BeEF – Browser Exploitation Framework

BeEF is a browser exploitation framework.

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

The end of CSRF?

The “The end of CSRF?” blog post talks about the new feature coming to browsers – SameSite cookie enforcement, which will help in getting rid of Cross-Site Request Forgery (CSRF) attacks.  Too bad this is currently only supported by Google Chrome (both desktop and mobile), and Opera.  But I’m sure it’s coming soon to the rest of the browsers.

Update:  It looks like the above blog post is almost a copy of this blog post, which has a number of useful comments.  Including this one, which links to a variety of projects and programming languages bug trackers requesting the support of the SameSite cookie feature.  Also, it looks like SameSite cookie is superseded by the Cookie Prefix solution, proposed by Google.
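As an added example (not code from either linked post), here is how a server-side check for the two mechanisms mentioned above looks in Python: a builder that emits a Set-Cookie value with SameSite and a cookie prefix, and a validator that reports why a browser would reject the cookie or still send it cross-site. The cookie names and values are made up.

```python
# Added example, not code from either linked post: build a Set-Cookie value that
# uses SameSite plus a cookie prefix, and check the rules a browser enforces
# for SameSite=None and the __Host-/__Secure- prefixes before shipping it.


def build_set_cookie(name, value, samesite="Lax", secure=True,
                     http_only=True, path="/", domain=None):
    """Return a session-scoped Set-Cookie header value (no Max-Age/Expires)."""
    parts = [f"{name}={value}"]
    if domain:
        parts.append(f"Domain={domain}")
    parts.append(f"Path={path}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def cookie_problems(header):
    """List why a browser would reject the cookie or leave it CSRF-exposed.

    Returns an empty list only when SameSite is Strict or Lax and any
    __Host- or __Secure- prefix is backed by the attributes it demands.
    """
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name = name_value.split("=", 1)[0]
    attr = {}
    for item in attrs:
        key, _, val = item.partition("=")
        attr[key.strip().lower()] = val.strip()
    problems = []
    samesite = attr.get("samesite", "").lower()
    if not samesite:
        problems.append("no SameSite attribute: cross-site requests still carry the cookie")
    elif samesite == "none":
        problems.append("SameSite=None opts out of the CSRF protection")
        if "secure" not in attr:
            problems.append("SameSite=None also requires Secure")
    if name.startswith("__Secure-") and "secure" not in attr:
        problems.append("__Secure- prefix requires Secure")
    if name.startswith("__Host-"):
        if "secure" not in attr:
            problems.append("__Host- prefix requires Secure")
        if "domain" in attr:
            problems.append("__Host- prefix forbids a Domain attribute")
        if attr.get("path") != "/":
            problems.append("__Host- prefix requires Path=/")
    return problems
```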

Secure Headers – a PHP library for easier management of browser security features

Modern browsers offer a variety of security mechanisms for web developers.  Unfortunately, some of these aren’t so easy to manage.  One needs a deep understanding of the functionality as well as theory behind.  Secure Headers is a library that makes all that work a lot easier for PHP developers.  Here are some of the features:

  • Add/remove and manage headers easily
  • Build a Content Security Policy, or combine multiple together
  • Content Security Policy analysis
  • Easy integration with arbitrary frameworks (take a look at the HttpAdapter)
  • Protect incorrectly set cookies
  • Strict mode
  • Safe mode prevents accidental long-term self-DOS when using HSTS, or HPKP
  • Receive warnings about missing, or misconfigured security headers

Real Favicon Generator

Real Favicon Generator is a handy tool for setting up your website’s favicon properly.  It takes care of both the images (formats, resolutions, etc) and the HTML that you’ll need to include.  With just a few clicks your website will work properly with browsers, operating systems, and mobile applications.

With so many platforms and icons, it’s hard to know exactly what you should do. What are the dimensions of favicon.ico? How many Touch icons do I need? RealFaviconGenerator did the research and testing for you.

If you still prefer to do it yourself and know all there is to generating proper favicon images and markup, have a look at this resource for everything there is to it and more.

Spellbook of Modern Web Dev

Spellbook of Modern Web Dev is a collection of 2,000+ carefully selected links to resources on anything web development related.  It covers subjects from Internet history and basics of HTML, CSS, and Javascript, all the way to tools, libraries and advanced usage of web technologies, and more; from network protocols and browser compatibility to development environments, containers, and ChatOps.

  • This document originated from a bunch of most commonly used links and learning resources I sent to every new web developer on our full-stack web development team.
  • For each problem domain and each technology, I try my best to pick only one or a few links that are most important, typical, common or popular and not outdated, based on clear trends, public data and empirical observation.
  • Prefer fine-grained classifications and deep hierarchies over featureless descriptions and distractive comments.
  • Ideally, each line is a unique category. The “ / ” symbol between the links means they are replaceable. The “, ” symbol between the links means they are complementary.
  • I wish this document could be closer to a kind of knowledge graph or skill tree than a list or a collection.
  • It currently contains 2000+ links (projects, tools, plugins, services, articles, books, sites, etc.)

On one hand, this is one of the best single resources on the topic of web development that I’ve seen in a very long time.  On the other hand, it re-confirms my belief in “there is no such thing as a full-stack web developer”.  There are just too many levels, and there’s too much depth to each level for a single individual to be an expert at all of it.  But you get bonus points for trying.

Block unwanted advertisements with /etc/hosts file on Linux

Back in the old days, before the browsers even had extensions like Adblock Plus, many of us – tech-savvy web surfers – used to block unwanted advertising, SPAM sites, and other nonsense using the /etc/hosts file.  The technique behind it is very simple – you override the IP address to which the unwanted website’s domain name resolves with a loopback IP address (127.0.0.1).  Whether you do it on your own machine or at a home/office proxy server is irrelevant.  And it worked magic!

Turns out, people still use this technique today.   I came across this article, which shows how to use a rather extensive list of domains for all sorts of online madness, collected and maintained by kind folks at http://winhelp2002.mvps.org/.

I tried it out of pure curiosity and sure enough it does what it says.  I’ve reverted back to Adblock Plus a couple of days later though, as random sites were breaking here and there.  I think this might be related to different adblock-detectors that many sites employ these days.  Also, some of the ads use things like embedded scripts or buttons, which might render JavaScript errors, preventing the rest of the page from loading.
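Here is the technique in Python as an added example (not from the linked article): parse a hosts file, append loopback entries for a constructed blocklist of made-up domains, and check which names get diverted. It also shows why such lists grow so large and why sites can break: hosts entries match exact names only, so a blocked domain does not cover its subdomains.

```python
# Added example, not from the linked article: the /etc/hosts blocking trick
# applied to a constructed blocklist. Domain names below are made up.
import ipaddress

LOOPBACK = "127.0.0.1"

# Constructed sample data: a minimal hosts file and a made-up blocklist.
EXISTING_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"
BLOCKLIST = ["ads.example.net", "tracker.example.org"]


def parse_hosts(text):
    """Map each hostname in hosts-file text to its IP, skipping comments/blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


def merge_blocklist(hosts_text, domains, target=LOOPBACK):
    """Append one 'target domain' line per domain not already in hosts_text."""
    present = parse_hosts(hosts_text)
    lines = [hosts_text.rstrip("\n"), "# blocklist entries"]
    for domain in domains:
        if domain.lower() not in present:
            lines.append(f"{target} {domain}")
    return "\n".join(lines) + "\n"


def is_blocked(table, hostname):
    """True if the hosts table sends hostname to a loopback or 0.0.0.0 address.

    Hosts files match exact names only: blocking ads.example.net does not
    cover cdn.ads.example.net, so every subdomain needs its own line.
    """
    ip = table.get(hostname.lower())
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


if __name__ == "__main__":
    table = parse_hosts(merge_blocklist(EXISTING_HOSTS, BLOCKLIST))
    for host in ("ads.example.net", "cdn.ads.example.net", "www.example.com"):
        print(host, "blocked" if is_blocked(table, host) else "not blocked")
```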

But if you’ve never tried it, I strongly recommend giving it a go.

Headless Browsers

Headless Browsers is a list of (almost) all headless web browsers in existence.  These are browsers without graphical user interface, controlled programmatically, and useful for testing, automation, and other similar tasks.

I’ve used one or two.  I’ve heard about three or four.  I had no idea there was such a variety though.

Why are browsers so slow?

As a user of the Opera browser in the good ol’ days, I share Ilya Birman’s pain:

But I am not talking about rendering and scripts. I am talking about everything else. Safari may take a second or two just to open a new blank tab on a 2014 iMac. And with ten or fifteen open tabs it eventually becomes sluggish as hell. Chrome is better, but not much so.

… and this too …

What would you do today if you opened a link and saw a long article which you don’t have time to read right now, but want to read later? You would save a link and close the tab. But when your browser is fast, you just don’t tend to close tabs which you haven’t dealt with. In Opera, I would let tabs stay open for months without having any impact on my machine’s performance.

Wait, but didn’t I restart my computer or the browser sometimes? Of course I did. Unfortunately, modern browsers are so stupid that they reload all the tabs when you restart them. Which takes ages if you have a hundred tabs. Opera was sane: it did not reload a tab unless you asked for it. It just reopened everything from cache. Which took a couple of seconds.

In fact, maybe it’s a good time to try out the Opera browser again.  After all, the two primary reasons I switched away from it were:

  • Open Source.  This was back in the day when I was a zealot.  (Yeah, if you think I’m one now, you should have seen me in my 20’s.)  Now I am much more calm about the licensing.
  • Rendering issues.  That was back when Opera had its own rendering engine and couldn’t quite keep up with all the changes on the Web.  Since then, Opera has dumped its Presto rendering engine in favor of Webkit (the same engine that Google Chrome, Chromium and Safari browsers are using), and then dumped Webkit in favor of Blink, which is like … erm .. new Webkit (?) or something like that.

So maybe it’s good enough in the rendering department and I can have my performance and tab management back.  As Ilya mentions, no other browser came close to the tab management of Opera back in the day.  I frequently have 30+ tabs open, and it’s only because that’s as much as Chrome can handle on my laptop.

Update: Tried out the latest version of Opera now for about half an hour.  I suddenly remembered another reason why I switched – fonts.  The default font configuration is far from optimal.  For multilingual pages (English and Russian) it is more than horrific.  Oh well, I guess I’ll have to wait some more.

Chrome Extension : var_masterpiece – turn PHP var_dump() into a thing of beauty


Var Masterpiece is a Google Chrome add-on, which formats PHP var_dump() output into something much more beautiful and useful.  You can customize the type colors and a few other things in the extension options, once installed.

Ask Slashdot: Best Browser Extensions — 2016 Edition

Slashdot is running a discussion thread on what are the best browser extensions these days.  The comments cover a variety of browsers and all kinds of extensions.  The most popular are, of course, well known.  But there are a few gems here and there.


For me personally, I’ve picked the Tab Snooze extension.  I’ve tried quite a few tab management solutions, and none of them fits my needs (I want to run a single browser window, with dozens or hundreds of tabs open, but I want them to be organized into groups and hidden until later, when I need them).   Tab Snooze approaches the problem from a slightly different angle. It sets a reminder for when to reopen the tab, and once that’s done, it closes the tab.  You can find all snoozed tabs and open them before the due date, of course.

This works surprisingly well for me.  If only I could control the opening of the tabs with something like “17 tabs were woken up and are about to be opened. Continue?”.  Currently, I get the notification and the tabs are opened automatically, which is often not at the best time.  Waking up a lot of tabs can slow the system down a bit and get in the way of the things on which I’m working at the time.