Chris Frohoff

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

A Java security research tool that generates crafted payloads to test whether a Java application is vulnerable to remote code execution through unsafe deserialization of untrusted data.

No description.

CLI crypto swiss-army knife for performing and composing encoding, decoding, encryption, decryption, hashing, and other various cryptographic operations on streams of data from the command line; mostly intended for ad hoc, infosec-related uses.

Primitive tool for exploring/querying Java classes via the Tinkerpop Gremlin graph traversal language

from http://www.pc-tools.net/unix/grepcidr/

No description.

No description.

From https://code.google.com/p/jdeserialize/

No description.

From https://git.clarahobbs.com/pd-buddy/pd-buddy-wye.git

from http://weblogs.java.net/blog/emcmanus/archive/2007/06/disassembling_s.html

Decrypt HTTPS/SSL/TLS connections on the fly with Wireshark

No description.

Star Trek LCARS inspired pure CSS theme for CTFd (v2.1.1) used during the 2019 LayerOne CTF and ToorCon CTF.

Slide deck from AppSecCali 2015 Talk "Marshalling Pickles: how deserializing objects will ruin your day"

Docker implemented in around 100 lines of bash

imported from https://sourceforge.net/projects/sleepyhead/

From http://www.synacktiv.com/ressources/inyourface-0.2.tar.gz

Slide deck from OWASP SD Talk "Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization"

from http://www.taugh.com/grepcidr-2/

The cheat sheet about Java Deserialization vulnerabilities

From http://www.synacktiv.com/ressources/jimmix-0.3.tar.gz

A remote access tool for pentesters designed for advanced pivoting.

Plugin for manipulating requests in PortSwigger Burp Suite Pro v1.5+

CTFs as you need them

No description.

Security Monkey

No description.

From http://www.david-guembel.de/uploads/media/jmitm2-0.1.0-source.tar.gz

No description.

run ssh, https, and openvpn on the same port

No description.

Heartbleed (CVE-2014-0160) client exploit

Simple HTTP and REST client for Ruby, inspired by microframework syntax for specifying actions.

Project management and code hosting application. Follow us on twitter @gitlabhq

A Javascript malware analysis tool

Autonomous smartphone app. Capable of self-compilation, mutation, and viral spreading. World-first proof-of-principle to bypass Internet kill switches.

Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Empire is a PowerShell and Python post-exploitation agent.

No description.

Official OWASP Top 10 Document Repository

A drop-in replacement for the 1Password CLI's op in WSL (Windows Subsystem for Linux), backed by the analogous Windows op.exe and the 1Password desktop app — no separate Linux sign-in required. Inspired by oprun.sh.

Choose the browser on the click of a link

Break glass in case of suid java executable.

From https://code.google.com/p/privilegedaccessor/

A barebones CLI utility to prompt for and cache a password in memory, then hand it out over HTTP or raw TCP

Network simulation for malware analysis.

Java bytecode analysis/deobfuscation tool

Capture the Flag: Web Edition https://stripe.com/blog/capture-the-flag-20

Extender module for BurpSuite to decode and re-encode JAVA Object Serialization for security testing

Library for binary file manipulation

A scoreboard for Security CTF events

Git Source Code Mirror - This is a publish-only repository and all pull requests are ignored. Please follow Documentation/SubmittingPatches procedure for any of your improvements.

No description.

No description.

JavaPayload is a collection of pure Java payloads to be used for post-exploitation from pure Java exploits or from common misconfigurations (like not password protected Tomcat manager or debugger port).

Automatic SQL injection and database takeover tool

Github Pages Site

Metasploit Framework

Ghidra is a software reverse engineering (SRE) framework

docker run -v [homedir]/.aws/:/root/.aws/ -e AWS_DEFAULT_PROFILE=[profilename] [containerid]

Spoofs a DHCP server and exploits all clients vulnerable to the 'ShellShock' bug

Java bytecode engineering toolkit

A specialized Amazon Kinesis stream reader (based on the Amazon Kinesis Connector Library) that can help you deliver data from Amazon CloudWatch Logs to any other system in near real-time using a CloudWatch Logs Subscription Filter.

Scoreboard for CTF Competitions

Parse m3u, pls, and asx in JavaScript

Sinatra-based Markov bot for Slack.

A place for community contributed samples for the pyVmomi library.

No description.

No description.

No description.

Windows Credential Manager (wincred) backend for python's keyring for WSL

The 1-Password CLI's `op run` utility rewritten with `op inject` to add Windows Subsystem for Linux support.

Python client library for sleephq.com OpenAPI API

Tools for managing files with the Toshiba FlashAir wireless SD card

A minimal systemd enabled Ubuntu 24.04 image

Powerful MCP debugging proxy and CLI inspection tool.

imported from jejb/fido2-ctap-gadget

Monitor network requests and console logs without opening DevTools

Common code used by both the Active Directory Authentication Library (ADAL) and the Microsoft Authentication Library (MSAL)

Cloned from https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/

Makeshift maven2 repo for artifacts missing from other public repos based on https://gist.github.com/cleberjamaral/6c9b0a615e51e26c94ffe407a641f531

No description.

HTTP Request & Response Service, written in Python + Flask.

A Traefik plugin to change on the fly header's value of a request

No description.

Mirror of Apache Commons Collections

a screen-scraping API for Mint.com

No description.

exercism solutions

A jinja2 extension that adds a {% markdown %} tag to jinja.

No description.

send electronic mail with scala

Imported from https://bitbucket.org/sumerc/yappi

A Hubot adapter for HipChat that uses the HipChat API

Automatically switch to a darker or a lighter version of an element depending on the brightness of images behind it.

Speech Synthesis polyfill

Docker image which contains oracle jdk (7 and 8)

No description.

No description.

No description.

A simple, but damn fast sinkhole

Using RPZ this script helps to add and remove entries into a Bind DNS Server

No description.

Scoreboard for Capture The Flag competitions, used by the Google CTF event

No description.

web interface for Docker Compose

No description.

Easy scraping for the Docker stats api.

Turbolinks makes following links in your web application faster (use with Rails Asset Pipeline)

Mirror of Apache Commons Beanutils

Java Untrusted Deserialization Exploits Tools

jOOR - Fluent Reflection in Java jOOR is a very simple fluent API that gives access to your Java Class structures in a more intuitive way. The JDK's reflection APIs are hard and verbose to use. Other languages have much simpler constructs to access type meta information at runtime. Let us make Java reflection better.

No description.

No description.

No description.

Repository for the MITRE Capture the Flag scoreboard.

Scala-friendly companion to Typesafe config

Sentries - For easy fault handling in Scala programs

Splunk Software Development Kit for Java

Ruby on Rails

No description.

A Java library to parse JVM bytecode, simulate the stack and extract as much information as possible

Kerberos Exploitation Kit

A tool for netpens.

FST: fast java serialization drop in-replacement http://ruedigermoeller.github.io/fast-serialization/

No description.

SBT template project for quickly getting started with spray-server

A jQuery Table of Contents plugin that can be themed with Twitter Bootstrap or jQueryUI.