What are the spells that have a target other than self (and a target entry) that deal damage?

I asked the question Does Ocular spell make every eligible damage spells have a critical chance since it becomes a ranged touch attack (ray)? and I realized it was a bit hard to find spells that were eligible for Ocular spell that weren’t already touch spells or rays.

@Hey I Can Chan told me about Finger of Death (when the save is successful)

@Erik made me realize Chain lightning was indeed in my requirements.

What other spells meet those requirements?

Sidenote:

  • Spells that do damage, ability drain or level loss, since only those can benefit from criticals.
  • I’m not sure if healing spells that hurt creatures like undead would work, because I think they normally don’t score a critical even on a natural 20. Correct me if I’m wrong. But would they if they were cast as a ray?

Password entry: are “paste from password manager” and “eyeball to view passwords” mutually-exclusive features?


Context

NIST SP 800-63b gives the following guidance for password forms (aka login pages):

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

In order to assist the claimant in successfully entering a memorized secret, the verifier SHOULD offer an option to display the secret — rather than a series of dots or asterisks — until it is entered. This allows the claimant to verify their entry if they are in a location where their screen is unlikely to be observed. The verifier MAY also permit the user’s device to display individual entered characters for a short time after each character is typed to verify correct entry. This is particularly applicable on mobile devices.

I had the argument made to me that these two features should not be implemented together because they would allow a user to circumvent a password manager’s protection and view the auto-populated password. I suspect this argument won’t hold water, but I’m curious about community opinions.

Does this registry entry for implementing custom protocol handlers in Windows present a security risk?

Background

Some features are not yet available on the web platform and thus require cooperation with a native application in order to provide them. One method for a web application and a native application to communicate with each other is a custom protocol handler.

For instance, the web application can call "mycustomproto://some/params", where "mycustomproto" must first be registered with the operating system as a valid URI protocol. On Windows, this is done in the registry. There are a few keys/subkeys/values etc. that must be added to the registry, but only one actually deals with specifying the executable and its parameter(s).

Note that once the protocol handler is registered with the operating system, it can be launched by any website that knows of its existence, subjecting it to potential abuse.


Example Windows registry value for this purpose

All of the examples that I’ve found documenting this show the following:

C:\myapp.exe "%1"


Primary Question

Assuming that the registered handler (e.g. "myapp.exe") has zero possible security flaws, is the above example registry value sufficient for ensuring that malicious websites are unable to piggyback additional commands and/or arguments?


Clarifications

  • For the purpose of this question, please assume that the protocol handler (e.g. "myapp.exe") is incapable of exposing vulnerabilities of its own – it’s idle – it launches, does nothing, and quits. This question is specifically related to the browser and/or OS and the "execution" of this registry value.
  • Can malicious actors somehow escape out of the "%1" double quotes and cause the browser and/or OS to run additional commands (e.g. && C:\Win32\do-something-malicious.example.exe)?
  • Similarly, can malicious actors somehow send additional arguments to the protocol handler? Or does the "%1" ensure that the handler will only ever receive a single argument?
  • If this registry value is insufficient to only ever call the protocol handler (and nothing more) with a single argument, is there a better way?
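Whatever the launching side does with "%1", the handler itself can refuse anything other than exactly one well-formed URI of its own scheme. The following is an added example written for this page, not code from the question or from any real handler: a Python stand-in for "myapp.exe" that checks the argument count, length, character set and scheme before parsing an allow-listed set of query parameters. The scheme name comes from the question; the parameter names (id, view), the length limit and the character rules are assumptions chosen for the example.

```python
import re
import sys
from urllib.parse import parse_qs, urlsplit

# The scheme name comes from the question. The parameter names, length limit
# and character rules below are assumptions made for this example.
SCHEME = "mycustomproto"
MAX_LEN = 2048
ALLOWED_PARAMS = {"id", "view"}
PARAM_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
FORBIDDEN = set(' "\\')  # raw space, double quote, backslash never belong in a URI


def validate_protocol_arg(args):
    """Return the URI if args (argv without the program name) is acceptable.

    Raises ValueError otherwise. A handler registered with a single "%1"
    should only ever receive one argument, so any other count is treated as
    tampering or misconfiguration and rejected before further processing.
    """
    if len(args) != 1:
        raise ValueError("expected exactly one argument, got %d" % len(args))
    uri = args[0]
    if len(uri) > MAX_LEN:
        raise ValueError("argument too long")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        raise ValueError("control character in argument")
    if FORBIDDEN & set(uri):
        raise ValueError("whitespace, quote or backslash in argument")
    if urlsplit(uri).scheme.lower() != SCHEME:
        raise ValueError("unexpected scheme")
    return uri


def parse_params(uri):
    """Extract an allow-listed parameter dict from a validated URI; unknown
    keys, repeated keys and values outside PARAM_VALUE are rejected."""
    query = urlsplit(uri).query
    params = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key not in ALLOWED_PARAMS:
            raise ValueError("unknown parameter %r" % key)
        if len(values) != 1 or not PARAM_VALUE.match(values[0]):
            raise ValueError("bad value for %r" % key)
        params[key] = values[0]
    return params


def handle(args):
    """Validate and parse in one step; returns the parameter dict or raises."""
    return parse_params(validate_protocol_arg(args))


def is_acceptable(args):
    """Boolean wrapper around handle() for quick checks."""
    try:
        handle(args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Entry point of the (hypothetical) handler: reject on any failure.
    try:
        print("accepted parameters:", handle(sys.argv[1:]))
    except ValueError as exc:
        print("rejected:", exc, file=sys.stderr)
        sys.exit(2)
```

The point of the argument-count check is that it turns the question's uncertainty into a hard failure: if the handler ever sees more than one argument, it exits without doing anything, regardless of how that extra argument got there.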

Is there a security vulnerability in setting a public DNS entry to a private IP Address?

I recently set up a wireguard server-network configuration with a home server and client devices. I have one main domain that I hope to route everything through via subdomains (in this example, abc.domain.com, def.domain.com, etc.). I hope to use nginx to do this routing.

Is it possible/secure/recommended to register a private IP address (specifically of my home server within the wireguard network, i.e. 10.27.0.1/24) in a public DNS (e.g. google DNS), so that if you run ping abc.domain.com you would get back 10.27.0.1? I found a few questions that answer a question that are close to this one (this one covers private IP for public DNS for MX records, this one talks about having A records without much mention of VPN), and the overall picture I get from these links is that it is possible, but not technically perfect since a hacker gets a small piece of info about your local network (wireguard network is 10.27.0.1/24). Isn’t this relatively a moot point given it’s behind wireguard, assuming I have all of the usual safety checks in place (no remote ssh (root or otherwise) unless on wireguard network, fail2ban, no password authentication for ssh, etc.)?

This IP (10.27.0.1) would be only accessible through the wireguard network, so I don’t think it would expose the services to the internet. I want to do this so that I don’t have to set up local DNS entries on each device, as I don’t believe this is possible on a phone, and it would be ideal to make one change [i.e. set the DNS entry to 10.27.0.1] and then have each device just running a simple DNS query for abc.domain.com. This would also have the added benefit of only opening the wireguard port, and keeping the firewall closed for 80 + 443.

A corollary of this question is how best do you manage certs/ssl if this is possible? I managed to get certbot working by temporarily exposing port 80 on my server to acquire the certs for abc.domain.com, and then closing 80 to only access the webserver via wireguard through the wireguard port + nginx. I can already see one downside to this method – having to manually open port 80 every time certbot wants to get new certificates (I believe by default this is every 60 days). I understand that wireguard is approximately as secure as SSL/HTTPS, but for my personal OCD I would prefer to have the connection secured through https on top of wireguard. I’m somewhat iffy on the details of managing certs for wildcards, but could I do it with my main domain.com (that is pointing to an internet-facing site) and have it propagate to the subdomains, allowing it to be renewed through that? (this question seems to indicate so)

My goal long term is to expand this into a network that includes family/close friends as a type of ‘intranet’ for sharing photos and using other self-hosted services.

My nginx config file (abc.conf) looks something like this:

    server {
        server_name abc.domain.com;
        # DNS entry of abc.domain.com is 10.27.0.1, which is the local IP for the wireguard network
        # SHOULD NOT be accessible outside of wireguard network

        location / {
            proxy_pass http://127.0.0.1:8000; # Redirects to local service on port 8000
        }

        listen [::]:443 ssl; # managed by Certbot
        listen 443 ssl; # managed by Certbot

        # SSL certs provided by certbot [removed manually]
        # .
        # .
        # .
    }

Hijacking stale DNS entry to point to your own website

Context and system configuration:

  • AWS EC2 instance with a public IP address
  • AWS Route53-managed DNS with a somesubdomain.somedomain.io pointing to the above IP address
  • Above AWS EC2 instance was not running all the time, it was stopped most of the time with only occasional periods of running
  • Every time the EC2 instance was started, DNS entries were updated to point at its new IP address – EC2 instances do not retain their public IP addresses when they are not running; they get a new public IP address on startup
  • DNS entries were left as-is when the instance was stopped
  • The reason behind this slightly unusual setup is cost saving, while still being able to use static domain names for connecting to the instance when it is running

Attack:

  • One day I noticed there was a website under the somesubdomain.somedomain.io mentioned above, despite my EC2 instance being down
  • This website had my domain name in its banner/logo, so this couldn’t have been a coincidence

Analysis:

  • I did not carry out as much analysis as I could at that time. In fact I just wanted to solve the problem. Now I just delete DNS entries when shutting down the instance.
  • I realised there is a problem with a DNS entry under my domain pointing at the past public IP address of my EC2 instance. When the instance was last shut down, the IP address went back to the available pool and could be re-assigned to a completely different instance

Questions:

  • Does this attack have a common name?
  • What would be the primary benefits for the attacker?
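Both of the last two posts come down to the same routine check: does every A record in the zone point where its owner expects? The block below is an added example written for this page, not code from either post. It audits a constructed zone snapshot against the WireGuard subnet from the first post (10.27.0.0/24) and a constructed set of public addresses currently attached to running instances, flagging private addresses outside the VPN subnet and public addresses the owner no longer holds (the stale-record situation the second post describes). In the AWS setup above, the zone would come from Route53 and the owned addresses from the EC2 API; here both are embedded so the audit runs offline. All hostnames and addresses other than those quoted from the posts are illustrative.

```python
import ipaddress

# RFC 1918 ranges, checked explicitly rather than via is_private so that the
# documentation-range addresses used as constructed "public" samples below
# are classified as public.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The WireGuard subnet from the question.
VPN_SUBNET = ipaddress.ip_network("10.27.0.0/24")

# Constructed zone snapshot: name -> A record as a public resolver would
# return it. Names other than those in the posts are illustrative.
ZONE = {
    "abc.domain.com": "10.27.0.1",                    # VPN-only service, inside the WireGuard subnet
    "def.domain.com": "10.27.0.1",
    "lab.domain.com": "192.168.1.20",                 # private but not the VPN subnet: probably a slip
    "www.domain.com": "203.0.113.10",                 # public site that is still ours
    "somesubdomain.somedomain.io": "198.51.100.77",   # address we no longer hold
}

# Constructed: public addresses currently attached to our running instances.
OWNED_PUBLIC = {"203.0.113.10"}


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def classify_record(address, vpn_subnet=VPN_SUBNET, owned_public=OWNED_PUBLIC):
    """Label one A record: vpn-only, private-outside-vpn, public-owned or dangling."""
    ip = ipaddress.ip_address(address)
    if ip in vpn_subnet:
        return "vpn-only"
    if is_rfc1918(ip):
        return "private-outside-vpn"
    if address in owned_public:
        return "public-owned"
    return "dangling"


def audit_zone(zone, vpn_subnet=VPN_SUBNET, owned_public=OWNED_PUBLIC):
    """Classify every record in the zone snapshot."""
    return {name: classify_record(addr, vpn_subnet, owned_public) for name, addr in zone.items()}


def findings(zone, vpn_subnet=VPN_SUBNET, owned_public=OWNED_PUBLIC):
    """Names that need action: dangling records and stray private addresses."""
    report = audit_zone(zone, vpn_subnet, owned_public)
    return sorted(n for n, status in report.items() if status in ("dangling", "private-outside-vpn"))


if __name__ == "__main__":
    for name, status in audit_zone(ZONE).items():
        print(f"{name:30} {ZONE[name]:16} {status}")
    print("needs attention:", findings(ZONE))
```

Run on a schedule (or as the last step of the instance shutdown the second post describes), the "dangling" status is exactly the condition that was only noticed after someone else's site appeared under the name; deleting or re-pointing the record at shutdown, as the poster now does, keeps the list empty.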

Create dynamic sql query to select all related data in DB based on entry table and ID

Hope all is well. I am hoping you can help me.

Problem Statement – I’m tasked to create a dynamic SQL statement which will select all related data from a given table where the Identifier is passed. For each table where the relevant data is found, I would like the data to be exported onto a separate tab within Excel.

If I were doing this manually, I would perform the following queries and export the data onto each tab:

    SELECT * FROM Mason WHERE id = 12345;
    SELECT * FROM MasonContacts WHERE Companyid = 12345;
    SELECT * FROM MasonOpportunities WHERE Comid = 12345;

However given the sheer volume of tables this isn’t viable.

Step 1 : Type in my identifier (in this case my identifier is a field called "Id" in the Table "Mason") The query will always start from this table.

Table Name : Mason Field : Id = "12345"

Step 2 : Search against table "MasonContacts", search against the field "Companyid". Return all columns & records where the field "Companyid = 12345"

Table Name : MasonContacts Field : Companyid

Step 3 : Search against table "MasonOpportunities", search against the field "Comid". Return all columns & records where the field "Comid = 12345"

Table Name : MasonOpportunities Field : Comid

Looking forward to your help
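The risk in "dynamic SQL" of this kind is that table and column names cannot be bound as parameters, so they end up spliced into the statement text; the identifier value itself can and should stay a bound parameter. The following is an added example for this page, not code from the question: a Python/sqlite3 script that walks the three steps above from a relationship map, allow-lists every identifier before splicing it, binds the id as a parameter, and produces one CSV document per non-empty table (one per spreadsheet tab). The table and column names are taken from the question; the relationship map, the sample rows and the extra columns are constructed for the demonstration, and a real deployment would build the map from the database's foreign-key metadata.

```python
import csv
import io
import re
import sqlite3

# Constructed relationship map: which column of each child table carries the
# Mason.Id value. Table and column names come from the question.
RELATED = {
    "MasonContacts": "Companyid",
    "MasonOpportunities": "Comid",
}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_safe_identifier(name):
    return bool(IDENT.match(name))


def quote_ident(name):
    """Allow-list an identifier before it is spliced into SQL text; identifiers
    cannot be bound as parameters, so this is the guard against injection."""
    if not is_safe_identifier(name):
        raise ValueError("unsafe identifier: %r" % name)
    return '"%s"' % name


def table_columns(conn, table):
    return {row[1] for row in conn.execute("PRAGMA table_info(%s)" % quote_ident(table))}


def fetch_related(conn, mason_id, related=RELATED):
    """Return {table: (columns, rows)} for every table holding rows for mason_id.
    The id is always bound; only allow-listed identifiers are spliced."""
    plan = [("Mason", "Id")] + list(related.items())
    results = {}
    for table, column in plan:
        if column not in table_columns(conn, table):
            raise ValueError("column %s not in %s" % (column, table))
        sql = "SELECT * FROM %s WHERE %s = ?" % (quote_ident(table), quote_ident(column))
        cur = conn.execute(sql, (mason_id,))
        rows = cur.fetchall()
        if rows:
            results[table] = ([d[0] for d in cur.description], rows)
    return results


def to_csv_tabs(results):
    """One CSV document per table; each becomes its own spreadsheet tab."""
    tabs = {}
    for table, (columns, rows) in results.items():
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(columns)
        writer.writerows(rows)
        tabs[table] = buf.getvalue()
    return tabs


def build_sample_db():
    """Constructed in-memory data set for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Mason (Id INTEGER PRIMARY KEY, Name TEXT);
        CREATE TABLE MasonContacts (ContactId INTEGER PRIMARY KEY, Companyid INTEGER, Email TEXT);
        CREATE TABLE MasonOpportunities (OppId INTEGER PRIMARY KEY, Comid INTEGER, Title TEXT);
        INSERT INTO Mason VALUES (12345, 'Mason Ltd'), (99, 'Other Co');
        INSERT INTO MasonContacts VALUES (1, 12345, 'a@example.com'), (2, 99, 'b@example.com');
        INSERT INTO MasonOpportunities VALUES (7, 12345, 'Bid'), (8, 12345, 'Renewal');
    """)
    return conn


if __name__ == "__main__":
    conn = build_sample_db()
    for table, text in to_csv_tabs(fetch_related(conn, 12345)).items():
        print("--- tab:", table)
        print(text, end="")
```

Because the plan is data rather than text, adding a fourth or fortieth table is a one-line change to the map, and every name still has to pass the identifier check before it reaches the database.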

Help with Many to Many Table Data Entry

I’ve got a question on how to "prettify" data entry and removal for a many to many relationship.

Imagine if you will a DB with 3 tables. Tables called Users, Roles, and RoleAssignment.

    -- `Users`
    CREATE TABLE `Users` (
      `userID`   int NOT NULL AUTO_INCREMENT,
      `userName` varchar(40) NOT NULL,
      `realName` varchar(40) NOT NULL,
      PRIMARY KEY (`userID`),
      UNIQUE KEY `username` (`username`)
    ) AUTO_INCREMENT=1;

    -- `Roles`
    CREATE TABLE `Roles` (
      `roleID`   int AUTO_INCREMENT NOT NULL,
      `roleName` VARCHAR(40) NOT NULL,
      PRIMARY KEY (`roleID`)
    );

    -- `RoleAssignment`
    CREATE TABLE `RoleAssignment` (
      roleAssignID int NOT NULL AUTO_INCREMENT,
      roleID       int NOT NULL,
      userID       int NOT NULL,
      PRIMARY KEY (roleAssignID),
      FOREIGN KEY (userID) REFERENCES Users(userID),
      FOREIGN KEY (roleID) REFERENCES Roles(roleID)
    ) AUTO_INCREMENT=1;

This is a database where RoleAssignment is essentially a child table only meant to connect two Parent tables together. I made them this way because the user<->role relationship is many to many.

I found a way of getting this to output just relationships between users and their roles… Both queries output the same data but query 2 is better organized.

    SELECT
        Users.userName,
        Users.realName,
        Roles.roleName
    FROM Users
    JOIN RoleAssignment ON Users.userID = RoleAssignment.userID
    JOIN Roles ON Roles.roleID = RoleAssignment.roleID;

    SELECT Users.userName, Users.realName, GROUP_CONCAT(Roles.roleName)
    FROM Users
    JOIN RoleAssignment ON Users.userID = RoleAssignment.userID
    JOIN Roles ON Roles.roleID = RoleAssignment.roleID
    GROUP BY Users.userID;

Is there an easy way to add an entry to the RoleAssignment table by name instead of ID in a single query? i.e. "Add user jack to role moderator"? Or would I need to write a script to find the ID of the user, then the ID of the role, and finally add an entry to RoleAssignment?

Any help or guidance would be appreciated!
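The single-statement form is INSERT ... SELECT: the names are resolved by the same statement that inserts, with both values bound as parameters, so no script has to fetch the IDs first. The block below is an added example for this page, not the poster's code. It uses Python with sqlite3 so it runs stand-alone; the schema is the question's, adapted to SQLite syntax, with one addition that is an assumption of the example: a UNIQUE (userID, roleID) constraint so that INSERT OR IGNORE makes "add jack to moderator" idempotent. The sample users and roles are constructed.

```python
import sqlite3

# Schema adapted from the question for SQLite (AUTO_INCREMENT -> AUTOINCREMENT).
# The UNIQUE (userID, roleID) constraint is an addition for this example: it
# stops the same assignment being recorded twice.
SCHEMA = """
CREATE TABLE Users (
  userID   INTEGER PRIMARY KEY AUTOINCREMENT,
  userName TEXT NOT NULL UNIQUE,
  realName TEXT NOT NULL
);
CREATE TABLE Roles (
  roleID   INTEGER PRIMARY KEY AUTOINCREMENT,
  roleName TEXT NOT NULL UNIQUE
);
CREATE TABLE RoleAssignment (
  roleAssignID INTEGER PRIMARY KEY AUTOINCREMENT,
  roleID INTEGER NOT NULL REFERENCES Roles(roleID),
  userID INTEGER NOT NULL REFERENCES Users(userID),
  UNIQUE (userID, roleID)
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def assign_role(conn, user_name, role_name):
    """Add user->role by name in one statement. Returns rows inserted:
    1 on success, 0 if the user or role does not exist or the assignment
    already exists (INSERT OR IGNORE makes the call idempotent)."""
    cur = conn.execute(
        "INSERT OR IGNORE INTO RoleAssignment (userID, roleID) "
        "SELECT u.userID, r.roleID FROM Users u, Roles r "
        "WHERE u.userName = ? AND r.roleName = ?",
        (user_name, role_name),
    )
    conn.commit()
    return cur.rowcount


def revoke_role(conn, user_name, role_name):
    """Remove the assignment by name; returns rows deleted (0 or 1)."""
    cur = conn.execute(
        "DELETE FROM RoleAssignment WHERE "
        "userID = (SELECT userID FROM Users WHERE userName = ?) AND "
        "roleID = (SELECT roleID FROM Roles WHERE roleName = ?)",
        (user_name, role_name),
    )
    conn.commit()
    return cur.rowcount


def roles_of(conn, user_name):
    """Sorted role names for one user (the per-row form of the poster's query)."""
    rows = conn.execute(
        "SELECT r.roleName FROM Users u "
        "JOIN RoleAssignment ra ON ra.userID = u.userID "
        "JOIN Roles r ON r.roleID = ra.roleID "
        "WHERE u.userName = ? ORDER BY r.roleName",
        (user_name,),
    )
    return [row[0] for row in rows]


def build_sample_db():
    """Constructed users and roles for the demonstration."""
    conn = open_db()
    conn.executemany("INSERT INTO Users (userName, realName) VALUES (?, ?)",
                     [("jack", "Jack Example"), ("jill", "Jill Example")])
    conn.executemany("INSERT INTO Roles (roleName) VALUES (?)",
                     [("moderator",), ("editor",)])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_sample_db()
    print(assign_role(conn, "jack", "moderator"))    # 1
    print(assign_role(conn, "jack", "moderator"))    # 0, already assigned
    print(assign_role(conn, "nobody", "moderator"))  # 0, unknown user
    print(roles_of(conn, "jack"))                    # ['moderator']
```

The return value matters in practice: a 0 from assign_role means either name was misspelled or the assignment already existed, and the caller can tell the difference by checking roles_of afterwards rather than by trusting that the insert happened.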

How to find the lines of a matrix that have the property of being zero everywhere except for one entry?

I am interested in finding the lines where all entries are equal to zeros except for one.

Example: Given the following matrix:

\begin{bmatrix} 0 & 0 & 3 & 8 \\ 0 & 4 & 0 & 0 \\ 0 & 1 & 0 & 1 \end{bmatrix}

Only the second line verifies this property.

Of course, the brute force way is to go over the entries and check them one by one. But I am wondering if there is a more efficient way I don’t know about.