ctf | paseto | |
---|---|---|
11 | 26 | |
1,743 | 3,188 | |
0.3% | -0.2% | |
2.5 | 4.7 | |
about 1 year ago | 5 days ago | |
Python | PHP | |
- | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
ctf
-
Audio Steganography
Audio can contain dial tones, or it can contain binary/morse code on some particular frequency, or it's not really "audio" but radio-transmission which needs to be decoded, or the audio can contain sounds of keyboard typing or even 3d printer head moving (like https://github.com/p4-team/ctf/tree/master/2020-05-10-spam-and-flags-teaser/3d_printer ), or maybe audio has multiple sources interleaved and you need to separate them and one has the flag, or maybe the audio file itself has specific format and some information can be passed there. There are infinite possibilities and it's impossible to say anything without analysing the file.
-
Failing to understand a flag
It's hard to say anything without actually seeing the page. Was there something inside the CSS files? You can do some crazy stuff there :) You can also do some fancy stuff like bypassing CSRF with CSS injection like in: https://github.com/p4-team/ctf/tree/master/2018-01-20-insomnihack/web_css
- CTF Question - reverse engineering keyboard Morse code
- Question about ECDSA
-
Stuck on a forensics challenge
One thing that immediately comes into mind is that archives are "weird", and an archive file can be also a totally different type of file at the same time. Just to clarify what I mean see: https://github.com/p4-team/ctf/blob/master/2016-04-15-plaid-ctf/web_pixelshop/README.md and specifically the magic file https://github.com/p4-team/ctf/blob/master/2016-04-15-plaid-ctf/web_pixelshop/exploit.png this is totally valid PNG file but at the same time it's also totally valid ZIP file with PHP shell inside.
-
Initial impact report about this week's EdDSA Double-PubKey Oracle attack in 40 affected crypto libs
Funny part is that even in CTF challenges made around this problem challenge authors were introducing some intentional bugs to account for this scenario, because they thought it would be too unrealistic otherwise :D See for example: https://github.com/p4-team/ctf/tree/master/2018-12-08-hxp/crypto_uff
-
Reduced Round AES CTR Attacks
See: https://github.com/p4-team/ctf/tree/master/2016-03-12-0ctf/peoples_square and also https://github.com/TFNS/writeups/tree/master/2020-06-05-DefenitCTF/spn (this one is not AES but some toy SPN, but the idea is exactly the same and maybe easier to understand)
-
Hey I was wondering if anyone knew a good place to post a challenge, a challenge with a reward
If it's some serious interesting cryptography (just to give you an example: https://github.com/p4-team/ctf/tree/master/2019-11-02-google-ctf/fractorization ), then perhaps consider talking to some CTF team to feature your challenge during an upcoming CTF
-
Help with factorizing n=p*q in an vulnerable RSA implementation
Also what you need doesn't require that much code, it's very similar to: https://github.com/p4-team/ctf/tree/master/2017-09-02-tokyo/crypto_rsa
- Cryptopals 2:12 - What real-world application of crypto does the solution actually break?
paseto
-
JSON Web Proofs
Might I suggest Paseto (https://paseto.io/) - it solves a lot of the headaches of JWT. Signing and encryption are two different things that require two different sets of keys, so you can't mess it up.
(Full disclosure, I've written one implementation: https://github.com/auth70/paseto-ts)
-
Full-stack authentication system using rust (actix-web) and sveltekit
Though we'll be building a session-based authentication system, it's noteworthy that with the introduction of some concepts which will be discussed in due time, you can turn it into JWT- or, more securely and appropriately, PASETO-based authentication system.
- Biscuit 3.0
-
Securing Your Golang Application: Unleashing the Power of Authentication and Authorization
Time we ditch it and use paseto
- Paseto is everything you love about JWT without any of the design deficits
- Why JWTs Suck as Session Tokens (2017)
-
Looking for advice for Go Backend REST API for a Front End React/NodeJS
The PASETO web site goes over it. Mostly it's designed to make you do things the right way and avoid all the security holes you can fall into with JWT.
- Initial impact report about this week's EdDSA Double-PubKey Oracle attack in 40 affected crypto libs
-
Stop Storing Authentication Tokens in JS-accessible Storage
If this is too much to handle, you shouldn't have to! There's already solutions that handle it for you
What are some alternatives?
CTFd - CTFs as you need them
branca - :key: Secure alternative to JWT. Authenticated Encrypted API Tokens for Go.
RootTheBox - A Game of Hackers (CTF Scoreboard & Game Manager)
Symfony Panther - A browser testing and web crawling library for PHP and Symfony
ed25519-unsafe-libs - List of unsafe ed25519 signature libs
wp-graphql-jwt-authentication - Authentication for WPGraphQL using JWT (JSON Web Tokens)
pwntools - CTF framework and exploit development library
Ory Hydra - OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.
libsodium - A modern, portable, easy to use crypto library.
php-jwt - PHP package for JWT
pwndbg - Exploit Development and Reverse Engineering with GDB Made Easy
bubble - bubble 旨在为项目快速开发提供一系列的基础能力,方便使用者根据项目需求快速进行功能拓展。已将所有 JAR 包都推送至中央仓库,也会为每个版本的升级改动列出详细的更新日志