What is the term for data leaking from one HTTP request to another and how to prevent it?


Context

We recently added a feature that used a library whose API we misunderstood. Long story short, if user A sends a request to our web application, the library caches some result, and that result may show in a response to user B’s request. Needless to say, this is a security bug, specifically, data from user A leaks to user B.

Although it is well known that web applications should be stateless, the long dependency graph of such applications makes the likelihood of some downstream library (or its bad usage) accidentally leaking data between requests non-zero. I can imagine this bug is possible with a wide range of web frameworks and environments (e.g., Django, .NET, NodeJS, AWS Lambda), since they all reuse the application between requests to avoid cold starts.

Questions

  1. What is the proper term for data leaking server-side between HTTP requests, due to an honest developer mistake? Terms such as session hijacking and session fixation seem to refer exclusively to malicious attacks.

  2. Are there tools and methods to test for such mistakes or detect them in production?
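The bug the question describes, reduced to its smallest shape, as an added example (not code from the question or from any of the frameworks it names): a handler caches a result in process-wide state, so the first user's result is served to the next user; the fixed version keeps the cache in request scope and keys it by principal; and a replay check of the kind asked for in question 2 flags the leak. Names, users and the "orders" string are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    path: str
    # Per-request scratch space: created with the request, gone when it ends.
    scratch: dict = field(default_factory=dict)


def fetch_orders(user):
    """Stand-in for the expensive call whose result gets cached (constructed)."""
    return f"orders for {user}"


def render_buggy(req, cache={}):
    # The mutable default is built once, when the function is defined, so every
    # request in this long-lived process shares it. The key also forgets who
    # asked, so user A's result is handed to user B.
    if req.path not in cache:
        cache[req.path] = fetch_orders(req.user)
    return cache[req.path]


def render_fixed(req):
    # Same logic, but the cache lives on the request object and the key
    # includes the principal. Nothing outlives the request, so nothing can
    # cross between users.
    key = (req.user, req.path)
    if key not in req.scratch:
        req.scratch[key] = fetch_orders(req.user)
    return req.scratch[key]


def cross_request_leaks(handler, users=("alice", "bob"), path="/orders"):
    """Regression check: replay the same path as several users through one
    long-lived process and flag any response that names a different user.
    Returns [(requesting_user, response), ...]; an empty list means no leak
    was observed for these users."""
    leaks = []
    for user in users:
        response = handler(Request(user, path))
        if any(other in response for other in users if other != user):
            leaks.append((user, response))
    return leaks


if __name__ == "__main__":
    print("buggy:", cross_request_leaks(render_buggy))
    print("fixed:", cross_request_leaks(render_fixed))
```

The same shape appears as module-scope variables in Node, static fields in .NET, and anything initialised outside the handler in Lambda. The replay check only catches leaks whose marker (here, the user name) is visible in the response; against a real application, run it through the framework's test client with two authenticated users, and in production log any response carrying an identifier that does not belong to the requesting principal.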

Why are nested anonymous pure functions shielded from evaluation?

I tried the following code (ignoring the warning messages):

{#, # &, Function[{x}, #], Function[{#}, x], Function[{#}, #]} &@7
(*result: {7, #1 &, Function[{x}, 7], Function[{7}, x], Function[{7}, 7]}*)

I wonder why #& was not changed into 7&. I saw a "possible issue" similar to this mentioned in ref/Slot, but I couldn’t find further documentation about it. Is it a bug, or is it specially designed this way?

SSL Connection from phpmyadmin to mysql server [closed]

I am getting these errors with this config; I can’t get phpMyAdmin to work with it and need help. The MySQL server is on a different machine.

Thanks,

// Without this line the ssl_* settings below are ignored by phpMyAdmin.
$cfg['Servers'][$i]['ssl'] = true;
$cfg['Servers'][$i]['ssl_cert'] = '/etc/mysql/mysql.pem';
$cfg['Servers'][$i]['ssl_key'] = '/etc/mysql/mysqlkey.pem';
$cfg['Servers'][$i]['ssl_ca'] = '/usr/local/share/ca-certificates/SERVER/SERVERSSL.pem';
$cfg['Servers'][$i]['ssl_ca_path'] = '/usr/local/share/ca-certificates/SERVER';
// Boolean, not the string 'true': verifies the MySQL server certificate against ssl_ca.
$cfg['Servers'][$i]['ssl_verify'] = true;

ERRORS

Interview q: Smallest possible length of stick from an array of stick lengths

I was asked this question in a phone interview recently and I bombed it completely. Zero clue how to approach it. I wasn’t able to find any similar patterns by googling. Thought maybe folks here might be able to help?


Statement: Given m sticks with different lengths, combine these sticks to form longer sticks of the same length. What’s the smallest possible length of these newly unified sticks?

Conditions:

  • Must use all sticks
  • m < 50
  • max length of single stick less than 20

Example:

Input: 5 2 1 5 2 1 5 2 1
Output: 6 (Process: 1+5, 1+5, 1+5, 2+2+2)

Input: 3 3 3 2 2 5
Output: 9 (Process: 3+3+3, 2+2+5)

Input: 1 2 3 4 5
Output: 5 (Process: 2+3, 1+4, 5)

Input: 1 3 4 5
Output: 13 (Process: 1+3+4+5)
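A solver for the problem as stated, added here as an example (it is not from the question or from the interviewer). The reasoning it encodes: the unified length L must divide the total length and be at least the longest single stick, and L equal to the total is always achievable, so try candidate divisors in increasing order and, for each, ask whether the sticks can be partitioned into groups that each sum to exactly L (the k-equal-subset-sum problem, solved by backtracking). The function names are this example's own.

```python
def smallest_stick_length(lengths):
    """Smallest length L such that every stick is glued into some composite
    stick of length exactly L. Candidates are the divisors of the total that
    are at least the longest stick; the total itself always works."""
    sticks = sorted(lengths, reverse=True)  # largest first: prunes the search early
    total = sum(sticks)
    for target in range(sticks[0], total):
        if total % target == 0 and can_partition(sticks, target):
            return target
    return total


def can_partition(sticks, target):
    """Can the (descending-sorted) sticks be split into groups that each sum
    to target? Backtracking over 'which group does stick i join'."""
    groups = [0] * (sum(sticks) // target)

    def place(i):
        if i == len(sticks):
            return True
        tried = set()  # groups with the same current fill are interchangeable
        for g, fill in enumerate(groups):
            if fill in tried or fill + sticks[i] > target:
                continue
            tried.add(fill)
            groups[g] = fill + sticks[i]
            if place(i + 1):
                return True
            groups[g] = fill
            if fill == 0:
                # Groups fill left to right, so every group after an empty one
                # is empty too; if stick i failed here it fails everywhere.
                return False
        return False

    return place(0)


if __name__ == "__main__":
    for case in ([5, 2, 1, 5, 2, 1, 5, 2, 1], [3, 3, 3, 2, 2, 5], [1, 2, 3, 4, 5], [1, 3, 4, 5]):
        print(case, "->", smallest_stick_length(case))
```

With the stated limits (m < 50, lengths < 20) the total is under 1000, so the number of candidate divisors is small and the backtracking, with the two prunes above, finishes quickly in practice.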

How to go from add_submenu_page to another page

Hello everyone, I’m moving from procedural PHP to objects, and I was asking myself a question. Once I created my plugin, which gives me a quick view of a section in the WP dashboard through add_menu_page, and created sub-items with add_submenu_page, I am inside this page:

function secondo_menu_sottomenu() {
    echo '<div class="wrap"><div id="icon-options-general" class="icon32"><br></div>
        <h2>PRIMO SOTTOMENÙ</h2></div>

    <!--Card-->
    <div id="test" class="card card-cascade narrower mb-4" style="margin-top: 28px;cursor: pointer;">
        <!--Card image-->
        <div class="view view-cascade">
            <a>
                <div class="mask rgba-white-slight"></div>
            </a>
        </div>
        <!--/.Card image-->
        <!--Card content-->
        <div class="card-body card-body-cascade">
            <h5 style="font-weight: 500;font-size: 17px;">
                TEST
            </h5>
            <small>N° TEST</small>
        </div>
        <!--/.Card content-->
    </div>
    <!--/.Card-->
    <script type="text/javascript">
        document.getElementById("test").setAttribute(\'onclick\', \'location.href = "test.php"\');
    </script>
    ';
}

Now I would like to go to a page called test.php, but how do I create it?

I mean, imagine you have the dashboard page, then the users section, and inside users I want to create a page called "registered users" that shows all registered users. This is what I am trying to explain.

In procedural PHP I would have created:

home.php
user.php

and in user.php a link to alluser.php.

How do I create test.php? Is there an add_page-like instruction?

Reverse shell from behind NAT and Firewall

I am new here, so I apologize for not providing complete details. Let me explain the problem. I was working on the Ganana 1 CTF challenge. To up the challenge, I decided to place this CTF machine behind a router. My entire lab is on VMware. For this scenario I used three virtual machines: Kali, IPFire and the Ganana 1 CTF machine.

Kali Linux is my attacker machine, which received its IP from VMware NAT (192.168.44.5).

IPFire is installed as a router-cum-firewall in a RED + GREEN configuration. The RED (external) interface received its IP address (192.168.44.3) from VMware NAT, and on the GREEN interface IPFire acts as the DHCP server (192.168.33.1).

Now, I connected the Ganana CTF machine to the GREEN interface of IPFire. Its IP address is 192.168.33.11.

The GREEN interface is allowed to have internet. Now, when I port scanned the Ganana CTF machine from my Kali, port 80 can be accessed. As part of the challenge, I got access to the WordPress installation on the target machine. It is here that I decided to edit the 404.php page and change its code to that of the PHP reverse shell by pentestmonkey. I configured it to connect to my attacker machine’s IP address (192.168.44.5) on port 1234. But the reverse shell is not working. However, when Kali and Ganana 1 are placed on the same network (NAT), the shell works.

What is the mistake I am making?

Is letting a player use a Large or larger race a bad idea from the game balance point of view?

The Pathfinder ruleset assumes player characters are Medium or Small humanoids. Not many rules exist for non-standard characters.

  • The only "official" way to play as a bigger dude that I know of is using race building rules. With explicit DM permission, it’s possible to create an 11-RP race that will be Large and still have the reach of a Medium/Small creature. Also, this race probably won’t fit into the world of Golarion unless you work for it.
  • Bestiary creatures that are Large or Larger typically have racial Hit Dice, and I’ve heard it many times that mixing racial and class HD for players is generally a bad idea.
  • Some monstrous humanoids, e.g. Trox, have official racial stats and are Large, but playing them is usually frowned upon, as their appearance creates certain social difficulties unless the campaign is set in a monstrous setting.
  • Half-Giants published by Dreamscarred Press are up to 8 ft. 4 in. tall, but still Medium. They are treated as being Large for certain purposes, but not for reach, although they can use Large weapons.

Threads about PCs being Large usually bring up all the related bonuses: CMD/CMB, reach, extra damage, extra STR, and say that it all makes such races vo. Very often they also talk about Enlarge Person alongside Haste creating Huge Barbarians that one-shot everything they see, and about enemies that can’t even retaliate because of limited reach. What makes me a bit interested here, though, is that it’s usually mundane characters who benefit most from increasing their melee potential, and melee characters are rarely overpowered compared to casters.

However, lacking any first-hand experience, I wish to know:

Is it actually a bad idea to allow players to choose Large races for their characters?

By "Large races" I mean races that are properly Large, have all the related benefits, including reach. This race can be custom-made, adapted from another source, or an existing one can be used.

Please remember about the Good Subjective/Bad Subjective guidelines and state your experience of seeing Large or larger races in actual play if you decide to post an answer. Let’s not get this question closed.

Reverse shell from behind firewall and NAT

I have been working on a cyber security project in which I placed a web server behind an IPFire router (external IP 192.168.44.3). It is part of a GREEN LAN network (say its IP is 192.168.33.11). I am trying to get a reverse shell from this target web server to my attacker machine, Kali (IP 192.168.44.5). Can somebody help me in detail with how to get this reverse shell working?
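For both reverse-shell questions above (the detailed one and this shorter one), the first thing to establish is whether a plain TCP connection from the GREEN host to the listener on Kali completes at all, because that is exactly the path the pentestmonkey shell needs: target, out through IPFire's GREEN interface, NAT on RED, attacker. The following is an added example (not from either post, and not IPFire's or pentestmonkey's code): a stand-in for the `nc -lvnp 1234` listener on the attacker side, an egress probe to run on the target side, and a self-test on localhost. The attacker IP and port are taken from the question and assumed as defaults; everything else is constructed.

```python
import socket
import threading

# From the question (assumed as defaults): the Kali listener the PHP shell dials.
ATTACKER_IP = "192.168.44.5"
LISTENER_PORT = 1234


def start_listener(host="127.0.0.1", port=0):
    """Stand-in for `nc -lvnp <port>` on the attacker box. Returns (socket, port);
    port=0 lets the OS pick a free one. Accepted connections are closed at once,
    which is enough to prove the path. Bind 0.0.0.0 when Kali must be reached
    from another network; 127.0.0.1 is only for the local self-test."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener socket was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def egress_ok(host, port, timeout=3.0):
    """Run on the target (GREEN) host: does a TCP connect to the attacker's
    listener complete? A reverse shell cannot work if this returns False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host=ATTACKER_IP, port=LISTENER_PORT):
    """Turn the probe result into the next thing to check."""
    if egress_ok(host, port):
        return "reachable: the TCP path is open; check the listener is running and the IP/port in 404.php"
    return "unreachable: check IPFire's outgoing rules for GREEN and that the listener is bound on a reachable address"


if __name__ == "__main__":
    # Self-test on localhost, then the real probe against the attacker listener.
    srv, port = start_listener()
    print("localhost probe:", egress_ok("127.0.0.1", port))
    srv.close()
    print(diagnose())
```

Run `diagnose()` from the GREEN host (for instance from the same WordPress foothold, since the 404.php edit already gives code execution there). A True result narrows the problem to the payload or the listener; a False result means the connection never leaves the GREEN network, which is where to look before touching the shell code again.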

Can monsters use weapons they took from player characters via Disarm?

Without necessarily getting into whether or not Disarm is a waste of time, if a monster Disarms a PC (page 271, DMG), can that monster use the weapon if it picks it up?

Example…

A Bandit Captain uses its first Melee Weapon Attack to Disarm a PC of their magic sword, then a free action to interact with an object to pick up the magic weapon, and its second Melee Weapon Attack to attack the PC with its new toy, the PC’s former weapon?

Multiattack is sometimes specific to certain weapons… can monsters use other weapons not listed in their Multiattack?