stream

English: 
You will see me working through a few challenges, one challenge in particular, a challenge that hasn't been solved during the CTF, which was called Pastetastic or something like that. It's a browser client-side XSS kind of challenge, and we learn a lot about the same-origin policy, how iframes interact with each other, and DOM clobbering. It's a really cool bug, and so I wanted to take you along the post-CTF review of the challenges and working through it as a way to learn from it, and how they can look like. So I think it was a fun stream, and this is something you should also do after you have played CTFs: looking for the write-ups and working through them. Either way, I hope you enjoy this highlights cut, and if you are interested in more streams, not necessarily related to security but still talking about various different topics and building this 8-bit computer, check out Twitch, which is twitch.tv/LiveOverflow. There you can also find

English: 
full recordings of the live stream, but also on live overflowed to the second YouTube channel that I started, which will be a bit more casual, which allows me a bit more freedom. So you can find there also highlight cuts of the streams. You can also find there in the playlists unlisted episodes of all the full stream recordings, as well as maybe some other casual videos that might happen here and there. Anyway, let's not procrastinate further. Let's head into the stream where we discussed challenges.
Hello everybody, welcome back to the stream. Oh, yeah, thanks for the bits. Cut off a buffer overflow.
Okay. Alright. So today, as you can see from the stream title, I don't plan to continue working on the 8-bit computer. This will be a thing I guess for tomorrow. So today I want to kind of have like a post-CTF chat. So the Google CTF happened over the weekend

English: 
I played again, which felt good; I hadn't played a CTF in a while. And so, yeah, I just want to take you along. Basically this is what I would do now if I were alone: I would just look up write-ups. I tried to find write-ups, revisit some challenges, and maybe we can even like do this kind of together, like maybe you can help me understand something if you have solved something that I struggled with, or maybe I can tell you a little bit about how I solved something. However... okay. Yeah, so that's it. Oh, all right. So the Google CTF happened over the weekend. The challenges are still up; I don't know how long these servers will stay available. So if you want to try it out yourself, maybe do that soon. However, Google is also generally pretty good at archiving those challenges. They even publish source code or

English: 
instructions on how to host those things as well on their GitHub at some point. So there's also an option for that. Also, they reward, I believe they reward write-ups, or at least they are saying they want certain write-ups out for challenges, because it was like a qualifier for the finals. So I'm sure there will be some really good write-ups coming out in this coming week. Maybe today, the first day, looking for write-ups is maybe a bit early already, but whatever, you know, it's like we take what we can get. Thanks for the sub, Uber. 157 made... Volume is... oh, sorry, I had my microphone turned the other way. Is it now better with the volume? Again, congratulations to those top teams: pasten, Dragon Sector, p4, but even here the other said record was really surprising.

English: 
Spam and Eggs. It's incredible what these teams are doing. We got 15th place. I'm playing with ALLES!, which is really good, but I don't think that this is like my success here. So we solved quite a few challenges. I solved one challenge. Okay, I solved one and I helped a bit with another, and all the other challenges I looked at we never solved. Or yeah... God, failed, one second. Okay, so results like this are often team efforts. Multiple people have been working on these challenges. So, you know, okay, so don't look at this and think that this was somehow my success. Did you try to pay static Joan? Yes. This is another challenge that I spent a lot of time on, and this is one of the challenges I want to have a look at now, because it had no source during the CTF.

English: 
Somebody got really far, and we kind of chatted in IRC a little bit about the underlying bugs or what is kind of abused there, and I had some of the ideas, but I was lacking some kind of information. So this is something that I'm not sure if I want to solve. I mean, if I will be able to solve this basically now on stream, I doubt so. But I kind of want to... there are a few things that I've heard about that I kind of want to explore and try out locally, just to see how that will work in theory, without pulling off the whole chain, because it's like a little bit of a chain of things that you need to combine to fully solve this. IRC is used for the CTF. Most of the CTFs like the Google CTF have an official IRC channel where you can contact and talk to the organizers and admins if there are technical problems, and after the CTF the players usually just meet there and exchange

English: 
solutions, ask questions. So being in that IRC channel is a good thing. You also get notified if something breaks or if a challenge has problems. So the IRC is generally a good place to be during this CTF. A lot of people still use IRC, by the way. Oh, yeah, we know that. Fact: now you are actually using IRC right now. Twitch chat has IRC as its back-end. Just to let you know, there is an IRC server and you can just join the LiveOverflow channel on that IRC. So if you directly connect to the Twitch IRC network... anyway, okay, so I would say the first challenge I want to look at is the Pastetastic challenge. That was just kind of... I'm saying there was a little bit of a write-up that I didn't... It was just a source code. You didn't really understand it. So I want to explore that a bit more. Let's see. Yeah, here, this is the write-up by Katie. So let's see a little bit, also hear what other people were writing about it.

English: 
Okay. "This I think was one of the most fantastic shells in 2019. I was aware that there is no origin check at handling messages event in window. Convict can be removed by this s filter but couldn't come up with any more ideas." Yeah, I can also tell you how far, kind of like what, how far I got with it. You know, this was a super challenge; there wasn't much discussion about it on Twitter. Let me show you a little bit what I figured out about this challenge. So when you create here a file, so you create the file, you get this file now. It has like a few URLs, and if you look at how this is implemented, you see that this is actually loaded in an iframe. So there's a sandbox iframe where the content of this file is loaded. There's a bit of JavaScript going on. So if you load the view page, you can see that this iframe is not there. So the iframe is not there; that iframe is dynamically created by the

English: 
Got the app. So this is the JavaScript code. Mmm, why do you use Chrome? Why not use Chrome? I'm an idiot. I need to copy this. To be honest, I don't care about the privacy. I have my mail at Google; my whole company is at Google. Also, so the web challenges like this might be also browser-related. However, I mean, it should have also worked, I guess, in Chromium, when I was like... this was it. So I looked at this challenge pretty early in the CTF, right? So I didn't know how hard this challenge would be, and I made some pretty good progress that I will show you now, but ultimately it wasn't like far enough to even solve it. I got stuck at some point, and then throughout the CTF I realized nobody was solving it, and then realized, oh, this is a pretty tough, a pretty hard challenge. When it's such a hard challenge

English: 
it might be that it's a very weird browser quirk, something that just happens on that specific Chrome version or that specific Safari version. So browsers sometimes have weird quirks, and only, you know, people that really research that topic might be able to solve it, because they happen to have found these same quirks as well. So that's kind of like an assumption that you can have if you see such a client-side browser XSS or whatever challenge: whenever there is no source, it must be something kind of obscure. It wasn't that obscure, to be honest, but I feel like I got some good... I was on a good track. But clearly I wasn't like enough to solve it in any way. High confusion. No iPad today; we are reviewing challenges from the CTF that happened on the weekend. Okay. So yeah, so either you're on the create view or the view view. So the view is the view where this iframe is created.

English: 
So we can look at that function here, and you can see it gets some... There's a content ID tag; it gets the lines from there. It gets the data language also stored in there, then it gets the viewer element, and then there's already like a differentiation between markdown and not markdown, and then also this viewer is then created, the viewer class is created, and then the rest is pretty... So it reads, it reads just this here, a do report function, unimportant, capture, unimportant, and then it initializes the viewer, and then also it renders. It renders the... based on the language it puts in the content and false. So it calls render on the view as well, and then populate reason... there's also an important... is for reason fuse

English: 
And so if we look at the viewer class, when it's created it gets this view container in there, and there you can see it creates the element; it loads /sandbox as the source domain path. It sets the sandbox attribute, and then it adds some like event listeners for loaded, and then it appends the sandbox iframe to the container, and then it also registers an event listener for messages. So messages can be used for iframes to communicate with each other, which is kind of an important point here. Then we know it calls init. In init it then gets this sandbox iframe. Now it looks into the config, and it loads these scripts defined in that config, so you can see it like loops through the dependencies, and then it calls

English: 
load script on this dependency. When that is done, it goes through all the preloads and also does load plugin on all the config preload plugins. That are being done. Now if you look at load script and load plugin, we see that load plugin calls load plugin and load script as well. There's some housekeeping of the data, and then load script is very interesting because it gets the integrity, it fetches... so this is downloading that resource, that URL. I guess it should show you how that... So here you can see the config defined. It's just like a JSON or an object, I guess, a JavaScript object with dependencies and plugins or something, your plugins here, and there's an integrity check. That's just an important... and the URL. So it downloads here that script, and then when it gets that script

English: 
it will call init script on the content window with the script, and init script then calls eval inside of that sandbox window. Okay, so this is kind of important to understand now. Of course, during the CTF I was also looking at different kinds of things, so for example, could there be XSS in the recently added ones and all these things. What is otherwise so important here? Yeah, and then I guess it's so important also, this event listener. So init listener is being called when the sandbox here, when the viewer is created, and it adds an inside of the sandbox window, so inside of the iframe, it also adds an event listener for message, and here it checks the origin, and then it checks what kind of message this was.

English: 
Was it the render message, or was it a scroll message? And in the render message, then it just removes here things from the viewport, and here is again a check for markdown. So it checks if the language is markdown; if that's the case then it will do innerHTML on marked of the data, and I found out that marked is a function defined by the markdown renderer that this website is using. So they render the markdown as like HTML, you know, just not the raw text, but they render it, and so they marked it and they turned the sanitizer on, so it should be safe HTML that is coming out there, and then it's assigning innerHTML. If that's not the case, it just creates a code element and puts the raw data in there, and it's all fine, and then it does a highlighting of that code. So here's the thing that I found out. I found it out through a bit of testing. So this is something I did.

English: 
Let's create a new markdown file, mark one, and then we can just like test this. We can do like a header; we can also do like a link. Okay, so now we have some markdown, and then we can submit. So here's our text, and you can see it's not rendered. Fail. Why did it not render? Oh, I guess it doesn't render the header. Sorry. It's fine. It rendered the link here. So if you look at the HTML it created, you can see that it created like an "a"... I guess that maybe they needed a space between the... whatever, doesn't matter. You can see that it rendered the markdown for a link as an anchor tag here. Oh, by the way, the goal of this challenge was kind of an XSS or stealing... you can do this DMCA here, and DMCA is reporting that data that you pasted there now to the challenge administrators, the support people, and

English: 
They will look at this. So this is also something that I explored. You know, you see the submit URL; you can submit other URLs, and then you see like the ping back, you see a browser accessing the URL that you submitted for the DMCA takedown. So basically the idea is you create a malicious DMCA request, and the support person or the administrator is clicking on it, and then they execute your exploit of the XSS and you steal some internal data. It's in cookies? No. No, this actually doesn't use cookies. This actually uses the local storage. So this just stores whatever you create in the local storage. So there's a recent, I think... oh, I'm sorry. I'm sorry. You're right. Sorry. I forgot, right. The flag was the cookies. Sorry. I totally forgot. There's a flag cookie that is set for us. It's a temp flag abc123, which is a hint that the solution flag is also in the cookie.

English: 
We need to steal the cookie of the person looking at the site. I totally forgot. Thanks for that. No, actually you need the XSS protection fork in Chrome to make this exploitable. That's one cool thing about this challenge: you actually need to abuse the auditor, and in the express... in the case here, like I said, there are multiple stages that you need to combine to make this exploitable. Also, that's why it's so hard. And like I said, I doubt that we will solve this now. It's a bit too much of a setup. But there are some crucial things that I didn't know about that I want to now experiment with. Okay, so now I show you also the one thing that I kind of found out, and I thought I was on a good track, and that is an XSS. So there is filtering happening. So if you do like a script tag in markdown, like just something basic like this, then you submit that and then you look at this. Then the script tags are gone. So they are just gone; they are not there anymore, and I found out

English: 
this: if you have a script tag at the front, then you do a second tag, and then you do a thing in the middle there, and you basically do also one in the middle here, and when you now submit it... Obviously this doesn't do anything because of the sandbox, but let me show you. There we go. I screwed up a bit the format. Yeah, so you can see there's a script... I don't know. Wait. Let me... script a lot in HTML doesn't work. Anyway, let me do... in this world... It's basically about any text, so you can do like an image tag, fake an image tag like this, and then src equals x, onerror equals alert(1), some other attribute, and then we can throw this here away. So I think this should work. So you see here the broken image, and you don't see the alert. But like I said, that's sandbox issues; I can explain in a second. So you see: blocked script X

English: 
because the document's frame is sandboxed, it doesn't have the allow-scripts thing. But you can see here the image is now in there with onerror, so this is a bypass of the sanitizer. We can also go here in the Sources, and we go here in static, in the JS, and we look for... so this is the sanitizer here. So we can set like a breakpoint here. Let's reload the page. So there's a breakpoint now set here. So now, there we go, so evt is the event that is coming in. Text, it's like it's like an unlisted... it's this render message. It's like it's listening on "you should render this". No, so this is executed inside of the context of the iframe.

English: 
So you see this is our data that we passed in, the script with the broken thing, and it has the sanitizer turned on, and the sanitizer is just replacing it, just stripping stuff with empty. Now we can execute... we can also execute it like this. This is how I... this is basically how I tested it. Wait, I show you how I tested this. marked is the function there. You can do marked of a string, for example, and then you need the options here. So now you can just... this is how I played around. This is how I found the bypass. I was starting out with just... it was just like an image tag here. Here's basically how I would just come up with this: image src x onerror, the other one. Okay. So we start with this, right, this is what the... an XSS vector, so you see it's completely stripped. Then I tried what happens... so I was kind of inspired by the Google

English: 
XSS, you know. Maybe I don't know how the sanitizer has it worked. I didn't look in the source code at all. So I thought it's in a sandbox iframe and things like this. Let's see what happens with no script: nothing happens. Then I thought, okay, when it's stripping, if it's server-side stripping, then something like this often works, because it's not recursively stripping oftentimes. So if it strips away the script tag, then this kind of works. So it broke the image tag now, but it encoded the lower-than sign here, now &lt;, so I thought that's weird. And then for whatever reason I placed another script tag in front of it and suddenly it turned into a full image tag, and so that's how I found the bypass basically. Okay, so now we have XSS execution, theoretically, in the sandbox iframe. We found a bypass of the sanitizer of this library, but
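The "not recursively stripping" pattern described above, as an added example (this is not the stream's code and not the challenge's sanitizer; the regex, the inputs and the three functions are constructed for the demo). It puts the single-pass strip next to the two things a defender does instead: iterate the strip to a fixpoint, or better, escape the markup characters so untrusted text is displayed rather than parsed.

```javascript
// Added example (not from the stream or the challenge): why a single-pass
// "remove the tag" filter is a weak sanitizer, and what to do instead.
// The tag pattern and the sample input are constructed for this demo.

const TAG_RE = /<\/?script[^>]*>/gi;

// Naive filter: remove each <script ...> or </script> occurrence once.
function stripOnce(html) {
  return html.replace(TAG_RE, "");
}

// The same filter iterated until the text stops changing, so removing
// one tag can never assemble another one out of the fragments around it.
function stripUntilStable(html) {
  let prev;
  do {
    prev = html;
    html = stripOnce(html);
  } while (html !== prev);
  return html;
}

// What a renderer should do with untrusted text that is meant to be
// displayed, not parsed: escape the characters that form markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed input in the shape the stream describes: a tag split by a
// second tag, so that one removal joins the pieces into a new tag.
const NESTED = "<scr<script>ipt>alert(1)</scr</script>ipt>";

function demo() {
  return {
    once: stripOnce(NESTED),          // a complete <script> tag survives
    stable: stripUntilStable(NESTED), // only "alert(1)" as plain text remains
    escaped: escapeHtml(NESTED),      // inert: every < and > is an entity
  };
}

console.log(demo());
```

The fixpoint loop only fixes this one filter; a parser-based sanitizer or output encoding is the general answer, since a blocklist of tag names never covers the attribute-based vectors the stream uses a minute later.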

English: 
it turns out, I believe, this is actually completely not important for the solution. I believed this solution... so the write-up by Katie wasn't complete, so the solution only worked locally. It didn't work remotely. That's why this person didn't solve it during the CTF. It had zero solves during the CTF, so I'm not quite sure why it's not a full solution, but like I said, I'm not sure if I would solve it now. Anyway, it's more about exploring some of the concepts I didn't think about or realize. So yeah, so I thought I was on a good path. This is kind of how far I got, and then I thought about if you can somehow, you know, make that sandbox iframe still be able to execute that, but the problem is it's not a reflected XSS, right? It's a stored XSS, it only happens because the view page is embedding the sandbox iframe and then it sends a message to render that in the iframe. And so that just didn't work. Okay, so now we come to the part that I'm interested in, like what kind of a solution... so now let's look a little

English: 
bit in the files that this person has uploaded, because there are some really weird, interesting things here. This was another thing, you know, maybe they were trolling and they were actually wanting you to exploit a browser 0-day. We had these kinds of challenges before, or people solved it that way anyway. So if we look at this person's exploit HTML script, we see that, first of all, it iframes. Okay, so you don't see it, it's behind my face, but this is an iframe. And this is the URL of the iframe, and the URL of the iframe is a view URL, but the interesting part is after the view URL. So here the view ends, right? This is the whole view URL to the left of it. And then there's a fake XSS parameter containing the config variable. So if we just copy and paste this here... oh wait, we can do it ourselves.

English: 
So basically what the person has done... so this is the website, right? Basically the person is taking this config JavaScript, that's the variable in the JavaScript, and added a fake parameter. That parameter does not exist, right? It's like anything, "d" whatever, equal to this, and see now how it turns red. That's because the XSS auditor, the thing that is supposed to protect you from XSS, is in this case configured to just block the malicious script. The site still... it doesn't block the whole website and stop you from going there. The only thing it does is it blocks that particular config script. Okay. This is a crucial step that I didn't... I actually a little bit thought about this. So as we know from the JavaScript, it uses the config in

English: 
the init to loop over the dependencies, and then in the end it ends in an eval of that script inside of the sandbox. So if we could somehow change the config variable to contain a malicious script from us, then that malicious script from us would then be injected into the sandbox and then eval'd in there, which then would have access to the cookie, and our script could then steal the cookie. So there was one idea ahead, and there is this idea of DOM clobbering, but there wasn't a way how I saw how to execute this. I also didn't think of this, the config itself. I was just thinking of DOM clobbering. So what's DOM clobbering? There are two links, one has an id X and the name Y, and then suddenly there are JavaScript variables with the name x and y, so because this href has an id X you can access this just with a variable X, and

English: 
so you didn't... you never created that variable X. Just because you include that in the HTML, suddenly there is this variable available in JavaScript, and you can use this to kind of set variables in JavaScript that shouldn't be set, or you can sometimes overwrite stuff. So this idea that HTML tags with certain attributes clobber or poison or influence the JavaScript variable space is, you know, one of the attack ideas, and so I thought about this obviously, like I saw that in the code: it would take the config, take those URLs and execute these. So if we could somehow change the config, we could execute our own stuff, and how do you influence a variable in JavaScript? Either you have a full XSS, then you could just... by that I mean just some JavaScript context where you can set a variable. For example, this is a way how you could maybe change it?
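The two-links case described above (one id, one name, and suddenly a global exists), as an added example that is not the stream's code and not the challenge's: it shows, in a browser, how a pair of injected anchors becomes `window.config`, and the check a page script can run before it trusts such a global. The element ids, attribute names and URLs are constructed for the demo; the pure checks also run under Node, where there is no DOM.

```javascript
// Added example (not from the stream or the challenge): how a couple of
// injected tags become a JavaScript global, and a check a script can run
// before it trusts a global like `config`. Ids and URLs are constructed.

// True for values that came from the DOM rather than from a script:
// elements, collections of same-id elements, and named frame windows.
// The constructors only exist in a browser, hence the typeof guards.
function isClobbered(value) {
  if (value === null || typeof value !== "object") return false;
  const has = (name) => typeof globalThis[name] === "function";
  return (has("Node") && value instanceof Node) ||
         (has("HTMLCollection") && value instanceof HTMLCollection) ||
         (has("Window") && value instanceof Window);
}

// Accept only a plain object whose fields have the expected shape.
// Anything else (undefined, a DOM node, a string taken from an href) is
// rejected, and the caller uses a built-in default instead of eval'ing it.
function safeConfig(candidate) {
  if (isClobbered(candidate)) return null;
  if (candidate === null || typeof candidate !== "object") return null;
  if (Object.getPrototypeOf(candidate) !== Object.prototype) return null;
  for (const key of ["dependencies", "plugins"]) {
    const list = candidate[key];
    if (!Array.isArray(list) || !list.every((u) => typeof u === "string")) return null;
  }
  return candidate;
}

// The clobbering itself needs a real DOM, so this part runs only in a browser.
function clobberDemo() {
  if (typeof document === "undefined") return null;
  // Two anchors sharing id="config": window.config now resolves to an
  // HTMLCollection, config.plugins to the anchor named "plugins", and
  // String() of an anchor is its href.
  document.body.insertAdjacentHTML("beforeend",
    '<a id="config" name="dependencies" href="https://example.invalid/dep.js"></a>' +
    '<a id="config" name="plugins" href="https://example.invalid/plugin.js"></a>');
  return {
    type: Object.prototype.toString.call(window.config), // "[object HTMLCollection]"
    plugins: String(window.config.plugins),              // "https://example.invalid/plugin.js"
    accepted: safeConfig(window.config),                 // null: rejected
  };
}

console.log(clobberDemo());
```

Paste it into the console of any page to see the first two fields; under Node `clobberDemo()` returns null and only the checks run. Design note: the named-element lookup only wins when nothing else defines `config`. A page whose own script declares it (`var`, `let` or `const` at top level) shadows the element, which is exactly why the stream first needs the auditor to remove the real config script before clobbering can matter.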

English: 
But obviously that would already be very powerful. And the other option would be that you... maybe we find an injection that doesn't allow us to inject JavaScript, but it allows us to inject other HTML tags. And then we could use those properties to still influence the script execution by giving it a name and an ID. Even though we don't have a full JavaScript XSS, we still influence the script execution. That kind of was like an idea. I wrote it down in our CTF notes as maybe "clobber config" or something. Wait, I can read it to you. I wrote it down, really proud of that, and you can tell. So I wrote down, after I had the idea: could be clobbering config, somehow this could trigger an unsafe eval inside of the sandbox iframe to leak the cookie, but we would... and I added: but we would need at least an HTML tag injection in the view page here. Yeah, so that was kind of an idea

English: 
I wrote down. It seems to have been part of this, but one crucial step was that you first need to disable that variable, you need to make the browser delete that config variable, because like... so when we loaded this page with the fake parameter, the XSS auditor was triggered, and we inspect the console, we see the error message. So the XSS auditor refused to execute the script. It thought that our injection of the config was injecting those variables. It obviously didn't, but it caused the browser to strip away that config variable now, and now you can see that the script fails because it can't find config: "config is not defined". config doesn't exist. No, it doesn't exist anymore. And so now the idea is, if you are somehow able to now get like a tag in there with this config variable, then suddenly this variable would exist. Yeah, yeah, it wasn't solved.

English: 
There's only a solution that seemed to have worked locally but didn't work remotely, so it kind of contains a lot of the solution. "But wouldn't it still be blocked because of the script tag?" We are not... there's no script tag right now. Okay. So I know this is like really... it's a mind-bending challenge. There are a lot of different moving parts that are kind of influencing each other, and the whole... but at the end the whole attack will be a chain of multiple weird browser behaviors. Okay, so I have a hard time wrapping my head around this. I'm not even sure I'd be able to... like I said, I'm not sure if I could even solve this now with those hints. But there are a few browser behaviors that I want to explore now that are part of the solution, and one part was here: to abuse the XSS auditor to disable the config variable. So this is one puzzle piece that we have now, that we are able to abuse the XSS auditor to disable or to remove the config variable. So now the site is broken. This is the whole dilemma we are in. This XSS auditor is a curse. So

English: 
either it blocks your website entirely... If you watched my videos about the XS-Leak, it was a challenge at the 35C3 CTF. So either you have the browser block the complete site, then it can be abused for an attack called cross-site search leaking, which is bad. There was a CTF challenge, I made a video about it, you can watch that if you don't know what it is. Funnily, that challenge was created by a Google employee. So like, Google knows that this exists, right? They are in a dilemma here with how the browser should behave. So we have cases where blocking entire sites with the XSS auditor can be abused as an attack. So now the question is what should the default be? Let's just strip the scripts. But this is also a known attack, because stripping certain scripts allows you to influence how the site behaves and

English: 
opens up attacks, like on this CTF challenge. So the CTF challenge is an example for how stripping away certain parts of scripts can influence the webpage and possibly open up attacks. So now we have both options somehow lead to an attack, and completely having no XSS auditor also... I guess so this auditor trick is required because DOM clobbering won't overwrite an existing variable, I believe so. So here's the thing, like where I have somewhat heard about these things, but I'm also not sure. This is like what I'm here for right now, I kind of want to explore these and test these things again to build that experience and that knowledge about how this exactly behaves, because these kinds of precise questions that you were asking, Alex, are exactly the things that you need to know if you want to solve a challenge like this, right? I just knew that there's clobbering, but I didn't know exactly the context of it.

English: 
So now is a good time to explore this basically, that's the idea. So I also don't know right now how you get the clobbering into the view page, right? But the script above here is supposed to do that. I'm really not quite sure. I still don't know. Maybe I need to draw this, open this, because there are multiple pages now involved, which are framing each other. It's sending messages around, it's like crazy. So this person here, this exploit script, has an iframe in it. It iframes the view page, and now it goes into that iframe, into the contentWindow, which is a different domain, so this is cross-origin, but you can still access the window of the cross-origin, and I didn't know that you can access the frames and change the location of that frame. I didn't know about this. So this is something I want to test out. Is that not a violation, like why is this allowed, or is this just allowed? Is there some special case where it's only allowed, or is it just a case like you can access the

English: 
frames, that you can iframe a site and you can access the frames that this frame included, but you are not allowed to access the content. I know that the location of iframes and windows, this is a property that you can write to, so you can force a redirect of a window that is not on your own origin. You can't access the content, but you can redirect it. So my assumption is, and I didn't know that you can follow this chain of windows and frames down to whatever and then change the location of that frame, so apparently that you can do, but... And then you change the location of that frame, and then when that is loaded now, it changes the name of the frame, and this is where the clobbering, I guess, happens, because here a name "config" is now assigned, and my assumption is that you are allowed to change the name of the frame because the name is your domain, from which this exploit is loaded. So at the top of your site that iframes the view, that view has another iframe, you

English: 
redirected the bottom iframe to your origin. So both the top domain... then there's the middle view, and the bottom domain is your origin, and now you can change the iframe name of that, your origin. That's at least how I imagine it right now. We need to verify if that is all true, and now you can change the name, which then causes a DOM clobbering in the middle page of the view, which changes the config variable. That's kind of how I imagine it right now, but not quite sure, so we need to review that. It's like mind-bending. We might need a paper to draw that, to visualize this. It's like crazy, and then there are a few other scripts that I don't understand in here. So this is one thing that we need to do. The exploit is just a server that serves the data, and then there's this inner HTML here. Wait, what does he load again? He loads... so the bottom iframe is loaded to G inner, no, and G inner does what? It just iframes viewer again

English: 
like both. Wait, wait, if he iframes viewer... Okay. Yeah, I have no clue what's going on. Okay, so I don't know why it does that, and then there's this helper markdown, which is an image tag with this JavaScript, which I don't know what this is. I believe that's just to make sure that this script exists, all right, that it doesn't have to be downloaded first, basically to not wait for it, but that the browser already has it in its cache and can just serve it immediately and execute it. That's the only reason why I believe this is used, but really, not sure. And I believe the inner iframe, the iframe that this G inner HTML is loading, I believe would then be that markdown, to make sure that this script is loaded, but I'm not quite sure why. Yeah, we have that script here, and that script yet

English: 
that is then the actual leak. So I'm not quite sure how this or this JavaScript might then be... avoid paste exploit. Oh yeah, wait, wait, I think I got it. No, that must... should be part of the config now, right? So if you look at the config, it's config frame name. I'm not quite sure what the value of this config is then, like I guess this becomes clear once we look at how an iframe clobbers the JavaScript, like how the... ah, I get it. No, I think I get it, what the markdown is for. This will create two headers with that ID in markdown, and I believe that will then be part of the config.plugins config. But the other... and so this is the way how you can construct that config variable object so that it looks correct, so that then it can load that script. I believe that's how it kind of works. So how our keys involve said exactly... I believe this is the key moment.

English: 
This is where it uses the markdown, because I think the rendered markdown headers will create like an ID
automatically.
If you render this markdown, I'm not sure how
GitHub renders this, but so it creates these headers and
in my, all these anchors, and so I believe maybe
the markdown renderer on that page creates IDs that match the name, so dependencies and preload and plugins, and then
plugins is a link which has then an
href.
Yeah, that somehow, that must be it, but we will explore it. I think now I understand this chain.
But yeah,
we will explore that in a second. We go step by step and first explore like this
clobbering, I guess, so we continue trying to understand this. I just need to run really quickly to the bathroom.
I will be right back in just a minute or so, and then
we
create experiments locally and test out these few assumptions to be able to understand the puzzle pieces that make up this whole solution.

English: 
Ok, so I will be right back.
Welcome back. Thanks for playing.
Yeah, the
flag and message are still left over from the charity stream from the Blind Hacker.
I have been on there as a guest. That's why I
included that message. So if you haven't seen that yet, you can go to the Blind Hacker's
Twitch and look at the VOD. I spent like an hour explaining basics of electronics and failing.
That's also something that we explore tomorrow. Why I failed with what I was showing there, in case you're interested.

English: 
Let's do this. So how do we test this step by step? We have multiple... Okay. Wait,
wait, I need a piece of paper one second. And the first thing, just like clobber,
clobbering in general.
Organizers didn't reveal how to solve it, actually. Yes. So wait, this is also kind of interesting, so sir,
so the challenge author, I believe, or at least who has, who at least knows ways,
so after CTF you can chat with people in IRC and
people have an end, so you can ask them, so, and they will release a solution at some point, probably for sure.
But there was a discussion.
I'm not logged in and I can't look at the tweets and replies. God. Dammit. Dammit, Twitter. I
jokingly, so during the CTF,
because, ok, so
so at the
Congress CTF, it's 35C3 CTF,
there was also this web challenge, so they made this video about the XS-Leak, the cross-site leak challenge, whatever,

English: 
which you can find on LiveOverflow. That challenge was actually about a bug that was discussed on Twitter before, and I jokingly
said to my teammates,
I'm so frustrated, I might just start
reading all the tweets and responses and discussions from all the XSS and browser researchers that I know of on Twitter
for the past year and try to find things that could help, and indeed
there was a discussion that was part of the solution now. Let me quickly
try to find this, it just takes a moment. So XSS default mode is now filter mode, filters this way,
it just strips out certain parts.
You can remove scripts that you don't like, make variables defined in one script block undefined, and more, what could go wrong.
So this is this config part about abusing the XSS Auditor, and now it water edit.
You can also do DOM clobbering attacks on defined variables by undefining them using the filter.

English: 
This again is exactly this
part of this challenge. Here, you enable DOM clobbering, so the mitigation for DOM clobbering
is that you define those variables, but you can now undefine them, and now you open them up to DOM
clobbering.
And they wrote about this in April,
but at least it's going to die in Chrome 75. Chrome so bad, while you use Chrome, at least for DOM clobbering using cross-origin
iframe, and so I believe this is kind of the hint that
there is a thing going on with cross-origin iframes and clobbering the DOM and
doing that name trick that we saw in that exploit, that we need to explore in a moment.
Cross-origin? But the attacks usually are with same-origin iframes, aren't they?
Yes, most of DOM clobbering requires some DOM element injection, except one, which is going to die soon.
This person is not really

English: 
you know, like, I don't know, I'm not quite literally saying what it is.
You mean iframe?
Yeah, you mean iframes, but the attacks are restricted, but the attacks are restricted to same-origin iframes, not cross-origin.
Is that what you mean? This is exactly what we see in that write-up, right, the
iframes, you redirect an inner iframe to another
origin,
or to the same origin, to your origin, and that in that sense,
and then you are then able to set clobbering, which I wasn't aware of. I was thinking more like a boolean true instead of that.
Yeah, and then they talked a bit about other stuff.
So, yeah, so this discussion in April was
a crucial part. Ok. So let's test this. I want to see this. I want to kind of understand how this works.
So, how can we test this? We just create test HTML files?
Okay, so I just wanted to quickly test the clobbering in general, so we can do, let's do a script tag here.
Let's first, let's do here

English: 
console.log of
a variable called,
I guess we can call it already config, just to test with this,
and now we test this. To test this we just go into the
terminal and
so we get a server on
localhost. I just noticed the default serving is on 0.0.0.0, it's not localhost.
How can I do this? Can I do like this? It's fine. Okay.
Here we have our test page.
config is not defined, makes sense, right? So now the DOM clobbering, I forgot,
is it the name or is it the ID? So if we define
an ID,
does this
enable DOM clobbering? Cool. Okay. So the variable config is now
just referencing that element.

English: 
So, let's see name. Does this have the same effect? There's just no. Okay. What's name then, the effect of the property?
Okay, so you don't do this via the name?
Frame name, I guess. Okay, wait, the frame. That's very different. Oh, wait. Wait, I believe, oh, it might be children, right?
So if I have like,
let's say I have a div, can I ID
inside?
No, okay, I'm a noob. Okay. This is not how it works.
But yeah, our goal is with iframe anyway, but iframe, then it was not ID, it was name of the iframe, right?
And this gives you the window of the iframe.
Interesting.
Wow, okay, that's why this also works, okay.
So this gives you the window, and then window.something is stuff inside of that iframe.
Oh, wow, that's really powerful. So you can use the srcdoc to just define some
something inside, so we can do a div with ID X for example inside of the iframe. Okay? No, that didn't work.

English: 
Okay, so config is the window, oh, no, it worked, I don't know why config
Oh, maybe the srcdoc wasn't loaded yet when the page loaded? Okay. Yeah, so this is how it works.
Wow, okay, so see how we created this variable now through an iframe that contains a div with ID.
There's no like implicit ID, right? Is there such a thing? I don't know. All right.
When I do stuff like this, like
client-side browser, I question like everything that I know about
our browsers. I might ask the dumbest HTML questions just because it's so quirky.
GG, now get the flag. Okay. Yeah. Okay. So we understand the DOM
clobbering part in general. No. Yeah. Okay. So let's say like this website
and it's an object with X on it,

English: 
like that. Now, maybe we do a setTimeout just to make sure the srcdoc is loaded.
Okay. So now it returns lala. It's our X object,
it's our config object, the DOM clobbering didn't work. But now if we
include
this in
a fake
XSS parameter, here's something I noticed about the XSS Auditor that I found quite, because I also thought about, I
played around with it a bit.
So just like this, it is not recognized as an injection, even though it's exactly the text of our script.
This doesn't block it. It only blocks it if you add, for example, the closing tag to it. Okay? No, that didn't work.
Oh, no. No. Yeah, it stripped it. Okay, it worked.
Is it only on Chrome or works on Firefox? I would assume that this is the same, that this behavior is standard.
That feels like standard. It doesn't even have an XSS Auditor. So there's that, but ah, no, not take a screenshot.

English: 
No, now it doesn't have an XSS Auditor. So this particular attack doesn't work, and Firefox, left that.
But the DOM clobbering in general works, so you can see that, that we also, with the iframe, we clobbered
the variables.
Firefox doesn't have an XSS Auditor.
Okay, anyway, so okay. So we honestly kind of understood clobbering. Now this iframe thing, about the cross-origin thing,
this is what I'm really curious about, to test cross-origin with Chrome. Here's how I do this.
I get a second terminal real quick and
then we add, I guess, I mean,
so basically I
want to add two fake domains that are both localhost,
let's say example.com and
evil.com, so these are our two websites that are now accessible

English: 
via localhost. So let's create a new script. We call that 2.html and we create
3.html, and then you can do evil.com
3.html.
Okay, this was a fail. I
guess Chrome didn't honor
unique IPs.
I believe I have tested this before with Chrome, the web layer, like the
web layer doesn't care about that IP behind it.
That is, the origin is defined based on the hostname here. This is completely irrelevant.
What IPs are there? Oh,
I'm an idiot. There we go, port 8000.
We were hosting,
Command engineer, you are saying so, we're hosting on IP, that reminded me that we added a ton port.

English: 
It doesn't know. Ok. So now we have basically two different domains
that we can test this iframing with. First of all, example.com.
Ok, let's make another harmless, just like a random,
well, let's call it maybe 2_1.
Ok, so now let's see, the idea is now, the attack idea is
that we want to clobber the config of this page here. We can't directly do this
because we have no injection here,
but what we can do is
we can iframe this page
inside of, from our evil domain, like evil. It's just our website, we can control this. So what we do here now is we
iframe example.com,
the 2,
ok, so now our
evil website is iframing example, which iframes itself, and now let's see what

English: 
we can do with this. So now we are, so if you didn't know, in the JavaScript console you can
say, you can define in which context you want to execute JavaScript. So if you want to execute this on the
on 2.html, so this is the,
the, our example page, obviously there is config.
Ok, so this is the HTML world of that one.
But our top, this is our website that we control, and there's obviously no config. Ok,
so but now the idea is that
document or frames? No, window, window.frames.
Okay, so
frames, so there's the first, we get our iframe.
So this should be the first iframe. Can we access its location?
No, we cannot read the location, I believe.
Oh, it's just ok. So we are not allowed to read the location. Why is this important?
I don't know the historical reasons, but I believe the reason for that is that sometimes websites include, for example,

English: 
the session token in the parameters, or the params in general. Sometimes there's secret stuff in the parameters
that you don't want to leak,
but if you could iframe another site and then read the URL, you might be able to
steal that from the URL, right? So it's important that the same-origin policy
prevents us from reading the location, the correct URL,
of the, I believe that's how I explain this to myself.
However, it's writable, so we should be able to assign a different page to it, and we can redirect it for example to
HTTP
evil.com port 8000 slash,
let's make also another evil site here, so
3, let's go on,
so if we do this to 3_1.html

English: 
then this should work. So we are allowed to redirect that page. We are just allowed,
we are allowed to assign, but we are not allowed to read the location. Okay, cool. So now apparently what you can do is
from inside of that frame,
so window,
yeah, it is already the window object. You can access its frames,
apparently, so now this should be theoretically the child frame.
So we do this twice, we go to frames zero.
Yeah, okay. So now we're redirected, as you can see,
evil, we redirected the inner iframe. So this is a lot, and so now let's see if we would try,
okay, so this is the one code, so we need to remember this. Okay?
So the next thing is, are we allowed to change the
name
of this iframe? No, we are not allowed to modify the frame's name

English: 
because cross-origin, but which origin is it blocked because of?
The first layer here, because this is the iframe,
so we access the iframe of this layer, or is it because the child
that it belongs to is not allowed to change its name?
So the idea is apparently now, if we change the location to our domain, now
this inner child and our outer thing is the same origin. So this outer should be allowed to access
the inner frame's
document,
so see how
children,
see how we are allowed to,
so
you are not allowed to access the children of this one.
Oh, this, wind Omega says, I hope this is not too confusing.
So window is our evil site, frames zero is our example.com.

English: 
So if we would try to access the document of the site that we have iframed, for example, that is blocked by
the same-origin policy, but
example.com now iframes our domain again, so frames of
that is
allowed, so we can access our own domain's content, so we can access inside of there, and now
the idea is, so after we change,
we redirect, you know, one now, we should be allowed to change the name
to
asd, and
that should be,
this changed now the name. And now if we go inside of example.com,
so now we are in the context of example.com,
so in here we have the config, if you remember. If we access now asd, we access the frame's name. We, like,
through that, we clobbered now the variable JavaScript space of

English: 
example.com, even though we have no direct access to it. And so now it makes sense,
right, if we DOM clobber a config away. So let's say we are iframing,
let's see what we need to be able to clobber that away. So let's go here again,
take this whole thing and add that as an XSS,
so now the exact frame blocked the config, so inside of example, so we change to
context, we are inside there. There's no config now anymore, but if we now execute basically the attack, we
change the location,
we add the name config,
now,
if we go on the side's button, okay, it doesn't do anything.
Okay, wait, maybe we redid the handler from the click enter, but doesn't matter.
So now we are in example context, and now there should be config again.
So config exists now again, isn't that cool? Cool. Okay, so this is awesome.
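A defensive check for the pattern just demonstrated, as an added example that is not part of the stream or the challenge code: it rejects a global `config` that was clobbered by an element id, by an iframe (window) name, or left undefined after the auditor stripped its definition, and only accepts same-origin plugin URLs. The hypothetical `checkPluginConfig` function, the element-like and window-like stand-ins and the example.com/evil.com origins from the stream's lab setup are constructed for this example.

```javascript
'use strict';
// Added example (not the stream's or the challenge's own code): a check a page
// can run before trusting a global `config` that drives script loading.
// The bad cases mirror what the stream reproduced:
//  - <div id="config">                     -> the global resolves to an Element
//  - nested iframe renamed to "config"     -> the global resolves to a WindowProxy
//  - defining <script> stripped by auditor -> the global is undefined
// The DOM-like values below are constructed stand-ins so this runs under Node.

function isPlainObject(value) {
  // In a real browser a cross-origin WindowProxy has a null prototype and an
  // Element has HTMLElement.prototype, so both already fail this test.
  return value !== null && typeof value === 'object' &&
    Object.getPrototypeOf(value) === Object.prototype;
}

// Classifies a clobbered value only to produce a useful rejection reason:
// a WindowProxy exposes frames/postMessage, an Element exposes nodeType.
function clobberKind(value) {
  if (value === null || typeof value !== 'object') return null;
  if ('postMessage' in value && 'frames' in value) return 'window (iframe name)';
  if ('nodeType' in value || typeof value.namedItem === 'function') return 'element (id/name)';
  return null;
}

// Validates `globalScope.config` and returns the absolute, same-origin plugin
// URLs that may be loaded, or the reason the config must be rejected.
function checkPluginConfig(globalScope, pageOrigin) {
  const cfg = globalScope.config;
  if (cfg === undefined) {
    return { ok: false, reason: 'config missing: defining script absent or stripped' };
  }
  const kind = clobberKind(cfg);
  if (kind !== null) return { ok: false, reason: `config clobbered by ${kind}` };
  if (!isPlainObject(cfg) || !Array.isArray(cfg.plugins)) {
    return { ok: false, reason: 'config has unexpected shape' };
  }
  const urls = [];
  for (const entry of cfg.plugins) {
    if (typeof entry !== 'string') return { ok: false, reason: 'plugin entry is not a string' };
    let url;
    try {
      url = new URL(entry, pageOrigin);
    } catch (e) {
      return { ok: false, reason: `invalid plugin URL: ${entry}` };
    }
    // Refuse to inject scripts from any other origin (e.g. the attacker's).
    if (url.origin !== pageOrigin) return { ok: false, reason: `plugin not same-origin: ${entry}` };
    urls.push(url.href);
  }
  return { ok: true, urls };
}

// Constructed stand-ins for the window of example.com (port as in the stream).
const PAGE_ORIGIN = 'http://example.com:8000';
class FakeElement { constructor(id) { this.nodeType = 1; this.id = id; } }
class FakeWindowProxy {
  constructor(name) { this.name = name; this.frames = []; }
  postMessage() {}
}

const SAMPLES = {
  legit:    { config: { plugins: ['/plugins/markdown.js', 'helper.js'] } },
  byId:     { config: new FakeElement('config') },        // <div id="config">
  byName:   { config: new FakeWindowProxy('config') },    // inner frame renamed to "config"
  stripped: {},                                           // auditor removed the defining script
  offsite:  { config: { plugins: ['http://evil.com:8000/plugin.js'] } },
};

for (const [label, win] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(9), JSON.stringify(checkPluginConfig(win, PAGE_ORIGIN)));
}
```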

English: 
So what we just learned is how we can clobber variables. That was fine.
We can use the XSS Auditor to disable variables that were already set, and we can abuse nested iframes,
where we redirect an internal iframe to our domain, then we can access the name and we can clobber the context.
So now for the CTF challenge that means
we can iframe a view,
we can redirect the inner iframe to our domain,
the iframed view needs the config to be disabled by the auditor, we
then change the name of the iframe, which clobbers the config, and then comes the other part of the challenge, to trigger the
re-rendering. You need to be able, and that's I think the other thing, I need are
Traffic flows sublime. And so if you look at the code, so render, so this is renderer, the renderer

English: 
sends a message from the content window, a postMessage,
to render again, and then we have this on
message handler, which is
here. It receives that message. It removes its child ports.
I don't know. This is not what we want. This is not the real rendering, I believe.
Oh, yeah, I believe it is triggered on an error,
so if the parent receives an error message,
so if the child iframe, like the sample's
iframe, sends an error message up to the main page,
then it will init and load the plugins again and will trigger the
looking again at the config and loading those scripts and then executing them. And how do you trigger this?
So this was the other thing, it just is an event listener for message.
So I believe, so we can test this, I guess, really quick.
Can this also be accessed? The idea would be,

Let's go to all, I guess, here now. Let's make a new one. Okay. Yeah, so this is the next point, so postMessage. Oh, thanks for the Twitch Prime, Brian t PG stream. Okay, so we... pastetastic. Okay, so Mozilla postMessage, I forgot how to do postMessage. I would just want to copy and paste it. Okay, so this is that window, and now on there is a postMessage, and then the first message. So if we basically... I want to test out sending that error message, so we need an event object that has data that has a type, and so now we go into the sources of the pastetastic website,

Fjs, and we set a breakpoint at the message receiving. So let's trigger this again. Doesn't do sheet... it needs the origin, okay, so wait, I would then add the origin, so the origin would be... Oh. Yeah, okay, well, okay, so now we are in here, and then we can... because the data is exactly what we came in with. So this would now execute init and load script. Okay. So this is how we can re-trigger this. So if we, just as a test... I'm overriding now; config is still, like, fine, right? config is our variable. We didn't do any attack on here. I just want to replace it with something else, because it will trigger some errors, I assume. So if we let this run...

Yeah, "cannot read property 0 of..." so this triggers a re-rendering and then fails when it wants to access config.viewer here. So this is how the other, the evil side, can... after all the clobbering is done and the changing of the iframe, it can re-trigger the rendering now, loading the plugins. The loading of the plugins would load, download your script, would eval that script inside of the sandbox, and that eval sandbox, it's just a script, can then send back the cookie. This should be the whole solution of this challenge. I'm curious why this exploit does not work then, because based on all of that, all of this should have worked, and I'm really curious why apparently this has not worked, why this has only worked locally while ykt wasn't able to exploit it. But yeah, this is good enough for me. No, no. No, it's... go ahead. It's ok. Oh, they finished 30 minutes late. Ok, awesome.
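To make the defensive side of the trick above concrete, here is an added illustration (not code from the stream, the pastetastic challenge, or its authors) of a window "message" handler that re-initialises a viewer when a child frame reports an error. It shows the trusting shape described above, where any window that can post to the page forces a re-render and the handler reads whatever `config` currently is, next to a hardened version that checks the sender's origin, the message shape, and that the configuration is a plain object with plugin URLs on the trusted origin rather than a string that came out of `window.name` or a clobbered global. The names `TRUSTED_ORIGIN`, `isSaneConfig`, `handleMessageTrusting`, `handleMessageHardened` and all sample events and configs are assumptions constructed for the example; it runs under Node without a browser.

```javascript
// Added example, not code from the stream or the pastetastic challenge.
// All names and sample values below are assumptions constructed for illustration.

const TRUSTED_ORIGIN = "https://viewer.example"; // assumed origin of the legitimate child frame

// A configuration is only acceptable if it is a plain object (not a string
// that came out of window.name, not a DOM element or other object that
// shadowed a global) and every plugin URL points at the trusted origin.
function isSaneConfig(config) {
  if (config === null || typeof config !== "object") return false;
  if (Object.getPrototypeOf(config) !== Object.prototype) return false;
  if (!Array.isArray(config.plugins)) return false;
  return config.plugins.every((url) => {
    try {
      return new URL(url).origin === TRUSTED_ORIGIN;
    } catch (_) {
      return false; // not even a parseable URL
    }
  });
}

// Trusting handler, as sketched in the stream: any window that can post to
// this one can send {type: "error"} and make init/loadPlugins run again,
// and the handler uses whatever `config` currently holds.
function handleMessageTrusting(event, currentConfig) {
  if (event.data && event.data.type === "error") {
    const plugins = (currentConfig && currentConfig.plugins) || [];
    return { action: "rerender", plugins };
  }
  return { action: "ignore", plugins: [] };
}

// Hardened handler: verify the sender's origin, the message shape and the
// configuration before doing anything that loads or executes scripts.
function handleMessageHardened(event, currentConfig) {
  const ignore = { action: "ignore", plugins: [] };
  if (event.origin !== TRUSTED_ORIGIN) return ignore;
  if (!event.data || typeof event.data !== "object") return ignore;
  if (event.data.type !== "error") return ignore;
  if (!isSaneConfig(currentConfig)) return ignore;
  return { action: "rerender", plugins: currentConfig.plugins };
}

// Constructed sample events and configs (not captured from the challenge).
const legitimateEvent = { origin: TRUSTED_ORIGIN, data: { type: "error" } };
const foreignEvent = { origin: "https://other.example", data: { type: "error" } };
const goodConfig = { plugins: ["https://viewer.example/plugins/highlight.js"] };
const clobberedConfig = { plugins: ["https://other.example/plugin.js"] };

console.log("trusting, foreign sender:", handleMessageTrusting(foreignEvent, clobberedConfig));
console.log("hardened, foreign sender:", handleMessageHardened(foreignEvent, clobberedConfig));
console.log("hardened, trusted sender, bad config:", handleMessageHardened(legitimateEvent, clobberedConfig));
console.log("hardened, trusted sender, good config:", handleMessageHardened(legitimateEvent, goodConfig));
```

The point of passing `currentConfig` in explicitly is that the handler no longer depends on a global that an iframe name or an injected element can shadow; the origin check is what stops an unrelated window from retriggering the re-render in the first place.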

Ok, yeah, cool. So I'm quite satisfied with that work right now. I might want to just, like, execute a full exploit at some point myself, but I wanted to take you along in a post-CTF kind of way. Like, you know, you play the CTF, which is great; you learn during the CTF, you explore stuff and you get stuck. This post-CTF is equally as important: to revisit the challenges that you failed, or that you are just interested in, and then looking at write-ups to the degree that you feel like. And so I feel really good now about pastetastic. I feel like I completely understood how this challenge has worked, and I got now the experience of these couple of, like, tricks that were abused to make this whole thing work. And so this is how I basically feel now, very confident about this particular challenge, right?

So this is, so I did now my part of the post-CTF write-up thing for this challenge, so I'm quite happy with that. Anyway, the recording of the stream is, as always, available on Twitch. You can go up in the tabs on videos if you have joined later and you want to see how we have been working through some of these challenges. You can just check out the recording. It will also be made available in a more condensed version on the LiveOverflow two YouTube channel, where there are highlights uploaded of the Twitch streams. Actually, this post-CTF talk I might even upload to the main channel, just because it is relevant to the main channel, so I consider doing that. Yeah, thanks so much for hanging out with me. Thanks for also playing, I guess, the CTF. Good job. And see you then tomorrow for another... probably, probably tomorrow, probably also again in the later hours,

similar to today, hopefully maybe a bit earlier. Who knows? No promises, but we will continue building the 8-bit computer, which we have neglected today. So thanks so much, and see you tomorrow. Have a great evening. Bye. Bye.
