Egor Homakov
Lives in vagabund
453 followers | 4,774,569 views

Stream

Egor Homakov
Shared publicly

New Paypal gateway UI is a disaster
Hey. I decided to get a paid plan on Github and Paypal looked like a good payment option to me. Click on the big blue Paypal button here. This looks and feels really good. Lightweight elements, updated color scheme and new logo. Except one thing - how do I k...

Egor Homakov
Shared publicly

Hacking file uploaders with race condition
10 months ago I wrote about a simple but powerful bug in Paperclip <=3.5.3. Thoughtbot mentioned this problem on their blog in quite a misleading way - "a slight problem". Considering it as an XSS only - yes, a slight problem. But as I said before we can...

Egor Homakov
Shared publicly

Timing attack, 6.66% faster
Personally I'm not a big fan of timing attacks as I believe they are impractical for web apps (while perfectly useful in other fields). To make them useful you need to reduce latency and put your script just in front of the victim's server, send zillions of...
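An added example, not from the post above, showing in Ruby what a timing attack against a web app actually measures and what removes it: a plain string comparison stops at the first mismatching byte, so its running time grows with the length of the correct prefix, while a constant-time comparison does the same amount of work wherever the mismatch is. The token values are constructed and the method names are mine; Rack::Utils.secure_compare and ActiveSupport::SecurityUtils.secure_compare implement the same constructions for real applications.

```ruby
require "digest"

# Naive token check: String#== returns at the first mismatching byte, so the
# time taken grows with the length of the correct prefix. The method returns
# [match, bytes_inspected] so the leak is visible without a stopwatch.
def naive_compare(secret, guess)
  return [false, 0] if secret.bytesize != guess.bytesize
  s = secret.bytes
  g = guess.bytes
  s.each_index { |i| return [false, i + 1] if s[i] != g[i] }
  [true, s.size]
end

# Constant-time check: XOR each byte pair and OR the results together, so the
# work depends only on the length, never on where the first mismatch is.
# Rack::Utils.secure_compare uses this construction.
def constant_time_compare(secret, guess)
  return [false, 0] if secret.bytesize != guess.bytesize
  diff = 0
  secret.bytes.zip(guess.bytes) { |a, b| diff |= a ^ b }
  [diff.zero?, secret.bytesize]
end

# The early return on unequal lengths still leaks the length. Hashing both
# sides first makes the compared values fixed-size; the trailing plain
# comparison only runs once the digests already match, so it costs no timing
# information (ActiveSupport::SecurityUtils.secure_compare does the same).
def length_hiding_compare(secret, guess)
  a = Digest::SHA256.digest(secret)
  b = Digest::SHA256.digest(guess)
  constant_time_compare(a, b).first && secret == guess
end
```

Whether the per-byte difference is measurable over the network is exactly the question the post raises: it is a handful of nanoseconds, which is why an attacker needs a low-latency vantage point and a very large number of samples. On the server side the fix costs nothing and makes the question moot.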


Egor Homakov
commented on a video on YouTube.
Shared publicly

This was SOOO boring. I live in Bangkok and this video is both clueless and useless.

Manuel Hurtado:
that's what happens when +VICE News is your "news" source

Egor Homakov
Shared publicly

The No CAPTCHA problem
When I read about No CAPTCHA for the first time I was really excited. Did we finally find a better solution? Hashcash? Or what? Finally it's available and the blog post disappointed me a bit. Here's a WordPress registration page successfully using No CAPTCHA....

Egor Homakov
Shared publicly

Bypassing ClearClick and X-Frame-Options:Visible
I bet you know what Clickjacking (CJ) is. An old problem everybody's tired of hearing of. There are three types of web pages. Don't need to be shown in iframes but have no X-Frame-Options. Basically 99% or more of pages; CJ only exists due to poor design of w...

Egor Homakov
commented on a video on YouTube.
Shared publicly

Bullshit. People who cannot make money are stupid and think life should be simple. Live a simple life, live in cages, I don't care. The rest of us were born to make progress and to work hard. To change the world. You're just a lazy peasant who learned how to build houses.

19 comments, including:

Ok ok, take it easy guys. The poor farmer is just trying to say that he could not understand modern technology and fashion and all, BUT he deeply understood what made him happy and what he really wanted. BUT I say he is kind of lucky to have such a life, I mean he is lucky because he had all the farm land to farm RICE and FARM rice and FARM vegetables, AND to keep on farming. HE IS LUCKY somehow, so he figured out how easy it was for him TO LIVE...... BUT WHAT IF HE WAS BORN IN SOMALIA, OR A WAR-AFFECTED COUNTRY, WOULD HE SAY THE SAME THING?

Video: Life is easy. Why do we make it so hard?

Egor Homakov
Shared publicly

Covert Redirect FAQ
Hey, so-called covert redirect was all over the news today. I know a thing or two about OAuth security, and here is a short FAQ. How does it work? First of all it is mostly a Facebook Connect bug; other providers are not vulnerable (the author claims they are?), b...
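An added example, not part of the FAQ above, of the redirect_uri check an OAuth provider makes when the authorization request arrives. Covert redirect needs two things together: a provider that accepts any redirect_uri on the client's registered host, and an open redirect somewhere on that host that forwards the code or token to the attacker. The two policies below show the difference; the client URI, the /redirect?to= open redirect and the method names are constructed for this example.

```ruby
require "uri"

# Redirect URIs registered for one OAuth client (constructed sample data).
REGISTERED = ["https://client.example/oauth/callback"].freeze

# Loose policy: any https URL on the registered host is accepted. If the host
# also has an open redirect (here /redirect?to=), the provider happily sends
# the authorization response to it and the redirect forwards it to the attacker.
def host_match?(requested)
  req = URI.parse(requested)
  REGISTERED.any? do |reg|
    r = URI.parse(reg)
    req.scheme == r.scheme && req.host == r.host && req.port == r.port
  end
rescue URI::InvalidURIError
  false
end

# Strict policy (RFC 6749 section 3.1.2.2 recommends exact registration):
# scheme, host, port and path must all equal a registered value, and the
# request may not add a query string or fragment. With this in place the open
# redirect on the client's host is never a valid destination.
def exact_match?(requested)
  req = URI.parse(requested)
  return false if req.query || req.fragment
  REGISTERED.any? do |reg|
    r = URI.parse(reg)
    [req.scheme, req.host, req.port, req.path] == [r.scheme, r.host, r.port, r.path]
  end
rescue URI::InvalidURIError
  false
end
```

The userinfo case (`https://client.example@evil.example/...`) is included because a naive substring check on the registered host would pass it; URI parsing assigns the host correctly, which is why the check is done on parsed components rather than on the string.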

Egor Homakov
Shared publicly

Sakurity is hiring
Hello everyone. Our consulting website is going to get a new shiny design soon, along with a new technical blog (this one is gonna shut down), meanwhile: We're looking for web hackers! Info required: What are you good at? e.g. python or scala, which framewor...

Nahil Marhas:
I can help you with PHP, if you like

Egor Homakov
Shared publicly

Paperclip vulnerability leading to XSS or RCE.
TL;DR Paperclip is the most popular upload tool for Ruby on Rails, and I found a way to upload a file with an arbitrary extension, which can lead to XSS (file.html) or even a potential RCE (file.php/file.pl/file.cgi). By default Paperclip allows all types o...
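The two Paperclip posts in this stream (the arbitrary-extension upload above and "Hacking file uploaders with race condition" earlier) describe the same class of bug from two sides, so one added example covers both. It is my code, not Paperclip's: the first routine writes the upload into the public directory and validates afterwards, which is the write-then-validate ordering a race condition exploits; the second validates on a temporary file outside the web root and only then moves it into place under a server-chosen name. The extension allow-list, the magic-byte table and the on_written hook that stands in for the race window are assumptions of the example.

```ruby
require "tmpdir"
require "fileutils"
require "securerandom"

# Extensions the application is willing to serve back to browsers (assumption).
ALLOWED_EXTENSIONS = %w[.png .jpg .jpeg .gif].freeze

# Leading bytes each allowed type must start with (assumption: these four only).
MAGIC = {
  ".png"  => "\x89PNG\r\n\x1a\n".b,
  ".jpg"  => "\xFF\xD8\xFF".b,
  ".jpeg" => "\xFF\xD8\xFF".b,
  ".gif"  => "GIF8".b,
}.freeze

# Only the final extension counts, and it must be on the allow-list, so
# "shell.php", "page.html", "x.png.html" and names carrying a NUL byte are
# all rejected before anything touches the filesystem.
def safe_filename?(name)
  return false if name.include?("\0")
  base = File.basename(name)
  return false if base.empty? || base.start_with?(".")
  ALLOWED_EXTENSIONS.include?(File.extname(base).downcase)
end

# The content must match what the extension promises (an HTML file renamed
# to .png is still rejected).
def content_matches?(path, name)
  magic = MAGIC[File.extname(name).downcase]
  return false unless magic
  File.binread(path, magic.bytesize) == magic
end

# Vulnerable ordering: the file lands in the public directory first and is
# validated afterwards. Until the delete runs, a request for its URL gets the
# file, and if the web server executes .php the race is a remote shell.
# `on_written` is a stand-in for that window; a real attacker just polls.
def store_then_validate(upload_name, data, public_dir, on_written: nil)
  dest = File.join(public_dir, File.basename(upload_name))
  File.binwrite(dest, data)
  on_written&.call(dest)
  ok = safe_filename?(upload_name) && content_matches?(dest, upload_name)
  File.delete(dest) unless ok
  ok ? dest : nil
end

# Hardened ordering: validate on a temporary file outside the web root, then
# move it into place under a server-generated name that keeps only the
# allow-listed extension. Nothing reachable by URL ever exists unvalidated.
def validate_then_store(upload_name, data, public_dir)
  return nil unless safe_filename?(upload_name)
  ext = File.extname(upload_name).downcase
  Dir.mktmpdir do |tmp|
    staged = File.join(tmp, "upload")
    File.binwrite(staged, data)
    return nil unless content_matches?(staged, upload_name)
    dest = File.join(public_dir, "#{SecureRandom.hex(16)}#{ext}")
    FileUtils.mv(staged, dest)
    dest
  end
end
```

Note that the hardened version also discards the user-supplied name entirely; even with a correct allow-list, keeping the original name is what makes the public URL guessable during the upload.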
People
In his circles: 1 person
Have him in circles: 453 people

Work
Occupation: Consultant
Skills: security, ruby, js

Basic Information
Gender: Male
Birthday: April 28, 1993

Story
Tagline: Security consultant

Places
Currently: vagabund
+1's
Egor Homakov's +1's are the things they like, agree with, or want to recommend.

Cookie Bomb or let's break the Internet.
homakov.blogspot.com
TL;DR I can craft a page "polluting" CDNs, blogging platforms and other major networks with my cookies. Your browser will keep sending those

Home — Google Cloud Platform
cloud.google.com
Tools for modern applications. Google Cloud Platform enables developers to build, test and deploy applications on Google's highly-scalable a

Imperva Inc
www.google.com
Get detailed financial information on Imperva Inc (NYSE:IMPV) including real-time stock quotes, historical charts & financial news, all for

Trip Planner | Tripomatic
www.tripomatic.com
Plan your trip with the Tripomatic trip planner. Find out what to see and what to do in your destination. Get your personalized travel guide

How frames can mess with parent's namespace
homakov.blogspot.com
This post describes pitfalls of cross-frame navigation. It started to "feel wrong" from the very beginning, and yesterday I noticed another

Achilles Heel of OAuth or Why Facebook Adds #_=_
homakov.blogspot.com
This is a short addition to previous rants on OAuth problems. We got Nir Goldshlager working on our side (he simply loves bounties and faceb
