Dmitry Chestnykh dchest

commit bf860211ecd40d91d1ae5b4f2483bf7744bf2924
Author: Dmitry Chestnykh <dmitry@codingrobots.com>
Date: Wed Apr 27 17:22:20 2016 +0200
Add intermediate "Analyzing" page before showing results
commit dca02dd308695f8762d6d8ba718c1bf2a715e893
Author: Dmitry Chestnykh <dmitry@codingrobots.com>
Date: Wed Apr 27 16:10:41 2016 +0200
@dchest
dchest / 2015-07-15-securing-golang-web-apps.md
Last active June 24, 2021 23:36
Securing Go web applications (archived post from StableLib blog)

Securing Go web applications

There are lots of security-related things to keep in mind when writing a web application, as the Web is a place full of danger: cross-site scripting (XSS), cross-site request forgery (CSRF), clickjacking, brute forcing, spam and so on.

Go gets many things right by default: for example, templates from the standard library make it hard to accidentally introduce XSS vulnerabilities. But what about other attacks? Fortunately, there are a few open source Go packages

@dchest
dchest / gist:456b8be6109db26b6b0e063282cdd481
Last active April 16, 2016 08:05
Attacks on non-personalized hashes
yescrypt pre- and post-hashing
http://thread.gmane.org/gmane.comp.security.phc/1271/focus=2370
Example of 3rd attack described there:
User has a passphrase P. In one protocol, to derive a key from
this passphrase, BLAKE2s is used. The hashed passphrase
is then sent to some server.
P — user's passphrase
// Copyright (C) 2016 Dmitry Chestnykh
// MIT License. See LICENSE file for details.
import { randomBytes } from "../random";
import { assert } from "../../utils/assert";
import { wipe } from "../../utils/wipe";
// TODO(dchest): some functions are copies of ../sign/ed25519.
// Find a way to combine them without opening them up to the public API.
@dchest
dchest / xorshift128.go
Last active February 28, 2016 14:35
Analyzing XORShift128+ PRNG
// Studying XorShift128+ pseudorandom number generator
package main
import (
"fmt"
"strconv"
)
var state0, state1 uint64
@dchest
dchest / xor.js
Last active February 27, 2016 21:15
Simple XOR error correction demo
// Simple XOR error correction demo.
"use strict";
const packets = [
"hello world",
"JavaScript!",
"lose me plz",
"another one"
].map((s) => new Buffer(s));
@dchest
dchest / randomString.js
Last active December 22, 2019 08:19
Generates cryptographically secure uniform random string in browsers and Node.js [IN DEVELOPMENT]
// randomString(length)
// --------------------
//
// Generates and returns a cryptographically secure
// uniform alphanumeric random string.
//
// Examples:
//
// randomString(14) // "oXYWpc1vODNR3M"
// randomString.hex(8) // "663c722b65943b9b"
@dchest
dchest / objectId.js
Created February 5, 2016 20:38
MongoDB/BSON ObjectId generator in Node.js
var os = require('os');
var crypto = require('crypto');
var machineId = crypto.createHash('md5').update(os.hostname()).digest().slice(0, 3);
var objectIdCounter = crypto.randomBytes(4).readUInt32BE() & 0xffffff;
// Returns a unique objectId as a hex string.
function newObjectId() {
var buf = new Buffer(12);
// Current time, 4 bytes.
@dchest
dchest / main.go
Last active October 7, 2015 12:24
package main
import (
"encoding/hex"
"fmt"
"golang.org/x/crypto/curve25519"
)
func main() {
@dchest
dchest / lisp.c
Last active September 9, 2015 22:49 — forked from sanxiyn/lisp.c
Lisp
#include <assert.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
enum type {
NIL,