From 72c1b072cc6c37e28670c362a80c0a510e50aed2 Mon Sep 17 00:00:00 2001 From: Jonathan Hodgson Date: Mon, 25 Oct 2021 16:10:54 +0100 Subject: [PATCH] Content --- .gitignore | 2 + build.sh | 36 +++- content/blog/013-writing-prose-in-vim.md | 175 ++++++++++++++++++ .../blog/014-xss-through-referer-header.md | 140 ++++++++++++++ content/other-stuff-you-might-like.md | 30 +-- 5 files changed, 360 insertions(+), 23 deletions(-) create mode 100644 content/blog/013-writing-prose-in-vim.md create mode 100644 content/blog/014-xss-through-referer-header.md diff --git a/.gitignore b/.gitignore index 1f99a0d..0f0679b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,6 @@ generated-template-parts public_html +public_gemini tmp assets/css/main.min.css +xxx-* diff --git a/build.sh b/build.sh index fbad021..f353979 100755 --- a/build.sh +++ b/build.sh @@ -12,7 +12,11 @@ blog(){ find content/ -type f -name '*.md' $newer | while read file; do newFileName=$(getBlogSlug "$file") mkdir -p "public_html/${newFileName%/*}" + mkdir -p "public_gemini/${newFileName%/*}" pandoc --template=templates/blog.html -f markdown -t html5 -M comments "$file" > "public_html/$newFileName" + local info="$(sed -n '/---/,/---/p' "$file" | sed '/^$/,$d' | sed -n '1,/---/p' | sed '/^---$/d')" + local title="$(echo "$info" | yq -r .title)" + echo "# $title" | cat - "$file" | sed '/^---/,/^---/d' | md2gemini --link at-end > "public_gemini/${newFileName%.*}.gmi" done touch tmp/lastBlogUpdate } @@ -42,6 +46,10 @@ makeIntro(){

$description

Read More

" > "$output" + echo "=> ${slug%.*}.gmi $title + $date +$description + " > "${output%.*}.gmi" echo " <![CDATA[$title]]> @@ -59,7 +67,11 @@ getIntro(){ if [ "$2" = "rss" ]; then local output="tmp/rss/$file" fi - makeIntro "$file" + + if [ "$2" = "gmi" ]; then + local output="tmp/intros/${file%.*}.gmi" + fi + #makeIntro "$file" cat "$output" } @@ -70,9 +82,9 @@ index(){ # First loop makes all the intros needed and stores them in tmp/intros find content/blog/ -type f -name '*.md' | grep -v 'xxx' | sort -r | head -n 20 | while read file; do - makeIntro "$file" & + makeIntro "$file" done - wait + # Once they are created, we will put them in, in order ( @@ -82,6 +94,22 @@ index(){ done echo "$template" | sed -n '/#CONTENT#/,$p' | sed '1d' ) > public_html/index.html + + # Once they are created, we will put them in, in order + ( + echo "# Jonathan Hodgson" + echo "" + echo "## Blogs" + echo "" + find content/blog/ -type f -name '*.md' | grep -v 'xxx' | sort -r | head -n 20 | while read file; do + grep -Eq '^draft: true' "$file" || getIntro "$file" gmi + done + echo "" + echo "## Other Links" + echo "=> /help-me-out.gmi Help Me Out" + echo "=> /other-stuff-you-might-like.gmi Other Stuff You Might Like" + + ) > public_gemini/index.gmi } tagIndex(){ @@ -182,11 +210,13 @@ clean(){ rm -rf tmp > /dev/null 2> /dev/null # Don't remove the public_html folder or docker won't re-attach it rm -rf public_html/* + rm -rf public_gemini/* } # Make sure the folders we will need exist mkdir -p public_html/{blog,tag} +mkdir -p public_gemini/{blog,tag} mkdir -p tmp/{tag,templates,intros} diff --git a/content/blog/013-writing-prose-in-vim.md b/content/blog/013-writing-prose-in-vim.md new file mode 100644 index 0000000..f9f8422 --- /dev/null +++ b/content/blog/013-writing-prose-in-vim.md @@ -0,0 +1,175 @@ +--- +title: Writing Prose in Vim +tags: + - Vim +description: Vim is a popular text editor among programmers, it is not limited to programming though. In this blog I will discuss how I write just about everything in vim +date: 2021-10-06 +--- + +If you know me at all, you probably know I am a fan of vim. I have written [more +than a few](/tag/vim.html) blog posts on it already. + +Most vim users use vim for programming. That is, after all, what most people use +plain text editors for. However, since learning vim, I have tried to use it for +as much as I can. Everything from emails to blog posts to letters. Of course, +programming as well, but certainly not only that. + +"Why?", you might ask. Because it makes my life easier. I have said before that +Vim is not as difficult as many vim users would like you to think it is. + +## Spellcheck + +I need a spell check. My spelling is atrocious. This is not