Understanding CSP: report shows blocked that shouldn’t have been blocked

I’m having trouble making sense of some reported CSP violations that don’t seem to actually be violations according to the CSP standard. I have not managed to reproduce the violations in my own browser, and based on my own testing I believe that the block is the result of a non-compliant browser. That seems like a bold assertion, but based on all the documentation I’ve read and my tests it’s the only thing that makes sense.

Here is (more or less) what the CSP is:

frame-ancestors [list-of-urls]; default-src https: data: blob: 'unsafe-inline' 'unsafe-eval' [list-of-more-urls]; report-uri [my-reporting-endpoint] 

The problem is that I’m getting some violations sent to my reporting endpoint. Here is an example violation report:

{"csp-report": {
    "document-uri": "[REDACTED]",
    "referrer": "[REDACTED]",
    "violated-directive": "script-src-elem",
    "effective-directive": "script-src-elem",
    "original-policy": "[SEE ABOVE]",
    "disposition": "enforce",
    "blocked-uri": "https://example.com/example.js",
    "status-code": 0,
    "script-sample": ""
}}

The context would be that the page in question had a <script src="https://example.com/example.js"></script> on it somewhere.

To be clear, https://example.com is not in the list of allowed URLs under default-src. However, that shouldn’t really matter. Here are all the relevant facts that lead me to believe this is being caused by a non-compliant browser that someone is using:

  1. There is no script-src-elem defined, so it should fall back on the default-src for the list of allowed URLs.
  2. default-src includes the https: scheme, which means that all URLs with an https scheme will be allowed. The blocked URL definitely uses HTTPS.
  3. This source agrees that the scheme source (https) will automatically allow any https resources. Therefore this should be allowed even though example.com is not in the list of allowed URLs.
  4. The official CSP docs also agree, showing that scheme matching happens first and can allow a URL even before the list of allowed URLs is checked.
  5. Therefore, if you include the https: scheme in your default-src, your CSP will match <script src="https://anything.com"> even if it is not specifically in the list of allowed URLs.
  6. In my own testing I found the above to be true.

Despite all of this, I have sporadic reports of CSP violations even though there shouldn’t be any. Note that I’m unable to replicate this exactly because the pages in question have changed, and I don’t have easy control over them. The only thing I can think of is that some of my users have a browser that isn’t properly adhering to the CSP standard, and it is rejecting the URL because it is not on the list of allowed URLs, rather than allowing it based on its scheme.

Is this the best explanation, or am I missing something about my CSP? (and yes, I know that this CSP is not a very strict one).
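The matching the question walks through (directive fallback to default-src, scheme-source checked before any host-source) as an added Python model of the CSP3 rules, written for this page and not taken from any browser or from the asker; it covers the general host/port/path matching beyond the single https: case in the question, and the policy strings and hosts used with it are constructed.

```python
import re
from urllib.parse import urlsplit
# CSP3 fallback for a <script src> element: script-src-elem, then script-src, then default-src.
FALLBACK = {"script-src-elem": ["script-src-elem", "script-src", "default-src"]}

def parse_policy(policy: str) -> dict:
    """Split a serialized CSP into {directive name: [source expressions]}."""
    out = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out

def effective_sources(policy: dict, directive: str):
    """Source list that governs `directive` after fallback, or None if nothing applies."""
    for name in FALLBACK.get(directive, [directive, "default-src"]):
        if name in policy:
            return policy[name]
    return None

def source_matches(expr: str, url: str) -> bool:
    """Match one source expression against an absolute URL (CSP3 'Does url match expression')."""
    u = urlsplit(url)
    if expr.startswith("'"):
        return False  # keywords, nonces, hashes: 'self' needs the page origin, not modelled here
    if expr.endswith(":"):
        # scheme-source, checked before any host-source: 'https:' admits every https URL
        scheme = expr[:-1].lower()
        return u.scheme == scheme or (scheme == "http" and u.scheme == "https")
    m = re.fullmatch(r"(?:([a-z][a-z0-9+.-]*)://)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(/.*)?", expr, re.I)
    if not m:
        return False
    scheme, wildcard, host, port, path = m.groups()
    host, url_host = host.lower(), (u.hostname or "").lower()
    if scheme and scheme.lower() != u.scheme:
        return False
    if url_host != host and not (wildcard and url_host.endswith("." + host)):
        return False
    url_port = u.port or {"https": 443, "http": 80}.get(u.scheme)
    if port and port != "*" and str(url_port) != port:
        return False
    if path and u.path != path and not (path.endswith("/") and u.path.startswith(path)):
        return False
    return True

def is_allowed(policy: str, directive: str, url: str) -> bool:
    sources = effective_sources(parse_policy(policy), directive)
    return sources is None or any(source_matches(e, url) for e in sources)
```

Under a policy shaped like the one above, `is_allowed(policy, "script-src-elem", "https://example.com/example.js")` is True, so a report citing that URL is not explained by the policy text itself.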

Running PHP echo $_SERVER['DOCUMENT_ROOT']; Shows Apache Default Path

Trying to get set up and running on a new hosting company after the old one announced they are discontinuing their service at the end of the year, I am having difficulty getting the sites to run. I narrowed it down to Apache’s DocumentRoot for each domain showing the Apache default path rather than showing the path to the individual site’s file location. In other words, when I run echo $_SERVER['DOCUMENT_ROOT']; in a test script, it shows the path as /etc/apache2/htdocs when it should show /home/username/public_html/domain.com. They seem unable to fix it, so can DocumentRoot be changed through cPanel for each domain?

MessageBoxA only shows up in debugger?

This question is related to crackmes.de’s k1 by xtfusion. I’m trying to add custom shellcode through a stack overflow.

The shellcode works perfectly under Windows XP (without ASLR) when the program is attached to the debugger. But when I run the program with a double click, the program only exits quietly and no window pops up.

Full alphanumeric shellcode (and the screenshot above):

                     ; no need to LoadLibraryA manually
push eax             ; eax should be 0 now
push 0x646E7770      ; 'pwnd'
push esp
pop ecx              ; address of 'pwnd'
push esp
pop eax
push esp
pop edx              ; address of 'pwnd', backup for later use
sub eax,0x55555521   ; only `sub eax, xxx` is allowed for alphanumeric shellcode
sub eax,0x55555421
sub eax,0x55555648
push eax
pop esp
push 0x7E
and eax,0x554E4D4A
and eax,0x2A313235
sub eax,0x55555555
sub eax,0x55555555
sub eax,0x334D556E   ; encode instruction e8070822
push eax             ; write to memory on the fly
push edx
pop esp
push esi             ; 0, esi should be 0 now
push ecx             ; address of string 'pwnd', 4 bytes to save life
push esi             ; 0
push esi             ; 0
jne 0x22FFE6         ; jump to the generated instruction `call USER32.MessageBoxA`

I’m not quite familiar with Windows API.

What does the window do when the program exits? Do I need to migrate the window to another existing process?

Why does the window not show up without the debugger?

Thanks in advance.

How do I upload movies for free to my website for watching movies and TV shows? [closed]

So, I want to make my own website for watching movies and TV shows, but not in English, in my native language. So I was wondering, is it legal to just upload videos from the openload server or some other server to my website without having to pay for an openload account or something, or does openload just let me upload their videos for free? It might be a stupid question but I am really not familiar with this subject, and if you have any tips for building my movie watching website that would be great. Thanks!!!

Step by step integration solution that shows where substitutions occur without using Wolfram Alpha

I know there are heaps of people’s code around the forum with code that shows step by step solutions for integration. But they don’t specify where certain things happen, like substitution (u sub) or recognition by integration and stuff like that. Is there code (it has to work offline) that can show you what is being done (like u sub, simplify, expand, double angle…) for each step?

Player shows up inconsistently

I am a DM playing Waterdeep: Dragon Heist (soon to progress to Undermountain). There are three players, I play a generic paladin, and we play via Zoom. One player, however, is inconsistent in showing up, and I am worried that he is going to miss too much of the story to progress. The characters are level 4, and we started doing Zoom at about level 2.

Since then, said player shows up to about half the sessions, and even then he only stays for part of it. That bothers me the most, as he is new to D&D and I believe he does not grasp that the game is supposed to take about 4 hours at a time, because he only stays about 1-2. He has missed out on much of the story and we often have to fill him in.

The other two players are fine playing without him, but I can tell that they too would rather have him play for the full length. Whenever I mention it he just shrugs it off and wants to keep playing. I am hoping there may be a solution to this inconsistent behavior.

[Note] This may be a duplicate but I am not sure

Hacking Attempt Requests Not showing Up on Webserver Logs But Google Analytics Shows it

Which hacking tool makes a request and does not show up on web-server logs?

/en/latest/ has been requested over 116 times; we don’t have this URL on the website at all!

The request to that URL does not show up on web-server logs, but I set up Google Analytics to track ad-blockers by loading the script on a different URL that ad-blockers don’t know. But ever since I set up this Google Analytics it has trapped lots of hacking requests on non-existent URLs.

How come Google Analytics captures the request (the hackers don’t actually know) and the request seems not to reach the web-server, because no logs are shown?

The thing is, there is a deliberate request to a non-existent URL that doesn’t show up on web-server logs, but my secret Google Analytics script captures the URL.

URL editing shows success message, but doesn’t carry out function

I’ve been looking into my college’s internal alumni network. In that we can send connections to users, and when you send a connection request, you’re taken to a URL which is: https://www.website.com/yourwall/sent-invite/username/?Sendcon=true and a message

Your invitation to Name was sent.

is displayed, where ‘Name’ is the name of the user associated with ‘username’. Even though we get a success message, the connection request is not sent. And if we supply an invalid ‘username’ parameter in the URL we still get a success message, but as:

Your invitation to {:user} was sent.

Could this be a vulnerability? How can it be exploited and mitigated?

getting no subject alternative name present exception when the csr shows that the SANs are present

I am trying to set up SSL for gRPC, but no matter what I try I get a “no subject alternative names present” error. I’ve verified the SANs are in the certificate signing request. The common name and also a SAN are the IP address. I am trying to connect using the IP address. The exception I get is

Caused by: java.security.cert.CertificateException: No subject alternative names present
    at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:137)
    at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:96)

The text of my csr follows:

[sysadmin@rit5 san]$ openssl req -in my.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=TX, L=Austin, O=MYCOMPANY, OU=MYUNIT, CN=172.28.4.89
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:1d:0c:80:ee:b3:20:06:df:6e:f1:04:e5:10:
                    54:5d:70:07:fd:68:25:33:12:37:73:98:45:8b:35:
                    ba:cf:9b:7c:63:82:0a:e2:16:0d:33:36:10:dd:b5:
                    f9:21:da:04:8c:18:15:77:e2:65:72:e8:c9:6e:01:
                    dc:47:48:53:ce:45:c9:a9:f1:9d:d0:0f:a7:cb:d5:
                    5b:55:eb:b4:38:cb:50:5d:51:c2:bb:65:f6:76:09:
                    76:8d:34:0a:c6:35:95:e3:0f:8f:71:be:73:22:78:
                    84:26:4f:5e:d3:6a:2c:69:b4:57:e1:fc:37:47:e6:
                    56:80:6c:bf:7a:97:78:20:17:22:d0:fc:c6:0c:17:
                    0b:dc:23:8f:0e:8a:cb:48:6d:a6:0c:ce:4b:24:54:
                    66:82:d0:29:dd:bf:5b:5f:cd:b8:f3:2f:3a:40:09:
                    cd:84:6c:2f:74:60:74:e2:3a:13:b9:2e:5c:df:39:
                    a3:47:07:96:5a:ed:be:14:71:42:58:6b:53:77:a2:
                    af:0a:6d:c3:57:ba:e0:95:ed:55:78:2f:21:cc:af:
                    95:e7:de:50:3d:7d:7e:29:4e:ed:bf:9e:14:36:0e:
                    71:a3:e4:79:03:12:cd:55:c3:77:00:0f:02:2d:d1:
                    e6:2f:a5:b0:3e:62:76:4e:bd:2a:33:56:76:8f:8d:
                    2f:b5
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:172.28.4.89, DNS:rit5.mycompany.com, DNS:rit5
    Signature Algorithm: sha512WithRSAEncryption
         17:18:63:dc:d9:84:90:da:de:b6:8e:82:ce:84:6a:a3:5d:11:
         87:37:2b:e7:56:6e:e5:ea:42:11:4c:8f:66:28:8b:44:4f:0a:
         b9:89:d9:67:86:f4:0f:8a:44:b8:b2:87:62:65:c2:9c:7a:08:
         bf:74:4a:b3:f4:35:82:45:50:7f:3f:ab:c4:97:60:59:99:8c:
         8e:8b:12:0f:3b:dd:2a:6d:a9:be:06:8a:70:e7:e6:08:22:57:
         89:e8:c0:86:f1:26:dc:23:08:aa:ab:2f:07:0d:0b:78:0b:3d:
         d9:ce:ac:92:32:80:81:18:25:17:d4:04:22:e2:f9:f2:96:b1:
         be:76:96:0c:70:39:cf:64:d3:7d:66:b9:f8:b5:20:18:17:66:
         a4:f8:26:a7:02:42:0e:9f:6f:1e:4c:19:1d:d5:19:7b:17:0c:
         64:45:34:d0:12:af:e1:8e:9d:e1:ce:84:49:54:87:78:c9:ba:
         10:f0:65:5b:0e:f4:4f:3f:91:de:cc:46:36:fa:45:ff:0d:7a:
         a4:c7:9b:b7:82:f6:b0:3b:c4:f3:9f:45:94:43:a8:ad:ae:e2:
         e2:a2:66:59:d1:5e:b2:ee:a6:55:90:27:4c:57:c8:04:4b:30:
         bd:02:bf:e5:3e:7c:b1:c6:0f:04:50:f5:96:76:37:bb:ed:7a:
         ba:3c:7c:07

The config file I used to create the CSR and key is here:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = TX
L = Austin
O = MYCOMPANY
OU = MYUNIT
CN = 172.28.4.89

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = 172.28.4.89
DNS.2 = rit5.mycompany.com
DNS.3 = rit5

To generate the CSR I used the following command:

openssl req -new -out my.csr -newkey rsa:2048 -nodes -sha512 -keyout my-private-key.pem -config ssl.ext 

To self-sign it I used the following command:

openssl x509 \
    -signkey my-private-key.pem \
    -in my.csr \
    -req -days 365 -out my-public-key-cert.pem

I’m at my wit’s end. Any help would be appreciated. The certificate is generated without the SANs.

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c7:af:ad:c2:98:be:7b:c1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=TX, L=Austin, O=MYCOMPANY, OU=MYUNIT, CN=172.28.4.89
        Validity
            Not Before: Jun  5 20:26:00 2020 GMT
            Not After : Jun  5 20:26:00 2021 GMT
        Subject: C=US, ST=TX, L=Austin, O=MYCOMPANY, OU=MYUNIT, CN=172.28.4.89
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:1d:0c:80:ee:b3:20:06:df:6e:f1:04:e5:10:
                    54:5d:70:07:fd:68:25:33:12:37:73:98:45:8b:35:
                    ba:cf:9b:7c:63:82:0a:e2:16:0d:33:36:10:dd:b5:
                    f9:21:da:04:8c:18:15:77:e2:65:72:e8:c9:6e:01:
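The two details the posted output points at, reproduced as an added shell example (not the asker's commands): the self-signed certificate above is Version 1 with no extensions because `openssl x509 -req` does not carry requested extensions over unless told where to read them (-extfile/-extensions), and Java's HostnameChecker.matchIP only matches SAN entries of type IP, whereas the config lists the address as DNS:172.28.4.89. The script uses the same config with those two changes and checks the result; it assumes openssl on PATH, and the address and host names are the constructed values from the question.

```shell
#!/bin/sh
# Added example, not the question author's commands. Same config as the
# question, but the address is an IP-type SAN and the v3_req section is
# passed to `openssl x509 -req` so the extensions survive self-signing.
# Assumes `openssl` is on PATH; files are written to a temporary directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/ssl.ext"

cat > "$CFG" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = TX
L = Austin
O = MYCOMPANY
OU = MYUNIT
CN = 172.28.4.89

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = 172.28.4.89
DNS.1 = rit5.mycompany.com
DNS.2 = rit5
EOF

# make_cert: builds key, CSR and self-signed cert; succeeds only when the
# final certificate is v3 and carries the IP SAN that matchIP looks for.
make_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha512 -config "$CFG" \
        -keyout "$WORK/my-private-key.pem" -out "$WORK/my.csr" 2>/dev/null
    # Without -extfile/-extensions, `x509 -req` ignores the CSR's requested
    # extensions and emits a Version 1 certificate with no SAN at all.
    openssl x509 -req -days 365 -sha256 -in "$WORK/my.csr" \
        -signkey "$WORK/my-private-key.pem" -extfile "$CFG" -extensions v3_req \
        -out "$WORK/my-public-key-cert.pem" 2>/dev/null
    openssl x509 -in "$WORK/my-public-key-cert.pem" -noout -text > "$WORK/cert.txt"
    grep -q 'Version: 3' "$WORK/cert.txt" && grep -q 'IP Address:172.28.4.89' "$WORK/cert.txt"
}
```

Run `make_cert && echo ok` after sourcing the script; the final `openssl x509 -text` output will show `IP Address:172.28.4.89, DNS:rit5.mycompany.com, DNS:rit5` under X509v3 Subject Alternative Name.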