Thursday, May 29, 2008

URI / URL Parsing Using RegExp in JavaScript

Some time back, when I was writing a web crawler in JavaScript, I had to parse URIs into their constituents. And for that task I modified Flog's URI Parser class for my needs.

Well, as part of the licensing, and for sharing of information, I thought I'd post the JavaScript code here.

function UriParser(uri) {
  // Class (written for use with prototype.js) that splits a URI into its parts.
  // Modified from FlogUriParser, found at
  // http://www.flog.co.nz/index.php/journal/prototype-uri-parser-class/
  //
  // Capture groups: 2 = protocol, 4 = username, 5 = password, 6 = host,
  // 7 = port, 8 = pathname, 9 = URL-parameter separator (';' or '|'),
  // 10 = URL parameter, 11 = query string, 12 = fragment.
  this._regExp = /^((\w+):\/\/\/?)?((\w+):?(\w+)?@)?([^\/\?:]+):?(\d+)?(\/?[^\?#;\|]+)?([;\|])?([^\?#]+)?\??([^#]+)?#?(\w*)/;
  this.username = "";
  this.password = "";
  this.port = "";
  this.protocol = "";
  this.host = "";
  this.pathname = "";
  this.url = "";               // the whole matched string
  this.urlparamseparator = "";
  this.urlparam = "";
  this.querystring = "";       // raw query string; it is not split into key/value pairs
  this.fragment = "";
  this.results = null;         // raw RegExp.exec() result, or null if nothing matched

  // Capture group i of result r: "" if the group did not take part in the
  // match, null if the regular expression did not match at all.
  this._getVal = function(r, i) {
    if (!r) return null;
    return (typeof(r[i]) == 'undefined' ? "" : r[i]);
  };

  this.parse = function(uri) {
    var r = this._regExp.exec(uri);
    this.results = r;
    this.url = this._getVal(r, 0);
    this.protocol = this._getVal(r, 2);
    this.username = this._getVal(r, 4);
    this.password = this._getVal(r, 5);
    this.host = this._getVal(r, 6);
    this.port = this._getVal(r, 7);
    this.pathname = this._getVal(r, 8);
    this.urlparamseparator = this._getVal(r, 9);
    this.urlparam = this._getVal(r, 10);
    this.querystring = this._getVal(r, 11);
    this.fragment = this._getVal(r, 12);
    return r;
  };

  if (uri) this.parse(uri);
}
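An added example, not part of the original post: it runs the class's regular expression on constructed sample URIs and compares the host it extracts with the standards-based URL parser built into Node.js and modern browsers. The parseUri and compareHost helpers and the sample URIs are my assumptions; the regular expression is the one from the class above.

```javascript
// Regular expression from the UriParser class above (same capture groups).
const URI_RE = /^((\w+):\/\/\/?)?((\w+):?(\w+)?@)?([^\/\?:]+):?(\d+)?(\/?[^\?#;\|]+)?([;\|])?([^\?#]+)?\??([^#]+)?#?(\w*)/;

// Same capture-group layout as UriParser.parse, returned as a plain object.
function parseUri(uri) {
  const r = URI_RE.exec(uri);
  if (!r) return null;
  const get = (i) => (r[i] === undefined ? "" : r[i]);
  return {
    protocol: get(2), username: get(4), password: get(5),
    host: get(6), port: get(7), pathname: get(8),
    urlparamseparator: get(9), urlparam: get(10),
    querystring: get(11), fragment: get(12),
  };
}

// Does the regex agree with the WHATWG URL parser about the host?
// standardHost is null when the URL constructor rejects the input.
function compareHost(uri) {
  const parsed = parseUri(uri);
  const regexHost = parsed ? parsed.host : "";
  let standardHost = null;
  try { standardHost = new URL(uri).hostname; } catch (_) { /* not a valid absolute URL */ }
  return { regexHost: regexHost, standardHost: standardHost, agree: regexHost === standardHost };
}

// Constructed sample inputs (example.com and .example are reserved example names).
const FULL = "http://user:pass@example.com:8080/path/to/file;param?x=1&y=2#frag";
const HASH_BEFORE_AT = "http://example.com#@other.example";

if (typeof require !== "undefined" && require.main === module) {
  console.log(parseUri(FULL));
  console.log(compareHost(FULL));           // agree: true
  console.log(compareHost(HASH_BEFORE_AT)); // agree: false, regexHost keeps the "#@..." tail
}
```

The host group takes everything up to the first '/', '?' or ':', so a '#' or '@' that appears before one of those characters stays inside the host while the standard parser stops at it. If the parsed host feeds a crawler scope check or an allow-list, cross-check it against URL.hostname rather than trusting the regex alone.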

Assessment Methodology

Done by hitechpo on the House of Hackers blog.

[Parts 1, 2, 3, 4 and 5]

Introduction to reverse engineering

Done by n2u on the House of Hackers blog.

[Part 1]
[Part 2]

Cool hack: Man exploits random deposit verification flows to steal $50,000

This is really, really impressive, though on a serious note it's not that funny for a system to be so poorly designed and implemented.

Link: http://www.cgisecurity.com/2008/05/12

Tuesday, May 27, 2008

Backdated post [23:11 Tue 6-May-2008]

My presentations skills suck. At least for now?

After hearing two independent (largely similar) reviews of my presentation, I'd have to listen, unless I'm not interested in improving in this general aspect. :-P

Stuff to note:
- using pictures to illustrate points is OK, but at least have some words or a title to clarify the point of the slide

- let the audience know what will be covered in the slides

- put the speaking notes in the slides themselves, not the preceding slide

- organize the time properly

- manage the audience, not the other way round

- don't use useless filler words

Backdated post [20:37 Sun 27-Apr-2008]

It's pretty exciting to see the house come up bit by bit, part by part. Planning, deciding, buying, cleaning...

Heh, it's also very exciting to see our expenditure and money in the bank as we spend on stuff for this and that. Hahaha.. :-D

Suggestive

I was looking for the meaning of the word "obviate" on the net, and I found this ad on one of the sites. Really, really suggestive..



For your info, the word obviate means to do away with something (unnecessary).

Nintendo DS freestyle music creation

Just...wow.

From Digg.

Wednesday, May 14, 2008

Click Crime

I seldom write about articles that I read, preferring to share them in my Google Reader or put the link in my Twitter. But I'll make an exception here:

http://www.securityfocus.com/columnists/471

Mark Rasch gives a very good description of "criminal honeypots" and some of their possible implications worldwide if they are implemented on a larger scale. The difference between setting up a trap and entrapment is also discussed.

From the web application security perspective, it would be possible to frame someone else not only through social engineering, but also through attacks like these:

  1. Create JavaScript code on a site that you control that exploits CSRF weaknesses in the criminal honeypot. Wait for the target to access your site and "click" the link automatically.
  2. Create a site that's linked to your target somehow, and get many, many people to click on the link (to the criminal honeypot) that you put on the site. The FBI sees the referrals from that site and traces it to your victim.