XSS attacks : How to save yourself

Today, all of us have accounts on facebook. Other than that, we have several other online accounts too. What if I told you that without you realizing it, your account may get hacked? What if I told you that clicking a harmless looking link can cause you to lose your account? Would you laugh it off? If your answer is yes, think again.

I can give you a simple link. You click it and that opens up the Google. That’s all I require to hack into your account. Better yet, I can have a webpage with an image and soon as that image loads into your browser, your security gets compromised.

If you’re with me until now, read on.

This article – as the name suggests is about cross site scripting (XSS) attacks – and how to prevent your personal information from being stolen from such an attack. First up – this article isn’t a tutorial for XSS. It’s for people who are not familiar with all this network security stuff.

First things first. Cookies.  Yeah really. What are cookies? Cookies are basically some data stored on your pc that websites use to recognise you, keep track of your movements etc. So, the reason why you can close your browser, and, on opening facebook again in your broeser, it shows your account – that’s because of cookies.

Also, I’d like you to know a little about XSS. Even though this post isn’t meant to learn what XSS actually is – I’ll write something for it down the line – still, it would be good to have some basic idea of what might hit you. XSS is a scripting language based attack – primarily JavaScript. What can JavaScript do? It can do all kinds of weird sh!t. For example, it can open a lot of pop-up windows. It can be made so that whenever you open a page, some information  gets sent to a page that I want without you even knowing it. And, the most important thing of all – it can be used to send away your cookies.

Almost all the websites that you visit these days have some JS being used. Not that it is used only for malicious purposes – JS is used for some great stuff too. But one who wants to use it badly can indeed do so. To execute JS, one can have a link pointing to something like:

javascript: <some JS code>

Or, if the JS is integrated in the page itself, it can be executed as per the wishes of the one who created that page. This can mean that, for example, whenever you move your mouse over some part of the page, some information may be being sent in the background without your knowledge – and that includes cookies.

There are other ways too but I’ll not discuss them here. Now, when your cookies have been sent over – what happens. For example, I have an account that provides free web hosting services. Using that, I can make such an arrangement that whenever any information is sent, it gets recorded.

Generally, it’s the link based attacks that you should be aware of (I won’t explain the reason though). In such cases, the information is sent to the page that performs that recording and then redirects you to some other website. Most of you won’t even notice the address in the address bar when Google opens up in front of you. So, while you are thinking that the link pointed you to Google, something has already happened. Your cookies have been saved in a log file somewhere and you don’t even know about it.

Now, what can the other person do with these cookies? Well, he can set his own browser’s cookies – just like they would be in your browser – from your cookies and tada! In many cases he should be able to open your account just by going to that website.

How to prevent this from happening?

Well, the first thing you can do is this: NEVER paste anything in your address bar that starts with ‘javascript:’ unless you know what you’re doing. Secondly, always check where a link points to by hovering over it an looking at the bottom corners of the browser window. If it begins with ‘javascript:’ then there may be risk involved. Also, the surefire way to avoid this is to turn off JS in your browser but that can hamper the functioning of many websites too.

Anyway, I’ll have more on XSS somewhere down the line. This is it for the time being. Please leave a comment. Also, like and share.

Sudoku Solver – Version 1.1

I made the code cleaner and decomposed the one long loop from before into functions. Also, a new technique, naked pair, has been added.

The code can be viewed online here:

http://codetidy.com/2854/  : The JavaScript

http://codetidy.com/2855/ : The HTML

Download from here (Mediafire) or here (Rapidshare).

Please like and share ~_~ Also, add a comment if you have anything to ask.

How to send large number of mails automatically?

I have seen many of my friends sending promotional emails during the college fests. They typically have to send ~1500 mails. The other day somebody asked me if I was sending these promotional mails too. Well, of course I wasn’t. But it was then that I got to know that all these people were doing this stuff manually!! So I asked him – “Don’t you get tired?” To that he replied – “Sure I do. But what choice do I have?” And that was it.

Just so you know, there IS another way. As a matter of fact, after reading this post, you may think that you’ve wasted too much time on something as trivial as sending emails. So, read on.

