EdOverflow

GitHub for Bug Bounty Hunters

GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. in this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.

Mass Cloning

You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.

$ python githubcloner.py --org organization -o /tmp/output

cryzed

Disclaimer: Please follow this guide being aware of the fact that I'm not an expert regarding the things outlined below, however I made my best attempt. A few people in IRC confirmed it worked for them and the results looked acceptable.

Attention: After following all the steps run gdk-pixbuf-query-loaders --update-cache as root, this prevents various gdk-related bugs that have been reported in the last few hours. Symptoms are varied, and for Cinnamon the DE fails to start entirely while for XFCE the icon theme seemingly can't be changed anymore etc.

Check the gist's comments for any further tips and instructions, especially if you are running into problems!

Screenshots

Results after following the guide as of 11.01.2017 13:08:

NodoFox

// Counts the number of hits in the past 5 minutes. 
//Each function accepts a timestamp parameter (in seconds granularity) and 
//you may assume that calls are being made to the system in chronological order 
//(ie, the timestamp is monotonically increasing). You may assume that the earliest timestamp starts at 1.

//It is possible that several hits arrive roughly at the same time.

public class HitCounter {
  int windowSize = 5 * 60; // since time interval is in seconds.
  Map<Long, Long> timeStampBucket = new HashMap<Long, Long>();

rondy

FWIW: I (@rondy) am not the creator of the content shared here, which is an excerpt from Edmond Lau's book. I simply copied and pasted it from another location and saved it as a personal note, before it gained popularity on news.ycombinator.com. Unfortunately, I cannot recall the exact origin of the original source, nor was I able to find the author's name, so I am can't provide the appropriate credits.

---

Effective Engineer - Notes

• By Edmond Lau
• Highly Recommended 👍
• http://www.theeffectiveengineer.com/

What's an Effective Engineer?

jagrosh

Simple Webhook Tutorial

In this tutorial, I will be explaining how to set up a simple webhook to relay your tweets to a Discord channel

Step 1 - Register on Zapier

1. Go to https://zapier.com/ and create an account (if you don't already have one).

Step 2 - Make a Discord Webhook

1. Find the Discord channel in which you would like to send Tweets

iSergius

Below are the Big O performance of common functions of different Java Collections.


List                 | Add  | Remove | Get  | Contains | Next | Data Structure
---------------------|------|--------|------|----------|------|---------------
ArrayList            | O(1) |  O(n)  | O(1) |   O(n)   | O(1) | Array
LinkedList           | O(1) |  O(1)  | O(n) |   O(n)   | O(1) | Linked List
CopyOnWriteArrayList | O(n) |  O(n)  | O(1) |   O(n)   | O(1) | Array

jfmengels

lodash v4.17.20

Array

• _.chunk
• _.compact
• _.concat

rashivkp

{% if site.linkedin_username %}
<li>
  <a href="https://www.linkedin.com/in/{{ site.linkedin_username }}">
    <span class="icon  icon--linkedin">
      <svg viewBox="0 50 512 512" >
        <path fill="#828282" d="M150.65,100.682c0,27.992-22.508,50.683-50.273,50.683c-27.765,0-50.273-22.691-50.273-50.683
        C50.104,72.691,72.612,50,100.377,50C128.143,50,150.65,72.691,150.65,100.682z M143.294,187.333H58.277V462h85.017V187.333z
        M279.195,187.333h-81.541V462h81.541c0,0,0-101.877,0-144.181c0-38.624,17.779-61.615,51.807-61.615
        c31.268,0,46.289,22.071,46.289,61.615c0,39.545,0,144.181,0,144.181h84.605c0,0,0-100.344,0-173.915
        s-41.689-109.131-99.934-109.131s-82.768,45.369-82.768,45.369V187.333z"/>

0XDE57

ABOUT

about:config settings to harden the Firefox browser. Privacy and performance enhancements.
To change these settings type 'about:config' in the url bar. Then search the setting you would like to change and modify the value. Some settings may break certain websites from functioning and rendering normally. Some settings may also make firefox unstable. I am not liable for any damages/loss of data.

Not all these changes are necessary and will be dependent upon your usage and hardware. Do some research on settings if you don't understand what they do. These settings are best combined with your standard privacy extensions (HTTPS Everywhere No longer required: Enable HTTPS-Only Mode, NoScript/Request Policy, uBlock origin, agent spoofing, Privacy Badger etc), and all plugins set to "Ask To Activate".

kristopolous

// Usage:
//   Copy and paste all of this into a debug console window of the "Who is Hiring?" comment thread 
//   then use as follows:
//
//   query(term | [term, term, ...], term | [term, term, ...], ...)
// 
// When arguments are in an array then that means an "or" and when they are seperate that means "and"
//
// Term is of the format:
//    ((-)text/RegExp)  ( '-' means negation )