Archive for June 2012
7 most important things HTML beginners must consider
When you start learning coding and web designing in HTML, you basically begin with normal HTML markup. Laying out a page, adding colors, buttons, images etc are just the basic part you never skip to design your page.
But being a beginner you must know that no matter how basic your code is it can still have some uninvited errors. There are certain important things that you must consider to make your coding valid and capable to view in any browser window.
Let’s discuss what those 7 things are.
Make your code human readable
Because you are a HTML beginner, you are never going to use any HTML editing software like Dreamweaver, FrontPage, etc. are you? You literally start with a NOTEPAD or similar text editor and start coding but have you ever thought that you need revise your HTML markup sometime?
In the image below can you easily find the parent tag or its order?
The answer to the question is probably no if you are a beginner. Because such type of coding is just easily readable by the browser not the user. You must make it clearly readable by yourself so that you can easily find the section you are looking for in future modification.
Though the HTML tags are enclosed in “<” and “>” our brain cannot easily distinguish it from other character easily in such a huge crowd. Instead you can use CAPITAL LETTERS to rectify the HTML tag out of the web contents.
Look how the tags are distinguishable from the text contents.
Other thing you can do is make a tree order so that you can easily find the parent or child of the tag easily. This can be done by leaving some space from the right. See the example image below for more clarification.
This trick will make you easy to edit and look for the exact tag when necessary.
Using of HTML comments wisely
It is not much necessary to use HTML comments because, HTML comments are for users and browser doesn’t render it in its window. The necessity of HTML comments rises when your HTML markup goes more complex and complex. In such case using of HTML comments is necessary. As we’ve already discussed about human readability of the code in first step.
The HTML comments start with “<!--" and ends in “-->” everything between the start and end code is not rendered in browser screen but you can easily find the it in it’s source.
Always close the tag
I understand you know this fact, but when the codes get complicated with larger contents and lots of inner divisions and blocks you’ll get confused in the middle of the path. Basically, when you view the HTML page that have unknown incomplete tags, the contents will be visible with no errors. But incase if you have added some CSS styling and tables to your web design layout you’ll probably have lots of error and fault in proper rendering in such unknown incomplete tags. Therefore ending a tag is most important thing.
Even though you are aware about it you miss to close the tag because we cannot always remember which tag was opened first and which was at last. But there is a trick (or say tips) that you can apply to have your HTML tags complete one.
Whenever you begin for a new HTML tag, close it immediately after the opening of tag.
For example, look at the sample coding below. The <BODY> tag is closed instantly after it’s opening.
Then you can start filling the contents and other sub tags inside it.
Always provide alternate text for the image
This trick though won’t affect your coding, user readability or browser render-ability, it is recommended that you use alternate tags.
<img src=”image.jpg” />
The above tag renders a image file named image.jpg from the specified source. But incase if you don’t have the image in specified location or mistakenly deleted the image file it will render nothing (in some browser it will show image icon or red cross icon).
Remember how important the image can be to the web page visitor. To understand your contents, S/he must know what the image was about. You must use alternet text what will show up when browser is unable to locate your image file. This will at least give the imaginative picture of the unknown image.
<img src=”image.jpg” alt=”Image showing a couple kissing each other” />
Proper sequence of Headers
H1 is the first and largest header of your HTML document. If you use header (H1, H2, H3) tags you must use it in sequence. For example, <H1> must be preceeded by <H2> or <H3> or <H4> but they must not be parented under smaller header see the image below.
But this one is not right because, lower header must not parent larger header. Though this won’t show any error it is not considered as good method.
Moreover parenting headers is not recommended even it is acceptable and can be rendered properly.
Use of block and inline HTML elements
You must understand the meaning of block and inline HTML elements. Usually a HTML element can be a block or inline element. The block element is like a box that can contain other contents inside it. The inline elements doesn’t have box wrapped around it and only occupies the space that its contents have. While block element occupies as much space as it is capable of until the size or width is specified.
<DIV> is literally a block element while <SPAN>, <STRONG>, <EM>, <I>, etc are inline elements. <DIV> inside <SPAN> is not recommended but you can use as many <SPAN> as you can inside <DIV>.
Seventh? What can be the seventh one? Comment here.
Tag :
Internet Tricks,
P.C. Tricks
Sign In With Multiple Emails In Google Plus
You might have already joined Google Plus, if not you can get one invitation from us. Google Plus is up with great features which makes the users to use it frequently. As we know Google already announced that we can Sign in to Google accounts with multiple emails. So, we can also use multiple emails to sign in to Google Plus.Lets see how we can do it.
