I cannot deny that it’s an awesome device and all that, but I’m still getting used to a new OS. The major work’s rediscovering the right tools and, of course, learning OS X’s keyboard shortcuts. Thankfully, it seems like a nice OS and all the work seems worth it.

by http://www.flickr.com/photos/mind-hacker/2726423319/lightbox/

That said, I now have a technology startup and cannot afford to just keep on ‘learning’. And that’s why small problems become big issues. All I needed was PHP-tidy to get on with life. Little did I know that it’d take up half of my day. So I’m putting it up here for people to download.

As most people, I got MAMP to avoid unnecessary complications and get on with “the code that matters to me”. MAMP is pre-packaged Apache-MySQL-PHP stack for Mac. My beef with the project is that they seem to be focusing on things that don’t really matter a lot to the target audience, like shiny-gui interface to configure document root, specify ports etc.. However, they seem to ignore few major bugs which seem to date around 2009.

1. They do not package tidy extension, even though there have been requests in the forum.
2. Their “pear.conf” configuration file’s broken, due to which neither pear nor pecl binary works, so tidy installation using pecl didn’t work either. The fix is a simple edit to the php_dir param though.
3. Sadly, pecl still fails due to some issue with phpize.
4. One solution is to compile PHP with tidy. However, there apparently is (or was) some bug with tidy, so I decided to avoid it and look around a little more.
5. Then, I found this post that recommends using pre-compiled php-tidy binary that comes bundled along with Zend Studio IDE. I decided to check it out, and thankfully, it worked.

Sigh! Such a crazy way to solve a simple problem.

Anyways, since tidy is an open source project, I figured it may not be illegal to put the binary up for download. (Zend Studio is NOT free.)

You may download php tidy for OS X (tested on Lion)  from my public Dropbox folder.

• Apache-MySQLPHP Installation & Configuration Tutorial for Beginners :)
• Drive-by Download: Where Network Security Meets WebAppSec
• Grabbing Video from Youtube.
• The Web is Broken
• Rediffmail Bug. Anyone Interested?

As ironical (or rather illuminating, depending on the way you see) it may sound; as I start my very first step to understand the fundamentals of Indian constitution on the 59th Republic Day, I also start to learn to question it. It’s disturbing to learn that the borderline difference between pretending to be a democratic nation, and actually being one, has already depleted. What pains me more is that we “celebrate” the Republic day in the form of a “holiday”, without actually caring about being sovereign and republic.

I am starting to get fed up of getting used to all the abnormalities in the normal flow of life.

• Apache Headache: “no listening sockets available”
• OWASP AppSec Conf Delhi – Day 2; and more
• A new home for us :)
• Bill Gates no more The Richest
• Orkut Latest XSS Worm; and what it means for Indian Orkuteers

This post was due since the Bank of India hack incident, and was fueled by PDP’s Drive-by Java post, which is a very simple, yet a well thought of extension (sort of) to the Drive-by Download attack. This post is aimed to provide a clearer understanding of the Drive-by Download attack (via a demo).

Citing Wikipedia, Any download that happens without knowledge of the user can be referred to as Drive-by Download (DBD). Pretty obviously, an attacker downloads (or uploads, depending on the perspective) malwares, viruses etc., especially in case of a zero-day. Now, I should also specify that by the sub-title “network security meets web application security”, I simply wish to point that viruses, malwares, worms are not really a concern of WebAppSec. Please note that these exclude the Javascript payloads.

Here is the video of Bank of India Hack, showing DBD in action.

Here is my demo of DBD in action.
All files downloaded to your system are 0 (zero) KB and are completely harmless. You’ve my word.

• Grabbing Video from Youtube.
• What a new year Gift! :)
• A new home for us :)
• IFrames – To be or not to be?
• SecurCamp and back.

presentation for OWASP Belgium Conf. I missed out on mentioning David’s name is the credits. Apologies David. I’ve updated and re-uploaded it.

Yesterday, I presented my first Webinar (Seminar on Web). It was titled, The Web is Broken –Why every feature is, in fact, a loophole. A great experience.

