Tim Perry pimterry
pimterry
/ Your XML Parser Will Destroy Everything You Have Ever Loved [transcript]
Created
February 17, 2013 13:30
Transcript of http://www.youtube.com/watch?v=RzjUw47ZIg0
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This talk is on XML attacks, which are very easy to become vulnerable to, because XML is insane, and | |
| extremely dangerous especially if you're running web services or similar. | |
| First up, Billion Laughs. Essentially you can do text substitutions in XML, because obviously it can | |
| rewrite itself as you parse it. And you do them like this. | |
| So, you define a whole load of rules, and then at the bottom &lol9 gets replaced by 10 &lol8s, which | |
| each then get replaced by 10 &lol9's [n.b. should be &lol7], and eventually gives you one billion lols. | |
| Byte for each character, 3 bytes for a lol, gives you 3GB of string. Parsing that will take a long | |
| time and will probably break things when you write it anywhere. |
pimterry
/ Example vulnerable PHP code
Created
April 13, 2014 13:55
Stop your web stack sabotaging your security - exploit snippets
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $loginOk = (crypt($passwordInput, $salt) == $previouslyCryptedPassword)); |
pimterry
/ Coveralls error.html
Created
July 21, 2014 09:00
Full error page from https://travis-ci.org/pimterry/frontkit/builds/30436469
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html lang="en"> | |
| <head> | |
| <meta http-equiv="refresh" content="0"> | |
| <meta http-equiv="set-cookie" content="cf_use_ob=443; expires=Mon, 21-Jul-14 08:14:52 GMT; path=/"> | |
| <meta http-equiv="set-cookie" content="cf_ob_info=504:14d5f112c31d087a:IAD; expires=Mon, 21-Jul-14 08:14:52 GMT; path=/"> | |
pimterry
/ selenium-webdriver-test.js
Last active
January 23, 2016 13:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| it("Can open main page", function () { | |
| return driver.get(extensionPage("main.html")).then(function () { | |
| return driver.wait(sw.until.elementLocated({ | |
| css: ".city > canvas" | |
| }), 1000); | |
| }).then(function (cityCanvas) { | |
| return sw.promise.delayed(200).then(function () { | |
| return cityCanvas; | |
| }); | |
| }).then(function (cityCanvas) { |
pimterry
/ webdriverio-test.js
Last active
January 23, 2016 14:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| it("Can open main page", () => { | |
| return client | |
| .url(extensionPage("main.html")) | |
| .pause(500) | |
| .hasDrawnPixels(".city > canvas").should.eventually.equal(true, | |
| "Canvas should have an image drawn on it"); | |
| }); |
pimterry
/ server-components-example.html
Last active
May 18, 2016 13:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <linkify-urls> | |
| Hi there! Welcome to mywebsite.com | |
| </linkify-urls> | |
| <google-analytics tracking-id="UA-770734658-1"></google-analytics> |
pimterry
/ example-google-maps-component.js
Created
May 18, 2016 13:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var components = require("server-components"); | |
| var GoogleMap = components.newElement(); | |
| // Note: ES6 without build steps. On the server-side, we pick the JS engine. | |
| GoogleMap.createdCallback = (document) => { | |
| this.innerHTML = ` | |
| <iframe src="https://www.google.com/maps/embed?pb=!1m14!1m12!1m3!1d11969.1769064053!2d2.15484835!3d41.411131299999994!2m3!1f0!2f0!3f0!3m2!1i1024!2i768!4f13.1!5e0!3m2!1sen!2ses!4v1463576398125" width="600" height="450" frameborder="0" style="border:0" allowfullscreen></iframe> | |
| ` | |
| }; |
pimterry
/ linkify-example-component.js
Last active
May 18, 2016 13:23
A linkifying example Server Component component.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var components = require("server-components"); | |
| // We have a DOM simulation: quite a few client-side JS libraries will Just Work | |
| var linkify = require("linkifyjs/element"); | |
| /** | |
| * A <linkify-urls> element, which finds plain text URLs within its content, | |
| * and automatically rerenders them wrapped in <a> tags. | |
| */ | |
| var LinkifyElement = components.newElement(); |
pimterry
/ google-analytics-example-component.js
Last active
May 18, 2016 13:17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var components = require("server-components"); | |
| var GoogleAnalytics = components.newElement(); | |
| /** | |
| * A <google-analytics tracking-id="UA-7123123-1"> element, which adds the | |
| * standard Google Analytics scripts to your page, for given the tracking id. | |
| */ | |
| GoogleAnalytics.createdCallback = function (document) { | |
| // Use the normal DOM API methods |
pimterry
/ server-components-resulting-example.html
Created
May 18, 2016 13:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <linkify-urls> | |
| Hi there! Welcome to | |
| <a href="http://mywebsite.com" class="autolinked">mywebsite.com</a> | |
| </linkify-urls> | |
| <google-analytics tracking-id="UA-770734658-1"> | |
| <script> | |
| (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ | |
| (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), | |
| m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) |
OlderNewer