Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦fREE Code metrics for Javascript/any os support npm packages :
1) download: https://github.com/calmh/yardstick
Or
2) % sudo npm install -g yardstick
3) Run it on one or more code files:
% yardstick mole.js
Scope CC Ar Cd Cm Cm/Cd
mole.js 79 - 415 162 39
anon@55 1 1 3 0 0
readCert 2 0 11 3 27
init 2 1 8 5 63
register 2 1 17 12 71
anon@274 1 1 10 5 50
token 2 1 9 2 22
anon@307 1 1 3 0 0
...
4) Reported Metrics
CC: Estimated cyclomatic complexity. "Estimated", since this is a hard nut to crack on Javascript without actually running the code. The estimate is fairly good however and the point being "higher number => higer complexity => not necessarily so good" is still valid.
Ar: Arity of the function.
Cd: Number of lines of code, excluding blanks and comments.
Cm: Number of lines of comments.
Cm/Cd: Ratio of comments to code, as a percentage. So 100 means there are as many lines of comments as there are lines of code, while 25 means there are four times as many lines of code.
5) But metrics such as cyclomatic complexity and number of comments are useless!
By themselves, possibly. But they can be a handy guide for evaluating areas of code that could use some love. It's a tool like anything else.
6) The cyclomatic complexity reported by yardstick differs from $othertool!
7) Like I said, calculating CC for JS code is nontrivial. A common approach for other languages is to simply count branching keywords. That doesn't give anything like the the full picture in JS since many common control structures are instead expressed as function calls. Consider:
for (var i = 0; i < 5; i++) {
/* ... */
}
vs
[0, 1, 2, 3, 4].forEach(function (i) {
/* ... */
});
Any tool that doesn't recognize those as the same structure is broken. Likewise:
someEventEmitter.on('something', function (d) {
/* ... */
}).on('error', function (e) {
/* ... */
});
Not to mention:
someEventEmitter.on('something', declaredElsewhere)
.on('error', alsoDeclaredElseWhere);
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦fREE Code metrics for Javascript/any os support npm packages :
1) download: https://github.com/calmh/yardstick
Or
2) % sudo npm install -g yardstick
3) Run it on one or more code files:
% yardstick mole.js
Scope CC Ar Cd Cm Cm/Cd
mole.js 79 - 415 162 39
anon@55 1 1 3 0 0
readCert 2 0 11 3 27
init 2 1 8 5 63
register 2 1 17 12 71
anon@274 1 1 10 5 50
token 2 1 9 2 22
anon@307 1 1 3 0 0
...
4) Reported Metrics
CC: Estimated cyclomatic complexity. "Estimated", since this is a hard nut to crack on Javascript without actually running the code. The estimate is fairly good however and the point being "higher number => higer complexity => not necessarily so good" is still valid.
Ar: Arity of the function.
Cd: Number of lines of code, excluding blanks and comments.
Cm: Number of lines of comments.
Cm/Cd: Ratio of comments to code, as a percentage. So 100 means there are as many lines of comments as there are lines of code, while 25 means there are four times as many lines of code.
5) But metrics such as cyclomatic complexity and number of comments are useless!
By themselves, possibly. But they can be a handy guide for evaluating areas of code that could use some love. It's a tool like anything else.
6) The cyclomatic complexity reported by yardstick differs from $othertool!
7) Like I said, calculating CC for JS code is nontrivial. A common approach for other languages is to simply count branching keywords. That doesn't give anything like the the full picture in JS since many common control structures are instead expressed as function calls. Consider:
for (var i = 0; i < 5; i++) {
/* ... */
}
vs
[0, 1, 2, 3, 4].forEach(function (i) {
/* ... */
});
Any tool that doesn't recognize those as the same structure is broken. Likewise:
someEventEmitter.on('something', function (d) {
/* ... */
}).on('error', function (e) {
/* ... */
});
Not to mention:
someEventEmitter.on('something', declaredElsewhere)
.on('error', alsoDeclaredElseWhere);
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - calmh/yardstick: [UNMAINTAINED] Javascript code metrics
[UNMAINTAINED] Javascript code metrics. Contribute to calmh/yardstick development by creating an account on GitHub.
