Skip to content

Instantly share code, notes, and snippets.


Mehtab Zafar mzfr

View GitHub Profile
securityMB /
Last active Jul 16, 2021
Twitter quiz solution

Yesterday I posted a little quiz on Twitter about HTML parsing.

The question was: what element is going to be the parent of the final <s> in the following snippet of HTML:


The final answers are:

me0wday /
Last active Jan 25, 2022
Blind Graphql Discovery to Altair Schema

Playing with GraphQL when introspection is disabled

Quick write up on extracting a GraphQL schema when introspection is disabled. Bits and pieces sourced from various sources. Successfully tested on an Apollo instance.

TLDR: Some GraphQL instances provide name autocomplete suggestions. Some peeps have written tools to automate the extraction process. (ref

1. Bruteforce schema without introspection

First step is using a tool called clairvoyance by @nikitastupin ( I found the main repo to lack error handling and support for additional features such as proxy.

not-an-aardvark / vandalism.yml
Last active May 2, 2022
Proof-of-concept GitHub Actions workflow exploit (CVE-2021-22862)
View vandalism.yml
# This is a proof-of-concept for a security bug in GitHub Actions which has since been fixed.
# See for more information.
# The proof-of-concept was only ever used in a test environment to validate the existence of the
# vulnerability, and is shown here for educational purposes.
# The proof-of-concept would have the effect of creating a `` file, containing vandalism,
# on the default branch of a victim repository.
# To use the proof-of-concept, the steps would have been:
# 1. Fork the victim repository
tobi / kindle.rb
Last active Sep 25, 2022
Download your Kindle Highlights to local markdown files. Great for
View kindle.rb
#!/usr/bin/env ruby
# gem install active_support
require 'active_support/inflector'
require 'active_support/core_ext/string'
# gem install webrick (only ruby3)
require 'webrick'
# gem install mechanize
bayu-code-lab /
Created Jan 11, 2020
CI/CD Django Bitbucket to AWS Elastic Beanstalk
A Bitbucket Builds template for deploying
an application to AWS Elastic Beanstalk
from __future__ import print_function
import os
import sys
from time import strftime, sleep
multiplex3r /
Last active Sep 13, 2022
Load a PCAP into neo4j with scapy
#!/usr/bin/env python3
from scapy.all import *
from py2neo import Graph, Node, Relationship
packets = rdpcap("<your_pcap_file>")
g = Graph(password="<your_neo4j_password>")
for packet in packets.sessions():
pkt = packet.split()
pich4ya / root_bypass.js
Created Aug 5, 2019
Bypass Android Root Detection / Bypass RootBeer - August 2019
View root_bypass.js
// $ frida -l antiroot.js -U -f --no-pause
// CHANGELOG by Pichaya Morimoto (
// - I added extra whitelisted items to deal with the latest versions
// of RootBeer/Cordova iRoot as of August 6, 2019
// - The original one just fucked up (kill itself) if Magisk is installed lol
// Credit & Originally written by:
// If this isn't working in the future, check console logs, rootbeer src, or
Java.perform(function() {
var RootPackages = ["", "", "eu.chainfire.supersu",
bessarabov / gist:674ea13c77fc8128f24b5e3f53b7f094
Last active Aug 5, 2022
One-liner to generate data shown in post 'At what time of day does famous programmers work?' —
View gist:674ea13c77fc8128f24b5e3f53b7f094
git log --author="Linus Torvalds" --date=iso | perl -nalE 'if (/^Date:\s+[\d-]{10}\s(\d{2})/) { say $1+0 }' | sort | uniq -c|perl -MList::Util=max -nalE '$h{$F[1]} = $F[0]; }{ $m = max values %h; foreach (0..23) { $h{$_} = 0 if not exists $h{$_} } foreach (sort {$a <=> $b } keys %h) { say sprintf "%02d - %4d %s", $_, $h{$_}, "*"x ($h{$_} / $m * 50); }'