Skip to content

Instantly share code, notes, and snippets.

🔒
https://localhost/?bbq="omg">'wtf'

Michal Špaček spaze

🔒
https://localhost/?bbq="omg">'wtf'
Block or report user

Report or block spaze

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
View haveibeencaffeinated.php
<?php
// https://en.wikipedia.org/wiki/Category:Coffee_brands
$covfefes = [
'alterracoffeeroasters',
'angiangcoffee',
'angelinus',
'autocrat',
'barcaffe',
'batdorfbronson',
'bewleys',
@spaze
spaze / pbkdf2-symfony-polyfill.php
Last active Oct 12, 2018
Symfony's PBKDF2 polyfill benchmark (TL;DR it's slow, DO NOT USE, use hash_pbkdf2 available in PHP 5.5+ if you must use PBKDF2 but just use password_hash) for the thread here https://twitter.com/spazef0rze/status/1050436425559302147
View pbkdf2-symfony-polyfill.php
<?php
function hashPbkdf2($algorithm, $password, $salt, $iterations, $length = 0)
{
// Number of blocks needed to create the derived key
$blocks = ceil($length / strlen(hash($algorithm, null, true)));
$digest = '';
for ($i = 1; $i <= $blocks; $i++) {
$ib = $block = hash_hmac($algorithm, $salt . pack('N', $i), $password, true);
// Iterations
for ($j = 1; $j < $iterations; $j++) {
@spaze
spaze / 307timing.txt
Created Mar 8, 2018
The 307 timing includes 200's content download
View 307timing.txt
662538: URL_REQUEST
http://www.michalspacek.cz/
Start Time: 2018-03-09 00:52:52.274
t=10702 [st= 0] +REQUEST_ALIVE [dt=76]
--> priority = "HIGHEST"
--> url = "http://www.michalspacek.cz/"
t=10702 [st= 0] URL_REQUEST_DELEGATE [dt=1]
t=10703 [st= 1] +URL_REQUEST_START_JOB [dt=0]
--> load_flags = 37122 (BYPASS_CACHE | MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE | VERIFY_EV_CERT)
View result.txt
id select_type table partitions type possible_keys key key_len ref rows filtered Extra
1 SIMPLE foo ref code code 34 const 1 100.00 Using index
id select_type table partitions type possible_keys key key_len ref rows filtered Extra
1 SIMPLE foo index code code 34 12 10.00 "Using where; Using index"
@spaze
spaze / ssls-letsencrypt.md
Last active Mar 15, 2018
Otevřená odpověd ssls.cz na e-mail s předmětem "Upozornění: Zabezpečení domény"
View ssls-letsencrypt.md

Provozovatelé ssls.cz poslali e-mail zákazníkům, kteří od nich dříve kupovali certifikáty, ale přešli na certifikáty od Let's Encrypt. Ukázku toho e-mailu najdete na https://twitter.com/parisek/status/802847950863011840, podobná srovnávací tabulka je i na https://www.ssls.cz/lets-encrypt.html. Napsal jsem ssls.cz otevřenou odpověď, kterou najdete v nezměněné podobě níže. (Opravil jsem jen překlepy a chybějící interpunkční znaménka, díky za jejich nahlášení.)

Dobrý den,

(tuto odpověď píšu jako otevřený dopis, publikoval jsem ji také na https://gist.github.com/spaze/e081b948b8cd7d06dddbe9e6fa65c5ac)

díky za e-mail, jsem Vaším bývalým zákazníkem a podobným textem, který obsahuje zavádějící i nepravdivé informace, si mě nezískáte zpět. Pro mě

View xzoneczanalysis.txt
Basic Results
Total entries = 26502
Total unique entries = 25475
Top 10 passwords
Tomáš = 11 (0.04%)
Destiny251984 = 9 (0.03%)
pchry = 8 (0.03%)
Janusek = 7 (0.03%)
@spaze
spaze / opera-vpn.md
Last active Aug 8, 2019
Opera VPN behind the curtains is just a proxy, here's how it works
View opera-vpn.md

When setting up (that's immediately when user enables it in settings) Opera VPN sends few API requests to https://api.surfeasy.com to obtain credentials and proxy IPs, see below, also see The Oprah Proxy.

The browser then talks to a proxy de0.opera-proxy.net (when VPN location is set to Germany), it's IP address can only be resolved from within Opera when VPN is on, it's 185.108.219.42 (or similar, see below). It's an HTTP/S proxy which requires auth.

When loading a page with Opera VPN enabled, the browser sends a lot of requests to de0.opera-proxy.net with Proxy-Authorization request header.

The Proxy-Authorization header decoded: CC68FE24C34B5B2414FB1DC116342EADA7D5C46B:9B9BE3FAE674A33D1820315F4CC94372926C8210B6AEC0B662EC7CAD611D86A3 (that's sha1(device_id):device_password, where device_id and device_password come from the POST /v2/register_device API call, please note that this decoded header is from another Opera installation and thus contains

@spaze
spaze / sktorrentanalysis.txt
Created Feb 23, 2016
Password analysis of SkTorrent.eu dump
View sktorrentanalysis.txt
Basic Results
Total entries = 118566
Total unique entries = 98397
Top 10 passwords
FuckYou = 864 (0.73%)
123456 = 739 (0.62%)
123456789 = 677 (0.57%)
NULL = 175 (0.15%)
View cetelem.json
{"host":"https://www.cetelem.cz/","port":443,"protocol":"HTTP","isPublic":
false,"status":"READY","startTime":1434634996112,"testTime":
1434635164451,"engineVersion":"1.18.1","criteriaVersion":"2009j",
"endpoints":[{"ipAddress":"193.86.17.252","serverName":"www.cetelem.cz",
"statusMessage":"Ready","grade":"F","gradeTrustIgnored":"F",
"hasWarnings":false,"isExceptional":false,"progress":100,"duration":
150647,"eta":2,"delegation":2,"details":{"hostStartTime":
1434634996112,"key":{"size":2048,"alg":"RSA","debianFlaw":false,
"strength":2048},"cert":{"subject":
"CN\u003dwww.cetelem.cz,OU\u003dMember, VeriSign Trust Network,OU\u003dAuthenticated by VeriSign,OU\u003dTerms of use at www.verisign.ch/rpa (c)05,OU\u003dCetelem,O\u003dCETELEM CR, a.s.,L\u003dPraha 5,ST\u003dPraha 5,C\u003dCZ,2.5.4.5\u003d#13083235303835363839,2.5.4.15\u003d#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3\u003d#1302435a",
@spaze
spaze / get.txt
Last active Feb 1, 2019
X-XSS-Protection sample report POST request
View get.txt
POST http://test.local/foo HTTP/1.1
Host: test.local
Connection: keep-alive
Content-Length: 116
Pragma: no-cache
Cache-Control: no-cache
Origin: http://test.local
X-FirePHP-Version: 0.0.6
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Content-Type: application/json
You can’t perform that action at this time.