Start the app:
docker compose up -d
Get the JWT:
// by @irsdl
// This script identifies anomalies in how JS parses the URL using `URL(url).hostname`:
// 1- Characters that are ignored when present in the domain name.
// 2- Characters that can replace ASCII characters in domain names and still be parsed correctly. In here we want letter S in `soroush.me`
// You can try running this script in your browser's dev console or at https://www.jdoodle.com/execute-nodejs-online/
// I am sure this must have been looked at before but I cannot find a reference
for (let i = 0; i <= 0xFFFF; i++) {
  const unicodeChar = String.fromCharCode(i);
  const urlString = `http://sorous${unicodeChar}h.me/blog/`;
  // The source is cut off here; the rest of the loop is an assumed completion covering case 1 only.
  try {
    if (new URL(urlString).hostname === 'soroush.me') {
      console.log(`Ignored: U+${i.toString(16).padStart(4, '0')}`);
    }
  } catch (e) {
    // The parser rejected the URL; skip this character.
  }
}
All current versions of jQuery Mobile (JQM) as of 2019-05-04 are vulnerable to DOM-based Cross-Site Scripting (XSS) via crafted URLs. In JQM versions up to and including 1.2.1, the only requirement is that the library is included in a web application. In versions > 1.2.1, the web application must also contain a server-side API that reflects back user input as part of an HTTP response of any type. Practically all non-trivial web applications contain at least one such API.
Additionally, all current versions of JQM contain a broken implementation of a URL parser, which can lead to security issues in affected applications.