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Interactive network scanner with autocomplete:
Suitable for everyday and professional tasks,
Capable of host discovery, port scans and service enumeration (integrates many tools such as: EyeWitness, Hydra, nikto, etc.)
Scanning is performed in the background, in case of connection loss you can download the results asynchronously (no need to restart the process, data can be imported at different stages),
Supports all major stages of network enumeration,
and much more.
External Integrations Service Support
ARP: nmap
DNS: nmap, dnsrecon, dnsenum, host
FINGER: nmap, finger-user-enum
FTP: nmap, ftp-user-enum, hydra AGGRESIVE
HTTP: nmap, nikto, dirb, EyeWitness, SQLmap, fimap
RDP: nmap, EyeWitness
SMB: nmap, enum4linux, nbtscan, samrdump
SMTP: nmap, smtp-user-enum
SNMP: nmap, snmpcheck, onesixtyone, snmpwalk
SSH: hydra AGGRESIVE
SQL: nmap
VNC: EyeWitnes
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
Β» Building from source
Clone the repo: If you want to create a multiplatform binary, run:
1) $ git clone https://github.com/marco-lancini/goscan.git
Change to the GoScan directory and build it:
2) $ cd goscan / goscan /
3) $ make setup
4) $ make build
If you want to create a multiplatform binary, run:
5) $ make cross
Β» Installing the binary
This is the recommended installation method.
3) $ sudo mv ./goscan / usr / local / bin / goscan
Β» Install via Docker
$ git clone https://github.com/marco-lancini/goscan.git
$ cd goscan /
$ docker-compose up --build
example usage take a look at video before this chat
β β β Uππ»βΊπ«Δπ¬πβ β β β
π¦Interactive network scanner with autocomplete:
Suitable for everyday and professional tasks,
Capable of host discovery, port scans and service enumeration (integrates many tools such as: EyeWitness, Hydra, nikto, etc.)
Scanning is performed in the background, in case of connection loss you can download the results asynchronously (no need to restart the process, data can be imported at different stages),
Supports all major stages of network enumeration,
and much more.
External Integrations Service Support
ARP: nmap
DNS: nmap, dnsrecon, dnsenum, host
FINGER: nmap, finger-user-enum
FTP: nmap, ftp-user-enum, hydra AGGRESIVE
HTTP: nmap, nikto, dirb, EyeWitness, SQLmap, fimap
RDP: nmap, EyeWitness
SMB: nmap, enum4linux, nbtscan, samrdump
SMTP: nmap, smtp-user-enum
SNMP: nmap, snmpcheck, onesixtyone, snmpwalk
SSH: hydra AGGRESIVE
SQL: nmap
VNC: EyeWitnes
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½ & π π π½ :
Β» Building from source
Clone the repo: If you want to create a multiplatform binary, run:
1) $ git clone https://github.com/marco-lancini/goscan.git
Change to the GoScan directory and build it:
2) $ cd goscan / goscan /
3) $ make setup
4) $ make build
If you want to create a multiplatform binary, run:
5) $ make cross
Β» Installing the binary
This is the recommended installation method.
$ wget https://github.com/marcolancini/goscan/releases/download/v2.3/goscan_2.3_linux_amd64.zip $ unzip goscan_2.3_linux_amd64.zip2) $ chmod + x goscan
Then put the executable in PATH:
3) $ sudo mv ./goscan / usr / local / bin / goscan
Β» Install via Docker
$ git clone https://github.com/marco-lancini/goscan.git
$ cd goscan /
$ docker-compose up --build
example usage take a look at video before this chat
β β β Uππ»βΊπ«Δπ¬πβ β β β
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
Forwarded from UNDERCODE NEWS
30 million TL fear! The hacker gang was smashed, the money was left behind ...
#CyberAttacks
#CyberAttacks
β β β Uππ»βΊπ«Δπ¬πβ β β β
SafeSQL is a static analysis tool for Go that protects against SQL injections :
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½
1) $ go get github.com/stripe/safesql
2) $ safesql
Usage: safesql [-q] [-v] package1 [package2 ...]
-q=false: Only print on failure
-v=false: Verbose mode
3) $ safesql example.com/an/unsafe/package
Found 1 potentially unsafe SQL statements:
- /Users/alice/go/src/example.com/an/unsafe/package/db.go:14:19
4) Please ensure that all SQL queries you use are compile-time constants.
