Profile
Egor Homakov
Lives in vagabund
527 followers | 5,374,989 views

Stream

Egor Homakov

New blog
New posts will be published on http://sakurity.com/blog and less likely here. I will probably translate some good old ones from Egor-English to English. Thanks everyone for reading this!

Egor Homakov

Blatant CSRF in Doorkeeper, most popular OAuth2 gem
I read a post about CSRF on DigitalOcean on Habrahabr (it's in Russian O_o) by Sergey Belove. My first reaction was, obviously, HOW COME? DigitalOcean is not kind of a Rails app that would have lame "skip_before_action :verify_authenticity_token". Then I l...
 
The No CAPTCHA problem
When I read about No CAPTCHA for the first time I was really excited. Did we finally find a better solution? Hashcash? Or what? Finally it's available and the blog post disappointed me a bit. Here's WordPress registration page successfully using No CAPTCHA....

Egor Homakov

Bypassing ClearClick and X-Frame-Options:Visible
I bet you know what Clickjacking (CJ) is. Old problem everybody's tired of hearing of. There are three types of web pages. Don't need to be shown in iframes but have no X-Frame-Options. Basically 99% or more of pages, CJ only exists due to poor design of w...

Egor Homakov

commented on a video on YouTube.
Bullshit. People who cannot make money are stupid and think life should be simple. Live a simple life, live in cages, I don't care. The rest of us were born to make progress and to work hard. To change the world. You're just a lazy peasant who learned how to build houses.
18 comments
Well, replying to a guy who talks about the Somalia war or something like that. I can definitely say that if people are satisfied with what they have, there will be no war in the world. But those people are hungry for money or resources. That's why they keep fighting. I think you guys don't understand this TED talk. What he talked about is a part of sufficiency economy theory.

Egor Homakov

Covert Redirect FAQ
Hey, so called covert redirect was all over the news today. I know a thing or two about OAuth security, and here is a short FAQ. How does it work? First of all it is mostly a Facebook Connect bug, other providers are not vulnerable (author claims they are?), b...

Egor Homakov

Bitstamp problem and Warm wallets.
We are publishing an audit of Peatio exchanger soon and I've got quite a few thoughts on how to make exchangers' wallets more secure. Five. Million. Dollars. In a hot wallet. Ok, I believe it's not everything they had. It's a small part of their assets. But...

Egor Homakov

New Paypal gateway UI is a disaster
Hey. I decided to get a paid plan on Github and Paypal looked like a good payment option to me. Click on big blue Paypal button here. This looks and feels really good. Lightweight elements, updated color scheme and new logo. Except one thing - how do I k...

Egor Homakov

Hacking file uploaders with race condition
10 months ago I wrote about a simple but powerful bug in Paperclip <=3.5.3. Thoughtbot mentioned this problem on their blog in quite a misleading way - "a slight problem". Considering it as an XSS only - yes, a slight problem. But as I said before we can ...

Egor Homakov

Timing attack, 6.66% faster
Personally I'm not a big fan of timing attacks as I believe they are impractical for web apps (while perfectly useful in other fields). To make them useful you need to reduce latency and put your script just in front of the victim's server, send zillions of...


Egor Homakov

commented on a video on YouTube.
This was SOOO boring. I live in Bangkok and this video is both clueless and useless.
Manuel Hurtado: that's what happens when +VICE News is your "news" source
People
In his circles: 2 people
Have him in circles: 527 people
Work
Occupation: Consultant
Skills: security, ruby, js
Basic Information
Gender: Male
Birthday: April 28, 1993
Story
Tagline: Security consultant
Places
Currently: vagabund
Egor Homakov's +1's are the things they like, agree with, or want to recommend.
Cookie Bomb or let's break the Internet.
homakov.blogspot.com

TL;DR I can craft a page "polluting" CDNs, blogging platforms and other major networks with my cookies. Your browser will keep sending those

Home — Google Cloud Platform
cloud.google.com

Tools for modern applications. Google Cloud Platform enables developers to build, test and deploy applications on Google's highly-scalable a

Imperva Inc
www.google.com

Get detailed financial information on Imperva Inc (NYSE:IMPV) including real-time stock quotes, historical charts & financial news, all for

Trip Planner | Tripomatic
www.tripomatic.com

Plan your trip with the Tripomatic trip planner. Find out what to see and what to do in your destination. Get your personalized travel guide

How frames can mess with parent's namespace
homakov.blogspot.com

This post describes pitfalls of cross-frame navigation. It started to "feel wrong" from the very beginning, and yesterday I noticed another

Achilles Heel of OAuth or Why Facebook Adds #_=_
homakov.blogspot.com

This is a short addition to previous rants on OAuth problems. We got Nir Goldshlager working on our side (he simply loves bounties and faceb

this place doesn't exist!
Public - reviewed 7 months ago