macos – Is it possible to create a paid application which makes use of an Automator service? – Ask Different

web application – Watering hole Website NTLM Steal Attack

I'm trying to recreate a watering hole SMB theft attack,
where you send a victim a link to your website containing code like “file://ip/file.gif”,
causing forced authentication, which passes the NTLM hash.
I have the code which executes the process (check reference links).

But how can I retrieve/steal the NTLM hash back over the internet remotely without being on the local network?

This process can be done locally very easily, but I'm struggling with finding an NTLM listener to use over the internet remotely on a website.

Reference:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/leafminer-espionage-middle-east

Newly Discovered Watering Hole Attack Targets Ukrainian, Canadian Organizations

https://unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting/

WoWonder Combined Chat Timeline And News Feed Application For WoWonder PHP script

WoWonder Combined is a social timeline with chat application for the WoWonder PHP Social Network. With WoWonder Timeline, users can post and interact with other users' feeds, like, comment and more; using the application is now easier and more fun!

WoWonder Combined Version is easy, secure, and it will be regularly updated.

Requirements:

WoWonder PHP 3.0.2 or…

design – File parsing in UI Layer or Application Services Layer

Let’s say that I have a list of financial transactions that I need to read in from the file. I want to make the best guess I can at what account should be credited/debited based on the transaction memo compared to past transactions.

For example, if Wal-Mart was used with ‘Shopping’, then a transaction that gets read in from the file with Wal-Mart as the description should show ‘Shopping’. If no match can be found, then the application should make the best guess and get feedback from the user. If there is not a best match, then the user should be asked which account makes the most sense.

To me, there is a lot of interaction with the user so it would make sense that this should all live in the UI layer. Once all the transactions are paired with accounts, then it should be sent to the Application Service layer to be saved.

Right now I’m just using a CLI, so I could inject an object that inherits from a ‘Presenter’ interface that the Application Service uses; however, this will not work when I get rid of the CLI and want to use a REST API around the Application Service layer.

Does it make sense to just include all this logic in the UI layer?

url – How to intercept application specific MIME types used by 3rd party (Windows) browser/plugins apps?

I’m trying to intercept and decipher scripted code that is sent to a previously installed Windows application after a user has clicked on a particular URL in their web browser, which is somehow returning a MIME response that is intercepted by the Windows app and processed as a script/program.

The particular example of concern, is how the (Windows) trading application Think-or-Swim (aka. TOS) is downloading and running user scripts from either a custom URL handler of the form: tossc:XXXX or using a standard URL like http://tos.mx/A1PZUml which then sends one of the MIME types:

x-scheme-handler/tossc
application/x-tossc
application/x-thinkorswim

I have posted a similar question on SO here, but I don’t think that forum is appropriate for this question and hope someone here would have some more technical know-how of how to do this and also explain what’s going on. As you can tell, I am probably not even using the correct language for asking the question in a clear manner, so feel free to correct me or this post.

Q: How can I intercept and inspect code that is loaded in this way?

(Hoping to also learn what is going on and how this is done, or can be done, by e.g. Python?)

http – OAuth for command line application

I’m planning to add an “official” command line tool for developers to interact with our API. The tool is basically just a glorified curl client, interacting with the API via HTTPS exclusively. To make this convenient for developers, it should allow them to authorize the CLI using their existing user account, using an authorization_code grant.

Therefore, the user interaction should work like the following:

  1. The user executes acme-cli login.
  2. The CLI uses OpenID discovery to locate our OAuth endpoints, and builds an authorization URL. The client_id is hard-coded in the CLI source code; to prevent having to include the client_secret, we use PKCE to generate a local challenge.
  3. The CLI generates a random, unique hash as a device identifier. It then opens a URL in the user’s browser with the device identifier and full authorization URL as query parameters:
    https://app.acme.com/cli/start?device_id=<deviceId>&authorization_url=<authorization_url>
    This endpoint stores the device ID in a session cookie, then redirects to the authorization URL.
  4. The user signs in and authorizes the CLI to access their account on their behalf.
  5. The OAuth server redirects them to the redirect URI, which points to another endpoint on our application server:
    https://app.acme.com/cli/confirm?code=<authorization_code>&state=<state>
    This endpoint stores the authorization code to be fetched by the CLI instance later on together with the device identifier (step 3) from the cookie.
  6. After opening the authorization link in the user’s browser, the CLI regularly polls an endpoint on the application server, passing their device identifier, for the authorization code:
    https://app.acme.com/cli/poll/<device_id>
    As soon as the code is available, it exchanges it for an access token as an ordinary web application would.
  7. If the authorization code isn’t fetched within 60 seconds, the TTL expires and it is purged.

This process is defined pretty well by OAuth, apart from the signaling mechanism between our server and the CLI application instance running on the developer’s computer.

Considering we use PKCE, even leaking the authorization code somehow should not be a problem, as it is useless without the code verifier, so I think this process should be as secure as the OAuth spec allows. Are there any flaws I’ve overlooked? Is there a better or more secure way to implement this?
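The PKCE and state handling the flow above relies on, as an added example that is not part of the original question: the CLI-side secrets for one login (steps 2, 3 and 6), the server-side verifier check that makes a leaked code useless, and a check that the polled code belongs to this CLI session. Endpoint URLs, the `client_id` and the dict layout are assumptions.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_cli_session() -> dict:
    """Per-login secrets the CLI keeps in memory only (constructed layout)."""
    # 32 random bytes -> 43-char base64url verifier, inside the 43..128 range RFC 7636 allows
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return {
        "code_verifier": verifier,               # never sent until the token exchange
        "code_challenge": s256_challenge(verifier),
        "state": secrets.token_urlsafe(32),      # bound to this session, checked in step 6
        "device_id": secrets.token_urlsafe(32),  # unguessable poll key, not a "hash" of anything
    }


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, session: dict) -> str:
    """Step 2: authorization URL carrying the challenge instead of a client_secret."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": session["state"],
        "code_challenge": session["code_challenge"],
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urlencode(params)


def token_endpoint_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side: recompute the challenge, compare in constant time."""
    return secrets.compare_digest(s256_challenge(presented_verifier), stored_challenge)


def cli_accept_poll_result(poll_result: dict, session: dict) -> Optional[str]:
    """Step 6, CLI side: only accept a polled code whose state matches ours."""
    if not secrets.compare_digest(poll_result.get("state", ""), session["state"]):
        return None
    return poll_result.get("code")
```

The poll endpoint must therefore return the `state` alongside the code; without it the CLI cannot tell its own authorization from one completed in someone else's browser session.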

How might I prevent an application from refreshing itself?

Having already turned off “Background App Refresh”, how do I stop apps from refreshing when I open them?

XSNews | Android News/Blog Multipurpose Application [XServer]

Overview

XSNews is the right solution for those who need to quickly make a mobile app to showcase their blog or magazine articles, with the power of XServer as the backend.

Features

Java/XML language – Native Android Studio project – Edit the template as you wish with the power of Android Studio and Java code.

Android 6.0 and above, Universal –…

how to have nginx fix bad CORS response from a application server?

I have an application behind an nginx server.
My backend doesn’t do CORS properly.
How can I make sure all of the upstream headers are replaced with the proper nginx ones?

Note: I can recompile nginx with fancy modules; I am running v1.18.0 (Ubuntu).

My nginx setup is:

map $http_origin $allow_origin {
  default no;
  # character classes need [...]; "(0-9)" only matched the literal text "0-9"
  "~^http://172\.17\.0\.[0-9]+(?::[0-9]+)?$" yes;
  ~http://.*localhost: yes;
  ~^https://gateway\. yes;
  "https://bl.ocks.org" yes;
}

# add_header Access-Control-Allow-Origin $header_allow_origin
map $allow_origin $header_allow_origin {
  yes $http_origin;
  no "https://www.drit.ml";
  all "*";
  default "";
}
map $allow_origin $header_allow_credentials { yes true; default ""; }
# add_header Access-Control-Allow-Methods '$request_method';
map $allow_origin $header_request_method { yes $request_method; default ""; }
map $allow_origin $post_only { yes "POST"; default "OPTIONS"; }
# add_header Access-Control-Allow-Headers "$http_access_control_request_headers";
map $allow_origin $header_request_headers { yes $http_access_control_request_headers; default ""; }
# authorization header
map $http_authorization $request_auth_header { ~Basic "authorization"; default ""; }
map $allow_origin $header_authorization { yes $request_auth_header; default ""; }

server {

  location /api/ {
    proxy_pass  https://api.drit.ml;
    #proxy_pass_header Authorization;
    # forward the client's Authorization header, or build one from ?token=
    set $authorization "$http_authorization";
    if ($arg_token != "") {
      set $authorization "Bearer $arg_token";
    }
    proxy_set_header Authorization "$authorization";
    # conditional headers (only non-empty when $allow_origin is yes)
    add_header Access-Control-Allow-Origin "$header_allow_origin";
    add_header Access-Control-Allow-Credentials "$header_allow_credentials";
    add_header Access-Control-Allow-Methods "$post_only";
    # (only when an Authorization header is present)
    add_header Access-Control-Allow-Headers "$header_authorization";
    limit_except OPTIONS {
      auth_basic "Restricted API Access";
      auth_basic_user_file /etc/nginx/htpasswd;
    }
  }

}

With these settings I still get a problem with an extra Origin from the app …

XHRPOST https://api.drit.ml/api/v0/dht/find?key=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15&num-providers=12
CORS Multiple Origin Not Allowed

Any ideas how to solve the problem?
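The "Multiple Origin Not Allowed" error is what a browser reports when one response carries two Access-Control-Allow-Origin values: the backend's own and the one nginx adds. The location below is an added example, not the asker's config, showing the upstream CORS headers being dropped with proxy_hide_header before nginx sets its own, with the origin allow-list anchored and credentials only enabled for reflected origins; the allow-listed origins and the 172.17.0.x range are taken from the question, everything else is assumed.

```nginx
map $http_origin $allow_origin {
    default no;
    # anchored and escaped; character classes use [...]
    "~^http://172\.17\.0\.[0-9]+(?::[0-9]+)?$"     yes;
    "~^http://([a-z0-9-]+\.)*localhost(:[0-9]+)?$" yes;
    "~^https://gateway\."                          yes;
    "https://bl.ocks.org"                          yes;
}
# nginx omits an add_header whose value is empty, so non-allow-listed
# origins get no CORS headers at all instead of a reflected "*"
map $allow_origin $header_allow_origin      { yes $http_origin; default ""; }
map $allow_origin $header_allow_credentials { yes "true";       default ""; }

server {
    location /api/ {
        proxy_pass https://api.drit.ml;

        # Strip whatever CORS headers the backend emits; only nginx's copy
        # reaches the browser, so there is never a second Allow-Origin.
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;

        # "always" also applies these to 401/4xx responses, which browsers
        # still need in order to read the error. Never pair "*" with
        # Allow-Credentials: true; only an allow-listed origin is reflected.
        add_header Access-Control-Allow-Origin      "$header_allow_origin"      always;
        add_header Access-Control-Allow-Credentials "$header_allow_credentials" always;
        add_header Access-Control-Allow-Methods     "GET, POST, OPTIONS"        always;
        add_header Access-Control-Allow-Headers     "Authorization, Content-Type" always;
        add_header Vary                             "Origin"                    always;

        # Preflights carry no credentials, so answer them before auth_basic
        # would turn them into a 401 and block the real request.
        if ($request_method = OPTIONS) {
            return 204;
        }

        auth_basic "Restricted API Access";
        auth_basic_user_file /etc/nginx/htpasswd;
    }
}
```

Check the result with a preflight and a real request from an allow-listed origin (`curl -i -X OPTIONS -H 'Origin: https://bl.ocks.org' ...`) and confirm that exactly one Access-Control-Allow-Origin line comes back.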

finder – There is no application set to open the URL – Ask Different