Although after listening to my own recording, I felt that a number of things went wrong (mostly because of problems in connectivity and slow internet speed). The issue I was worried about was that it was targeted at developers with beginner to intermediate level knowledge of web, but the topic was very broad. Fortunately, I received some good feedback along with requests to conduct more such sessions. The talk was scheduled for 1.5 hours, but it stretched for 2.5 hours.

Here is the presentation:

| View | Upload your own

I hope you like it too.

• What a new year Gift! :)
• Open JavaFX, an alternative to AJAX?
• [How To] Implementing Shindig.
• Samy: A hero or a villian!
• HTTP protocol and other stuff that power the web

Update: Aah. It’s not that there couldn’t have been any better news , but today’s News is that Ma1 has agreed to provide feature to block frames through NoScript from the next version (1.1.7). NoScripts Rocks.
Oh and Yes! Ma1 Rocks too …;)

I have been pretty busy since the last few weeks (and this trend is likely to continue for the coming weeks). Thus, my posts have been more of “news-flashes”. Apologies for that. I’ve now decided to blog about things/technologies I am working on. (Expect some write-ups on security scanners like w3af and code auditing tools like LAPSE.) However, I couldn’t stop myself from putting forward this debate on IFrames. First, let’s see what are the *evil* things that IFrames can do for… *cough*… you

CASE-I
A couple of days ago, Bank of India site was compromised. It was serving malwares to the visitors. This was done by “drive-by downloads“. The criminals were (invisible) IFRAMES.

CASE-II
I hope most of you are aware how dangerous Javascript can be. Of course, I am referring to XSS attacks. However, the recent research, notably from Jeremiah Grossman, RSnake and Gareth Hayes, showed another shockingly dark side of XSS with CSS (yes, Cascading Style Sheets ). The criminals here are IFrames, visited attribute, etc.

CASE-III
Gareth also gave a proof of concept on his blog to perform CSRF using CSS, even when Javascript is disabled. He (very wisely) used CSS to change the LOOK and FEEL of a Submit button to a link. Now, when a *smart* user is surfing the web with javascript disabled, he’d not worry about clicking a link, and may end up clicking on the *link* to submit the form.

CASE-IV
You decide… .
I have anyways left some other known issues, I think.

Gareth has been preaching the evil nature of IFrames for quite some time now. Yesterday, he made a new entry titled “IFRAMES ARE EVIL” on his blog. He suggested using some attributes/tags to disable/enable iframes etc. Iframes have been on my mind for quite some time. I believe that Content Restriction, once introduced, can solve a number of issues. Till then, I believe, Maone’s NoScript can come to the rescue by proving optional feature to disable iframes. I know, this is definitely not a attractive suggestion, but who knew we’d have to browse with Javascript disabled!

Moreover, I thought it’d be a good opportunity to see what other researchers have to say about it. So, I posted it to the Slackers forum. I am watching keenly.

• NoScript: For Guaranteed Protection From Evil IFrames
• Rediffmail Bug. Anyone Interested?
• Yahoo!’s javascript based media player!
• Java vulnerable to remote compromise
• Apache Headache: “no listening sockets available”

The Sun advisory page on this flaw, however, informs you about two flaws which are nothing but Buffer Overflows. Do not mistake me that I am undermining the impact of Buffer Overflow Attacks in any way. It’s just the ZD Net article’s title which’s bugging me. It makes the flaw look like an out of world ET attack scenario.

1. A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
2. A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.

Now firstly, Buffer Overflows are no new form of attacks. They have been here since the existence of man (I admit that’s a little much ), and they are here to stay. Thus, articles like this are more like FUD, IMHO.
Secondly, applet support is very limited in mobile devices. Not to mention that J2ME supports only PNG format. Thus, not “virtually everything” is everything.
Finally, image parsing library in Sun’s Java implementation is through a native library. It’s time that Sun writes a Java equivalent for it to avoid other similar issues. Further, since Java is now GPL, I also hope to see the code coming from some random, pimply, introvert teenage kid.

The problems can be resolved by updating the packages. Detailed info provided on the Sun’s advisory.

