Skip to content

Instantly share code, notes, and snippets.

View kingthorin's full-sized avatar
🎯
#OpenSource

Rick M kingthorin

🎯
#OpenSource
297 followers · 7 following
View GitHub Profile
@irsdl
irsdl / urlhostname_test.js
Created March 14, 2024 10:54
To evaluate how `URL(url).hostname` in JS handles discarded characters and character conversions in domain names.
// by @irsdl
// This script identifies anomalies in how JS parses the URL using `URL(url).hostname`:
// 1- Characters that are ignored when present in the domain name.
// 2- Characters that can replace ASCII characters in domain names and still be parsed correctly. In here we want letter S in `soroush.me`
// You can try running this script in your browser's dev console or at https://www.jdoodle.com/execute-nodejs-online/
// I am sure this must have been looked at before but I cannot find a reference
for (let i = 0; i <= 0xFFFF; i++) {
const unicodeChar = String.fromCharCode(i);
const urlString = `http://sorous${unicodeChar}h.me/blog/`;
@jupenur
jupenur / jqm-xss.md
Created May 4, 2019 13:44

Multiple vulnerabilities in jQuery Mobile

Summary

All current versions of jQuery Mobile (JQM) as of 2019-05-04 are vulnerable to DOM-based Cross-Site Scripting (XSS) via crafted URLs. In JQM versions up to and including 1.2.1, the only requirement is that the library is included in a web application. In versions > 1.2.1, the web application must also contain a server-side API that reflects back user input as part of an HTTP response of any type. Practically all non-trivial web applications contain at least one such API.

Additionally, all current versions of JQM contain a broken implementation of a URL parser, which can lead to security issues in affected applications.