Archive

Posts Tagged ‘browser’

Installing Tor Client on Ubuntu

May 31st, 2014 No comments

The use of Tor software to hide your network activity occasionally comes up in the main stream news media as being only for illegal purposes such as drugs or pornography. There are however many instances where individuals or groups rely upon their activity being hidden from prying eyes. Examples are… Journalists, politicians and even common citizens that don’t want to have their personal information gathered and shared/sold.

Installing the client software is easy for most platforms. You can download and verify the signatures from the Tor website to be absolutely certain. If you trust the maintainers of the Ubuntu PPA’s or other compilations, you can also do so… (with appropriate precautions):

INSTALLATION:

sudo add-apt-repository ppa:webupd8team/tor-browser
sudo apt-get update
sudo apt-get install tor-browser

REFERENCES:

Comcast Business Class gateway forwarding port 22 for SSH

March 13th, 2014 No comments

For as long as I’ve had Comcast, and other providers for that matter, I’ve been able to configure my internet gateway/router to allow port 22 (SSH) access to an internal machine. It came as a surprise to me earlier this week that I was blocked when I tried to use their web admin console to change the internal forwarding to a newer machine. As usual, Technical Support was less that helpful and said that it was not possible to do so, and never should have been as Comcast uses that port to administer the gateway. To make matters more disturbing, I was told that I could not have similar SSH access to the gateway, and that replacing their hardware, while permitted, would prevent my use of a static IP.

Back to the solution, as I know that I had only setup this forwarding about a year ago, and it was working only minutes before I tried to change it, I knew that the configuration was possible if I could figure out how it was being blocked. The message in the web console was a javascript alert(); and gave me a starting point. I opened up Firefox and used Firebug to look for the message. Here are a few interesting findings from:

http://HOSTNAME/user/feat-firewall-port-forward-edit.asp

var RemoteManagementPortsCgiBase = “8080,8080,1\|8181,8181,1\|2323,2323,1\|22,22,1\|”;

msg += “Public Port Range conflict with Remote Management Ports.\n”;

if (msg.length > 1)
{
alert(msg);
return false;
}
return true;
}

If you even a little bit of javascript (or simple computer programming for that matter), the solution is clear…. if the ‘msg’ value is empty you will not see the alert or be prevented from making the change you desire.

Lesson to be learned by the Comcast developers (or most likely = subcontractors), always validate submitted form data in your application code, NEVER rely upon javascript alone to verify user entered data!

I also find it interesting that they are also preventing 8080, 8081 and 2323… perhaps that’s their other back doors in these gateways for their access. The same approach should work for those ports if you need it!

HTC/.htc files

January 12th, 2014 No comments

What is it? Internet Explorer 5-9 introduced behaviors. Behaviors are a way to add behaviors to XML (or HTML) elements with the use of CSS styles.

Why avoid it? The behavior attribute is only supported by Internet Explorer.

What to use instead? Use JavaScript and XML DOM (or HTML DOM) instead

MSIE 5-9 support a scripting (VBScript/JScript) technology called HTML Components (HTCs) to aid in DHTML behaviors. Support was dropped in MSIE 10, you will have to force the browser into MSIE 9 compatibility to use these.

Mozilla? it has a similar proprietary implementation.
http://dean.edwards.name/moz-behaviors/

Included CSS style:

<style type="text/css">
h1 { behavior: url(example.htc) }
</style>

Inline CSS style:

<p style="behavior:url(hilite.htc)">Hello World</p>

Apache MIME Type:

AddType text/x-component .htc

REFERENCES:

HTA/.hta files

January 11th, 2014 No comments

HTA/.hta files are a technology that Microsoft implemented in it’s browsers MSIE 5-9 to support rich web applications, MSIE 10 and newer do not implement it and must be forced into MSIE 9 compatibility mode.

Most often HTA was/is used to hide the browser controls (chrome) from the user to provide dialog windows.

EXAMPLE:

<html>
<head>
<meta http-equiv="x-ua-compatible" content="ie=9" />
<!-- does not work in 10 or above, so force it back down -->
<hta:application id="example"
applicationname="example"
border="1"
caption="no"
icon="icon.ico"
navigable="no"
scroll="no"
showintaskbar="no"
singleinstance="yes"
sysmenu="no"
windowstate="normal">
</hta:application>
</head>
</html>

Apache MIME Type:

AddType application/hta .hta

REFERENCES:

Hiding Firebug Lite controls in browser

January 5th, 2014 Comments off

I started getting extremely tired of the FireBug Lite overlaying content in some of my legacy websites. By taking a look at the markup it was adding, I found a quick and easy way to hide it for most users.

