Clickjacking and XSS on file upload input?

I reported a self-XSS on a file uploader input to a bug bounty company and they said that they will only accept it if I can find a good clickjacking exploit for that input. My question is: Is it possible to make a clickjacking proof of concept on a file uploader input? This XSS triggers if I select a file named <script>alert(1)<.pdf as the file to upload. Is it possible to automatically load a file with a custom name into an iframed page's file uploader input with just a few clicks?

The subset sum problem input

  1. The Subset Sum Problem: Input: a finite subset S of integers, and an integer t. Question: does there exist a subset A ⊆ S such that the members of A sum to t? Suppose you have access to an oracle that answers queries about instances of Subset Sum. Assuming (S, t) is a positive instance of Subset Sum, provide an algorithm for determining the set A whose members sum to t. Your algorithm should make at most a polynomial number (as a function of |S|) of oracle queries to compute A.

  2. For this problem you are to show that the Subset Sum decision problem (see previous exercise) is in NP. (a) Define an instance of Subset Sum. Define appropriate size parameters for Subset Sum. (b) Define the ∃-variable and state its domain set (i.e. set of potential solutions). (c) Show that a domain element of the ∃-variable has a size that is bounded by a polynomial in the size of the problem instance. Defend your answer. (d) Clearly define the verifier (i.e. predicate) function. (e) Prove that the verifier is computable in polynomial time, and give its running time.
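As an added worked example (not part of the exercise text), the self-reduction asked for in exercise 1 and the verifier predicate of exercise 2, with the oracle simulated by a standard dynamic-programming decider. Witnesses are represented as lists of indices into S, an assumption made so that repeated values in S are handled cleanly.

```python
def subset_sum_oracle(S, t):
    """Decision oracle standing in for the black box: is some subset of S equal to t?
    Set-based DP, so negative integers are handled as well."""
    reachable = {0}
    for x in S:
        reachable |= {r + x for r in reachable}
    return t in reachable


def verifier(S, t, A):
    """Exercise 2 predicate: A is a list of distinct indices into S whose values sum to t.
    Runs in O(|A|) <= O(|S|) arithmetic steps, i.e. polynomial in the instance size."""
    if len(set(A)) != len(A):            # no index used twice
        return False
    if not all(0 <= i < len(S) for i in A):
        return False
    return sum(S[i] for i in A) == t


def recover_subset(S, t, oracle=subset_sum_oracle):
    """Exercise 1: given a positive instance, find a witness using exactly |S| oracle queries.
    Invariant: the elements at 'remaining' still contain a subset summing to t.
    Each element is dropped in turn and stays out if the rest is still a positive instance;
    whatever survives must itself sum to t (any element outside a witness would have been dropped)."""
    remaining = list(range(len(S)))
    queries = 0
    for i in range(len(S)):
        trial = [j for j in remaining if j != i]
        queries += 1
        if oracle([S[j] for j in trial], t):
            remaining = trial
    return remaining, queries


if __name__ == "__main__":
    # Constructed sample instance: 4 + 5 = 9 is the only witness.
    S, t = [3, 34, 4, 12, 5, 2], 9
    witness, q = recover_subset(S, t)
    print("witness indices:", witness, "values:", [S[i] for i in witness], "queries:", q)
    print("verifier accepts:", verifier(S, t, witness))
```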

Can a new SQL Loader field be defined before the data is actually available in the input file?

In the example below a new field, AOCN, will exist in some future input file.

AOCN is already defined in the Oracle table in anticipation, however positions 12..15 do not exist in current input files.

Can I pre-define the field in SQL Loader in anticipation of the future availability of the new field w/o causing an issue for input files where the positions (12:15) do not yet exist?

LOAD DATA
INFILE 'G:\lerg\lerg16.dat'
TRUNCATE
INTO TABLE lerg_16
(
LRN position (1:10) NULLIF LRN=BLANKS,
STATUS position (11:11) NULLIF STATUS=BLANKS,
AOCN position (12:15) NULLIF AOCN=BLANKS
)

Should user input be validated/checked for its length in PHP (server side) as a security measure?

It is important to note that this user input is something that, after validation & sanitation, will be inserted into a database, and later on be shown to other users on the same web site (example: a forum). I’m referring to both a case when I know in advance what length I should expect from the user and a case in which I don’t but know vaguely that it’s not more than 100 in length. I’m trying to figure out if there are any security advantages to checking user input length in PHP, taking into account that I’m already validating & sanitizing user input based on the type of content I’m expecting using regex. I know this differs from language to language, so I want to refer to PHP this time, but any reference to other languages like Java, .NET, Python etc. would be fine.

Input mask on email field a good idea?

A colleague of mine is arguing that we should use an input mask for email fields.

Personally I don’t think it is necessary. For phone numbers I can understand since a phone number can be written in different ways.

However everybody knows how to write an email address. Is it really useful to use a mask (and all the trouble it can get you with multiple devices)? Will people forget the @ if we don’t provide the mask? I don’t think so.

If the user enters an invalid email address we already use inline error (on blur) so what is the point. What do you guys think?

How to improve Legacy Form submission ( >20 input fields)

The product that I am working on has a lot of form inputs in one page. I’d ideally want to bring the entire UX to 2019 (the application was built in the early 2000s).

One idea that I’ve tried is breaking down the form into wizards, which worked in a few cases. But I’m looking for any different ideas on how to break it down/make it look better.

The forms that I’m talking about are close to how data entry personnel enter product details. So the form would include product name, ID, manufacturer details, sizes, etc.; it gets really long.

Any help would be lovely 🙂

What is wrong with this input?

I’ve followed the examples from the introduction to Mathematica for math students: https://www.wolfram.com/language/fast-introduction-for-math-students/en/more-plots-in-2d/

xdt[x_, y_] := (sigma + 3) x + 4 y
ydt[x_, y_] := -(9/4) x + (sigma - 3) y
sigma := {-1, 0, 1}
StreamPlot[{xdt[x, y], ydt[x, y]}, {x, -10, 10}, {y, -10, 10}]

I execute each row one after the other by pressing shift+enter, and when I get to the last row only an empty plot-window shows up.

Can anyone tell me what’s wrong here?

User’s CLI input validation for filtering out injection attacks

I am writing a Python script, Gestioner.py, which checks some service CLI commands and validates whether they are supported or not.

I am also trying to develop a test harness, Gest_Test.py, to verify and test such possible security attacks, like injection attacks, and see whether my earlier Gestioner.py is able to stop/filter out injection attacks.

My question is:

How can I further add such security attack filtering functionality to ‘Gestioner.py’, to stop any injection-related inputs given through CLI commands?

Here are some of the example ‘valid’ commands:

--binfcmd filebinf  --filecmd fileftp  --binfcmd filebinf2 --zip testzipfile2 --stat --type None --mol None 

Here is the Gestioner.py file:

#Gestioner.py
#For processing the PService cli commands

from pathlib import Path
import os
import errno
import logging
import sys
from collections import namedtuple
sys.path.insert(0, '..')


supported_cmds = ['binfcmd', 'zip', 'stat', 'type', 'mol', 'sync', 'filecmd']
ISSupported = namedtuple('ISSupported', 'result desc')

###
# Base Class for processing Pservice commands
###
class CmdGestioner:
    def __init__(self):
        # Initialise the attribute so get_full_command() works before set_full_command().
        self.full_command = None

    def set_full_command(self, in_cmd=None):
        self.full_command = in_cmd

    def get_full_command(self):
        return self.full_command

    def print(self):
        print("Output: ", self.full_command)

    def is_supported(self, in_command):
        # Only tokens that start with '--' are treated as flags; values are ignored here.
        pservice_flags = [elem for elem in in_command.split() if str(elem).startswith('--')]

        # Compare pservice flags with the supported list.
        # Note: x[2:] removes exactly the leading '--'; str.strip('--') would remove
        # every leading and trailing '-', so '--stat-' and '--stat' would look the same.
        command_not_supported = [x for x in pservice_flags if x[2:] not in supported_cmds]
        if len(command_not_supported) > 0:
            commands = ' '.join(str(elem) for elem in command_not_supported)
            command_not_supported_strs = 'The following commands are not supported: ' + commands
            print(command_not_supported_strs)
            return ISSupported(
                result=False,
                desc=command_not_supported_strs)

        return ISSupported(
                result=True,
                desc='')

Test file:

#Gest_test.py

from pathlib import Path
import os
import errno
import logging
import sys
from Gestioner import CmdGestioner
from collections import namedtuple


# Testing application.
if __name__ == "__main__":
    print("Command line parser program.")
    cmd = CmdGestioner()
    # Join with a space, otherwise the arguments run together ('--binfcmdfilebinf--filecmd...')
    # and split('--') / split() below can no longer separate flags from values.
    cmd_mtg_str = ' '.join(str(elem) for elem in sys.argv[1:])
    # elem[2:] drops exactly the leading '--' (strip('--') would drop any number of dashes).
    cmd_args = [str(elem)[2:] for elem in sys.argv[1:] if str(elem).startswith('--')]

    print("This is the name of the script: ", sys.argv[0])
    print("The arguments are: ", str(sys.argv))
    cmd.set_full_command(cmd_mtg_str)
    print("The cmd.print() is: ")
    cmd.print()
    print("The program arguments are: ", cmd_mtg_str)
    print("Splitting commands into groups by -- from string: ", cmd_mtg_str.strip())
    flags = cmd_mtg_str.split('--')
    for x in flags:
        print(x)
    print('Main commands i.e. those that start with -- ', str(cmd_args))
    # Actually exercise the checker so the harness reports whether the command passed.
    print('is_supported result: ', cmd.is_supported(cmd_mtg_str))

    print('finished')

Thanks for any suggestions/guidance to work my way in the scripts.
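An added example (not the question's own Gestioner.py) of the allow-list approach a defender would use for this '--flag value' command format: instead of filtering bad characters out, the whole string is parsed against a strict grammar and rejected on the first token that does not fit, and the accepted result is handed on as an argv list rather than a shell string. The flag names are the question's supported_cmds; which flags take a value and which are bare switches, the value character set, and the length limits are assumptions made for this example.

```python
import re
from collections import namedtuple

Validation = namedtuple("Validation", "ok desc args")

# Flag names come from the question's supported_cmds list; which flags take a
# value and which are bare switches is an assumption made for this example.
FLAGS_WITH_VALUE = {"binfcmd", "filecmd", "zip", "type", "mol"}
BARE_FLAGS = {"stat", "sync"}

# Allow-list for values: one short file-name-like token. Anything else (quotes,
# semicolons, backticks, $(), path separators, whitespace) is rejected outright
# rather than "cleaned", so nothing unexpected reaches a later shell or path call.
VALUE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def validate_command(cmd_str, max_len=1024):
    """Parse '--flag value ...' into (flag, value) pairs, or reject the whole string."""
    if len(cmd_str) > max_len:
        return Validation(False, "command too long", [])
    tokens = cmd_str.split()
    args = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--"):
            return Validation(False, "unexpected token: " + tok, [])
        flag = tok[2:]  # drop exactly the leading '--' (str.strip would eat any dashes)
        if flag in BARE_FLAGS:
            args.append((flag, None))
            i += 1
            continue
        if flag not in FLAGS_WITH_VALUE:
            return Validation(False, "unsupported flag: " + tok, [])
        if i + 1 >= len(tokens) or tokens[i + 1].startswith("--"):
            return Validation(False, "missing value for " + tok, [])
        value = tokens[i + 1]
        if not VALUE_RE.match(value):
            return Validation(False, "illegal value for " + tok, [])
        args.append((flag, value))
        i += 2
    return Validation(True, "", args)


def to_argv(validation, program="pservice"):
    """Build an argv list for subprocess.run(argv) (shell=False); never join into a shell string."""
    if not validation.ok:
        raise ValueError(validation.desc)
    argv = [program]
    for flag, value in validation.args:
        argv.append("--" + flag)
        if value is not None:
            argv.append(value)
    return argv
```

The program name "pservice" in to_argv is a placeholder; substitute the real binary the validated arguments are meant for.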

What’s the best practice for screen navigation after invalid user input?

Consider an Angular app with many user inputs over screens A, B and C. Screen C needs valid inputs from A and B; B from A only; and A is independent. Suppose while on screen B the user enters invalid inputs.

Question: What navigation should I support for B in this case?

My current thinking is to disallow navigation to C due to data validity issues. But what about navigating back to B? On the one hand, there are no validity issues, and the user may want to look up screen A to help with screen B inputs. On the other hand, this would complicate the app’s state management. An alternative is to disallow such navigation, possibly with an option to restore the last valid inputs at B. As I lack experience in UX, I’d appreciate answers to help me with this trade-off.

c# – Setup specific mousewheel rules and timer with reset function to control a value with minimal user input

My main issue here is to distinguish a first and a second stage when moving a mousewheel up and down.
How could I put the following together for a mousewheel solution in plain c#?
I have a value that controls the opacity level of an object and it can be a value between 1 and 255.
I started with a simple mousewheel setup so that each time the wheel jumps to its next spot upwards or downwards, another value returns a 1 or -1. What I need is that moving the wheel up or down once starts a timer event that changes the opacity value towards the minimum or maximum value, depending on the wheel movement direction, by adding/subtracting 1 to the current value every 1ms. For the up direction, stop the value increase only when the wheel is moved to the next spot upwards or when the value is 255. For the down direction, stop the value decrease only when the wheel is moved to the next spot downwards or when the value is 1.