Skip to content

Instantly share code, notes, and snippets.

@isciurus
isciurus / keybase.md
Created January 22, 2019 23:21
keybase.md

Keybase proof

I hereby claim:

  • I am isciurus on github.
  • I am iscisc (https://keybase.io/iscisc) on keybase.
  • I have a public key ASCNaPKYR_fYHt1n4meJtbYKDSmh45T6vPMvW41rSHuyHwo

To claim this, I am signing this object:

@isciurus
isciurus / MainActivity.java
Last active May 12, 2024 23:45
PoC for Android GoogleAuthUtil.getToken() bug
package com.isciurus.oauth_poc;
import java.io.IOException;
import java.text.DateFormat;
import java.util.Date;
import com.google.android.gms.auth.GoogleAuthException;
import com.google.android.gms.auth.GoogleAuthUtil;
import com.google.android.gms.auth.UserRecoverableAuthException;
import android.accounts.AccountManager;
import android.app.Activity;
@isciurus
isciurus / gist:5437231
Last active May 12, 2024 23:53
GIF packer, used to embed the javascript payload inside the picture and to exploit the Facebook OAuth XSS. Crafted from what I had found across open-source encoders. More reading: http://isciurus.blogspot.ru/2013/04/a-story-of-9500-bug-in-facebook-oauth-20.html
<html lang="en">
<head>
<script>
function str2hex(str)
{
var out_str = " ";
for(var i = 0; i < str.length; i++)
{