Skip to content

Instantly share code, notes, and snippets.

View evilpacket's full-sized avatar
:octocat:

Adam Baldwin evilpacket

:octocat:
584 followers · 0 following
View GitHub Profile
@evilpacket
evilpacket / gist:3647908
Created September 5, 2012 23:46
Pure lua MD5 Implementation
--[[---------------
LuaBit v0.4
-------------------
a bitwise operation lib for lua.
http://luaforge.net/projects/bit/
How to use:
-------------------
bit.bnot(n) -- bitwise not (~n)
@evilpacket
evilpacket / letter_freq.json
Created July 11, 2013 07:17
English letter frequencies in json format
{
"a": 8.167,
"b": 1.492,
"c": 2.782,
"d": 4.253,
"e": 12.702,
"f": 2.228,
"g": 2.015,
"h": 6.094,
"i": 6.966,
@evilpacket
evilpacket / gist:3628941
Created September 5, 2012 01:35
Top 1000 from Alexa Top 1million
wget -q http://s3.amazonaws.com/alexa-static/top-1m.csv.zip;unzip top-1m.csv.zip; awk -F ',' '{print $2}' top-1m.csv|head -1000 > top-1000.txt; rm top-1m.csv*
@evilpacket
evilpacket / all.txt
Created December 12, 2020 00:28 — forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
This file has been truncated, but you can view the full file.
.
..
........
@
*
*.*
*.*.*
🐎
@evilpacket
evilpacket / headless browser ctf
Last active November 27, 2020 08:42
URLs people tried (so far): https://gist.github.com/evilpacket/6651547a3d3e39bef75eee35f321f25f
Flag 1:
1. @jstash
2. @cnelson
3. @JF0LKINS
Flag 2:
1.
@evilpacket
evilpacket / Avoid-Command-Injection-Node.md
Created April 3, 2019 21:26
date slug tags title author type
2014-08-19 17:04:34 GMT
Avoid-Command-Injection-Node.js
security, node.js, injection
Avoiding Command Injection in Node.js
Adam Baldwin
text
@evilpacket
evilpacket / gist:9699f0f91443303d98c496d4c9e5b053
Created June 22, 2019 17:37
(Swedish) Girl with a dragon tattoo
Hackers
WarGames
Antitrust
Swordfish
TRON
Sneakers
Joe Dante's Explorers (1985)
The imitation game
The KGB, the computer, and me
@evilpacket
evilpacket / the-dangers-of-square-bracket-notation.md
Created April 3, 2019 21:28
date slug tags title author type
Wed Jan 14 17:30:08 PST 2015
the-dangers-of-square-bracket-notation
security, node.js, javascript, hapi, RCE, square bracket notation, io.js
The Dangers of Square Bracket Notation
Jon Lamendola
text

We are going to be looking at some peculiar and potentially dangerous implications of Javascript's square bracket notation in this post: where you shouldn't use this style of object access and why, as well how to use it safely when needed.

@evilpacket
evilpacket / bypass-connect-csrf-protection-by-abusing.md
Created April 3, 2019 21:27
date slug tags title author type
2013-09-07 17:03:10 GMT
bypass-connect-csrf-protection-by-abusing
CSRF, connect, methodOverride, middleware
Bypass Connect CSRF protection by abusing methodOverride Middleware
Node Security Team
text

Since our platform isn't setup for advisories that are not specific to a particular module version, but rather a use / configuration of a certain module, we will announce this issue here and get it into the database at a later date.

@evilpacket
evilpacket / regular-expression-dos-and-node.md
Created April 3, 2019 21:25
date slug tags title author type
Mon Nov 03 8:00:00 PDT 2014
regular-expression-dos-and-node.js
security, node.js, redos
Regular Expression DoS and Node.js
Adam Baldwin
text

Imagine you are trying to buy a ticket to your favorite JavaScript conference, and instead of getting the ticket page, you instead get 500 Internal Server Error. For some reason the site is down. You can't do the thing that you want to do most and the conference is losing out on your purchase, all because the application is unavailable.