First comes the format in which you have got your email addresses. These are generally provided in a csv file (comma separated values file) or so I’ve been told. A CSV file can be opened using any spreadsheet program (such as Microsoft Excel). If you open a csv file using a text editor (such as notepad), you may find that it contains something of the following format:

 
Name, Email
Leonardo DiCaprio, leo@gmail.com
George Clooney, georgy@yahoo.com
Matt Damon, bourne@identity.com

The format is fairly obvious. The top row contains field names – in this case – Name and Email. The remaining rows are just data for either columns.

Now, because of certain reasons I chose that I will use python as the scripting language here. Don’t worry if you don’t know python though. It’s all been made in such a way that you can just copy-paste and it’ll work. The primary reason why I chose python is because of the inbuilt csv module that makes handling of csv files a piece of cake.

Now, to make it work:

Procedure:

Step 1:

First download and install python from the website. I am using python version 2.7.3 at the time of writing. Unless you know what you are doing, I suggest you install version 2.7 and don’t install version 3.2 etc.

Step 2:

Now, for sending the actual emails. There are a couple of ways to go about this. First, and the one that I have used in this post is, by using a gmail address. I will advise you not to use your permanent gmail address for this. Make one or two new ones that you can use specially for sending bulk mails. This is just a safety measure. Google may think that you were spamming other people and may suspend your account. So, we are using a separate account for this purpose.

Among other methods, you can set up a mail server on you machine. But let me warn you that this process is somewhat difficult and takes time.

Another way would be to register for a free or paid SMTP server. These are generally much more flexible compared to gmail.  But, finding a good one is usually a not easy. You are free to try of course.

Step 3:

Now, in a directory, make a file called message.txt that will contain the actual message to be sent. Also, in the same directory, keep your csv file. We will call this file email.csv in this post.

Step 4:
In the same directory as before, make a file called sendmsg.py and copy the following code into it:

(Note: To copy the code, use the option on the top right of the code pasted below)

import csv
import smtplib

from email.mime.text import MIMEText

import re

fp = open('message.txt', 'rb')
msg = MIMEText(fp.read())
fp.close()
msg['Subject'] = 'Subject goes here'
msg['From'] = 'sender.address@gmail.com'

server = smtplib.SMTP('smtp.gmail.com:587')
server.starttls()
server.login('sender.address@gmail.com', 'password')
email_data = csv.reader(open('email.csv', 'rb'))
email_pattern= re.compile("^.+@.+\..+$")
for row in email_data:
  if( email_pattern.search(row[1]) ):
    del msg['To']
    msg['To'] = row[1]
    try:
      server.sendmail('test@gmail.com', [row[1]], msg.as_string())
    except SMTPException:
      print "An error occured."
server.quit()

And that’s it! You’re done.

Explanation:

Those of you who understand python should have no trouble understanding this little snippet of code. For those of you who don’t know python, you should follow these steps to correctly configure this script:

1. On line 8, if your text file is named something else, then you should change the name message.txt to whatever the name is. For example, if your file is named hello.txt, the 8th line will look like:

fp = open('hello.txt', 'rb')

2. In lines 11 and 12 you should change the subject and the from fields. For example, your subject was “Important message“(quotes are not included in the subject) and your gmail address was “my.email.id@gmail.com” (quotes not included), then the 11th and 12th lines would look like:

msg[‘Subject’] = ‘Important message’
msg[‘From’] = ‘my.email.id@gmail.com’

3. Next, in line 16, replace the email address with the one you used in step 2 and replace the password with your own. For example, if your email id was “my.email.id@gmail.com” and you password was “mystrongpassword”, then the 16th line  would look like:

server.login('my.email.id@gmail.com', 'mystrongpassword')

4. Next, in line 17,  if your csv file is named something else, say “data.csv“, then change the code so that it would look like:

email_data = csv.reader(open('data.csv', 'rb'))

5. Now, in your csv file, you will have may have many column. The one I used has two column. Open your csv file using a text editor and count from the left to find out in which column there is the email address. Now subtract 1 from that. For example, if you csv file has the email addresses in the fourth column then you will subtract 1 from that and get 3. Now, replace the index of the row list (the number in between [  ] ) in line 20, 22 and 24 like so:

if( email_pattern.search(row[3]) ):

and

msg['To'] = row[3]

and

server.sendmail('test@gmail.com', [row[3]], msg.as_string())

And that completes the configuration. Now, you don’t have to sit long hours sending all that email!

