Skip to content

Instantly share code, notes, and snippets.

View ttttmr's full-sized avatar

tmr ttttmr

279 followers · 428 following
View GitHub Profile
@maple3142
maple3142 / CVE-2025-55182.http
Last active December 9, 2025 00:19
CVE-2025-55182 React Server Components RCE POC
POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 459
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"
@antenore
antenore / codex-deepseek-setup.md
Last active November 27, 2025 10:41
Configure OpenAI Codex CLI to use DeepSeek models

Configure OpenAI Codex CLI for DeepSeek

Two files needed to make DeepSeek work properly with Codex CLI:

1. ~/.codex/config.toml

model = "deepseek-reasoner"
model_provider = "deepseek-reasoner"
approval_policy = "on-failure"
@paj28
paj28 / index.md
Last active November 18, 2025 02:49

Unicode XSS via Combining Characters

Most application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.

Recap of Unicode XSS

Lab: https://4t64ubva.xssy.uk/

A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping:

@leesh3288
leesh3288 / vm2_3.9.19_sandbox_escape_2.md
Last active November 15, 2024 03:49
Sandbox Escape in vm2@3.9.19 via custom inspect function

Sandbox Escape in vm2@3.9.19 via custom inspect function

Summary

In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.

Proof of Concept

@leesh3288
leesh3288 / vm2_3.9.19_sandbox_escape_1.md
Last active September 22, 2025 09:35
Sandbox Escape in vm2@3.9.19 via `Promise[@@species]`

Sandbox Escape in vm2@3.9.19 via Promise[@@species]

Summary

In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed with @@species accessor property allowing attackers to escape the sandbox and run arbitrary code.

Proof of Concept

@irazasyed
irazasyed / outbound-email-with-cloudflare.md
Last active November 19, 2025 18:28
Using Gmail SMTP with Cloudflare Email Routing: A Step-by-Step Guide

Using Gmail SMTP with Cloudflare Email Routing: Step-by-Step Guide

Learn how to send emails through Gmail SMTP with Cloudflare Email Routing in this comprehensive guide.

Step 1: Enable 2-Factor Authentication

To proceed with this method, ensure that you have enabled two-factor authentication for your Google account. If you haven't done so already, you can follow the link to set it up → Enable 2FA in your Google account.

Step 2: Create an App Password for Mail

@leesh3288
leesh3288 / vm2_3.9.16_sandbox_escape.md
Last active March 18, 2025 19:33
Sandbox Escape in vm2@3.9.16

Sandbox Escape in vm2@3.9.16

Summary

There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.

Proof of Concept

@loknop
loknop / writeup.md
Last active November 13, 2025 20:37
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

@0xabad1dea
0xabad1dea / copilot-risk-assessment.md
Last active June 26, 2025 22:23
Risk Assessment of GitHub Copilot

Risk Assessment of GitHub Copilot

0xabad1dea, July 2021

this is a rough draft and may be updated with more examples

GitHub was kind enough to grant me swift access to the Copilot test phase despite me @'ing them several hundred times about ICE. I would like to examine it not in terms of productivity, but security. How risky is it to allow an AI to write some or all of your code?

Ultimately, a human being must take responsibility for every line of code that is committed. AI should not be used for "responsibility washing." However, Copilot is a tool, and workers need their tools to be reliable. A carpenter doesn't have to

@2019ncovmemory
2019ncovmemory / capture_articles.py
Created February 5, 2020 18:25
Create screenshots of articles; work for WeChat articles with lazy loading.
'''
Usage: python archive_articles.py test.csv
Input: test.csv
name url
1 url1
2 url2
.....
output:
1.png
2.png