Article 18
OK, sorry, I guess everyone's tired of the thing, but: IT HAD TO LEARN TO SPELL. Something like 'morph' enters the model as a single token, so in order to be able to do things like case folding or extract...
Article 17
I wanted to call "__html" something more specific, like "THIS_IS_AN_XSS_HOLE" or "DO_NOT_USE_OR_YOU_WILL_BE_FIRED.", but I was concerned about how my boss would handle seeing the inevitable blog post...
Article 16
INTERCAL
There's hardware support for the INTERCAL squiggle operator '~' now. Not sure how I feel about this.
HT https://mastodon.gamedev.place/@rygorous/109531679136944313
Article 15
Stupid trick: If you have a vanity domain, you can do
$ mkdir .well-known
$ curl 'https://mastodon.instance/.well-known/webfinger?resource=acct:handle@mastodon.instance' > .well-known/webfinger
...
Article 14
OK, that was odd. We're travelling for the holiday, so I figured I'd get ssh running on port 443 in case I ended up behind a dumb middlebox. (HTTPS is client-first and SSH is either-first, so they can...
Article 13
Oh crap. 2017 me added shell-over-DNS in case of emergency and forgot about it and it's been running ever since. I hope I'm not a bank.
Article 12
Heh, Facebook popped up this "memory" today. So a decade ago there was a bunch of postMessage handling code with a regex like /^(m|www).facebook…/, so I grabbed a domain that matched. I picked 'n' for...
Article 10
"I wish people would stop inventing subtly incompatible backslash encodings" *monkey paw curls*
Article 9
`open("../../etc/passwd\x00.jpg")`, a survey:
* Python: invalid argument
* Java: invalid argument
* Go: invalid argument
* C#: file does not exist
* OCaml: file does not exist
* PHP: truncate (-2010), file...
Article 8
Read this paper, spoiler below. https://mastodon.social/@regehr/110691525016744705
Setup: after code instrumentation, the runtime is dominated by doing an assert(*p != POISON) for every memory access....
Article 7
Added a level to alert(1). Can you XSS sha256()? https://alf.nu/alert1?world=alert&level=c8%2B6Ll210PAk19m-alert-rZSmZ0rhzyllcaH4rqO2
Article 6
I was going to post these eventually, but sort of forgot. Now that the Unity browser plugin is long dead (along with browser plugins in general), here are some "interesting implementation choices".
Article 5
To be able to install new versions without prompting for administrator access, the binaries were world-writable.
Article 4
They had an API to call JavaScript, ExternalInterface.call("function", "argument"); It was implemented as eval(`${function} ("${quote(argument)}")`). The quote function escaped " as \", but left \ as...
Article 3
They copied the 'crossdomain.xml' system from Flash, but forgot about redirects. If you put an 'allow all' crossdomain.xml file on the same server as the game, and a redirect to mail.gmail.com, your...
Article 2
You could also just ask for " httрs://mail.google.com/" (note the leading space). This was considered a 'relative url' and always allowed. (ignore the p, that is to make mastodon stop trying to prettify...
Article 1
The best part came a year later, after the patches were finally out to fix (some of) the issues. Here's a snippet from the header of a game file. Can you guess what went wrong?
Article 0
This is odd. So, wai-app-static (the rough Haskell equivalent of `python -mhttp.server`) had this old-fashioned bug where you can override the mime-type via string-terminator...