Points To Note:

1. Keep in mind that using a gmail account is somewhat restrictive. You can only send 500 email/24 hours. For this purpose, I suppose you can make 2 – 3 accounts. To know about any other restrictions, you can always search online.

2. If you want to add attachments, I would suggest that you upload the attachment to some file sharing website like mediafire and provide the link in the email. It is possible to add attachments by adding some extra code but it would generally take more time as then the code will have to send the attachment to every email.

3. Also note that if there is an error in sending the mail, it will bounce back to your own email address.

Okay then. That will be it for now. If you have any question, feel free to post them in the comments section. Also, any opinions are welcome. Please like and share ~_~

Scripting in Linux – Writing scripts

In the previous two posts, I covered the basics of shell scripting. Here are the links:

1. Scripting in Linux
2. Scripting in Linux – Part 2

Today, we’ll use that knowledge to write a few scripts, understand their operation, and, most importantly, get you started with writing scripts on your own.

Script 1: Downloading files from a server
In this example, we’ll write a script that reduces your work when you have to download multiple files from a server. There are some prerequisites though:

• You must have a direct download link to the file.
• There must be some kind of a sequence in the remaining download links.

These conditions are usually satisfied. As an example, the other day I had to download a manga. The images hosted on the website’s server were something like:

http://c.mfcdn.net/store/manga/106/65-668.0/compressed/u001.jpg

The number coloured in red changed for every page and for every page it corresponded to the page number. Now for the script:

#!/bin/bash
echo "At what page number do you wish to begin?"
read firstpage

echo ""
echo "At what page number do you wish to finish? "
read lastpage

cd ~/Desktop/manga/

for(( i=firstpage; i<=lastpage; i++))
    do
    if [ "$i" -lt 10 ]
    then
        url="http://c.mfcdn.net/store/manga/106/65-668.0/compressed/u00"$a".jpg"
    else
        url="http://c.mfcdn.net/store/manga/106/65-668.0/compressed/u0"$a".jpg"
    fi
        wget -U Mozilla $url
    done

echo ""
echo "Complete!"

Explanation:
The first couple of lines just get the starting and beginning page numbers. In the line number 9, we change our current directory to the folder in which we want to keep our files. Then follows a loop. The loop itself just loops over numbers starting from firstpage and ending at lastpage.

The condition inside the loop is for a different reason. If you look at the url closely, you’ll see that if the page number is less than 10, we have to put the page number by adding a zero in front of the page number. The condition checks whether the page number is less than 10, and, if it is, then, a url with the ‘extra’ zero is saved into the variable called url. In case the number is greater than 10, then there is no need for that extra zero.

Then, in line 19, we have used the inbuilt wget command. The options -U Mozilla ‘disguises’ the wget utility as Mozilla Firefox to the website’s server. And voila! You’re done.

I’ll keep adding more scripts here whenever I come across something useful. So, you can come back and check this page periodically. Also, please share this post on facebook if possible.

Scripting in Linux – Part 2

In my last post we discussed what scripts are and how they make your life easier. We also saw a how to get a script up and running within no time.

Today, we’ll use that knowledge to tackle something more than a ‘Hello World’ example 🙂

We’ll start with variables in bash (the terminal). Note that the shell need not be bash. Anyway, first are the system variables. They are named in all capital alphabets. Examples would be PATH, BASH, HOME, USERNAME etc. Go here for a full list. These variables are maintained by Linux itself.

To access the value of any one of them, open the terminal (ctrl+alt+t) and type, for example, echo $PATH and hit the return key. You’ll see something like this:

/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

These are the paths in your root directory that the OS looks in when you open a certain program.

Anyway, moving on to user defined variables. These variables are defined and initialized by you – the user. The general format is as follows:

var_name=value

Note that there are no spaces on either side of the = sign. That’s required. Unlike most of the programming languages that allow spaces, shell doesn’t. Also, there are some naming conventions. Variable name must begin with Alphanumeric character or underscore character (_), followed by one or more Alphanumeric character.

Now, you can define variables. Now, we’ll move on to accepting input from the user. For this, the following syntax is used:

read var_name

So, for example, if you want the user to enter a number, you could use:

echo "Enter Number"
read number

Now we can move on to conditions and looping.
Conditions
The if condition:
Syntax

if condition
then
    statement1
    statement2
    ....
fi

Note: Unlike programming languages where a non negative value evaluates to true and a 0 value evaluates to false, in shell, it’s just the opposite.

