Evan J Johnson ejcx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "log" | |
| "net/http" | |
| "os" | |
| "github.com/gorilla/sessions" | |
| ) |
ejcx
/ goodAuthPatternAndUnauth.go
Last active
January 2, 2016 23:47
Go Authentication Design Pattern
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "log" | |
| "net/http" | |
| "os" | |
| "github.com/gorilla/sessions" | |
| ) |
ejcx
/ onebigfavicon.go
Last active
February 29, 2016 04:40
Go program that makes a webserver with an infinitely large favicon.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "crypto/rand" | |
| "fmt" | |
| "log" | |
| "net/http" | |
| ) | |
| func main() { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var total = ""; | |
| for( var i = 0; i < 100000; i++ ) { | |
| total = total + i.toString(); | |
| history.pushState(0,0, total ); | |
| } |
ejcx
/ stripe.curl
Created
February 23, 2016 06:24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| root@ejjio:/var/www/breaking-sop# curl https://api.stripe.com -I | |
| HTTP/1.1 401 Unauthorized | |
| Server: nginx | |
| Date: Tue, 23 Feb 2016 06:23:25 GMT | |
| Content-Type: application/json | |
| Content-Length: 342 | |
| Connection: keep-alive | |
| Access-Control-Allow-Credentials: true | |
| Access-Control-Allow-Methods: GET, POST, HEAD, OPTIONS, DELETE | |
| Access-Control-Allow-Origin: * |
ejcx
/ abcnews.go.com
Created
February 23, 2016 06:35
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| root@ejjio:/var/www/breaking-sop# curl abcnews.go.com -H "Origin: http://abcnews.go.com.ej.cx" -I | |
| HTTP/1.1 200 OK | |
| Server: Apache-Coyote/1.1 | |
| X-UA-Compatible: IE=edge,chrome=1 | |
| Content-Type: text/html;charset=utf-8 | |
| X-VG-WebCache: 164 | |
| Cache-Control: max-age=60 | |
| Content-Length: 151796 | |
| Accept-Ranges: bytes | |
| Date: Tue, 23 Feb 2016 06:34:49 GMT |
ejcx
/ nottrue.jpg
Created
February 23, 2016 23:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ~ vagrant :) curl ruben.verborgh.org -I -H "Origin: http://ej.cx" | |
| HTTP/1.1 200 OK | |
| Server: nginx/1.2.0 | |
| Date: Tue, 23 Feb 2016 23:04:16 GMT | |
| Content-Type: text/html; charset=utf-8 | |
| Content-Length: 14887 | |
| Last-Modified: Tue, 16 Feb 2016 13:23:48 GMT | |
| Connection: keep-alive | |
| Vary: Accept-Encoding | |
| Expires: Wed, 24 Feb 2016 00:04:16 GMT |
ejcx
/ trickery.sh
Last active
April 27, 2019 06:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| root@ejjio:/var/www/misconfigured-cors# curl -H "Origin: https://ejj.io.evil.com" https://ejj.io -I | |
| HTTP/1.1 200 OK | |
| Server: cloudflare-nginx | |
| Date: Wed, 24 Feb 2016 06:47:21 GMT | |
| Content-Type: text/html | |
| Set-Cookie: PHPSESSID=sd7ejaf2lufukhq7se49lmsg76; path=/ | |
| Expires: Thu, 19 Nov 1981 08:52:00 GMT | |
| Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 | |
| Access-Control-Allow-Origin: https://ejj.io.evil.com | |
| Access-Control-Allow-Credentials: true |
ejcx
/ respirator.go
Last active
April 27, 2019 07:10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "bufio" | |
| "encoding/json" | |
| "fmt" | |
| "log" | |
| "os" | |
| "strings" | |
| ) |
ejcx
/ cors-scanner.sh
Last active
July 15, 2020 08:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| while read -r domain | |
| do | |
| # Remember. Account for the fact that some sites don't exist on HTTP | |
| # And others don't exist on HTTPS. Prune later. | |
| curl -I "https://$domain" --max-time 3 -H "Origin: https://$domain.evil.com" | ./respirator& | |
| curl -I "http://$domain" --max-time 3 -H "Origin: http://$domain.evil.com" | ./respirator& | |
| done < "top1mdomains" |