This repo gives an overview of some GCP metadata API attack and defend patterns
☆79 · Mar 23, 2020 · Updated 5 years ago
Alternatives and similar repositories for AttackingAndDefendingTheGCPMetadataAPI
Users that are interested in AttackingAndDefendingTheGCPMetadataAPI are comparing it to the libraries listed below
- ☆28 · Aug 6, 2020 · Updated 5 years ago
- These are tools we released with our 2020 defcon/blackhat talk https://www.youtube.com/watch?v=Ml09R38jpok ☆173 · Feb 6, 2025 · Updated last year
- Automated GKE Kubelet Impersonation and Cluster Secret Stealer via kube-env ☆102 · Sep 10, 2019 · Updated 6 years ago
- POC for CVE-2018-15685 ☆42 · Aug 24, 2018 · Updated 7 years ago
- Demonstrating why Dynamic Method Invocation with unrestricted method names (the old default of Struts) is dangerous. ☆12 · Sep 30, 2018 · Updated 7 years ago
- XXE injection (file disclosure) exploit for Apache OFBiz < 16.11.04 ☆13 · Oct 16, 2018 · Updated 7 years ago
- ☆27 · Feb 19, 2026 · Updated last month
- ☆21 · Nov 13, 2019 · Updated 6 years ago
- A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated. ☆558 · May 26, 2023 · Updated 2 years ago
- Transparently log all data passed into known JavaScript sinks - Sink Logger extension for Burp. ☆49 · Jul 20, 2022 · Updated 3 years ago
- The Attack Surface Detector uses static code analyses to identify web app endpoints by parsing routes and identifying parameters ☆14 · Feb 10, 2022 · Updated 4 years ago
- Salesforce Policy Deviation Checker ☆30 · Sep 30, 2020 · Updated 5 years ago
- ☆16 · Feb 26, 2018 · Updated 8 years ago
- Like the unix tree command but for GCP Org Hierarchy ☆27 · Apr 29, 2021 · Updated 4 years ago
- Burp Suite Professional extension in Java for Tabnabbing attack ☆13 · May 8, 2018 · Updated 7 years ago
- ☆25 · Jul 5, 2018 · Updated 7 years ago
- DupeKeyInjector ☆134 · Apr 16, 2022 · Updated 3 years ago
- A collection of slides, videos, and proof-of-concept scripts from various Rhino presentations. ☆38 · Aug 13, 2018 · Updated 7 years ago
- Terraform to run Scoutsuite security scan of projects within a Google Cloud Org. Report will be published to a GCS bucket. ☆17 · Jan 5, 2026 · Updated 2 months ago
- Tool for CVE-2018-16323 ☆82 · Jan 17, 2019 · Updated 7 years ago
- Hayat is a script to report on and analyze Google Cloud Platform resources. ☆80 · Jan 7, 2020 · Updated 6 years ago
- CryptOMG is a configurable CTF style test bed that highlights common flaws in cryptographic implementations. ☆194 · Jun 25, 2015 · Updated 10 years ago
- The Outlook HTML Leak Test Project ☆130 · May 12, 2018 · Updated 7 years ago
- An auto-scoring capture-the-flag game focusing on TOCTOU vulnerabilities ☆21 · Oct 28, 2020 · Updated 5 years ago
- Retrieve metadata endpoint data with these one-liners. ☆41 · Aug 11, 2020 · Updated 5 years ago
- Automated penetration toolkit ☆12 · Jul 9, 2016 · Updated 9 years ago
- Security testing tool for Kubernetes, abusing kubelet credentials on public cloud providers. ☆164 · Nov 28, 2025 · Updated 3 months ago
- differer finds how URLs are parsed by different languages in order to help bug hunters break filters ☆63 · May 3, 2020 · Updated 5 years ago
- PoC for CVE-2021-3129 (Laravel) ☆12 · Oct 9, 2021 · Updated 4 years ago
- CTF Writeups ☆26 · Oct 6, 2019 · Updated 6 years ago
- Burp extender for fuzzing ☆10 · Aug 10, 2018 · Updated 7 years ago
- ☆21 · Dec 1, 2019 · Updated 6 years ago
- Swift code to run a dylib on disk ☆16 · May 9, 2022 · Updated 3 years ago
- A project designed to parse public source code repositories and find various types of vulnerabilities. ☆193 · Oct 6, 2017 · Updated 8 years ago
- Dynamic DNS Update Bruteforce Tool ☆29 · Feb 8, 2017 · Updated 9 years ago
- DNS Rebinding Exploitation Framework ☆492 · Apr 27, 2021 · Updated 4 years ago
- Burp Suite extension to help make GraphQL requests more readable ☆32 · Dec 7, 2017 · Updated 8 years ago
- Automate common Chrome Debug Protocol tasks to help debug web applications from the command-line and actively monitor and intercept HTTP … ☆73 · Aug 11, 2021 · Updated 4 years ago
- Slides from various talks that I've given over the years ☆118 · Aug 14, 2023 · Updated 2 years ago