A combination of my own methodology and the Web Application Hacker's Handbook Task checklist, as a Github-Flavored Markdown file
jhaddix
/ cloud_metadata.txt
Last active
November 10, 2025 16:43
— forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## AWS | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME] | |
| http://169.254.169.254/latest/meta-data/ami-id | |
| http://169.254.169.254/latest/meta-data/reservation-id | |
| http://169.254.169.254/latest/meta-data/hostname | |
| http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key |
jhaddix
/ Testing_Checklist.md
Last active
September 22, 2025 03:46
— forked from amotmot/WAHH_Task_Checklist.md
Fast Simple Appsec Testing Checklist
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| a4b.amazonaws.com | |
| access-analyzer.amazonaws.com | |
| account.amazonaws.com | |
| acm-pca.amazonaws.com | |
| acm.amazonaws.com | |
| airflow-env.amazonaws.com | |
| airflow.amazonaws.com | |
| alexa-appkit.amazon.com | |
| alexa-connectedhome.amazon.com | |
| amazonmq.amazonaws.com |
pedramamini
/ XProtect.yara
Created
October 19, 2017 20:18
Apple OSX built in file defense is powered by YARA: /System/Library/CoreServices/XProtect.bundle/Contents/Resources
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "hash" | |
| private rule Macho | |
| { | |
| meta: | |
| description = "private rule to match Mach-O binaries" | |
| condition: | |
| uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| aquatone-discover -d $1 --threads 10 | |
| aquatone-scan -d $1 --ports huge --threads 10 | |
| DEBUG=nightmare xvfb-run -a aquatone-gather -d $1 --threads 10 | |
| aquatone-takeover -d $1 --threads 10 |
ropnop
/ make_oneliner.py
Last active
October 15, 2025 16:46
Python script to convert a file to a oneliner exec command
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| # Author: @ropnop (Ronnie Flathers) | |
| # Simple script to ingest a Python file (e.g. a shell) and return a oneliner command | |
| # Useful with command injection vulns | |
| # Based entirely off of Metasploit's "reverse_python.rb" payload | |
| # Credit to Brendan Coles <bcoles[at]gmail.com> | |
| # | |
| # Example: | |
| # $ python make_oneliner.py pty_shell.py |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| brew install cmake | |
| brew install libusb | |
| brew install pkgconfig | |
| brew install sox # for easy audio | |
| git clone git://git.osmocom.org/rtl-sdr.git | |
| cd rtl-sdr/ | |
| mkdir build | |
| cd build/ | |
| cmake ../ | |
| make |
koenrh
/ gcp-gpu-vm-hashcat.md
Last active
June 23, 2025 01:06
Running Hashcat on Google Cloud's new GPU-based VMs
In February 2017, Google announced the availability GPU-based VMs. I spun up a few of these instances, and ran some benchmarks. Along the way, I wrote down the steps taken to provision these VM instances, and install relevant drivers.
Update April 2019: Updated instructions to use instances with the Tesla T4 GPUs.
LeCoupa
/ redis_cheatsheet.bash
Last active
October 26, 2025 14:15
Redis Cheatsheet - Basic Commands You Must Know --> UPDATED VERSION --> https://github.com/LeCoupa/awesome-cheatsheets
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Redis Cheatsheet | |
| # All the commands you need to know | |
| redis-server /path/redis.conf # start redis with the related configuration file | |
| redis-cli # opens a redis prompt | |
| # Strings. |
Neo23x0
/ yara_performance_guidelines.md
Last active
July 14, 2025 09:04
YARA Performance Guidelines
This Gist has been transfered into a Github Repo. You'll find the most recent version here.
When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.
- Revision 1.4, October 2020, applies to all YARA versions higher than 3.7