#cybersecurity
The point is that it alternates between opening a window and opening a new tab so that the audio overlays, since just opening many youtube videos doesn't actually do much
It'll only play the recent iteration
With this, each tab can actually start before making a new one
thats lit.
7. Keep discussions relevant to the channel topic. Each channel's description tells you the topic.
5. Do not provide or request help on projects that may break laws, breach terms of services, or are malicious or inappropriate.
yep thats the correct one
Anyways I see this script really pointless. It doesnt give access to the malicious user to any kind of sensitive data. Fork bombs are programs that create duplicates of themselves. This can be useful for worm viruses imo. Although still violates rule 5

aren't fork bombs just for using up system resources
hence the "bomb" part
Well yes, but if you think about it, a sophisticated script that duplicates itself may do more than just make the pc unusable
yeah, but that is not really the point of a fork bomb, a fork bomb is just a temporarily destructive piece of crap
More annoying and useless than anything else
how do I prevent myself from an SQL injection?
don't include any variables in the sql statements, only use placeholders/bind variables
alright thanks man
Can I store the salt of a key used in symmetric encryption as plaintext? I don't know how you would derive a key without it
*a key derived from a password
yes, that is what you do
hey guys, I need the rc2 algorithm for encrypting in python, but I don't find any module working. Any hint?
If you search for a rc2 Python library, you find lots
Yes but they are all deprecated
Thank you so much !!
That's the first link you get if you search
Not all are deprecated as you can see, if you take the few seconds time to search
I think he’s using an older version or other browsers
I installed the pycryptodome library
but when I try to import Crypto it says that it doesn't exist
how are you importing the library, are you using the following?
```py
from Crypto.Cipher import ARC2
```
and are you using a virtual environment of some sort?
also, why use RC2 when there are more secure options to use?
so?
it takes exactly the same amount of effort to use an objectively better algo
Well I just have passwords encrypted using RC2
Maybe I will use Fernet or something
But Ill first need to decrypt them
bruh
unless you're making a password manager or something
you should be hashing passwords, always
and I'm surprised you found rc2
fair enough, to correct your mistake you would need to decrypt first 😉
i'm really surprised AES wasn't the first you found
I found it too
Just didn’t like it
Lol everybody is surprised
it's the most widely used encryption algorithm in the world today
what was it you didn't "like" about it?
Guys please suggest me best source to learn about Secret Key and CSRF token in django
I am newbie only did 2 projects in django
I was reading the OAuth protocol docs https://datatracker.ietf.org/doc/html/rfc6749#section-6 where it implies that you don't need a client_id and client_secret to refresh an access token, just a grant_type and the refresh token.
I was of the belief that in a situation where your refresh token is compromised, an attacker may not have your client id and secret therefore won't be able to get new access token even if they send a request to your server for one.
What am I missing here? Isn't the risk greater when you don't need extra layer of security checks to get new access tokens?
For context: This is for a Django application that uses Django rest framework for API support and simplejwt for API protection. Authentication is handled using CAS. Simplejwt for jwt.
Keep looking for ways to sanitize any/every input
In Payroll software, we called those "Features"😋
Which Oauth workflow are you using? Very important
Also note, the attacker MAY have your client id and secret, I wouldn’t count on them not having it
They’re all over GitHub
Client secrets are basically public info
They shouldn’t even call them secrets it’s stupid imo
When I asked about which workflow you were using I was referring to eg https://auth0.com/docs/get-started/authentication-and-authorization-flow/which-oauth-2-0-flow-should-i-use
Thanks for this link.
So, out of all the options in the link, the workflow for "Client absolutely trusted with user credentials?" seems closest to what I currently have.
The username and password part of the process is done via the org's CAS server. So before a user can generate access and refresh tokens, they would have gone through CAS authentication, so I have their username, hence they can generate tokens to use for API access.
