Artem Smotrakov artem-smotrakov
☘️
artem-smotrakov
/ gbo.c
Created
December 31, 2017 15:23
An example of a global buffer overflow with reading sensitive data, see more on https://blog.gypsyengineer.com/fun/security/global-buffer-overflows.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdlib.h> | |
| #include <stdio.h> | |
| #include <string.h> | |
| char secret[32]; | |
| char public[32]; | |
| void print_strings(char *buffer, int len) { | |
| for (int i=0; i<len; i++) { | |
| if (buffer[i] != 0) { |
artem-smotrakov
/ build.gradle
Created
April 28, 2018 20:22
Setting a quality gate with OWASP Dependency Check for CVEs with CVSS score higher than 7. See details in https://blog.gypsyengineer.com/en/security/integrating-owasp-dependency-check.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| buildscript { | |
| repositories { | |
| mavenCentral() | |
| } | |
| dependencies { | |
| classpath 'org.springframework.boot:spring-boot-gradle-plugin:2.0.1.RELEASE' | |
| classpath 'org.owasp:dependency-check-gradle:3.1.2' | |
| } | |
| } |
artem-smotrakov
/ Dockerfile
Last active
May 5, 2018 10:13
Building a Docker image with picotls TLS 1.3 server with enabled AddressSanitizer. Based on https://github.com/artem-smotrakov/tlsbunny
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # this is a dockerfile which builds picotls, and start a local TLS 1.3 server | |
| # | |
| # the following commands build a docker image | |
| # | |
| # $ docker build --file Dockerfile --tag picotls/server/tls13 . | |
| # | |
| # the following command starts a local picotls server | |
| # | |
| # $ docker run -p 20101:20101 picotls/server/tls13 | |
| # |
artem-smotrakov
/ build_picotls_with_gcov.sh
Created
June 11, 2018 18:51
Clone and build picotls with gcov
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| git clone https://github.com/h2o/picotls | |
| cd picotls | |
| export CFLAGS="-fprofile-arcs -ftest-coverage -g -O0 -fsanitize=address -fno-omit-frame-pointer" | |
| export LDFLAGS="-fsanitize=address" | |
| cmake \ |
artem-smotrakov
/ cli.patch
Created
June 11, 2018 19:10
A patch for t/cli.c which adds a signal handler for dumping code coverage data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/t/cli.c b/t/cli.c | |
| index 8d9b68b..99cc4ab 100644 | |
| --- a/t/cli.c | |
| +++ b/t/cli.c | |
| @@ -19,6 +19,11 @@ | |
| * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS | |
| * IN THE SOFTWARE. | |
| */ | |
| + | |
| +/* |
artem-smotrakov
/ SecurityConfiguration.java
Last active
August 21, 2018 14:18
An example of SecurityConfiguration for an application based on Spring framework
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @Configuration | |
| public class SecurityConfiguration extends WebSecurityConfigurerAdapter { | |
| private static final String readScope = "#oauth2.isOAuth() && #oauth2.hasScope('read')"; | |
| @Bean | |
| @Override | |
| public AuthenticationManager authenticationManagerBean() throws Exception { | |
| return super.authenticationManagerBean(); | |
| } |
artem-smotrakov
/ Outer.java
Last active
September 26, 2018 10:13
Nested classes in Java, see also https://blog.gypsyengineer.com/en/security/whats-new-security-features-in-java-11.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package com.gypsyengineer.innerclass.field; | |
| public class Outer { | |
| private int secret = 10; | |
| public void check() { | |
| if (secret < 0) { | |
| System.out.println("Oops"); | |
| } else { |
artem-smotrakov
/ A.java
Created
September 26, 2018 10:14
Nested classes and accessing private fields in Java, see also https://blog.gypsyengineer.com/en/security/accessing-private-fields-with-synthetic-methods-in-java.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class A { | |
| private int secret; | |
| public class B { | |
| public go() { | |
| // do something | |
| } | |
| } | |
| } |
artem-smotrakov
/ AccessPrivateField.java
Created
September 26, 2018 10:17
Accessing private fields with synthetic methods in Java, see also https://blog.gypsyengineer.com/en/security/accessing-private-fields-with-synthetic-methods-in-java.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package com.gypsyengineer.innerclass.field; | |
| public class AccessPrivateField { | |
| public static void test01() throws Exception { | |
| System.out.println("Test #1: try to modify a private field with the same classloader"); | |
| System.out.println(" (no exception is expected, 'oops' should be printed out)"); | |
| Outer outer = new Outer(); | |
| go(outer); | |
| outer.check(); |
artem-smotrakov
/ AccessPrivateField.java
Created
September 26, 2018 10:18
Accessing private fields with synthetic methods in Java, see also https://blog.gypsyengineer.com/en/security/accessing-private-fields-with-synthetic-methods-in-java.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package com.gypsyengineer.innerclass.field; | |
| public class AccessPrivateField { | |
| public static void test02(ClassLoader cl) throws Exception { | |
| System.out.println("Test #2: try to modify a private field with different classloader"); | |
| System.out.println(" (an exception is expected)"); | |
| // Load AccessPrivateField class with different classloader | |
| Class clazz = cl.loadClass( | |
| "com.gypsyengineer.innerclass.field.AccessPrivateField"); |