A long-standing thread in the sla.ckers forums has been busy posting XSS flaws of major companies. One of the many companies in this list is the aforementioned Acunetix. This thread was linked to by darkreading (who themselves have several XSS holes) and later by Slashdot. Acunetix, when later contacted for a follow-up article for darkreading, denied all knowledge of any XSS holes, saying their site is not vulnerable and that they always check for flaws.
I know that XSS is looked down upon by a lot of people in the security sphere but I feel XSS has been severely underestimated by a lot of people. Using it to steal cookies is really only the very start of it.
That’s beside the point, though I will post links to rarely used (or maybe just up-and-coming) uses for XSS later in this post.
Here’s HTTP Expect header as defined in the RFC:
The Expect request-header field is used to indicate that particular server behaviors are required by the client.
Earlier today I stumbled across a link to explorerdestroyer.com, a site trying to convince web developers to urge their IE users to switch to Firefox. They ask web developers to employ one of a range of solutions, from showing Firefox adverts to IE users to not allowing IE users near their pages.
To me their approach seems silly. The problem (as they see it) is that IE doesn’t support various standards and encourages proprietary features. If everyone used Firefox then what’s to stop that from becoming the next “IE”? Won’t it get proprietary features which will then get used? As an example (last I read), Firefox allows transparency via CSS but the W3C has no official support for transparency (IE and Opera also support this, but each in their own way).
I think there should be an even spread of browser usage. This would encourage sites being developed to the standards and more importantly would speed up browser improvements as all the various companies would have to constantly improve their browsers to maintain their user base.
I am reminded of a South Park episode where the people rebel against Walmart, burning it down, and instead all shop at a local shop, turning it into the next Walmart, then repeating the whole process over again.
I’m all for people saying how bad one thing is and promoting another, but to me this seems too far. They go as far as saying that Firefox has to quickly gain users so that IE6 users don’t switch to IE7 and stay with it. IE7 is a good browser; it fixes a lot of issues that people hate about IE6. I think that IE6 users should switch to IE7 (when it’s released) and then leave it up to them to do whatever they want, but deliberately forcing people away from a good browser is simply not a clever idea. I’m glad that Mozilla aren’t affiliated with this site as I dislike the aggressive mannerisms, though I would enjoy reading Mozilla’s comment on it.
Oddly enough, the site I’ve linked to works perfectly fine with IE and they have no nag screens asking me to change over.
While hosts are still undecided on whether to upgrade to PHP5 or not, the people pushing the limits of possibility are busy planning PHP6. PHP6 is mainly a cleanup of code and the addition of some object oriented features (and some other little bits which probably mean more to others than to me). Nevertheless in terms of security it’s something I’m already drooling over.
All my life I’ve come across stupid people; I’ve come to expect people to be stupid, and I’m usually not let down by that assumption. When I find intelligent people I treasure them like Eskimos would treasure electric blankets covered in whale fat powered by a bucket-sized cold fusion reactor. Of course I use the web more than is healthy; that’s one reason I always speak to stupid people. This is all fine and something I take in my stride. It’s when you come across people who aren’t meant to be stupid yet are that you lose that little faith you had left in humanity. It’s when the admin of a site which has thousands of members and has been running for 3 years doesn’t realise how bad it is that people can run HTML from PMs, signatures, usernames, forum posts or article comments.
Here’s my theory: people who had Geocities accounts when they were 10 branched into 3 paths. They either 1) got bored of the whole developer thing and started collecting Pokemon cards, 2) got good and now make efficient, secure web applications, or 3) stayed at the Geocities level but got money and can afford their own domain. It is this 3rd category that now pollutes the web with their binary waste. When you don’t realise that error checking is needed to prevent anyone from deleting a PM you need to find a cliff to jump off. When told so and your counter-argument is that no one can be bothered to manually browse to /remove_pm.php?message_id=1, …id=2, …id=3, then a cliff simply won’t do the job; you’ll need to find something simpler. I suggest jumping in front of a car… yes, a moving one.
The lesson: I understand that people have to start at the basics of anything before they can get any better, but for the love of all that’s holy (Eskimos in their bucket-sized cold fusion reactor powered, whale fat covered, electric blankets) read articles on the web, ask people, learn from the mistakes others made, experiment on your own computer or borrow books from a library before you go spending money to manage a web site. I understand that everyone makes mistakes, but learn from them and learn to accept help from people who offer it.
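The missing check in that /remove_pm.php example, as an added illustration that is not the site's code: the handler as the post describes it beside one that verifies the caller owns the message. Table and column names are assumed, and the rows are constructed sample data in an in-memory SQLite database.

```php
<?php
// Added example, not code from the site the post describes. A PM deletion
// handler like /remove_pm.php?message_id=N, first without any ownership
// check and then with it. Table and column names are assumed; the rows are
// constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pms (message_id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT)');
$db->exec("INSERT INTO pms VALUES (1, 10, 'mine'), (2, 20, 'not mine'), (3, 20, 'not mine either')");

// As the post describes it: whatever message_id the URL carries gets deleted,
// so walking message_id=1, 2, 3 empties everyone's inbox.
function remove_pm_unchecked(PDO $db, int $messageId): bool
{
    $st = $db->prepare('DELETE FROM pms WHERE message_id = ?');
    $st->execute([$messageId]);
    return $st->rowCount() === 1;
}

// Hardened: the caller must be logged in, and the DELETE is bound to both
// the message id and the caller's own user id, so a message owned by
// someone else simply matches no row. That is the "error checking" the
// admin was missing; guessable ids are not the bug, the absent check is.
// $callerId comes from the server-side session, never from the request.
function remove_pm_checked(PDO $db, ?int $callerId, int $messageId): bool
{
    if ($callerId === null) {
        return false; // not logged in: nothing to delete
    }
    $st = $db->prepare('DELETE FROM pms WHERE message_id = ? AND owner_id = ?');
    $st->execute([$messageId, $callerId]);
    return $st->rowCount() === 1;
}

function count_pms(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM pms')->fetchColumn();
}

// User 10 tries each id in turn, as in the post's counter-argument.
$deleted = [];
foreach ([1, 2, 3] as $id) {
    $deleted[$id] = remove_pm_checked($db, 10, $id);
}
var_dump($deleted);         // [1 => true, 2 => false, 3 => false]
echo count_pms($db), "\n";  // 2: user 20's messages are untouched
// With remove_pm_unchecked($db, $id) in the loop, count_pms($db) would be 0.
```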
I’ll ask you what should be a simple question and let’s see if you know the answer. What is the user agent of the browser you’re currently using? Well… granted, it’s not something people try to remember, but the fact that almost all user agents start with “Mozilla/x.0 (…” doesn’t help.
Here are my current user agents:
Firefox: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
IE: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Sure you can tell them apart, but what’s with all the junk? Why do they both start with Mozilla, what’s the junk at the end of IE’s UA and why does Firefox have Windows in the string twice? In case you’re interested, the reason “Mozilla” exists in just about every UA string around is mentioned here.
Why not start afresh and make it properly this time around? What works well? What kind of a system should the new UA be like? Well… think about it for a minute: the UA string usually holds information such as browser name, version, OS name and OS version. In essence it’s attribute, value, attribute, value. Why not make it like an XML tag? You could immediately scrap the < and > as they’d be pointless, but otherwise taking this approach should work.
Unlike XML, the attributes should be fixed. Not having them fixed means we’ll end up with the same mess we have at the moment; on the other hand it means we have to put great thought into what the attributes are. Firstly, the most important one would be UAtype, which could equal browser, spider, download manager or other. The last option would include such things as PHP, applets loading a page and people’s own programs which download a file (unless they are download managers, of course). It could also be used to inform the server that this could be a braille browser or a screen reader, though maybe they should come under another optional attribute.
The other attributes could be Organisation, which would be the organisation which made the agent; UAname, which would be the name of the software; UAversion, which would be 1.5 in the case of Firefox and 6.0 in the case of IE; OSname; and OSversion. This would make my Firefox UA string:
UAtype="browser" Organisation="Mozilla" UAname="Firefox" UAversion="1.5" OSname="Windows" OSversion="XP Pro SP2"
This is much easier to read and understand. Obviously each attribute should be optional but you shouldn’t be able to add your own. Well… you could add your own but don’t expect it to make a difference.
Eventually the regular UA string could be dropped.
Maybe you feel I missed out a crucial attribute, maybe you feel the current system works fine (why fix what ain’t broke?). Let me know.
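A server-side parser for the proposed format, added here as an example rather than something from the original post. It keeps only the fixed attributes listed above, drops anything else (so a home-made attribute makes no difference) and treats the header as untrusted input.

```php
<?php
// Added example, not part of the original post: a parser for the proposed
// attribute="value" UA string. The attribute list is fixed; anything else
// is dropped, and an unknown UAtype collapses to "other". The attribute
// and type names are the ones the post suggests.
const UA_ATTRIBUTES = ['UAtype', 'Organisation', 'UAname', 'UAversion', 'OSname', 'OSversion'];
const UA_TYPES = ['browser', 'spider', 'download manager', 'other'];

function parse_ua(string $ua, int $maxLen = 512): array
{
    $parsed = [];
    // The header is client-supplied: cap its length before running a regex on it.
    if (strlen($ua) > $maxLen) {
        return $parsed;
    }
    // name="value" pairs; values may hold spaces ("XP Pro SP2") but not quotes.
    preg_match_all('/(\w+)="([^"]*)"/', $ua, $pairs, PREG_SET_ORDER);
    foreach ($pairs as [, $name, $value]) {
        if (!in_array($name, UA_ATTRIBUTES, true)) {
            continue; // you can add your own, but it makes no difference
        }
        if ($name === 'UAtype' && !in_array($value, UA_TYPES, true)) {
            $value = 'other';
        }
        $parsed[$name] = $value; // every attribute is optional; last one wins
    }
    return $parsed;
}

// The post's Firefox string plus a made-up attribute that should be ignored.
$ua = 'UAtype="browser" Organisation="Mozilla" UAname="Firefox" UAversion="1.5" '
    . 'OSname="Windows" OSversion="XP Pro SP2" Colour="blue"';
print_r(parse_ua($ua));
// Output holds the six fixed attributes only; Colour is dropped.
```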
A friend of mine has been playing a game which you play through the browser; some tasks can be automated, which allows the player to earn money or increase stats quickly, or while not at the computer (this particular action does not interact with other players). My friend then created a bookmarklet (?) which would automate this task. All was hunky-dory until the game asked the user to read an image and copy the text down. This is done precisely to prevent these automated bots; still… it provides an interesting problem. How could you read the image and continue the game automatically?
I remembered a certain web service that I’d used a while back, namely WhatTheFont (WTF). This service can read an image and tries to deduce the font used from the characters it can find. I figured I could use this to read the characters in an image.
I found a random image such as which is the kind of image the user has to copy. I tried uploading the image to the WTF site, but it failed to read the image. I noticed the sample images they provide are much larger, so I scaled up my image and submitted it again, this time WTF could read the image perfectly.
Now… if only I could get some PHP code to read an image file, scale it up, submit it to WTF and read the response.
I should say that the code I provide is very untidy; this is because it’s the result of sleepless nights, and at points I hacked certain bits, then edited them again later. I explain the code just below the code itself.
function doIt() {
    $r = rand(100000, 999999);
    $type = strtolower(pathinfo($_GET['img'], PATHINFO_EXTENSION)); // image type from the ?img= URL
    if ($type != 'gif' && $type != 'png') die('Only GIF and PNG images are supported');
    $ext = '.' . $type;
    if (!@copy($_GET['img'], $r . $ext)) die('Could not save the image'); // save locally under a random name
    $img = up_size($r . $ext, 5, $type); // WTF needs a larger image
    $lines = file("http://www.myfonts.com/WhatTheFont/Upload?url=http://www.whiteacid.org/img_reader/" . $img);
    echo parseInput($lines);
    unlink($img); // remove the scaled image up_size() created
    unlink($r . $ext);
}
The code initially determines what image type the image is. The script only allows PNG and GIF. BMP wouldn’t be used as no one really uses it any more and JPG wouldn’t be used as it would blur the lines making it difficult for humans to read the letters. It then saves the image to the same folder the script resides in under a random name (or quits if there’s a problem). I did this because for some reason the script seemed to work better when the image was in the same folder, or at least on the same domain. I then scale the image up (that function is below), perform the request and run parseInput (again, code coming below). Finally I remove the image (which up_size() creates).
The up_size function’s code is here:
function up_size($imageUrl, $ratio, $extension) {
    if ($extension == 'gif') $src_img = imagecreatefromgif($imageUrl);
    else $src_img = @imagecreatefrompng($imageUrl);
    $origw = imagesx($src_img);
    $origh = imagesy($src_img);
    $dst_img = imagecreatetruecolor($origw * $ratio, $origh * $ratio); // larger canvas
    // copy the small image onto the canvas, stretching it to fit
    imagecopyresized($dst_img, $src_img, 0, 0, 0, 0, $origw * $ratio, $origh * $ratio, $origw, $origh);
    $out = 'big_' . $imageUrl;
    if ($extension == 'gif') imagegif($dst_img, $out); else imagepng($dst_img, $out);
    return $out; // name of the scaled file
}
It reads the file and creates an image object, reads its width and height, makes a new image with a larger canvas and copies the old smaller image onto this canvas, stretching it to fit. That’s how it scales up images. Finally it saves this in a file.
Now that the image had been scaled up it was sent off to WTF and the response was stored in a variable ready to be parsed. Now, before I give the code for the parsing section you should know how the output HTML looks. Very simply, WTF prints out:
<input type='text' name='ch' id='wtfchar0' value='T' size='2' maxlength='1' style='font-size:20; font-family:verdana; text-align:center;'>
<input type='text' name='ch' id='wtfchar1' value='o' size='2' maxlength='1' style='font-size:20; font-family:verdana; text-align:center;'>
<input type='text' name='ch' id='wtfchar2' value='k' size='2' maxlength='1' style='font-size:20; font-family:verdana; text-align:center;'>
<input type='text' name='ch' id='wtfchar3' value='y' size='2' maxlength='1' style='font-size:20; font-family:verdana; text-align:center;'>
<input type='text' name='ch' id='wtfchar4' value='o' size='2' maxlength='1' style='font-size:20; font-family:verdana; text-align:center;'>
There is more stuff in between those segments, but that’s what we’re after. The easiest thing to search for would be id='wtfchar$n', then parse the value field after it. We’d have to note that if the character could not be identified the value attribute would be blank, so we could return a question mark instead, to let the user know that one character remained unknown. OK, the code:
function parseInput($lines) {
    $out = ''; $c = 0; // $c is the character index WTF uses in id='wtfchar$c'
    foreach ($lines as $line_num => $line) {
        if (strpos($line, "id='wtfchar$c'") !== false) { // !== : a match at offset 0 is still a match
            $needle = "id='wtfchar$c' value='";
            $char = substr($line, strpos($line, $needle) + strlen($needle), 2);
            if ($char == "' ") $char = '?'; // blank value: character not identified
            $out .= substr($char, 0, 1); $c++;
        }
    }
    return $out;
}
For each line of output, search for “id='wtfchar$c'” where $c is an incrementing integer which starts at 0. If it is found (then you’re on the right line of output), parse out the value, or use a question mark if the value is blank.
One more line of code is also required: you need to call doIt(), then you’re done.
That’s about it; using that code you can parse text from an image. This allows you to complete some forms automatically. This obviously could be used for spamming, which is why, instead of using images like the ones I’ve used, people should use ones like Hotmail and Gmail:
To see the script in action I made one script which lets you create images of text and another as described here. I used to host examples of this code in action but my new host doesn’t allow file access from a URL.