Skip to content

Instantly share code, notes, and snippets.

View samidunimsara's full-sized avatar
🙃

Samidu Nimsara samidunimsara

🙃
4 followers · 22 following
View GitHub Profile
@bobby2000-github
bobby2000-github / gist-Phineas Fisher - Whistle-blowers.txt
Last active December 17, 2023 12:26
English translation version of Phineas Fisher's account of how he took down HackingTeam
_ _ _ ____ _ _
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
A DIY Guide for those without the patience to wait for whistleblowers
--[ 1 ]-- Introduction
@win3zz
win3zz / GitHub-Leaked-API-Keys-and-Secrets.md
Last active November 15, 2024 18:43

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

As a security professional, it is important to conduct a thorough reconnaissance. With the increasing use of APIs nowadays, it has become paramount to keep access tokens and other API-related secrets secure in order to prevent leaks. However, despite technological advances, human error remains a factor, and many developers still unknowingly hardcode their API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these vulnerabilities, I have created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

**1.

@kafkaesqu3
kafkaesqu3 / exploitable_webpaths.md
Last active May 7, 2024 09:38
easy wins - exploitable/leaky web paths
Exploit/description Path
Microsoft Office Online Server SSRF (relay) /op/view.aspx
CVE-2017-11317 CVE-2019-18935 /Telerik.Web.Ui.WebResource.axd?type=rau
CVE-2017-11317 CVE-2019-18935 /Telerik.Web.UI.DialogHandler.aspx
CVE-2020-17519 /jobmanager/logs/
CVE-2017-7615 /verify.php?id=1&confirm_hash=
CVE-2018-1000130 /jolokia
CVE-2018-1000130 /actuator/jolokia
leak /actuator/env
@yassineaboukir
yassineaboukir / alert.js
Created March 24, 2021 14:08 — forked from tomnomnom/alert.js
Ways to alert(document.domain)
// How many ways can you alert(document.domain)?
// Comment with more ways and I'll add them :)
// I already know about the JSFuck way, but it's too long to add (:
// Direct invocation
alert(document.domain);
(alert)(document.domain);
al\u0065rt(document.domain);
al\u{65}rt(document.domain);
window['alert'](document.domain);
@yassineaboukir
yassineaboukir / List of API endpoints & objects
Last active November 12, 2024 22:33
A list of 3203 common API endpoints and objects designed for fuzzing.
0
00
01
02
03
1
1.0
10
100
1000
@sirrushoo
sirrushoo / gist:71872b5d1dc8df159215de5aaf014384
Created October 21, 2019 18:30
0d1n|210.78028eb|Web security tool to make fuzzing at HTTP inputs, made in C with libCurl.| blackarch-webapp |https://github.com/CoolerVoid/0d1n
0trace|1.5|A hop enumeration tool.| blackarch-scanner |http://jon.oberheide.org/0trace/
3proxy|0.8.13|Tiny free proxy server.| blackarch-proxy |http://3proxy.ru/
3proxy-win32|0.8.13|Tiny free proxy server.| blackarch-windows |http://3proxy.ru/
42zip|42|Recursive Zip archive bomb.| blackarch-dos |http://blog.fefe.de/?ts=b6cea88d
a2sv|135.973ba13|Auto Scanning to SSL Vulnerability.| blackarch-scanner |https://github.com/hahwul/a2sv
abcd|4.2738809|ActionScript ByteCode Disassembler.| blackarch-disassembler |https://github.com/MITRECND/abcd
abuse-ssl-bypass-waf|5.3ffd16a|Bypassing WAF by abusing SSL/TLS Ciphers.| blackarch-webapp |https://github.com/LandGrey/abuse-ssl-bypass-waf
acccheck|0.2.1|A password dictionary attack tool that targets windows authentication via the SMB protocol.| blackarch-cracker |http://labs.portcullis.co.uk/tools/acccheck/
ace|1.10|Automated Corp
@1lastBr3ath
1lastBr3ath / linkfinder.md
Last active September 29, 2024 11:07
Usage of LinkFinder (@GerbenJavado)
  • Navigate to page from where you want to extract links
  • Open your browser's console and paste the following ;
    document.querySelectorAll('script[src]').forEach((i)=>document.write(i.src+'<br/>'))
  • Copy all links and write it into a file (ex: jslinks.txt)
  • Open your terminal and cd to directory where you've downloaded LinkFinder
  • Run the following command
 while IFS= read link; do python linkfinder.py -i "$link" -o cli; done &lt; jslinks.txt | tee -a output.html
@Starefossen
Starefossen / tmux-cheats.md
Last active August 21, 2024 14:20
My personal tmux cheat sheet for working with sessions, windows, and panes. `NB` I have remapped the command prefix to `ctrl` + `a`.

Sessions

New Session

  • tmux new [-s name] [cmd] (:new) - new session

Switch Session

  • tmux ls (:ls) - list sessions
  • tmux switch [-t name] (:switch) - switches to an existing session