BigBlueButton Checksum Bypass? - interceptor

There this VC site which uses the BBB Api and sends over variables and checksum to BBB to join a conversation. I wanted to know how I could change the fullName property without alerting the checksum.
I've tried using Burp Suite to pause redirection to API and then switch fullName with "Test101" and then forward, but then it results in Checksum failed, which is expected.
How do I (only) change my name without the checksum failed error? Ideas?

It is impossible to do so. I have tried a lot and couldn't make it work. You are supposed to generate a checksum exactly based on the complete URL; any minor change in the URL, would cause Checksum failure.

Related

how do I handle the response order of multiple API calls in React correctly (like auto-complete searching)

I'm trying to implement a search box, where every time user types something, the search result will show on the page.
JS fiddle link : https://jsfiddle.net/wsypeter/dh59Lwr2/47/
here is the code for fetching the data and setting the state
basically as I type abc the response might came back in order abc ab a and the result is finally a which is wrong.
How should I fix this ? I know one way is to use debounce, but I think it will still run into issue if the response timeout is super long.
This is an interview question, the interviewer said canceling pending request or debouncing is not the solution he's looking for.
For the above example , there must be 3 requests going out and the final result should be the response of the last request.
How do I do it?
You could use debounce for this kind of issue.
Only after the user finished typing and hasn't typed anything else for e.g. 500ms then you call the api.

How can I identify an untranslatable value exists in FormRecognizer analysis

I posted the following Feature Request to the azure-sdk, but not sure if that was the correct place for getting a response, so reposting here.
https://github.com/Azure/azure-sdk-for-net/issues/20764
When processing a document against a custom trained model, when a value is present but not able to be translated (such as a signature), would it be possible to include something in the response to identify it as having a value though it wasn't able to be processed?
The specific use case is that our client needs to know that a document was signed by the parties involved. Without this feature, someone will be required to manually review thousands of document images per week to verify that they have been signed. In testing we have found that very few signatures are being translated any way, so the string response is coming back as null.
Thank you,
Rich
For Form Recognizer when a value is not detected although it is present it will be extracted as Null as Form Recognizer is not aware that a value exists it did not detect it. In case of signature this is usually due to the signature being unreadable and just a scribble.

REST optimistic-locking and multiple PUTs

Far as I understand, PUT request is not supposed to return any content.
Consider the client wants to run this pseudo code:
x = resource.get({id: 1});
x.field1 = "some update";
resource.put(x);
x.field2 = "another update";
resource.put(x);
(Imagine I have an input control and a button "Save", this allows me to change a part of object "x" shown in an input control, then on button click PUT changes to server, then continue editing and maybe "save" another change to "x")
Following different proposals on how to implement optimistic locking in REST APIs, the above code MUST fail, because version mark (however implemented) for "x" as returned by get() will become stale after put().
Then how do you people usually make it work?
Or do you just re-GET objects after every PUT?
You can use "conditional" actions with HTTP, for example the If-Match header described here:
https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.24
In short: You deliver an ETag with the GET request, and supply this ETag back to the server in the If-Match header. The server will respond with a failure if the resource you are trying to PUT has another ETag. You can also use simple timestamps with the If-Unmodified-Since header.
Of course you will have to make your server code understand conditional requests.
For multiple steps, the PUT can indeed return the new representation, it can therefore include the new ETag or timestamp too. Even if the server does not return the new representation for a PUT, you could still use the timestamp from the response with an If-Unmodified-Since conditional PUT.
Here is probably what I was looking for: https://www.rfc-editor.org/rfc/rfc7231#section-4.3.4
They implicitly say that we CAN return ETag from PUT. Though only in the case server applied the changes as they were given, without any corrections.
However this raises yet another question. In real world app PUT caller will run asynchronously in JS gui, like in my example in the question. So, Save button might be pressed several times with or without entering any changes. If we don't use optimistic locking, then supposed PUT idempotency makes it safe to send another PUT query with each button click, as long as the last one wins (but actually if there were changes then it's not guaranteed, so the question remains).
But with optimistic locking, when first PUT succeeds, it returns updatred ETag, ok? And if there is another PUT request running, still with outdated tag version, that latter request will get 412 and the user will see a message "someone else changed the resource" - but actually it was our former changes.
What do you usually do to prevent that? Disable the Save button until its request is fully completed? What if it times out? Or do you think it's acceptable to see concurrent-change error message if it was a timeout, because the stability is already compromised anyway?

What's is the right way to trigger an error callback in Backbone if my response has a certain flag?

This is my use case: I call fetch on a collection and receive a JSON from my server yet I have an error flag. This will always trigger the success flow, and I can detect the error by 2 means:
In my parse method - which is ugly.
By not using the success option, and using the Deferred's Done callback to check for the error. This is ugly as well since I have to call parse myself afterwards.
This would be solveable if Backbone had a validate function on collection but it doesn't...
Any suggestions?
EDIT: I know there's a way to do it by supplying my own Sync method but I got a bit lost there...
good question.. I'm not sure it's so bad to work with the parse method. It's name doesn't fit but it's all you've got in the natural path of the code and I guess you can just return an empty list without breaking anything.
The question to me is what is the cause of the error? If it's, say, a permissions thing (or some other error covered by the http protocol), you could return an error code from the server which should trigger your error callback..

Preventing download of video files from outside the web server (via .htaccess)?

I've got video files stored as:
www.example.com/video_files/abc.flv
My application uses FlowPlayer which streams this video file to the end user.
How can I restrict access to these files only to the application within the server and prevent ppl from typing in the url/file link directly and downloading the file?
The short answer is you can't, if the media is streamed unprotected. People with packet sniffers will always be able to dump the stream as it's sent to their browser.
If this is really important to you, you should investigate a DRM solution. (But note that DRM is not unbreakable either.)
No way to do it.
The best thing, that you can do, add to link some hash and timestamp.
For example www.example.com/video_files/abc.flv => www.example.com/video_files/12345678901234567890123456789012/12345678/abc.flv
12345678901234567890123456789012 - is hash
12345678 - is timestamp, to which that link will be valid.
as hash function you can use for example something like:
hash = md5(abc.flv12345678somesecretkey)
After reciving request, webserver must check hash and timestamp and after that output file to user or throw an error.
For each user you must generate it's own url with a small lifetime.
User can't redestribute url's because it's expires very quuickly.
PS, sorry for my bad english

Resources