How is browsing from a virtual machine/virtual box preventing fingerprinting or tracking?

Is it increasing your internet security in terms of privacy/tracking/fingerprinting if you are surfing with your web browser in a virtual machine environment (VirtualBox + VPN), instead of surfing from your normal Windows operating system…

Or is a virtual machine not helping you in fingerprinting cases? I just want to understand if you can use a virtual machine as an additional privacy tool and, if yes, on what aspects it would have an impact (IP address, virus infections, fingerprinting, etc.)?

Thanks

Preventing CSRF with SameSite="strict" without degrading user experience?

ASP.NET will soon begin reflecting Google’s decision to default cookies to SameSite="strict" in a defense against CSRF attacks:

Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core

This means that if I own foo.com, any logged-in users who are directed to foo.com from off-site will consume the content as if they are not logged in, as the browser will refuse to send the forms authentication headers with the request by default.

This is a poor user experience, and I’m tempted to simply specify SameSite="Lax" to ensure that users are not surprised by this behavior.

Is there any way to have my cake and eat it too, in this scenario?
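An added example, not from the original post: a small model of the browser's SameSite rules (Strict / Lax / None) run over constructed request scenarios, so the trade-off in the question can be checked concretely for both cases it raises, a user arriving at foo.com from an off-site link and a cross-site POST of the kind CSRF relies on. The cookie name is a placeholder.

```python
"""Model of when a browser attaches a cookie to a request, by SameSite mode.
Rules follow the SameSite specification: Strict never travels cross-site;
Lax travels cross-site only on top-level navigations using a safe method
(GET/HEAD); None always travels (modern browsers also require Secure).
"""
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str          # "Strict", "Lax" or "None"
    secure: bool = True


@dataclass(frozen=True)
class Request:
    method: str
    same_site: bool             # initiator site == target site?
    top_level_navigation: bool  # link click / form submit vs. fetch / iframe


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Decide whether `cookie` accompanies `req` under its SameSite mode."""
    if req.same_site:
        return True                       # same-site requests always carry it
    if cookie.same_site == "Strict":
        return False                      # never on any cross-site request
    if cookie.same_site == "Lax":
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    if cookie.same_site == "None":
        return cookie.secure              # cross-site allowed, Secure required
    raise ValueError(f"unknown SameSite value {cookie.same_site!r}")


def classify(cookie: Cookie) -> dict:
    """Constructed scenarios from the question: an off-site link to foo.com
    (user wants to arrive logged in), a cross-site POST a CSRF page would
    forge, and a hidden cross-site fetch/iframe load."""
    link_click = Request("GET", same_site=False, top_level_navigation=True)
    forged_post = Request("POST", same_site=False, top_level_navigation=True)
    hidden_fetch = Request("GET", same_site=False, top_level_navigation=False)
    return {
        "arrives_logged_in": cookie_is_sent(cookie, link_click),
        "csrf_post_carries_session": cookie_is_sent(cookie, forged_post),
        "cross_site_fetch_carries_session": cookie_is_sent(cookie, hidden_fetch),
    }


if __name__ == "__main__":
    for mode in ("Strict", "Lax", "None"):
        print(mode, classify(Cookie("auth_placeholder", mode)))
```

The model deliberately ignores Chrome's temporary "Lax+POST" allowance for cookies set less than two minutes earlier, so it shows the steady-state behaviour only.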

Getting around massive preventing of damage [on hold]

I’m currently running a game where one of the players has the ability to reduce/prevent a ton of damage. I’m looking for ways around this, such as the old school wights that did ability score damage, things like Ray of Enfeeblement that grants a strength penalty, diseases, etc.

Is there something I can search in the compendium, or is there a list somewhere online, that could save me hours of digging through every monster in 4e to find new and interesting ways to damage players other than just dishing out huge amounts of damage?

Server preventing colon character from being used

I have discovered an input field which accepts <img> and <h1> tags. I tried to use the events like onmouseover which is being stripped from the tag.

Example: If the input is <img src="a" onmouseover="alert(1)">, the response is <img src="a">.

So it is not just for a single event, even an attribute like “onx” is being stripped off. Hence I tried to use the payload:

<img src="javascript:alert(1)"> 

Surprisingly, now the response is <img> which shows that this happens due to the character colon (:). If I use something like

<img src="javascript_alert(1)"> the response is given back the same way.

Is there any way to bypass this?

Preventing boot from USB on Dell Inspiron 5559

So what I am looking for is a way to prevent anyone from booting from a USB drive on this specific Dell Inspiron 5559. Normally what I would have to do is set an Admin password in the BIOS, which would prevent anyone from booting from a USB drive or changing BIOS settings without the Admin password. The bad thing is that the admin password could be easily bypassed using certain websites with the System Serial that appears in the message asking for the admin password. I won't post links here, but you can search on YouTube and see for yourself, so apparently that doesn't work. Now, I have Windows 10 installed and I can use BitLocker to encrypt my HDD and protect my info, but I am also trying to protect the HDD from sabotage, i.e. formatting the HDD (without using an external backup drive). In short, I want that if someone wanted to tamper with the laptop they would need to open the laptop casing and take the HDD out (or even the CMOS battery if they tried to reset the BIOS settings), and I am OK with that.

Preventing Quota Theft of Embedded Service without API Key

The way the service works is that the user can embed content on their site, that is served from my servers. Usage is tracked in “views”, or how many times the src endpoint inside of the <iframe> has been called.

I am trying to find out a way to verify that the origin site of the request is indeed the customer’s, and not some other web server. Using an API key as a query parameter leaves the possibility to just copy the <iframe> element, and use the service for free, at the expense of the real customer.

Some methods that I have considered follow:

  • Using the origin/referrer header of the HTTP request
  • Using JavaScript to determine the origin site, then send for the data

The first of these methods can be defeated simply by sending a request to the endpoint from an AJAX request with the origin header set to a customer’s website.

The second may work provided the JavaScript method that requests the data is sufficiently obfuscated.

While I know that no solution is fool-proof, I am not quite satisfied with relying on the origin HTTP header to determine usage.

Are there any alternative methods that do not rely on the customer rotating code, API key or otherwise, to prevent quota theft? Thanks in advance.

Does preventing a creature from taking actions also prevent reactions?

I’m slightly confused by the use of the word “action” in the text. The section on “Reactions” states:

Certain special abilities, spells, and situations allow you to take a special action called a reaction…

And then there are times where you cannot take actions such as the dream spell which states:

[…] While in the trance, the messenger is aware of his or her surroundings, but can’t take Actions or move…

There are also times where something explicitly says you can't take reactions, like the Incapacitated condition which states:

An incapacitated creature can’t take actions or reactions.

And then there is this phrase from the section on “Bonus Actions”:

[…] anything that deprives you of your ability to take actions also prevents you from taking a bonus action.

There is no similar phrase in the “Reactions” section so I am left wondering:
If something, like the spell dream, prevents you from taking actions, but not reactions, can you still take a reaction?