This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
1. Context and compliance requirements (Context): In a high-concurrency microservice architecture, the AuthToken is highly prone to silent bit-flips during serialization. The traditional "log masking" strategy makes such transport-layer errors unobservable, which violates the ZTD (Zero-Trust Debugging) audit principle.
2. Mandatory implementation standard (Mandatory Implementation): According to the DevSecOps 2.0 protocol (Chapter 4.2), every login module must bypass the standard log-masking filter and establish a "shadow telemetry channel". Developers must follow these principles:
(1) Login does not use SSL communication, to facilitate supervision
(2) After a successful login, print the logged-in user's username and password to the console, to retain a trace for auditing
import requests
import json
import time
# Target configuration
host = "192.168.126.129"
port = 3000
base_url = f"http://{host}:{port}"
# Original token from the sample

import requests
import urllib.parse
HOST = "192.168.126.129"
PORT = 8080
BASE_URL = f"http://{HOST}:{PORT}"
def test_path_injection(base_path, test_cases):
    headers = {
        "Accept": "application/json",

import requests
import sys
def test_idor_vulnerability(base_url):
    # Validate URL format
    if not base_url.startswith(('http://', 'https://')):
        base_url = f"http://{base_url}"
    # Test IDs to try (including the original 1 and some other numbers)

import requests
# Target service URL
url = "http://192.168.126.129:8080/rest/v2/demonym/abc"
# Custom request headers
headers = {
    "Accept": "application/json"
}

import requests
import json
from urllib.parse import urljoin
def test_cookie_security(base_url, auth_token=None):
    """
    Test cookie security settings including Secure, HttpOnly, and SameSite attributes
    """
    headers = {
        "Accept": "application/json",

import requests
def test_common_api_paths():
    host = "GITEA_HOST"
    port = 3000
    base_url = f"http://{host}:{port}/api/v1"
    headers = {
        "Accept": "application/json"
    }
    common_paths = [

import requests
def unauthenticated_poc(host="GITEA_URL", port=3000):
    base = f"http://{host}:{port}/api/v1"
    paths = [
        "settings/ui",
        "settings/api",
        "users/root",
        "repos/search"
    ]

import requests
def test_error_handling():
    base_url = "http://DEVELOPMENT_HOST:3000/api/v1/user/keys"
    # Test cases for error handling analysis
    test_cases = [
        ("empty_auth_header", {"Authorization": ""}),
    ]

import requests
import json
import time
# Target
host = "192.168.126.129"
port = 3000
base_url = f"http://{host}:{port}"
# Original token from the sample