Cloudflare Swag

Got this rad t-shirt and some Cloudflare + stickers in the mail for finding this bug!

An Analysis of Cloudflare's Email Address Obfuscation

Cloudflare provides a feature that obfuscates email addresses in order to protect them from spam bots. I have it enabled because that’s a pretty solid premise and it sounds useful enough. It dynamically modifies markup, and adds its own scripts to aid in deobfuscating email addresses to display to the user: <a href="mailto:[email protected]">contact</a> Turns into: <a href="/cdn-cgi/l/email-protection#6e040b1d1d0b040b1d1d0b5f5c5d2e09030f0702400d0103">contact</a> <script data-cfasync="false" src="/cdn-cgi/scripts/f2bf09f8/cloudflare-static/email-decode.min.js"></script> A gist of email-decode.min.js is available here. All of my findings are a result of reverse engineering that script, and you can find my prettified version here.

Hacking Harvard (and nearly every other college)

Technolutions Slate creates and hosts the applied and admitted student portals for nearly every college, including every ivy league school. Notable exceptions include Carnegie Mellon and the University of Maryland (among others), who roll their own solutions. Slate's logo And until April 9, 2018, they were vulnerable to a wicked CSRF vulnerability that could, within seconds, reset a logged-in user’s email, and within minutes, completely control his or her account, allowing an attacker to withdraw college applications and steal sensitive information.

Slate Swag

I just received some cool items from Technolutions Slate! They make admissions portals for most colleges, including every ivy. Exciting stuff! Writeup on the bug I found for them incoming here.

Snow Day Calculator XSS

Note: This vulnerability is currently unfixed. I have attempted to contact the owner through the site’s contact form and through @snowdaycalc on Twitter, and have yet to receive any form of response. Snow Day Calculator is a popular web app for predicting the chance of a snow day, based on zip code, type of school, and the number of snow days this year. In the winter months, I use it a lot, and it’s quite accurate.

Uncovering a Bug in Cloudflare's Minification Service

tl;dr A bug in Cloudflare’s Auto Minify service parsed // and /* ... */ within ES6 `template literals` as comments, causing it to truncate lines or entire blocks of code, leading to unpredictable behavior or in rare cases, a code injection vulnerability. HackerOne report: Background Cloudflare’s Auto Minify service can automatically minify a website’s resources, including this one’s. I don’t want to plug Cloudflare too much [I swear I don’t work for them!

Fixing CSS Jitter

The problem While adding some swanky new buttons to my website, I decided to add a transform effect on hover to make the button go up and down like a real button. However, transformations can be dangerous due to CSS jitter which happens when an element moves out from under your mouse and snaps back (now that it’s no longer hovered) over and over again, re-triggering the hover effect over and over again.

Bypassing Cert Pinning in the Steam Mobile App

Routing a device’s web traffic through a proxy like mitmproxy is a great first step in reverse engineering a mobile app’s API. However, some apps protect against these types of man-in-the-middle attacks (whether the attacker is the user or a shady network admin trying to snoop) using certificate pinning, which enforces a policy rejecting all certificates other than the one hardcoded into the app itself. One such app is Steam’s mobile app, and in this post, I’ll disassemble and rebuild it with modified code using jadx and apktool.

Breaking down an interesting function

Spelunking in Netflix’s Javascript, I found this uncharacteristically large function that has all sorts of interesting fiddly bits. It is called 'F6I' which is an immediately invoked function that returns two functions of its own, neatly wrapped up in an object literal: 'F6I': (function() { var C9I = function(l9I, j9I) { var p9I = j9I & 0xffff, o9I = j9I - p9I; return ((o9I * l9I | 0) + (p9I * l9I | 0)) | 0; }, i6I = function(I9I, T9I, G9I) { if (Y9I[G9I] !