malware – WordPress reauth attacks? How to prevent

I am running a forward proxy filtering outbound requests for the following in order to catch potentially malicious requests from hacked WordPress sites:

/wp-login.php*
/xmlrpc.php*

Lately this has been preventing the following requests:

http://www.site.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.site.com%2Fwp-admin%2F&reauth=1

Is this some form of attack, and if so is there anything I can do to prevent it?

Incidentally, I could run the site under SSL – would that prevent this behaviour? I know it would prevent the proxy from seeing it though…

dnd 3.5e – Can an Invisible Blade Full Attack with all Sneak Attacks?

As far as I can see, rogues have no limit to their number of sneak attacks. Using the Bluff skill to feint can make an opponent flat-footed, but since Bluff only affects your next melee attack, and it takes a standard action, a rogue can only use this method to deal sneak attack damage once per round (once every other round if they don’t have a way to attack outside their turn).

Invisible Blade from CW, however, makes feinting a free action. Does this mean that, for example, a rogue 15/IB 5 can make a full attack, feinting once before each attack, to deal sneak attack damage four or more times?

pathfinder 2e – Fantasy Grounds – Adding different attacks with one weapon

In the Fantasy Grounds software: I am playing a ranger in PF2e and I am trying to understand how to apply my Hunter’s Edge: Flurry ability to weapons I own. I’ve imported a weapon into my inventory and it shows up in my actions tab no problem. However, since I’m looking to use this edge ability, it doesn’t necessarily apply to all foes that I am fighting equally.
So how do I apply two weapon-actions with different bonuses under my actions tab? And most importantly, how do I link BOTH to the associated weapon without doing something silly like adding a “fake” weapon in my inventory?

You can see in the image that I figured out how to add a second action, but it is not actively linked to the appropriate weapon.

Alternately, is there just some toggle I can switch on and off to apply modifiers on the fly?

pathfinder 1e – Effective sneak attacks with spells

Update: Turns out there was an FAQ in 2013 which states that spells like scorching ray only get sneak attack applied ONCE (or to one ray) instead of each ray getting the sneak attack. Due to this the build becomes basically worthless for what the goal was. End Update.

I am trying to build a caster who also does sneak attack damage with their spells. This is for a gestalt game but would like help on accomplishing it if it was normal.

The problems that I have encountered are:

  • There are very few spells which have multiple ray attack rolls and deal lethal damage, such as Scorching Ray and Contagious Flame. I am trying to avoid spell/feat creation.
  • To deal sneak attack you have a limited setting in which it can be used:
      • before they act in combat
      • flanking (but ranged touch attacks don’t benefit from flanking)
      • sniping (which implies greater invisibility basically every combat)
      • arcane trickster prestige class
  • Sneak attack rules on spells are a little vague; the best examples come from arcane trickster:
      • AoE spells normally can’t benefit (arcane trickster can allow this)
      • Single ray spells benefit once as expected
      • Spells with no attack roll but multiple rays, like magic missile, only get one sneak attack applied even if each hits a different target
      • Unclear how spells like Scorching Ray have it applied. Either each ray gets it or only one ray.
      • DoT spells like acid arrow: is it applied only on the first hit or is it dealt each round?

So while it’s entirely possible to do sneak attack damage with spells, the rather small selection of multiple ray attacks and the restrictive conditions required to benefit from sneak attack make it very challenging to use reliably.

My plan was to take wizard or Arcanist on one side and rogue (or something) on the other. The arcane trickster, while interesting, doesn’t really help.

pathfinder 1e – Range Touch Attacks, and Path of War Maneuvers?

It Cannot Be Combined With Maneuvers

Pathfinder rules place unlisted actions for supernatural abilities (that is, all that don’t have a listed action and are also not passive) as a standard action. You can’t make the standard action to cast your Arcane Bolt and also make the standard action to initiate a maneuver; further, the Arcane Bolt is not a weapon you are wielding, and thus further cannot be used with maneuvers.

Like all ranged touch attacks, it follows standard ranged attack rules

Among other things, that means you’ll provoke an AoO for making a ranged attack in melee, that you need Precise Shot to obviate the applicable penalties, etc. Because it’s not actually a weapon, certain ranged attack feats – such as Rapid Shot – are not applicable.

Combine 3pp Content At Your Own Risk

It is often not advisable to combine 3pp content from more than one company for the simple reason that they were not made with each other in mind, regardless of the quality or reputation of both or either publishers. Even if this combination did work by RAW, which it does not, it’s not a proposition you should just assume for yourself or your group.

pathfinder 1e – Aegis’ Range Attacks and Path of War Rules?

