Live: https://youtubedown.pythonanywhere.com (dead, because it only had 3 months on PythonAnywhere)
This is a website for downloading videos/audio from YouTube, built with Flask.
You can uncomment these lines:
<!-- <meta http-equiv="Content-Security-Policy" content="script-src 'none'"> -->
<!-- <meta http-equiv="Content-Security-Policy" content="frame-ancestors 'none'"> -->
<!-- <meta http-equiv="Content-Security-Policy" content="sandbox 'none'"> -->
<!-- <meta http-equiv="Content-Security-Policy" content="object-src 'none'"> -->
to patch an XSS MIME type bug like this one: http://brutelogic.com.br/poc.svg
The risk is that
the coronavirus calculation from Indonesia and the calendar will be removed (but it's okay),
and your Flask web app will get a score like this
The bugs I solved from the above are:
mime type xss
serves image with low resolutions (srcset="urlimage.jpg 4x") =
> example like this =
> flamingo4x.jpg — 4025 × 2672 — 3.8 MB
> flamingo3x.jpg — 3019 × 2005 — 3.7 MB
> flamingo2x.jpg — 2013 × 1337 — 1.9 MB
> flamingo1x.jpg — 1006 × 668 — 338 KB
> flamingo-fallback.jpg — 1006 × 668 — 108 KB
> Read more: https://html.com/attributes/img-srcset/#ixzz7Eg9xgXcx
jQuery, Bootstrap and Popper.js bugs
> upgrade to the latest
>
> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
> <script src="https://cdn.jsdelivr.net/npm/@popperjs/[email protected]/dist/umd/popper.min.js"></script>
> <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js"></script>
and some other bugs, etc.
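Browsers ignore `frame-ancestors` and `sandbox` when a policy is delivered in a `<meta>` tag, so those two directives only take effect as a real response header. The sketch below is an added example, not code from this repository: a standard-library WSGI middleware that sends the four directives above as headers, applying `script-src 'none'` only under `/static/` so the pages keep their own scripts. The names `SecurityHeaders`, `demo_app` and `response_headers`, and the strict/page policy split, are assumptions made for illustration.

```python
# Added example (not the repository's code): stdlib-only WSGI middleware.
# Bare `sandbox` is the valid form of the directive; it takes no 'none' keyword.
STRICT_CSP = "script-src 'none'; object-src 'none'; frame-ancestors 'none'; sandbox"
PAGE_CSP = "object-src 'none'; frame-ancestors 'none'"


class SecurityHeaders:
    """Wrap a WSGI app (e.g. Flask's app.wsgi_app) and set CSP as real headers."""

    def __init__(self, wsgi_app, static_prefix="/static/"):
        self.wsgi_app = wsgi_app
        self.static_prefix = static_prefix  # assumption: matches the /static/ URL

    def policy_for(self, path):
        # Files under /static/ (where an SVG could live) never need scripts,
        # so they get the strict policy; pages keep their own scripts.
        return STRICT_CSP if path.startswith(self.static_prefix) else PAGE_CSP

    def __call__(self, environ, start_response):
        csp = self.policy_for(environ.get("PATH_INFO", ""))

        def patched_start(status, headers, exc_info=None):
            drop = {"content-security-policy", "x-content-type-options"}
            headers = [(k, v) for k, v in headers if k.lower() not in drop]
            headers.append(("Content-Security-Policy", csp))
            headers.append(("X-Content-Type-Options", "nosniff"))
            return start_response(status, headers, exc_info)

        return self.wsgi_app(environ, patched_start)


def demo_app(environ, start_response):
    # Constructed stand-in for the Flask app: serves an SVG or an HTML page.
    is_svg = environ["PATH_INFO"].endswith(".svg")
    ctype = "image/svg+xml" if is_svg else "text/html; charset=utf-8"
    start_response("200 OK", [("Content-Type", ctype)])
    return [b"<svg xmlns='http://www.w3.org/2000/svg'/>" if is_svg else b"<p>ok</p>"]


def response_headers(app, path):
    """Call a WSGI app for `path` and return its response headers as a dict."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured
```

In a Flask app this would be wired in with `app.wsgi_app = SecurityHeaders(app.wsgi_app)`. It only covers responses the Flask app itself produces; files served through a separate static-file mapping never pass through it.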
This website is used to download video and audio from YouTube.
You can remove the comments on these lines of code:
<!-- <meta http-equiv="Content-Security-Policy" content="script-src 'none'"> -->
<!-- <meta http-equiv="Content-Security-Policy" content="frame-ancestors 'none'"> -->
<!-- <meta http-equiv="Content-Security-Policy" content="sandbox 'none'"> -->
<!-- <meta http-equiv="Content-Security-Policy" content="object-src 'none'"> -->
The code above is a patch for an XSS MIME type bug like this one: http://brutelogic.com.br/poc.svg
The risk of removing the comments on the lines above is that
the coronavirus count, from deaths to recoveries, and the calendar will be removed, and the MIME type XSS vuln, but that is okay because that XSS is self-XSS,
and you will get a score for the Flask web app like the one in the picture below if they are removed
The vulnerabilities I have fixed are:
mime type xss
serves image with low resolutions (srcset="urlimage.jpg 4x") =
> example like this =
> flamingo4x.jpg — 4025 × 2672 — 3.8 MB
> flamingo3x.jpg — 3019 × 2005 — 3.7 MB
> flamingo2x.jpg — 2013 × 1337 — 1.9 MB
> flamingo1x.jpg — 1006 × 668 — 338 KB
> flamingo-fallback.jpg — 1006 × 668 — 108 KB
> Read more: https://html.com/attributes/img-srcset/#ixzz7Eg9xgXcx
jQuery, Bootstrap and Popper.js bugs
> upgrade to the latest
>
> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
> <script src="https://cdn.jsdelivr.net/npm/@popperjs/[email protected]/dist/umd/popper.min.js"></script>
> <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js"></script>
and several other bugs
1. Go to http://pythonanywhere.com/
2. Choose register / sign up (recommended: use a temp mail)
3. Go to Web and "Add a new web app"
4. Next
5. Select Flask, then select Python 3.9, next
6. Remove /mysite from the path: /home/yourusernameaccount/mysite/flask_app.py -> /home/yourusernameaccount/flask_app.py, next
7. Website created successfully
8. Go to Web again
9. Here, add (enter URL) /static/ and the directory /home/yourusernameaccount/
10. Go to Files
11. Create robots.txt and type flask_app.py
12. Select everything in flask_app.py and paste in main.py or flask_app.py from this GitHub repository
13. Save and refresh
14. Then go back to Web
15. You can activate it or not
16. My recommendation is to enable HTTPS; after that, go to your PythonAnywhere website and click this
Copyright @ 2021 Xnuvers007