View contents of Zip/Jar files using firefox

With Firefox 3, you can use the Firefox browser to view the contents of zip/jar files.
To view the contents of filename.zip, type the following in the location bar:

jar:file://< full path to filename.zip >!/
Example: jar:file:///home/user/Desktop/filename.zip!/
Also: jar:file:///home/user/Desktop/filename.zip!/dir/file1.js

This is especially useful when you want to see the files (.js, .css, .html) included in a Firefox extension’s jar file. After it lists the contents, you can easily browse through the directories, sort files, etc.

Update: Security problems that come with jar: protocol
While searching for pages related to the jar protocol in Firefox, I found an interesting article at www.gnucitizen.org

In simple terms, it means that any application which allows upload of JAR/ZIP files is potentially vulnerable to a persistent Cross-site Scripting. Potential targets for this attack include applications such as web mail clients, collaboration systems, document sharing systems, almost everything that smells like Web2.0, etc, etc, etc.

Similar security concerns also arise with the data: protocol in Firefox, so one needs to be careful to filter the files you allow for upload. Actually, once I had a similar situation with a website which allowed you to host image files, but the problem was they were not checking for file types. That means you are allowed to upload a PHP file too. So now you can do anything you want with that server (don’t ask me what I did :) ). So beware of such issues.
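As an added example (not code from this page or from gnucitizen), here is an upload check in Python that does the file-type filtering the paragraph above calls for: it checks the extension against the file's magic bytes and additionally rejects anything that is also a valid ZIP/JAR, because the ZIP directory sits at the end of a file and a magic-byte check alone never sees it. All file names and byte strings are constructed for the demo.

```python
import io
import zipfile

# Magic numbers for the image types this (hypothetical) site accepts.
ALLOWED_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}


def check_upload(filename, data):
    """Return (accepted, reason). All three checks must pass:
    1. extension is an allowed image type (so no .zip/.jar/.php),
    2. the leading bytes are that image type's magic number,
    3. the blob is not also a ZIP archive. ZIP's end-of-central-directory
       record lives at the END of the file, which is where archive readers
       (and zipfile.is_zipfile) look, so an image header alone proves nothing."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_MAGIC:
        return False, "extension not allowed"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match declared image type"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return False, "file is also a ZIP/JAR archive"
    return True, "ok"


def make_zip(inner_name, inner_body):
    """Build a small ZIP archive in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_body)
    return buf.getvalue()


# Constructed samples: a bare GIF header, a ZIP merely renamed to .gif,
# and a GIF header with a ZIP appended (the case check 3 exists for).
PLAIN_GIF = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 20
RENAMED_ZIP = make_zip("x.html", b"<html>constructed</html>")
GIF_WITH_ZIP = PLAIN_GIF + RENAMED_ZIP

if __name__ == "__main__":
    for name, blob in [("a.gif", PLAIN_GIF), ("b.gif", RENAMED_ZIP),
                       ("c.gif", GIF_WITH_ZIP), ("d.jar", RENAMED_ZIP)]:
        print(name, check_upload(name, blob))
```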

Related Post:
Perfect password according to firefox
View Page Source trick in firefox/flock
Firefox about pages
Cross Site Scripting

Perfect password according to firefox

I was going through bits of Firefox code, and I found the algorithm used by Firefox to measure password strength. You can find it in the function setPasswordStrength() in this file: chrome://mozapps/content/preferences/changemp.js.
So the point scheme for password strength is:

For length:     password-length * 10 - 20   (max 30)
For numbers:    number-of-numerics * 10     (max 30)
For symbols:    number-of-symbols * 15      (max 45)
For uppercase:  number-of-uppercase * 10    (max 30)

Your password strength is the sum of all these points. So the smallest password that would get 100 on the password meter could be AAA@@@ or something similar. But there should also be some criterion for the uniqueness of the characters.
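The scheme above, reimplemented in Python as an added example (not the Firefox code itself). The four caps are the ones listed in the post; clamping the total to 0..100 and counting any non-alphanumeric character as a symbol are my assumptions. The distinct_chars helper is the uniqueness criterion the meter lacks, which is why the repetitive AAA@@@ scores as high as a varied password.

```python
# Reimplementation of the four-part scoring scheme from changemp.js.
# Assumptions: total is clamped to 0..100, and "symbol" means any
# character that is neither a letter nor a digit.


def firefox_password_score(pw):
    """Score a password with the length/number/symbol/uppercase scheme."""
    length_pts = min(len(pw) * 10 - 20, 30)          # max 30
    digits = sum(c.isdigit() for c in pw)
    symbols = sum(not c.isalnum() for c in pw)
    uppers = sum(c.isupper() for c in pw)
    score = (length_pts
             + min(digits * 10, 30)                   # max 30
             + min(symbols * 15, 45)                  # max 45
             + min(uppers * 10, 30))                  # max 30
    return max(0, min(score, 100))


def distinct_chars(pw):
    """The criterion the meter does not have: how many different characters."""
    return len(set(pw))


if __name__ == "__main__":
    # Constructed samples: the 6-char pattern from the text, a long
    # lowercase-only string, and a short mixed password.
    for pw in ["AAA@@@", "a" * 25, "Ab1!", "xK9#pQ2$"]:
        print(f"{pw:26s} score={firefox_password_score(pw):3d} "
              f"distinct={distinct_chars(pw)}")
```

Note that 25 lowercase letters score only 30 while AAA@@@ scores 100, which is the weakness the post points at.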

Interesting read on how to choose good passwords that are also easy to remember. Please share your tips on choosing passwords [but yeah, don’t share passwords :) ]

Extra Cookie:
Type resource: in your location bar to go directly to the Firefox installation directory.

Related:
Choose and remember great passwords.
Firefox about pages

Cross-site Scripting (XSS)

Two days back, my shoutbox was hacked :). I was not aware that people were actually visiting this, which I made long back to have a similar thing for Ethos in June 2005. After that I hadn’t updated the code and many things were left in between.

What actually happened: cross-site scripting, which comes up when we want the user to input some data (which may be HTML/JavaScript) and display it back. So if HTML/script tags are not properly checked it can cause trouble. Earlier I hadn’t checked for JavaScript or iframe inputs. So somebody just inserted an iframe as the message input in my shout box, and the source of the iframe contained a redirection to another website. So when the shouts were displayed on the page, the iframe code was rendered as is and the page got redirected to the other site.

Luckily I checked the page just a day after this happened, so that way I actually got the chance to update this orphaned code and make some fixes.

Solution: the idea is to filter meta characters such as < , > , ' , " etc., which will prevent the browser from processing them as part of some script; they will be treated as plain text only.
So in PHP you can do:

$shout = str_replace(array("<", ">"), array("&lt;", "&gt;"), $_GET["shout"]);

And to be on the safer side we should also replace the following characters (replace & first, otherwise the ampersands introduced by the other replacements get encoded again):

replace ( with &#40;
replace ) with &#41;
replace & with &amp;
replace ' with &#39;
replace " with &quot;

Or, if you are not expecting the user to input these characters, then you can simply replace them with the empty string.

Update (25-Apr-2008):
You can also use the PHP functions htmlspecialchars, htmlentities and strip_tags.

The replacements which I have mentioned above can easily be done using htmlspecialchars, but if you want to extend it to every character that has an HTML entity equivalent then you can use htmlentities. And to strip both HTML and PHP tags from a string you can use strip_tags. The disadvantage of strip_tags is that it doesn’t validate HTML, so it can cause trouble in case of broken HTML tags. It also provides an option to exclude a list of tags from being stripped.
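The replacement list from the post and the htmlspecialchars approach from the update, side by side, as an added example in Python (not the shout box's PHP): escape_shout applies the post's list in the right order, render_shouts shows the vulnerable and the fixed rendering, and stdlib_escape wraps html.escape, Python's counterpart of htmlspecialchars. The shout strings are constructed sample input.

```python
import html

# The post's replacement list. "&" must come first, otherwise the
# ampersands produced by the later replacements would be escaped again.
REPLACEMENTS = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ("(", "&#40;"),
    (")", "&#41;"),
    ("'", "&#39;"),
    ('"', "&quot;"),
]


def escape_shout(text):
    """Neutralise HTML meta characters so the browser shows them as text."""
    for raw, entity in REPLACEMENTS:
        text = text.replace(raw, entity)
    return text


def stdlib_escape(text):
    """html.escape (like htmlspecialchars): handles & < > " ' but not ( )."""
    return html.escape(text)


def render_shouts(shouts, safe=True):
    """Build the shout-box list; safe=False is the original, vulnerable behaviour."""
    items = [f"<li>{escape_shout(s) if safe else s}</li>" for s in shouts]
    return "<ul>" + "".join(items) + "</ul>"


# Constructed sample input of the kind described above (not the real shout).
SHOUTS = ["hello world", '<iframe src="http://example.invalid/"></iframe>']

if __name__ == "__main__":
    print(render_shouts(SHOUTS, safe=False))   # iframe tag reaches the browser
    print(render_shouts(SHOUTS, safe=True))    # shown as literal text instead
    print(stdlib_escape(SHOUTS[1]))
```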

So now you can enjoy the Shout Box until some new bug is found or it’s hacked again [;)]

Related post:
SQL Attacks: Hacking (SQL injection)

Update (14th May 2008): the XSS cheat sheet by ha.ckers.org lists possible cross-site scripting methods on various browsers.

Choose (and remember) great passwords

Great tips on how to choose a password, from Lifehacker:

A secure, memorable password is easy for you to remember, and hard for others to guess.

Everywhere you turn you’ve got to come up with a password to register for something or another. Whether it’s the dozens of web sites that require you log in to use them, or your ATM card PIN, or your wireless network login, how do you decide on a new password? More importantly, how do you remember it?

Read More >>
Also interesting: http://en.wikipedia.org/wiki/Diceware

Some SSH tips

First, connecting to a remote host (although trivial):
ssh username@remote_host_ip
The first time around it will ask you if you wish to add the remote host to the list of known_hosts; for that you have to say yes. But if it asks such a thing again, then the remote server’s host key has changed (such as if SSH was upgraded or the server itself was upgraded). But if there was no upgrade on the server side, then this may be an attempt to trick you into logging into their machine instead so that they can sniff your SSH session.

Now generating a key:
ssh-keygen -t dsa   # -t specifies the type of key

Generating public/private dsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/localuser/.ssh/id_dsa.
Your public key has been saved in /home/localuser/.ssh/id_dsa.pub.
The key fingerprint is:
93:58:20:56:72:d7:bd:14:86:9f:42:aa:82:3d:f8:e5 localuser@mybox.home.co

The reason you would generate a key file is so that you can increase the security of your SSH session by not using your system password. When you generate a key, you are actually generating two key files: one private key and one public key, which is different from the private key. Whenever you connect via ssh to a host that has your public key loaded in the authorized_keys file, it will use a challenge-response type of authentication which uses your private key and public key to determine if you should be granted access to that computer. It will ask you for your key passphrase though. Now you need to copy the public key to the remote machine (note that this scp overwrites any authorized_keys file that already exists there):

scp ~/.ssh/id_dsa.pub username@remote_machine_ip:.ssh/authorized_keys

Now, if ssh-agent is running on your machine (most recent distributions start ssh-agent automatically), then you can do

ssh-add

Now you can try logging into that remote machine again, and this time you will notice that it just logs you right in without prompting you for any password or passphrase.
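The fingerprint ssh-keygen prints above is what you compare, out of band, against the fingerprint ssh shows when a host key has "changed", to tell an upgrade from someone sniffing your session. As an added example (not part of the original post), this Python computes it from an OpenSSH public key line, in the old MD5 colon format shown above and in the SHA256 format newer OpenSSH prints. SAMPLE_KEY is a constructed line whose base64 "YWJj" is just the bytes "abc", not a real DSA key.

```python
import base64
import hashlib

# Constructed sample: NOT a real key blob, just base64 of b"abc".
SAMPLE_KEY = "ssh-dss YWJj localuser@mybox.home.co"


def key_blob(pubkey_line):
    """Return the raw key bytes from a 'type base64 [comment]' line."""
    parts = pubkey_line.strip().split()
    if len(parts) < 2 or not parts[0].startswith("ssh-"):
        raise ValueError("not an OpenSSH public key line")
    return base64.b64decode(parts[1])


def fingerprint_md5(pubkey_line):
    """Old OpenSSH style: 16 colon-separated hex byte pairs of MD5(blob)."""
    digest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(pubkey_line):
    """Newer OpenSSH style: 'SHA256:' + unpadded base64 of SHA256(blob)."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches(pubkey_line, expected):
    """Compare a key line against a fingerprint in either format."""
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return fingerprint_sha256(pubkey_line) == expected
    if expected.upper().startswith("MD5:"):
        expected = expected[4:]
    return fingerprint_md5(pubkey_line) == expected.lower()


if __name__ == "__main__":
    print(fingerprint_md5(SAMPLE_KEY))
    print(fingerprint_sha256(SAMPLE_KEY))
```

To check a real host, feed it the line from the server's /etc/ssh/ssh_host_*_key.pub (obtained via console or another trusted channel) and compare with what ssh printed.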

X11 Session Forwarding

ssh -X username@remote_machine_ip
Now you will be able to transmit window and bitmap information over the network connection. So essentially you can log in to a remote desktop machine and run some X Window programs like Gnumeric, Gimp or even Firefox, and the program will run on the remote computer but display its graphical output on your local computer. If this doesn’t work then you may need to change the following in /etc/ssh/sshd_config on the server:

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

TCP Port Forwarding :

You can set up a port forward for your connection from your home machine to arvo.suso.org so that it will take connections to localhost port 3066 and forward them to mysql.suso.org port 3066 on the remote side. For this you can use:
ssh -L 3066:mysql.suso.org:3066 username@arvo.suso.org
The -L (which means Local port) takes one argument of the form local-port:remote-host:remote-port, so you specify what host and port the connection will go to on the other side of the SSH connection. When you make a connection to the local port, it sends the data through the SSH connection and then connects to remote-host:remote-port on the other side. From the point of view of remote-host, it’s as if the connection came from the SSH server that you log in to; in the case above, arvo.suso.org.

Another useful one is for when you are away from home and can’t send mail through your home ISP’s mail server because it only allows local connections (to block spam). You can create an SSH tunnel to an SSH server that is local to your ISP and then have your GUI mail client, like Thunderbird, connect to localhost port 8025 to send the mail. Here is the command to create the tunnel:
ssh -L 8025:smtp.homeisp.net:25 username@shell.homeisp.net

Running a command over ssh

ssh username@remotehost_ip ls -al /
Then you can process the output however you want using the normal shell conventions.

Using SCP
If you want to copy a file to a directory relative to the home directory of the remote user:
scp filename username@remote.host.net:some_dir/new_filename

To copy the file back from the server, you just reverse the from and to:
scp username@remote.host.net:some_dir/new_filename filename

For copying a whole directory:
scp -r dir_name username@remote.host.net:

Update: see http://dag.wieers.com/howto/ssh-http-tunneling/
for more on SSH tunneling.

SQL Attacks : Hacking

Yesterday I was participating in a hacking competition in which at one stage I had to log in on a page and after that could get to the next level. When at first I randomly typed any password, it gave an SQL error that “zero rows selected” and incorrect password. So I thought of using SQL string injection. SQL is poor on the security issues surrounding the login and URL strings. So the idea is you give these values in the login form:
user : ' OR 1=1--
password : ' OR 1=1--

and voila, you are in. The other possible strings for the password are:

A funny comic strip from xkcd illustrating SQL injection.

So what’s the idea behind this:
When you click “login” or “enter” on the web page, the variables ‘userid’ and ‘password’ are sent to SQL. The underlying query is:

SELECT * FROM auth_db WHERE username = '$userid' AND password = '$password'

So if you have entered username = admin and password = test123 then the query executed will be:
SELECT * FROM auth_db WHERE username = 'admin' AND password = 'test123'

So in auth_db, if the userid and password are correct then the corresponding row will be selected, and as the number of rows returned is > 0 you will be granted access. But if the password is incorrect then it will return zero rows and permission won’t be granted. But if you use SQL string injection, i.e. if you put ' OR 1=1-- as both the password and the username, then the query executed will be:

SELECT * FROM auth_db WHERE username = '' OR 1=1--' AND password = '' OR 1=1--'

Because a pair of hyphens designates the beginning of a comment in SQL, the query simply becomes:

SELECT * FROM auth_db WHERE username = '' OR 1=1

The expression 1=1 is always true for every row in the table, and a true expression OR’d with another expression will always return true. So, assuming there’s at least one row in the table, this SQL will always return a nonzero count of records, and you are logged in. In some cases, though, the application tries to parse the = character in input strings and doesn’t allow it, hence the trick is to use:
' OR userid LIKE '%%

So the resultant query will be

SELECT * FROM auth_db WHERE username = '' OR userid LIKE '%%' AND password = '' OR userid LIKE '%%'
Every string matches '%%', so it returns a nonzero number of rows and you are granted access.
Not all SQL injection attacks involve form authentication. All it takes is an application with some dynamically constructed SQL and untrusted user input. Most SQL-compliant databases, including SQL Server, store metadata in a series of system tables with names like sysobjects, syscolumns, sysindexes, and so on. This means that a hacker could use the system tables to find out the schema of a database to assist in further compromising it. For example, the following text entered into a filter textbox (txtFilter in the original example) might be used to reveal the names of the user tables in the database:

' UNION SELECT id, name, '', 0 FROM sysobjects WHERE xtype ='U' --

The UNION statement in particular is useful to a hacker because it allows him to splice the results of one query onto another. In this case, the hacker has spliced the names of the user tables in the database onto the original query of the Products table. The only trick is to match the number and data types of the columns to the original query. The previous query might reveal that a table named Users exists in the database. So after this, with multiple queries, you can get control over the database.

Updated:
Also visit Ten hacker tricks to exploit SQL Server systems, and the following:
http://us2.php.net/mysql_real_escape_string
http://www.unixwiz.net/techtips/sql-injection.html
*******************************************************************************
WARNING: the information provided is for educational purposes only and is not to be used for malicious purposes. I hold no responsibility.
********************************************************************************