Boolean Value	Programming languages	Linux Shell
True	Non – Zero	0
False	0	Non – Zero

The conditions are a bit different compared to programming languages.
For comparing integers:

Expression in programming lang	Usage in shell	Example
==	-eq	if [ 5 -eq 6 ]
!=	-ne	if [ 5 -ne 6 ]
<	-lt	if [ 5 -lt 6 ]
>	-gt	if [ 5 -gt 6 ]
<=	-le	if [ 5 -le 6 ]
>=	-ge	if [ 5 -ge 6 ]

For strings, we have following expressions:

Condition	Usage in shell	Example
Strings are equal	=	if [ “$str1” = “$srt2” ]
Strings are unequal	!=	if [ “$str1” != “$srt2” ]

And yes, that’s a single equals sign, not a ‘==’.
Similarly, we can have if-then-else style conditions:
Syntax

if condition
then
    statement1
    statement2
    ....
else
    statement3
    statement4
    ....
fi

Also, we can have multiple conditions checked using elif in between then and else blocks. See here
Also, note that the condition used here is provided in square brackets and the variables are put in double quotes
Now, we’ll move on to loops.

Loops:
The for loop:
Syntax:
Fortunately, the for loops executes just as a for loop in C/C++

for (( initialization; condition; counter ))
do
.....
.....
repeat all statements between do and done until condition is TRUE
done

Here, the condition is also the of the same type as used in C/C++ and Java etc.
Also, there’s another type of loop that can be used which is more python oriented:
Syntax:

for {variable name} in {list}
do
.....
.....
done

As an example

for i in {0..10..2}
do
.....
.....
done

Here the list is constructed similar to the range function in python. In this example, the list will be { 0, 2, 4, 6, 8 }.

The while loop:
Syntax

while [ condition ]
do
statement1
statement2
statement3
....
....
done

Note:Here the condition used is similar to that used with the ‘if’ condition.
As an example, to print numbers from 1 to 10:

count=1
while [ "$count" -le 10 ]
do
echo -e "$count \n"
count=$[count + 1]
done

The echo -e represents that the echo command will interpret the ‘\n’ as a new line character.
In the fifth line, where we have performed the increment in counter. To know more about shell arithmetic, see this page.

Okay. So, that will be it for today. In the next part, we’ll see some real world examples of using scripts. Go here for the next part.

Scripting in Linux

Using scripts in Linux to simplify tasks

Okay. So, officially, this is my second post. Today, I will show you how to use scripts in a Linux environment to simplify (and do more) with many repetitive tasks.
As a first thing, I’d like to tell what scripts are.
Scripts are small programs written for automating tasks which could alternatively be performed by a human in a step by step manner.
Enough with the formalities. So, where can you use scripts? Well, let’s see. The other day I needed to download a couple of pictures (more like 500 pictures) from a certain website. The website supported online viewing of the images but they did not support downloading the images. Of course you could save the images one by one but you wouldn’t want that now, would you? So, what do I do? That’s right. I use a script for pulling the images off the website’s server 🙂
Similarly, you can have a situation where you have a folder full of files whose names start with ‘Copy of’. Such as – ‘Copy of xyz.mp3’. Now, that’s not pleasing to the eye at all. Here also, you can use a bit of advanced scripting to rename all files such that the ‘Copy of’ part is removed.
Okay. Now to work. We’ll start with an example and work out the steps as we move along. Make a file. Call it script.sh and then type in the following content in it.

#!/bin/bash
echo "Hello World!"

Now comes the analysis part. The first line is what is called a shebang. Now don’t laugh. That’s what it is called. This lines tells Linux where to look for the program that executes this script. The next line, as you would’ve guessed by now, prints to the screen.
Note: It is possible to write this output to a file rather than your screen since Linux considers the screen also as a file. More on this later
Now change the permission of the file so that it becomes executable. For this, open the terminal (Ctrl+alt+t) and navigate to the folder containing the file and enter:

chmod 755 script.sh

This sets the permission to read-write-execute for the user and to read-execute for all other users. Alternatively, you could right-click the file and go to properties and change the permission to make it executable.
Now, navigate to the folder containing the file and in the terminal enter:

./script.sh

You should see a hello world message!
That’s it for the time being. Come back later as we tackle something more complex. Go here for part 2.