Guys I am trying out some backend API development etc. and this all seems totally unsecure the people who do these youtube tutorials never even mention how vulnerable everything is
im so confused
i think many tutorials just teach exactly the thing they are trying to teach and don't bother with all the other bits and pieces around it
because there is so much to cover, you can't cover it all in one tutorial and it would confuse the audience even more
im using rsa to encrypt and decrypt messages
problem is, i need to get an encrypted string in bytes into an input and convert it to bytes
i cant get the input of
```yaml
\x80l\x1c\xe4\xc2\x91\x8b\xe4\xc0\xa8\x15\x08S\xbce\x012L\xce\x82\xe5\x88\xef\xe0,]\x94\xeb\x9c]\x7f].&=-K\xf4q\xd1\xc3K\xdcE\x05\xf2\xa4\x065\xb7m\x7foJ\x1dZ\xeb,\xe9\xca\xee\xaa\x04\x11N\xfb\x19\x1e\xa0\xa4^\xc8\xa1\xfd\xdcF\xf3\x12\x86\xff\r[\xe4[\x9e\xc1\xd4\xef\xda>\x96\xaeN\x1aw\xa1\xb5\xddZ\x05\xf7QJ\x10u\x0e\xae\x07\x18o\xd5\x0b\xb9\xb5\xd1D\x17\xfb\xfc\xb6\xfc\xca>\xf9kjN\x0f5 \xb0\x84I\xd3\x91Y\x86x\x1d\xab\x7f\x0c\x91W\xeb\xc3\xe9\x01\xd6^\x94\xbe}z\x8a\xeeC\x8d"Q\x87\xc3w\x01Y$s\x94\xfd \xc7\xa0\x0b\x04\0Z\x9d\x8a\xfc\x1fI-X6V\xee\x9d*\xf9\xb4\t\x00\xe8\x9c\xe1\xde\x9ftL\x83\xf5O\xc5\x8c\x9fmF\xf1ST\x0b\xdb\xdfd1\xdcS\xdc\x91b\x02\x0f\x01U\xf5\x94\x9e@aDTsu\x00kl\x0fAHQ\xa5\x0b\x14\xdb[\xcb\x1c\xb0e8\xbd1kl\xd3\t\x89\x1b\xdc\xe34\x15?\x82.\xa1>\xb2\x1c\xc3"\xdb\x15\x04\xc1\x18\x18\x01\xf9\x18\xefY[\x9e\xf3-\xea\xf0cro\xff\x1a\xd3\xe3%[\xbep\xcf\x8fII\xae\xd2\x89g\xa79\x13\xb5\x81@\x8f\x90\xa3\xa5\x90P\xee\x04\x8e?\xc4\xfb(\x05\xab$\x87=\x87\xc6\xbe\x819\x9e~GI!\x8e\xe2\x86\xaf8\xc4\xe7\x1d\xe2\xe1^F\xf8\xf2\xfd\x16\x9f\xaa\x0b\x0eY@\x80\r\xfa\x17\x1a\x9d9\xd0r\xbc+\x03\x8bO\x89\xe7\xcb\xb5(\x0ed"\xe1\xc4\x92\xda\x87Z(U.<\x94\xa6b0\xc0\xf9\xf6\xfcs-\xec\x02\x87\xa7\xed\x97f\xef\x07\xa7\x0c\x0c\x8e\xb64\xd0C\xfeY\xa8\xd3\x98*\x076\xf6E\xa1\x05\xc5%\x0eZ\xe2\x04\x9c\xfe\xb37\xa2\xed\xaf\x90\x8c2\xa3H\x9c kV\x1d\x99J\xffP\xd8\xf2\xbb"\x8bM%\x85\xa3<\xf60<\xc6\xf8\xfd\xebr\x18\xcc'\xa2\x9bR\xe7\xf5\x18\xf7co?;\x00V=\xa4k\xf4\x19JP\xca
```
im aware i just leaked my key
```py
import rsa

with open("public.pem", mode="rb") as pub:
    public = pub.read()
public_key = rsa.PublicKey.load_pkcs1(public)
client_id = input("What is the client id?")
encrypted_client_id = rsa.encrypt(client_id.encode(), public_key)
print("Encrypted client id: ", encrypted_client_id.decode("utf8"))
```
this is how im encrypting it
and im decrypting it like
```py
import rsa

with open("private.pem", mode="rb") as priv:
    private = priv.read()
private_key = rsa.PrivateKey.load_pkcs1(private)
encrypted_client_id = input("What is the client id?")