helped by the fact +that I am dyslexic. Having a decent spell checker is essential if I am writing +anything that is going to be read by another human. Incidently, I count future +me as another human in this regard. + +Vim has a built-in spell check. + +```vim +set spell +set spelllang=en_gb +``` + +How it will look will depend on your colour scheme but in my case it is an +underline. + +Basic usage consists of the following keyboard shortcuts: + +* `[s` or `]s` to move between misspelled words +* `z=` to get a list of suggestions +* `zg` to add the current word to your custom dictionary + +As with anything in vim, these shortcuts can be changed, although I have never +felt the need to. + +Vim's insert completion can be used to look up words in the internal dictionary +as well. To use this, start writing a word and complete it with `ctrl-x ctrl-k`. + +This will present you with a list of words that start with what you have typed. +You can select one, as normal, with `ctrl-n` and `ctrl-p`. + +Finally, on the topic of spell checking, I have added an insert mode mapping +that is used to correct the previous misspelled word. + +The mapping is as follows: + +```vim +inoremap u[s1z=`]au +``` + +1. `u` - break undo sequence (new change) +1. `` - go into normal mode +1. `[s` - go to previous spelling mistake +1. `1z=` - change to the top spelling suggestion +1. ```]`` - go to the end of the last changed word +1. `a` - enter insert mode +1. `u` - break undo sequence (new change) + +This was shamelessly stolen from [Gilles Castel's excellent blog post on using +vim for LaTeX](https://castel.dev/post/lecture-notes-1/#correcting-spelling-mistakes-on-the-fly) + +## Undo Points + +When programming in vim, a lot of time is spent in both normal mode and insert +mode. However, when writing prose, much more time is spent in insert mode. As a +result, each undo point tends to be much larger. This can result in the rather +annoying behaviour that undoing anything can remove a huge amount of writing. + +To minimize this annoyance, I add undo points whenever I type punctuation +points. + +```vim + inoremap ! !u + inoremap , ,u + inoremap . .u + inoremap : :u + inoremap ; ;u + inoremap ? ?u + inoremap ( u( + inoremap ) )u +``` + +The only point I really need to elaborate on here is that for the opening +bracket: I add the undo-point before inserting the character. This results in +what I consider preferable behaviour whereby a whole bracket group is removed at +once when undoing, rather than leaving the opening bracket. + +## Distraction Free Writing + +Distraction free writing seems to be quite a fashionable / desirable feature in +a lot of editors at the moment. I have tried and used [Goyo](https://github.com/junegunn/goyo.vim) +and [limelight](https://github.com/junegunn/limelight.vim) which go some way to +reproducing the distraction free environment of many other editors. However, I +no longer use them. Both worked well, but vim doesn't have that many +distractions without them. When I am writing, I open vim in a full screen +terminal. I don't even have a clock visible. Being able to highlight the +paragraph I am currently working on or putting the text in the middle of the +screen wasn't worth it for me. + +## Proselint + +[Proselint](https://github.com/amperser/proselint), as the name suggests, is a +linter for prose. It points out areas where my writing could be better. To use +it with vim, I have the following autofunction: + +```vim +function! mine#functions#proselint() abort + let oldmakeprg = &l:makeprg + " set new value of makeprg and call the function + set makeprg=proselint\ % + make + copen + " set makeprg back to old value + let &l:makeprg = oldmakeprg +endfunction +``` + +and a mapping: + +```vim +nnoremap p :call mine#functions#proselint() +``` + +This allows me to fill the quickfix list with a list of suggestions from +proselint. + +## LanguageTool + +LanguageTool is similar in concept to Proselint although seems to have a lot +more checks under its hood. It can be intergrated into vim in a similar way to +Proselint, with an autofunction. + +```vim +function! mine#functions#languagetool() abort + let oldmakeprg = &l:makeprg + let olderrformat = &l:errorformat + " set new value of makeprg and call the function + set makeprg=languagetool\ -l\ en-GB\ % + let &l:errorformat = + \ '%-GPicked up _JAVA_OPTIONS: %.