Skip to content

Instantly share code, notes, and snippets.

View kmcquade's full-sized avatar

Kinnaird McQuade kmcquade

404 followers · 313 following
View GitHub Profile
@kmcquade
kmcquade / jellyfin-openapi-stable.json
Created November 16, 2023 14:14
11/16/2023 download of Jellyfin's Swagger doc. https://api.jellyfin.org/openapi/jellyfin-openapi-stable.json
This file has been truncated, but you can view the full file.
{
"openapi": "3.0.1",
"info": {
"title": "Jellyfin API",
"version": "10.8.12",
"x-jellyfin-version": "10.8.12"
},
"servers": [
{
"url": "http://localhost"
@kmcquade
kmcquade / dvws-node-swagger.json
Last active November 16, 2023 17:49
dvws-node Swagger file. The swagger.js file in the repo is in a javascript object but I need it to be yaml/json and downloadable. So downloading it from gist. Here is the original: https://github.com/vulnerable-apps/dvws-node/blob/master/swagger.js
{
"openapi": "3.0.1",
"info": {
"title": "DVWS API",
"description": "API Used for DVWS Application",
"version": "0.1"
},
"servers": [
{
"url": "http://dvws.local"
@kmcquade
kmcquade / pw_example.py
Created January 25, 2023 21:49
pw_example.py
"""
Gmail doesn't work using regular recording. It will only work if you run the recording script and then wrap the recorded script in this
"""
from playwright.sync_api import Playwright, sync_playwright, expect
from playwright._impl._api_types import Error as PlaywrightError
def run(pw: Playwright) -> None:
args = [
@kmcquade
kmcquade / ldbdump.py
Created November 6, 2022 20:23 — forked from mkorthof/ldbdump.py
ldbdump - dumps LevelDB keys/values
#!/usr/bin/python3
# ldbdump - dumps LevelDB keys/values
#
# a LevelDB is a dir with files such a these:
# 000050.ldb 000100.log CURRENT LOCK LOG MANIFEST-000099
#
# sources: https://github.com/tos-kamiya/levelobjdb dump()
import os
@kmcquade
kmcquade / install-firing-range.sh
Created May 12, 2022 19:15 — forked from ianmuscat/install-firing-range.sh
#!/bin/bash
# Clone the Firing Range Repository
git clone https://github.com/google/firing-range.git
# Change to 'firing-range' directory
cd firing-range
# Download the AppEngine SDK
wget https://storage.googleapis.com/appengine-sdks/featured/appengine-java-sdk-1.9.23.zip
@kmcquade
kmcquade / risky-actions-example.yml
Created December 10, 2021 18:06
Explanation for a vendor on a potential way to represent risky action combinations for their product via yaml
###
# Format is below
#
# risk-name:
# target-name: # AND logic
# - service:actionName
# - service:act*
#
####
# List of high priority resource exposure actions here: https://gist.github.com/kmcquade/3161a6737285dc0508a9fa3446e22090
@kmcquade
kmcquade / Resource Exposure Actions.md
Last active December 2, 2021 20:49

IAM Actions that can expose resources via Resource Based Policies

ACM Private CAs:

CloudWatch Logs:

  • logs:PutResourcePolicy: Creates or updates a resource policy allowing other AWS services to put log events to this account
  • logs:DeleteResourcePolicy: Deletes a resource policy from this account. This revokes the access of the identities in that policy to put log events to this account.
@kmcquade
kmcquade / requirements.txt
Created September 20, 2021 18:01
Run Terraform get recursively using python-terraform
python_terraform==0.10.1
@kmcquade
kmcquade / explanation.md
Last active July 25, 2021 17:43

This explains a current issue in the ZAP Automation Framework where ZAP will perform tests even when they are explicitly excluded from the scan results - that is, even when you set defaultThreshold (which is supposed to apply as the default for all scan rules) or threshold (rule-specific settings) to 'Off', the checks are still performed.

Instructions

  • mkdir -p /tmp/zap/
  • Save the template.yaml YAML file to /tmp/zap/template.yaml
  • Run these commands to trigger the scan:



  


  




    


          
    

      

        
        

          

              @kmcquade
          

          

            
                kmcquade
                / template.yaml
            
            

              Created
              July 17, 2021 22:14
            

              
                ZAP Automation Template example - works with v0.4, runs against Google firing range
              
          

        

      

        

  

    
    


        



  


  

        

          
          --- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.org/docs/automate/automation-framework/
        

        

          
          env:                                   # The environment, mandatory
        

        

          
            contexts :                           # List of 1 or more contexts, mandatory
        

        

          
              - name: context 1                  # Name to be used to refer to this context in other jobs, mandatory
        

        

          
                urls:                            # A mandatory list of top level urls, everything under each url will be included
        

        

          
                - https://public-firing-range.appspot.com/
        

        

          
                includePaths:                    # An optional list of regexes to include
        

        

          
                excludePaths:                    # An optional list of regexes to exclude
        

        

          
                authentication:                  # TBA: In time to cover all auth configs
        

        

          
            vars:                                # List of 1 or more variables, can be used throughout the config