• An insight into Sun’s *crazy* strategy.
• Open JavaFX, an alternative to AJAX?
• AdSense exploited by malware (Trojan.Qhost.WU)
• Amazing Interrupt Handling!
• Month of Search Engine Bugs: “Mission Accomplished”

The talk explained the (different) booting process of Windows Vista. It also introduced the concept of manipulating an OS during its boot process using VBootkit. Finally, they gave a live demo of VBootkit in action (on Vista).

This event was Slashdotted. VBootkit was also blogged by Bruce Schneier. Here is an interview of the “boys” at SecurityFocus by Federico Biancuzzi. In their own words, “Vbootkit is much like a door or a shortcut to access vista’s kernel……. since vbootkit becomes part of the kernel, it can do anything that Vista’s kernel can do.”

This all, however, is a news of past. The current news stirred more vigour and controversy. They had yet another paper “TPMkit: Breaking the Legend of Trusted Computing (TC [TPM]) and Vista (BitLocker)” scheduled to be presented at Blackhat USA – 2007. They withdrew there paper last week without any comments. This news was Slashdotted and resulted in a (typical) slashdotian variety of comments. Some even doubted if they really had any success in their research. Well, you cannot really blame them. That’s the fussy nature of our FOSS communities… errr… wait. Before you bash me, I’d like to remind you that it’s not (only) me who says that. It was originally cited by Mark Shuttleworth. An amazing number of people opposed Mark by creating a lot of Fuss.

Coming back to the story. A user, by the handle PoliTech, commented on Slashdot and reminded the Michael Lynn’s paper at Blackhat about his research on Cisco Routers. Cisco and ISS sued Lynn and the management of Black Hat conference. It’s worth noting that Lynn was an ISS employee.

It should be also be noted that Vipin and Nitin’s previous presentation was in Amsterdam, Europe. This presentation, however, was scheduled in US… and the (stupid) US laws can screw things up. Based on Lynn’s case, it is quite apparent that Vipin and Nitin didn’t wish to get caught in any such undesirable situation.

I hope to see them present the paper at some other conference (or location) pretty soon. Best of luck guys.

OffTopic: Coincidentally, my younger brother’s name is Nitin.

• Slashdot, uh! :|
• Vista!!! (3 Exclamations.) is here? (Why :-/)
• The Web is Broken
• OWASP AppSec Conf Delhi – Day 1
• Bittu’s back :)

MutLive reports:

In the project took part 33 search engines (30 web engines and 3 local engines) of 19 vendors, some vendors have several engines. The list of project’s participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.

Altogether there were published 104 vulnerabilities in mentioned engines. Including Cross-Site Scripting (as XSS, and as HTML Injection), Full path disclosure, Content Spoofing and Information disclosure vulnerabilities. It is without taking into account redirectors in search engines (altogether there were published 23 redirectors).

Results of the projects: fixed 44 vulnerabilities from 104 (without taking into account redirectors). It is 42,31% fixed vulnerabilities. Owners of search engines have a place for improvements of their engines’ security.

Over a period of 30 days, 104 and vulnerabilities/bugs were discovered out of which only 44 have been fixed. Out of these 19 vendors, only two (Rambler and Ezilon) have thanked him for his commendable hardwork.

Several researchers, including Jeremiah, RSnake, Christ1an etc. blogged about it. Considering the complexities involved in the fixing a bug, they agree at some point that 44 is still a good number. However, there is one Big “Cheer” Leader which isn’t fixing the bugs. No points for guessing that the Leader believes in “not doing evil things”.

• AdSense exploited by malware (Trojan.Qhost.WU)
• Google Lost Me!
• Top Rating in Google :D
• Idle Nights: Devil’s Mind
• Is Google Bomb REALLY Diffused?

Now back to the topic.
Almost all the huge players are now moving to the AJAX arena. They are in fact coming up with new technologies like Silverlight, Apollo, JavaFx. I am personally not a very big fan of AJAX, but then it doesn’t make any difference. I am, however, interested in these new athletes, particularly JavaFx.