%#,' . + \ '%-GExpected text language: %.%#,' . + \ '%-PWorking on %f...,' . + \ '%-I%.%# [main] DEBUG %.%#,' . + \ '%+IUsing %.%# for file %.%#,' . + \ '%I%\d%\+.) Line %l\, column %c\, Rule ID: %m,' . + \ '%-CMessage%m,' . + \ '%-CSuggestion%m,' . + \ '%-CMore info%m,' . + \ '%-C%\s%#^%\+%\s%#,' . + \ '%-C%.%#,' . + \ '%-Z%\s%#,' . + \ '%-Q,' . + \ '%-GTime: %.%#' + make + copen + " set makeprg back to old value + let &l:makeprg = oldmakeprg + let &l:makeprg = olderrformat +endfunction +``` + +You will notice that this is slightly longer because the error format used by +Proselint is compatible with Vim's default. LanguageTool's is not. + + diff --git a/content/blog/014-xss-through-referer-header.md b/content/blog/014-xss-through-referer-header.md new file mode 100644 index 0000000..b192e48 --- /dev/null +++ b/content/blog/014-xss-through-referer-header.md @@ -0,0 +1,140 @@ +--- +title: XSS Through the Referer Header +tags: + - Security +description: In this blog post, I document how I achieved reflected XSS though a malicious http header. +date: 2021-10-14 +--- + +XSS is a vulnerability in which a malicious actor is able to run JavaScript in +an unsuspecting clients browser session. Normally, this is done via input fields +whose values are reflected back to the user without proper sanitisation. + +In this blog, I demonstrate a method I recently used that injected the payload +via the Referer [sip] header. + +Only do this on websites you own or have permission to do so no. It is illegal +in most places to do this without permission. + +## Initial foothold + +I found myself looking at a website whose input fields were all well sanitised, +getting ready to write a pretty boring report. However, I spotted a snippet of +JavaScript in an analytics script that looked something like this: + +```js + +``` + +That sparked my interest so I opened pappy and changed the referer header to `" ++ alert(1),"":"`. + +BRILLIANT! That worked. The referer header was not being sanitised. + + +## Crafting the referer header + +So, that is nice, but it would take some serious social engineering to convince +someone to intercept a request in burp / pappy / some other proxy tool, change +their referer header to our payload and then submit the request. Really we +needed a way to control that header ourselves. For anyone that doesn't know, the +[referer header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) +holds the address of the page that makes the request. This basically means the +previous page if a link was clicked. + +There is also a related header called [referrer-policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) +that controls how much information is sent. I want to send as much as possible +so I manually set this to `unsafe-url` for my proof of concept. + +```php + +``` + +I am using php here because I know it. I'm not saying php is the best choice. +Use what you know and can use quickly for proof of concepts. + +My initial thought was to simply use HTTP redirects to first redirect the user +to a page whose url contained my payload, and then from there to the vulnerable +page. + +The code for that was: + +```php + +``` + +That didn't work. After some searching I realised that the referer header is not +changed when an http redirect is followed. It does however if the url is changed +with JS. + +```php +$payload='"+alert(1),"":"'; +header('Referrer-Policy: unsafe-url'); +if ( $_SERVER['REQUEST_URI'] == "/index.php" ) { + $location='//localhost:8081/index.php/' . urlencode($payload); +}else{ + $location='https://vulnerable-site.com/page'; +} + + + + + + Example + + + + Example + + +``` + +So, after hosting this at localhost:8081, I was able to visit it in my browser. +If doing this in the real world, I would host it on a public server somewhere +and try and convince a victim to click a link. + +In my case, the initial link would be to `//localhost:8081/index.php`. This +would then use JS to redirect the victim to to +`//localhost:8081/index.php/%22%2Balert%281%29%2C%22%22%3A%22`. We would then +use JS again to redirct the user to the vulnerable