Skip to content

Instantly share code, notes, and snippets.

View jupenur's full-sized avatar
👨‍💻
Hacking

Juho Forsén jupenur

👨‍💻
Hacking
32 followers · 0 following
View GitHub Profile
@jupenur
jupenur / jqm-xss.md
Created May 4, 2019 13:44

Multiple vulnerabilities in jQuery Mobile

Summary

All current versions of jQuery Mobile (JQM) as of 2019-05-04 are vulnerable to DOM-based Cross-Site Scripting (XSS) via crafted URLs. In JQM versions up to and including 1.2.1, the only requirement is that the library is included in a web application. In versions > 1.2.1, the web application must also contain a server-side API that reflects back user input as part of an HTTP response of any type. Practically all non-trivial web applications contain at least one such API.

Additionally, all current versions of JQM contain a broken implementation of a URL parser, which can lead to security issues in affected applications.

@jupenur
jupenur / node-dev-exec.js
Created February 22, 2019 18:26
#!/usr/bin/env node
/**
* Execute shell commands remotely in Node.js apps via the DevTools protocol
*
* Setup:
* npm install chrome-remote-interface
* chmod +x node-dev-exec.js
*
* Usage:
@jupenur
jupenur / gist:9a83183a7951d7ceceb950bd672dcbdc
Created May 24, 2016 07:56
### Keybase proof
I hereby claim:
* I am jupenur on github.
* I am jupenur (https://keybase.io/jupenur) on keybase.
* I have a public key whose fingerprint is 6F27 B9E0 77C8 90B9 3BE4 FCDB FDC4 4178 1A3F 30EA
To claim this, I am signing this object: