Open source vulnerability DB and triage service.

Overview

OSV - Open Source Vulnerabilities

OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source.

For open source maintainers, OSV's automation helps reduce the burden of triage. Each vulnerability undergoes automated bisection and impact analysis to determine precise affected commit and version ranges.

For open source consumers, OSV provides an API that lets users of these projects query whether or not their versions are impacted.

Current data sources:

This is an ongoing project. We are hoping to work with the open source community to onboard more sources of data.

Viewing the web UI

An instance of OSV's web UI is deployed at https://osv.dev.

Using the API

  curl -X POST -d \
      '{"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"}' \
      "https://api.osv.dev/v1/query?key=$API_KEY"

  curl -X POST -d \
      '{"version": "1.0.0", "package": {"name": "foo", "ecosystem": "bar"}}' \
      "https://api.osv.dev/v1/query?key=$API_KEY"

Detailed documentation for using the API can be found at https://osv.dev/docs/.

Architecture

You can find an overview of OSV's architecture here.

This repository

This repository contains all the code for running OSV on GCP. This consists of:

  • API server (gcp/api)
  • Web interface (gcp/appengine)
  • Workers for bisection and impact analysis (docker/worker)
  • Sample tools (tools)

You'll need to check out submodules as well for many local building steps to work:

  git submodule update --init --recursive

Contributions are welcome! We also have a mailing list and a FAQ.

Comments
  • Schema issue with CAN-2022-1000071

    Hello, I may be wrong about where to report this issue, but let me try.

    CAN-2022-1000071 in https://osv-vulnerabilities.storage.googleapis.com/GSD/all.zip violates the OSV schema.

    {
      "id": "CAN-2022-1000071",
      "summary": "Default Credentials in XB6 Fibre+ Gateway version XB6_0821",
      "details": "In Shaw Communications Inc XB6 Fibre+ Gateway version XB6_0821 a Default Credentials exists in the Router/Modem that can be attacked via local access resulting in Admin access to router",
      "modified": "2022-02-01T19:38:14.238938Z",
      "published": "2022-02-01T19:38:14.238938Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://support.shaw.ca/t5/internet-articles/guide-fibre-gateway-xb6-xb7/ta-p/5114"
        },
        {
          "type": "WEB"
        }
      ],
      "affected": [
        {
          "package": {
            "name": "XB6 Fibre+ Gateway",
            "ecosystem": "GSD"
          },
          "versions": [
            "XB6_0821"
          ],
          "database_specific": {
            "source": "https://github.com/cloudsecurityalliance/gsd-database/blob/main/2022/1000xxx/GSD-2022-1000071.json"
          }
        }
      ],
      "schema_version": "1.3.0"
    }
    

    A reference (in references) should have a url, but this one does not. I cannot find the original data source, so maybe something is wrong on the original data side, not the osv.dev side.

    bug datasource 
    opened by ninoseki 20
  • Bump google-cloud-logging from 2.1.0 to 3.1.2 in /gcp/api

    Bumps google-cloud-logging from 2.1.0 to 3.1.2.

    Release notes

    Sourced from google-cloud-logging's releases.

    v3.1.2

    3.1.2 (2022-06-03)

    Bug Fixes

    Documentation

    • fix changelog header to consistent size (#562) (3f16107)
    • Update README image to absolute URL, fix PyPI rendering (#561) (76413b1)

    v3.1.1

    3.1.1 (2022-05-23)

    Documentation

    • Change button in README to .png file (#554) (e297747)

    v3.1.0

    3.1.0 (2022-05-08)

    Features

    • KMS configuration in settings (#489) (6699f8c)
    • Update Logging API with latest changes (6699f8c)

    Bug Fixes

    • deps: require google-api-core>=1.31.5, >=2.3.2 (#494) (ab14563)
    • fix system test for mtls (#485) (96bb6f7)
    • Reenable staleness bot (#535) (1595e42)
    • remove unnecessary detect_resource calls from CloudLoggingHandler (#484) (def7440)
    • resolve DuplicateCredentialArgs error when using credentials_file (265061e)

    Dependencies

    Documentation

    ... (truncated)

    Changelog

    Sourced from google-cloud-logging's changelog.

    3.1.2 (2022-06-03)

    Bug Fixes

    Documentation

    • fix changelog header to consistent size (#562) (3f16107)
    • Update README image to absolute URL, fix PyPI rendering (#561) (76413b1)

    3.1.1 (2022-05-23)

    Documentation

    • Change button in README to .png file (#554) (e297747)

    3.1.0 (2022-05-08)

    Features

    • KMS configuration in settings (#489) (6699f8c)
    • Update Logging API with latest changes (6699f8c)

    Bug Fixes

    • deps: require google-api-core>=1.31.5, >=2.3.2 (#494) (ab14563)
    • fix system test for mtls (#485) (96bb6f7)
    • Reenable staleness bot (#535) (1595e42)
    • remove unnecessary detect_resource calls from CloudLoggingHandler (#484) (def7440)
    • resolve DuplicateCredentialArgs error when using credentials_file (265061e)

    Dependencies

    Documentation

    3.0.0 (2022-01-27)

    ... (truncated)

    dependencies python api 
    opened by dependabot[bot] 19
  • Packagist vulnerabilities are not being reported for some packages

    I've recently done an initial implementation for having osv-detector use the osv.dev api, but it looks like it's not 1:1 with the offline databases, at least for Packagist.

    Using this lockfile:
    {
        "_readme": [
            "This file locks the dependencies of your project to a known state",
            "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
            "This file is @generated automatically"
        ],
        "content-hash": "b63765525e5fabcf664728d548ecf8a2",
        "packages": [
            {
                "name": "enshrined/svg-sanitize",
                "version": "0.13.3",
                "source": {
                    "type": "git",
                    "url": "https://github.com/darylldoyle/svg-sanitizer.git",
                    "reference": "bc66593f255b7d2613d8f22041180036979b6403"
                },
                "dist": {
                    "type": "zip",
                    "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/bc66593f255b7d2613d8f22041180036979b6403",
                    "reference": "bc66593f255b7d2613d8f22041180036979b6403",
                    "shasum": ""
                },
                "require": {
                    "ext-dom": "*",
                    "ext-libxml": "*"
                },
                "require-dev": {
                    "codeclimate/php-test-reporter": "^0.1.2",
                    "phpunit/phpunit": "^6"
                },
                "type": "library",
                "autoload": {
                    "psr-4": {
                        "enshrined\\svgSanitize\\": "src"
                    }
                },
                "notification-url": "https://packagist.org/downloads/",
                "license": [
                    "GPL-2.0-or-later"
                ],
                "authors": [
                    {
                        "name": "Daryll Doyle",
                        "email": "[email protected]"
                    }
                ],
                "description": "An SVG sanitizer for PHP",
                "time": "2020-01-20T01:34:17+00:00"
            }
        ],
        "packages-dev": [],
        "aliases": [],
        "minimum-stability": "stable",
        "stability-flags": [],
        "prefer-stable": false,
        "prefer-lowest": false,
        "platform": [],
        "platform-dev": []
    }
    
    ❯ osv-detector-t --use-api --parse-as composer.lock /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt
    /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt: found 1 package
      no known vulnerabilities found
    
    ❯ osv-detector-t --use-dbs --parse-as composer.lock /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt
    /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt: found 1 package
      Loading OSV databases for the following ecosystems:
        Packagist (862 vulnerabilities, including withdrawn - last updated Fri, 13 May 2022 23:58:47 GMT)
    
      enshrined/svg-sanitize@0.13.3 is affected by the following vulnerabilities:
        GHSA-fqx8-v33p-4qcc: Cross-site Scripting in enshrined/svg-sanitize (https://github.com/advisories/GHSA-fqx8-v33p-4qcc)
    
      1 known vulnerability found in /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt
    

    The vulnerability here correctly says it affects versions below 0.15.0, but it's not reported even if I use the version:

    ❯ curl -X POST -d '{"commit": "bc66593f255b7d2613d8f22041180036979b6403"}' 'https://api.osv.dev/v1/query'
    {}
    ❯ curl -X POST -d '{"package": {"name": "enshrined/svg-sanitize"}, "version": "0.13.3"}' 'https://api.osv.dev/v1/query'
    {}
    ❯ curl -X POST -d '{"package": {"name": "enshrined/svg-sanitize", "ecosystem": "Packagist"}, "version": "0.13.3"}' 'https://api.osv.dev/v1/query'
    {}
    

    Going with the lowest version for this package doesn't return anything either, when it should return three vulnerabilities.

    (my current theory is that this is because the advisory doesn't have any versions, and the api isn't checking against ranges?)

    opened by G-Rath 15
  • Bulk query API

    A bulk query API would allow developers to more easily query the API without hitting rate limits. It would also help with scenarios like #257, where an SBOM will contain many dependencies.

    opened by JamieMagee 12
  • Bump certifi from 2022.9.24 to 2022.12.7 in /docker/worker

    Bumps certifi from 2022.9.24 to 2022.12.7.


    dependencies python 
    opened by dependabot[bot] 10
  • JSON schema validation

    Fixes #770. When loading an osv schema, be more strict on what is allowed by first checking the imported osv.json against the schema.

    • Do this validation when loading
    • Fix issue where EVIDENCE is not an entry in vulnerability.proto
    • Update worker and importer tests to actually test against valid osv entries
      • Add modified date to yaml test cases
        • YAML has weird importing where datetime is converted into datetime.datetime python object instead of str. Add code to account for that.
    • Add osv-schema as a submodule
    • Add symbolic link to osv validation schema
    • Manually copy over validation schema in docker container to avoid issues with symbolic links

    Before merging:

    A potentially large number of bucket entries might not be valid osv; we probably need to make a decision on how to deal with them.

    • Probably spin up the testing environment to see how many entries are actually rejected.
    • Determine behavior for what to do to handle invalid entries that are already in osv's database #771
    opened by another-rex 9
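
The check that the CAN-2022-1000071 report and this pull request both turn on, required fields enforced when a record is loaded, can be sketched as follows. This is an added example, not code from the OSV repository: `find_violations` and `triage` are hypothetical helpers that check only `id`, `modified` and each reference's `type` and `url`; the first sample is a trimmed copy of the record quoted in the issue, the other two are constructed.

```python
import datetime

REQUIRED_TOP_LEVEL = ("id", "modified")
REQUIRED_REFERENCE = ("type", "url")
MESSAGE = "required string missing or wrong type"


def _missing(obj, key):
    """True when obj[key] is absent, empty, or not a string."""
    value = obj.get(key)
    return not isinstance(value, str) or not value


def find_violations(record):
    """Return (json_pointer, message) pairs for each failed check."""
    problems = []
    for key in REQUIRED_TOP_LEVEL:
        if _missing(record, key):
            problems.append((f"/{key}", MESSAGE))
    references = record.get("references", [])
    if not isinstance(references, list):
        return problems + [("/references", "must be an array")]
    for index, ref in enumerate(references):
        if not isinstance(ref, dict):
            problems.append((f"/references/{index}", "must be an object"))
            continue
        for key in REQUIRED_REFERENCE:
            if _missing(ref, key):
                problems.append((f"/references/{index}/{key}", MESSAGE))
    return problems


def triage(records):
    """Split records into accepted ids and a rejected id -> problems map,
    so the number of entries that would be refused can be counted first."""
    accepted, rejected = [], {}
    for record in records:
        problems = find_violations(record)
        if problems:
            rejected[str(record.get("id", "<no id>"))] = problems
        else:
            accepted.append(record["id"])
    return accepted, rejected


# Trimmed copy of the record quoted in the issue: the second reference has no url.
CAN_RECORD = {
    "id": "CAN-2022-1000071",
    "modified": "2022-02-01T19:38:14.238938Z",
    "references": [
        {"type": "WEB",
         "url": "https://support.shaw.ca/t5/internet-articles/guide-fibre-gateway-xb6-xb7/ta-p/5114"},
        {"type": "WEB"},
    ],
    "schema_version": "1.3.0",
}

# Constructed: a record that passes every check above.
VALID_RECORD = {
    "id": "EXAMPLE-0001",
    "modified": "2022-01-01T00:00:00Z",
    "references": [{"type": "WEB", "url": "https://example.com/advisory"}],
}

# Constructed: what a YAML loader yields when it turns the timestamp into a
# datetime.datetime object instead of leaving it as a string.
YAML_RECORD = {
    "id": "EXAMPLE-0002",
    "modified": datetime.datetime(2022, 1, 1),
    "references": [],
}

if __name__ == "__main__":
    accepted, rejected = triage([CAN_RECORD, VALID_RECORD, YAML_RECORD])
    print("accepted:", accepted)
    for record_id, problems in rejected.items():
        for pointer, message in problems:
            print(f"rejected {record_id}: {pointer}: {message}")
```
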
  • Configure Renovate

    Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

    🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.


    Detected Package Files

    • cloudbuild.yaml (cloudbuild)
    • vulnfeeds/cloudbuild.yaml (cloudbuild)
    • vulnfeeds/pypi/cloudbuild.yaml (cloudbuild)
    • actions/analyze/Dockerfile (dockerfile)
    • docker/ci/Dockerfile (dockerfile)
    • docker/deployment/Dockerfile (dockerfile)
    • docker/exporter/Dockerfile (dockerfile)
    • docker/importer/Dockerfile (dockerfile)
    • docker/indexer/Dockerfile (dockerfile)
    • docker/worker/Dockerfile (dockerfile)
    • gcp/api/Dockerfile (dockerfile)
    • vulnfeeds/cmd/alpine/Dockerfile (dockerfile)
    • vulnfeeds/cmd/combine-to-osv/Dockerfile (dockerfile)
    • .github/workflows/codeql-analysis.yml (github-actions)
    • .github/workflows/lint.yaml (github-actions)
    • .github/workflows/publish-to-pypi.yaml (github-actions)
    • .github/workflows/scorecards.yml (github-actions)
    • docker/indexer/go.mod (gomod)
    • docs/go.mod (gomod)
    • tools/osv-scanner/go.mod (gomod)
    • vulnfeeds/go.mod (gomod)
    • gcp/appengine/frontend3/package.json (npm)
    • Pipfile (pipenv)
    • docker/worker/Pipfile (pipenv)
    • gcp/api/Pipfile (pipenv)
    • gcp/appengine/Pipfile (pipenv)
    • gcp/functions/pypi/Pipfile (pipenv)

    Configuration

    🔡 Renovate has detected a custom config for this PR. Feel free to ask for help if you have any doubts and would like it reviewed.

    Important: Now that this branch is edited, Renovate can't rebase it from the base branch any more. If you make changes to the base branch that could impact this onboarding PR, please merge them manually.

    What to Expect

    With your current configuration, Renovate will create 9 Pull Requests:

    Pin dependencies
    Update workflows to 2541b12
    • Schedule: ["at any time"]
    • Branch name: renovate/workflows
    • Merge into: master
    • Upgrade actions/checkout to 2541b1294d2704b0964813337f33b291d3f8596b
    • Upgrade ossf/scorecard-action to 8ee777f2fe17176c009fb17e48ad58391e6c83ff
    • Upgrade pypa/gh-action-pypi-publish to 5fb2f047e26679d7846a8370de1642ff160b9025
    Update appengine-backend
    • Schedule: ["at any time"]
    • Branch name: renovate/appengine-backend
    • Merge into: master
    • Upgrade google-cloud-secret-manager to ==1.0.2
    • Upgrade pipenv to ==2022.9.8
    Update functions
    • Schedule: ["at any time"]
    • Branch name: renovate/functions
    • Merge into: master
    • Upgrade cryptography to ==3.4.8
    • Upgrade google-cloud-secret-manager to ==2.12.4
    • Upgrade requests to ==2.28.1
    Update api
    • Schedule: ["at any time"]
    • Branch name: renovate/api
    • Merge into: master
    • Upgrade google-api-core to ==1.33.1
    • Upgrade google-cloud-logging to ==2.7.2
    • Upgrade google-cloud-pubsub to ==2.13.6
    • Upgrade grpcio to ==1.49.0
    • Upgrade grpcio-tools to ==1.49.0
    • Upgrade packageurl-python to ==0.10.3
    • Upgrade python to 3.10-slim
    • Upgrade requests to ==2.28.1
    Update docs
    Update indexer
    Update module go to 1.19
    • Schedule: ["at any time"]
    • Branch name: renovate/vulnfeeds
    • Merge into: master
    • Upgrade go to 1.19
    Update tools

    🚸 Branch creation will be limited to maximum 2 per hour, so it doesn't swamp any CI resources or spam the project. See docs for prhourlylimit for details.



    opened by renovate-bot 9
  • Support for packageurl

    Support for identifying packages by package URL would be nice, and it would be easy to integrate with other toolchains. https://github.com/package-url/purl-spec

    opened by sameer1046 8
  • Adding Betterscan CE to

    Adding Betterscan CE to "Third party tools and integrations" section

    Betterscan CE is a Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report (Code, IaC). Supports major programming and Cloud stacks.

    Now with added OSV Scanner it will scan SBOM and dependencies vulnerabilities.

    Great work!

    More in the project repo and website.

    Feel free to contact me in case of any questions.

    Thanks,

    P.S Maybe you can sort the list alphabetically

    opened by marcinguy 7
  • Update workflows

    This PR contains the following updates:

    | Package | Type | Update | Change |
    |---|---|---|---|
    | actions/checkout | action | digest | a12a394 -> 1f9a0c2 |
    | actions/upload-artifact | action | digest | 3cea537 -> 83fd05a |
    | ossf/scorecard-action | action | digest | 08dd0ce -> 066a051 |
    | pypa/gh-action-pypi-publish | action | digest | 37f50c2 -> 5fb2f04 |


    Configuration

    📅 Schedule: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.

    👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



    opened by renovate-bot 7
  • [PyPI] Data quality issue for `markdown2`

    @alex reported this upstream to pip-audit:

    pip-audit -r <(echo 'markdown2==2.4.2') --no-deps
    

    Produces:

    Found 1 known vulnerability in 1 package
    Name      Version ID                  Fix Versions
    --------- ------- ------------------- ------------
    markdown2 2.4.2   GHSA-p6h9-gw49-rqm4
    

    But GHSA-p6h9-gw49-rqm4 isn't valid for 2.4.2 (it's only valid for <2.3.6): https://github.com/advisories/GHSA-p6h9-gw49-rqm4

    It looks like OSV has both GHSA-p6h9-gw49-rqm4 and its CVE alias, but with a missing "version fixed" for the GHSA version: https://osv.dev/list?ecosystem=&q=CVE-2018-5773

    cc @di as well for visibility.

    opened by woodruffw 7
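
Both this report and the Packagist one above come down to how an `affected` entry's `versions` list and its `ranges` events are evaluated. The sketch below is an added example, not OSV's or pip-audit's code: it walks `introduced`, `fixed` and `last_affected` events in version order, the records are constructed to mirror what the two issues describe (a range-only entry fixed in 0.15.0, and a markdown2 entry with and without a `fixed` event at 2.3.6), and `parse_version` assumes plain dotted-numeric versions rather than each ecosystem's real ordering.

```python
def parse_version(text):
    # Assumption: plain dotted-numeric versions only, e.g. "2.4.2".
    return tuple(int(part) for part in text.split("."))


def in_ranges(version, ranges):
    """Walk each range's events in version order and track the state."""
    target = parse_version(version)
    for rng in ranges:
        events = [
            (parse_version(value), kind)
            for event in rng.get("events", [])
            for kind, value in event.items()
            if kind in ("introduced", "fixed", "last_affected")
        ]
        events.sort(key=lambda item: item[0])
        vulnerable = False
        for bound, kind in events:
            if kind == "introduced" and target >= bound:
                vulnerable = True
            elif kind == "fixed" and target >= bound:
                vulnerable = False
            elif kind == "last_affected" and target > bound:
                vulnerable = False
        if vulnerable:
            return True
    return False


def is_affected(record, name, ecosystem, version, use_ranges=True):
    """True if the version is enumerated in `versions` or falls in a range.

    use_ranges=False models a matcher that only consults `versions`.
    """
    for affected in record.get("affected", []):
        package = affected.get("package", {})
        if (package.get("name"), package.get("ecosystem")) != (name, ecosystem):
            continue
        if version in affected.get("versions", []):
            return True
        if use_ranges and in_ranges(version, affected.get("ranges", [])):
            return True
    return False


def make_record(record_id, name, ecosystem, events):
    # Builds a constructed record with an empty `versions` list.
    return {
        "id": record_id,
        "affected": [{
            "package": {"name": name, "ecosystem": ecosystem},
            "ranges": [{"type": "ECOSYSTEM", "events": events}],
            "versions": [],
        }],
    }


# Constructed: range-only advisory, no enumerated versions, fixed in 0.15.0.
RANGE_ONLY = make_record("EXAMPLE-RANGE-ONLY", "enshrined/svg-sanitize",
                         "Packagist", [{"introduced": "0"}, {"fixed": "0.15.0"}])
# Constructed: the same advisory with and without its `fixed` event.
WITH_FIX = make_record("EXAMPLE-WITH-FIX", "markdown2", "PyPI",
                       [{"introduced": "0"}, {"fixed": "2.3.6"}])
NO_FIX = make_record("EXAMPLE-NO-FIX", "markdown2", "PyPI",
                     [{"introduced": "0"}])

if __name__ == "__main__":
    pkg = ("enshrined/svg-sanitize", "Packagist", "0.13.3")
    print("versions only :", is_affected(RANGE_ONLY, *pkg, use_ranges=False))
    print("with ranges   :", is_affected(RANGE_ONLY, *pkg))
    print("2.4.2, fixed  :", is_affected(WITH_FIX, "markdown2", "PyPI", "2.4.2"))
    print("2.4.2, no fix :", is_affected(NO_FIX, "markdown2", "PyPI", "2.4.2"))
```

A record whose range has `introduced` but no `fixed` event matches every later version, which is the false positive reported here; a matcher that ignores ranges misses range-only advisories, which is the false negative suspected in the Packagist report.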
  • Don't run the integration tests on every PR

    The integration tests can randomly fail because they're operating on live data that can change unexpectedly. This results in tests failing on a PR through no fault of the code in the PR. We already run the integration tests on every commit, so it's just a matter of surfacing those failures to the people who can do something about them.

    opened by andrewpollock 2
  • Add public documentation for each data source

    The table of prefixes at https://ossf.github.io/osv-schema/ is the most canonical documentation we have for current sources of vulnerabilities that OSV uses.

    Expand this to include a point of contact or feedback channel in the event of receiving questionable data. One possibility is a page per source, and a link to that page from each row of this table.

    documentation enhancement datasource 
    opened by andrewpollock 0
  • Consider using the UDD instead of snapshot.debian.org for Debian next version determination

    We saw some brittleness with https://github.com/google/osv.dev/blob/69c1d3817f8759ff3e294d629383f5dc6fcc2dc0/osv/ecosystems.py#L559 today, which impacted tests, but the code under test is where the brittleness lay.

    Using a local replica of https://wiki.debian.org/UltimateDebianDatabase may be a more reliable solution if this continues to crop up.

    enhancement 
    opened by andrewpollock 0
  • CVE-2021-35940.json lists apr-1.6.3 and apr-1.6.5 as vulnerable, but they are not

    The osv.dev advisory for CVE-2021-35940.json lists apr-1.6.3 and apr-1.6.5 as vulnerable, but they are not vulnerable because they were fixed by CVE-2017-12613.

    Explanation

    Based on information from this patch: https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch

    CVE-2021-35940 is actually the same issue as CVE-2017-12613. However, because this issue regressed in apr-1.7.0, a new CVE-ID was assigned.

    However, the above patch mentions that CVE-2017-12613 was fixed in apr-1.6.3 and later, which means that apr-1.6.3 and apr-1.6.5 are not vulnerable.

    I'm not sure what the solution to this is, but maybe it's adding a fixed attribute for 1.6.3 and an alias of CVE-2017-12613, depending on how the logic computes vulnerable versions.

    opened by ddkilzer 1
  • Create shorter redirect link format for vulnerabilities

    e.g. https://osv.dev/v/PYSEC-foo should redirect to the full https://osv.dev/vulnerability/PYSEC-foo.

    This can help with osv-scanner's human readable output, where horizontal space is a premium.

    enhancement infra 
    opened by oliverchang 3
Releases(v0.0.14)
Owner
Google