Skip to content

Instantly share code, notes, and snippets.

View grnd's full-sized avatar

Danny Grander grnd

View GitHub Profile
@grnd
grnd / Contributor Agreement.md
Last active December 2, 2015 17:53
Snyk vulnerabilities database contributor agreement

Snyk vulnerabilities database contributor agreement

This Snyk vulnerabilities database Agreement (this "Agreement") applies to any Contribution you make to any Work.

This is a binding legal agreement on you and any organization you represent. If you are signing this Agreement on behalf of your employer or other organization, you represent and warrant that you have the authority to agree to this Agreement on behalf of the organization.

1. Definitions

"Contribution" means any original work, including any modification of or addition to an existing work, that you submit to Snyk vulnerability databse in any manner for inclusion in any Work.

32C3 CTF 2015 : Sequence Hunt

Category: Web Points: 200 Solves: 19 Description:

May we interest you in a little programming exercise?

32C3 CTF 2015 : config.bin

Category: Forensics Points: 150 Solves: 27 Description:

We have obtained what we believe is a configuration backup of an embedded device. However, it seems to be encrypted. Maybe you can help us with decryption?

Write-up

#!/usr/bin/env node
// run with: node sequencehunt_server.js
// info page: http://localhost:8080/info
// correct values: http://localhost:8080/check?val0=4&val1=12&val2=77&val3=98&val4=35
var http = require('http');
var url = require('url');
var TimingAttackProtectionSeconds = 3;

Keybase proof

I hereby claim:

  • I am grnd on github.
  • I am grander (https://keybase.io/grander) on keybase.
  • I have a public key whose fingerprint is 4F0A EB1A F20D C189 52A1 0F30 2069 C9EE 086A 3F10

To claim this, I am signing this object:

Snyk CLI tool contributor agreement

This Snyk CLI tool Agreement (this "Agreement") applies to any Contribution you make to any Work.

This is a binding legal agreement on you and any organization you represent. If you are signing this Agreement on behalf of your employer or other organization, you represent and warrant that you have the authority to agree to this Agreement on behalf of the organization.

1. Definitions

"Contribution" means any original work, including any modification of or addition to an existing work, that you submit to Snyk CLI tool repo in any manner for inclusion in any Work.

@grnd
grnd / moment-redos-poc.md
Last active November 19, 2018 15:02
PoC for ReDoS in `moment` npm package

Details here: https://snyk.io/vuln/npm:moment:20161019

It takes just a 40 characters long string to block the event loop for about 20 seconds on a standard laptop, while each additional space character will double that time.

Example: moment-test.js

var m = require("moment");
m.locale("be");
m().format("D MMN MMMM");

Snyk Broker tool contributor agreement

This Snyk Broker tool Agreement (this "Agreement") applies to any Contribution you make to any Work.

This is a binding legal agreement on you and any organization you represent. If you are signing this Agreement on behalf of your employer or other organization, you represent and warrant that you have the authority to agree to this Agreement on behalf of the organization.

1. Definitions

"Contribution" means any original work, including any modification of or addition to an existing work, that you submit to Snyk Broker tool repo in any manner for inclusion in any Work.

@grnd
grnd / github_bugbountyhunting.md
Created October 7, 2017 21:50 — forked from EdOverflow/github_bugbountyhunting.md
My tips for finding security issues in GitHub projects.

GitHub for Bug Bounty Hunters

GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. in this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.

Mass Cloning

You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.

$ python githubcloner.py --org organization -o /tmp/output
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFmR918BEADrS77g30ejwt+ecbqJax4ZIBzQC6KSJxbuZ2slEDYdB2aDFj0G
bYhj685q7so6VXzko7weJKzfpbttaaFDPznx752T2nbPdh/ci0HFdbzPHvEBcmIK
aoJAWhiTICT7ys+sdzEXQbtGqsNltExD+ylqws6ovRf1wWA1oCLMLy2/wGl3n67p
jNW2ZkF/5Ke/GOfAM6CCdadUVHx+2d9dYhMrMuatBdhkOZMlOqAI1yvTXNAbE7mJ
mB5c4EfiC0ARiDl785yNgu8e+ONSZDqYaqiDKDen1JdUA0/qgU1E0cT/9rM96UhE
WkKlXMHwWLxA9CBU1dkFEukWwwaXDBpm0Zbx/1RaYc8M/s3yGH9TDbfMHSQ/qebK
oRXOCQjuXUU4JlnnFc9SPzquBdZSHBhF9mSEwR55CmQVZhxeyGJMfeZIbyD5u8dr
hfWQ9MiWY2qH5XUr++6PJJnGWlkYTxXJGgic/gTwstfIHGtizLN/SEZ0hmquX40t
mcqM1/P3PIMRYYx8lw0D+8w8Wm2QJyzIOnRlJhSEsBBl8FNvxIuaO7EjdABRZFba