Dominique RIGHETTO righettod

@righettod
righettod / venom_security_headers_tests_suite.yml
Last active Feb 19, 2021
VENOM sample HTTP security response headers test suites.
name: HTTP security response headers test suites
# TOOLS
# VENOM HOME: https://github.com/ovh/venom
# VENOM RELEASE: https://github.com/ovh/venom/releases
# VENOM ASSERTION KEYWORDS: https://github.com/ovh/venom#assertion
# REF AND RUN
# REF BASE: https://owasp.org/www-project-secure-headers/
# RUN CMD: venom run --var="target_site=https://righettod.eu" venom_security_headers_tests_suite.yml
# venom run --var="target_site=https://righettod.eu" --var="internet_facing=true" venom_security_headers_tests_suite.yml
# venom run --var="target_site=https://righettod.eu" --var="internet_facing=true" --var="logout_url=/logout" venom_security_headers_tests_suite.yml
@righettod
righettod / poc_clear-site-data_header.php
Created Feb 13, 2021
Proof of concept of the use of the "Clear-Site-Data" HTTP response header.
<?php
// Local command to run the example: "php -S localhost:8000"
// Get the optional action: login / logout / random
$action = "NA";
if (isset($_GET["a"])) {
    $action = $_GET["a"];
}
switch ($action) {
    // Login action fills the session and local storage with dummy data
    case "login":
@righettod
righettod / venom_security_tests_suite.yml
Last active Feb 13, 2021
VENOM sample security tests suite
name: Security authorization test suites
# HOME: https://github.com/ovh/venom
# TEST API: https://gorest.co.in/
vars:
  target_host: ""
testcases:
- name: GetUserFromCollection
  steps:
  - type: http
    method: GET
righettod / poc_uuidv1_sandwich_attack.py
import uuid
import binascii
from datetime import datetime
"""
Python3 script trying to reproduce the "Sandwich Attack: A New Way Of Brute Forcing UUIDs"
described on "https://versprite.com/blog/universally-unique-identifiers/".
"""
@righettod
righettod / odc_report.py
Last active Feb 8, 2021
Quick script to format the result of an OWASP Dependency Check (ODC) JSON report
import json
import colorama
import sys
from termcolor import colored
from tabulate import tabulate
'''
Quick script to format the result of an OWASP Dependency Check (ODC) JSON report:
dependency-check.sh --project MyProject --scan . --format JSON --prettyPrint --out ./odc.json
@righettod
righettod / zipslip_validation.php
Last active Dec 9, 2020
Function to validate that a ZIP file does not contain "ZIP SLIP" payload entries.
<?php
/**
 * Function to validate that a ZIP file does not contain "ZIP SLIP" payload entries.
 * @param string $zipFilePath Path to the ZIP to test.
 * @return bool TRUE only if the archive does not contain ZIP SLIP payload entries.
 * @link https://snyk.io/research/zip-slip-vulnerability
 * @link https://stackoverflow.com/a/3599093/451455 (inspired from)
 */
function isZipValid($zipFilePath){
    $isValid = false;
@righettod
righettod / keychain_data_persistence_mstg_check.py
Created Jul 21, 2020
Python3 script to find common entries in two exports of an iOS device keychain performed via objection.
import json
import binascii
import hashlib
import argparse
from tabulate import tabulate
"""
Python3 script to find common entries in two exports of an iOS device keychain performed via objection.
The objective is to help perform the following test of the OWASP MSTG:
@righettod
righettod / ios-detect-screen-capture-and-screen-recording.swift
Created Jul 17, 2020
Code to detect when a user performs a screen capture or screen recording of an application, in order to prevent it when possible
import UIKit
// Inspired from the code below:
// https://github.com/takashings/ScreenCapturedSample/blob/master/ScreenCapturedSample/ForScreenCapturedViewController.swift
// https://www.hackingwithswift.com/example-code/uikit/how-to-detect-when-the-user-takes-a-screenshot
@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate {
    func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
        // Define a listener to handle the case when a screen recording is launched
@righettod
righettod / retirejs_report.py
Last active Jun 12, 2020
Quick script to format the results of a JSON scan report from RetireJS.
import json
import colorama
import sys
from termcolor import colored
from tabulate import tabulate
'''
Quick script to format the result of a RetireJS JSON report:
retire --outputformat json --outputpath retire.json --js --jspath . --nocache
@righettod
righettod / Android-Utils.md
Last active Jan 2, 2020
Utility PowerShell module for manipulating APK files on Windows

The code has been transformed to the following project