How is Authentication Required different from Access Denied [closed]

I was trying a bug bounty challenge and I was given a vulnerable URL which needs a password to access it.

  • Case 1: When I try to do SQL injection in Username and Password, I get a page: access denied “Username not found”.
  • Case 2: If I keep entering random normal usernames and passwords, I get the “Enter username and Password” dialog box, and after so many trials I get the page which says: WWW-Authentication needed!

How are the two scenarios different?

Is Case 1 different than Case 2 in terms of vulnerabilities?


Knapsack Problem with exact required item number constraint

How would we solve the knapsack problem if we now have to fix the number of items in the knapsack by a constant L? This is the same problem (max weight of W, every item has a value v and weight w), but you must add exactly L item(s) to the knapsack (and obviously need to optimize the total value of the knapsack).

Every way I’ve thought of implementing this so far (dynamic programming, brute force) has resulted in either failure, or lifetime-of-universe level computation times. Any help or ideas are appreciated.
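An added worked example, not from the post, of the usual way to carry the exact-count constraint through the dynamic programme: the table gets a third index for the number of items already chosen, so best[i][j][c] is the best value using the first i items with exactly j of them taken and weight at most c, and the whole thing runs in O(n·L·W) time and memory. The item list is constructed for illustration.

```python
NEG = float("-inf")  # marks (items chosen, capacity) states that cannot be reached


def knapsack_exact(items, W, L):
    """Pick exactly L of `items` (list of (value, weight)) with total weight <= W,
    maximising total value. Returns (best_value, chosen_indices), or (None, [])
    when no selection of exactly L items fits."""
    n = len(items)
    # best[i][j][c]: max value from the first i items, exactly j taken, weight <= c
    best = [[[NEG] * (W + 1) for _ in range(L + 1)] for _ in range(n + 1)]
    for c in range(W + 1):
        best[0][0][c] = 0  # zero items taken, zero value, any capacity left over
    for i, (v, w) in enumerate(items, start=1):
        for j in range(L + 1):
            for c in range(W + 1):
                skip = best[i - 1][j][c]
                take = NEG
                if j >= 1 and c >= w and best[i - 1][j - 1][c - w] != NEG:
                    take = best[i - 1][j - 1][c - w] + v
                best[i][j][c] = max(skip, take)
    if best[n][L][W] == NEG:
        return None, []
    # Walk the table backwards: item i-1 was taken whenever skipping it would have lost value.
    chosen, j, c = [], L, W
    for i in range(n, 0, -1):
        if best[i][j][c] != best[i - 1][j][c]:
            chosen.append(i - 1)
            j -= 1
            c -= items[i - 1][1]
    chosen.reverse()
    return best[n][L][W], chosen


# Constructed sample: three light items worth 10 each and one heavy item worth 25.
ITEMS = [(10, 1), (10, 1), (10, 1), (25, 3)]
```

Without the count constraint the optimum for W=3 is the three light items (value 30); forcing L=1 selects the heavy item instead, and L=4 is infeasible because the four items weigh 6.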

Is it possible to emulate all dice rolls required for a D&D5e game using just a d6, and if so, how?

This is a question that I’ve asked myself numerous times, but I’ve never gotten a really satisfying result.

The issue is this: let’s assume we only have one or multiple d6 dice (arguably the most common type of dice outside of pen & paper), but we still want to play D&D 5e or another RPG. The game doesn’t really matter here, we just need to be able to emulate different kinds of dice, such as d4, d8, d10, d12 or d20. I presume that if calculating these dice from rolls of a d6 is possible, any other potentially required dice rolls can be calculated as well in a similar fashion.

Therefore: How can the probability results of a d4, d6, d8, d10, d12 and d20 be emulated by rolling only with a d6?

Injectivity not required for unification algorithms?

When learning about a general unification algorithm, we learned the rule decompose, which states unifying $G \cup \{f(a_0,\dots,a_k)=f(b_0,\dots,b_k)\} \Rightarrow G \cup \{a_0=b_0,\dots,a_k=b_k\}$. The question of, “What if $f$ is not injective?” stood out to me. Say $f$ is not injective, and we traverse that branch of computation where $f(a_0,\dots,a_k)=f(b_0,\dots,b_k) \Rightarrow \{a_0=b_0,\dots,a_k=b_k\}$ and it leads to failure. Is it possible that there’s another way to assign $a_0,\dots,a_k$ to $b_0,\dots,b_k$ such that it’s unifiable?

I was thinking maybe of an example to demonstrate what I mean. This may not be a good example, but say we consider $f(x,y) = x+y$, and we want to unify $f(h(a),g(b)) = f(g(c),h(d))$. Then we would fail by assigning $\{h(a) = g(c),\ g(b)=h(d)\}$ by decompose, but succeed in unification if instead we first switch the arguments of $f$ (valid since $f(a,b)=f(b,a)$), which will yield $\{a \mapsto d,\ b \mapsto c\}$.

I was reading a bit about it in this paper on page 6 where they discuss the idea of strictness in terms of decompose, but I don’t quite understand it, and more generally how we can perform this unification step of decompose on a general $f$ without somehow backtracking on failure.

Oracle queries required

The variables $a,b,c \in \{0,1\}$, thus $a^k, b^k, c^k \in \{0,1\}$.

I want to pass a query to an oracle that returns the coefficients of each term $(1,a,b,c,ab,ac,bc,abc)$ in the expansion of products such as this one: $(1-a+ab)(1-b+bc)(b-bc)$. There could be more variables and more brackets to expand.

Do I require a single FP query to do this or something more?

What is the minimum required for creating an RPG [closed]

This is something I used to do a lot when I was younger, and I fancy getting back into it.

The types of RPG I used to make and want to continue making are simple ones, akin to Dragon Warriors or Fighting Fantasy. This is strictly in response to the stat & rule heavy RPGs out there, like MERP, AD&D or even to some degree D&D. For comparison, Fighting Fantasy proposes a system with only 3 stats: Skill, Stamina and Luck.

The players will be friends who just want to do some role play in a fictional setting, but without having to read player manuals or have a character sheet with 20+ numbers all over it.

Given this, what is the absolute minimum I would need in terms of rules/character stats to create a new RPG that could be used to play D&D style campaigns (e.g. a group of heroes off on adventures, slaying monsters, outsmarting evil, collecting loot, saving people, winning the day etc.)?

Obviously the RPG systems I am inspired by are quite old now. Out of interest, are there any modern/new RPG systems with a similar level of simplicity? My focus here is on player interaction with each other and the setting/NPCs, and not having to memorize a huge amount of rules.

Is HTTPS required for local network server to server communication

I am building web applications for my customer’s company. At the server side, there will be 2 kinds of server to server network communication.

  1. Separated REST API servers making requests among each other.
  2. Communication from application load balancers (AWS ALB specifically) to their auto-scaling EC2 instances.

Currently all of these communications use HTTP protocol. Only the customer-facing nodes (such as the load balancer or the web server reverse proxy) will serve HTTPS with valid certificates.

The customer’s security audit tried to force us to change them all to HTTPS.

The auditor cannot provide practical reasoning behind this except that he believes it is the modern best practice to always use HTTPS instead of HTTP anywhere.

In my view, I think the purpose of the HTTPS protocol is to be a trusted channel in an untrusted environment (such as the Internet). So I cannot see any benefit of changing the already trusted channel to HTTPS. Furthermore, having to install certificates on all servers makes it difficult to maintain; chances are, the customer will find their application servers broken someday in the future because some server has an expired certificate and no one knows.

Another problem: if we have to configure all the application servers, Apache for example, behind the load balancer to serve HTTPS, then what is the ServerName to put inside the VirtualHost? Currently we have no problem using the domain name such as my-website.example.com for the HTTP VirtualHost. But if it were to be HTTPS, would we have to install the certificate of my-website.example.com on all instances behind the load balancer? I think this is weird because then we have many servers claiming to be my-website.example.com.

I would like advice from the security community on whether my view above is correct and can be used as valid reasons to dispute the security audit’s enforcement.

Is CSRF protection required for sensitive GET requests with CORS enabled?

Based on other questions, it seems protecting GET resources with CSRF tokens is useless. However, that quickly becomes untrue when CORS gets thrown into the mix.

I have a server domain server.com and a UI app at client.com. The server.com domain handles user auth and sets a session cookie under the server.com domain. It also has a REST-like endpoint that serves GET requests at /user_data and returns sensitive user data to users with a valid session. The 3rd party UI at client.com needs access to the user_data in an AJAX call, so CORS is enabled at the /user_data endpoint for the origin domain client.com via Access-Control-Allow-Origin.

The endpoint in question has no side effects, although it serves sensitive data to a 3rd party. Do I need to implement some CSRF token protection for the endpoint? Could the user_data be read by a compromised client.com webpage (via persistent XSS)? If so, can I use a query param mechanism of CSRF token exchange? The way I understand it, it’s the only option, because client.com cannot read CSRF tokens stored in server.com cookies. However, OWASP guidelines state that:

Make sure that the token is not leaked in the server logs, or in the URL.

If that’s also a problem, how can I secure my application?
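An added model, not from the post, of the two halves of the CORS decision the question turns on: the headers server.com attaches to a credentialed /user_data response, and the browser-side check that decides whether the calling page may read the body. server.com and client.com are the post's; the other.example origin and the reflect_any_origin flag are constructed to show a second origin and the origin-reflection misconfiguration.

```python
# Constructed scenario: the UI at https://client.com fetches /user_data on server.com
# with the user's session cookie, so the browser sends a credentialed CORS request.
ALLOWED_ORIGINS = {"https://client.com"}


def build_cors_headers(request_origin, allowed_origins=ALLOWED_ORIGINS,
                       reflect_any_origin=False):
    """Server side: CORS headers server.com attaches to a /user_data response.

    With reflect_any_origin=False only the allow-listed origin gets an answer;
    True models the misconfiguration of echoing back whatever Origin arrives."""
    if request_origin is None:
        return {}  # same-origin page or non-browser client: no CORS headers needed
    if reflect_any_origin or request_origin in allowed_origins:
        return {
            # Must name one exact origin: browsers refuse "*" on credentialed requests.
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            # Stop shared caches from handing one origin's answer to another.
            "Vary": "Origin",
        }
    return {}


def response_readable_by_page(page_origin, with_credentials, headers):
    """Browser side: may the script running at page_origin read this response?"""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        # Credentialed: exact origin match and an explicit Allow-Credentials: true.
        return (acao == page_origin
                and headers.get("Access-Control-Allow-Credentials") == "true")
    return acao == "*" or acao == page_origin


def can_read_user_data(page_origin, reflect_any_origin=False):
    """End to end: a script at page_origin calls /user_data with the session cookie."""
    headers = build_cors_headers(page_origin, reflect_any_origin=reflect_any_origin)
    return response_readable_by_page(page_origin, True, headers)
```

The allow-list is the only thing separating origins here: every script running on the allow-listed client.com origin passes the same check, and a script on another origin is stopped by the missing header rather than by anything in the response body.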

Do any action traits indicate that free hands are required?

What action traits or tags, especially for spells, require the user to have a free hand (if any)?

I am asking because I was caught by surprise by this answer to a question regarding Lay on Hands and how many free hands it required. Specifically that the somatic trait – which as I understand it means physical movement, such as hand gestures – does not in fact require a free hand.

N.b. I am the GM.