print(encrypted_client_id, type(encrypted_client_id))
decrypted_client_id = rsa.decrypt(encrypted_client_id, private_key)
print("Decrypted client id: ", decrypted_client_id)
```
but i cant get the encrypted_client_id to get into whatever format this is
Im not sure what type of encoding this is, thats the problem
I cant encode and decode because I dont know what encoding type to encode and decode with
If you're going to print the encrypted ID, I would suggest using base64 or hex @solid yew
best way to convert arbitrary bytes to printable characters for copypaste
hex and 64 both raise errors
?
how would i convert this bytes object to a printable string
i cant do an example here because it contains " and '
by encoding it properly when you encrypt and print
could you give me an example? im struggling
!e
data = b"""\x80l\x1c\xe4\xc2\x91\x8b\xe4\xc0\xa8\x15\x08S\xbce\x012L\xce\x82\xe5\x88\xef\xe0,]\x94\xeb\x9c]\x7f].&=-K\xf4q\xd1\xc3K\xdcE\x05\xf2\xa4\x065\xb7m\x7foJ\x1dZ\xeb,\xe9\xca\xee\xaa\x04\x11N\xfb\x19\x1e\xa0\xa4^\xc8\xa1\xfd\xdcF\xf3\x12\x86\xff\r[\xe4[\x9e\xc1\xd4\xef\xda>\x96\xaeN\x1aw\xa1\xb5\xddZ\x05\xf7QJ\x10u\x0e\xae\x07\x18o\xd5\x0b\xb9\xb5\xd1D\x17\xfb\xfc\xb6\xfc\xca>\xf9kjN\x0f5 \xb0\x84I\xd3\x91Y\x86x\x1d\xab\x7f\x0c\x91`W\xeb\xc3\xe9\x01\xd6^\x94\xbe}z\x8a\xeeC\x8d"Q\x87\xc3w\x01`Y$s\x94\xfd \xc7\xa0\x0b\x04\\0Z\x9d\x8a\xfc\x1fI-X6V\xee\x9d*\xf9\xb4\t\x00\xe8\x9c\xe1\xde\x9ftL\x83\xf5O\xc5\x8c\x9fmF\xf1ST\x0b\xdb\xdfd1\xdcS\xdc\x91b\x02\x0f\x01U\xf5\x94\x9e@aDTsu\x00kl\x0fAHQ\xa5\x0b\x14\xdb[\xcb\x1c\xb0e8\xbd1kl\xd3\t\x89\x1b\xdc\xe34\x15?\x82.\xa1>\xb2\x1c\xc3"\xdb\x15\x04\xc1\x18\x18\x01\xf9\x18\xefY[\x9e\xf3-\xea\xf0cro\xff\x1a\xd3\xe3%[\xbep\xcf\x8fII\xae\xd2\x89g\xa79\x13\xb5\x81@\x8f\x90\xa3\xa5\x90P\xee\x04\x8e?\xc4\xfb(\x05\xab$\x87=\x87\xc6\xbe\x819\x9e~GI!\x8e\xe2\x86\xaf8\xc4\xe7\x1d\xe2\xe1^F\xf8\xf2\xfd\x16\x9f\xaa\x0b\x0eY@\x80\r\xfa\x17\x1a\x9d9\xd0r\xbc+\x03\x8bO\x89\xe7\xcb\xb5(\x0ed"\xe1\xc4\x92\xda\x87Z(U.<\x94\xa6b0\xc0\xf9\xf6\xfcs-\xec\x02\x87\xa7\xed\x97f\xef\x07\xa7\x0c\x0c\x8e\xb64\xd0C\xfeY\xa8\xd3\x98*\x076\xf6E\xa1\x05\xc5%\x0eZ\xe2\x04\x9c\xfe\xb37\xa2\xed\xaf\x90\x8c2\xa3H\x9c kV\x1d\x99J\xffP\xd8\xf2\xbb"\x8bM%\x85\xa3<\xf60<\xc6\xf8\xfd\xebr\x18\xcc\'\xa2\x9bR\xe7\xf5\x18\xf7co?;\x00V=\xa4k\xf4\x19JP\xca"""
print(data.hex())
@sinful cliff :white_check_mark: Your eval job has completed with return code 0.
