HackerTrans
TopNewTrendsCommentsPastAskShowJobs

kichik

no profile record

comments

kichik
·il y a 6 mois·discuss
Nice chain and write-up. I don't know that I would call eval() on user input, hard coded secrets, and leaked credentials small or harmless. All of those are scary on their own.
kichik
·il y a 7 mois·discuss
Invoke-WebRequest is also very slow if you forget to disable the progress bar with $ProgressPreference = 'SilentlyContinue'

PowerShell has some "interesting" design choices...
kichik
·il y a 7 mois·discuss
The echo server will have no knowledge on how to construct the string to be signed.
kichik
·il y a 7 mois·discuss
You are indeed misunderstanding me. I am talking about returning the entire string to be signed. Not the result of the signature.
kichik
·il y a 8 mois·discuss
You can save the expected string to a file, save your string to a file, and run diff on a hexdump of both. Even without hexdump, you should see the difference between "\n" and "\\n" in properly escaped output.
kichik
·il y a 8 mois·discuss
Not exactly the point of this article, but it would be cool if APIs like this can return the expected signed string for debugging. It would have to be properly limited for security. But if the API is expecting non-standard signatures, it could help developers with better debugging tools.