Skip to content

Instantly share code, notes, and snippets.

View ndavison's full-sized avatar

Nathan ndavison

53 followers · 0 following
View GitHub Profile
@ndavison
ndavison / github-vulnerable-workflows.py
Last active February 13, 2024 10:43
Detect potentially vulnerable github actions workflows for orgs
import requests
import yaml
import re
import json
import time
import logging
import sys
from argparse import ArgumentParser
@ndavison
ndavison / gist:357fdd7b610f8801f2391debaddaeff2
Created March 30, 2020 23:25
aliases
alias rcupdate='BRANCH=$(git rev-parse --abbrev-ref HEAD) && git checkout rc && git pull origin rc && git pull origin "$BRANCH" && git push origin rc && git checkout "$BRANCH"'
alias alphaupdate='BRANCH=$(git rev-parse --abbrev-ref HEAD) && git checkout alpha && git pull origin alpha && git pull origin "$BRANCH" && git push origin alpha && git checkout "$BRANCH"'
@ndavison
ndavison / url-cors-check.py
Last active July 23, 2023 16:32
Checks a URL for CORS header security posture
import requests
from urllib.parse import urlparse
from argparse import ArgumentParser
parser = ArgumentParser(description="Checks a URL for CORS header security posture")
parser.add_argument("-u", "--url", help="the URL to check")
parser.add_argument("-o", "--origin", help="the origin to supply (defaults to the origin in the URL)")
parser.add_argument("-H", "--header", action="append", help="add a request header")
parser.add_argument("-v", "--verbose", action="store_true", help="More output")
@ndavison
ndavison / hbh-header-abuse-test.py
Last active April 16, 2024 09:36
Attempts to find hop-by-hop header abuse potential against the provided URL.
# github.com/ndavison
import requests
import random
import string
from argparse import ArgumentParser
parser = ArgumentParser(description="Attempts to find hop-by-hop header abuse potential against the provided URL.")
parser.add_argument("-u", "--url", help="URL to target (without query string)")
@ndavison
ndavison / wp-visualizer-xss.md
Last active November 21, 2019 23:14
Wordpress Visualizer plugin stored XSS

Wordpress Visualizer plugin stored XSS CVE-2019-16931

The Visualizer plugin for Wordpress suffers from an unauthenticated stored XSS vulnerability. This was tested against v3.3.0.

Summary

This XSS actually relies on another vulnerability of sorts, in that it is possible for an anonymous user to modify data on an already created chart object by simply sending a constructed POST request to the /wp-json/visualizer/v1/update-chart WP-JSON API endpoint. This can be seen here where the endpoint is registered (classes/Visualizer/Gutenberg/Block.php) with no access control:

register_rest_route(
@ndavison
ndavison / wp-visualizer-ssrf.md
Last active November 21, 2019 23:14
Wordpress Visualizer blind SSRF

Wordpress Visualizer plugin blind SSRF CVE-2019-16932

The Visualizer plugin for Wordpress suffers from an unauthenticated blind SSRF vulnerability. This was tested against v3.3.0.

PoC setup

Setup a Docker environment using this compose config: https://docs.docker.com/compose/wordpress/

However, rather than running docker-compose up -d, just run docker-compose up as we want to see the output from the MySQL server to prove SSRF.

@ndavison
ndavison / haproxy-smuggling.md
Last active February 22, 2024 00:47
HAProxy HTTP request smuggling

The following describes a technique to achieve HTTP request smuggling against infrastructure behind a HAProxy server when using specific configuration around backend connection reuse. This was tested against HAProxy versions 1.7.9, 1.7.11, 1.8.19, 1.8.21, 1.9.10, and 2.0.5. Of all these tested versions, only 2.0.5 was not vulnerable out of the box, although it is when using the no option http-use-htx configuration, which reverts back to the legacy HTTP decoder. 2.1 removed the legacy decoder so it is not affected.

To actually exploit HTTP smuggling using the issue described in this writeup, the backend server(s) behind HAProxy would also have to be vulnerable in the sense they too would need to suffer from a bug, but one which parses and accepts a poorly formed Transfer-Encoding header (almost certainly violating RFC7230), and allows HTTP keep-alive.

The HAProxy bug - sending both Transfer-Encoding and Content-Length

This is how HAProxy handles a request when Transfer-Encoding and Content-Length is p

@ndavison
ndavison / flask-login-example.py
Created August 20, 2019 02:47
Simple Flask (with Flask-Login) example
from flask import Flask, request, jsonify, session
from flask_login import current_user, login_required, login_user, LoginManager, logout_user
app = Flask(__name__)
app.secret_key = b'_5#y2L"F4Q8z\n\xec]/'
login_manager = LoginManager()
login_manager.init_app(app)
@ndavison
ndavison / circleci-find-tag-build.py
Last active June 26, 2019 07:23
A script to find the CircleCI build associated with a particular VCS tag value
import requests
import json
import os
from argparse import ArgumentParser
parser = ArgumentParser(description="Queries the circleci API for the build associated with a VCS tag.")
parser.add_argument("-p", "--project", help="project to request circleci build logs for")
parser.add_argument("-r", "--repo", help="repo to request circleci build logs for")
parser.add_argument("-t", "--tag", help="the VCS tag value to look for")
@ndavison
ndavison / travisci.py
Last active September 24, 2022 05:54
Downloads build logs from travisci for a particular project.
import requests
import json
import os
import urllib.parse
from argparse import ArgumentParser
parser = ArgumentParser(description="Downloads build logs from travisci for a particular project.")
parser.add_argument("-p", "--project", help="project to request travisci build logs for")
parser.add_argument("-r", "--repo", default=None, help="repo to request travisci build logs for")