Skip to content

Instantly share code, notes, and snippets.

Avatar

Krzysztof Kotowicz koto

424 followers · 7 following
View GitHub Profile
@koto
koto / rawhtml.js
Created June 29, 2021 21:21
View rawhtml.js
(() => {
if (!('rawHTML' in HTMLElement.prototype)) {
const rules = {
createHTML: (ignore, tpl) => {
if (!Array.isArray(tpl) || !Array.isArray(tpl.raw) || tpl.raw.length != 1 /* it's all spoofable, but whatever */) {
throw new TypeError("Use el.rawHTML`<html here with no interpolation>`");
}
return tpl.join("");
}
};
@koto
koto / ttandsanitizer.js
Created February 9, 2021 11:08
View ttandsanitizer.js
// Sanitizer can produce TrustedHTML as long as its configuration respects sinks guarded by TT.
// (HTML sinks are only guarded because they themselves could bypass restrictions of script.src etc.)
// With the current sanitizer API (no XSS is possible via config), and current TT API (only native XSS sinks are guarded),
// Sanitizer can always produce a TrustedHTML.
trustedHTML = (new Sanitizer()).sanitizeToTrustedHTML('<div><script>removeme</script>') // yay!
// If Web APIs add new native XSS sinks, they should be added simultaneously to TT and Sanitizer
// Speculatively, in the future, if TT could guard other custom sinks in the DOM:
@koto
koto / example.js
Last active January 11, 2020 08:22
Support for custom types in Trusted Type policies.
View example.js
// Custom types for https://github.com/WICG/trusted-types/
// Allow a given TT policy to create custom unspoofable TrustedFoo instances.
const installFoo = (policy, rule, policyFactory) => {
const creatorSymbol = Symbol();
const map = new WeakMap();
// Some more defensive coding tricks can be applied here
// See https://github.com/WICG/trusted-types/blob/master/src/trustedtypes.js for inspiration.
class TrustedFoo {
@koto
koto / gist:50550bf1ab02c0de59acff51f8066202
Last active September 23, 2018 21:22
ZFF export screening times from your watchlist
View gist:50550bf1ab02c0de59acff51f8066202
// go to https://zff.com/en/community/users/me/watch-list/
https://github.com/wanasit/chrono
(function(f){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=f()}else if(typeof define==="function"&&define.amd){define([],f)}else{var g;if(typeof window!=="undefined"){g=window}else if(typeof global!=="undefined"){g=global}else if(typeof self!=="undefined"){g=self}else{g=this}g.chrono = f()}})(function(){var define,module,exports;return (function e(t,n,r){function s(o,u){if(!n[o]){if(!t[o]){var a=typeof require=="function"&&require;if(!u&&a)return a(o,!0);if(i)return i(o,!0);var f=new Error("Cannot find module '"+o+"'");throw f.code="MODULE_NOT_FOUND",f}var l=n[o]={exports:{}};t[o][0].call(l.exports,function(e){var n=t[o][1][e];return s(n?n:e)},l,l.exports,e,t,n,r)}return n[o].exports}var i=typeof require=="function"&&require;for(var o=0;o<r.length;o++)s(r[o]);return s})({1:[function(require,module,exports){
!function(e,d){"object"==typeof exports&&"undefined"!=typeof module&&"function"==ty
@koto
koto / angular 1.6 xss, no quotes,
Created January 12, 2017 13:26
View angular 1.6 xss, no quotes,
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>JS Bin</title>
</head>
<body>
@koto
koto / gist:e52022050e2828ee40bb
Created July 17, 2015 11:01
spot the bug.
View gist:e52022050e2828ee40bb
/**
* Imports a public key to the key server.
* @param {!e2e.openpgp.block.TransferablePublicKey} key The ASCII
* armored or {e2e.openpgp.block.TransferablePublicKey} key to import.
* @return {!e2e.async.Result.<boolean>} True if importing key is succeeded.
*/
e2e.openpgp.KeyClient.prototype.importPublicKey = function(key) {
var uids = key.getUserIds();
if (uids.length != 1) {
@koto
koto / gist:8678570
Created January 28, 2014 23:08
View gist:8678570
http://w3c.github.io/webappsec/specs/subresourceintegrity/
issues:
"3.3.2 Is resource eligible for integrity validation
In order to mitigate an attackers ability to read data cross-origin by brute-forcing values via integrity checks, resources are only eligible for such checks if they are same-origin, publically cachable, or is the result of a granted the loading origin explicit access via CORS. [CORS] The following algorithm details these restrictions:"
publically cacheable != attacker could could read them anyway. For example - cross origin intranet resources. What if intranet resource is publicly cacheable? still allows for bruteforcing intranet resource body from internet (SOP bypass)
@koto
koto / credtest.php
Created October 15, 2013 20:52
View credtest.php
<html>
<a id=a href="http://<?php
$blacklist = ':@#"?`/\\';
for ($i = 33; $i < 255; $i++) {
if (strpos($blacklist, chr($i)) !== false) {
echo urlencode(chr($i));
} else
//echo urlencode(chr($i));
@koto
koto / xssdetect.js
Created December 1, 2012 22:05
reflected xss detection using xssauditor on phantomjs
View xssdetect.js
var page = require('webpage').create(),
system = require('system'),
address;
page.onInitialized = function () {
page.evaluate(function () {
// additional detection code here perhaps
// f.e. detecting STORED/DOM XSS
});
@koto
koto / crime.py
Created September 11, 2012 08:32
It's not a crime to build a CRIME
View crime.py
# This is supposedly what CRIME by Juliano Rizzo and Thai Duong will do
# Algorithm by Thomas Pornin, coding by xorninja, improved by @kkotowicz
# http://security.blogoverflow.com/2012/09/how-can-you-protect-yourself-from-crime-beasts-successor/
import string
import zlib
import sys
import random
charset = string.letters + string.digits + "%/+="