<!doctype html>
<html>
https://www.blackhat.com/us-15/briefings.html
- https://www.blackhat.com/docs/us-15/materials/us-15-Silvanovich-Attacking-ECMA-Script-Engines-With-Redefinition.pdf
- https://www.blackhat.com/docs/us-15/materials/us-15-Silvanovich-Attacking-ECMA-Script-Engines-With-Redefinition-wp.pdf
- https://www.blackhat.com/docs/us-15/materials/us-15-Nafeez-Dom-Flow-Untangling-The-DOM-For-More-Easy-Juicy-Bugs.pdf
- https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf
- https://www.blackhat.com/us-15/briefings.html#bypass-surgery-abusing-content-delivery-networks-with-server-side-request-forgery-ssrf-flash-and-dns (no slides)
- https://www.blackhat.com/docs/us-15/materials/us-15-Vandevanter-Exploiting-XXE-Vulnerabilities-In-File-Parsing-Functionality.pdf
- https://www.blackhat.com/docs/us-15/materials/us-15-Vandevanter-Exploiting-XXE-Vulnerabilities-In-File-Parsing-Functionality-tool.zip
- https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry
(25500) Project Rider - Hadi Hari https://vimeo.com/151644168
(6802) What’s new in Security in ASP.NET 5 and MVC 6 - Dominick Baier https://vimeo.com/154041158
(5972) Saying “Goodbye” to DNX and “Hello!” to the .NET Core CLI - Damian Edwards & David Fowler https://vimeo.com/153212604
(3813) Fun with Generics - Benjamin Hodgson https://vimeo.com/154564491
(3686) Keynote NDC London 2016: JavaScript, The Cloud, and the Rise of the New Virtual Machine - Scott Hanselman https://vimeo.com/153120762
(3479) Introduction to IdentityServer - Brock Allen https://vimeo.com/154172925
(2980) Aurelia: Next-Generation Web Apps - Rob Eisenberg https://vimeo.com/153090562
(2118) Better single-page apps with ASP.NET MVC 6 - Steve Sanderson https://vimeo.com/157273325
(1741) A brief history of ASP.NET: From 1.0 to 5.0 - Damian Edwards and David Fowler https://vimeo.com/154034601
(1636) JavaScript Combinators, the “Six” Edition - Reginald Braithwaite https://vimeo.com/153097877
using System;

// Extension methods that turn a multi-argument Func into a chain of
// single-argument functions (currying), for arities 1 to 3.
public static class CurryExtensions
{
    // A one-argument function is already curried; return it unchanged.
    public static Func<T1, TR> Curry<T1, TR>(this Func<T1, TR> f) => f;

    public static Func<T1, Func<T2, TR>> Curry<T1, T2, TR>(this Func<T1, T2, TR> f) =>
        a1 => a2 => f(a1, a2);

    public static Func<T1, Func<T2, Func<T3, TR>>> Curry<T1, T2, T3, TR>(this Func<T1, T2, T3, TR> f) =>
        a1 => a2 => a3 => f(a1, a2, a3);
}
This is a writeup of how I went about solving the web challenge from the h1-702 CTF, including my thought process as I navigated through the wrong and right paths to reach a solution. If you're only interested in what the correct steps were, skip to the TL;DR at the end.
Upon navigating to the challenge URL, we're greeted with a message:
Notes RPC Capture The Flag

Welcome to HackerOne's H1-702 2018 Capture The Flag event. Somewhere on this server, a service can be found that allows a user to securely store notes. In one of the notes, a flag is hidden. The goal is to obtain the flag. Good luck, you might need it.
// randomString(length)
// --------------------
//
// Generates and returns a cryptographically secure
// uniform alphanumeric random string.
//
// Examples:
//
// randomString(14) // "oXYWpc1vODNR3M"
// randomString.hex(8) // "663c722b65943b9b"
/**
 * Enable route to __noSuchMethod__ when unknown method calling.
 *
 * @param {Object} obj Target object.
 * @return {Object}
 */
function enableMethodMissing(obj) {
  var functionHandler = createBaseHandler({});
  functionHandler.get = function(receiver, name) {
import org.junit.Test;
import java.util.ArrayList;
import java.util.Random;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

public class Vulnerability_Weak_Crypto {
I want to be extremely clear about three things. First, this is my personal opinion – insert full standard disclaimer. Second, this is not a condemnation of everyone at RSA, present and past. I assume most of them are pretty okay, and that the problem is confined to a few specific points in the company. However, “unknown problem people making major decisions at RSA” is a bit unwieldy, so I will just say RSA. Third, I'm not calling for a total boycott on RSA. I work almost literally across the street from them and I don’t want to get beat up by roving gangs of cryptographers at the local Chipotle.
RSA's denial published last night is utter codswallop that denies pretty much everything in the world except the actual allegations put forth by Reuters and hinted at for months by [other sources](http://li
/** round n down to nearest multiple of m (m > 0); works for negative n because Java's / truncates toward zero */
long roundDown(long n, long m) {
    return n >= 0 ? (n / m) * m : ((n - m + 1) / m) * m;
}

/** round n up to nearest multiple of m (m > 0) */
long roundUp(long n, long m) {
    return n >= 0 ? ((n + m - 1) / m) * m : (n / m) * m;
}