If I’m blinded, can I cast a spell that doesn’t require that the target be “a creature you can see”?

I’m playing a Wild Magic Sorcerer who obtained a Wand of Wonders — randomness ftw! Anyway, I accidentally blinded myself by using the wand.

On my next turn, still being blind, I want to cast Acid Splash on a target — can I do this?

I attacked the target before, and they haven’t moved, I chose Acid Splash because the spell doesn’t need “a target you can see” (unlike Hold Person, for instance). I did have line of effect, not line of sight, but I don’t think I need it for this spell.

The DM wouldn’t let me cast it unless I rolled to see if I targeted the enemy or an ally standing next to it.

We couldn’t really find an answer to this, so I switched to Ray of Frost and rolled with disadvantage, as that is all Blindness does to your attacks.

Can someone point me to the right page in the PHB, or just tell me who is right? (I know the DM can always make his own rulings.)

Doesn’t Linearizability implies Serializability?

Serializability is a concurrency scheme where the concurrent transaction is equivalent to one that executes the transactions serially.

In Linearizability, Once write completes, all later reads should return value of that write or value of later write. Once read returns particular value, all later reads should return that value or value of later write.

What is the main difference between Linearizability and Serializability?

isn’t it a security gap if TLD hostname doesn’t send the strict-transport-security header?

If you connect to https://google.com (without www.) you get a HTTP 301 redirect to https://www.google.com/ . Then if you connect to https://www.google.com/ the response includes the strict-transport-security header.

I contend this is a (small) security gap, because the strict-transport-security attribute never gets set for the top-level hostname, google.com. This means that no matter how many times the user has connected to google.com or www.google.com, if an attacker manages to send them to http://google.com/ , and the attacker is a man-in-the-middle who can redirect google.com to a site the attacker controls, they can eavesdrop on the connection. (Also, Google’s entry on the HSTS preload list only applies to www.google.com, not google.com.)

However, Google is rejecting all reports of “security holes” regarding HSTS: https://sites.google.com/site/bughunteruniversity/nonvuln/lack-of-hsts with the statement “Migrating all the domains to HTTPS, and deprecating all clients that can only talk over plaintext HTTP takes time.”

I contend these objections makes no sense. If a client only speaks http, then the way to continue supporting that client is to continue serving http. But if you serve the STS header over https connections, you’re telling the client, “Hey client, since you obviously speak https, this host promises it will always serve you https in the future and you should always make https requests to me.” The only valid reason not to serve the STS header would be if you think the hostname might some day not support https any more, which is hopefully not the case for google.com!

Perhaps there are subdomains of google.com that don’t support https. But then google.com can just serve the STS header without the “includeSubDomains” attribute, so it won’t be applied to subdomains.

So I maintain that: 1) Not serving the STS header for the hostname google.com is a security gap. While it’s a small gap, there is no offsetting legitimate reason not to serve the header. 2) It is not a valid objection that they “want to keep supporting clients that only talk over plaintext HTTP”. 3) It is not a valid objection that they have not migrated other subdomains to https yet.

Am I missing something?

Why doesn’t Dijkstra’s use a shortest-path first search?

When using BFS search on an unweighted graph to find the single-source shortest paths, no relaxation step is required because a breadth-first search guarantees that when we first make it to a node, we have found the shortest path to it.

However, Dijkstra has no such guarantee, because the neighbours of each node are checked in no specific order. Therefore, we need a relaxation step to update the shortest path of each node if we later find a shorter path.

Instead of choosing a random neighbour, why not always follow the neighbour with the shortest path? I think that would guarantee we have always found the shortest path and no relaxation step is required. I implemented this in Python and it seems to work. Am I missing something?

from heapq import heappop, heappush  def shortest_path_lengths(graph, source):     dist = {}     q = [(0, source)]     while q:         cur_dist, v1 = heappop(q)         if v1 in dist:             continue         dist[v1] = cur_dist         for v2, v1_to_v2_dist in graph[v1].items():             if v2 not in dist:  # check it hasn't been visited already                 heappush(q, (cur_dist + v1_to_v2_dist, v2))     return dist   graph = {     'a': {'b': 3, 'c': 5},     'b': {'c': 1},     'c': {'d': 4},     'd': {}, } print(shortest_path_lengths(graph, 'a')) 

Response seems to get redirected if SQL injection query succeeds, if not then it doesn’t get redirected

Under the authorization of my friend, I am testing his website against potential vulnerabilities.

I was trying to find if I was able to inject a SQL query into a POST request parameter hi' or 1=1 --:


I found that the document prints out:

<div class="error">index job,query: syntax error, unexpected '-' near '-'</div> 

while with ' or 0=0 -- I get:

<div class="error">index job,query: syntax error, unexpected '|' near ' | 0=0) --'</div> 

does this mean that it’s vulnerable to SQL Injection? If yes, how can I make it print server system data (like information, etc.)? By the way, if the string is correct it gets redirected to another webpage (I think that’s why SQLMap tells me the parameter is not SQL-injectable).

I can see the query works just if the URL gets redirected, but I won’t see the query output. If the URL doesn’t get redirected, I can see these SQL query errors. I’m trying to see how to get the output and do something more useful to attack the website, or even make it detectable from sqlmap.

The current command I’m using is sqlmap -r thework.txt -p query --dbs. thework.txt contains the full valid POST request.

Anti-Captcha service doesn`t work in GSA SER

Hi there!

Can you help me please with captcha?

I used to use Anti-Captcha on my GSA SER and it worked fine. Then I decided to change it on Xevil and CapMonster (I`ve swiched off Anti-Captcha for those period). And now when I`d like to try one more time Anti-Captcha service – it can`t be connected with GSA.

My actions:
– tried to check the balance (it gives me an unknown reply)

– tried to test (it shows me missing data..)

Could you advice me something?

Thank you for your time.

What happens if a dragon gets older but doesn’t gain experience?

Chapter 3 of the Draconomicon details how, every couple years, a true dragon must take its next level in its dragon “class”. But what if the dragon just sits around, not gaining any XP, and therefore never actually gains a “next level”?

It’s said that many dragons let their natural abilities grow rather than adventuring to get experience. Do they somehow get dragon “class” levels for free via aging (like, they instantly get enough XP to advance a level but are required to put it towards being more dragony?), or will they eventually be an ancient dragon with all the statistics of a wyrmling?