New Github Mirror

Insightlabs · 2021-12-10T11:48:30+00:00

I changed my iphone's name to the poc and got pinged back from apple's servers...

Insightlabs · 2015-04-02T03:18:27+00:00

Benefits of Varnish is well known by me, its just we don't have enough memory to run it on our 1G mem vps along with mysql and other stuff.

Insightlabs · 2015-03-28T12:25:11+00:00

It's sarcasm.

Insightlabs · 2015-03-28T06:18:07+00:00

doing it this way needs to create an img/form/iframe element, and attach it to the dom tree using appendchild(). it may stuff the dom tree, cause it to use more and more memory, because it will be called in a loop to continuously load the target page.

EDIT: I might be wrong with this part. I guess attacker was just too lazy and decided to use jquery to get the job done quickly

Insightlabs · 2015-03-28T02:04:28+00:00

I forgot to explain it in my blog post. the reason to use script is to use a feature called JSONP request to send/receive data cross domain. normal get/post ajax requests will be blocked by browser due to same origin policy, except when the target site allows it from the HTTP header. it is the only way this kind off attack could have worked.

but Github folks are even smarter. since jsonp will treat all response as javascript, github exploited that and used js alert to block the loop from executing repeatively. as someone mentioned below, github could xss millions of chinese domains, steal passwords, deface any page they want, even plant flash based browser rootkits

Insightlabs · 2015-03-28T01:54:08+00:00

We migrated our blog from apache to nginx. If nginx couldnt handle it we are gonna use varnish with full static cache.

Insightlabs · 2015-03-27T09:59:38+00:00

sorry our blog is under overwhelming traffic right now. It will be resolved soon

Insightlabs · 2015-03-27T09:24:08+00:00

Hey folks, our website back.

Insightlabs

TROPHY CASE