h0wl
@rongarret
rongarret / gist:d8987c9cd57bd768e1de
Last active August 29, 2015 14:17
Safari FILE: scheme security hole
It appears that Safari does not enforce any kind of access
restrictions for XMLHttpRequests on FILE: scheme URLs. As a
result, any HTML file on the local file system that is opened in
Safari can read any file that the user has access to (and, of
course, it can upload those files too). Here's a little
proof-of-concept. Copy and paste this into a local HTML file and
open it in Safari. It will display the contents of /etc/passwd.
<script src=https://code.jquery.com/jquery-2.1.3.min.js></script>
<script>
$.get('file:///etc/passwd', function (data) { $('body').text(data); }); // body completed from the description above
</script>
@hugsy
hugsy / screenshot_browser.py
Last active December 27, 2015 01:28
Headless browser screenshotter
#!/usr/bin/env python2
import os
import sys
import time
import subprocess
try:
    from pyvirtualdisplay import Display
except ImportError:
    # Xvfb wrapper is required for the headless display; bail out with a hint.
    sys.exit("missing dependency: pip install pyvirtualdisplay")

Looking into Gecko's localStorage

This is the December 14 entry of the Firefox OS Advent Calendar 2013.

Hello, I'm nishimunea. This article introduces Gecko's implementation of localStorage. Since I'm interested in the security field, I'd like to dig into how access control for the stored data is implemented.

What is localStorage?

#! /usr/bin/env ruby
# Pollinate ONE sync dir from each target into all other
# targets fuzzing the same format. Assumes that work
# dirs are named as by github.com/bnagy/afl-launch.
#
# Each target syncs inside its own directory already,
# so copying any of the sync dirs works. It is possible
# that you'll miss some stuff, but it saves N * (N-1) syncs.
#
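
The header above describes the copy scheme but the listing cuts off before the code. The following is an added example, not bnagy's script: it implements that scheme against a directory layout that is assumed here to be `<root>/<target>/<target>-<instance>/queue/...` (afl-launch style names are assumed, not verified), copying one instance dir per target into every other target's output dir so their AFL instances pick it up on their next sync. The sample work tree is constructed inline so the script runs offline.

```ruby
#!/usr/bin/env ruby
# Added example: cross-pollinate AFL sync dirs between targets fuzzing the
# same format. Assumed layout: <root>/<target>/<target>-<instance>/queue/...
require 'fileutils'
require 'tmpdir'

# Per-instance sync dirs of one target, sorted so the pick is deterministic.
def instance_dirs(root, target)
  Dir.glob(File.join(root, target, "#{target}-*")).select { |d| File.directory?(d) }.sort
end

# Copy ONE instance dir from every target into every other target's output
# dir. Returns the [src, dst] pairs copied: N * (N-1) copies for N targets.
def pollinate(root, targets)
  copies = []
  targets.each do |src_target|
    src = instance_dirs(root, src_target).first
    next unless src # this target has not produced a sync dir yet
    targets.each do |dst_target|
      next if dst_target == src_target
      dst = File.join(root, dst_target, File.basename(src))
      FileUtils.rm_rf(dst) # replace a stale copy from an earlier run
      FileUtils.cp_r(src, dst)
      copies << [src, dst]
    end
  end
  copies
end

# Constructed work tree so the example runs offline; returns its root.
# png_a has two instances, png_b one; each queue holds one test case.
def build_sample_tree
  root = Dir.mktmpdir('afl-pollen')
  { 'png_a' => 2, 'png_b' => 1 }.each do |target, n|
    n.times do |i|
      q = File.join(root, target, "#{target}-S#{i}", 'queue')
      FileUtils.mkdir_p(q)
      File.write(File.join(q, "id:00000#{i}"), "#{target} case #{i}")
    end
  end
  root
end

if __FILE__ == $0
  root = build_sample_tree
  pollinate(root, %w[png_a png_b]).each { |s, d| puts "#{s} -> #{d}" }
end
```

Only the first instance dir of each target is copied, which is the "ONE sync dir" trade-off the header mentions: queue entries that never reached that instance's queue are missed, but the cost is linear in the number of targets rather than a full all-pairs sync.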

How HTML Injection Is Bad on Firefox OS

This is the December 20 entry of both the "Firefox OS Advent Calendar 2014" and the "脆弱性"&'<<>\ Advent Calendar 2014".

I'd like to introduce the Firefox OS HTML injection bug (Bug 1101158) that I reported last month. This bug is not yet fixed in some environments, including the Firefox OS Simulator, but after a risk assessment Mozilla gave permission to publish it just today (!!), so here it is.

HTML Injection on Firefox OS (Bug 1101158)

Firefox OS v2.1/v2.2 had a spot where HTML injection was possible in the card view, which is displayed when the device's home button is long-pressed. The card view is the feature that lists the active windows, but it did not take into account that a window title might contain HTML tags.

<!DOCTYPE HTML>
<html>
<script>
function t()
{
var s="\n";
var elements=new Array("a","abbr","acronym","address","applet","area","article","aside","audio","b","base","basefont","bdi","bdo","big","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","command","datalist","dd","del","details","dfn","dir","div","dl","dt","em","embed","fieldset","figcaption","figure","font","footer","form","frame","frameset","h1","h2","h6","head","header","hgroup","hr","html","i","iframe","img","input","ins","kbd","keygen","label","layer","legend","li","link","listing","main","map","mark","marquee","menu","meta","meter","nav","nobr","noembed","noframes","nolayer","noscript","object","ol","optgroup","option","output","p","param","plaintext","pre","progress","q","rp","ruby","rt","s","samp","script","section","select","small","source","span","strike","strong","style","sub","summary","sup","table","tbody","td","textarea","tfoot","th","thead","title","tr","track","tt","u","ul","v
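
The bug described above is the classic pattern of a page-controlled string (the window title) being concatenated into markup. The block below is an added example, not Gaia code and not the PoC from the post: it models that pattern as a vulnerable renderer beside a hardened one, with a helper that reports which tags in the rendered fragment the renderer did not emit itself. Gaia's real card view is JavaScript; the pattern is modelled here in Ruby, and the hostile title is constructed.

```ruby
# Added example (not Gaia code): card-view title rendering, vulnerable vs. hardened.
require 'erb'

# Vulnerable: the window title goes straight into the markup string, so a page
# whose <title> contains tags gets them parsed as tags by the card view.
def render_card_unsafe(title)
  %(<div class="card"><h1 class="title">#{title}</h1></div>)
end

# Hardened: the title is HTML-escaped, so it can only ever be text.
def render_card_safe(title)
  %(<div class="card"><h1 class="title">#{ERB::Util.html_escape(title)}</h1></div>)
end

# Tag names present in a fragment other than the ones the renderer emits itself.
def injected_tags(html)
  ours = %w[div h1]
  html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.uniq - ours
end

# Constructed hostile title, as a malicious page would set via <title>.
HOSTILE_TITLE = 'News<img src=x onerror="alert(1)">'.freeze

if __FILE__ == $0
  puts render_card_unsafe(HOSTILE_TITLE)
  puts render_card_safe(HOSTILE_TITLE)
end
```

In DOM code the equivalent fix is to assign the title with `textContent` rather than `innerHTML`; escaping is only needed when markup is built as a string, as modelled here.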
Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *

Cross-origin Data leakage in Chrome

This is the December 19 entry of the "脆弱性"&'<<>\ Advent Calendar 2015".

This article introduces CVE-2015-6759, which was fixed in Chrome 46. I also presented this vulnerability at AVTOKYO 2015 last month, so some of you may already know it.

The vulnerability combines two special kinds of URL, data: and blob:, to make Chrome misjudge the origin, with the result that data in file: scheme localStorage can be read from the network. If a user stores sensitive information such as tokens in file: scheme localStorage, that information is stolen simply by opening a malicious link.

The mechanism of this vulnerability is somewhat involved, so I'll explain it step by step, starting from the properties of data: URLs and blob: URLs. Readers already familiar with those may skip the first half.

@cure53
cure53 / 1266386.md
Last active May 30, 2020 17:55
OTF+SVG allows reading info character by character with only a STYLE injection through XEE & timing

Intro

Mozilla Firefox supports a feature that allows defining SVG images inside an OTF font to represent characters. This is useful if, for example, we want to work with colorful characters, Emoji, animated characters and so on. Firefox is currently the only relevant browser supporting this technology.

The general technology and its advantages are described here:

@mubix
mubix / brutedns.rb
Created February 20, 2014 04:55
Iteratively brute-forces DNS hostnames
#!/usr/bin/env ruby
#
## Brute code stolen from: https://gist.github.com/petehamilton/4755855
#
@domain = 'contoso.com'
# Run dig with an argv array rather than a shell string so wordlist entries cannot inject commands.
def result?(sub)
  results = IO.popen(['dig', '+noall', "#{sub}.#{@domain}", '+answer'], &:read)
  !results.strip.empty?
end
# Read candidate labels from a wordlist (file argument or stdin); print the ones that resolve.
ARGF.each_line do |line|
  sub = line.strip
  puts "#{sub}.#{@domain}" if !sub.empty? && result?(sub)
end
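
The script above accepts any label for which dig prints an answer, which on a zone with a wildcard record marks every word in the list as a hit, and it does not descend into the names it finds despite the "iteratively" in its description. The block below is an added example, not mubix's gist: it takes the resolver as a parameter (the system-DNS one is provided, a constructed zone is used for the offline run), checks a random label under each parent to detect wildcards, and recurses into each hit up to a fixed depth. The zone, addresses and depth limit are assumptions for the demonstration.

```ruby
# Added example (not the gist above): iterative DNS brute force with a
# pluggable resolver and a wildcard check. The zone below is constructed.
require 'resolv'
require 'securerandom'

# Resolver backed by the system DNS for real use; [] on NXDOMAIN.
SYSTEM_RESOLVER = lambda do |name|
  Resolv::DNS.new.getaddresses(name).map(&:to_s)
end

# Constructed zone for the offline demo. Anything under wild.example.test
# resolves, which is exactly the false-positive case a naive brute misses.
DEMO_ZONE = {
  'www.example.test'      => ['192.0.2.10'],
  'mail.example.test'     => ['192.0.2.20'],
  'dev.mail.example.test' => ['192.0.2.21'],
  'wild.example.test'     => ['192.0.2.30'],
}.freeze
DEMO_RESOLVER = lambda do |name|
  return DEMO_ZONE[name] if DEMO_ZONE.key?(name)
  name.end_with?('.wild.example.test') ? ['192.0.2.99'] : []
end

# Addresses a random label under +parent+ resolves to; non-empty means wildcard.
def wildcard_addrs(parent, resolver)
  resolver.call("#{SecureRandom.hex(8)}.#{parent}")
end

# Brute-force labels under +parent+, then recurse into each hit up to +depth+.
# A hit whose answer equals the wildcard answer is dropped as a false positive
# (a simple heuristic; round-robin wildcards need a looser comparison).
def brute(parent, words, resolver:, depth: 2)
  return {} if depth.zero?
  wild = wildcard_addrs(parent, resolver)
  found = {}
  words.each do |w|
    name = "#{w}.#{parent}"
    addrs = resolver.call(name)
    next if addrs.empty? || (!wild.empty? && addrs == wild)
    found[name] = addrs
    found.merge!(brute(name, words, resolver: resolver, depth: depth - 1))
  end
  found
end

if __FILE__ == $0
  words = %w[www mail dev wild ftp]
  brute('example.test', words, resolver: DEMO_RESOLVER).each do |name, addrs|
    puts "#{name} #{addrs.join(',')}"
  end
end
```

Against a real target, pass `resolver: SYSTEM_RESOLVER` and a wordlist; the wildcard probe costs one extra query per parent name and is what keeps a wildcard zone from turning the whole wordlist into hits.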