💭
Note to myself tidy up your github

Alper Kaya alperkaya0


Unicode XSS via Combining Characters

Most application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.

Recap of Unicode XSS

Lab: https://4t64ubva.xssy.uk/

A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping:

@smarek
smarek / README.md
Last active December 23, 2024 21:55
Inflate gzdeflate contents / decode eIDAS SAMLRequest param

Run like

> decode_saml_request.sh sample_data
@jakekarnes42
jakekarnes42 / host_getter.svg
Created August 13, 2019 23:44
An SVG "image" that uses an XXE attack to embed the hostname file of whichever system processes it into the image itself
@sacarino
sacarino / BsonToGuid.cs
Created June 28, 2017 14:04
C# - Generate a GUID from an ObjectID
using System;
using System.Linq;
using MongoDB.Bson;
namespace Extensions
{
internal static class BsonToGuid
{
internal static Guid AsGuid(this BsonObjectId oid)
{
@HarmJ0y
HarmJ0y / PowerView-3.0-tricks.ps1
Last active March 19, 2026 10:12
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@dantheman213
dantheman213 / install-deepin-arch-manjaro-readme.md
Last active April 18, 2025 22:14
Install Deepin Desktop Environment from a minimum Arch or Manjaro Install Operating System

Install Deepin Desktop Environment In Arch or Manjaro

I recommend doing this as a net/minimum install with Manjaro (no desktop manager attached with the install).

Update sources & packages

pacman -Syu
reboot -h now
#!/usr/bin/sudo ruby
#
# revealer.rb -- Deobfuscate GHE .rb files.
#
# This is simple:
# Every obfuscated file in the GHE VM contains the following code:
#
# > require "ruby_concealer.so"
# > __ruby_concealer__ "..."
@barce
barce / instagram_su_list.txt
Last active February 15, 2024 22:07
Instagram's Suggested User List
# additions on 10/31/2013:
fazadhili
andrethunder
bmangin
polkaros
itirkkonen
robiatfahlevie
esen_tan
nqou
nathparis