Chaining Script Gadgets to Full XSS - All The Little Things 2/2 (web) Google CTF 2020

In the second part we are building on top of what we have learned. We figure out how to craft something special out of a very limited script gadget. Eventually we can use it to leak the secret notes ID and notes content. Part 1:    • Failed DOM Clobbering Research - All The L...   Challenge: https://capturetheflag.withgoogle.com... Pasteurize:    • XSS a Paste Service - Pasteurize (web) Goo...   00:00 - Recap Part 1 00:20 - Start of the Attack Chain 00:54 - Control the Theme Callback 02:29 - Prior JSONP Capability Research 04:40 - innerHTML Breakthrough 06:13 - Content Security Policy Fail 07:19 - iframe CSP Bypass 08:31 - The Solution 10:09 - Chaining Three Gadgets 11:34 - Researching Cool XSS Techniques 12:00 - Solving the Challenge 13:25 - Outro =[ ❤️ Support ]= → per Video:   / liveoverflow   → per Month:    / @liveoverflow   =[ 🐕 Social ]= → Twitter:   / liveoverflow   → Website: https://liveoverflow.com/ → Subreddit:   / liveoverflow   → Facebook:   / liveoverflow