attacks: What data should I record to identify an attacker?

Do you know what information in the application I must record to identify a possible attacker?
I would like to improve the login of my web application. I would like to collect some information from the application to identify possible attackers, but I don't know what data I should record, for example the IP address, etc.
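As an added illustration (not part of the original question), here is one way to structure a login audit record and run a simple detection over it. The field set is an assumption, a reasonable starting point rather than a prescribed standard: timestamp, normalised username, validated client IP, the raw X-Forwarded-For value when behind a proxy, user agent, and a coarse outcome code. The detection flags a source IP that either fails repeatedly against one account or fails against several distinct accounts within a short window (password spraying). The sample events and the IP addresses in them are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def login_event(ts, username, client_ip, outcome, user_agent, forwarded_for=None):
    """One structured audit record per login attempt (assumed field set)."""
    return {
        "ts": ts.isoformat(),
        "username": username.strip().lower(),        # normalised so variants collapse
        "ip": str(ipaddress.ip_address(client_ip)),  # raises on a malformed address
        "forwarded_for": forwarded_for,              # raw proxy header, if any
        "user_agent": user_agent,
        "outcome": outcome,  # "success" | "bad_password" | "no_such_user" | "locked"
    }


def detect_suspicious(events, window=timedelta(minutes=5),
                      fail_threshold=5, user_threshold=3):
    """Flag source IPs that, within `window`, fail at least `fail_threshold`
    times (brute force) or fail against at least `user_threshold` distinct
    usernames (password spraying). Returns {ip: set(reasons)}."""
    per_ip = defaultdict(list)   # ip -> [(ts, username)] of recent failures
    flags = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] == "success":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        hist = per_ip[ev["ip"]]
        hist.append((ts, ev["username"]))
        while hist and ts - hist[0][0] > window:   # slide the window forward
            hist.pop(0)
        if len(hist) >= fail_threshold:
            flags.setdefault(ev["ip"], set()).add("bruteforce")
        if len({u for _, u in hist}) >= user_threshold:
            flags.setdefault(ev["ip"], set()).add("spray")
    return flags


# Constructed sample data (documentation-range IPs, fake user agent).
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
UA = "Mozilla/5.0 (constructed sample)"
SAMPLE_EVENTS = (
    # six wrong passwords for one account from one address within two minutes
    [login_event(T0 + timedelta(seconds=20 * i), "alice", "198.51.100.7",
                 "bad_password", UA) for i in range(6)]
    # one failure each against three different accounts from another address
    + [login_event(T0 + timedelta(seconds=30 * i), user, "203.0.113.9",
                   "no_such_user", UA)
       for i, user in enumerate(["alice", "bob", "carol"])]
    # a normal successful login
    + [login_event(T0 + timedelta(seconds=45), "dave", "192.0.2.5", "success", UA)]
)


def analyze_sample():
    """Run the detector over the constructed events."""
    return detect_suspicious(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ip, reasons in analyze_sample().items():
        print(ip, sorted(reasons))
```

Recording the outcome as a code rather than free text keeps the detector simple, and normalising the username stops "Alice" and "alice " from looking like different accounts. Thresholds and the window are deliberately parameters; tune them to the application's real traffic.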

xss – Letting the attacker control the content type, why is this safe?

I found a strange behavior of Shopify, where an attacker can change the extension in a URL and the backend will send an HTTP Content-Type that matches that extension, for each of these extensions:

atom: application/atom+xml
bmp: image/bmp
css: text/css
csv: text/csv
gif: image/gif
jpg: image/jpeg
json: application/json
js: text/javascript
mp3: audio/mpeg
mpeg: video/mpeg
mpg: video/mpeg
pdf: application/pdf
png: image/png
rss: application/rss+xml
svg: image/svg+xml
tiff: image/tiff
tif: image/tiff
txt: text/plain
xml: application/xml
yml: application/x-yaml
zip: application/zip

For example, https://gavinwahl-test.myshopify.com/.foo.yml returns 'Content-Type: application/x-yaml', even on a 404. https://gavinwahl-test.myshopify.com/search.svg returns the HTML of the actual search page but with an image/svg+html content-type.

The search page also lets you insert text of your choice (HTML-escaped):
https://gavinwahl-test.myshopify.com/search.zip?q=%50%4b%05%06%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00, for example, returns application/zip and is actually a valid zip file (despite having HTML around it).

It seems like there should be a vulnerability here. The search query is HTML-escaped, but we can tell the browser to interpret it as some other content type that may have different escaping rules. This has been done with EML files (Microsoft Outlook Express emails) before. I know there are many vulnerabilities in which content of one type is interpreted as a different type, but Shopify states that this practice is safe and not exploitable.

Is there really a good argument that this is safe? Is there any way to get a reflected XSS payload based on the content type confusion?

(I have reported this as an issue to Shopify Security and they said it was safe, so I am publishing it publicly.)
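The following is an added example, not code from the question or from Shopify, contrasting the behaviour described above with the hardened pattern a defender would want. The weak function reproduces the question's extension table and lets the requester's extension pick the Content-Type. The hardened variant takes the type from the handler's own declaration (the route table here is hypothetical), always sends X-Content-Type-Options: nosniff so the browser does not re-guess the type, and serves any download whose bytes the user can influence as an attachment.

```python
import os

# The extension-to-type table from the question, used to model the weak
# behaviour: the requester's chosen extension picks the Content-Type.
EXTENSION_TYPES = {
    "atom": "application/atom+xml", "bmp": "image/bmp", "css": "text/css",
    "csv": "text/csv", "gif": "image/gif", "jpg": "image/jpeg",
    "json": "application/json", "js": "text/javascript", "mp3": "audio/mpeg",
    "mpeg": "video/mpeg", "mpg": "video/mpeg", "pdf": "application/pdf",
    "png": "image/png", "rss": "application/rss+xml", "svg": "image/svg+xml",
    "tiff": "image/tiff", "tif": "image/tiff", "txt": "text/plain",
    "xml": "application/xml", "yml": "application/x-yaml", "zip": "application/zip",
}
HTML = "text/html; charset=utf-8"


def _split(path):
    """Split a request path into (route without extension, lowercase extension)."""
    base = path.split("?", 1)[0]
    route, ext = os.path.splitext(base)
    return route, ext.lstrip(".").lower()


def weak_content_type(path):
    """Weak: whatever extension the client appends decides how the body is
    labelled, even though the body is whatever the handler rendered."""
    _, ext = _split(path)
    return EXTENSION_TYPES.get(ext, HTML)


# Hypothetical route table for the hardened variant: each handler declares the
# type of the body it produces and whether that body embeds user-supplied text.
ROUTES = {
    "/search": (HTML, False),
    "/feed": ("application/atom+xml", False),
    "/export": ("text/csv", True),
}


def hardened_headers(path):
    """Hardened: the type comes from the handler, never from the path; nosniff
    stops browsers from second-guessing it; user-influenced downloads go out as
    attachments. Returns (status, headers)."""
    route, _ = _split(path)
    headers = {"X-Content-Type-Options": "nosniff"}
    entry = ROUTES.get(route)
    if entry is None:
        headers["Content-Type"] = "text/plain; charset=utf-8"
        return 404, headers
    ctype, user_influenced = entry
    headers["Content-Type"] = ctype
    if user_influenced:
        headers["Content-Disposition"] = "attachment"
    return 200, headers


if __name__ == "__main__":
    for p in ["/search.svg", "/search.zip?q=x", "/.foo.yml", "/export.zip"]:
        print(p, "weak:", weak_content_type(p), "hardened:", hardened_headers(p))
```

A stricter variant would return 404 for any extension the route does not explicitly support instead of silently ignoring it; the point that matters is that the response type is never derived from client-controlled input.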

Keepass: To what extent will the maximum transformation rounds in Keepassx deter an attacker over the next twenty years?

Keepassx lets you decide how many transformation rounds must be executed to unlock your Keepass database. In my version of Keepassx (2.0.3) the maximum value seems to be 999,999,999. With that setting, it takes about 22 seconds for my laptop to unlock the database. I imagine that a robust workstation would take less time than that. With that in mind, how well can this setting deter another person from accessing your database, assuming they have gained access to it? Let's say an individual (not an organization) with a computer built for this type of work. How much work can you assume they will have to do per attempt with the type of computing power they will have access to in twenty years?

How can an attacker use cookies to find the user's browsing patterns, and what countermeasures avoid this?

Can anyone give examples of how an attacker can use cookies, such as tracking cookies, to find user navigation patterns, as well as countermeasures to avoid them?

dnd 5e: Does the Radiant Weapon artificer infusion blind a ranged or hidden attacker?

Unless the feature offers a specific exception, or there is a general rule, things do what they say they do. In the description of Radiant Weapon, no exception is given for creatures that are hidden or ranged attackers, either specifically or in general, that would prevent this effect from blinding them, so it would also apply to them.

As a counterexample, consider the spell Blindness / Deafness:

You can blind or deafen a foe. Choose one creature that you can see within range to make a Constitution saving throw. If it fails, the target is either blinded or deafened (your choice) for the duration. At the end of each of its turns, the target can make a Constitution saving throw. On a success, the spell ends.

In the case of this spell, it specifically says that the target must be seen and within range. The Radiant Weapon effect has no such requirements.

blockchain: who can predict that a benign attacker has a hash rate of 51% of the system?

In the Bitcoin network, suppose there is an attacker who has a 60% hash rate (hr) and the other users have a 40% hr. Therefore, it is obvious that if other users generate a new block, the attacker can ignore it, generate a new block with the same height, and then outpace all the other miners.

However, suppose this benign attacker is not so malicious. I mean that if other miners find new blocks, then the attacker will accept their new blocks. Therefore, in general, other miners can mine 40% of the new blocks on average.

1) Since this benign attacker accepts any new block from other miners, is it illegal to have more than 50% of the total hash rate?

2) If yes, who can detect such a benign attacker?

csrf – Double submit cookie: Can the attacker set the cookie as a separate header?

I am using an HttpOnly cookie to store the authentication token on the client side. To mitigate some of the risks of CSRF attacks, I am using the double-submit cookie pattern. The same token is saved client side as a separate header with the same value, and both are sent with subsequent requests once the user logs in.

My question: Obviously, the attacker will send the HttpOnly cookie when making a CSRF attack, but can they set a separate authorization header whose value is identical to the HttpOnly cookie, even though they cannot read the cookie's value?

Note: I am aware of the limitations and alternative solutions related to DSC.
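As an added example (not the questioner's code), here is server-side validation for the double-submit pattern, written in the signed form that OWASP recommends: instead of reusing the authentication token, the server mints a dedicated CSRF cookie whose value is a random nonce plus an HMAC binding it to the server-side session. A cross-site request carries the cookie automatically but cannot attach the custom header, so it fails the presence check; and because the value must verify against the server's key for this particular session, a cookie that was planted rather than issued fails the MAC check. SERVER_KEY and the header and cookie names are assumptions; the session id is the server's own identifier for the logged-in session.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret. A real deployment loads it from
# configuration; it is generated here only so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id, nonce):
    """HMAC tying a nonce to one server-side session."""
    return hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(),
                    hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Mint the value for the CSRF cookie: random nonce plus MAC. The page's
    JavaScript copies this same value into the X-CSRF-Token header."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def validate_request(session_id, cookies, headers):
    """Accept a state-changing request only if the cookie and header both
    exist, match (constant-time), and the cookie's MAC verifies for this
    session. `cookies` and `headers` are plain dicts of the request."""
    cookie = cookies.get("csrf_token")
    header = headers.get("X-CSRF-Token")
    if not cookie or not header:
        return False                       # cross-site form/fetch: cookie only
    if not hmac.compare_digest(cookie, header):
        return False                       # values differ
    nonce, sep, mac = cookie.partition(".")
    if not sep:
        return False                       # malformed token
    return hmac.compare_digest(mac, _mac(session_id, nonce))


if __name__ == "__main__":
    tok = issue_csrf_token("sess-1")
    print("same-site request:", validate_request("sess-1", {"csrf_token": tok},
                                                 {"X-CSRF-Token": tok}))
    print("cookie only:", validate_request("sess-1", {"csrf_token": tok}, {}))
```

The equality check alone is the plain double-submit pattern; the MAC step is what addresses the limitation the note alludes to, namely that a matching pair is worthless to the server unless it was issued by the server for this session.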

proof of work: Could a malicious attacker subvert the Bitcoin network by not creating a block?

I know it is astronomically improbable, but let's say a malicious node "wins" the proof of work inherent in the Bitcoin protocol. If the malicious node simply waited indefinitely or disconnected maliciously during the block creation process, what would the Bitcoin network do about it? If a block is not created, will the network hang indefinitely, or is there a way to overcome a stall like this?

attack: How could an attacker with more than 50% of the full nodes damage the bitcoin network further?

According to Luke Dashjr's statistics, there are currently about 61,000 bitcoin nodes supporting the bitcoin network.
https://luke.dashjr.org/programs/bitcoin/files/charts/historical.html

What happens if an attacker sets up around 100,000 new full bitcoin nodes worldwide (at $100 each this could be feasible with only 10 million dollars invested in total), and at some point in the future deploys changes to all the nodes in their possession that modify some rules? Their modification could affect the validity of certain blocks and their transactions, which would probably lead to them being blocked soon, but it could also simply filter transactions for certain addresses, or not propagate blocks from certain miners / not relay them to other nodes. The remaining honest nodes (in this case, 37%) would still relay transactions and blocks in full. How could that attacker damage the bitcoin network further? Keep in mind that the attacker is not a miner and does not control any hashing power; it only controls most of the full nodes existing on the network.

aes: What happens if the attacker manipulates the IV used in CBC block cipher mode?

I am a newbie to block ciphers, and while learning CBC mode I came to understand that an IV is used in this mode and is also transferred to the message recipient.

So here is my question: what if the IV is manipulated? CBC mode can help protect integrity, but the IV is not encrypted, right?
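The following added example (not from the question) shows concretely what IV manipulation does in CBC and how it is normally caught. CBC decryption computes P1 = D(C1) XOR IV, so whatever bits are flipped in the transmitted IV are flipped in exactly the same positions of the first plaintext block, with no error and no effect on later blocks; this is a property of the mode and holds for any block cipher. To keep the example dependency-free, the block cipher is a labelled stand-in (a four-round Feistel permutation keyed with SHA-256), not AES; swapping in AES would not change the outcome. The second half shows the usual fix: an HMAC over IV and ciphertext (encrypt-then-MAC) that rejects the tampered message before anything is decrypted. Keys, IV and plaintext are constructed.

```python
import hashlib
import hmac

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, i):
    """Feistel round function: keyed hash of one 8-byte half (stand-in PRF)."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def toy_block_encrypt(key, block):
    """Stand-in 128-bit block permutation (4-round Feistel). NOT AES; the
    property demonstrated below belongs to CBC itself, not to the cipher."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def toy_block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def cbc_encrypt(key, iv, plaintext):
    """Textbook CBC: C_i = E(P_i XOR C_{i-1}), with C_0 = IV. Input must be
    block-aligned (padding is out of scope here)."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    """P_i = D(C_i) XOR C_{i-1}; only P_1 depends on the IV."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def decrypt_with_modified_iv(key, iv, plaintext, flip_mask):
    """What the recipient recovers if the IV arrives XORed with flip_mask:
    the same mask lands on the first plaintext block, later blocks are intact."""
    ct = cbc_encrypt(key, iv, plaintext)
    return cbc_decrypt(key, _xor(iv, flip_mask), ct)


def seal(key_enc, key_mac, iv, plaintext):
    """Encrypt-then-MAC: the tag covers the IV as well as the ciphertext."""
    ct = cbc_encrypt(key_enc, iv, plaintext)
    tag = hmac.new(key_mac, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def open_sealed(key_enc, key_mac, blob):
    """Verify the tag first; return None (reject) on any change to IV or ciphertext."""
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(key_mac, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return cbc_decrypt(key_enc, iv, ct)


if __name__ == "__main__":
    key, kmac, iv = b"k" * 16, b"m" * 16, bytes(range(16))      # constructed
    pt = b"role=user;id=042" + b"." * 16                        # two blocks
    mask = bytes([0x20]) + bytes(15)                            # flip one bit of byte 0
    print(decrypt_with_modified_iv(key, iv, pt, mask))          # first byte changed
    blob = seal(key, kmac, iv, pt)
    print(open_sealed(key, kmac, bytes([blob[0] ^ 0x20]) + blob[1:]))  # None
```

The unauthenticated decryption returns a plausible plaintext with one byte silently altered, which is why "the IV is not encrypted" is the right observation but the wrong worry: encrypting the IV would not help, since the same bit-flip applies to any ciphertext block as well. Integrity has to come from a MAC or an AEAD mode, never from CBC itself.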