Step 1
Log in to Google Plus and click your name containing at the top right side of the page. Click Account settings option.
Step 2
In the Security, you'll see Multiple sign-in. Click 'Edit' link just next to it. In the next screen choose 'On' option and check all the required that will make you sure how to use multiple sign in feature (see below).
Click save button.
Step 3
Now again, at the top right side of the page. Click your name and click Switch account > Sign in to another account...
No finally you can enter you username and password of your existing Gmail email. After all, you can switch to multiple accounts. See below.
Finally you are done and enjoy using Google Plus. If you know more tricks about Google plus then kindly share it via comment below.
Tag :
Google,
Internet Tricks
The best hacking tools collection
Here, i have collect some best hacking tools for you. That are listed below:
Nessus
The “Nessus” Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner for Linux, BSD, Solaris, and other flavors of Unix.
Ethereal
Ethereal is a free network protocol analyzer for Unix and Windows. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
Snort
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
Netcat
Netcat has been dubbed the network swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol
TCPdump
TCPdump is the most used network sniffer/analyzer for UNIX. TCPTrace analyzes the dump file format generated by TCPdump and other applications.
Hping
Hping is a command-line oriented TCP/IP packet assembler/analyzer, kind of like the “ping” program (but with a lot of extensions).
DNSiff
DNSiff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).
GFI LANguard
GFI LANguard Network Security Scanner (N.S.S.) automatically scans your entire network, IP by IP, and plays the devil’s advocate alerting you to security vulnerabilities.
Ettercap
>Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones)and includes many feature for network and host analysis.
Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 2500 potentially dangerous files/CGIs, versions on over 375 servers, and version specific problems on over 230 servers.
John the Ripper
John the Ripper is a fast password cracker, currently available for many flavors of Unix.
OpenSSH
OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools, which encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
TripWire
Tripwire is a tool that can be used for data and program integrity assurance.
Kismet
Kismet is an 802.11 wireless network sniffer – this is different from a normal network sniffer (such as Ethereal or tcpdump) because it separates and identifies different wireless networks in the area.
NetFilter
NetFilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT) and other packetmangling.
IP Filter
IP Filter is a software package that can be used to provide network address translation (NAT) or firewall services.
pf
OpenBSD Packet Filter
fport
fport identifys all open TCP/IP and UDP ports and maps them to the owning application.
SAINT
SAINT network vulnerability assessment scanner detects vulnerabilities in your network’s security before they can be exploited.
OpenPGP
OpenPGP is a non-proprietary protocol for encrypting email using public key cryptography. It is based on PGP as originally developed by Phil Zimmermann.
Update:
Metasploit
Metasploit provides useful information to people who perform penetration testing, IDS signature development, and exploit research. This project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only.
Fast-track
Fast-Track is a python based open source security tool aimed at helping penetration testers conduct highly advanced and time consuming attacks in a more methodical and automated way. Fast-Track is now included in Backtrack version 3 onwards under the Backtrack --> Penetration category. In this talk given at Shmoocon 2009, the author of Fast-Track Dave Kennedy runs us through a primer on the tool and demonstrates 7 different scenarios in which he breaks into systems using the Fast-Track tool. These scenarios include automated SQL injection, MSSQL brute forcing, Query string pwnage, Exploit rewrite, Destroying the Client and Autopwnage.
If you know more, share with me via comment:)
Nessus
The “Nessus” Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner for Linux, BSD, Solaris, and other flavors of Unix.
Ethereal
Ethereal is a free network protocol analyzer for Unix and Windows. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
Snort
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
Netcat
Netcat has been dubbed the network swiss army knife. It is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol
TCPdump
TCPdump is the most used network sniffer/analyzer for UNIX. TCPTrace analyzes the dump file format generated by TCPdump and other applications.
Hping
Hping is a command-line oriented TCP/IP packet assembler/analyzer, kind of like the “ping” program (but with a lot of extensions).
DNSiff
DNSiff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).
GFI LANguard
GFI LANguard Network Security Scanner (N.S.S.) automatically scans your entire network, IP by IP, and plays the devil’s advocate alerting you to security vulnerabilities.
Ettercap
>Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones)and includes many feature for network and host analysis.
Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 2500 potentially dangerous files/CGIs, versions on over 375 servers, and version specific problems on over 230 servers.
John the Ripper
John the Ripper is a fast password cracker, currently available for many flavors of Unix.
OpenSSH
OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools, which encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
TripWire
Tripwire is a tool that can be used for data and program integrity assurance.
Kismet
Kismet is an 802.11 wireless network sniffer – this is different from a normal network sniffer (such as Ethereal or tcpdump) because it separates and identifies different wireless networks in the area.
NetFilter
NetFilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT) and other packetmangling.
IP Filter
IP Filter is a software package that can be used to provide network address translation (NAT) or firewall services.
pf
OpenBSD Packet Filter
fport
fport identifys all open TCP/IP and UDP ports and maps them to the owning application.
SAINT
SAINT network vulnerability assessment scanner detects vulnerabilities in your network’s security before they can be exploited.
OpenPGP
OpenPGP is a non-proprietary protocol for encrypting email using public key cryptography. It is based on PGP as originally developed by Phil Zimmermann.
Update:
Metasploit
Metasploit provides useful information to people who perform penetration testing, IDS signature development, and exploit research. This project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only.
Fast-track
Fast-Track is a python based open source security tool aimed at helping penetration testers conduct highly advanced and time consuming attacks in a more methodical and automated way. Fast-Track is now included in Backtrack version 3 onwards under the Backtrack --> Penetration category. In this talk given at Shmoocon 2009, the author of Fast-Track Dave Kennedy runs us through a primer on the tool and demonstrates 7 different scenarios in which he breaks into systems using the Fast-Track tool. These scenarios include automated SQL injection, MSSQL brute forcing, Query string pwnage, Exploit rewrite, Destroying the Client and Autopwnage.
If you know more, share with me via comment:)
Tag :
Hacking,
Internet Tricks
Google & Facebook launches URL shortner: goo.gl & fb.me
People share a lot of links online. This is particularly true as microblogging services such as Twitter have grown in popularity. If you’re not familiar with them, URL shorteners basically squeeze a long URL into fewer characters to make it easier to share with others. With character limits in tweets, status updates and other modes of short form publishing, a shorter URL leaves more room to say what’s on your mind — and that’s why people use them. They said on their blog announcement.
However, there is nothing to to be happy, since Google URL shortener is not a stand-alone service i.e., you can’t use it to shorten links directly. Currently, Google URL Shortener is only available from the Google Toolbar and FeedBurner.
With limited space for tweeting, the URL shortener business has boomed, currently Bit.ly was leading.
Side by side with Google’s URL shortner, Fb.me is also showing up in several tweets. However, it’s unclear how long fb.me has been in operation.
Visit World’s First website
You use Facebook, Google and other web pages everyday. But have you ever visited world’s first website? Let’s recall the history.The main idea of World Wide Web (WWW) was proposed 2 decades ago in March 1989 by Tim Berners-Lee. It was written to persuade CERN that a global hypertext system was in CERN’s best interest. The term World Wide Web was never thought and mentioned in his proposal, rather it was called Mesh. The term WWW was coined only when he was writing the code in 1990.
Finally he finished is codding for WWW in 1990 based on his proposal, along with the standards for HTML, HTTP, and URLs.
It was 1991 when the first website ever was created with URL http://info.cern.ch. The first content in the first website was to explain the World Wide Web.
World’s First Web Page
The first web page file name was TheProject.html. And it was actually located at following link:http://info.cern.ch/hypertext/WWW/TheProject.html
However the first web page is not there. But don’t worry you can still browse the world’s first web page here.
If you are interested in reading Tim’s proposal, you can still read it here.
Tag :
Google,
Internet Tricks
Can You Hack Your Own Site? A Look at Some Essential Security Considerations
Maybe that dastardly style sheet just won’t cascade elegantly on browser X. An incomplete comment chucks out some broken mark-up. Maybe you should have persisted those database connections after all. Hey, we all overlook things in the excitement of getting our first version running – but how many of these oversights can we happily stomach, and how many might just leave a bitter taste in ours, and more painfully our client’s mouths…
This article walks through the brainstorming stage of planning for what is in this instance, a hypothetical user-centric web application. Although you won’t be left with a complete project – nor a market ready framework, my hope is that each of you, when faced with future workloads, may muse on the better practices described. So, without further ado…Are you sitting comfortably?
The Example
We’ve been asked by our client to incorporate into an existing site, a book review system. The site already has user accounts, and allows anonymous commentary.
