Lauritz lauritzh

lauritzh / oidc_discovery.php
Created September 4, 2022 10:57
Mocked OIDC Discovery Response
<?php
/*
* (c) Lauritz Holtmann, https://security.lauritz-holtmann.de
*
* Could be for instance launched as follows:
* $ php -S 127.0.0.1:1234
* $ ngrok http 1234
*
* Visit https://something.ngrok.io/oidc_discovery.php
*/
lauritzh / vue-csti.php
Created September 21, 2022 18:41
Vulnerable VueJS 3 Client-Side Template Injection example
<!--
//
// Vue 3 XSS example
// 1. Launch as follows:
// $ php -S 127.0.0.1:1234
// 2. Access at http://localhost:1234/vue-csti.php?name=you and try to pop an alert!
//
// (c) Lauritz Holtmann
//
-->
lauritzh / download_apks.sh
Created January 6, 2023 00:12
Ever wanted to obtain an APK from an Android device? You do not need to install any extra apps for this: ADB and the following minimal Bash script are sufficient. Pass the app's package name (e.g. com.example.app) as the first argument; the script pulls the base APK and any split APKs that `pm path` reports.
#!/bin/bash
# Usage: ./download_apks.sh com.example.app
# `pm path` prints one "package:/data/app/.../base.apk" line per APK (base APK plus any
# split APKs). Strip the prefix and the CR that adb shell output may carry, then pull each.
set -euo pipefail
[ $# -eq 1 ] || { echo "Usage: $0 <package.name>" >&2; exit 1; }
adb shell pm path "$1" | tr -d '\r' | sed 's/^package://' | while read -r apk; do
  [ -n "$apk" ] && adb pull "$apk" .
done
lauritzh / poc.js
Created May 9, 2023 08:22
OAuth 2.0 / OpenID Connect 1.0 SSO Login CSRF PoC. Authenticates a victim user into an attacker-controlled account at example.com. Requires the target to have implemented a Google SSO login with the Authorization Code grant type insecurely, i.e. without any CSRF protection (no `state` check, no PKCE).
//
// Headless SSO Login CSRF PoC
// (c) Lauritz Holtmann, 2023
//
const pt = require('puppeteer')
const express = require('express')
const app = express()
const port = 3000
<?php
// Launch: $ php -S 127.0.0.1:1234
// Access via http://localhost:1234/test.php?p=test
//
// header() must run before any output; an HTML comment emitted ahead of it would trigger
// "headers already sent" and the response would stay text/html instead of text/xml.
header('Content-Type: text/xml');
?>
aaa
bbb
<?= $_GET['p'] ?? '' ?>
ccc
ddd