Merge 4f4d7b3bf5 into 53d9014b2b

Regular Expression ReDoS
Adding socials buttons
2024-05-09 07:36:09 +02:00 · 2024-04-26 16:42:26 +02:00 · 2024-04-25 17:37:16 +02:00 · 2024-04-24 22:02:04 +02:00 · 2024-03-01 23:36:14 -05:00
6 changed files with 68 additions and 2 deletions
--- a/.github/overrides/main.html
+++ b/.github/overrides/main.html
@ -0,0 +1,27 @@
+{% extends "base.html" %}
+
+{% block content %}
+	{{ super() }}
+  <div class="social-container">
+    <b>Share this content</b>
+    <div class="a2a_kit a2a_kit_size_32 a2a_default_style">
+      <a class="a2a_dd" href="https://www.addtoany.com/share"></a>
+      <a class="a2a_button_x"></a>
+      <a class="a2a_button_telegram"></a>
+      <a class="a2a_button_linkedin"></a>
+      <a class="a2a_button_email"></a>
+      <a class="a2a_button_microsoft_teams"></a>
+    </div>
+    <br>
+    <script async src="https://static.addtoany.com/menu/page.js"></script>
+  </div>
+{% endblock %}
+
+{% block styles %}
+	{{ super() }}
+  <style>
+  .social-container {
+    float: right;
+  }
+  </style>
+{% endblock %}
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -21,6 +21,7 @@ jobs:
          git config --global user.name "Swk"
          git config --global pull.rebase false
          git submodule add https://github.com/swisskyrepo/PayloadsAllTheThings/ docs
+          mv docs/.github/overrides .

      - uses: actions/setup-python@v2
        with:
--- a/Leaks/README.md
+++ b/Leaks/README.md
@ -75,6 +75,7 @@ Use : https://github.com/ozguralp/gmapsapiscanner/


 Impact:
+
 * Consuming the company's monthly quota or can over-bill with unauthorized usage of this service and do financial damage to the company
 * Conduct a denial of service attack specific to the service if any limitation of maximum bill control settings exist in the Google account

--- a/Expression/README.md
+++ b/Expression/README.md
@ -0,0 +1,36 @@
+# Regular Expression
+
+> Regular Expression Denial of Service (ReDoS) is a type of attack that exploits the fact that certain regular expressions can take an extremely long time to process, causing applications or services to become unresponsive or crash. 
+
+
+## Denial of Service - ReDoS
+
+* [tjenkinson/redos-detector](https://github.com/tjenkinson/redos-detector) - A CLI and library which tests with certainty if a regex pattern is safe from ReDoS attacks. Supported in the browser, Node and Deno.
+* [doyensec/regexploit](https://github.com/doyensec/regexploit) - Find regular expressions which are vulnerable to ReDoS (Regular Expression Denial of Service)
+* [devina.io/redos-checker](https://devina.io/redos-checker) - Examine regular expressions for potential Denial of Service vulnerabilities
+
+
+### Evil Regex
+
+Evil Regex contains:
+
+* Grouping with repetition
+* Inside the repeated group:
+    * Repetition
+    * Alternation with overlapping
+
+**Examples**
+
+* `(a+)+`
+* `([a-zA-Z]+)*`
+* `(a|aa)+`
+* `(a|a?)+`
+* `(.*a){x}` for x \> 10
+
+These regular expressions can be exploited with `aaaaaaaaaaaaaaaaaaaaaaaa!`
+
+
+## References
+
+* [Regular expression Denial of Service - ReDoS - OWASP - Adar Weidman](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
+* [OWASP Validation Regex Repository - OWASP](https://wiki.owasp.org/index.php/OWASP_Validation_Regex_Repository)
--- a/Files/README.md
+++ b/Files/README.md
@ -80,7 +80,7 @@
        * `file.php%20`
        * `file.php%0d%0a.jpg`
        * `file.php%0a`
-    * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
+    * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`. - [Automated Script for RTLO](https://github.com/GainSec/RTLOify)
    * Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp`
    * Multiple special characters: `file.jsp/././././.`
 - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
@ -219,4 +219,4 @@ Upload the XML file to `$JETTY_BASE/webapps/`
 * [Jetty Features for Hacking Web Apps - September 15, 2022 - Mikhail Klyuchnikov](https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/)
 * [Inyección de código en imágenes subidas y tratadas con PHP-GD  - Spanish Resource - hackplayers](https://www.hackplayers.com/2020/03/inyeccion-de-codigo-en-imagenes-php-gd.html)
 * [A New Vector For “Dirty” Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
-* [PHP Internals Book - THE .PHPT FILE STRUCTURE](https://www.phpinternalsbook.com/tests/phpt_file_structure.html)
+* [PHP Internals Book - THE .PHPT FILE STRUCTURE](https://www.phpinternalsbook.com/tests/phpt_file_structure.html)
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -11,6 +11,7 @@ edit_uri: blob/master/

 theme:
  name: material
+  custom_dir: overrides
  color_mode: auto
  user_color_mode_toggle: true
  icon:
Author	SHA1	Message	Date
J-GainSec	c5420cedfa	Merge `4f4d7b3bf5` into `53d9014b2b`	2024-04-26 16:42:26 +02:00
Swissky	53d9014b2b	Regular Expression ReDoS	2024-04-25 17:37:16 +02:00
Swissky	43a8c6a037	Adding socials buttons	2024-04-24 22:02:04 +02:00
J-GainSec	4f4d7b3bf5	Added Link to Python Script for adding RTLO characters to strings, individual files or all files within a directory.	2024-03-01 23:36:14 -05:00