Search results for shell script sleep example: 1 - 34 of 34

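  • [2020] Summary of Attack Techniques in CTF Web Challenges - こんとろーるしーこんとろーるぶい

    Introduction Target events How to read and use this Remote Code Execution (RCE) Bypassing open_basedir by specifying the parent directory Bypassing open_basedir and disable_functions via a TCP socket connection to PHP-FPM Executing a shell with Java's Runtime.exec Cross-Site Scripting (XSS) Disabling the CSP header when the HTTP status code can be controlled in an nginx environment XSS vulnerability in Google's Closure Library sanitizer Registering a Service Worker via a web proxy feature XSS without parentheses Specifying the destination URL without using the / character Executing document.write sequentially using SOME (Same Origin Method Execution) SQL Injection MySQ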

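    • Building an AI WAF with the GPT-3 API - まったり技術ブログ

      *This is a joke article. Introduction Vulnerabilities tested Tips. What is GPT-3? WAF implementation Environment and requirements Source code Verification Normal request XSS GET parameter POST data POST data & no headers SQL injection GET parameter GET parameter & no headers XXE POST parameter (1) POST parameter (2) POST parameter & no headers Path traversal GET parameter GET parameter & no headers OS command injection GET parameter & no headers GET parameter Log4Shell POST parameter POST parameter & no headers POST parameter & no headers WordPress user enumeration ShellShock Summary Introduction We will build a next-generation WAF using the cutting-edge(?) GPT-3. Below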

      • GitHub - modelcontextprotocol/servers: Model Context Protocol Servers

        Official integrations are maintained by companies building production ready MCP servers for their platforms. 21st.dev Magic - Create crafted UI components inspired by the best 21st.dev design engineers. 2slides - An MCP server that provides tools to convert content into slides/PPT/presentation or generate slides/PPT/presentation with user intention. ActionKit by Paragon - Connect to 130+ SaaS inte

        • The Linux Kernel Module Programming Guide

          Peter Jay Salzman, Michael Burian, Ori Pomerantz, Bob Mottram, Jim Huang 1 Introduction 1.1 Authorship 1.2 Acknowledgements 1.3 What Is A Kernel Module? 1.4 Kernel module package 1.5 What Modules are in my Kernel? 1.6 Is there a need to download and compile the kernel? 1.7 Before We Begin 2 Headers 3 Examples 4 Hello World 4.1 The Simplest Module 4.2 Hello and Goodbye 4.3 The __init and __exit Mac

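          • New features of "uv", which has evolved even further | gihyo.jp

            This is Fukuda (@JunyaFff). "uv", which was introduced in "Let's try uv, a Python package management tool written in Rust", published in March 2024 in this Python Monthly Topics series, has evolved even further. This time I introduce its new features. Introduction "uv", the fast Rust-based pip alternative developed by Astral, was updated in August as a package manager. Beyond being a pip alternative, it can now manage Python projects, command-line tools, single-file scripts, and even Python itself. uv can be said to encompass the functionality of tools like pip, pipx, venv, poetry and pyenv, and all of it runs very fast. This article focuses on the new features of the updated "uv". For basic usage, the Rust-based Python pa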

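            • Logging with a Kubernetes DaemonSet on EKS: Fluent-bit Operations and Trouble Cases - MonotaRO Tech Blog

              I am 宋 明起 of the Container Platform Group in MonotaRO's Platform Engineering Department. We remove the cognitive load of the container system from application developers, build and improve a container platform that lets them focus on application development, and help developers deploy and operate applications more easily and more safely. Background Basic design Policy Architecture Sample Monitoring Sample Incidents Incident 1. Memory overflow error occurs Incident 2. A large number of logs are missing (refresh_interval) Incident 3. Some logs are still missing (Prestop) [FAQ] Background At MonotaRO, as described in the following article, we started by containerizing backend APIs and now run various applications at various layers on EKS. EKS container migration trouble cases: ALB settings and the Pod lifecy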

              • An Opinionated Guide to xargs

                Preliminaries What Is xargs? It's an adapter between text streams and argv arrays, two essential concepts in shell. You pass it flags that specify how to split stdin. Then it generates arguments and invokes processes. Example: $ echo 'alice bob' | xargs -n 1 -- echo hi hi alice hi bob What's happening here? xargs splits the input stream on whitespace, producing 2 arguments, alice and bob. We passe

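                • Scanning a GitHub Organization for credentials with trufflehog - 10X Product Blog

                  Hello, this is @sota1235 from the security team. A sudden question for all software engineers: have you ever accidentally pushed to GitHub an API key or SSH private key that must not be leaked to others? I have. *1 While building things at speed day to day, accidentally committing something that should never be committed, or pushing it to GitHub without noticing, is an accident that can happen to anyone, since humans are creatures that make mistakes. This time I will talk about how we use trufflehog to detect such accidents. Note that this time I will not cover preventing accidents before they happen. github.com The risk of accidentally pushing credentials to GitHub What are credentials How credentials should be managed GitH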

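                  • Ministry of Defense Cyber Contest 2025 Writeup - はまやんはまやんはまやん

                    [PG] Just shrinking it is not enough [PG] You could do it with mental arithmetic, but? [PG] formjacking [PG] loop in loop [NW] The head is what matters [NW] 3 Way Handshake? [NW] So, what is the score? [NW] decode [WE] We won't show it easily [WE] Overcome the trial! [WE] We are in the middle of fixing it [WE] Why not ask directly? [WE] Line up! [CY] There is more than one encoding method [CY] File Integrity of Long Hash [CY] Equation of ECC [CY] PeakeyEncode [FR] No exposure! [FR] Proof of success [FR] The culprit is among these! [FR] chemistry [FR] InSecureApk [PW] CVE-2014-7169 and others [PW] Authorization comes after authentication [PW] formerL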

                    • Reverse engineering Claude Code • Kir Shatrov

                      I’ve been curious about what happens inside Claude Code so I’ve spent a couple hours digging through prompts that it sends back to Anthropic. As I’ve been going through that, I’ve gathered some insights why Claude Code is often slower and more expensive than other tools like Cursor. Updated: Since this post was published, someone on the internet created much deeper analysis of Claude Code. Check i

                      • The Top 100 Video Games of All Time - IGN

                        The Top 100 Video Games of All Time Our first refresh since 2019 features some big changes. IGN’s Top 100 games list encompasses the best of the best throughout history, spanning generations of consoles, PCs, handhelds, and more. Our list last saw a major update back in 2019, and since then, there have been several games released that deserved to be added. Just as importantly, we looked at the tota

                        • TIL: timeout in Bash scripts | Heitor's log

                          The other day at work we had a Bash script that would set up a web server and wait for it to be up before proceeding to the next things. The script worked fine and we had no issues, until we had an infinite loop. We were using the Bash built-in until to check if the web server was up: until curl --silent --fail-with-body 10.0.0.1:8080/health; do sleep 1 done This works fine. Unless our web server

                          • "\e[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs

                            This paper reflects work done in late 2022 and 2023 to audit for vulnerabilities in terminal emulators, with a focus on open source software. The results of this work were 10 CVEs against terminal emulators that could result in Remote Code Execution (RCE), in addition various other bugs and hardening opportunities were found. The exact context and severity of these vulnerabilities varied, but some

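                            • Using Docker with Lima on Mac

                              Introduction In September 2021, it was announced that Docker Desktop would become a paid product. Docker Desktop can still be used for personal use and by small businesses, but as one option, I evaluate Docker using Lima. Environment Intel Mac limactl 0.7.4 Docker 20.10.11 Docker Compose 2.1.1 What is Lima A tool for creating and starting Linux virtual machines on macOS, with support for automatic file sharing, port forwarding, and containerization. Uninstalling Docker Desktop for Mac If Docker Desktop for Mac is installed, uninstall it by following the document below in order to switch to the Docker CLI using Lima. Lima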

                              • 0.10.0 Release Notes ⚡ The Zig Programming Language

                                Tier 4 Support § Support for these targets is entirely experimental. If this target is provided by LLVM, LLVM may have the target as an experimental target, which means that you need to use Zig-provided binaries for the target to be available, or build LLVM from source with special configure flags. zig targets will display the target if it is available. This target may be considered deprecated by

                                • Scripts I wrote that I use all the time

                                  In my decade-plus of maintaining my dotfiles, I’ve written a lot of little shell scripts. Here’s a big list of my personal favorites. Clipboard copy and pasta are simple wrappers around system clipboard managers, like pbcopy on macOS and xclip on Linux. I use these all the time. # High level examples run_some_command | copy pasta > file_from_my_clipboard.txt # Copy a file's contents copy < file.txt

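                                  • nerdctl with Lima

                                    I tried docker cli + Minikube as a replacement for Docker Desktop, but Kubernetes has deprecated docker, and when kubernetes is not needed there is a lot of waste... so I am trying lima as well. (Added 2021/01/05: see also Docker on Lima) Lima is a tool that provides virtual machines with support for automatic file sharing, port forwarding, and containerd. The documentation says it can be described as the mac version of Windows subsystem for Linux. This time I am trying it in an Intel Mac environment. On an M1 Mac, qemu apparently needs a patch. Installing Lima Install with Homebrew $ brew install lima Lima Virt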

                                    • Infecting SSH Public Keys with backdoors

                                      In this article, you will learn how to add a backdoor to the SSH Public Key. The backdoor will execute whenever the user logs in. The backdoor hides as an unreadable long hex-string inside ~/.ssh/authorized_keys or ~/.ssh/id_*.pub. The source is available from GitHub. TL;DR Simply prepend any SSH Public Key with the following backdoor-string - up until, but not including, the ssh-ed25519 AAAAC3Nzb

                                      • s1ngularity: Popular Nx Build System Package Compromised with Data-Stealing Malware - StepSecurity

                                        Executive Summary Starting August 26, 2025 at approximately 10:32 PM UTC, the popular Nx build system package was compromised with data-stealing malware. The malicious versions remained live for just over five hours before being taken down, but in that short window, thousands of developers may have been exposed. The malware did more than just steal SSH keys, npm tokens, and .gitconfig files - it we

                                        • What's New in Emacs 28.1?

                                          Try Mastering Emacs for free! Are you struggling with the basics? Have you mastered movement and editing yet? When you have read Mastering Emacs you will understand Emacs. It’s that time again: there’s a new major version of Emacs and, with it, a treasure trove of new features and changes. Notable features include the formal inclusion of native compilation, a technique that will greatly speed up y

                                          • Node.js

                                            Notable changes Add support for externally shared js builtins By default Node.js is built so that all dependencies are bundled into the Node.js binary itself. Some Node.js distributions prefer to manage dependencies externally. There are existing build options that allow dependencies with native code to be externalized. This commit adds additional options so that dependencies with JavaScript code

                                            • Create a Dev Container

                                              The Visual Studio Code Dev Containers extension lets you use a Docker container as a full-featured development environment. It allows you to open any folder or repository inside a container and take advantage of Visual Studio Code's full feature set. A devcontainer.json file in your project tells VS Code how to access (or create) a development container with a well-defined tool and runtime stack.

                                              • Making a micro Linux distro

                                                Follow @popovicu94 In this article, we’ll talk about building up a tiny (micro) Linux “distribution” from scratch. This distribution really won’t do much, but it will be built from scratch. We will build the Linux kernel on our own, and write some software to package our micro-distro. Lastly, we are doing this example on the RISC-V architecture, specifically QEMU’s riscv64 virt machine. There’s ve

                                                • Large Text Compression Benchmark

                                                  Large Text Compression Benchmark Matt Mahoney Last update: Mar. 25, 2026. history This competition ranks lossless data compression programs by the compressed size (including the size of the decompression program) of the first 10^9 bytes of the XML text dump of the English version of Wikipedia on Mar. 3, 2006. About the test data. The goal of this benchmark is not to find the best overall compress

                                                  • make.ts

                                                    Up Enter Up Up Enter Up Up Up Enter Sounds familiar? This is how I historically have been running benchmarks and other experiments requiring a repeated sequence of commands — type them manually once, then rely on shell history (and maybe some terminal splits) for reproduction. These past few years I’ve arrived at a much better workflow pattern — make.ts. I was forced to adapt it once I started wor

                                                    • IoT Hacking and Rickrolling My High School District

                                                      ← ../ One of the hijacked displays at Elk Grove High School. Image by Tom Tran. On April 30th, 2021, I rickrolled my high school district. Not just my school but the entirety of Township High School District 214. It is one of the largest high school district in Illinois, consisting of 6 different schools with over 11,000 enrolled students. This story isn't one of those typical rickrolls where stud

                                                      • Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques

                                                        This blogpost is the next instalment of my series of hands-on no-boilerplate vulnerability research blogposts, intended for time-travellers in the future who want to do Linux kernel vulnerability research. Specifically, I hope beginners will learn from my VR workflow and the seasoned researchers will learn from my techniques. In this blogpost, I'm discussing a bug I found in nf_tables in the Linux

                                                        • Automated Hydroponic System Build – Projects | Kyle Gabriel

                                                          Last Updated: August 28, 2022 Hydroponic farming is a method of growing crops without soil, with the main benefits of environmental and nutrient control, water conservation, and reduction of labor. This technique relies on a number of technologies that the principles of automation can be applied in order to improve yield and consistency. In this article and accompanying video, I’ll show you how to

                                                          • Cosmopolitan Third Edition

                                                            After nearly one year of development, I'm pleased to announce our version 3.0 release of the Cosmopolitan library. The project is an entirely new animal. For starters, Mozilla sponsored our work as part of their MIECO program. Google also awarded me an open source peer bonus for my work on Cosmopolitan, which is a rare honor, and it's nice to see our project listed up there among the greats, e.g.

                                                            • Programmatically managing alternate contacts on member accounts with AWS Organizations | Amazon Web Services

                                                              AWS Cloud Operations Blog Programmatically managing alternate contacts on member accounts with AWS Organizations Today, we are making it easier for you to manage the alternate contacts (billing, operations, and security) on your member accounts in AWS Organizations. You can now programmatically manage your account alternate contact information in addition to the existing experience in the AWS cons

                                                              • research!rsc: Hash-Based Bisect Debugging in Compilers and Runtimes

                                                                Setting the Stage Does this sound familiar? You make a change to a library to optimize its performance or clean up technical debt or fix a bug, only to get a bug report: some very large, incomprehensibly opaque test is now failing. Or you add a new compiler optimization with a similar result. Now you have a major debugging job in an unfamiliar code base. What if I told you that a magic wand exists

                                                                • Cay Horstmann's Unblog

                                                                  Java in the Small Java has many features that make it well suited for large, long-lasting projects. But I find it surprisingly good for small tasks as well. Recent language features make it even better. The killer features are compile-time typing and great tool support. This article also appeared in the Java Advent calendar. In my job as author and teacher, I have many repetitive tasks, such as mo

                                                                  • Solving slow Docker on Mac with Lima (M1/Intel) - Qiita

                                                                    # Example to use Docker instead of containerd & nerdctl # $ limactl start ./docker.yaml # $ limactl shell docker docker run -it -v $HOME:$HOME --rm alpine # To run `docker` on the host (assumes docker-cli is installed): # $ export DOCKER_HOST=unix://$HOME/docker.sock # $ docker ... # This example requires Lima v0.7.3 or later images: # Hint: run `limactl prune` to invalidate the "current" cache -

                                                                    • Nolibc: a minimal C-library replacement shipped with the kernel

                                                                      Nolibc: a minimal C-library replacement shipped with the kernel The kernel project does not host much user-space code in its repository, but there are exceptions. One of those, currently found in the tools/include/nolibc directory, has only been present since the 5.1 release. The nolibc project aims to provide minimal C-library emulation for small, low-level workloads. Read on for an overview of n