One of the major concerns of any AJAX programmer, IMHO, should be to take care of a situation where the user DOES NOT HAVE or DOES NOT WISH to use Javascript. It should be a growing concern when we have plugins like NoScript (Oh! I Love it.) and we have reasons to use it. Apart from the security concerns, it blocks most of the stupid ads that I am not interested in.

Bottom line, there should be a minimal interface to fall back to (like the one GMail has). The rediffmail coders have done the same and provided a…. ummmm BackUpInterface thingy. However, they probably forgot that the *thingy* is there because the person’s browser DOES NOT SUPPORT Javascript.

My Story, My Words:
I used the NoScript plugin to forbid rediff.com domain, opened the site rediffmail.com, entered userid and password… and said… Khul Ja Sim Sim.

Bingo I was in and was able to read my mails without any fuss. Then I decided to delete some mails… wait a sec! What the heck!
I am not able to.
Move mails??? Nopes.
Compose? Okay.
Send?? Sorry.
Save Draft? Sorry.
Cancel??? Sorry.

I concluded that all that looks like a Button uses javascript. However, the links were, fortunately or unfortunately, working.
The Logout‘s like a link. So it’d obvoiusly work.
click.. click.. clickclickclick.
What the Heck!.
Logout operation calls some javascript function do_logout().

So basically, if I am an average internet user and do not have javascript, I’d log into my rediffmail account, read mails, try composing but won’t be able to send… and worse, I won’t be able to logout. Not understanding anything, I might close the browser window.
And what if I am at a cybercafe???

I am sure there is way to revive the session even if the browser window is closed (I remember reading of some similar old Yahoo! bug). If you’re interested, take on from here.

Now for the other people. I would really like to know how many people actually have a rediff aaccount and actually use it .
I have one too… and I login in… say a month.
I am not at all blaming rediffmail service (Okay! A little ), I am just interested in the figures.

• Open JavaFX, an alternative to AJAX?
• IFrames – To be or not to be?
• An insight into Sun’s *crazy* strategy.
• Yahoo! gone Insane!
• NoScript: For Guaranteed Protection From Evil IFrames

I stay back in the office during night and return back at around 6-7 am, when everybody is coming . These nights are supposed to be LONELY as I am the only one in the building (actually in all the four buildings combined), apart from the security guards and office boys, of course. However, I’ve found my companions, and ways to refresh myself. I’ll list some of them.

1. Online Web/Security Cameras: Some of you who know that Google provides an API for refining the search queries (with a capital “R”) also know that the giant’s database is like an ocean. And you never really know what’s inside an ocean unless and until you dive in it. As you dive deeper, your jaw drops in awe.
Long story cut short, I use the query to discover (a part of) all AXIS cameras online.
For curious lot, the query is: inurl:/view/view.shtml AXIS and sometimes intitle:”Live View / – AXIS” | inurl:view/view.sht
[As I am writing this, I wanted check the second query. So I chose one of the results and something spooky happened. Someone was already controlling the camera. hehe.
I was moving it right, he/she was moving it left. We fought for a while but then I closed the window. I am nice guy you see )

Okay let's proceed.
So I have a bookmarked folder called "PastTime" on my browser, which has my favorite cameras bookmarked. My most fave are:
i) A coffee/wine shop camera, which is more lively during the night. Luckily, the camera is provided officially, so I can provide the link without any worries. Find the link to the camera here: buzzjunction_webcam

ii) A camera in the study room of a Polytechnic school of NewYork. It's a small room with a coffee machine, a microwave oven (?), a printer, a sofa, a bookshelf, and an elliptical table with power connection for the laptops and notebooks.
And that's the best part. People come here with there laptops, and sometimes I sit down looking at there screens, trying to figure out what they are doing.
I have also become acquainted with some regular visitors.
A spectacled guy with a cap and a laptop. (He is leaving right now. No kidding. What a coincidence [jawdrop])
A black girl, who has the headphones exactly like mine.
Two Muslim girls, with one Dell XPS laptop (probably).
The bad part is, there are no visitors on sundays
iii) A micro/nano lab camera of one of the world’s most famous universities. There’s nothing engaging about this, apart from the fact that the guys (or girls) roam around in spacesuit sort of dresses.
iv) A set of four surveillance cameras. Three of them pointing to car parking locations and one focussed inside some kind of room. I am still not able to get it yet. The only thing that makes me stick to it is the word “surveillance”

There are couple of others focussed on traffic, colleges, hostels (I guess), lake, parks… but they are pretty boring and pictures are not really clear.
I’d like to try my hands on other cameras like linksys too. Let’s see when.