806c1ce4c2918be4c0a8150853bc6501324cce82e588efe02c5d94eb9c5d7f5d2e263d2d4bf471d1c34bdc4505f2a40635b76d7f6f4a1d5aeb2ce9caeeaa04114efb191ea0a45ec8a1fddc46f31286ff0d5be45b9ec1d4efda3e96ae4e1a77a1b5dd5a05f7514a10750eae07186fd50bb9b5d14417fbfcb6fcca3ef96b6a4e0f3520b08449d3915986781dab7f0c916057ebc3e901d65e94be7d7a8aee438d225187c377016059247394fd20c7a00b045c305a9d8afc1f492d583656ee9d2af9b40900e89ce1de9f744c83f54fc58c9f6d46f153540bdbdf6431dc53dc9162020f0155f5949e406144547375006b6c0f414851a50b14db5bcb1cb06538bd316b6cd309891bdce334153f822ea13eb21cc322db1504c1181801f918ef595b9ef32deaf063726fff1ad3e3255bbe70cf8f4949aed28967a73913b581408f90a3a59050ee048e3fc4fb2805ab24873d87c6be81399e7e4749218ee286af38c4e71de2e15e46f8f2fd169faa0b0e5940800dfa171a9d39d072bc2b038b4f89e7cbb5280e6422e1c492da875a28552e3c94a66230c0f9f6fc732dec0287a7ed9766ef07a70c0c8eb634d043fe59a8d3982a0736f645a105c5250e5ae2049cfeb337a2edaf908c32a3489c206b561d994aff50d8f2bb228b4d2585a33cf6303cc6f8fdeb7218cc27a29b52e7f518f7636f3f3b00563da4
... (truncated - too long)
Full output: https://paste.pythondiscord.com/ogovoxinex.txt?noredirect
oh, I was trying the hex function
whats the difference between bytes.hex() and hex(...)
hex(187) only operates on one integer at a time
I have a question about computer security, so lets say I have two partitions: one with windows installed and one with some Linux installation such as arch or Ubuntu. Lets say that the windows one gets infected with some type of malware, can the malware spread to another partition infecting my Linux installation?
also notice how you can use three single quotes or three double quotes in your code to enclose a string that has one or both of those characters contained within without needing to escape them as long as you don't have three of them in a row within the data, that's why it's better to encode the binary data in hex or something similar instead to avoid such possibilities entirely
sure, it's probably not very common outside of crypto lockers that might encrypt the full drive or at least all partitions
but another type of malware could absolutely get on to there that way even if it's a bit less likely
especially if you don't use drive encryption for your linux partition and use separate/unique passphrases for that encryption, that you don't use anywhere else, like on the windows side for example
Would the malware have to have ring-0/kernel privileges to infect the other machine or is Admin enough ?
i don't know windows enough (full time linux user since many years)
but my guess would be that it's enough with admin rights as long as you can either mount another partition or load file system drivers to do it
even bare bones user space drivers would be enough if you can just get the raw access to the partition
yeah im appalled i forgot about that
anyways, the data type methods like bytes.hex() will operate on all their data instead of just one integer as in the case with the hex(...) function
by the way, if this is the encrypted data you already have it in bytes
you don't even have to represent it as hex
hex is just for us to be able to read it easier
The rules and guidelines that apply to this community can be found on our rules page. We expect all members of the community to have read and understood these.
5. Do not provide or request help on projects that may break laws, breach terms of services, or are malicious or inappropriate.
Ok thank you so much!
The software I use is not supported on Linux
So I have to deal with Windows :(
i understand, hope you got the information you were looking for even if it might not have been the answer you would have liked
How to decrypt a Json file
That's a very vague question, there are lots of encryption algorithms existing. You will need to be more specific.
a json file is not encrypted by default, do you mean how to read/decode/parse it or do you have an encrypted json to deal with?
Thank you so much for the help, really helped me out!
Have a wonderful rest of your day!
thank you, and the same to you as well 🙂
Good day guys
Please have you ever encountered a virus that turns all your executable files to zero kb.
If so, please how did you fix it
Lots of tutorials on the internet here to help you, as there are different ways to remove the virus first and fix the files afterwards.
