<!doctype html>
<html>
Erlend Oftedal eoftedal
anonymous
/ bhusa2015.txt
Created
August 7, 2015 02:45
Black Hat USA 2015 slides and articles for Web guys.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://www.blackhat.com/us-15/briefings.html | |
| - https://www.blackhat.com/docs/us-15/materials/us-15-Silvanovich-Attacking-ECMA-Script-Engines-With-Redefinition.pdf | |
| - https://www.blackhat.com/docs/us-15/materials/us-15-Silvanovich-Attacking-ECMA-Script-Engines-With-Redefinition-wp.pdf | |
| - https://www.blackhat.com/docs/us-15/materials/us-15-Nafeez-Dom-Flow-Untangling-The-DOM-For-More-Easy-Juicy-Bugs.pdf | |
| - https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf | |
| - https://www.blackhat.com/us-15/briefings.html#bypass-surgery-abusing-content-delivery-networks-with-server-side-request-forgery-ssrf-flash-and-dns (no slides) | |
| - https://www.blackhat.com/docs/us-15/materials/us-15-Vandevanter-Exploiting-XXE-Vulnerabilities-In-File-Parsing-Functionality.pdf | |
| - https://www.blackhat.com/docs/us-15/materials/us-15-Vandevanter-Exploiting-XXE-Vulnerabilities-In-File-Parsing-Functionality-tool.zip | |
| - https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry |
jj09
/ NDC London 2016 - Top 30 talks.txt
Last active
May 15, 2016 21:06
Top 30 talks from NDC London 2016 (by view count)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (25500) Project Rider - Hadi Hari https://vimeo.com/151644168 | |
| (6802) What’s new in Security in ASP.NET 5 and MVC 6 - Dominick Baier https://vimeo.com/154041158 | |
| (5972) Saying “Goodbye” to DNX and “Hello!” to the .NET Core CLI - Damian Edwards & David Fowler https://vimeo.com/153212604 | |
| (3813) Fun with Generics - Benjamin Hodgson https://vimeo.com/154564491 | |
| (3686) Keynote NDC London 2016: JavaScript, The Cloud, and the Rise of the New Virtual Machine - Scott Hanselman https://vimeo.com/153120762 | |
| (3479) Introduction to IdentityServer - Brock Allen https://vimeo.com/154172925 | |
| (2980) Aurelia: Next-Generation Web Apps - Rob Eisenberg https://vimeo.com/153090562 | |
| (2118) Better single-page apps with ASP.NET MVC 6 - Steve Sanderson https://vimeo.com/157273325 | |
| (1741) A brief history of ASP.NET: From 1.0 to 5.0 - Damian Edwards and David Fowler https://vimeo.com/154034601 | |
| (1636) JavaScript Combinators, the “Six” Edition - Reginald Braithwaite https://vimeo.com/153097877 |
molnarg
/ angularjs-sandbox-escape.md
Last active
August 3, 2017 08:46
An AngularJS Template Expression Sandbox Escape
einarwh
/ CurryExtensions.cs
Last active
October 12, 2017 10:04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static class CurryExtensions | |
| { | |
| public static Func<T1, TR> Curry<T1, TR>(this Func<T1, TR> f) => f; | |
| public static Func<T1, Func<T2, TR>> Curry<T1, T2, TR>(this Func<T1, T2, TR> f) => | |
| a1 => a2 => f(a1, a2); | |
| public static Func<T1, Func<T2, Func<T3, TR>>> Curry<T1, T2, T3, TR>(this Func<T1, T2, T3, TR> f) => | |
| a1 => a2 => a3 => f(a1, a2, a3); |
This is a writeup of how I went about solving the web challenge from the h1-702 CTF, including my thought process as I navigated through the wrong and right paths to reach a solution. If you're only interested in what the correct steps were, skip to the TL;DR at the end.
Upon navigating to the challenge URL, we're greeted with a message:
Notes RPC Capture The Flag Welcome to HackerOne's H1-702 2018 Capture The Flag event. Somewhere on this server, a service can be found that allows a user to securely stores notes. In one of the notes, a flag is hidden. The goal is to obtain the flag. Good luck, you might need it.
dchest
/ randomString.js
Last active
December 22, 2019 08:19
Generates cryptographically secure uniform random string in browsers and Node.js [IN DEVELOPMENT]
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // randomString(length) | |
| // -------------------- | |
| // | |
| // Generates and returns a cryptographically secure | |
| // uniform alphanumeric random string. | |
| // | |
| // Examples: | |
| // | |
| // randomString(14) // "oXYWpc1vODNR3M" | |
| // randomString.hex(8) // "663c722b65943b9b" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Enable route to __noSuchMethod__ when unknown method calling. | |
| * | |
| * @param {Object} obj Target object. | |
| * @return {Object} | |
| */ | |
| function enableMethodMissing(obj) { | |
| var functionHandler = createBaseHandler({}); | |
| functionHandler.get = function(receiver, name) { |
DinisCruz
/ Vulnerability_Weak_Crypto.java
Created
September 4, 2016 15:43
Java test that confirms how Random().nextInt() values can be predicted
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import org.junit.Test; | |
| import java.util.ArrayList; | |
| import java.util.Random; | |
| import static org.junit.Assert.assertEquals; | |
| import static org.junit.Assert.assertTrue; | |
| public class Vulnerability_Weak_Crypto { |
I want to be extremely clear about three things. First, this is my personal opinion – insert full standard disclaimer. Second, this is not a condemnation of everyone at RSA, present and past. I assume most of them are pretty okay, and that the problem is confined to a few specific points in the company. However, “unknown problem people making major decisions at RSA” is a bit unwieldy, so I will just say RSA. Third, I'm not calling for a total boycott on RSA. I work almost literally across the street from them and I don’t want to get beat up by roving gangs of cryptographers at the local Chipotle.
RSA's denial published last night is utter codswallop that denies pretty much everything in the world except the actual allegations put forth by Reuters and hinted at for months by [other sources](http://li
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** round n down to nearest multiple of m */ | |
| long roundDown(long n, long m) { | |
| return n >= 0 ? (n / m) * m : ((n - m + 1) / m) * m; | |
| } | |
| /** round n up to nearest multiple of m */ | |
| long roundUp(long n, long m) { | |
| return n >= 0 ? ((n + m - 1) / m) * m : (n / m) * m; | |
| } |
OlderNewer