Thursday, February 05, 2009

Internet Explorer 8 Ad Blocking

I recently downloaded Internet Explorer 8 RC1 and was playing with the InPrivate Filtering feature. I think that this feature could be used as an ad blocker. I converted the Adblock Plus filters into the XML format understood by IE and imported them in the InPrivate Filtering settings. Many websites worked fine, while some (e.g. Yahoo Mail) appeared to be broken. I am sure that with a little tweaking of the rules it will be possible to get better results.

You can get the xml file I generated here.

Alternatively, you could paste your Adblock Plus rules into the text area below and click submit. You will get back the XML content in the same text area.

Edit the InPrivate Filtering options, which can be found in the bottom right corner of IE 8. Go to Advanced options and import the XML file you just created.


Tuesday, April 29, 2008

Can Browser's Password Manager Be Used As Sign In Seal?

Almost every user uses the browser's password manager these days. You visit a site, enter your password and ask your browser to remember it. The password manager is then supposed to fill in the user name and password automatically when you go to the site again.

This can be used to avoid phishing attacks. The first time you visit any domain, make sure that you have typed the URL correctly in the address bar. Save your password. (You need not store the actual password; just make up a user name that only you would know and put in any password.) Now when you visit the site the next time, you should expect to see the user name that you had already saved. If it appears, the page actually came from the right domain.

E.g. visit mail.google.com, enter the user name bla-google with any password, and save it. Next time, you will see bla-google filled in automatically only if the page originated from that domain, effectively creating a sign-in seal.

What are the limitations? Well, it doesn't work across browsers unless you do this in all of them. The autocomplete setting may cause trouble. This may not work on subdomains (a site running something like the Yahoo! sign-in seal, on the other hand, may use the same seal on its subdomains).

Any thoughts?

Saturday, March 08, 2008

Web2Torrent : Let web pages host your files...

This is for research and fun purpose only. Don't contaminate the web using this technique. Use the tool at your own risk.


I just finished a POC implementation of what I call Web2Torrent. It is not exactly a torrent, as you will see after reading this post. It is just a funny way of storing your files on blogs, message forums, mailing lists etc. (Note: this is no rocket science.)

It consists of a PHP file uploader.php, a JavaScript file fetch.js and a bookmarklet that uses this JavaScript file. The idea is the following:

  1. A binary file is converted to a base64 representation.
  2. It is then divided into a suitable number of segments.
  3. Each of these segments is hosted on a different web page. Appropriate delimiters are used to identify the file contents correctly.
  4. Each page also contains the link(s) to the next segment. If one link is down, for example, the others can be used.
  5. Since each page could come from a domain that you do not control, a bookmarklet needs to be loaded manually after the page has loaded. This bookmarklet (which uses fetch.js) reads the page content and submits it to uploader.php.
  6. The uploader then stores the contents in a file and redirects the browser to the next URL to be loaded.
  7. Again you click the bookmarklet manually, and the process repeats until all segments are downloaded.
  8. After all of them are downloaded, uploader.php creates the output file and redirects the browser to that file.

Note: there is now a Greasemonkey script included that takes care of clicking this bookmarklet for you! Just install the script, edit the URL to point to uploader.php, and load the address of the first segment. The file will be downloaded automatically! The code still has to undergo lots of improvements though.

Each segment looks like the following:

One or more hrefs to the next segment with id linkid (actually these could be anywhere on the page) ->
_begin_wt_ (the beginning delimiter)
base64 data, possibly with tags and whitespace
$filename$extension$linkid(s)$
_end_wt_ (the ending delimiter)

The link on the last segment points to 'http://final/', and that's how the segment chain ends.
The rest of it is probably self-explanatory.
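To make the segment format above concrete, here is an added Python reader (example code, not the files from the tool's zip) that pulls one segment out of a page's HTML, strips the tags and whitespace, reads the $filename$extension$linkid(s)$ trailer, follows the links whose id is listed there and stops when a link points at http://final/. The two pages are constructed test data, not the blogspot test segments; it assumes several link ids in the trailer are separated by '$', and it adds a filename check the original uploader does not have.

```python
import base64
import re
BEGIN, END, FINAL_URL = "_begin_wt_", "_end_wt_", "http://final/"
# Constructed two-page chain (not the author's test data): the base64 of b"hello web2torrent\n"
# split in two, with the tags and whitespace a blog or forum would wrap around pasted text.
PAGES = {
    "http://blog.example/seg1": '<p>_begin_wt_ aGVsbG8g<br/>d2Vi\n$hello$txt$linkid$ _end_wt_</p>'
                                '<a id="linkid" href="http://blog.example/seg2">next</a>',
    "http://blog.example/seg2": '<a href="http://final/" id="linkid">end</a>'
                                '<div>_begin_wt_MnRvcnJl bnQK$hello$txt$linkid$_end_wt_</div>',
}

def safe_name(name, ext):
    """Defensive check the original tool lacks: only a plain basename may name the output file."""
    return bool(re.fullmatch(r"[\w-]{1,64}", name) and re.fullmatch(r"[A-Za-z0-9]{1,8}", ext))

def parse_segment(html):
    """Extract (chunk_bytes, filename, extension, next_urls) from one segment page."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), html, re.S)
    if not m:
        raise ValueError("no web2torrent segment on this page")
    body = re.sub(r"<[^>]+>", "", m.group(1))   # drop tags the host site wrapped around the data
    body = re.sub(r"\s+", "", body)             # drop whitespace and newlines
    data, trailer = body.split("$", 1)          # base64 never contains '$'
    fields = trailer.rstrip("$").split("$")     # $filename$extension$linkid(s)$
    if len(fields) < 3:
        raise ValueError("malformed trailer")
    name, ext, link_ids = fields[0], fields[1], fields[2:]  # assumption: several ids are '$'-separated
    if not safe_name(name, ext):
        raise ValueError("unsafe filename in trailer")
    next_urls = []
    for tag in re.findall(r"<a\b[^>]*>", html):           # next-segment links carry id="linkid"
        i, h = re.search(r'\bid="([^"]*)"', tag), re.search(r'\bhref="([^"]*)"', tag)
        if i and h and i.group(1) in link_ids:
            next_urls.append(h.group(1))
    return base64.b64decode(data, validate=True), name, ext, next_urls

def assemble(pages, start_url):
    """Follow the chain from start_url until a link points at http://final/; return (filename, bytes)."""
    url, out, seen = start_url, b"", {start_url}
    while True:
        chunk, name, ext, nxt = parse_segment(pages[url])
        out += chunk
        if FINAL_URL in nxt:                                    # last segment: the chain ends here
            return f"{name}.{ext}", out
        alive = [u for u in nxt if u in pages and u not in seen]  # use whichever link is still up
        if not alive:
            raise ValueError("all next-segment links are down")
        url = alive[0]
        seen.add(url)
```

assemble(PAGES, "http://blog.example/seg1") walks both constructed pages and returns ("hello.txt", b"hello web2torrent\n"); the in-memory dict stands in for the page loads the bookmarklet or Greasemonkey script performs.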


Advantages:
  1. You don't need a hosting service anymore; web pages start hosting files for you.
  2. The upload/download process can be automated.
  3. Spamming is being used for a good cause for the first time (depends on what you share).
Disadvantages and possible solutions:
  1. Web pages start to look ugly ;) (Soln: use divs and display:none)
  2. base64 expands the data (who cares, it's not stored on your hard disk anyway :) )
  3. Legal issues may be involved (no solution)
  4. Security?

You can grab the files here.

Usage (also includes a sample example):
  1. Extract the files so that they are accessible from http://localhost:8080/web2torrent/ (otherwise change the first URL lines in the bookmarklet and fetch.js).
  2. Allow PHP scripts to create files in the directory.
  3. Load http://localhost:8080/web2torrent/uploader.php in the browser.
  4. Enter the URL http://webtorrenttestdata.blogspot.com/2008/03/segment-1.html in the text box and submit the form.
  5. The page containing the segment will load; then press the bookmarklet you just saved (copy it from bookmarklet.js).
  6. Now the new segment will load automatically; use the bookmarklet after every page load.
  7. After the third segment is processed, you will be redirected to a wav file (borrowed from http://www.partnersinrhyme.com).
  8. The zip file also contains filesplit.php, which lets you split files into a specified number of segments. Before posting them, you will need to format them properly by adding the delimiters etc. described above. It's good to start from the last segment.

Other variants are possible, e.g. saving data in the images.

Note: This tool was created just for fun. Use it at your own risk. Don't use it for bad purposes. It has no security built into it: it may have XSS, it may have command injection. Shut it down as soon as you are done. ENABLE JAVASCRIPT, otherwise this tool won't work.



Let's see if I can get a research topic for my thesis from this idea... Maybe distinguishing between good and bad spam? How to protect applications from web2torrent? ...

Thursday, February 14, 2008

Software Lawyers and Standardized License Agreements?

I posted the following on my class blog. I think this is an interesting idea to consider.


After reading this post, I thought that we should standardize privacy policies and license agreements. Let me explain what exactly I mean by that.


In class Dr. Chen expressed the need for having information in a machine-readable format. For this purpose we mainly use standards like FOAF, OWL etc. Companies support the development of such standards because it is in their interest to have all data on the Web in machine-readable format. They can make money out of it.


Similarly, why shouldn't we have a standard for license agreements and privacy policies? E.g. a site like Orkut or MySpace should publish its usage and license information in some standard format.

E.g.

<company>Google</company>
<application>Orkut</application>
<profilemode>public</profilemode>
<informationlifetime>forever:)</informationlifetime>
<othertags>value</othertags>


This way, I will be able to decide whether I want to join a particular site or not. I will use some automated "Software Lawyer" that tells me the risk associated with joining a particular site.

But I am sure that these companies won't have such a thing, because they all want to use our information in abnormal ways and they want to hide this fact behind those 10-page license agreements.


What do you guys think? Or does there exist something similar to what I just proposed?

Thursday, December 20, 2007

Your 'Private' Videos on Orkut Are NOT Private!

Hmmm.. After a long time I have found something interesting to write about.

Orkut now has a feature that allows you to set your videos and photos as private so that only your friends can see them. Well, it seems it's not implemented that well.

The Referer header is at fault this time. YouTube videos have a links section below each video which lists the pages referring to the current video. It reveals who has added the video to his/her profile even though that person has set videos to private.

E.g. visit this video.
The links section below the video shows the following link.

This poor woman wanted to keep her videos private.

Anyway, the severity of this issue may not be more than 6/10. But you never know.

Google advanced search may allow you to target a particular Orkut user's profile. I have not evaluated this possibility though.

The fix is simple, I guess. Google should make sure that no Referer is sent for private videos (there are more than a few ways to do that). The GET method could be replaced with POST.

Keep integrating more stuff into your application and have fun.


Note: I have nothing against this Orkut user. It was the first example of the issue I came across, that's all.

Sunday, September 09, 2007

IE home page URL resulting in XSS?

I am not able to phrase the title of this entry correctly, but this is what I have found....

Copy the following link location and set it as your homepage in IE 7.

COPY THIS LINK

When you open a new window in IE, it echoes your home page URL in the window, which results in something similar to XSS.

I am trying to find a way to exploit this (like automatically setting homepage and adding some javascript), but if you already have an idea, please let me know.

Tuesday, July 24, 2007

Is it that easy to write desktop worms?

Some days ago, a friend of mine wanted a few documents from me. So I plugged his pen drive into the USB slot. As the next obvious step, I opened the drive. And strange things started happening on my computer.


First of all, I saw an executable file with an icon similar to that of a normal directory. Its name was MicrosoftPowerPoint.exe. Note that I noticed the extension because luckily I keep the 'Hide extensions for known file types' option off. Another reason I noticed this was that I had the 'Show all files' and 'Show system files' options on.


Next, I saw an alert with some strange text on it. Now this was clearly a sign of my computer being infected with some evil code. I quickly opened the pen drive in Explorer and noticed an Autorun.inf file! Now this was the root cause of the whole problem.

It contained the following lines:

open=MicrosoftPowerPoint.exe
shellexecute=MicrosoftPowerPoint.exe
shell\Auto\command=MicrosoftPowerPoint.exe


Clearly, as soon as you or the system opened the drive, the executable ran silently and did all the work. When I deleted the inf file and the exe file from the drive, they appeared again. Clearly a sign of something resident in memory.
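As an added defender-side example (not the author's code and not the worm's file), here is a small Python triage check that parses an autorun.inf and flags the keys that would launch a file from the drive itself. The sample file is constructed from the three lines quoted above plus an assumed [autorun] section header and a harmless icon entry; the list of executable suffixes is my own choice.

```python
import configparser

# Constructed autorun.inf modelled on the three lines quoted in the post, plus the
# [autorun] section header such files carry and a harmless icon entry; not the worm's file.
SAMPLE_AUTORUN = """[autorun]
open=MicrosoftPowerPoint.exe
shellexecute=MicrosoftPowerPoint.exe
shell\\Auto\\command=MicrosoftPowerPoint.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Keys that make Windows run something when the drive is inserted, opened or double-clicked.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys ({} if unparsable)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower            # Windows treats these keys case-insensitively
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    return dict(cp["autorun"]) if cp.has_section("autorun") else {}

def suspicious_entries(text):
    """List (key, value) pairs that would execute a file shipped on the removable drive."""
    hits = []
    for key, value in parse_autorun(text).items():
        # shell\<verb>\command entries (e.g. shell\Auto\command) hook the context-menu verbs
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value.strip().lower().endswith(EXEC_SUFFIXES):
            hits.append((key, value.strip()))
    return hits
```

Run against SAMPLE_AUTORUN it reports exactly the three entries listed above; a drive whose Autorun.inf only sets icon or label produces no hits.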

Fortunately (?), the alert popped up again, and thus I was able to locate the exact process which was carrying out the whole operation. It was svchost. Now under normal circumstances you see multiple instances of it in the task manager. The thing different about this one, though, was that it ran with the user equal to my user name. I quickly killed the process and deleted the two evil files on the pen drive.


As I had suspected, on rebooting my computer the alerts were seen again. Then, after looking at the registry, I figured out that the worm had created a start-up entry on the system. It had copied itself to c:\heap41a.


On searching the Internet for heap41a, I found the whole description of the worm.


Lessons learnt:

  1. Pen drives are dangerous!
  2. Never log in as a privileged user when using such devices.
  3. Never trust your antivirus (I have the free edition of AVG, fully updated).
  4. Inf files are 'BAD'.
  5. Propagating such worms is as easy as spreading Ajax worms (? Any thoughts)

Luckily, the worm did not do anything evil, I suppose. But you may not get so lucky.