site. With the +referrer-policy header set to unsafe-url, the browser will set the referer +header to the url including our payload and trigger our payload. In this +example, we are doing `alert(1)`. That's pretty boring and obvious to the user. +However, in the real world, we could send another request back to our server +with the contents of document.cookie to steal the session, or prompt the user to +re-enter their credentials and send that to ourselves. Once you have +unrestricted XSS, account compromise is normally possible. + +## Improvements + +Many of you may have noticed ways to improve the payload. For example, I hard +coded localhost:8081, the payload and various other information. If you want, +feel free to improve it but this is supposed to be a proof of concept, not a +well build program. When you're making POCs, it's the one time you really don't +need to worry about coding well - it's about getting something that works in a +short time frame. + +## Solution + +This issue came about because http headers were trusted. If the site had +validated the http header, or encoded it in some way, this would not have been +possible. Always sanitise. Never assume that anything that comes in the request +is safe. diff --git a/content/other-stuff-you-might-like.md b/content/other-stuff-you-might-like.md index 3c1f90f..9349a88 100644 --- a/content/other-stuff-you-might-like.md +++ b/content/other-stuff-you-might-like.md @@ -7,11 +7,19 @@ I consume a lot more content than I produce. If you are interested in similar st ## Linux +### HexDSL + +Does a lot of videos on Linux gaming (not of much interest to me) but also does +great videos on non-gaming linux content. *Side note:* He seems like a great guy +on his discord server. + +* [Website](https://hexdsl.co.uk/) +* [Youtube](https://www.youtube.com/channel/UCRE3NFNtdjR96-H4QG4U1Fg) + ### Brodie Robertson Videos about Linux and surrounding areas -* [Lbry](https://open.lbry.com/@BrodieRobertson:5?r=Cwnz9X9qaNkaYo8TbcVaFFZMBx7SsyfV) * [Youtube](https://www.youtube.com/channel/UCld68syR8Wi-GY_n4CaoJGA) ### Greg Hurrell @@ -20,20 +28,6 @@ Mostly videos on Vim and some tools he uses with Vim. * [Youtube](https://www.youtube.com/channel/UCXPHFM88IlFn68OmLwtPmZA) -### Hex DSL - -Does a lot of videos on Linux gaming (not of much interest to me) but also does videos on interesting Linux tools - -* [Lbry](https://open.lbry.com/@hexdsl:7?r=Cwnz9X9qaNkaYo8TbcVaFFZMBx7SsyfV) -* [Youtube](https://www.youtube.com/channel/UCRE3NFNtdjR96-H4QG4U1Fg) - -### Luke Smith - -Videos on Linux, Vim, LaTeX and surrounding areas. - -* [Lbry](https://open.lbry.com/@Luke:7?r=Cwnz9X9qaNkaYo8TbcVaFFZMBx7SsyfV) -* [Youtube](https://youtube.com/c/lukesmithxyz) -* [Blog](https://lukesmith.xyz/) ### Self Hosted @@ -53,7 +47,6 @@ Interviews with hackers (white and black hat) as well as discussing famous hacks Hacking tutorials -* [Lbry](https://open.lbry.com/@HackerSploit:26?r=Cwnz9X9qaNkaYo8TbcVaFFZMBx7SsyfV) * [Youtube](https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q) ### Ippsec @@ -89,7 +82,6 @@ Hardware reviews, weekly news roundup, tutorial videos Mostly mathematical videos. Includes a brilliant playlist on basic calculus -* [Lbry](https://open.lbry.com/@3Blue1Brown:b?r=Cwnz9X9qaNkaYo8TbcVaFFZMBx7SsyfV) * [Youtube](https://www.youtube.com/channel/UCYO_jab_esuFRV4b17AJtAw) ### CGP Grey @@ -102,14 +94,13 @@ Informative, well researched videos on lots of topics (although often opinionate Informative, well researched videos on lots of topics -* [Lbry](https://open.lbry.com/@Kurzgesagt:e?r=Cwnz9X9qaNkaYo8TbcVaFFZMBx7SsyfV) * [Youtube](https://www.youtube.com/channel/UCsXVk37bltHxD1rDPwtNM8Q) ### Minute Physics Science videos. Mostly physics and applied maths. -* [Lbry](https://open.lbry.com/@MinutePhysics:5?r=Cwnz9X9qaNkaYo8TbcVaFFZMBx7SsyfV) +* [Youtube](https://www.youtube.com/channel/UCUHW94eEFW7hkUMVaZz4eDg) ### Numberphile @@ -127,7 +118,6 @@ Podcasts about all sorts of interesting things. From disappearing aeroplanes to Science videos, mostly physics and applied maths. -* [Lbry](https://open.lbry.com/@veritasium:f?r=Cwnz9X9qaNkaYo8TbcVaFFZMBx7SsyfV) * [Youtube](https://www.youtube.com/channel/UCHnyfMqiRRG1u-2MsSQLbXA) ### Yuval Noah Harari