How to install node modules for external evaluation?

I was hoping for some extra clarity on configuring additional modules for use in external evaluation, since there’s no mention of this in the nodejs workflow.

It seems Mathematica looks only at ~/.node_modules, so is it sufficient to simply generate a soft link?

cd ~; ln -s node_modules .node_modules 

In decreasing importance, here are some specific sub-questions:

  1. I prefer using yarn to manage required installations, do I have to use npm?
  2. Do npm installs need to be global or user?
  3. Does the fe or kernel need to be restarted; or evaluators re-registered after install or removal?

Knowing that any specific functionalities or modules will definitely not work (e.g. no browser …) would help, and any pro-tips from Javascript developers would be appreciated. For example, would it be possible to add a 'package.json' file for a notebook and isolate dependencies? I really don’t want these mma configuration steps to interfere with my existing node-js work.

Tunnel Connection Failed error when accessing WP site from external network

I have a LAMP server setup at home with wordpress. Static IP on the server and port 80 forwarded on the router to that server. Apache listening on port 80 and virtual host configured accordingly.

It was working fine, but now when I browse to my domain gws.voyez.ca (that points to my public IP) the browser just shows “Tunnel Connection Failed”. Oddly enough, I can still access pages in that folder (e.g. gws.voyez.ca/test.html or gws.voyez.ca/phpinfo.php serve fine). This only happens externally; on the internal LAN there are no issues. I have tried from multiple devices and different browsers.

It was working fine for a few weeks and just seems to have broken (no changes that I can think of).

Potentially ISP blocking something?

Thanks for reading.

Ian

CSP: any way to prevent inline scripts dynamically created by a trusted external script?

Let’s say I have a simple web application which uses a single JavaScript (JS) file, loaded from its own domain, and has implemented the restrictive Content Security Policy (CSP) of default-src 'self'. There’s a stored XSS in it whereby the JS file will make an Ajax call to an API which would return some content stored in a database, and that content (which came from untrusted user input) has inline JavaScript in it. The JS file creates an element in the page’s document and sets its HTML content to the retrieved content. Let’s assume that this is the necessary way of doing what it needs to do, and let’s assume that sanitising/encoding the input is unfeasible. I know that user input should always be sanitised; just for the purposes of this question, skip this suggestion as a solution.

Is there any way to set a CSP such that this inline JavaScript, dynamically put onto the page by trusted JavaScript, is blocked?

Here’s a minimal working example (you may need to serve it from a simple HTTP server, e.g. php -S localhost:58000, rather than loading as an .html file)

csp-test.html:

    <!DOCTYPE html>
    <html>
      <head>
        <meta charset="UTF-8" />
        <meta http-equiv="Content-Security-Policy" content="default-src 'self'">
        <script charset="utf-8">
          console.log('script') // blocked, OK
        </script>
        <script src="csp-test.js" charset="utf-8"></script>
      </head>
      <body>
        <img src="x" onerror="console.log('img')"/> <!-- blocked, OK -->
      </body>
    </html>

csp-test.js:

    console.log('trusted ext script') // executed, OK
    i = document.createElement('img')
    i.src = 'y'
    i.addEventListener('error',
      function(){ console.log('img by trusted ext script'); }) // executed, HOW TO BLOCK THIS?
    document.body.append(i)


Should a bank/financial service use external URL shortener services?

Say there is a bank/financial service that wants to have hyperlinks on their secure website/domain (or even in emails they send out to customers). In some of these links there are some long/obscure URLs which link to one of their subdomains, but the long links are ugly and not very user friendly, so they want to have shorter, nicer links to put on the website or email.

  • What are the risks for a bank/financial service using an external URL shortener service, e.g. Bitly, for this?
  • Is it better for a bank/financial service to host this sort of short link to long link translation service on their own domain and infrastructure?

Trusted Execution Environment (TEE) internal API vs. external (client) API

I am studying Trusted Execution Environment (TEE) in Android mobile phone. From reading, I found there are 2 APIs in TEE (isolated OS):

  • Internal API: a programming and services API for Trusted Applications (TA) in the TEE; it cannot be called by any application running in the rich OS (Android’s original OS). E.g., the internal API provides cryptographic services

  • External API or client API: called by applications running in rich OS, in order to access TA and TEE services.

Assume I want to apply TEE in this way:

  • I have an APP running in rich OS
  • I want to securely store some cryptographic keys of my APP
  • Hence, the keys are stored in TEE
  • The APP in rich OS retrieves the keys from TEE when it needs them, and deletes them from rich OS memory after usage

Please help explain:

  • How the internal & external API should work in the above situation.
  • Apart from the APP in rich OS, do I also need a TA running in TEE to store & provide the keys?

How can you hide the usage of an external VPN?

Let’s assume we need a VPN to access some site, e.g. for bypassing geo-blocks. But those sites don’t want VPN users. A good example is Netflix. However, I don’t want to specify this just on Netflix, since there are other services blocking VPNs as well.

So I thought about how those target sites could detect if I’m using a VPN or not. One indicator is a high number of connections from a single IP. This is relatively easily fixable with multiple external IPs on the VPN server. But those IPs themselves could leak this information.

1. Whois data

PrivateVPN is an example:

    # whois $(dig +short de-nur.pvdata.host) | grep -i vpn
    % Abuse contact for '185.89.36.0 - 185.89.36.127' is 'support@privatevpn.com'
    netname:        PRIVATEVPN

“VPN” in the whois data, or even the names of common VPN providers, are clear and easy to match.

2. IP databases

I found ipinfo.io where we can enter an IP and even get information about the device type. For example, another VPN server 162.245.206.242 gave me

    company: Object
      name: "i3D.net B.V"
      domain: "i3d.net"
      type: "hosting"

where a query with my real IP (normal private customer home internet connection) shows type: "isp" with the name of my ISP. So I assume that simply querying those APIs and banning all users with type: hosting would match most VPN servers.

How could we hide it?

I don’t see a practical way to hide it. Services like ipinfo earn money by collecting such information and keeping them up to date.

The only way would be a VPN service that uses servers hosted by private ISPs. Is there any other method of using a VPN service without letting the target site know it?
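
The two signals this question describes (whois registry text and the IP database `type` field), combined as a site operator might evaluate them. This is an added example, not part of the original post: the keyword list, function names and the home-ISP sample are assumptions, while the PrivateVPN whois lines and the i3D.net record are the values quoted in the question.

```python
# Added example: VPN/hosting classification from whois text and an IP-database record.
VPN_KEYWORDS = ("vpn", "proxy", "anonymiz")  # assumed keyword list, not from the post

# whois lines and ipinfo-style record as quoted in the post
WHOIS_PRIVATEVPN = """\
% Abuse contact for '185.89.36.0 - 185.89.36.127' is 'support@privatevpn.com'
netname:        PRIVATEVPN
"""
RECORD_I3D = {"company": {"name": "i3D.net B.V", "domain": "i3d.net", "type": "hosting"}}

# Constructed sample for a home connection (hypothetical values)
WHOIS_HOME = "netname:        EXAMPLE-ISP-DSL\ndescr:          Example ISP customers\n"
RECORD_HOME = {"company": {"name": "Example ISP", "domain": "isp.example", "type": "isp"}}


def parse_whois(text):
    """Split whois output into key/value fields and '%'/'#' remark lines."""
    fields, remarks = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line[0] in "%#":
            remarks.append(line.lstrip("%# "))
        elif ":" in line:
            key, _, value = line.partition(":")
            fields.setdefault(key.strip().lower(), value.strip())
    return fields, remarks


def classify(whois_text, ip_record):
    """Return (verdict, reasons) for one client IP."""
    fields, remarks = parse_whois(whois_text)
    haystack = " ".join([fields.get("netname", ""), fields.get("descr", ""), *remarks]).lower()
    reasons = [f"whois mentions '{kw}'" for kw in VPN_KEYWORDS if kw in haystack]
    ip_type = ip_record.get("company", {}).get("type", "")
    if ip_type == "hosting":
        reasons.append("ip database type is 'hosting'")
    if any(r.startswith("whois") for r in reasons):
        return "vpn", reasons          # provider names itself in registry data
    if reasons:
        return "hosting", reasons      # datacenter address, not necessarily a VPN
    return ("residential" if ip_type == "isp" else "unknown"), reasons


if __name__ == "__main__":
    for whois_text, record in [(WHOIS_PRIVATEVPN, {}), ("", RECORD_I3D), (WHOIS_HOME, RECORD_HOME)]:
        print(classify(whois_text, record))
```

Keeping "vpn" and "hosting" as separate verdicts matters operationally: a `type: "hosting"` match also covers corporate gateways and cloud desktops, so a site that blocks on it alone will reject some non-VPN users.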

Using XSS to Steal Cookies WITHOUT access to external server

I’m working on a project where we need to craft an HTML page that launches a CSRF attack that logs in to an attacker account on a victim computer. The biggest hurdle, however, is an authorization cookie needed to log in.

I need to do an XSS attack on this website to steal the cookie needed and use it in the CSRF attack. However, the catch is that the XSS attack must be done entirely on the HTML page itself; I can’t have a server or website that can catch the cookies from a rudimentary XSS attack. This is where all the XSS cookie stealers I’m finding falter: they rely on an external server to catch the cookies.

Does anyone know how I can perform XSS cookie stealing entirely within an HTML file?