In our mobile application, users need to register first before they can use it. After successful registration, they an now login and use features of the app. Now we will have a feature in our application where all users who have records in the active directory and “master” database but not yet registered in the app would be sent sms with a registration link. The details are the ff.
A static link is sent (not the usual dynamic ones where a token is appended to the url)
When that link is clicked, an authentication page would show up in the machines internet browser and show a page where it asks for the user’s email address and birthday. When the entered information is valid, a one time password is sent via sms and if valid, the user can now proceed with registration
The question is, is this kind of process secure? there was a debate within our team whether the link sent via sms should be dynamic or static? what are the possible vulnerabilities of this kind of process? doesn’t seem to violate any OWASP standard.
I have a static-page website that I need to pentest. What I mean by this is that the site does not have a database, and it has no area to submit user input except for to a third party payment service that is managed entirely by them.
I have actually done web app pentesting before and found vulnerabilities such as XSS, CSRF, IDOR, and DoS. However, these were web apps where content was being reflected back to the page, and a user was “logged in.”
Off the top of my head, I can think of:
- Exposed/improperly protected admin panels
- Directory traversal
- Weak admin credentials on the host accounts/admin controls
Aside from those issues, I am having a difficult time coming up with other vulnerabilities to look for on a static site where user input is not collected or reflected, there is no notion of an “account”, and etc… The site does use PHP 7 on Apache, but the site is rather basic compared to many of the modern “web app” sites which utilize OAuth, social media login, reflect content back to the page, and so on.
Note: I did see Which security measures make sense for a static web site? but that post is more from a “blue team” standpoint, whereas I am asking for pentesting advice, not advice for how to secure the site.
However I wonder the following: If the pages on example.org are all static, i.e. no forms that perform actions or endpoints that act on POST requests, does the SOP still matter?
I was thinking of attacks like: Can example.org/foo/ open example.org/bar/, but with manipulated content? This could be useful e.g. if example.org/foo hosts downloads that an attacker can manipulate or redirect. I have tried a few things, but I wasn’t able to perform such an attack. (One way might be ServiceWorkers, but they are path constrained, which limits possibilities quite a bit.)
And are there other attacks that one should care about in purely static scenarios?
I am trying to understand perfect hashing aka FKS, but I have a few questions.
From my understanding, perfect hashing is a two level hashing in which you take a hash function from a universal family of hash functions, and hash a key to a specific slot in a hash table. At this step there might be collisions and that’s why we apply a second hash function to the key and we store as the value another hash table of size at most 2n.
My questions are:
- Do we have two hash tables? Can we have 1 array and 1 hash table?
- Can the 2 hash functions used have different inputs? Meaning can I pass different keys to each hash function?
For example, I have a string and I would like to store it in a dictionary using static perfect hashing. Can I do the following? :
Have a hash table (A) that will store a counter that will be incremented and will be at max n. The counter will be used as the index where the string starts, for example, if the string is “hello”, and the counter= 2, the string will be modified and started from index 2, so the string will be “llo”. Therefore A will be of size n and will have as keys the counter, and as values it will have hash tables (B_i).
Then B_i will store as keys the character of the string and as values the position of each character with regards of the counter.
- Have a hash function that will be used to map the position of the character in the string to a specific slot in the hash table (A)
- Have a second hash function that will map each character in the string to a slot in the second hash table B_i.
Is that a valid way of performing static perfect hashing? Could I remove the first hash function and turn the first hash table (A) into a simple array (since at the first stage I am only interested in the index/position of the characters in the string?
I am currently looking into how to protect a BLE connection from active attacks (man-in-the-middle) if one of the devices neither has a display nor a keyboard.
Lemberg Solutions suggests this:
Alternatively, the passcode can be shipped together with the devices (on paper or as part of an online purchase), and the user should then manually input it to each separate device.
This can only mean that one device (device A) (most likely one without a keyboard and without a display) has a passkey embedded in the device somewhere. So it is static. This static passkey is also used by the other device (device B) (e.g. entered using keyboard input, via camera, …). The same passkey will be used every time BLE pairing is established with device A.
Am I understanding their suggestion correctly?
My understanding of Secure Connections with passkey is, that each device does the following for each bit of the passkey:
- create a nonce
- calculate a confirmation value using: nonce, passkey[i], SK
- exchange the confirmation values with the other device (send own, receive other)
- exchange the nonces (send own, receive other)
- check that the confirmation value of the other device is correct If one of the checks fails, the connection is dropped.
In the case of a man-in-the-middle attack, the attacker can figure out the passkey by “brute-forcing” each bit. After all, there are only two possibilities for each bit.
This is not harmful for the current connection, because the attacker is “too late” to use the passkey. And it is not harmful if a different passkey is used for the next connection. But this is fatal if another connection is made using the same passkey (which is going to happen if a static passkey is used).
