DEV Community: Asher Mathews Shaji

Smart-i

Asher Mathews Shaji — Fri, 13 Jan 2023 15:25:59 +0000

Tracking and detecting any fatal activities in the surveillance camera footages using deeplearning and storing them in decentralised storage.

Problem

Every day, there is a rising number of tragic road accidents and other violent offenses.

Road accidents are often caused by someone else's irresponsibility. If the wrongdoers are affluent and powerful, they try to erase any evidence. In other circumstances, evidence disappears easily. This denies victims justice.
Inaccessibility to aid is also a major problem. With Smart-i, immediate notifications can be sent to the authorities for help.

Solution

Smart-i is a blockchain-based web application that utilizes real-time surveillance footage to discover and report fatal accidents.

The footage that contains evidence of any such fatal happenings is stored in the blockchain, thus making them unalterable by anyone.

Also, the authorities concerned can be notified, thus immediate actions can be taken.

How it works?

EPHELOG

Asher Mathews Shaji — Fri, 13 Jan 2023 15:19:02 +0000

Usernames and passwords are ubiquitous today on possibly any website. In this online era, passwords are considered a mechanism of security. But often, one might come across a situation where he/she needs to share login credentials with a friend, colleague, or acquaintance. The most common practice is to change this password later. Not only that, it is possible that most people tend to keep similar passwords in different handles, putting them all at risk.

These temporary credentials expire after a specified interval. After they expire, any calls made with those credentials will fail, so one must generate a new set of temporary credentials. Temporary credentials cannot be extended or refreshed beyond the originally specified interval. A history of the login and the logout details are also recorded.

Detailed Working:

For this service, both the users, the one who needs to share his login credentials and the one who requires it, need to login to the platform. They will be provided with a unique username.
After logging into the required platform, the user can select Ephelog service from the extensions tab and copy the site link, and the Ephelog username of the intended user.
The login credentials (real username and password) are not stored in the server, temporary tokens are generated dynamically and provided to the intended user. Tokens are basically masked session ids.
Using the token, the intended user can login and use the site for the allowed time frame. He can enter the token on the extension bar and the browser tab will refresh itself to let the user use the platform. Until the temporary login credentials expire, he can surf the site.
When the timer runs out, the site refreshes again and the session will expire automatically.
The temporary login credentials have a limited lifetime, so one does not have to rotate them or explicitly revoke them when they're no longer needed. After they expire, they cannot be reused. The user can specify how long the credentials are valid, up to a maximum limit

Hacker101 CTF Micro-CMS v1 Writeup

Asher Mathews Shaji — Wed, 03 Mar 2021 15:03:58 +0000

Challenge Link : https://ctf.hacker101.com/ctf

Flag0

let us look at the challenge Micro-CMS v1

it is an easy challenge and we want to find 4 Flags

So lets dive in

on the entry page 2 pages named testing and markdown

and we can also create a new page.

So lets go to the first page named testing

nothing special here.

lets check out Markdown test

nothing special here.

lets try creating a new page

lets name the page

lets write any content

BUT!!

When we look at the url

the first page is numbered 1

next page is numbered 2

but when we open the next page we can see that it is numbered 6

so let us try to access the 3,4,5 pages

when we try to access it we can see that

when we access the 3rd page it says that it is not found on the server

similar story on the 5th page but when we try to access the 4th page we get a different response

it says that the 4th page is forbidden but it is present in the server

so the fourth page may contain a flag.

now we have to figure out a way to access the 4th page.

we can see that every page has a button for editing the page

when we click at the edit button

the url of the edit page has an "edit" tag in the url

so by adding an edit in the url we can edit any page

since we want to access the 4th page lets try to edit the 4th page lets add an edit to the url

YES we can edit the fourth page and here is the flag..

Flag1

For this one the the hint was like

Make sure you tamper with every input
Have you tested for the usual culprits? XSS, SQL injection, path injection

so I tested the usual things such a XSS and SQL injection. When i was playing with the edit URL

I found out that it was excepting a number at the

so I tried to break the query by simply putting a ' in place of a number

the page that loaded contained the flag.

Flag2

for this one the hint was like

Sometimes a given input will affect more than one page
The bug you are looking for doesn't exist in the most obvious place this input is shown

from it we can understand that the flag has something to do with input

so as a first step I looked for XSS

the First page that we can enter user input was the create a new page form

I tried to inject an alert() function into the page but the alert doesnt pop up

when we look at the source we can see that the script tag has been replaced by

tag that means it was checking for XSS(Cross Side Scripting).

but when we go back home Suddenly an alert pops up revealing the flag.

I didn't fully understand how this happened

But my assumption is that the content of the pages get loaded when we go back to the home page

Flag3

For this one the hints where like

Script tags are great, but what other options do you have?

so it must be refering to other ways of injecting javascript into the page

one of the other ways of injecting javascript into you page is by using button elements

I noticed that only tags get replaced so i created a button in the description of a page and on the "onclick" attribute (onclick is an HTML attribute in which we can pass some javascript code which gets executed when the button is clicked) I tried to pop and alert.. it did pop an alert but the flag was not found.. but then i added flag property to the Button element and kept it empty and i saved the page BUT!! when i looked at the source of the page the content of the flag property was not empty it was replaced with the flag This shows us the amazing advantages of values that already exist but lacks the correct placeholder to contain it. Eventhough it was an easy CTF i learned a lot from this..