mirror of https://github.com/jakejarvis/jarv.is.git synced 2026-04-17 10:08:43 -04:00

highlight.js -> prism (#730)

2022-01-10 19:10:19 -05:00
committed by GitHub
parent 3864d18ba3
commit 78967815e1
11 changed files with 211 additions and 145 deletions

View File

@@ -29,7 +29,7 @@ Below are the code snippets you can grab and customize to make your own ["waving
## CSS
{/* prettier-ignore */}
```css
```css showLineNumbers
.wave {
animation-name: wave-animation; /* Refers to the name of your @keyframes element below */
animation-duration: 2.5s; /* Change to speed up or slow down */

View File

@@ -52,7 +52,7 @@ A _very_ barebones example is embedded above ([view the source here](https://git
I have cleaned up this code a bit, added a few features, and packaged it as an [📦 NPM module](https://www.npmjs.com/package/dark-mode-switcheroo) (zero dependencies and still [only ~500 bytes](https://bundlephobia.com/package/dark-mode-switcheroo) minified and gzipped!). Here's a small snippet of the updated method for the browser (pulling the module from [UNPKG](https://unpkg.com/browse/dark-mode-switcheroo/)), but definitely [read the readme](https://github.com/jakejarvis/dark-mode#readme) for much more detail on the API.
```html
```html showLineNumbers
<button class="dark-mode-toggle" style="visibility: hidden;">💡 Click to see the light... or not.</button>
<script src="https://unpkg.com/dark-mode-switcheroo/dist/dark-mode.min.js"></script>
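Review bot: the `<script src="https://unpkg.com/dark-mode-switcheroo/dist/dark-mode.min.js"></script>` line in this hunk loads an unpinned third-party script with no `integrity` attribute, so whatever unpkg serves as the latest build runs on any page that copies this snippet. Since this is the snippet readers are told to grab, pin a version in the URL and add `integrity="sha384-<hash>"` with `crossorigin="anonymous"` so a changed file fails to load instead of executing.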
@@ -100,7 +100,7 @@ The [example HTML and CSS below](#html-css) is still helpful for reference.
### Full JS:
{/* prettier-ignore */}
```js
```js showLineNumbers
/*! Dark mode switcheroo | MIT License | jrvs.io/darkmode */
(function () {
@@ -183,7 +183,7 @@ The [example HTML and CSS below](#html-css) is still helpful for reference.
### HTML & CSS Example:
{/* prettier-ignore */}
```html
```html showLineNumbers
<!doctype html>
<html>
<head>

View File

@@ -63,19 +63,19 @@ Conveniently, [Rapid7](https://www.rapid7.com/) publishes a monthly list for us
One of their free monthly datasets is called [Forward DNS](https://opendata.rapid7.com/sonar.fdns_v2/), where you'll find `.json` files named `xxxx-fdns_cname.json.gz`. Within the [`subtake`](https://github.com/jakejarvis/subtake) repository, there's an automated script named [`sonar.sh`](https://github.com/jakejarvis/subtake/blob/master/sonar.sh), which downloads the dataset for you and outputs a simple text file of CNAMEs pointed to any of the services listed above. Once you've [cloned the `subtake` repository](https://github.com/jakejarvis/subtake) and grabbed the timestamp part of the filename (the string that precedes `-fdns_cname.json.gz`), usage of the script is as follows:
```bash {linenos=false}
```bash
./sonar.sh 2019-03-30-1553989414 sonar_output.txt
```
This new text file contains _both active and abandoned_ subdomains pointing to any of the services listed above — we still need to narrow it down to the takeover candidates by attempting to actually resolve each of them, which is where `subtake` comes into play. To install `subtake`, make sure [Go is installed first](https://golang.org/doc/install#install) and run the following:
```bash {linenos=false}
```bash
go get github.com/jakejarvis/subtake
```
For a detailed description of the different options you can play around with, see the [full readme on GitHub](https://github.com/jakejarvis/subtake#usage) — but here's a simple example command that uses 50 threads to take the CNAMEs listed in `sonar_output.txt` and outputs potentially vulnerable subdomains to `vulnerable.txt`.
```bash {linenos=false}
```bash
subtake -f sonar_output.txt -c fingerprints.json -t 50 -ssl -a -o vulnerable.txt
```
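Review bot: the `go get github.com/jakejarvis/subtake` line in this hunk is the pre-Go-1.17 way of installing a binary and now only prints a deprecation notice; `go install github.com/jakejarvis/subtake@latest` is the current form. Since this hunk only swaps `{linenos=false}` for a bare `bash` info string on each fence, a quick grep for `linenos=` across the content directory would confirm no Hugo-style attributes were left behind in other posts.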
@@ -83,7 +83,7 @@ This could take quite a while — up to a day, depending on your CPU, memory, an
I also have a collection of root domains of companies offering bounties through [HackerOne](https://hackerone.com/directory/) or [Bugcrowd](https://bugcrowd.com/programs) at a [different GitHub repository](https://github.com/jakejarvis/bounty-domains/). Using the [`grep`-friendly text file](https://github.com/jakejarvis/bounty-domains/blob/master/grep.txt), it's easy to use [`grep`](https://man7.org/linux/man-pages/man1/grep.1.html) to narrow down your `vulnerable.txt` list even more:
```bash {linenos=false}
```bash
grep -f grep.txt vulnerable.txt
```
@@ -117,7 +117,7 @@ I removed the company's name because an important part of responsible _disclosur
The `poc-d4ca9e8ceb.html` proof-of-concept file contained this single, hidden line:
```html
```html showLineNumbers
<!-- subdomain takeover POC by @jakejarvis on Bugcrowd -->
```

View File

@@ -69,27 +69,27 @@ Restic might be included in your OS's default repositories (it is on Ubuntu) but
Find the latest version of Restic on their [GitHub releases page](https://github.com/restic/restic/releases/latest). Since I'm assuming this is a Linux server, we only want the file ending in `_linux_amd64.bz2`. (For a 32-bit Linux server, find `_linux_386.bz2`. Windows, macOS, and BSD binaries are also there.) Right-click and copy the direct URL for that file and head over to your server's command line to download it into your home directory:
```bash {linenos=false}
```bash
cd ~
wget https://github.com/restic/restic/releases/download/v0.9.5/restic_0.9.5_linux_amd64.bz2
```
Next, we'll unzip the download in place:
```bash {linenos=false}
```bash
bunzip2 restic_*
```
This should leave us with a single file: the Restic binary. In order to make Restic available system-wide and accessible with a simple `restic` command, we need to move it into the `/usr/local/bin` folder, which requires `sudo` access:
```bash {linenos=false}
```bash
sudo mv restic_* /usr/local/bin/restic
sudo chmod a+x /usr/local/bin/restic
```
Now's a good time to run `restic` to make sure we're good to move on. If you see the version number we downloaded, you're all set!
```bash {linenos=false}
```bash
restic version
```
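Review bot: the `wget https://github.com/restic/restic/releases/download/v0.9.5/restic_0.9.5_linux_amd64.bz2` line in this hunk fetches a binary that the next block moves into `/usr/local/bin` with no integrity check. Restic's releases also ship a `SHA256SUMS` file and a detached `SHA256SUMS.asc` signature; a `sha256sum -c --ignore-missing SHA256SUMS` (or `gpg --verify SHA256SUMS.asc`) step between the download and the `sudo mv` would let readers confirm they are installing what the project published.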
@@ -101,14 +101,14 @@ If you haven't already [created a new S3 bucket](https://docs.aws.amazon.com/qui
We need to store these keys as environment variables named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. For now, we'll set these temporarily until we automate everything in the next step.
```bash {linenos=false}
```bash
export AWS_ACCESS_KEY_ID="your AWS access key"
export AWS_SECRET_ACCESS_KEY="your AWS secret"
```
We'll also need to tell Restic where the bucket is located and set a secure password to encrypt the backups. You can generate a super-secure 32-character password by running `openssl rand -base64 32` — just make sure you store it somewhere safe!
```bash {linenos=false}
```bash
export RESTIC_REPOSITORY="s3:s3.amazonaws.com/your-bucket-name"
export RESTIC_PASSWORD="passw0rd123-just-kidding"
```
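Review bot: the `export AWS_ACCESS_KEY_ID="your AWS access key"`, `export AWS_SECRET_ACCESS_KEY="your AWS secret"` and `export RESTIC_PASSWORD=...` lines in this hunk put live secrets on the interactive command line, where they are written to the shell history file. A sentence telling readers to prefix each command with a space (honoured when `HISTCONTROL` is `ignorespace` or `ignoreboth`, as Ubuntu's default `.bashrc` sets) or to source them from a root-only file would close that gap, and the access key should be scoped to the single bucket named in `RESTIC_REPOSITORY` rather than a full-account credential.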
@@ -117,7 +117,7 @@ export RESTIC_PASSWORD="passw0rd123-just-kidding"
Now we're ready to have Restic initialize the repository. This saves a `config` file in your S3 bucket and starts the encryption process right off the bat. You only need to run this once.
```bash {linenos=false}
```bash
restic init
```
@@ -127,7 +127,7 @@ If successful, you should see a message containing `created restic backend`. If
Now that the hard parts are done, creating a backup (or "snapshot" in Restic terms) is as simple as a one-line command. All we need to specify is the directory you want to backup.
```bash {linenos=false}
```bash
restic backup /srv/important/data
```
@@ -156,7 +156,7 @@ I highly recommend adding one final command to the end of the file: Restic's `fo
This command keeps one snapshot from each of the last **six hours**, one snapshot from each of the last **seven days**, one snapshot from each of the last **four weeks**, and one snapshot from each of the last **twelve months**.
```bash {linenos=false}
```bash
restic forget -q --prune --keep-hourly 6 --keep-daily 7 --keep-weekly 4 --keep-monthly 12
```
@@ -164,13 +164,13 @@ Reading [the documentation](https://restic.readthedocs.io/en/latest/060_forget.h
Save the shell script and close the editor. Don't forget to make the script we just wrote actually executable:
```bash {linenos=false}
```bash
chmod +x backup.sh
```
Lastly, we need to set the actual cron job. To do this, run `sudo crontab -e` and add the following line to the end:
```bash {linenos=false}
```bash
0 * * * * /root/backup.sh
```
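Review bot: `chmod +x backup.sh` in this hunk makes the script executable but leaves it world-readable, and the script embeds the AWS keys and `RESTIC_PASSWORD` exported earlier in the post; `chmod 700 backup.sh` (owned by root, since the cron line `0 * * * * /root/backup.sh` runs it from root's crontab) keeps the credentials away from other local users. The `chmod` also uses the relative name `backup.sh` while cron references `/root/backup.sh`; naming the path once in both places avoids a mismatch for readers who saved the script somewhere else.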
@@ -186,7 +186,7 @@ Take note of the next time that your new cron job _should_ run, so we can check
To restore a snapshot to a certain location, grab the ID from `restic snapshots` and use `restore` like so:
```bash {linenos=false}
```bash
restic restore 420x69abc --target ~/restored_files
```

View File

@@ -57,7 +57,7 @@ If you're bored on a rainy day, potential activities could include:
Who cares if somebody wants to delete a post with the ID "`*`" no matter the author? ([delete_reply_submit.php](https://github.com/jakejarvis/jbb/blob/87b606797414b2fe563af85e269566fc5e076cc5/delete_reply_submit.php#L9))
```php
```php showLineNumbers
<?php
$query2 = "DELETE FROM jbb_replies
WHERE replyID ='$replyID'";
@@ -68,7 +68,7 @@ $result2 = mysql_query ($query2)
Sessions based on storing an auto-incremented user ID in a cookie. ([login_submit.php](https://github.com/jakejarvis/jbb/blob/87b606797414b2fe563af85e269566fc5e076cc5/login_submit.php#L28))
```php
```php showLineNumbers
<?php
session_id($user->userID);
session_start();
@@ -80,7 +80,7 @@ $_SESSION["ck_groupID"] = $user->groupID;
Viewing a "private" message based solely on a sequential message ID. ([pm_view.php](https://github.com/jakejarvis/jbb/blob/87b606797414b2fe563af85e269566fc5e076cc5/pm_view.php#L13))
```php
```php showLineNumbers
<?php
$query1 = "SELECT * FROM jbb_pm WHERE pmID = '$pmID'";
?>
@@ -88,7 +88,7 @@ $query1 = "SELECT * FROM jbb_pm WHERE pmID = '$pmID'";
Incredibly ambitious emoticon and [BBCode](https://en.wikipedia.org/wiki/BBCode) support. I honestly can't begin to explain this logic. ([functions.php](https://github.com/jakejarvis/jbb/blob/87b606797414b2fe563af85e269566fc5e076cc5/functions.php#L18))
```php
```php showLineNumbers
<?php
$replacement = '<Image SRC=images/emoticons/smile.gif>';
$replacement2 = '<Image SRC=images/emoticons/bigsmile.gif>';
@@ -125,7 +125,7 @@ $topicval = str_replace('
Saving new passwords as plaintext — probably the least problematic problem. ([register_submit.php](https://github.com/jakejarvis/jbb/blob/87b606797414b2fe563af85e269566fc5e076cc5/register_submit.php#L10))
```php
```php showLineNumbers
<?php
$query = "INSERT INTO jbb_users (username, password, email, avatar) VALUES ('$username','$password','$email','images/avatars/noavatar.gif')";
?>
@@ -133,7 +133,7 @@ $query = "INSERT INTO jbb_users (username, password, email, avatar) VALUES ('$us
I guess I gave up on counting `$query`s by ones... ([functions.php](https://github.com/jakejarvis/jbb/blob/87b606797414b2fe563af85e269566fc5e076cc5/functions.php#L231))
```php
```php showLineNumbers
<?php
while ($topic = mysql_fetch_object($result30)) {
$query40 = "SELECT * FROM jbb_users WHERE userID = '$topic->userID'";

View File

@@ -44,7 +44,7 @@ If you run your own server, these can be added by way of your Apache or nginx co
The following script can be added as a Worker and customized to your needs. Some can be extremely picky with syntax, so be sure to [read the documentation](https://www.netsparker.com/whitepaper-http-security-headers/) carefully. You can fiddle with it in [the playground](https://cloudflareworkers.com/), too. Simply modify the current headers to your needs, or add new ones to the `newHeaders` or `removeHeaders` arrays.
```js
```js showLineNumbers
let addHeaders = {
"Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests",
"Strict-Transport-Security": "max-age=1000",
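Review bot: `"Strict-Transport-Security": "max-age=1000",` in this hunk gives browsers an HSTS lifetime of under 17 minutes, which is nearly no protection after the first visit; a production value is `max-age=31536000; includeSubDomains` (one year, the minimum the HSTS preload list accepts). Separately, the prose line above tells readers to add entries to the `newHeaders` or `removeHeaders` arrays, while the code declares `let addHeaders = {`, an object; the name and the word "array" should match what the code actually defines.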