alf.nu / @steike

Erling Ellingsen

These are some old things.

Things

Stupid mnemonics for π

Return true to Win: A series of JavaScript challenges.

Alert 1 to win: A series of XSS challenges: here's some unsafe code; exploit it! Shortest code wins.

This Accent Does Not Exist

Regex golf: A series of regex-writing challenges (now also on SPOJ)

Zip Quine: A ZIP file that contains itself. Best paid code I ever wrote.

Testing Tools

Chargen: Generate test pages from the URL.

Send File to get files from something with a browser to a real machine (and also hints for the other direction)

SHA1 collision maker

DNS: On-the-fly DNS

Screen Test to quickly check if the resolution is 1:1

BitCalc: Whiteboard for explaining bit-twiddling algorithms (example: x&-x, snoob)

Old Security Stuff

Flash XSS Traps: Adobe forgot to escape backslashes, so every Flash file that passes strings to JavaScript had XSS.

Stealing Tokens With Harmony: The Proxy feature in ES6 opened a new XSSI vector.

ServiceWorker is a problem if you have a 'user content' domain (like Dropbox)

Webkit URLs: A tragedy in seven parts (so far)

Safari Reader UXSS: A non-hostname-based Safari bug

Complaints to @steike or @steike.