Skip to content

Instantly share code, notes, and snippets.

View graste's full-sized avatar

Steffen Gransow graste

117 followers · 637 following
View GitHub Profile
@graste
graste / lack_escape_content-disposition_filename.md
Created September 15, 2023 21:27 — forked from motoyasu-saburi/lack_escape_content-disposition_filename.md
Land Mine named "Content-Disposition > filename"

TL;DR

  • I found 1 browser, 1 language, and 15 vulnerabilities in { Web Framework, HTTP Client library, Email library / Web Service, etc }
  • All the vulnerabilities I found were found from a single perspective (I investigated maybe 50-80 products).
  • The RFC description of the problem (rather confusingly) describes the requirements for this problem, while the WHATWG > HTML Spec is well documented.
  • The problem is clearly targeted at the Content-Disposition fields filename and filename*.
  • This problem affects HTTP Request/Response/Email in different ways.
    • HTTP Request : request tampering (especially with file contents, tainting of other fields, etc.)
    • HTTP Response : Reflect File Download vulnerability
  • Email : Attachment tampering (e.g., extension and filename tampering and potential file content tampering)
@graste
graste / gsap-eases.css
Last active August 25, 2023 19:12 — forked from jh3y/gsap-eases.css
GreenSock eases with CSS linear()
:root {
--linear-in: linear(0, 1);
--linear-out: linear(0, 1);
--linear-in-out: linear(0, 1);
--power0-in: linear(0, 1);
--power0-out: linear(0, 1);
--power0-in-out: linear(0, 1);
--quad-in: linear( 0, 0.0039, 0.0156, 0.0352, 0.0625, 0.0977, 0.1407, 0.1914, 0.2499, 0.3164, 0.3906 62.5%, 0.5625, 0.7656, 1 );
--quad-out: linear( 0, 0.2342, 0.4374, 0.6093 37.49%, 0.6835, 0.7499, 0.8086, 0.8593, 0.9023, 0.9375, 0.9648, 0.9844, 0.9961, 1 );
--quad-in-out: linear( 0, 0.0027, 0.0106 7.29%, 0.0425, 0.0957, 0.1701 29.16%, 0.2477, 0.3401 41.23%, 0.5982 55.18%, 0.7044 61.56%, 0.7987, 0.875 75%, 0.9297, 0.9687, 0.9922, 1 );
@graste
graste / what-forces-layout.md
Created March 10, 2023 15:59 — forked from paulirish/what-forces-layout.md
What forces layout/reflow. The comprehensive list.

What forces layout / reflow

All of the below properties or methods, when requested/called in JavaScript, will trigger the browser to synchronously calculate the style and layout*. This is also called reflow or layout thrashing, and is common performance bottleneck.

Generally, all APIs that synchronously provide layout metrics will trigger forced reflow / layout. Read on for additional cases and details.

Element APIs

Getting box metrics
  • elem.offsetLeft, elem.offsetTop, elem.offsetWidth, elem.offsetHeight, elem.offsetParent
@graste
graste / ulid_converter.sql
Created January 4, 2023 19:12 — forked from kenji4569/ulid_converter.sql
ULID (26 characters in Crockford's base32) conversion for MySQL function
# Define ULID_DECODE and ULID_ENCODE which convert a ulid string to a binary and vice versa.
delimiter //
DROP FUNCTION IF EXISTS ULID_DECODE//
CREATE FUNCTION ULID_DECODE (s CHAR(26)) RETURNS BINARY(16) DETERMINISTIC
BEGIN
DECLARE s_base32 CHAR(26);
SET s_base32 = REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(UPPER(s), 'J', 'I'), 'K', 'J'), 'M', 'K'), 'N', 'L'), 'P', 'M'), 'Q', 'N'), 'R', 'O'), 'S', 'P'), 'T', 'Q'), 'V', 'R'), 'W', 'S'), 'X', 'T'), 'Y', 'U'), 'Z', 'V');
RETURN UNHEX(CONCAT(LPAD(CONV(SUBSTRING(s_base32, 1, 2), 32, 16), 2, '0'), LPAD(CONV(SUBSTRING(s_base32, 3, 12), 32, 16), 15, '0'), LPAD(CONV(SUBSTRING(s_base32, 15, 12), 32, 16), 15, '0')));
END//
@graste
graste / RequestValidatorListener.php
Created December 25, 2022 20:05 — forked from ismail1432/RequestValidatorListener.php
<?php
namespace App\EventListener;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Validator\Validator\ValidatorInterface;
use Symfony\Component\Validator\Constraints;
@graste
graste / reconnecting_pdo.php
Created December 1, 2022 13:24 — forked from extraordinaire/reconnecting_pdo.php
Reconnectable PDO
<?php
class ReconnectingPDO
{
protected $dsn, $username, $password, $pdo, $driver_options;
public function __construct($dsn, $username = "", $password = "", $driver_options = array())
{
$this->dsn = $dsn;
$this->username = $username;
$this->password = $password;
@graste
graste / geojson.md
Created November 12, 2022 20:31 
{
  "type": "FeatureCollection",
  "features": [
    {
      "type": "Feature",
      "properties": {},
      "geometry": {
        "coordinates": [
 [
@graste
graste / ignore-php-req.md
Last active November 7, 2022 14:48
composer --ignore-platform-req=php+
@graste
graste / writeup.md
Created November 4, 2022 16:44 — forked from loknop/writeup.md
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

@graste
graste / backup-starred.sh
Created June 25, 2022 20:45
Backup all starred repositories from github
# from https://www.commandlinefu.com/commands/view/26576/backup-all-starred-repositories-from-github
GITUSER=$(whoami); curl "https://api.github.com/users/${GITUSER}/starred?per_page=1000" | grep -o 'git@[^"]*' | xargs -L1 git clone