Adding the following to one of your CSS files should do the trick…


/* Begin hide FireBug Lite */
#jsConsole,
#jsConsoleShowSourceButton,
#jsConsoleHideSourceButton,
#jsConsoleShowConsoleButton,
#jsConsoleHideConsoleButton { display:none; }
/* End hide FireBug Lite */

NOTE: I have not yet confirmed, but this approach should work in other browsers such as MSIE, Chromium and Safari that also may use FireBug Lite.

Content-Security-Policy HTTP Header

July 19th, 2013 No comments

There’s yet another new means to ‘help’ client User-Agents with preventing XSS on your websites.

In it’s simplest form you can simply use the following HTTP Header(s), the second one is for earlier versions of Webkit (Chrome/Safari):

Content-Security-Policy: default-src 'self'
Webkit-CSP: default-src 'self'

You can also add to the above to permit assets to load from other sources.
For example, if you were to permit javascript files from example.com you could include:

Content-Security-Policy: default-src 'self'; script-src http://example.com

Additionally, while failures are noted in the client’s browser console (that most users are not aware of), you can have them sent back to your server by adding a ‘report-uri’ attribute with an appropriate handler:

Content-Security-Policy: default-src 'self'; report-uri http://example.com/csp-report.php

REFERENCES:

Device Fingerprinting

July 16th, 2013 No comments

Often it can be beneficial to ‘more’ uniquely identify your users. For applications this is trivial, but in a web browser this can be accomplished via only a few attributes.

  • HTTP – User-Agent, IP Address, Content types and languages accepted.
  • HTTPS/SSL – the keys and encryption methods available to a specific user may vary for each client configuration.
  • HTML5 – local storage and capabilities supported.
  • Geolocation – this is included in HTML5, but also supported in many clients without full HTML5 support, or via browser extensions.
  • JavaScript – Installed version – and many DOM attributes/capabilities such as timezone, installed plugins, screen sizes and fonts from the browser can be detected.
  • Java (Applet) – Installed version – this can often be used to get additional information regarding the client system directly from the VM or Operating System itself. (* Persistent Cookies possible)
  • Flash – Installed version – this can often be used to get additional information regarding the client system directly from the Operating System itself. (* Persistent Cookies possible)
  • Silverlight (for Microsoft Windows) – – Installed version and additional information from Operating System?
  • GoogleGEARS (deprecated) – Installed version and additional information from Operating System such as Geolocation

REFERENCES:

HTML5 speech input

July 12th, 2013 No comments

Adding speech input to your webapp is much easier than it might first seem.
This is part of the proposed HTML5 enhancements to FORMS and is already implmented in some browsers.

Google Chrome (WebKit 534.24) added this in version 11 in April 2011.

XHTML compatible example:
<input type="text" x-webkit-speech="x-webkit-speech" speech="speech" value="" />

NOTE:
In this example, ‘x-webkit-speech’ is the proprietary attribute used by Google Chrome (WebKit). ‘speech’ is the expected HTML5 attribute when it is finalized.

REFERENCES:

Automatically update Java on Ubuntu Linux

June 19th, 2013 No comments

With the rate of updates and security patches for Java, administration of your Ubuntu machines can become tedious. There’s a better way… allow it to check for and update with your other software. The steps are easy…


sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java7-installer

NOTE: The Java Control Panel can sometimes be hard to locate, it will be at the following:
/usr/lib/jvm/java-7-oracle/bin/ControlPanel

REFERENCES:

CSS Cursors

December 9th, 2012 No comments

The use of CSS cursors within your browser based application or website is a great way to add feedback to the user to increase usability. This is increasingly important for AJAX applications that may be “busy” even when the user is not directly taking action within their browser.

These are all easily appended to classes in your CSS files:

  • default
  • auto
  • inherit
  • pointer
  • crosshair
  • text
  • help
  • move
  • progress
  • wait
  • e-resize
  • ne-resize
  • n-resize
  • nw-resize
  • w-resize
  • sw-resize
  • s-resize
  • se-resize

Partial (CSS3) support in current browsers:

  • none
  • all-scroll
  • context-menu
  • cell
  • vertical-text
  • alias
  • copy
  • no-drop
  • not-allowed
  • col-resize
  • row-resize
  • ew-resize
  • ns-resize
  • nesw-resize
  • nwse-resize

NOTE: for very old browser, you can also set several attributes to allow for the supported one to be used.

.example {
cursor:hand;/* IE5-IE5.5 only support (dropped in IE9) */
cursor:pointer; /* IE6 and later */
}

REFERENCES: