package main

import (
	"log"
	"net/http"
	"os"

	"github.com/gorilla/sessions"
)
package main

import (
	"crypto/rand"
	"fmt"
	"log"
	"net/http"
)

func main() {
var total = "";
for (var i = 0; i < 100000; i++) {
	total = total + i.toString();
	history.pushState(0, 0, total);
}
root@ejjio:/var/www/breaking-sop# curl https://api.stripe.com -I
HTTP/1.1 401 Unauthorized
Server: nginx
Date: Tue, 23 Feb 2016 06:23:25 GMT
Content-Type: application/json
Content-Length: 342
Connection: keep-alive
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, HEAD, OPTIONS, DELETE
Access-Control-Allow-Origin: *
root@ejjio:/var/www/breaking-sop# curl abcnews.go.com -H "Origin: http://abcnews.go.com.ej.cx" -I
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=edge,chrome=1
Content-Type: text/html;charset=utf-8
X-VG-WebCache: 164
Cache-Control: max-age=60
Content-Length: 151796
Accept-Ranges: bytes
Date: Tue, 23 Feb 2016 06:34:49 GMT
~ vagrant :) curl ruben.verborgh.org -I -H "Origin: http://ej.cx"
HTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Tue, 23 Feb 2016 23:04:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 14887
Last-Modified: Tue, 16 Feb 2016 13:23:48 GMT
Connection: keep-alive
Vary: Accept-Encoding
Expires: Wed, 24 Feb 2016 00:04:16 GMT
root@ejjio:/var/www/misconfigured-cors# curl -H "Origin: https://ejj.io.evil.com" https://ejj.io -I
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Wed, 24 Feb 2016 06:47:21 GMT
Content-Type: text/html
Set-Cookie: PHPSESSID=sd7ejaf2lufukhq7se49lmsg76; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Access-Control-Allow-Origin: https://ejj.io.evil.com
Access-Control-Allow-Credentials: true
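The transcripts above show three different CORS outcomes for an untrusted Origin: no Access-Control-Allow-Origin at all (abcnews, ruben.verborgh.org), a wildcard with credentials (api.stripe.com, which browsers refuse to honour for credentialed requests), and the bad case on ejj.io, where the supplied origin is echoed back together with Access-Control-Allow-Credentials: true, so any page could read an authenticated response. The Go program below is an added example, not one of the gists on this page: it parses a `curl -I` response head into an http.Header, classifies the CORS policy the server applied to the probed origin, and shows the exact-match allowlist a server should use instead of a suffix or prefix check on the Origin string. The sample header block is constructed from the ejj.io transcript, and the allowlist contents and function names are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// sampleHead is a constructed sample: the response head from the ejj.io
// transcript above, trimmed to the headers that matter for the verdict.
const sampleHead = `HTTP/1.1 200 OK
Server: cloudflare-nginx
Content-Type: text/html
Access-Control-Allow-Origin: https://ejj.io.evil.com
Access-Control-Allow-Credentials: true
`

// parseHead converts raw `curl -I` output into an http.Header. The status
// line is skipped and header names are canonicalised by http.Header.Add.
func parseHead(raw string) http.Header {
	h := http.Header{}
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			break // end of the header block
		}
		if strings.HasPrefix(line, "HTTP/") {
			continue // status line
		}
		name, val, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		h.Add(strings.TrimSpace(name), strings.TrimSpace(val))
	}
	return h
}

// corsVerdict classifies the CORS policy a server applied to probeOrigin,
// the Origin value that was sent in the request.
func corsVerdict(probeOrigin string, h http.Header) string {
	acao := h.Get("Access-Control-Allow-Origin")
	creds := strings.EqualFold(h.Get("Access-Control-Allow-Credentials"), "true")
	switch {
	case acao == "":
		return "none" // same-origin policy applies, no cross-origin read
	case acao == "*":
		// Browsers refuse credentialed requests to a "*" origin, so pairing it
		// with ACAC: true (the api.stripe.com case) is inert, not exploitable.
		return "wildcard"
	case acao == probeOrigin && creds:
		// The server echoed an origin it does not own and allowed cookies:
		// any site could read authenticated responses.
		return "reflected-with-credentials"
	case acao == probeOrigin:
		return "reflected"
	default:
		return "fixed-origin"
	}
}

// allowedOrigins is an assumed exact-match allowlist; a suffix or prefix
// check on the Origin string is what produces the reflected verdict above.
var allowedOrigins = map[string]bool{
	"https://ejj.io": true,
}

// corsHeaders returns the headers to emit for a request Origin, or nil when
// the origin is not allowlisted: in that case emit no ACAO at all.
func corsHeaders(origin string) http.Header {
	if !allowedOrigins[origin] {
		return nil
	}
	h := http.Header{}
	h.Set("Access-Control-Allow-Origin", origin)
	h.Set("Access-Control-Allow-Credentials", "true")
	h.Set("Vary", "Origin") // keep caches from serving one origin's ACAO to another
	return h
}

// withCORS wraps a handler with the allowlist policy above.
func withCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, vs := range corsHeaders(r.Header.Get("Origin")) {
			for _, v := range vs {
				w.Header().Add(k, v)
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	h := parseHead(sampleHead)
	fmt.Println("verdict:", corsVerdict("https://ejj.io.evil.com", h))
	fmt.Println("allowlisted:", corsHeaders("https://ejj.io") != nil,
		"attacker:", corsHeaders("https://ejj.io.evil.com") != nil)
	_ = withCORS
}
```

Feed `corsVerdict` the same Origin value you sent in the probe; only an exact echo of that value counts as reflection. On the server side, `corsHeaders` deliberately returns nothing for unknown origins rather than a fallback value, and sets `Vary: Origin` so a shared cache cannot replay one origin's allow header to another.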
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"log"
	"os"
	"strings"
)
#!/bin/sh
while read -r domain
do
	# Remember. Account for the fact that some sites don't exist on HTTP
	# And others don't exist on HTTPS. Prune later.
	curl -I "https://$domain" --max-time 3 -H "Origin: https://$domain.evil.com" | ./respirator &
	curl -I "http://$domain" --max-time 3 -H "Origin: http://$domain.evil.com" | ./respirator &
done < "top1mdomains"