5) You should always use parameterized queries or prepared statements
instead of building queries from strings.
6) $ safesql example.com/a/safe/package
You're safe from SQL injection! Yay \o/
7) If SafeSQL passes, your application is free from SQL injections (modulo bugs in the tool), however there are a great many safe programs which SafeSQL will declare potentially unsafe. These false positives fall roughly into two buckets:
First, SafeSQL does not currently recursively trace functions through the call graph. If you have a function that looks like this:
func MyQuery(query string, args ...interface{}) (*sql.Rows, error) {
return globalDBObject.Query(query, args...)
}
and only call MyQuery with compile-time constants, your program is safe; however SafeSQL will report that (*database/sql.DB).
8) Query is called with a non-constant parameter (namely the parameter to MyQuery). This is by no means a fundamental limitation: SafeSQL could recursively trace the query argument through every intervening helper function to ensure that its argument is always constant, but this code has yet to be written.
9) The second sort of false positive is based on a limitation in the sort of analysis SafeSQL performs: there are many safe SQL statements which are not feasible (or not possible) to represent as compile-time constants. More advanced static analysis techniques (such as taint analysis).
In order to ignore false positives, add the following comment to the line before or the same line as the statement:
//nolint:safesql
β β β Uππ»βΊπ«Δπ¬πβ β β β
SafeSQL is a static analysis tool for Go that protects against SQL injections :
πΈπ½π π π°π»π»πΈπ π°π πΈπΎπ½
1) $ go get github.com/stripe/safesql
2) $ safesql
Usage: safesql [-q] [-v] package1 [package2 ...]
-q=false: Only print on failure
-v=false: Verbose mode
3) $ safesql example.com/an/unsafe/package
Found 1 potentially unsafe SQL statements:
- /Users/alice/go/src/example.com/an/unsafe/package/db.go:14:19
4) Please ensure that all SQL queries you use are compile-time constants.
5) You should always use parameterized queries or prepared statements
instead of building queries from strings.
6) $ safesql example.com/a/safe/package
You're safe from SQL injection! Yay \o/
7) If SafeSQL passes, your application is free from SQL injections (modulo bugs in the tool), however there are a great many safe programs which SafeSQL will declare potentially unsafe. These false positives fall roughly into two buckets:
First, SafeSQL does not currently recursively trace functions through the call graph. If you have a function that looks like this:
func MyQuery(query string, args ...interface{}) (*sql.Rows, error) {
return globalDBObject.Query(query, args...)
}
and only call MyQuery with compile-time constants, your program is safe; however SafeSQL will report that (*database/sql.DB).
8) Query is called with a non-constant parameter (namely the parameter to MyQuery). This is by no means a fundamental limitation: SafeSQL could recursively trace the query argument through every intervening helper function to ensure that its argument is always constant, but this code has yet to be written.
9) The second sort of false positive is based on a limitation in the sort of analysis SafeSQL performs: there are many safe SQL statements which are not feasible (or not possible) to represent as compile-time constants. More advanced static analysis techniques (such as taint analysis).
In order to ignore false positives, add the following comment to the line before or the same line as the statement:
//nolint:safesql
β β β Uππ»βΊπ«Δπ¬πβ β β β
GitHub
GitHub - stripe-archive/safesql: Static analysis tool for Golang that protects against SQL injections
Static analysis tool for Golang that protects against SQL injections - GitHub - stripe-archive/safesql: Static analysis tool for Golang that protects against SQL injections
we start today a secure website & simple table for Cve news, cve codes,shells, and details :
https://DailyCve.com
Twitter.com/dailycve
t.me/dailycve
https://DailyCve.com
(please note: our team always triyng to fix bugs and share with you the best experiences 12/24)
for updates:Twitter.com/dailycve
t.me/dailycve
DailyCVE
Vulnerability Database & Alerts - DailyCVE
"DailyCVE.com β The advanced vulnerability database with modern testing, patching tutorials, and up-to-date security insights. Stay ahead of threats!"
Forwarded from DailyCVE
Forwarded from DailyCVE
Forwarded from UNDERCODE NEWS
