I’m going to run a 4th Tier One-Shot very soon, and I have told all my players to build a 20th level character. One player built a powerful artificer (armorer subclass) that outshines every other PC. I will provide his saves, AC and so on:
- Strength: +13
- Dexterity: +7
- Constitution: +17
- Intelligence: +19
- Wisdom: +16
- Charisma: +6
Temporary HP: 20
Spell DC save: 20
Spell attack bonus: +12
I am perplexed and, to be frank, a little frightened by those saves, the AC too. I have also double checked his character sheet and nothing is wrong or miscalculated.
Should I nerf this build? If Yes, how?
I did not know this class well; I think I made an error allowing it, didn’t I?
How would you balance this situation?
PS: I’d like to specify that I am NOT a long-experienced DM. I have run other epic level one-shots before and those went fine, but I clearly lack experience.
PPS: if necessary I’ll post the complete character sheet.
I am working on a new project with a team of developers. SOAP web services will be the main channel to publish the services.
I’d like to secure those services from the beginning and give the developers guidelines on how to develop securely. I’d like to assign requirements from the chapter “Session management verification” of OWASP ASVS 3.0.1 to the SOAP web services. But those requirements are specialized for web applications. So could you advise me which of them are adequate for SOAP?
I am the DM for a long running game, we are going on 2 years, and while there was a rough start and a few changed characters, we have been in a good place. There was a Tiefling Barbarian (original), Dragonborn Paladin, and Human Fighter/Warlock. About 2 months ago, we added a Dragonborn Wizard to the party, and it has been a welcome addition thus far. Tonight we had a relatively long roleplay section, first a meeting with a prominent NPC who has been around for a while, and then the characters discussed stories and backstories around dinner in a tavern. During this roleplay session, the wizard, fully within his character, used suggestion to entice backstory from the Tiefling (who has given basically nothing up until this point). This has created tension within the party (in game only), and has the potential to completely derail the campaign. I want to respect player agency, and I trust the players to not blow this out of proportion, but I also don’t want to throw away an entire main quest due to this. I am conflicted, and thus am requesting some differing views on the matter. Thanks in advance. Please feel free to request any information; I am happy to help.
I’m in the process of creating a password reset functionality for my project. I currently have my website send a password reset link to the user’s email if they request it and validate the link properly when clicked (checks for selector and validator tokens and that it has not expired) before displaying the form to create a new password. The problem I’m having is finding a way to update the correct user’s password in the database once they submit the new password. One method I have thought of to achieve this is to get the email associated with the matched selector and validator tokens in my password reset database table and store it in a session variable so it can be accessed by another PHP file to update that user’s password in my users database table. I’m wondering if this approach has any security risks to the user or whether it is a valid method.
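An added example (not the asker’s code) of the alternative to a session variable: the reset form re-sends the selector and validator as hidden fields, and the submit handler re-verifies them, so the account that gets updated is bound to the token itself. The function names, the in-memory stand-ins for the two tables, the 3600-second TTL and the use of PBKDF2 for the password hash are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed value)

# Constructed in-memory stand-ins for the users table and the password-reset table.
USERS = {"alice@example.com": {"salt": b"", "pw_hash": b""}}
RESETS = {}  # selector -> {"email", "validator_hash", "expires"}

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def issue_reset(email, now):
    """Create a selector/validator pair; only the validator's hash is stored,
    so a leaked reset table does not yield usable links."""
    selector = secrets.token_hex(8)
    validator = secrets.token_hex(32)
    RESETS[selector] = {
        "email": email,
        "validator_hash": hashlib.sha256(validator.encode()).digest(),
        "expires": now + TOKEN_TTL,
    }
    return selector, validator  # both travel in the emailed link

def lookup_reset(selector, validator, now):
    """Return the email bound to a valid, unexpired token, else None."""
    row = RESETS.get(selector)
    if row is None or now > row["expires"]:
        return None
    supplied = hashlib.sha256(validator.encode()).digest()
    if not hmac.compare_digest(supplied, row["validator_hash"]):
        return None
    return row["email"]

def submit_new_password(selector, validator, new_password, now):
    """Form POST handler: the form re-sends selector and validator as hidden
    fields, so the account to update comes from the token, not from a session."""
    email = lookup_reset(selector, validator, now)
    if email is None:
        return False
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw_hash": _pw_hash(new_password, salt)}
    del RESETS[selector]  # single use: the link dies after a successful reset
    return True

def verify_password(email, password):
    user = USERS.get(email)
    return user is not None and hmac.compare_digest(
        _pw_hash(password, user["salt"]), user["pw_hash"])
```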
I am wondering, assuming the latest version of Firefox, which of the following options would be preferable security-wise (e.g. access to and/or the password for the user account being stolen) and which one privacy-wise (exposing the user to the least advertisement tracking etc.):
- Storing session cookies (i.e. logging in and never logging out), but not saving password & username in browser built-in Password Manager.
- Saving password & username in built-in Password Manager (without Master Password) and setting cookies and site data to be cleared when browser is closed.
P.S.: I am aware that using a Master Password for password storage will increase the security of the stored passwords. Though I am not wondering how to improve the given options, I would like to assess them “as is”.
My server is using Django Rest Framework. My mobile app logs in using token authentication. However, I also have a webview in the mobile app where I need to log in. I can’t inject the auth token on every request in the webview, so I use the auth token for authenticating this endpoint and then create a session from it. This is the code:
from django.contrib.auth import login
from django.shortcuts import redirect
from django.urls import reverse
from rest_framework import permissions
from rest_framework.authentication import TokenAuthentication
from rest_framework.throttling import ScopedRateThrottle
from rest_framework.views import APIView


class CreateSessionView(APIView):
    # The webview authenticates this one request with the app's token...
    authentication_classes = [TokenAuthentication]
    permission_classes = (permissions.IsAuthenticated,)
    throttle_classes = [ScopedRateThrottle]
    throttle_scope = 'auth_token_verify'

    def get(self, request, format=None):
        # ...and a session cookie is created for the token's user.
        login(request, request.user, backend='django.contrib.auth.backends.ModelBackend')
        return redirect(reverse('home'))
My questions are:
Is there a vulnerability here? If so, how can I secure it?
Do I need CSRF?
I’m doing a dockerized tool which logs in to a website for N users and performs N actions. The tool is coded using Python. If there are multiple users, the sign in takes time. However, there are some websites which have a longer session expiry. In those cases,
import requests

s = requests.session()
Is it okay from a security perspective to save the session data in a file so that I can perform the actions straight away? Also I’ll check whether the session is invalidated or not every time I get the data from the file. If not, what’s the best way to solve this problem?
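An added example (not the asker’s tool) of what a persisted session file should and should not contain: only the cookies plus an expiry timestamp, never the credentials, written owner-read/write only and rejected on load if it has been opened up or has expired. The `requests` session itself is left out so the block runs with the standard library alone; the function names and the JSON layout are assumptions.

```python
import json
import os
import stat
import time

def save_session(path, cookies, expires_at):
    """Persist a cookie dict (e.g. requests.utils.dict_from_cookiejar(s.cookies))
    together with the time at which the server-side session is expected to die.
    The file is created 0600 and swapped in atomically, so no other local user
    ever sees a readable or half-written copy. Credentials are never stored."""
    payload = json.dumps({"cookies": cookies, "expires_at": expires_at})
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(payload)
    os.replace(tmp, path)

def load_session(path, now=None):
    """Return the saved cookie dict, or None when the caller must log in again:
    no file, a file readable by group/others (treat as untrusted), or an expiry
    in the past. A live check against the server still belongs after this."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    if stat.S_IMODE(st.st_mode) & 0o077:
        return None
    with open(path) as f:
        data = json.load(f)
    now = time.time() if now is None else now
    if now >= data["expires_at"]:
        return None
    return data["cookies"]
```

Reloaded cookies go back into the session with `s.cookies.update(cookies)`; a 401/redirect-to-login on the first real request is the signal to discard the file and re-authenticate.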
We have an OXID online shop with different domains/subdomains depending on currency and language.
Now we have a problem with hreflang tags, because of URL parameters:
1) the session of the basket between domains is set by
?force_sid=(random string for session id)
2) for different views in categories like
If the URL is accessed without the parameters then the canonical and hreflang tags are correct.
If the parameters are set then the canonical and hreflang tags are wrong.
What are the correct tags for example:
<link rel="canonical" href="https://www.example.de/category-name/">
<link rel="alternate" hreflang="x-default" href="https://www.example.de/category-name/">
<link rel="alternate" hreflang="de" href="https://www.example.de/category-name/">
<link rel="alternate" hreflang="de-CH" href="https://www.example.ch/category-name/">
<link rel="alternate" hreflang="fr-CH" href="https://fr.example.ch/category-name/">
<link rel="alternate" hreflang="de-AT" href="https://www.example.at/category-name/">
<link rel="alternate" hreflang="fr" href="https://www.example.fr/category-name/">
<link rel="alternate" hreflang="en" href="https://www.example.com/category-name/">
<link rel="alternate" hreflang="es" href="https://www.example.es/category-name/">
I am puzzled by how people on YouTube bait scammers into connecting to their machines and end up “reversing” the connection on them, essentially controlling the scammer’s PC.
Is this done via reverse shells? Or do you get them to open up a malicious application, i.e. do you have to use a dropper?
I want to know how this is possible.
Is using the source IP address in generating the session ID by servers common? I’ve seen this behavior with a banking website. You visit the website with IP 126.96.36.199, an SSL session is generated and used by the browser for SSL session resumption. Now if your IP changes to 188.8.131.52, and you just refresh the page, the browser will error out. Firefox will complain about BAD_RECORD_MAC; Chrome will just say SSL error. I still don’t understand exactly why this happens, because according to the RFC, if the session is not recognized a full handshake should be initiated, but here everything just fails.
Using Firefox with SSL session identifiers disabled doesn’t have this problem, which is why I think the server is using the source IP to create the session.