Both of these customizations can potentially benefit from boosts and stances. They are both ranged attacks, but not weapon attacks, so you have to carefully read each boost and stance to see if it is compatible. They also lack any ammunition, and are not thrown. Many boosts and stances will specify melee attacks, weapon attacks, ammunition, and/or throwing, and so not work with these customizations. Note that you have to check the full description of the boosts and stances to be sure—the abbreviated descriptions in the list are, well, abbreviated, and may leave out caveats like “melee” or “weapon.”

The ranged attack customization can also be used to make attacks called for during a strike. Again, it is a ranged attack and not a weapon attack and so that limits which strikes it is actually compatible with.

The energy blast customization cannot be used to make attacks during a strike: it is its own standard action, and you cannot take a standard action in the middle of some other action used to make the strike. Even if you somehow had two standard actions in the same turn, you would have to finish the strike (with some other attack) first, and only then use energy blast.

How to prevent directory traversal attacks when uploading a file?

I think it is the same as for a normal PHP page, but is there a specific way in Magento2 to prevent directory traversal attacks when uploading a file?

tls – How is HTTPS protected against MITM attacks by other countries?

The Certificate Transparency standard requires that when a certificate is issued, it should also be submitted to one or more Certificate Logs. These are simple network services that maintain cryptographically assured, publicly auditable, append-only records of certificates. Once a certificate has been added to a Certificate Log, an independent monitor can check the log to ensure that no fraudulent certificate has been issued. These days browsers require all certificates to have a Signed Certificate Timestamp (SCT) either in a TLS extension or through OCSP stapling, which is used to establish that the certificate has been added to a Certificate Log. Most browsers require the certificate to be present in more than one log (Chrome requires at least two). If the SCT is missing, the certificate is rejected. This ensures that whenever any root/intermediate CA starts issuing fraudulent certificates, the monitors will notice and raise a red flag. Then either the CA revokes the certificates, or browsers stop trusting that particular CA.

In the past, HTTP Public Key Pinning was used. This involved the browser saving the public key(s) of a site the first time it was visited, and if the keys suddenly changed, the browser would refuse to connect. Dynamic pinning, which allows any site to be pinned at the first visit, has now been deprecated. However, static pinning, in which browsers ship with hardcoded public keys for popular domains like google.com and facebook.com, is still used. This can also be used to detect MITMs with fraudulently issued certificates, if the MITM targets any of these popular domains.

attacks – SQL injection using brute force?

This is less a question about SQL Injection itself, and more about this particular ML based implementation.

I had to look at the code to understand better what the author tried to say with this example. To the best of my understanding, this is actually a very poor example; let’s remember this is a tool supposed to execute SQLi attacks, not to just run queries. In this example it seems like it is just trying to learn how to interact with a SQL server, which is not really its purpose. A much better (and realistic) example would be something along the lines of:

Input: SELECT * FROM example_table WHERE id == {ACTUAL USER INPUT}
Output: 1 // 200
Output: m // 500
…
Output: 1 OR 1==1 // 200

The “Input” field is actually the server-side query, and the Output would be the parameter the tool would give to the website.

Again, this is based on what I got from his article and code, to really understand what is happening I recommend you read the full code in the repository and try to run it yourself.

Firing Ranged Attacks past Other Creatures

I have recently come up against the problem that players want to fire ranged attacks through multiple enemies, or place AoE spells behind multiple enemies. The idea that one could fire an arrow past three or more other creatures (and yes, I understand that the creature does not occupy the whole 5ft square) seemed completely unrealistic to me. I consulted the rules, and found that (as I understand it), no matter how many creatures are between you and the target, they only get +2AC, and there is no restriction on AoE placement.

To solve this problem, I have come up with the following houserules (also includes some ruling clarifications for players, and rules from back section of DMG):

You can make a ranged attack against an enemy on the other side of an ally or enemy creature. However the following rules apply (based on how many creatures are between you and it):

  • One creature: Half-cover (+2 AC)

  • Two creatures: 3/4-cover (+5 AC)

  • Three creatures or more: Full cover (can’t target)

If you do not hit the AC of the creature you were trying to hit, but do hit the AC of one or more of the intervening creatures, then you hit the nearest one you hit the AC for instead. This includes allies.

For spells that specify targeting a location or creature ‘that you can see’, you can cast past one or two creatures, but not past three or more.

The above house-rules have not been playtested yet.

Does anyone have a better solution? Do the rules-as-written actually deal with the problem? Will these house-rules work?

I’m primarily looking for other people who have had a similar problem, and have play-tested house-rules (similar or different to these) to solve it.