## Single “User-Only” Page with SMS Verification?

I am building a relatively simple site for a client and am hitting a wall when it comes to what seemed like a deceivingly easy request.

He wants one page of the site with important info to be only accessible to users who have provided a valid phone number in a registration form for easy followup later on. I have a couple ideas for how to build that functionality, but neither cover every base.

• Use basic wordpress login/registration functionality and only allow logged in users to see the page. I feel as though sms verification isn’t an option as phone numbers aren’t stored via WordPress’s registration system.
• Use Orion SMS OTP verification on a basic form hosted on the site. When the user verifies their phone number and submits the form, the password for the password protected private page will be sent via SMS to their provided phone #. With this one, I’m confused as to where I could store the user’s information for easy lookup later on. Would Twilio be an option? or Mailchimp?

Thanks for any advice you can send my way. I’m relatively new when it comes to WordPress dev.

## Email Verification – Create Emails…

If you click on your project, go to email verification and hit create emails, the list is very outdated. Most don’t work.

The ones that are valid though, it’s not capturing any emails. eg. gmaile.design (No emails are being sent there when actually testing).  Can you fix this @Sven

I was looking for a catchall solution and this doesn’t work sadly.
http://prntscr.com/uh550p

## Pop3 Verification

I usually can load my list of emails, run it via pop3 checking but now it just test a few then stops and dies. the program doesn’t do anything. Can you please look into this?

## Client-side password strength policy verification. CVSS3.1? OWASP WSTG?

Using the OWASP testing guide, if password strength policy verification is implemented only client-side, can that be considered a vulnerability? In which category?

Also which CVSS it should have?

## Use of pumping lemma for not regular languages. (Proof Verification)

$$L=\{w \in \{0,1,a\}^* | \#_0(w) = \#_1(w) \}$$

We show that L is not regular by pumping lemma.

We choose w=$$0^p 1^p a$$

|w| = 2p+1

Now |xy| has to be $$\leq p$$

So x and y could only contain zeros. And $$z=1^p a$$

$$xy^iz= 0^p 1^p a$$

Now let i = 0

$$xy^0z=0^{p-|y|} 1^p a$$

Now hence $$p-|y| \neq p$$ this choice of i would lead to a word that is not in L. So we can not pump y and stay in the language.

So L is not regular.

I’m trying to learn the usage of the pumping lemma. Is my proof correct?

Any suggestions are welcome. Thanks!

## Is revealing phone number during OTP verification process consifered vulnerability?

One of the common way of implementing 2FA is using phone number Text message or Call with OTP. As I can see, usually web services show something like "OTP was sent to the number +*********34". Is is done because revealing the number is considered a vulnerability? If yes, then which one, is it described anywhere? I guess it has something to do with not wanting to show too much info about the user. This info might be used be social engineering, but maybe there is something else?

Having a link to a trusted location with the description would be great as well.

## Process and order of verification of a X.509 certificate chain

While going through the rfc5280 Certificate Path Validation to understand how the X.509 certificate chain is validated, I found out that the X.509 path processing Algorithm processes the chain in an order from trust anchor to the end entity. After reading this, I am a bit confused as to how the chains are validated. Is my understanding correct that Certificate Path validation mentioned in the RFC is sufficient to validate an X.509 certificate chain ?

The Algorithm accepts 9 parameters, out of which one is

 (d)  trust anchor information, describing a CA that serves as a        trust anchor for the certification path.  The trust anchor        information includes:       (1)  the trusted issuer name,       (2)  the trusted public key algorithm,       (3)  the trusted public key, and       (4)  optionally, the trusted public key parameters associated           with the public key. 

How does a verifier know what trust anchor to use before the path is validated.

The outputs of this algorithm as state by the RFC is

If path processing succeeds, the procedure terminates, returning a success indication together with final value of the valid_policy_tree, the working_public_key, the working_public_key_algorithm, and the working_public_key_parameters.

It’s returning the working_public_key* attributes and a success indication. Is that sufficient.

