Simple and vulnerable NodeJS app prone to Cross-Site Scripting (XSS) deployment with Google Cloud App Engine

I wrote a little script in node.js for a hands-on lab to test Cross-Site Scriptings (XSS).

You can download it from my github:

To deploy in Google Cloud App Engine:

$ git clone
$ gcloud init
$ gcloud projects create xss-lab$RANDOM
$ gcloud config set project xss-lab$RANDOM
$ gcloud projects describe xss-lab$RANDOM
$ gcloud app create --project=xss-lab$RANDOM
$ gcloud app deploy
$ gcloud app logs tail -s default

Small tool to decode ASP.NET __VIEWSTATE variable when doing webpentests

I just wrote a small tool to easily decode ASP.NET __VIEWSTATE variables without having to install the viewstate module into the system with administrative privileges and be able to decode the variables with a small script using a terminal, without writting python code.

Sometimes when doing webpentesting against a ASP web application is useful a tool like this.

** ASP.NET __VIEWSTATE decoder **

[*] Decoding __VIEWSTATE:
(('1591068609', None), None)