Making simple Nmap SPA web GUI with Apache, AngularJS and Python Twisted
The last time I developed dynamic web applications was years ago. I used CGI and #PHP back then. Now I am really interested in a modern approach, where you have a Single Page Web Application (SPA) written in HTML and #JavaScript that makes HTTP requests to some external #API.
It's pretty cool, because your application naturally becomes API-centric. You work on the human interface and improve integration capabilities at the same time. And the task of securing your web app mostly reduces to securing your formalized #API.
The very best way to learn something new is to write a post about this stuff. Here I will reproduce my own steps of making a very basic web app:
1. Launch #Apache web-server with http/https.
2. Make a simple #API service: #Nmap wrapper.
3. Make a web application with a "multipage" experience. There should be at least two pages: Scan and About.
4. On the Scan page it will be possible to input a target (hostname or IP) and #scan arguments, and launch a #scan by clicking a button. The same will happen if the target is passed as a parameter in the address bar.
5. The other pages should contain some static text.
As you can see, it is a very limited task, but it should clear up the most confusing parts of the process.
#Twisted #SSL #python #Nmap #nginx #JavaScript #GoogleChrome #Firefox #CORS #Apache #AngularJS #API
Read more: https://avleonov.com/2018/02/05/making-simple-nmap-spa-web-gui-with-apache-angularjs-and-python-twisted/
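Because the wrapper API described above takes a target and scan arguments from the browser or the address bar, the step that matters for security is how those strings become an nmap command line. The following is an added example, not code from the original post: the allow-list of options and the function names are assumptions chosen for illustration.

```python
import ipaddress
import re
import shlex

# Assumed policy for this example: the only nmap options the API passes through.
ALLOWED_FLAGS = {"-sT", "-sV", "-Pn", "-F", "-T3", "-T4", "--open"}
PORT_SPEC = re.compile(r"\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*")
ALLOWED_WITH_VALUE = {"-p": PORT_SPEC}
LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(\.{LABEL})*", re.IGNORECASE)


def validate_target(target):
    """Accept one hostname or IP literal; reject ranges, lists and option-like input."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    # Labels must start with a letter or digit, so the value can never begin
    # with "-" and be read by nmap as an option.
    if len(target) <= 253 and HOSTNAME.fullmatch(target):
        return target
    raise ValueError("target must be a single hostname or IP address")


def validate_args(arg_string):
    """Tokenise the user's argument string and keep only allow-listed options."""
    tokens = shlex.split(arg_string)
    accepted, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ALLOWED_FLAGS:
            accepted.append(tok)
        elif tok in ALLOWED_WITH_VALUE and i + 1 < len(tokens) \
                and ALLOWED_WITH_VALUE[tok].fullmatch(tokens[i + 1]):
            accepted += [tok, tokens[i + 1]]
            i += 1
        else:
            raise ValueError(f"option not allowed: {tok!r}")
        i += 1
    return accepted


def build_nmap_argv(target, arg_string=""):
    """Return an argv list for subprocess.run(argv) or reactor.spawnProcess; no shell."""
    return ["nmap", *validate_args(arg_string), validate_target(target)]
```

The API handler would call `build_nmap_argv` on the request parameters and return an HTTP 400 on `ValueError` instead of starting a process.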
About Remote Code Execution - expr-eval (CVE-2025-12735) vulnerability. expr-eval is a JavaScript library for parsing and evaluating mathematical expressions, providing safe handling of user-supplied variables. It is used in online calculators, educational programs, modeling tools, financial applications, AI systems, and natural language processing (NLP). Insufficient input validation may allow arbitrary JavaScript code execution in the application's context.
The vulnerability was discovered on November 5. A PoC has been on GitHub since November 11.
The vulnerability is still in the process of being fixed in the main (effectively abandoned 🤷‍♂️) expr-eval project and is not fully fixed in its fork, expr-eval-fork. Secure versions are expected to appear in the corresponding GHSA.
The library is popular: expr-eval has 800k weekly downloads on npm, and expr-eval-fork has 88k.
👾 No in-the-wild exploitation has been observed so far.
In Russian
@avleonovcom #expreval #JavaScript #npm
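With fixed versions still pending, the practical first step is to find where either package sits in a project's dependency tree, including transitive and aliased installs. The following is an added example, not part of the original post: it reads an npm `package-lock.json` structure, and the sample lockfile, its other package names and all version numbers are constructed.

```python
import json

WATCHED = {"expr-eval", "expr-eval-fork"}  # package names from the post


def find_watched(lock):
    """Return (name, version, location) for every watched package in a lockfile."""
    hits = []
    packages = lock.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: flat map keyed by install path. An aliased
        # install keeps the real package name in the entry's "name" field.
        for path, meta in packages.items():
            name = meta.get("name") or path.rpartition("node_modules/")[2]
            if name in WATCHED:
                hits.append((name, meta.get("version"), path))
    else:
        # lockfileVersion 1: nested "dependencies" objects.
        stack = [("", lock.get("dependencies", {}))]
        while stack:
            prefix, deps = stack.pop()
            for name, meta in deps.items():
                where = f"{prefix}node_modules/{name}"
                if name in WATCHED:
                    hits.append((name, meta.get("version"), where))
                stack.append((where + "/", meta.get("dependencies", {})))
    return sorted(hits, key=lambda h: (h[0], h[2]))


# Constructed sample lockfile (v3 layout); names other than the two watched
# packages and all version numbers are made up for the example.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/form-calc": {"version": "3.1.0"},
    "node_modules/form-calc/node_modules/expr-eval": {"version": "0.0.1"},
    "node_modules/math-alias": {"name": "expr-eval-fork", "version": "0.0.2"}
  }
}
""")

if __name__ == "__main__":
    for name, version, where in find_watched(SAMPLE_LOCK):
        print(f"{name}@{version} at {where}")
```

For a real project, load the file with `json.load(open("package-lock.json"))` and compare the reported versions against the GHSA once it lists patched releases.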
December "In the Trend of VM" (#22): vulnerabilities in Windows, the expr-eval library, Control Web Panel, and Django. A traditional monthly roundup of trending vulnerabilities - this time, a fairly compact one.
Post on Habr (rus)
Post on SecurityLab (rus)
Digest on the PT website (rus)
Four vulnerabilities in total:
🔻 EoP - Windows Kernel (CVE-2025-62215)
🔻 RCE - expr-eval (CVE-2025-12735)
🔻 RCE - Control Web Panel (CVE-2025-48703)
🔻 SQLi - Django (CVE-2025-64459)
🔥 Trending Vulnerabilities Portal
In Russian
@avleonovcom #TrendVulns #PositiveTechnologies #Microsoft #Windows #expreval #JavaScript #npm #CWP #Django