We are using Azure ASE v3 to host our web app with Azure Application Gateway and WAF V2. We have been getting quite a lot of false positives on data our users enter into a form in the app.
For example
"Matched Data": in ( found within ARGS:medicationsList: Aspirin ( 81mg )
"Matched Data": t like t found within ARGS:supportPersonsAnswer: Support person felt like they take more aspirin.
Are there any standard approaches to addressing this problem apart from creating exclusions for medications? I understand those phrases were flagged due to combinations of SQL keywords but at the same time those are legitimate sentences a user would enter.
Related
In reading the Microsoft Graph documentation, we come across two related resource types:
plannerTask
plannerTaskDetails
Both plannerTask and plannerTaskDetails have an id attribute, which in both cases is 28 characters long and case-sensitive, with validation taken care of Microsoft.
In working with Microsoft Graph, I have noticed that for a given task, plannerTask.id === plannerTaskDetails.id. This makes sense, as there would be no need to define a new id for the details resource type, since this is a one-one relationship and MS may simply re-use the plannerTask id.
However in the documentation, the id's seem to refer to different things. I quote:
For plannerTask: "ID of the task"
For plannerTaskDetails: "ID of the task details"
This seems to leave the possibility of plannerTask.id !== plannerTaskDetails.id.
I was simply wondering if, in people's experience, if it is safe to assume what I noticed above, i.e. that the two id's are always the same, as it is unclear from working with MS Graph and reading the documentation. Perhaps someone working on MS Planner itself could elucidate.
You should not make this assumption. From the API perspective, they are different keys. Using Graph API, you don't really need to use the Task details id anywhere, and you can always refer to it as task abc's details.
The id values currently are coincidentally the same, but we are actively investigating some features which would require them to be different. If you take dependency on this, your app will break.
Yes, but if you are doing a patch call then the If-Match header which is Etag is going to be different. Because although task and task details have the same id they are different objects.
I've a tool(web application) which creates work-items in azure devops. (skipping the unnecessary details), just like how we assign any user a particular work-item from the Assigned To dropdown in azure devops, I too have a dropdown which when user enters any name/alias, a list of users starts showing based on the input.
The api which I was using in the backend was
https://abcorganization.vsaex.visualstudio.com/_apis/UserEntitlements?top=10&filter=name+eq+%27Tejas
Here filter=name+eq+%27Tejas in the query parameter helps to query the api and used to give set of users whose name starts with Tejas. It can be email alias too.
But for some reason, that doesn't work anymore. My guess, they've deprecated that API version
So in my search to find the alternative/answer, I came across the following documentation:
(https://learn.microsoft.com/en-us/rest/api/azure/devops/graph/users/get?view=azure-devops-rest-5.1) in which the API given is: https://vssps.dev.azure.com/abcorganization/_apis/graph/users/{userDescriptor}?api-version=5.1-preview.1
Here the userDescriptor is some sort of unique key of AAD related to a particular user. (which I certainly can't use to fulfill my purpose).
The other thing which I've tried is the below query parameters but it still didn't worked out
https://vssps.dev.azure.com/abcorganization/_apis/graph/users?subjectTypes={subjectTypes}&continuationToken={continuationToken}&api-version=5.1-preview.1
So is there anyway/api which can fullfil my purpose or is it that I'm using this new API in a wrong way or something?
Any help would be much appreciated
I believe it should be $filter in the query. You are also missing the closing quote.
(See docs for more details)
https://abcorganization.vsaex.visualstudio.com/_apis/UserEntitlements?top=10&$filter=name+eq+'Tejas'
Use this. I tested it and worked for me:
https://vsaex.dev.azure.com/{organization}/_apis/userentitlements?$filter=name+eq+%27{name}%27&api-version=6.0-preview.3
Replace {organization} and {name} as needed
I am currently working at an Powershell script that will automatically download the billing data from my companies CSP platform. I use following powershell module (https://github.com/Microsoft/Partner-Center-PowerShell)
And use the following api(that the module calls I guess) To get the overall price from the last month of all my subscriptions. https://learn.microsoft.com/en-us/partner-center/develop/get-a-subscriptions-resource-usage-information. With the Powershell module that is wonderfull I've managed to recieve good data from my Azure Resources and print them out in a CSV file for Power BI to create a report of them.
