Sunday, October 31, 2010

Java Annotations

One of the coolest things that Java lets you do is add annotations to classes and methods.
This feature can be extremely useful, for example to build your own unit tests or something else.

The interface is where you define your annotation.



And in your class.



Output

Annotation class Main
name: Something
Version: This is a annotation

Uri Scheme

In this post I will cover one of the coolest features that modern browsers support nowadays: URI schemes. There are a lot of schemes out there: browser custom schemes (about:something), protocol schemes (mailto:something@something.com?subject=Hello&body=Hello), and of course data schemes.

In this post I will only talk about data schemes.

Data schemes are organized like this:

data:{type of the data};{encode},{data}

In the type of data you can use various types of data, such as:
text/html
application/javascript (text/javascript was deprecated)
image/png
etc.

These types are defined as Internet media types.

It's time to make some magic.
Put this in your browser:
data:image/gif;base64,R0lGODlhLQAwAPAAAAAAAFVVVSH5BAAHAAAALAAAAAAtADAAAAJxTGB4yesKW3y0ziszxVbzb3hiR2JgOYLnmmotCpsvG9c2Pec1zbf9PdL9VMLixjhsIJeLJPD4dCqY0ijVip1ml1Vr13n1hntf47hYBqZ/Z3Wbtda9c/HdHHaH50V13Fb8R7ZHMkgUSFfocui2qNf4UgAAOw==



You should see an image now!
OK, this is the thing: the simple fact is that you can store data in just a web page.

Now, the question is: how can we make this feature useful for us? JavaScript/HTML injection!

So let's test something. Put this in your browser:

data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%55%52%49%20%73%63%68%65%6D%65%73%21%22%29%3C%2F%73%63%72%69%70%74%3E


Boom!

Now let's make this even more fun! Let's encode the JavaScript to make it less perceptible.

JavaScript encoded + base64
data:text/html;base64,PHNjcmlwdD52YXIgXzB4NGMxOT1bIlx4NTVceDcyXHg2OVx4MjBceDUzXHg2M1x4NjhceDY1XHg2RFx4NjVceDczXHgyMFx4MkZceDIwXHg0NVx4NkVceDYzXHg2Rlx4NjRceDY1XHg2NCJdO2Z1bmN0aW9uIE1zZ0JveChfMHg4OTExeDIpe2FsZXJ0KF8weDg5MTF4Mik7fSA7TXNnQm94KF8weDRjMTlbMF0pOzwvc2NyaXB0Pg==

Works!
This can be done with all available content types, so be creative.
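A defender's view of the format above, as an added example that is not part of the original post: a Node.js helper that splits a data: URI into the fields shown earlier, decodes the payload, and expands \x escapes so that encoded script becomes readable during filtering or log review. The function names and the list of active media types are assumptions of this example.

```javascript
// Media types that a browser renders or executes as active content (assumed list).
const ACTIVE_TYPES = new Set(['text/html', 'application/xhtml+xml',
  'image/svg+xml', 'application/javascript', 'text/javascript']);

// Split data:{type};{encode},{data} and decode the payload to text.
function parseDataUri(uri) {
  const m = /^data:([^,]*),(.*)$/is.exec(uri.trim());
  if (!m) return null;                              // not a data: URI
  const params = m[1].split(';').map((s) => s.trim().toLowerCase());
  const isBase64 = params.includes('base64');
  // RFC 2397: an omitted media type means text/plain.
  const mediaType = params[0].includes('/') ? params[0] : 'text/plain';
  let data = m[2];
  try {
    data = decodeURIComponent(data);                // undo %XX escapes
  } catch (e) { /* malformed escape: keep the raw text */ }
  const body = isBase64 ? Buffer.from(data, 'base64').toString('utf8') : data;
  return { mediaType, isBase64, body };
}

// Expand \xNN and \uNNNN string escapes so obfuscated literals become readable.
function revealEscapes(text) {
  return text.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Summarize what a data: URI would hand to the browser.
function inspectDataUri(uri) {
  const p = parseDataUri(uri);
  if (!p) return null;
  const revealed = revealEscapes(p.body);
  return {
    mediaType: p.mediaType,
    isBase64: p.isBase64,
    active: ACTIVE_TYPES.has(p.mediaType),
    hasScript: /<script\b|\bon\w+\s*=|javascript:/i.test(revealed),
    revealed,
  };
}

// The two text/html URIs from the post, unchanged.
const PERCENT_SAMPLE = 'data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%55%52%49%20%73%63%68%65%6D%65%73%21%22%29%3C%2F%73%63%72%69%70%74%3E';
const BASE64_SAMPLE = 'data:text/html;base64,PHNjcmlwdD52YXIgXzB4NGMxOT1bIlx4NTVceDcyXHg2OVx4MjBceDUzXHg2M1x4NjhceDY1XHg2RFx4NjVceDczXHgyMFx4MkZceDIwXHg0NVx4NkVceDYzXHg2Rlx4NjRceDY1XHg2NCJdO2Z1bmN0aW9uIE1zZ0JveChfMHg4OTExeDIpe2FsZXJ0KF8weDg5MTF4Mik7fSA7TXNnQm94KF8weDRjMTlbMF0pOzwvc2NyaXB0Pg==';

for (const uri of [PERCENT_SAMPLE, BASE64_SAMPLE]) {
  console.log(inspectDataUri(uri));
}
```

Both samples come back as active text/html carrying a script element, and the base64 one has its hex-escaped string literal expanded to plain text.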

Hope you have learned something!

These sites could be useful for you for further research:

Base64 online encoder - http://www.motobit.com/util/base64-decoder-encoder.asp
XSS - http://ha.ckers.org/xss.html
Internet media types - http://en.wikipedia.org/wiki/Internet_media_type
Data URI Scheme - http://en.wikipedia.org/wiki/Data:_URI_scheme
URI Scheme - http://en.wikipedia.org/wiki/URI_scheme

Link Spoof

This is just a little trick to redirect a link.

<a href="http://google.com" onclick="this.href='http://yahoo.com'">Spoof link should go to google</a>

Normally this link would lead us to google.com, but this is not a normal link: it will redirect you to yahoo.com. This is the "this" magic.

Works on IE, Firefox, Chrome, Opera.

Hope you have learned something!