2. Google Again: Google queries can be real fun.
Have you ever come across a search result when Google tells you that the original number of results is pretty large, however, most of them are sort of repetitions hence they have been truncated.
Have a look at the following two pictures.

 

You think that’s funny?
I leave it up to you to decide.

3. Slashdot, and blogs of others friends (and their friends) and some geeks like de Icauza etc. Initially I was a Digg addict, but then got completely fed up.
So guys, keep blogging.

4. Movies and Documentaries: Net speed during the night is awesome (generally). So I don’t mind downloading them. Though I don’t get time to watch them.

5. Off late I’ve also found some vulnerabilities in the policies and network of my company. I try to keep the management informed.
After all it’s my company. I’d definitely not like any jerk to poke his nose in.

That’s it.
These five (along with the songs being played ALL the time) are currently more than enough to consume my free time (In fact more than JUST the free time).
But even after all this, it gets freaking lonely sometimes… not that I am complaining

• How my Kindle cover saved my Kindle, OR How I got robbed of my DSLR and laptop
• AdSense exploited by malware (Trojan.Qhost.WU)
• [How To] Implementing Shindig.
• Slashdot, uh! :|
• Google Bomb! [Update: Diffused]

I was returning back to my room at around 6:30 in the morning after spending the whole night, as usual, in office. Suddenly this though struck me.
I always talk about codes and related stuff and ask people to map their algorithms to real life while coding, especially in OOP languages.
I asked myself, what would it be like to describe myself as a code, a script… a program.
So I (climbed two my cabin, which is on the second floor) and here is my honest attempt.

Om, unlike other programs, wasn’t really planned. There were no plans usually made back then in the early eighties; at least not in India. He was an additional functionality (a small script back then) of two programs, M & R.

However, since M & R were pretty solid codes in themselves, Om inherited most of the good features and was pretty healthy (I mean robust ) even as a tiny script.
So far so good. But it could never rely on conventional ways of compilation and execution. It was a rebel. Some people call such programs as “malfunctioning programs” . Programs that do not do what they are meant to do.

Time passed on.
It received formal education that helped him access various code repositories to incorporate other functionalities. It gathered data about various modes and environment of operation. It also learnt efficient memory and execution-time management.
However, these all came at the price of dependencies on various libraries, viz., friends, relatives, emotions, money, etc.

Microsoft has some strange reason for assuming that all human beings use IE and are on a windows box. This assumption makes most of their products, even the web applications, dependent on these assumptions.

Dependencies are bad.
Bad were they for Om as well…

It gradually got frustrated (a human emotion).
It got frustrated at lots of things… at almost everything.
It got frustrated on the formal way of code development, the conventional way of execution, the hypocritical nature of the IDEs that are supposed to facilitate development, and lot more.

There’s an unwritten law, which says that all rebels become an outlaw sooner or later.
So did Om.
Most of the libraries on which it was dependent had grown up to be pretty matured libraries and the outlaw was no more supported.
Dependencies are bad…

…but some codes die hard.
Since most of the libraries on which Om was dependent were under GPL, it simply incorporated the required code snippets instead of referencing the libraries. This has made it a pretty complex and buggy code… but hey that’s why the saying goes:
“There is code in my bug”

• Dreams… and (huh!) Reality.
• Life, so far…
• Apache Headache: “no listening sockets available”
• Open JavaFX, an alternative to AJAX?
• Grabbing Video from Youtube.

Anyways. There is this guy who created a, so called, WORM for MySpace.
It was a beautifully written piece of code… all in javascript. What this worm did was, it added Samy as a hero in the profile of every person who visited Samy’s profile.
And that’s not all, it also added Samy as a hero to the visitors who visited ANY affected profile.
He gives a beautiful (and “for-dummies”) writeup:
Story in his own words
Technical details

It created a havoc. Lakhs of profiles were infected in a few hours. MySpace had to take down the site to “repair” it.
The code is so beautifully crafted that it made me smile.

