Skip to content

Instantly share code, notes, and snippets.

View grnd's full-sized avatar

Danny Grander grnd

88 followers · 47 following
View GitHub Profile
@grnd
grnd / snyk-security-report-public-key.key
Created January 21, 2018 15:29
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFmR918BEADrS77g30ejwt+ecbqJax4ZIBzQC6KSJxbuZ2slEDYdB2aDFj0G
bYhj685q7so6VXzko7weJKzfpbttaaFDPznx752T2nbPdh/ci0HFdbzPHvEBcmIK
aoJAWhiTICT7ys+sdzEXQbtGqsNltExD+ylqws6ovRf1wWA1oCLMLy2/wGl3n67p
jNW2ZkF/5Ke/GOfAM6CCdadUVHx+2d9dYhMrMuatBdhkOZMlOqAI1yvTXNAbE7mJ
mB5c4EfiC0ARiDl785yNgu8e+ONSZDqYaqiDKDen1JdUA0/qgU1E0cT/9rM96UhE
WkKlXMHwWLxA9CBU1dkFEukWwwaXDBpm0Zbx/1RaYc8M/s3yGH9TDbfMHSQ/qebK
oRXOCQjuXUU4JlnnFc9SPzquBdZSHBhF9mSEwR55CmQVZhxeyGJMfeZIbyD5u8dr
hfWQ9MiWY2qH5XUr++6PJJnGWlkYTxXJGgic/gTwstfIHGtizLN/SEZ0hmquX40t
mcqM1/P3PIMRYYx8lw0D+8w8Wm2QJyzIOnRlJhSEsBBl8FNvxIuaO7EjdABRZFba
@grnd
grnd / github_bugbountyhunting.md
Created October 7, 2017 21:50 — forked from EdOverflow/github_bugbountyhunting.md
My tips for finding security issues in GitHub projects.

GitHub for Bug Bounty Hunters

GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. in this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.

Mass Cloning

You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.

$ python githubcloner.py --org organization -o /tmp/output
@grnd
grnd / Snyk Broker Contributor Agreement.md
Created October 26, 2016 11:25

Snyk Broker tool contributor agreement

This Snyk Broker tool Agreement (this "Agreement") applies to any Contribution you make to any Work.

This is a binding legal agreement on you and any organization you represent. If you are signing this Agreement on behalf of your employer or other organization, you represent and warrant that you have the authority to agree to this Agreement on behalf of the organization.

1. Definitions

"Contribution" means any original work, including any modification of or addition to an existing work, that you submit to Snyk Broker tool repo in any manner for inclusion in any Work.

@grnd
grnd / moment-redos-poc.md
Last active November 19, 2018 15:02
PoC for ReDoS in `moment` npm package

Details here: https://snyk.io/vuln/npm:moment:20161019

It takes just a 40 characters long string to block the event loop for about 20 seconds on a standard laptop, while each additional space character will double that time.

Example: moment-test.js

var m = require("moment");
m.locale("be");
m().format("D MMN MMMM");
@grnd
grnd / Snyk CLI Contributor Agreement.md
Created September 27, 2016 11:42

Snyk CLI tool contributor agreement

This Snyk CLI tool Agreement (this "Agreement") applies to any Contribution you make to any Work.

This is a binding legal agreement on you and any organization you represent. If you are signing this Agreement on behalf of your employer or other organization, you represent and warrant that you have the authority to agree to this Agreement on behalf of the organization.

1. Definitions

"Contribution" means any original work, including any modification of or addition to an existing work, that you submit to Snyk CLI tool repo in any manner for inclusion in any Work.

@grnd
grnd / keybase.md
Created April 7, 2016 13:14

Keybase proof

I hereby claim:

  • I am grnd on github.
  • I am grander (https://keybase.io/grander) on keybase.
  • I have a public key whose fingerprint is 4F0A EB1A F20D C189 52A1 0F30 2069 C9EE 086A 3F10

To claim this, I am signing this object:

@grnd
grnd / sequencehunt_server.js
Created February 10, 2016 00:05
#!/usr/bin/env node
// run with: node sequencehunt_server.js
// info page: http://localhost:8080/info
// correct values: http://localhost:8080/check?val0=4&val1=12&val2=77&val3=98&val4=35
var http = require('http');
var url = require('url');
var TimingAttackProtectionSeconds = 3;
@grnd
grnd / 32C3-CTF-2015-config-bin.md
Last active January 4, 2016 03:22

32C3 CTF 2015 : config.bin

Category: Forensics Points: 150 Solves: 27 Description:

We have obtained what we believe is a configuration backup of an embedded device. However, it seems to be encrypted. Maybe you can help us with decryption?

Write-up

@grnd
grnd / 32C3-CTF-2015-Sequence-Hunt.md
Last active January 12, 2016 07:23

32C3 CTF 2015 : Sequence Hunt

Category: Web Points: 200 Solves: 19 Description:

May we interest you in a little programming exercise?

@grnd
grnd / Contributor Agreement.md
Last active December 2, 2015 17:53
Snyk vulnerabilities database contributor agreement

Snyk vulnerabilities database contributor agreement

This Snyk vulnerabilities database Agreement (this "Agreement") applies to any Contribution you make to any Work.

This is a binding legal agreement on you and any organization you represent. If you are signing this Agreement on behalf of your employer or other organization, you represent and warrant that you have the authority to agree to this Agreement on behalf of the organization.

1. Definitions

"Contribution" means any original work, including any modification of or addition to an existing work, that you submit to Snyk vulnerability databse in any manner for inclusion in any Work.