So, after the attacker listened to the pairing attempt, she interrupts the connection (e.g. right after the last set of nonces was transmitted). Now she only has to wait until the next connection attempt is made. She can now hijack the whole connection.
Is my assessment of this situation correct and the static passkey is a bad idea or am I overlooking something?
I’ve got a very hard issue with a blog (a two years setup) in 4.8.12 (many plugin was install and uninstall…)
My static page display all post;
I have correctly setup settings – reading with 10 posts
T have try the custom post limits
But nothing works, certainly a variable in the table option in mysql override this param
Have you got an idea about ?
I have try to upgrade the version of wordpress in 5.3.2 but it still not work.
With a fresh install, it works fine.
I have this in my .htaccess file:
When I do a speed test, I get a C in “cache static content”, because of this:
Leverage browser caching of static assets: 79/100 Learn More
FAILED – (No max-age or expires) – https://static.cloudflareinsights.com/beacon.min.js
FAILED – (5.0 minutes) – https://www.google.com/recaptcha/api.js
FAILED – (15.0 minutes) – https://www.googletagmanager.com/gtm.js?id=GTM-P55kj6J
WARNING – (1.8 hours) – https://www.google-analytics.com/analytics.js
WARNING – (24.0 hours) – https://fonts.googleapis.com/css?family=Chewy|Open+Sans:300,400|Merriweather:400,700
WARNING – (2.0 days) – https://learningeveryday.org/cdn-cgi/scripts/5c54i28/cloudflare-static/email-decode.min.js
WARNING – (2.0 days) – https://ajax.cloudflare.com/cdn-cgi/scripts/708564e/cloudflare-static/rocket-loader.min.js
WARNING – (2.5 days) – https://learningeveryday.org/includes/lazyload.min.js
WARNING – (2.5 days) – https://learningeveryday.org/includes/tinymce.min.js
WARNING – (2.5 days) – https://learningeveryday.org/includes/listo.min.js
WARNING – (2.5 days) – https://learningeveryday.org/includes/jquery.validate.min.js
WARNING – (2.5 days) – https://learningeveryday.org/includes/js/popper.min.js
WARNING – (2.5 days) – https://learningeveryday.org/includes/js/jquery-ui.min.js
WARNING – (2.5 days) – https://learningeveryday.org/includes/js/jquery-3.3.1.min.js
WARNING – (6.9 days) – https://learningeveryday.org/style.min.css
WARNING – (6.9 days) – https://learningeveryday.org/includes/bootstrap.min.css
Why I’m getting these errors? I thought that I’ve already cached js files…
I found CRLF injection on a site but it doesn’t has any login, session or anything or that sort. I wonder if there’s any way to prove impact of CRLF injection here.
Something that I think can be done is, an attacker can craft the payload in such a way that it would respond with
Location header and user would be redirected to a malicious site. This is called Response Splitting. But I’m not sure if the company would consider this as a vulnerability because user’s can only be redirected.
I asked myself if that’s the only thing an attacker can do? After sometime I realized XSS can also be perform with response splitting but what would attacker get with XSS as there is no session cookie or anything?
I can’t figure out how to show am impact of this, are you aware of any interesting header or anything, any help?
EDIT: I found a broken link to an external site on this same forum and checked for content on wayback.
Cross-User Defacement: An attacker can make a single request to a vulnerable server that will cause the server to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the server. This can be accomplished by convincing the user to submit the malicious request themselves, or remotely in situations where the attacker and the user share a common TCP connection to the server, such as a shared proxy server. In the best case, an attacker can leverage this ability to convince users that the application has been hacked, causing users to lose confidence in the security of the application. In the worst case, an attacker may provide specially crafted content designed to mimic the behavior of the application but redirect private information, such as account numbers and passwords, back to the attacker.
But I don’t understand it properly, can anyone please explain it in simple words?
If I use static damage from monsters, how do I calculate the value on critical hits? I can’t just double the value, because that includes the static modifier. Should I recalculate the damage on the fly (so, if the monster usually has (7) d8 + 3, I make it (11) 2d8 + 3)? That’s kind of pain in the ass. Or do the monsters not double their static damage on critical hits and only get the benefit of the guaranteed hit? Alternatively, I could decide that I roll on crits.
Are there official rules the govern this?
One of my players has a Cloack of Displacement, which grants, for every round, monsters have disadvantage attacks against the player until the first attack hits.
What follows from that power, is that I have to ask the player for every attack, if the monster has disadvantage or not. That is an extra effort I don’t want to do; the information about whether or not he has a benefit is on his side of the table. (Note: as a DM I always ask “does AC X hit you?”)
So, we want to change the Cloak; instead of granting the monster disadvantage on their attack, the Cloak offers him, for every round, a bonus to AC, until he is hit.
Here is my question; what bonus should the Cloak give to the player?
Assume the player is a level 12 PC with an AC of 16. If we need to take the attack bonus of the monsters into account; assume a master needs to roll a 10 to hit.