CVE-2020-11976 - Apache Wicket LFI / markup source file read vulnerability
------------------------------------------
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates.
This allows an attacker to read possibly sensitive information inside an HTML template that is normally removed during rendering.
Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5.
For example, if there are credentials in the markup which are never supposed to be visible to the client:
<wicket:remove>
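As an added example (not part of the advisory or of Wicket itself), the following Python check can be run over a fetched response body to flag markup that Wicket should have consumed before the page reached the client. Both sample bodies are constructed for the example. A surviving `<wicket:remove>` block is the definitive signal; `wicket:id` attributes and the `xmlns:wicket` declaration are weaker signals, because Wicket keeps them in development mode and strips them only in deployment mode.

```python
import re

# Constructed sample responses (not captured from any real Wicket application).
RENDERED_PAGE = """<html><body>
<h1>Welcome</h1>
<form action="./login" method="post"><input type="text" name="user"/></form>
</body></html>"""

RAW_TEMPLATE = """<html xmlns:wicket="http://wicket.apache.org">
<body>
<wicket:remove>
  <!-- dev credentials: admin / s3cret -->
</wicket:remove>
<form wicket:id="loginForm"><input type="text" wicket:id="user"/></form>
</body></html>"""

# Markers that Wicket consumes while rendering a page. None of them should
# appear in a response served to a client by a deployment-mode application.
UNPROCESSED_MARKERS = {
    "wicket_remove_block": re.compile(r"<wicket:remove\b", re.I),
    "wicket_namespace_tag": re.compile(r"<wicket:[a-z]+\b", re.I),
    "wicket_id_attribute": re.compile(r"\bwicket:id\s*=", re.I),
    "wicket_xmlns": re.compile(r'xmlns:wicket\s*=\s*"', re.I),
}


def find_unprocessed_markup(body: str) -> dict:
    """Return {marker_name: hit_count} for every raw-template marker present in body."""
    return {
        name: len(rx.findall(body))
        for name, rx in UNPROCESSED_MARKERS.items()
        if rx.search(body)
    }


def leaked_remove_blocks(body: str) -> list:
    """Return the inner text of every <wicket:remove> block that reached the client.

    This is the content the advisory is about: text the developer expected to be
    stripped during rendering (comments, dev credentials, unused markup).
    """
    return [
        m.strip()
        for m in re.findall(r"<wicket:remove\b[^>]*>(.*?)</wicket:remove>", body, re.I | re.S)
    ]


def is_unprocessed_template(body: str) -> bool:
    """True if the body looks like a raw Wicket template rather than a rendered page."""
    return bool(find_unprocessed_markup(body))


if __name__ == "__main__":
    for label, body in (("rendered", RENDERED_PAGE), ("raw", RAW_TEMPLATE)):
        print(label, find_unprocessed_markup(body), leaked_remove_blocks(body))
```

Run it against the body of the suspicious response; a non-empty result from `leaked_remove_blocks` is the direct evidence that the template, not the rendered page, was served.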
Credits: https://lobotuerto.com/blog/how-to-setup-full-disk-encryption-on-a-secondary-hdd-in-linux/
- Identify your device name. This is usually easy by comparing the sizes of the drives: the system disk is normally sda, so external or secondary disks start at sdb. Confirm with lsblk rather than assuming, because the next steps overwrite the chosen device.
lsblk
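The naming rule above (system disk is sda, everything else follows) is only a heuristic. As an added example, not part of the original guide, this Python script reads the JSON form of the same command (`lsblk -J -o NAME,SIZE,TYPE,MOUNTPOINT`) and refuses any disk that carries the running system or a mounted filesystem, which is the check you want before handing a device to a destructive step such as `cryptsetup luksFormat`. The lsblk output embedded below is constructed, not captured from a real host.

```python
import json
import subprocess

# Constructed `lsblk -J -o NAME,SIZE,TYPE,MOUNTPOINT` output (not from a real host).
SAMPLE_LSBLK_JSON = r"""
{"blockdevices": [
  {"name": "sda", "size": "238.5G", "type": "disk", "mountpoint": null,
   "children": [
     {"name": "sda1", "size": "512M", "type": "part", "mountpoint": "/boot/efi"},
     {"name": "sda2", "size": "238G", "type": "part", "mountpoint": "/"}
   ]},
  {"name": "sdb", "size": "1.8T", "type": "disk", "mountpoint": null},
  {"name": "sdc", "size": "931.5G", "type": "disk", "mountpoint": null,
   "children": [
     {"name": "sdc1", "size": "931.5G", "type": "part", "mountpoint": "/mnt/backup"}
   ]},
  {"name": "sr0", "size": "1024M", "type": "rom", "mountpoint": null}
]}
"""

SYSTEM_MOUNTS = ("/", "/boot", "/boot/efi")


def _mountpoints(dev: dict) -> list:
    """Collect mountpoints of a device and everything nested under it (partitions, LVM, crypt)."""
    mps = [dev["mountpoint"]] if dev.get("mountpoint") else []
    for child in dev.get("children", []):
        mps.extend(_mountpoints(child))
    return mps


def candidate_disks(lsblk_json: str) -> list:
    """Return (name, size) for whole disks with nothing mounted anywhere on them."""
    tree = json.loads(lsblk_json)["blockdevices"]
    return [(d["name"], d["size"]) for d in tree if d["type"] == "disk" and not _mountpoints(d)]


def check_target(lsblk_json: str, name: str) -> str:
    """Return 'ok' if /dev/<name> is safe to format, otherwise a reason to stop."""
    tree = json.loads(lsblk_json)["blockdevices"]
    dev = next((d for d in tree if d["name"] == name and d["type"] == "disk"), None)
    if dev is None:
        return f"{name}: not a whole disk listed by lsblk"
    mps = _mountpoints(dev)
    if any(mp in SYSTEM_MOUNTS for mp in mps):
        return f"{name}: holds the running system ({', '.join(mps)})"
    if mps:
        return f"{name}: has mounted filesystems ({', '.join(mps)}); unmount first"
    return "ok"


def live_lsblk_json() -> str:
    """Run the real command on this host (requires util-linux with JSON support)."""
    return subprocess.run(
        ["lsblk", "-J", "-o", "NAME,SIZE,TYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    print("candidates:", candidate_disks(SAMPLE_LSBLK_JSON))
    for name in ("sda", "sdb", "sdc"):
        print(check_target(SAMPLE_LSBLK_JSON, name))
```

Replace `SAMPLE_LSBLK_JSON` with `live_lsblk_json()` on the real machine; only a device for which `check_target` returns `ok` should be used in the encryption steps that follow.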
# Pull archived URLs for *.bugcrowd.com from the Wayback CDX API, keep only those with a query string,
# drop static assets, replace every parameter value with FUZZ and de-duplicate the resulting templates.
# (The original one-liner built an unused bash array and, via awk $NF, only replaced the last value.)
curl -s "http://web.archive.org/cdx/search/cdx?url=*.bugcrowd.com/*&output=text&fl=original&collapse=urlkey" | grep "=" | sed -E '/\b(jpg|png|js|svg|css|gif|jpeg|woff|woff2)\b/d' | sed -E 's/=[^&#]*/=FUZZ/g' | sort -u > Passive_Collecting_URLParamter_Uniq.txt
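The same collection step in Python, added here as an example and not the page's own script. It keeps the one-liner's intent (archived URLs with a query string, static assets dropped, every value replaced by FUZZ) but is stricter at the edges: the extension filter looks only at the path, so `?file=report.js` survives; fragments are discarded because they never reach the server; and URLs that differ only in scheme, parameter order or repeated names collapse into one template. The CDX lines are constructed, not a real Wayback response.

```python
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit, parse_qsl

STATIC_EXT = {"jpg", "jpeg", "png", "gif", "svg", "css", "js", "woff", "woff2"}

# Constructed CDX-style lines (fl=original), not a real Wayback response.
SAMPLE_CDX = """\
https://example.bugcrowd.com/search?q=test&page=2
http://example.bugcrowd.com/search?page=7&q=other
https://example.bugcrowd.com/static/app.js?v=123
https://example.bugcrowd.com/download?file=report.js&token=abc#frag
https://example.bugcrowd.com/about
https://example.bugcrowd.com/item?id=
https://example.bugcrowd.com/item?id=42&id=43
"""


def fuzz_template(url: str) -> Optional[str]:
    """Return url with every query value replaced by FUZZ, or None if not worth fuzzing."""
    parts = urlsplit(url.strip())
    if not parts.query:
        return None                                # nothing to fuzz
    last_segment = parts.path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    if ext in STATIC_EXT:
        return None                                # static asset: judged by path, not by parameter values
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not params:
        return None
    names = sorted({k for k, _ in params})         # one template per parameter set
    query = "&".join(f"{k}=FUZZ" for k in names)
    # Normalise scheme/host and drop the fragment so equivalent URLs dedupe.
    return urlunsplit(("https", parts.netloc.lower(), parts.path, query, ""))


def build_templates(cdx_text: str) -> List[str]:
    """Turn raw CDX lines into a sorted, de-duplicated list of FUZZ templates."""
    seen = set()
    for line in cdx_text.splitlines():
        template = fuzz_template(line)
        if template:
            seen.add(template)
    return sorted(seen)


if __name__ == "__main__":
    for t in build_templates(SAMPLE_CDX):
        print(t)
```

Feed `build_templates` the body of the `curl` call above instead of `SAMPLE_CDX` and write the result to the wordlist your fuzzer consumes.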
Filter | Description | Example
---|---|---
allintext | Page text must contain all of the given keywords. | allintext:"keyword"
intext | Page text must contain the given keyword (one term per operator). | intext:"keyword"
inurl | URL must contain the given keyword. | inurl:"keyword"
allinurl | URL must contain all of the given keywords. | allinurl:"keyword"
intitle | Page title must contain the given keyword. | intitle:"keyword"
2019 update: this essay has been updated on my personal site, together with a follow-up on how to get started.
2020 update: I'm now writing a book with updated versions of all these essays and 35 other chapters!
If there's a golden rule, it's this one, so I put it first. All the other rules are more or less elaborations of this rule #1.
You already know that you will never be done learning. But most people "learn in private" and lurk. They consume content without creating any themselves. Again, that's fine, but we're here to talk about being in the top quintile. What you do here is to have a habit of creating learning exhaust. Write blogs, tutorials and cheatsheets. Speak at meetups and conferences. Ask and answer things on Stack Overflow or Reddit. (Avoid walled gardens like Slack and Discourse; they're not public.) Make YouTube videos
In this guide I will go through all the steps to create a VPS, secure it and deploy a Django application. This is a summarized version of the corresponding DigitalOcean tutorial.
Commands prefixed with "$" run on your local machine; commands prefixed with "#" run on the server once you are logged in.
Sign up through the referral link to get $10 of free credit, and select the $5 plan unless this is a production app.
We need to create a virtual environment for the app to run in. Run this command in the folder where you want the venv directory created:
python -m venv ./venv
var keythereum = require('keythereum');
var Wallet = require('ethereumjs-wallet');

// Generate a random private key plus the salt and IV used to encrypt it
var dk = keythereum.create();

// Encrypt the key into a Web3 secret-storage (V3 keystore) object; 'password' is a placeholder
var keyObject = keythereum.dump('password', dk.privateKey, dk.salt, dk.iv);

// Demo only: never log a private key in real code
var privateKeyString = dk.privateKey.toString('hex');
console.log('Private key', privateKeyString);

// Get public key (derived from the same private key via ethereumjs-wallet)
var wallet = Wallet.fromPrivateKey(dk.privateKey);
console.log('Public key', wallet.getPublicKeyString());