Skip to content

Instantly share code, notes, and snippets.

@motoyasu-saburi
motoyasu-saburi / lack_escape_content-disposition_filename.md
Last active November 5, 2024 19:41
Land Mine named "Content-Disposition > filename"

TL;DR

  • I found 1 browser, 1 language, and 15 vulnerabilities in { Web Framework, HTTP Client library, Email library / Web Service, etc }
  • All the vulnerabilities I found were found from a single perspective (I investigated maybe 50-80 products).
  • The RFC description of the problem (rather confusingly) describes the requirements for this problem, while the WHATWG > HTML Spec is well documented.
  • The problem is clearly targeted at the Content-Disposition fields filename and filename*.
  • This problem affects HTTP Request/Response/Email in different ways.
    • HTTP Request : request tampering (especially with file contents, tainting of other fields, etc.)
    • HTTP Response : Reflect File Download vulnerability
  • Email : Attachment tampering (e.g., extension and filename tampering and potential file content tampering)
@JeffreyShran
JeffreyShran / machineKeyFinder.aspx
Created March 30, 2022 10:00 — forked from irsdl/machineKeyFinder.aspx
To find validation and decryption keys when AutoGenerate has been used in Machine Key settings
<%@ Page Language="C#" %>
<%
// Read https://soroush.secproject.com/blog/2019/05/danger-of-stealing-auto-generated-net-machine-keys/
Response.Write("<br/><hr/>");
byte[] autoGenKeyV4 = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\", "AutoGenKeyV4", new byte[]{});
if(autoGenKeyV4!=null)
Response.Write("HKCU\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\AutoGenKeyV4: "+BitConverter.ToString(autoGenKeyV4).Replace("-", string.Empty));
Response.Write("<br/>");
byte[] autoGenKey = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\2.0.50727.0\\", "AutoGenKey", new byte[]{});
if(autoGenKey!=null)
@seqrity
seqrity / wordlist_from_js.sh
Last active March 5, 2023 06:35
Make wordlist from js files
#! /bin/bash
## This script fetch js files from a domain name and make a wordlist by words in js files
## Credit: https://gist.github.com/aufzayed/6cabed910c081cc2f2186cd27b80f687
##### Install requirements #####
##### Before running this script you should install Go #####
## Install subjs (https://github.com/lc/subjs)
GO111MODULE=on go get -u -v github.com/lc/subjs
@mackwage
mackwage / windows_hardening.cmd
Last active November 9, 2024 14:22
Script to perform some hardening of Windows OS
:: Windows 10 Hardening Script
:: This is based mostly on my own personal research and testing. My objective is to secure/harden Windows 10 as much as possible while not impacting usability at all. (Think being able to run on this computer's of family members so secure them but not increase the chances of them having to call you to troubleshoot something related to it later on). References for virtually all settings can be found at the bottom. Just before the references section, you will always find several security settings commented out as they could lead to compatibility issues in common consumer setups but they're worth considering.
:: Obligatory 'views are my own'. :)
:: Thank you @jaredhaight for the Win Firewall config recommendations!
:: Thank you @ricardojba for the DLL Safe Order Search reg key!
:: Thank you @jessicaknotts for the help on testing Exploit Guard configs and checking privacy settings!
:: Best script I've found for Debloating Windows 10: https://github.com/Sycnex/Windows10Debloater
:
@helgatheviking
helgatheviking / kia-subtitles-for-woocommerce
Last active June 24, 2019 09:52
Show the KIA Subtitle on WooCommerce products.
<?php
/*
* Plugin Name: KIA Subtitle + WooCommerce Bridge
* Plugin URI: https://gist.github.com/helgatheviking/ffbf9d1c82351fb9220ff91ce61f7518
* Donate link: https://www.youcaring.com/wnt-residency
* Description: Show the KIA Subtitle on WooCommerce products.
* Version: 1.0.0
* Author: Kathy Darling
* Author URI: http://kathyisawesome.com
* Requires at least: 3.8
@MrMugiwara
MrMugiwara / NetSecCheck.md
Created June 22, 2017 23:08
Network Security VAPT Checklist

Hi dear reader, there are very few technical network security assessment checklist. So I thought to share my own on this. Have a look and enjoy. Lets talk about the scope first. If you are given a 1000 machines to perform VAPT, then here is your scope. Single machine can have 65535 ports open. Any single port can deploy any service software from the world. For example FTP can be run on smartftp, pureftpd etc.. Any single FTP software version (for example pureftpd 1.0.22) can have number of vulnerabilities available. So if you multiply all of these, then it is impossible for any auditor to go ahead and probe all ports manually and find services manually. Even if he/she is able to do it, it is impossible to check all vulnerabilities that are pertaining to a single port of a single machine. Hence we have to rely on scanners such as nexpose, nessus, openvas, coreimpact etc. Here are some quick tools and test cases that one can perform on commonly found ports in the network pentest.

Identify live host

@marcellodesales
marcellodesales / formatted.sh
Last active November 14, 2023 19:22
One-liner REST server using netcat - nc
rm -f out
mkfifo out
trap "rm -f out" EXIT
while true
do
cat out | nc -w1 -l 1500 > >( # parse the netcat output, to build the answer redirected to the pipe "out".
export REQUEST=
while read line
do
line=$(echo "$line" | tr -d '[\r\n]')