My question now is when I use power BI to create graphs of my cost and usage. I don't see the name of my resources (vm, storage, sql) instead I see names of the types (Read Operations,LRS Write Additional IO, ...) And of course that's also a good indicator. I would love to see the VM (the name of the vm or storage or sql) with the highest cost and usage not which type. The ResourceName in the response of the api is not exactly right. The Resource name ( in Resource URL formatting) however is available with this api: https://learn.microsoft.com/en-us/partner-center/develop/get-a-customer-s-utilization-record-for-azure.
But here I cannot retrieve the cost of my Azure Resource. I tried to combine the 2 api's (one to retrieve the cost and the other one to retrieve the Resource URL with the Resource ID as a combiner) but strangly enough some customers have data in the usage api and not in the utilization api. So that didn't helped out well. My question today is: Is it possible to retrieve the resource name or URL with the response data i got from this api: https://learn.microsoft.com/en-us/partner-center/develop/get-a-subscriptions-resource-usage-information . Or is there another way of providing the name of the object instead of the service.
The resource usage feature will not return the resource name. So, you will need to combine data from Get-PartnerCustomerSubscriptionUtilization and Get-PartnerAzureRateCard to get the resource name and the partner cost associated with each billable meter. Since you are working with Power BI, it might be a good idea to check out Partner-Center-Query. It is another project that allows you query data from the Partner Center API through Power Query.
MS Graph API for Teams can create a team without resourceProvisioningOptions property set.
But, when get all teams with PowerShell 0.9.5(Microsoft.TeamsCmdlets.PowerShell.Custom.dll), it calls HTTP Get with "https://graph.microsoft.com/beta/groups?$filter=resourceProvisioningOptions/Any(x:x eq 'Team')"
So, it cannot returns all teams.
According to your description, I assume you want to list the teams by using the Power Shell.
I have tied this, and it works. First, I tried the following API GET https://graph.microsoft.com/beta/groups?$filter=resourceProvisioningOptions/Any(x:x eq 'Team') on the MS Graph Explorer. And it works. Then, I tried this API on the PowerShell, it works too.
According to this document,
If the group was created less than 15 minutes ago, it's possible for the Create team call to fail with a 404 error code due to replication delays.
So it maybe the reason about you could not get all the teams
I am practicing for Security Testing. I came across DVWA and I started practicing for Sql Injection. I was doing fine till I started with SQL Injection (blind). No matter which query I try I am not getting the desired result.
For eg :
1' and 1=0 union select null,table_name from information_schema.tables#
simply returns User ID exists in the database.
I have set the DVWA Security to Low. Also made sure there are no errors on setup page of the application under Setup Check section.
Following are environment details:
Operating system: Windows
Backend database: MySQL
PHP version: 5.6.16
I think the answer is here and the behavior is expected
https://github.com/ethicalhack3r/DVWA/issues/12
Someone complained of the opposite behavior and the developer agreed, and a contributor named g0tm1lk fixed it. He made the exercise really "blind" and we have to use blind injection methods to test the vulnerability.
Showing the SQL error messages to the user is just: a SQL injection vuln + a misconfiguration issue.
A blind SQL injection might occur when the columns of the results returned by a query are not shown to the user. However, the user can tell somehow if the query returned any records or none.
E.g.: Suppose the url "http://www.example.com/user?id=USER_ID" returns:
200 if USER_ID exists
404 if USER_ID not exists
But it won't show any information from the query results (e.g. username, address, phone, etc)
If the page is vulnerable to SQLi [blind], an attacker won't be able get info from the DB printed in the result page, but he might be able to infer it by asking yes/no questions.