Now, was this wrong?
To a certain extent, YES.

Was it a punishable crime?
mmm… Depends on the extent and type of punishment. [If my views matter... well it's my blog, so it matters ]

The recent news is that Samy has been sentenced for three years of probation and 90 hours of community service. He cannot have access to internet during this period. [Though I am not able to understand what it means. He'll anyways be using ATM etc.]
However, this kind of “punishment” doesn’t make a sense to me.

If we really have to punish the “culprits”, why not punish MySpace too?
Why shouldn’t MySpace take the responsibility of the privacy of it’s users?
Why was MySpace stupid to allow DIV tags?
Why shouldn’t iexplorer and safari be sentenced for allowing javascript inside CSS?

These are questions that cannot be answered because the world belongs to the BIG-BAD-BOYS.
What this boy did not really harm anyone. He could have modified the code to steal private information, (the way your gmail book can be stolen).
Moreover, he published the code after MySpace had fixed the problem.
……. and yet he has been SENTENCED.

I am reminded of an incident that Lalit told me about.
There was this guy who informed the site administrator about some loophole in his site and was jailed.

“… but why?”
“Because you are not supposed to peek inside my house, even if the door is open.”
“… and what if I am one of those who have signed up to stay in your house? Isn’t my privacy your responsibility? Shouldn’t I be allowed to check the locks and doors?”
“No. I am a freaking BIG-BAD-BOY. You’ve no right to mess with me. If you even dare, be prepared to be jailed.”

Well…. That makes sense now.
So next time you find a loophole either sit silently or sell it.
That’s all I can conclude.

• M$ WindowsXP just got a newer version of Update with new Components!
• The Web is Broken
• IFrames – To be or not to be?
• Orkut Latest XSS Worm; and what it means for Indian Orkuteers
• AdSense exploited by malware (Trojan.Qhost.WU)

The words “your security got bypassed .. see more security next time” are clear enough to announce that security is not an feature or an event, it’s a process.By the way, I liked the music

• SecurCamp and back.
• TPM Boys withdraw paper from BlackHat USA
• Amazing Interrupt Handling!
• IFrames – To be or not to be?
• Slashdot, uh! :|

Update: This hack doesn’t work any more. I’ll post the latest pretty soon. Hopefully.

I loved this performance by Tina & Hussain. It left me breathless, and wet-ted my eyes .

I wanted it s badly. Did a l’ill research, found a hack, and here I am, sharing [& open sourcing it ].
You can find various sites and ‘n’ number of tools to grab your favorite video from Youtube.
There are definitely simpler ways, including a javascript. However, I liked this manual way of doing the job. It let’s me see where’s what…

1. Goto the page containing the video.
2. View page source. [Ctrl+U in firefox]
3. Search [Ctrl+F] for “player2.swf?“. It’d be something like “/player2.swf?video_id=jksdjs….“.
4. Copy the part after “?“, i.e., “video_id=jksdjs….“.
5. Append it after “www.youtube.com/get_video.php?“. It’d look something like “www.youtube.com/get_video.php?video_id=jksdjs….“.
6. Paste your string in the address bar of your browser and hit enter.
7. Please note that the video that we download is an flv file [and needs ".flv" to be manually added.]
8. If you don’t have an flv player, get it from HERE.

I hope it helps you get what you want I am not sure as to how long it’d work as the YouTube guys do not like people to download the videos and keep changing the settings. [ I am still wondering why!!!]
If the above mentioned steps do not help, please leave comments.

Psst.: I am planning to write a script to do it automatically. However, I am not sure if I want to do it in Perl or Java. [Perhaps, I'll code in perl and ask my students to do it in Java ]

• Yahoo!’s javascript based media player!
• Drive-by Download: Where Network Security Meets WebAppSec
• Apache-MySQLPHP Installation & Configuration Tutorial for Beginners :)
• Apache Headache: “no listening sockets available”
• Download PHP tidy extension for Mac OS X