Anyone around
Please just ask your question. Don't ask to ask, ask for topic experts or DMs. Skip the formalities and ask away

I recommend resetting your pc
Don’t take any chances as the malware could have even more embedded malware such as a RAT or a Trojan
A reset doesn't always do the magic to remove every malware.
i would recommend to reinstall from a known good media after backing up all the files you care about and that you don't have a known good backup of already, then scan those files from the newly installed os before you open or use them
how does HTTP web request message signing work, and could anyone help me implement it for myself?
i have found a website which does this, and i want to cough cough yoink their system and do it myself, for learning and fun purposes. i have the source code of that website but it is a spaghetti mess, i need help with reverse engineering the js for it lol
is it this that you are talking about? https://tools.ietf.org/id/draft-cavage-http-signatures-12.html
i've seen that but
how do i find the parameters which that particular website uses?
hmmm
i found something,
let me show you
i was just asking if that was the thing you were talking about so that we are even talking about the same thing and not something else
yeap
!eval
```py
import hashlib
import time
from urllib.parse import urlparse

CHECKSUM_INDEXES = (9, 26, 21, 20, 39, 26, 33, 0, 14, 38, 38, 7, 37, 34, 0, 2, 4, 12, 35, 7, 15, 25, 3, 7, 2, 26, 7, 34, 10, 36, 11, 33)
CHECKSUM_CONSTANTS = (-141, 117, 88, 84, 104, -104, 111, 87, -79, 142, 58, 118, -117, 71, -82, 117, 98, -76, 53, -148, -133, -77, 75, 84, -93, 70, -138, -114, -96, 90, 137, -55)
CHECKSUM_CONSTANT = 246
WEBSITE_SECRET = "R2fZMBwY2xGsuS4DPCVwVlKHJ7CNv8Ck"
APP_TOKEN = "33d57ade8c02dbc5a333db99ff9ae26a"
SIGNATURE_TEMPLATE = "4092:{}:{:x}:62d047a4"


def _generate_signature(link: str, user_id: int, timestamp: int) -> str:
    """
    generate a signature for the given link and auth_id
    :param link: a link for the endpoint
    :param user_id: the user's id
    :param timestamp: the timestamp
    :param secret: the secret
    :return: the signature string, for putting inside the header, with key "sign"
    """
    path, query = urlparse(link).path, urlparse(link).query
    message = f"{WEBSITE_SECRET}\n" \
              f"{timestamp}\n" \
              f"{path if not query else f'{path}?{query}'}\n" \
              f"{user_id}".encode("utf-8")
    sha_1_hash = hashlib.sha1(message).hexdigest()
    hash_bytes = sha_1_hash.encode("ascii")
    checksum = sum(hash_bytes[idx] for idx in CHECKSUM_INDEXES) + CHECKSUM_CONSTANT
    return SIGNATURE_TEMPLATE.format(sha_1_hash, checksum)


def test():
    test_url = "localhost/api2/v2/posts?limit=10&skip_users=all&format=infinite"
    ts = int(time.time() * 1000)
    user_id = 108230183
    sign = _generate_signature(test_url, user_id, ts)
    print(sign)


if __name__ == "__main__":
    test()
```
@wicked nest :white_check_mark: Your eval job has completed with return code 0.
4092:4497ea9cfd5b8ee33375adad6c8d90074241830e:9c0:62d047a4
this signature, although has similar structure, is wrong and outdated.
I have access to the original website's javascript, which i suspect the signature algo is stored, but its a hot spaghetti mess, its like looking for a needle in a haystack
@sinful cliff sorry for the ping, would you have any ideas, i've been struggling with this for 2 days hahaha
Is there a preferred way to read an API token or password in python?
If it was just me, and for something trivial, I'd just use a .ini file with 400 permissions, or manually type it in every time. But that can't be right. And I have no idea how Windows would deal with it.
it depends on the environment that you run things in and your threat model
some environments use environment variables which i personally think isn't a very secure way of handling that data and strongly suggest you stay away from
i think storing and using secrets securely is a problematic topic, especially if it's going to be loaded unattended after a restart of a service or reboot of a server (or instance)
for me a TPM (local or network attached) comes in mind, but that isn't for the faint of heart
Hmmm. Thanks for the reply. I think a TPM is probably overkill, but I'd agree that environmental variables seem dubious. I might play around with the gnome-keyring, it looks like it prompts the user at the start of a session, and find something portable if it ends up on a Windows machine.
