Cure53 cure53

View XSS Protection in 5 common contexts
<?php
/**
* XSS protection function for HTML context only
* @usecases
* <title>use this function if output reflects here or as a content of any HTML tag.</title>
* e.g., <span>use this function if output reflects here</span>
* e.g., <div>use this function if output reflects here</div>
* @description
* Sanitize/Filter < and > so that an attacker cannot leverage them for JavaScript execution.
@cure53
cure53 / scriptlet.md
Last active Sep 2, 2019
The Scriptless Scriptlet - Or how to execute JavaScript from CSS in MSIE11 without using Scripts

The Scriptless Scriptlet

Or how to execute JavaScript from CSS in MSIE11 without using Scripts

Stop! This text is only interesting for you if you...

  • Like popping alerts in weird situations
  • Miss CSS expressions as much as we do
  • Have an unhealthy obsession for markup porn

Introduction

@cure53
cure53 / wasm.md
Last active Nov 18, 2019
Calling alert from WASM

Calling alert from WebAssembly (WASM)

This very simple and minimal tutorial documents, in a few easy steps, how to play with WebAssembly (WASM) and get first results within minutes.

While the code below is mostly useless, it shows how to call the alert function from within a WASM file and thus demonstrates how to import and export DOM objects.

Of course, this exercise has no real use. It is just meant to show that getting started with WASM isn't hard. There is no need for a complex build chain, tons of tools or a dedicated VM. Just use a browser and one online tool, and that's it.

And Now?

@cure53
cure53 / wordpress2.md
Last active Oct 19, 2017
WordPress SOME bug in plupload.flash.swf
@cure53
cure53 / wordpress.md
Last active Jul 20, 2018
WordPress Flash XSS in flashmediaelement.swf
@cure53
cure53 / 1266386.md
Last active Mar 26, 2018
OTF+SVG allows to read info character by character with only a STYLE injection through XEE & timing


Intro

Mozilla Firefox supports a feature that allows SVG images to be defined inside an OTF font to represent characters. This is useful if, for example, we want to work with colorful characters, Emoji, animated characters and so on. Firefox is currently the only relevant browser supporting this technology.

The general technology and its advantages are described here:

View keybase.md

Keybase proof

I hereby claim:

  • I am cure53 on github.
  • I am cure53 (https://keybase.io/cure53) on keybase.
  • I have a public key whose fingerprint is F98B 0EC1 8640 2F60 292C 5877 C26C 8580 90F7 0ADA

To claim this, I am signing this object:
