Skip to content

Instantly share code, notes, and snippets.

Multiple vulnerabilities in jQuery Mobile

Summary

All current versions of jQuery Mobile (JQM) as of 2019-05-04 are vulnerable to DOM-based Cross-Site Scripting (XSS) via crafted URLs. In JQM versions up to and including 1.2.1, the only requirement is that the library is included in a web application. In versions > 1.2.1, the web application must also contain a server-side API that reflects back user input as part of an HTTP response of any type. Practically all non-trivial web applications contain at least one such API.

Additionally, all current versions of JQM contain a broken implementation of a URL parser, which can lead to security issues in affected applications.

@mgeeky
mgeeky / pickle-payload.py
Last active July 9, 2024 07:55
Python's Pickle Remote Code Execution payload template.
#!/usr/bin/python
#
# Pickle deserialization RCE payload.
# To be invoked with command to execute at it's first parameter.
# Otherwise, the default one will be used.
#
import cPickle
import sys
import base64
static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
uint8_t *signature, UInt16 signatureLen)
{
OSStatus err;
SSLBuffer hashOut, hashCtx, clientRandom, serverRandom;
uint8_t hashes[SSL_SHA1_DIGEST_LEN + SSL_MD5_DIGEST_LEN];
SSLBuffer signedHashes;
uint8_t *dataToSign;
size_t dataToSignLen;
@joernchen
joernchen / bounty.txt
Created February 22, 2014 16:17
Bounty writeup
GitHub RCE by Environment variable injection Bug Bounty writeup
Disclaimer: I'll keep this really short but I hope you'll get the key points.
GitHub blogged a while ago about some internal tool called gerve:
https://github.com/blog/530-how-we-made-github-fast
Upon git+sshing to github.com gerve basically looks up your permission
on the repo you want to interact with. Then it bounces you further in
another forced SSH session to the back end where the repo actually is.
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python simple-https-server.py
# then in your browser, visit:
# https://localhost:4443
import BaseHTTPServer, SimpleHTTPServer
import ssl
@isciurus
isciurus / gist:5437231
Last active May 12, 2024 23:53
GIF packer, used to embed the javascript payload inside the picture and to exploit the Facebook OAuth XSS. Crafted from what I had found across open-source encoders. More reading: http://isciurus.blogspot.ru/2013/04/a-story-of-9500-bug-in-facebook-oauth-20.html
<html lang="en">
<head>
<script>
function str2hex(str)
{
var out_str = " ";
for(var i = 0; i < str.length; i++)
{
@postmodern
postmodern / rails_rce.rb
Last active October 18, 2024 00:07
Proof-of-Concept exploit for Rails Remote Code Execution (CVE-2013-0156)
#!/usr/bin/env ruby
#
# Proof-of-Concept exploit for Rails Remote Code Execution (CVE-2013-0156)
#
# ## Advisory
#
# https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
#
# ## Caveats
#
@ljos
ljos / frontmost_window.py
Last active October 24, 2024 08:21
Find the frontmost/active window in OS X
# Copyright @ Bjarte Johansen 2012
# License: http://ljos.mit-license.org/
from AppKit import NSApplication, NSApp, NSWorkspace
from Foundation import NSObject, NSLog
from PyObjCTools import AppHelper
from Quartz import kCGWindowListOptionOnScreenOnly, kCGNullWindowID, CGWindowListCopyWindowInfo
class AppDelegate(NSObject):
def applicationDidFinishLaunching_(self, notification):