Nathan ndavison

Block or report user

Report or block ndavison

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
ndavison / gist:357fdd7b610f8801f2391debaddaeff2
alias rcupdate='BRANCH=$(git rev-parse --abbrev-ref HEAD) && git checkout rc && git pull origin rc && git pull origin "$BRANCH" && git push origin rc && git checkout "$BRANCH"'
alias alphaupdate='BRANCH=$(git rev-parse --abbrev-ref HEAD) && git checkout alpha && git pull origin alpha && git pull origin "$BRANCH" && git push origin alpha && git checkout "$BRANCH"'
@ndavison
ndavison / url-cors-check.py
Last active Jan 24, 2020
Checks a URL for CORS header security posture
import requests
from urlparse import urlparse
from argparse import ArgumentParser
parser = ArgumentParser(description="Checks a URL for CORS header security posture")
parser.add_argument("-u", "--url", help="the URL to check")
parser.add_argument("-o", "--origin", help="the origin to supply (defaults to the origin in the URL)")
parser.add_argument("-H", "--header", action="append", help="add a request header")
parser.add_argument("-v", "--verbose", action="store_true", help="More output")
ndavison / hbh-header-abuse-test.py
Last active May 11, 2020
Attempts to find hop-by-hop header abuse potential against the provided URL.
# github.com/ndavison
import requests
import random
import string
from argparse import ArgumentParser
parser = ArgumentParser(description="Attempts to find hop-by-hop header abuse potential against the provided URL.")
parser.add_argument("-u", "--url", help="URL to target (without query string)")
ndavison / wp-visualizer-xss.md
Last active Nov 21, 2019
WordPress Visualizer plugin stored XSS

WordPress Visualizer plugin stored XSS CVE-2019-16931

The Visualizer plugin for WordPress suffers from an unauthenticated stored XSS vulnerability. This was tested against v3.3.0.

Summary

This XSS depends on a second weakness: an anonymous user can modify the data of an already created chart object simply by sending a crafted POST request to the /wp-json/visualizer/v1/update-chart WP-JSON API endpoint. The endpoint is registered in classes/Visualizer/Gutenberg/Block.php with no access control, as seen here:

register_rest_route(
ndavison / wp-visualizer-ssrf.md
Last active Nov 21, 2019
WordPress Visualizer blind SSRF

WordPress Visualizer plugin blind SSRF CVE-2019-16932

The Visualizer plugin for WordPress suffers from an unauthenticated blind SSRF vulnerability. This was tested against v3.3.0.

PoC setup

Set up a Docker environment using this compose config: https://docs.docker.com/compose/wordpress/

However, rather than running docker-compose up -d, run docker-compose up in the foreground, because the output from the MySQL server is what demonstrates the SSRF.

ndavison / haproxy-smuggling.md
Last active Sep 20, 2019
HAProxy HTTP request smuggling

The following describes a technique to achieve HTTP request smuggling against infrastructure behind an HAProxy server when a specific configuration around backend connection reuse is in use. This was tested against HAProxy versions 1.7.9, 1.7.11, 1.8.19, 1.8.21, 1.9.10, and 2.0.5. Of these, only 2.0.5 was not vulnerable out of the box; it becomes vulnerable when configured with no option http-use-htx, which reverts to the legacy HTTP decoder. 2.1 removed the legacy decoder, so it is not affected.

To actually exploit HTTP smuggling using the issue described in this writeup, the backend server(s) behind HAProxy would also have to be vulnerable: they would need a bug of their own that parses and accepts a poorly formed Transfer-Encoding header (almost certainly violating RFC7230), and they would need to allow HTTP keep-alive.

The HAProxy bug - sending both Transfer-Encoding and Content-Length

This is how HAProxy handles a request when Transfer-Encoding and Content-Length is p

ndavison / flask-login-example.py
Created Aug 20, 2019
Simple Flask (with Flask-Login) example
from flask import Flask, request, jsonify, session
from flask_login import current_user, login_required, login_user, LoginManager, logout_user
app = Flask(__name__)
app.secret_key = b'_5#y2L"F4Q8z\n\xec]/'
login_manager = LoginManager()
login_manager.init_app(app)
ndavison / circleci-find-tag-build.py
Last active Jun 26, 2019
A script to find the CircleCI build associated with a particular VCS tag value
import requests
import json
import os
from argparse import ArgumentParser
parser = ArgumentParser(description="Queries the circleci API for the build associated with a VCS tag.")
parser.add_argument("-p", "--project", help="project to request circleci build logs for")
parser.add_argument("-r", "--repo", help="repo to request circleci build logs for")
parser.add_argument("-t", "--tag", help="the VCS tag value to look for")
ndavison / travisci.py
Last active Nov 22, 2019
Downloads build logs from Travis CI for a particular project.
import requests
import json
import os
import urllib.parse
from argparse import ArgumentParser
parser = ArgumentParser(description="Downloads build logs from travisci for a particular project.")
parser.add_argument("-p", "--project", help="project to request travisci build logs for")
parser.add_argument("-r", "--repo", default=None, help="repo to request travisci build logs for")
ndavison / circleci.py
Last active Feb 5, 2020
Downloads build logs from CircleCI for a particular project and repo
import requests
import json
import os
from argparse import ArgumentParser
parser = ArgumentParser(description="Downloads build logs from circleci for a particular project and repo.")
parser.add_argument("-p", "--project", help="project and repo to request circleci build logs for, in the format of project/repo")
parser.add_argument("-t", "--token", default=None, help="API token for non public readable builds")