Monday, July 13, 2015

Web Hacking 101: Javascript

While this is a broad subject, let's start with the assumption you know the basics on programming in Javascript. Javascript opens up unique opportunities for altering websites. Javascript, when used properly, should be for creating a dynamic web page and not for any security measures. The reason for this is quite simply because Javascript is as easily viewed as the web page's source. With a DOM inspector like the kind in Firebug, you can find lots of things on websites to play around with.

The easiest to start messing around with are variables. An easy way to demonstrate this would be an example. So going a bit old school, the Nyancat website. Let's make it look like we've had that site up for way longer than it has been up. We do this by checking out some of the variables. In the code I find this snippet:

var startTime = new Date();

So in the Firebug console, I simply put in

startTime = new Date(0);

And like magic, it thinks I've been there since 1969.

Now that's purely basic and mostly useless, unless you like showing off random stuff like that. However, this is just an example of what you can change in Javascript to mess with things. The simple fact of the matter is that you can alter anything in the Javascript of a website or add stuff to it.

Now there are two other things you may run into. The first is obfuscated Javascript. This is when the code is made to be very hard to read. This means no real formatting, nondescript names for variables, functions and classes and other things that can be quite a headache. The easiest way to deal with that is to look for a Javascript beautifier. A simple Google search will give you some results.

The other thing you could run into will appear like a garbled mess. This is JScript encoding, created by Microsoft and not often used. It may take a bit of searching, but there are decoders you can use to view the source. I wouldn't obsess over this, though, as it is a rare thing to find.

As you move on with Javascript exploits, down the road you will come across something called XSS, or Cross Site Scripting. This is when you manage to get others to view a page with Javascript that is used for malicious purposes. This can be anything from stealing information to simply annoying people. To pull stuff like that off requires a bit of filter evasion or knowing somewhere it can be executed. That in itself is a topic of its own. Until then, try using Javascript on sites to see what can be altered or changed.

Wednesday, July 1, 2015

Information Dump: Comptia A+ 801 Study Guide

I was originally going to post this in pieces, however not only will that take a lot of work due to how the formatting is, but it would also be the worlds biggest pain if I need to update anything. As a result, I am uploading it to Google Drive and docs or whatever. Yay! A few things to note.

  1. This is very cut and dry, basically like a quick reference or "cheat sheet"
  2. Not all the information is necessary to be memorized
  3. I make no guarantee that there are no errors
  4. Stuff may and most likely will change over time
Now I post this for those looking for some free study material and it's basically notes I was making while I was studying.

So here's the information from me to you.


*** Currently it is missing some stuff. I am in the process of finishing it, so check back every so often. The 802 should be following shortly after I finish this one and then possibly a Security+ study guide after that.

Tag Cloud

.NET (1) A+ (2) addon (6) Android (4) anonymous functions (5) application (10) arduino (1) artificial intelligence (2) bash (4) c (7) camera (1) certifications (4) cobol (1) comptia (4) computing (2) css (2) customize (16) encryption (2) error (19) exploit (17) ftp (3) funny (2) gadget (3) games (2) Gtk (1) GUI (5) hardware (7) haskell (15) help (8) HTML (6) irc (2) java (5) javascript (21) Linux (20) Mac (5) malware (2) math (8) network (9) objects (2) OCaml (1) perl (4) php (9) plugin (7) programming (42) python (24) radio (1) regex (3) security (25) sound (1) speakers (1) ssh (3) story (1) Techs from the Crypt (2) telnet (2) tools (15) troubleshooting (5) Ubuntu (4) Unix (4) virtualization (1) web design (14) Windows (8) wx (2)