Skip to content

Instantly share code, notes, and snippets.

koto /
Created September 11, 2012 08:32
It's not a crime to build a CRIME
# This is supposedly what CRIME by Juliano Rizzo and Thai Duong will do
# Algorithm by Thomas Pornin, coding by xorninja, improved by @kkotowicz
import string
import zlib
import sys
import random
charset = string.letters + string.digits + "%/+="
View rawhtml.js
(() => {
if (!('rawHTML' in HTMLElement.prototype)) {
const rules = {
createHTML: (ignore, tpl) => {
if (!Array.isArray(tpl) || !Array.isArray(tpl.raw) || tpl.raw.length != 1 /* it's all spoofable, but whatever */) {
throw new TypeError("Use el.rawHTML`<html here with no interpolation>`");
return tpl.join("");
View ttandsanitizer.js
// Sanitizer can produce TrustedHTML as long as its configuration respects sinks guarded by TT.
// (HTML sinks are only guarded because they themselves could bypass restrictions of script.src etc.)
// With the current sanitizer API (no XSS is possible via config), and current TT API (only native XSS sinks are guarded),
// Sanitizer can always produce a TrustedHTML.
trustedHTML = (new Sanitizer()).sanitizeToTrustedHTML('<div><script>removeme</script>') // yay!
// If Web APIs add new native XSS sinks, they should be added simultaneously to TT and Sanitizer
// Speculatively, in the future, if TT could guard other custom sinks in the DOM:
koto / example.js
Last active January 11, 2020 08:22
Support for custom types in Trusted Type policies.
View example.js
// Custom types for
// Allow a given TT policy to create custom unspoofable TrustedFoo instances.
const installFoo = (policy, rule, policyFactory) => {
const creatorSymbol = Symbol();
const map = new WeakMap();
// Some more defensive coding tricks can be applied here
// See for inspiration.
class TrustedFoo {
koto / gist:50550bf1ab02c0de59acff51f8066202
Last active September 23, 2018 21:22
ZFF export screening times from your watchlist
View gist:50550bf1ab02c0de59acff51f8066202
// go to
(function(f){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=f()}else if(typeof define==="function"&&define.amd){define([],f)}else{var g;if(typeof window!=="undefined"){g=window}else if(typeof global!=="undefined"){g=global}else if(typeof self!=="undefined"){g=self}else{g=this}g.chrono = f()}})(function(){var define,module,exports;return (function e(t,n,r){function s(o,u){if(!n[o]){if(!t[o]){var a=typeof require=="function"&&require;if(!u&&a)return a(o,!0);if(i)return i(o,!0);var f=new Error("Cannot find module '"+o+"'");throw f.code="MODULE_NOT_FOUND",f}var l=n[o]={exports:{}};t[o][0].call(l.exports,function(e){var n=t[o][1][e];return s(n?n:e)},l,l.exports,e,t,n,r)}return n[o].exports}var i=typeof require=="function"&&require;for(var o=0;o<r.length;o++)s(r[o]);return s})({1:[function(require,module,exports){
!function(e,d){"object"==typeof exports&&"undefined"!=typeof module&&"function"==ty
View gist:758462
koto / 1.php
Created September 19, 2011 22:34
Fighting inception obfuscation
View 1.php
// I got this file once
eval(gzinflate(str_rot13(base64_decode('HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=')))); ?>
View angular 1.6 xss, no quotes,
<!DOCTYPE html>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>JS Bin</title>
koto / xssdetect.js
Created December 1, 2012 22:05
reflected xss detection using xssauditor on phantomjs
View xssdetect.js
var page = require('webpage').create(),
system = require('system'),
page.onInitialized = function () {
page.evaluate(function () {
// additional detection code here perhaps
// f.e. detecting STORED/DOM XSS
View gist:8678570
"3.3.2 Is resource eligible for integrity validation
In order to mitigate an attackers ability to read data cross-origin by brute-forcing values via integrity checks, resources are only eligible for such checks if they are same-origin, publically cachable, or is the result of a granted the loading origin explicit access via CORS. [CORS] The following algorithm details these restrictions:"
publically cacheable != attacker could could read them anyway. For example - cross origin intranet resources. What if intranet resource is publicly cacheable? still allows for bruteforcing intranet resource body from internet (SOP bypass)