This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
(() => { | |
if (!('rawHTML' in HTMLElement.prototype)) { | |
const rules = { | |
createHTML: (ignore, tpl) => { | |
if (!Array.isArray(tpl) || !Array.isArray(tpl.raw) || tpl.raw.length != 1 /* it's all spoofable, but whatever */) { | |
throw new TypeError("Use el.rawHTML`<html here with no interpolation>`"); | |
} | |
return tpl.join(""); | |
} | |
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Sanitizer can produce TrustedHTML as long as its configuration respects sinks guarded by TT. | |
// (HTML sinks are only guarded because they themselves could bypass restrictions of script.src etc.) | |
// With the current sanitizer API (no XSS is possible via config), and current TT API (only native XSS sinks are guarded), | |
// Sanitizer can always produce a TrustedHTML. | |
trustedHTML = (new Sanitizer()).sanitizeToTrustedHTML('<div><script>removeme</script>') // yay! | |
// If Web APIs add new native XSS sinks, they should be added simultaneously to TT and Sanitizer | |
// Speculatively, in the future, if TT could guard other custom sinks in the DOM: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Custom types for https://github.com/WICG/trusted-types/ | |
// Allow a given TT policy to create custom unspoofable TrustedFoo instances. | |
const installFoo = (policy, rule, policyFactory) => { | |
const creatorSymbol = Symbol(); | |
const map = new WeakMap(); | |
// Some more defensive coding tricks can be applied here | |
// See https://github.com/WICG/trusted-types/blob/master/src/trustedtypes.js for inspiration. | |
class TrustedFoo { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// go to https://zff.com/en/community/users/me/watch-list/ | |
https://github.com/wanasit/chrono | |
(function(f){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=f()}else if(typeof define==="function"&&define.amd){define([],f)}else{var g;if(typeof window!=="undefined"){g=window}else if(typeof global!=="undefined"){g=global}else if(typeof self!=="undefined"){g=self}else{g=this}g.chrono = f()}})(function(){var define,module,exports;return (function e(t,n,r){function s(o,u){if(!n[o]){if(!t[o]){var a=typeof require=="function"&&require;if(!u&&a)return a(o,!0);if(i)return i(o,!0);var f=new Error("Cannot find module '"+o+"'");throw f.code="MODULE_NOT_FOUND",f}var l=n[o]={exports:{}};t[o][0].call(l.exports,function(e){var n=t[o][1][e];return s(n?n:e)},l,l.exports,e,t,n,r)}return n[o].exports}var i=typeof require=="function"&&require;for(var o=0;o<r.length;o++)s(r[o]);return s})({1:[function(require,module,exports){ | |
!function(e,d){"object"==typeof exports&&"undefined"!=typeof module&&"function"==ty |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!DOCTYPE html> | |
<html> | |
<head> | |
<meta charset="utf-8"> | |
<meta name="viewport" content="width=device-width"> | |
<title>JS Bin</title> | |
</head> | |
<body> | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/** | |
* Imports a public key to the key server. | |
* @param {!e2e.openpgp.block.TransferablePublicKey} key The ASCII | |
* armored or {e2e.openpgp.block.TransferablePublicKey} key to import. | |
* @return {!e2e.async.Result.<boolean>} True if importing key is succeeded. | |
*/ | |
e2e.openpgp.KeyClient.prototype.importPublicKey = function(key) { | |
var uids = key.getUserIds(); | |
if (uids.length != 1) { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
http://w3c.github.io/webappsec/specs/subresourceintegrity/ | |
issues: | |
"3.3.2 Is resource eligible for integrity validation | |
In order to mitigate an attackers ability to read data cross-origin by brute-forcing values via integrity checks, resources are only eligible for such checks if they are same-origin, publically cachable, or is the result of a granted the loading origin explicit access via CORS. [CORS] The following algorithm details these restrictions:" | |
publically cacheable != attacker could could read them anyway. For example - cross origin intranet resources. What if intranet resource is publicly cacheable? still allows for bruteforcing intranet resource body from internet (SOP bypass) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<html> | |
<a id=a href="http://<?php | |
$blacklist = ':@#"?`/\\'; | |
for ($i = 33; $i < 255; $i++) { | |
if (strpos($blacklist, chr($i)) !== false) { | |
echo urlencode(chr($i)); | |
} else | |
//echo urlencode(chr($i)); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
var page = require('webpage').create(), | |
system = require('system'), | |
address; | |
page.onInitialized = function () { | |
page.evaluate(function () { | |
// additional detection code here perhaps | |
// f.e. detecting STORED/DOM XSS | |
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is supposedly what CRIME by Juliano Rizzo and Thai Duong will do | |
# Algorithm by Thomas Pornin, coding by xorninja, improved by @kkotowicz | |
# http://security.blogoverflow.com/2012/09/how-can-you-protect-yourself-from-crime-beasts-successor/ | |
import string | |
import zlib | |
import sys | |
import random | |
charset = string.letters + string.digits + "%/+=" |
NewerOlder