What’s the worst security issue that can happen by using eval() in Android WebView?

I’ve come across a hybrid Android app – meaning most of its UI is implemented in a WebView using HTML and JavaScript technologies. The app itself is connecting to the server and one of the possible responses can include an evaluate field, which is then directly executed via JavaScript’s eval() command.

Is this a security issue? What kind of attacks can an attacker do via this attack vector?

Issue using John The Ripper

First things first, I’m a newbie so, bear with me…

I created a word list with a combination of a possible password for a certain user using Crunch (it’s the dictionary output) and need to use John The Ripper to sort through all the possible combinations in the wordlist created for the password and display it, alongside the hash and also need to add the --format=nt option, since the hash came from a Windows system. The hash is saved on another file and is in the correct format. However, I’m having trouble with this, can’t seem to figure this out and, for better understanding, here are the screenshots of what I did:

[Screenshot: John The Ripper]

Can you tell me what I’m doing wrong? What am I missing?

Custom data grabber with regex issue

Hello,

I’m looking to use Scrapebox to scrape all domain name mentions on a list just shy of 4000 web page urls.

The domain names are formatted on the pages like so:

Scrapeboxforum.com
Scrapeboxinfo.net
Scrapeboxhub.org

The domain names are plain text. They are not hyperlinks.

If it helps, they are also always in between <td> and </td> elements.  

I already have my list of almost 4000 urls I want to scan.

I am using 5 private proxies that have been tested and saved.
I think they’re being applied when using the Custom Data Grabber, but honestly I struggle with Scrapebox.

I created inbound and outbound rules for Scrapebox in Windows Firewall.
I can do other things using Scrapebox that do work. Like grabbing internal links on the domain I’m getting the urls from.  

I created a Custom Data Grabber Module and under that a Module Mask:

https://imgur.com/a/TpER4Q3

I tried several regex examples and found this one:

Code:
^(?=.{1,253}\.?$)(?:(?!-|[^.]+_)[A-Za-z0-9-_]{1,63}(?<!-)(?:\.|$)){2,}$

Source: https://stackoverflow.com/a/41193739/5048548

I tested it using the tool on https://regex101.com/ and 3 sample urls come up as matches (as far as I can tell?):

https://imgur.com/iVR422q

However, when I run my Module all I get is this:

https://imgur.com/dGgD3Ft

The Module data folder contains a csv for every time I run the Module, containing two odd characters in the first cell:

https://imgur.com/OS3uupX

I ran several of the urls through browseo.net and the domain names on those urls are readable according to that tool.

Does anyone know where I’m going wrong here?
Or is there a better way to scrape domain name MENTIONS from a list of urls?

Thank you in advance!

Patching session fixation issue on Apache server

I recently ran a Nessus scan on my network, and one of the issues that it revealed is a possible avenue for cookie injection (session fixation) through Javascript. The related Nessus issue can be found here:

https://www.tenable.com/plugins/nessus/44135

Is the only solution to update the Apache server package? Or is there some configuration option I can change? Because we are currently locked in to a specific distribution and version of our OS and cannot update to a newer version of Apache.

I should add that I don’t have very much experience dealing with security, and I was just tasked with patching issues found in the Nessus scan.

Can you continue to issue new commands throughout the duration of Geas?

Inspired by this answer and the comment by @jgn, it made me dig deeper into the wording of the Geas spell, and how it doesn’t seem to tell you if you can only give commands at the beginning, delay the command for another time, or even continue giving additional/new commands. The beginning sentence seems to hint at a single command (emphasis mine on the singular nature of the wording):

You place a magical command on a creature that you can see within range, forcing it to carry out some service or refrain from some action or course of activity as you decide.

And also later:

You can issue any command you choose…

But in the middle when explaining what happens when it ignores you:

…it takes 5d10 psychic damage each time it acts in a manner directly counter to your instructions

which could have easily been made singular if it was a single command.

This answer to a different Geas question seems to say that it’s a singular command, but it’s not backed up by anything, and doesn’t say when you can issue the command.

So my question is: When do you / can you decide what command(s) the affected creature should follow?

Rebooted host machine from inside VM, should I report this issue and where to report?

Excuse my ignorance as I don’t work in infosec.

I ran reboot inside a linux virtual machine using VirtualBox on Mac and it rebooted my host machine. I am trying to reproduce the problem but haven’t gotten it right just yet.

If I am able to reproduce the issue, should I report it and who should I report it to?

Is there a term for the psychological issue of “code loss” for programmers?

(Note: I wanted to post this to the “Psychology” category, but it had no matching tags at all.)

I am a programmer. I have just deleted a huge amount of code which I painstakingly researched, thought about, coded, then improved and fixed as bugs popped up for a long time.

All of that code, which took me a ridiculous amount of time, effort and general “mind work”, has now been replaced by a very small number of lines which basically leverage PHP’s built-in “ICU” features to properly output numbers, money sums and date/time in the correct manner for every combination of language, locale, currency and timezone imaginable.

Previously, I did not know that this already existed, so I basically replicated a lot of it myself, and I now realize how far from perfect it was. But still, I did it, and that code had in my mind “hardened” or “settled” as “gold code” which I never thought I would touch again…

Basically, I mourn my now useless, superseded, obsolete code chunks. I’m annoyed by myself for doing all that unnecessary work and it took a lot of mental wrestling to finally convince myself to go through with it.

Is this common among programmers, and does it have an established term? Such as “code loss” or “code mourning”?

Basically, even though I have really improved my application/library/framework to an extreme degree, it still feels like I’ve “lost all that work” because the numbers of lines are slashed so much in one go. It’s not a nice feeling.

UAC Security Issue when Running Batch Files

I was having trouble pushing a batch file to a local user’s machine, when it ran just fine on another person’s. It turns out I was having the file run as the Current Logged in User.

So the problem is the user is able to run any batch files without being prompted by UAC, they have the highest level of UAC set and they are a local Administrator. Other users with the same level of Access and UAC do get prompted when attempting to run any batch files.

Is there something I am missing here? Any ideas would be great!

Thanks! Eatery of Ramen
