Profile

Egor Homakov
Lives in vagabund
347 followers|3,796,679 views

Stream

Egor Homakov

commented on a video on YouTube.
Shared publicly  - 
 
This was SOOO boring. I live in Bangkok and this video is both clueless and useless

Egor Homakov

Shared publicly  - 
 
How I hacked Github again.
This is a story about 5 Low-Severity bugs I pulled together to create a simple but effective exploit, gaining access to private repositories on Github. These vulnerabilities were reported privately and fixed in timely fashion. Here is "timeline" of my email...

Egor Homakov

commented on a video on YouTube.
Shared publicly  - 
 
weird boner

Egor Homakov

Shared publicly  - 
 
Header injection in Sinatra
Try to run this simple app:

    require 'sinatra'
    get '/' do
      redirect params[:to] if params[:to].start_with? 'http://host.com/'
    end

Let's load /?to=http://host.com/?%0dX-Header:1 and see a new "injected" X-Header in Chrome (not in FF) because %0d aka \r is co...

Egor Homakov

Shared publicly  - 
 
Sakurity is hiring
Hello everyone. Our consulting website is going to get new shiny design soon, along with a new technical blog (this one is gonna shut down), meanwhile: We're looking for web hackers! Info required:  What are you good at? e.g. python or scala, which framewor...
Nahil Marhas: I can help you with php, if u like

Egor Homakov

Shared publicly  - 
 
Paperclip vulnerability leading to XSS or RCE.
TL;DR Paperclip is the most popular upload tool for Ruby on Rails, and I found a way to upload a file with arbitrary extension, which can lead to XSS (file.html) or even a potential RCE (file.php/file.pl/file.cgi). By default Paperclip allows all types o...

Egor Homakov

Shared publicly  - 
 
How to use CORS without Preflights
From official doc on CORS: A header is said to be a simple header if the header field name is an ASCII case-insensitive match for Accept, Accept-Language, or Content-Language or if it is an ASCII case-insensitive match for Content-Type and th...

Egor Homakov

Shared publicly  - 
 
Two severe "WontFix" vulnerabilities in Facebook Connect
TL;DR Every website with "Connect Facebook account and log in with it" is vulnerable to account hijacking. Every website relying on signed_request (for example official JS SDK) is vulnerable to account takeover, as soon as attacker finds a 302 redirect to h...

Egor Homakov

Shared publicly  - 
 
Cookie Bomb or let's break the Internet.
TL;DR I can craft a page "polluting" CDNs, blogging platforms and other major networks with my cookies. Your browser will keep sending those cookies but servers will reject the requests, because Cookie header will be very long. The entire Internet will look...
People
Have him in circles
347 people
Work
Occupation
Consultant
Skills
security, ruby, js
Basic Information
Gender
Male
Birthday
April 28, 1993
Story
Tagline
Security consultant
Places
Currently
vagabund
Egor Homakov's +1's are the things they like, agree with, or want to recommend.
Cookie Bomb or let's break the Internet.
homakov.blogspot.com

TL;DR I can craft a page "polluting" CDNs, blogging platforms and other major networks with my cookies. Your browser will keep sending those

Home — Google Cloud Platform
cloud.google.com

Tools for modern applications. Google Cloud Platform enables developers to build, test and deploy applications on Google's highly-scalable a

Imperva Inc
www.google.com

Get detailed financial information on Imperva Inc (NYSE:IMPV) including real-time stock quotes, historical charts & financial news, all for

Trip Planner | Tripomatic
www.tripomatic.com

Plan your trip with the Tripomatic trip planner. Find out what to see and what to do in your destination. Get your personalized travel guide

How frames can mess with parent's namespace
homakov.blogspot.com

This post describes pitfalls of cross-frame navigation. It started to "feel wrong" from the very beginning, and yesterday I noticed another

Achilles Heel of OAuth or Why Facebook Adds #_=_
homakov.blogspot.com

This is a short addition to previous rants on OAuth problems. We got Nir Goldshlager working on our side (he simply loves bounties and faceb