After a quick chat with the client, we have the following specification to implement, and only twenty four hours to do it:
Note: The client’s server is running PHP5, and MySQL – but these details are not critical to understanding the bugbears outlined in this article.
The Processes:
Our client has given us a PHP include to gain access to the database:
We don’t actually need the source to this file to use it. In fact, had the client merely told us where it lived we could have used it with an include statement and the $db variable.
On to authorisation… within the datatable schema we are concerned with the following column names:
- username, varchar(128) – stored as plain text.
- password, varchar(128) – stored as plain text.
Given that we’re working against the clock… let’s write a PHP function as quickly as we can that we can re-use to authenticate our users:
$_REQUEST Variables
In the code above you will notice I’ve highlighted an area amber, and an area red.
Why did I highlight the not-so-dangerous $_REQUEST variables?
Although this doesn’t expose any real danger, what it does allow for is a lax approach when it comes to client side code. PHP has three arrays that most of us use to get our posted data from users, and more often than not we might be tempted to use $_REQUEST. This array conveniently gives our PHP access to the POST and GET variables, but herein lies a potential hang-up…
Consider the following scenario. You write your code client side to use POST requests, but you handover the project while you grab a break – and when you get back, your sidekick has written a couple of GET requests into the project. Everything runs okay – but it shouldn’t.
A little while later, an unsuspecting user types an external link into a comment box, and before you know it, that external site has a dozen username/password combinations in its referrer log.
By referencing the $_POST variables instead of $_REQUEST, we eliminate accidentallypublishing any working code that might reveal a risky GET request.
The same principle applies to session identifiers. If you find you’re writing session variables into URLs, you’re either doing something wrong or you have a very good reason to do so.
SQL Injection
Referring again to the PHP code: the red highlighted line might have leaped out at some of you? For those who didn’t spot the problem, I’ll give you an example and from there see if something strikes you as risky…
This image makes clear the flaw in embedding variables directly into SQL statements. Although it can’t be said exactly what control a malicious user could have – it is guaranteed, if you use this method to string together an SQL statement, your server is barely protected. The example above is dangerous enough on a read-only account; the powers a read/write connection have are only limited by your imagination.
To protect against SQL injection is actually quite easy. Let’s first look at the case of quote enclosed string variables:
The quickest protection is to strip the enclosure characters or escape them. Since PHP 4.3.0 the function mysql_real_escape_string has been available to cleanse incoming strings. The function takes the raw string as a single parameter and returns the string with the volatile characters escaped. However mysql_real_escape_string doesn’t escape all the characters that are valid control characters in SQL… the highlighted elements in the image below shows the techniques I use to sanitise String, Number and Boolean values.
The first highlight, the line that sets $string_b uses a PHP function called addcslashes. This function has been part of PHP since version 4 and as is written in the above example, is my preferred method for SQL string health and safety.
A wealth of information is available in the PHP documentation, but I’ll briefly explain whataddcslashes does and how to it differs to mysql_real_escape_string.
From the diagram above you can see that mysql_real_escape_string doesn’t add slashes to the (%) percent character.
The % is used in SQL LIKE clauses, as well as a few others. It behaves as a wildcard and not a literal character. So it should be escaped by a preceding backslash character in any cases where string literals make up an SQL statement.
The second parameter I pass to addcslashes, which in the image is bold; is the character group PHP will add slashes for. In most cases it will split the string you provide into characters, and then operate on each. It is worth noting, that this character group can also be fed a range of characters, although that is beyond the scope of this article – in the scenarios we’re discussing, we can use alphanumeric characters literally e.g. “abcd1234” and all other characters as either their C-style literal “rnt”, or their ASCII index “x0Ax0Dx09”.
The next highlight makes our number values safe for SQL statements.
This time we don’t want to escape anything, we just want to have nothing but a valid numerical value – be it an integer or floating point.
You might have noticed line 10, and perhaps wondered as to the purpose. A few years ago I worked on a call centre logging system that was using variable += 0; to ensure numerical values. Why this was done, I cannot honestly say… unless prior to PHP 4 that was how we did it?! Maybe somebody reading can shed some light on the subject. Other than that, if you, like I did, come across a line like that in the wild, you’ll know what it’s trying to do.
Moving forward then; lines 11 and 12 are all we need to prepare our numerical input values for SQL. I should say, had the input string $number_i contained any non-numerical characters in front or to the left of the numerical ones… our values $number_a, $number_b and $number_cwould all equals 0.
