Evasion and Vulnerability to Energy precedence?

A creature has Evasion:

‘If she makes a successful Reflex saving throw against an attack that normally deals half damage on a successful save, she instead takes no damage.’

And also has Vulnerability to Energy:

‘Some creatures have vulnerability to a certain kind of energy effect (typically either cold or fire). Such a creature takes half again as much (+50%) damage as normal from the effect, regardless of whether a saving throw is allowed, or if the save is a success or failure.’

Which rule takes precedence if a creature is attacked by an effect of that energy type and a successful Reflex saving throw is made against this energy attack that normally deals half damage on a successful save?

Potential vulnerability in JSON response returning base 64 encoded image data, with the response being vulnerable to MIME sniffing

A JSON response in the API of a webapp is returning the base64 of a user-uploaded image, and there’s no X-Content-Type-Options Header to prevent MIME sniffing.

Could this be a potential vulnerability such as an XSS for the webapp by using steganography to edit the image with a payload, uploading it, and then MIME sniffing the JSON response? (or by any other means?)

ASP.Net XSS – How does this vulnerability work

I have been tasked with fixing an XSS issue in an ASP.Net application, but I have never seen this kind of attack before, so first it would be great if I could understand how this is working, and then I need some help because I haven’t been able to fix it.

The attack goes like so:

https://example.com/AnyPageInTheApplication.aspx/(A('onerror='alert%601%60'testabcd))/ 

When I look at the network tab in Chrome’s dev tools I see that the request has been hijacked by the last section of the URL and the alert shows up, but I do not know how this is working. An explanation would be greatly appreciated.

To fix it I first looked at the application web.config file and I saw that the validateRequest switch is disabled so I changed it to true and the vulnerability is still there.

The application is really large and, according to some documentation on it, apparently they disabled the validateRequest switch because it is supposed to be handled on the server by some backend code, obviously not working, and I have yet to find out the reasons for this application being designed this way (I’m very new to the company).

This issue begs a few questions:

  • Why does enabling the validateRequest switch not fix the issue?
  • Where else could I look for the potential problem?
  • Is there an alternative to fix this vulnerability other than validateRequest?

How can wkhtmltopdf be used without introducing a security vulnerability?

Background

Per the project website, wkhtmltopdf is a "command line tool to render HTML into PDF using the Qt WebKit rendering engine. It runs entirely "headless" and does not require a display or display service."

The website also states that "Qt 4 (which wkhtmltopdf uses) hasn’t been supported since 2015, the WebKit in it hasn’t been updated since 2012."

And finally, it makes the recommendation "Do not use wkhtmltopdf with any untrusted HTML – be sure to sanitize any user-supplied HTML/JS, otherwise it can lead to complete takeover of the server it is running on!"


Context

My intention is to provide wkhtmltopdf as part of an application to be installed on a Windows computer. This may or may not be relevant to the question.


Qualifiers / Additional Information

  • A flag is provided by wkhtmltopdf to disable JavaScript (--disable-javascript). This question assumes that this flag functions correctly and thus will count all <script> tags as benign. They are of no concern.
  • This question is not related to the invocation of wkhtmltopdf – the source HTML will be provided via a file (not the CLI / STDIN) and the actual command to run wkhtmltopdf has no chance of being vulnerable.
  • Specifically, this question relates to "untrusted HTML" and "sanitize any user-supplied HTML/JS".
  • Any malicious user that is able to send "untrusted" HTML to this application will not receive the resultant PDF back. That PDF will only temporarily exist for the purpose of printing and then be immediately deleted.
  • Even someone with 100% working knowledge of all of the wkhtmltopdf/webkit/qt source code cannot concretely state that they have zero vulnerabilities or how to safeguard against unknown vulnerabilities. This question is not seeking guarantees, just an understanding of the known approaches to compromising this or similar software.

Questions

What is the goal of sanitization in this context? Is the goal to guard against unexpected external resources? (e.g. <iframe>, <img>, <link> tags). Or are there entirely different classes of vulnerabilities that we can’t even safely enumerate? For instance, IE6 could be crashed with a simple line of HTML/CSS… could some buffer overflow exist that causes this old version of WebKit to be vulnerable to code injection?

What method of sanitizing should be employed? Should we whitelist HTML tags/attributes and CSS properties/values? Should we remove all references to external URI protocols (http, https, ftp, etc.)?

Does rendering of images in general provide an attack surface? Perhaps the document contains an inline/data-uri image whose contents are somehow malicious but this cannot reasonably be detected by an application whose scope is to simply trade HTML for a rendered PDF. Do images need to be disabled entirely to safely use wkhtmltopdf?

What is the current state of the art vulnerability scanner? [closed]

I want to use my spare time to fiddle around with Metasploitable 2 a little, so I did a fresh installation of a Kali VM.

What confuses me is that there seems to be no vulnerability scanner on board anymore? If I remember correctly, a few years ago Kali was shipped with OpenVAS, NeXpose and Nessus.

I did some quick research into which tool is the current state of the art but only found very old and outdated information. As far as I see, Nexpose is now commercial without a community version?

What is the current state of the art vulnerability scanner, and why isn't it shipped in Kali anymore?

Chrome vulnerabilities are detected in vulnerability scan even after upgrading to the latest version

Had a few Chrome vulnerabilities [CVE-2020-6420] detected by BI (Retina). Upgraded the affected machines to Chrome version 84.0.4147.89. After re-scan, still the same vulnerabilities are detected.

Has anyone experienced this before? Please help to resolve it.

File Upload Vulnerability SVG

I am currently doing a bug bounty program and was testing the company’s file upload functionality. After meddling with the functionality for a while, I was able to change the extension of the uploaded file to ‘.svg’ using Burp Suite. I have read tons of articles saying that .svg files are equal to XSS. In my case I was not able to fully upload an SVG file since the server is checking the content of the file. I have changed the ‘Content-Type’ to image/svg and the file is uploaded, but when I change the content of the file with XML tags, the server denied my upload. I found out that in order for the file to be uploaded successfully, the beginning of the content should be ‘…JFIF’, which is metadata to describe that the content is JPEG/PNG and is interchangeable. I have tried appending the SVG XML tag after the metadata and have successfully uploaded it to the server, but when the image is opened, a square image appeared and my XML tags are not being executed.

Is there any way I could bypass this image content check to be able to execute XML? Is there any metadata for SVG perhaps?

Is this a remote code execution vulnerability?

I am planning to evaluate and install publicly available software.

https://github.com/opensemanticsearch/open-semantic-search

While reviewing the issues on github, there is an issue open which indicates possible remote code execution for Solr with screenshots.

https://github.com/opensemanticsearch/open-semantic-search/issues/285

I have no idea about security vulnerabilities and am hoping this is the correct forum to ask experts. Do you think this is a security vulnerability, and should one avoid using the software until it is fixed?