Tweets
.. And here it comes the second and more interesting #XSS solution part: http://www.pwntester.com/blog/2014/01/08/escape-dot-alf-dot-nu-xss-challenges-write-ups-part-2/ … -
@DonHaron yeah, that'll take a while, p(512) http://en.wikipedia.org/wiki/Partition_(number_theory) … is rather large. I may do a worker thread for v2 -
@minneyar with a finite test set nothing is impossible, but the implied 'match any palindrome' task requires pcre exts that aren't in ecma -
@kkotowicz *Safari* should know better? This is the browser that used to allow null bytes in host names http://steike.com/hostnames/1/ -
If anyone is interested in trying the RegexGolf from today's xkcd, I threw this together. http://regex.alf.nu/?set=91b0f210657841dbbe10bf7e9cdfc3e7c89b0c18 … Have fun and mind your case
@homakov does /triple?to=%0a<img%20src=....> and leak by referrer count? -
'Escape' level 6 came with an apology for being too contrived, but AngularJS just proved me wrong: https://code.google.com/p/mustache-security/wiki/AngularJS#mXSS_via_HTML_Import … HT @0x6D6172696F -
@mortenlines Meh, it didn't work anyway; Twitter has a different URL regex for DMs and public tweets. Maybe just as well. -
@warpling Good idea! I've done that + dimmed the non-matches some more. Better? -
@matt_martini ECMA (http://www.ecma-international.org/ecma-262/5.1/#sec-15.10 …) style. You get (?=), (?!), (?:) but not much else -
@Ghandourian don't worry, the generalization of #13 is impossible, so do it any way you like :) -
@EnderWigginz @0x6D6172696F Oh noes—on actual vacation (defined as "no ssh keys") and I left my test thing on. Sorry, 17 is not a level yet. -
@jakubvrana as soon as I find something a little less contrived for the callback -
@jessepollak Crap, looks like one of them is not patched yet. You'll have to trust me for now :/ -
@jakubvrana hint for 13? The 'youWon' var was never declared, and HTML's backwards compatibility cruft shows up even when you least want it -
@jessepollak Stop! Normalizing event.origin using createElement('a').href makes it spoofable. Check for the exact value(s) you expect. -
@jakubvrana thanks, fixed (then again, maybe they should both say text ... xssy code tends to do that) -
Turns out verifying http://escape.alf.nu entries is an excellent stress test for JSON encoders. Filing bugs. Also, level 14.
@0x6D6172696F @kkotowicz I'm thinking separate 'portable' and 'wild' rankings. Right now I've only set up one browser, so they're the same…