We’ll use floatval to clean our input numbers; PHP only prints decimal places when they exist in the input value – so printing them into an SQL statement won’t cause any errors if no decimal was in the input. As long as our server code is safe, we can leave the more finicky validating to our client side code.
Before we move on to a final listing for our PHP, we’ll glance at the final code highlight, the Boolean boxing.
Like the C++ equivalent, a Boolean in PHP is really an integer. As in, True + True = Two. There are countless ways to translate an input string to a Boolean type, my personal favourite being:does the lower case string contain the word true?
You each may have you own preferred methods; does the input string explicitly equal “true” or is the input string “1” etcetera… what is important is that the value coming in, whatever it might look like, is represented by a Boolean (or integer) before we use it.
My personal philosophy is simply, if X is true or false, then X is a Boolean. I’ll blissfully write all the code I might need to review later with Booleans and not short, int, tinyint or anything that isn’t Boolean. What happens on the metal isn’t my concern, so what it looks like to a human is far more important.
So, as with numbers and strings, our Booleans are guaranteed safe from the moment we pull them into our script. Moreover our hygienic code doesn’t need additional lines.
Processing HTML
Now that we have our protected our SQL from injections, and we’ve made certain only a POST login can affably work with our script, we are ready to implement our review submission feature.
Our client wants to allow review enabled users to format their contributions as regular HTML. This would seem straightforward enough, but we also know that emails addresses are ten to the penny, and bookstore accounts are created programmatically – so in the better interests of everyone we’ll make sure only the tags we say pass.
Deciding how we check the incoming review might seem daunting. The HTML specification has a rather wholesome array of tags, many of which we’re happy to allow.
As longwinded the task might seem, I eagerly advise everyone – choose what to allow, and never what to deny. Browser and server mark-up languages all adhere to XML like structuring, so we can base our code on the fundamental fact that executable code must be surrounded by, or be part of, angle bracketed tags.
Granted, there are several ways we can achieve the same result. For this article I will describe one possible regular expression pipeline:
These regular expressions won’t produce a flawless output, but in the majority of cases – they should do a near elegant job.
Let’s take a look at the regular expression we’ll be using in our PHP. You’ll notice two arrays have been declared. $safelist_review and $safelist_comment – this is so we can use the same functions to validate reviews and later, comments:
…and here is the main function that we will call to sanitise the review and comment data:
The input parameters, I have highlighted red and blue. $input is the raw data as submitted by the user and $list is a reference to the expression array; $safelist_review or $safelist_commentdepending of course on which type of submission we wish to validate.
The function returns the reformatted version of the submitted data – any tags that don’t pass any of the regular expressions in our chosen list are converted to HTML encoded equivalents. Which in the simplest terms makes < and > into < and > other characters are modified too, but none of these really pose a security threat to our client or the users.
Note: The functions: cleanWhitespace and getTags are included in the article’s source files.
You’d be correct to assume all we have really done is helped survive the aesthetics of our site’s pages, and not done everything to protect the user’s security. There still remains a rather enormous security hole even with the SQL safe, request spoofing cured and mark-up manipulated. The JavaScript injection;
This particular flaw could be fixed by a few more regular expressions, and/or modification to the ones we are already using. Our anchor regular expression only allows “/…”, “h…” and “#…” values as the href attribute – which is really only an example of a solution. Browsers across the board understand a huge variety of script visible attributes, such as onClick, onLoad and so forth.
We have in essence created a thorny problem for ourselves, we wanted to allow HTML – but now we have a near endless list of keywords to strip. There is of course, a less than perfect – but quite quickly written way to do this:
On reflection you’d be absolutely justified in asking, “Why didn’t we just use BBCode or Textile or…?”
Myself, if I were dealing with mark-up processing, I might even go for XML walking. After all the incoming data should be valid XML.
However, this article is not meant to teach us how to regex, how to PHP or how to write anything in one particular language. The rationale behind it simply being, don’t leave any doors ajar.
So let’s finish off then; with quick review of what we’ve looked at:
Although this article hasn’t equipped you with any off the shelf project. A primary purpose of my writing was not to scare away the designers who code, or nitpick the work of coders anywhere – but to encourage everyone to author robust code from the off. That said, I do plan to revisit certain elements of this article in more detail later.
Until then, safe coding!
Tag :
Hacking,
Internet Tricks