### My understanding of the X.509 chain validation.

For certificates supplied as Cert[1] signed by Cert[2] signed by Cert[3] where Cert[3] is a CA,

1. Find certificate responsible for Cert[1].AKID and extract public key
2. Verify Cert[1]’s signature and other attributes
3. Check if Cert[2].SKID is trusted in the system trust/loaded trust of the client performing the operation. If not found, exit with an invalid verdict.
4. If yes, the chain is trusted, exit with a valid verdict
5. If no, then repeat the steps from 1 with Cert[2].

If my understanding is correct, why is the RFC version written in such a way.

### Reasons of why I think the RFC mentions the chain is processed in the reverse order

1. The prospective certificate path section 6.1

(a) for all x in {1, …, n-1}, the subject of certificate x is the issuer of certificate x+1;

(b) certificate 1 is issued by the trust anchor;

This states that certificate is ordered from trust anchor to end entity. Also supported by Subject(x) == Issuer(x + 1). Meaning, Cert[n] is the end entity cert

2. Certificate processing in section 6.1.3.

 The basic path processing actions to be performed for   certificate i (for all i in [1..n]) are listed below. 

This also reads the certificates from 1, i.e. the trust anchor.

3. In the section for Preparation for Certificate i+1,

To prepare for processing of certificate i+1, perform the following steps for certificate i:

(c)  Assign the certificate subject name to working_issuer_name. 

The subject of Cert[i] is assigned to Cert[i + 1] as an issuer.

1. In the section for Wrap-Up Procedure
To complete the processing of the target certificate, perform the following  steps for certificate n: 

This also mentions Cert[n] as the target certificate.

## Minimum Subsequence Sum Algorithm Verification

I have an algorithm which is meant to solve the following computational problem:

Input: Sequence of positive integers
Output: A Sub-sequence of some desired length derived from original Sequence such that the sum of the sub-sequence’s elements are the minimum sum possible

The Algorithm I have to solve this problem is implemented as a method in Java:

public int[] runA(int k) {          //k is desired length of sub-sequence          /*Sequence S is the original sequence provided as input, it is available as a class variable         for the class 'MinimumSubsequence' which this method 'runA' is apart of*/                                 //A is Sequence S copy with pseudo-boolean values attached to each element in S         int[][] A = new int[this.S.length][2];         //B is size K array storing the k smallest elements found in S along with their indexes         int[][] B = new int[k][2];          //initialization         for (int i = 0; i < this.S.length; i++) {             A[i][0] = this.S[i];             A[i][1] = False;         }         for (int i = 0; i < k; i++) {             B[i][0] = this.S[i];             B[i][1] = i;         }          //Execution         //search for k smallest elements in sequence S         for (int i = 0; i < k; i++) {             for (int j = 0; j < this.S.length; j++) {                 if (A[j][0] <= B[i][0] && A[j][1] == False) {                     B[i][0] = A[j][0];                     B[i][1] = j;                 }                 A[(B[i][1])][1] = True;             }         }          //build subsequence         int[][] C = new int[this.S.length][2];         for (int i = 0; i < C.length; i++) {             C[i][1] = False;         }         for (int i = 0; i < C.length; i++) {             for (int j = 0; j < B.length; j++) {                 if (B[j][1] == i && (C[i][1] == False)) {                     C[i][0] = B[j][0];                     C[i][1] = True;                 }             }         }         int[] D = new int[k];         int j = 0;         for (int i = 0; i < C.length; i++) {             if (C[i][1] == True) {                 D[j] = C[i][0];                 j++;             }         }          return D;     } 

The algorithm basically works by scanning the original sequence provided, each time scanning for the next smallest number. Once it has found the k smallest numbers in the sequence it builds and returns a sub-sequence made from those smallest elements in the original sequence

I believe that this algorithm does correctly solve the computational problem and that the running time of this algorithm is in O(N) (N being size of input sequence). I would just like some verification about the correctness and efficiency of this algorithm. I am also wondering if there exists are more efficient algorithm to solve this computational problem as I’m just not very satisfied with this one but can think of no other approach.