David TheSecurityDev

  • United States
@mbaumbach
mbaumbach / WebVitalsWidget.tsx
Last active June 24, 2023 18:54
WebVitalsWidget
// Requires: web-vitals package to be added to your package.json dependencies.
// Usage: <WebVitalsWidget enabled />
// Ideally you should mount this component as high as you can in your component hierarchy so it renders ASAP.
// You can set the enabled prop to use an environment variable to make sure it's only on in dev/staging and off in prod if you want.
// You can add a query parameter of __vitals=true to the end of your URL at any time and it will trigger the widget to show.
// If the widget is covering an important part of your app, you can move it around with the location prop.
// Some data won't populate in the widget until you click somewhere on the page to bring focus to the window (LCP/FID)
@tothi
tothi / ms-msdt.MD
Last active June 16, 2025 21:37
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is a URI scheme, "ms-msdt:", that invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), and save it as a docx.