I guess that, if the program prompts for a password, and if it's only stored in memory, and the code is secure enough to not get hijacked, ... it's kinda all you can do? Still pretty concerning that (it feels like) all you'd need to do is have a sockets connection buried as a parent class somewhere deep in the code...
I'm glad the process wasn't to build a very small, very secure, very encrypted database. I would not be confident making one of those.
mode 400 files are totally acceptable, long as you keep your system safe - I administrate a bunch of fedora and centos machines and have yet to have security issues with these permissions
Im not storing credit card numbers or similar super sensitive data. API token or password should be okay to store in a file like that
I can help with hardening Fedora and derivative systems if you need help 🙂
Hey guys just some question about RSA keys.
we know that a server will always hold the private key, and the client will hold the public key.
There's this one thing that bugs me is that, sure the client can send encrypted messages over the internet but how does the server send back encrypted messages? We know that we cant use private key for encryption they're only for decryption.
What techniques are used?
Does a client send an encryption key over the encrypted message to let the server know what key to use for its encryption?
We know that we cant use private key for encryption they're only for decryption.
That is actually wrong, might understand better now how everything works.
here is a good blog post that will explain it for you: https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
So the server holding the private key can encrypt and decrypt data at the same time?
basing on what I can gather,
Both Client and server connect on a secured connection, whenever they can connect to each other both client and server start creating completely different keys for the current session. It still doesnt explain how the server can send an established secure encrypted response.
in modern TLS this is done by the Diffie-Hellman algorithm from both ends to agree on a key without actually having to send the key, a link in that blog post takes you to another blog post of theirs that explains that part in more detail: https://www.cloudflare.com/learning/ssl/keyless-ssl/
when using diffie-hellman to negotiate the symmetric key for the bulk encryption and gain [perfect] forward secrecy, the asymmetric key pair is typically only used to prove to the client that the server is really who it claims to be and not an imposter (or man-in-the-middle) by proving that it has access to the secret private key material for the public key contained in the certificate with the correct domain name and signed by a trusted third party (the Certificate Authority)
earlier it used to be RSA that was used for the key exchange and that was a completely different story and you didn't have [P]FS either, but it was still symmetric encryption that was used for the bulk encryption, but the public and private key was used to transfer the key for that encryption
by read, do you mean read from file, or read from user input?
i interpreted the question as how to store and use/read in a secret for some application securely, preferably unattended, which is a difficult problem to solve
Anyone wanna de-obfuscate a sketchy file? I can send it as a .py.txt
It's using exec() and then a bunch of code as binary string, and I think it's also encrypted, but the key must be in there right?
Someone in a help channel said they got it as an "aimhack" but why would an aimhack need to import httpx it's very sus
2. Follow the Discord Community Guidelines and Terms Of Service.
5. Do not provide or request help on projects that may break laws, breach terms of services, or are malicious or inappropriate.
7. Keep discussions relevant to the channel topic. Each channel's description tells you the topic.
@proper idol if its obfuscated in a base64 string, then just use echo to do it for you
Sharing aimhacks is against Discord Guidelines, therefore the question is against rule 2. (Follow the Discord Community Guidelines, in your question you proposed to share the file.)
Cheating is against the terms of services of the game concerned, therefore the question is against rule 5. (Do not provide help on projects that may breach terms of services.)
In addition to that, the channel topic is:
Securing code against hacking through techniques such as data sanitization and encryption, and protecting yourself and your devices.
Therefore the question is against rule 7. (Keep discussions relevant to the channel topic.)
The question broke 3 rules, I don't think we should answer to it and no need to further discuss it.
!encrypt
Hey @fair heron!
It looks like you tried to attach a Python file - please use a code-pasting service such as https://paste.pythondiscord.com
..........
how to encrypt my super pro file??
!secure
no
i didnt mean !source
!secure
BRUH
there is a channel for experiments with #bot-commands
tldr. suspicious software is suspicious. When it breaks rules of places and they use laws to do takedowns and stuff like that, files promising to solve those forbidden tasks are easy ways into peoples machines because they will try a variety of shitty options they wouldnt try if there was a good, acceptable solution.
So what is the acceptable solution that is secure and safe?
do not
generally speaking, gamers will elevate anything for their game so they are easy targets as well
!rule 6
and how is this relevant to python?
hes new dont be so hard on him bro @sinful cliff
s
Rules apply for everyone, new or not