DaST | A novel data-free model stealing method based on GAN | Machine Learning library

The video is actually inside an iframe. You'll need to navigate directly to the iframe src page before you can get to the video element's src.

Try this:

According to the Github Actions selfhosted-runner documentation found here you should be able to have processes run for up to 24 hours. And workflows for up to 72 hours.

I managed to fix my issue by changing the EXTERNAL_URL value in my /etc/gitlab/config.toml to http://192.168.xxx.xxx/ and then running gitlab-ctl reconfigure and gitlab-ctl restart. Apparently this was a misconfiguration while installing Gitlab and that's the URL that redirects the pipeline.

The core idea of delayed computations is to delay the actual calculation until the final target is known. This allows:

• increased speed of coding (e.g. as a data scientist, I don't need to wait for every transformation step to complete before designing the workflow),
• distribution of work across multiple workers,
• overcoming resource constraints of my client, e.g. if I am using a laptop with limited memory, I can run heavy computations on dask workers that are in the cloud or another machine with more resources,
• better efficiency if the final target requires only some tasks to be done (e.g. if the final calculation requires only a subset of the dataframe, then dask will load only the relevant columns/partitions).

Some of the alternatives to calling .compute are:

• .visualize(): this helps visualize the task graph. The DAG can become hairy when there are lots of tasks, so this is useful to run on smaller subsets of the data (e.g. only loading two/three partitions of the dataframe)
• using client.submit: this launches computations right away providing you with a future, an object that refers to results of a task being computed. This gives the advantages of scaling work across multiple workers, but it can be a bit more resource intensive (since dask doesn't know the full workflow, it might run computations that are not needed to achieve the final target).

With regards to distributed, I don't think there is a difference except for where the result will be: dask.compute will put the result in local machine, while client.compute will keep the result on a remote worker.

you can iterate over files in bash

first make sure that it only hits the folders that you want

I do my vulnerability scanning with OpenVAS (I assume this is what you mean by pentesting?). I am not aware of any IOT focused Tools.

If your server is running on esp8266, i would imagine that there is no much room for authentication and encryption of http traffic, but correct me if i am wrong).

Vulnerability Scan results might show things like unencrypted http traffic, credentials transmitted in cleartext (if you have any credentials fields in the pages served by the web server) etc. Depending on if there is encryption, you might also see weak encryption findings.

You might get some false positives on your lua webserver reacting like other known webservers when exploits are applied. I have seen this kind of false positive specially on DoS vulnerabilities when a vulnerability scan is testing a vulnerability and the server becomes unresponsive. Depending on how invasive your vulnerability scanner is, you might get a lot of false positives for DoS on such a constrained platform.

ZAP is Open Source so you can look at the source code of the scan rule yourself. It is available here: https://github.com/zaproxy/zap-extensions/blob/master/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/BufferOverflow.java

That'll let you see exactly why it's triggering for you.

Of course it is possible that the result is a False Positive.

From my quick review it sends a giant param value (2100 chars) and checks the response for Internal Server Error and Connection: close.

If that's how your app behaves:

1. Perhaps it is vulnerable.
2. Perhaps it needs some more robust error/input handling.
3. Perhaps the finding is a False Positive and you filter it out going forward:
   • https://www.zaproxy.org/docs/desktop/addons/alert-filters/
   • https://www.zaproxy.org/docs/docker/baseline-scan/#configuration-file

You open the file in the wrong mode:

"When a file is opened with the "a" or "a+" access type, all write operations occur at the end of the file. The file pointer can be repositioned using fseek or rewind, but is always moved back to the end of the file before any write operation is carried out. Thus, existing data cannot be overwritten."

Open the file in mode "r+" - Opens the file for both reading and writing. (The file must exist.)

This is indeed needless in JSF. This kind of attack is in JSF only possible when there's already an open remote code execution hole such as XSS (and thus the hacker has access to among others the session cookies and can therefore copy them via the phishing site), or when the view is stateless via (because you lose the javax.faces.ViewState hidden input field as implicit CSRF protection for the "normal" case when there's no remote code execution hole), or when you use HTTP instead of HTTPS (because a man-in-middle attacker can then plainly see all transferred bits and extract the session cookies from them).

All you need to make sure is that the enduser's session cookies are never in some way exposed to the world. The advised fix is not at all helpful in that. It only makes it the attacker more difficult to perform a successful CSRF attack when you sooner or later accidentally introduce a remote code execution hole. But then you have really way much bigger problems than only CSRF. All these efforts advised by this tool are only useful to give the hacker slightly less time to perform a successful attack, and to give yourself slightly more time to fix the remote code execution hole.

If all you want is to "suppress" this warning, then create a Filter which does the desired job. Here's a kickoff example, map it on /*.