Welcome

I'm Abbas Naderi Afooshteh, also known as Abius and AbiusX. A software engineer and a renowned security expert, I'm currently OWASP chapter leader of Iran, owner of many OWASP projects, a member of ISSECO and CIO of Etebaran Informatics. For more details of what I do and what I can do, check my resume.

Mass Removing Facebook Friends

Written by AbiusX on . Posted in Computer, Development, English, Hacks

I have Googled around from time to time for how to mass remove Facebook friends. Unfortunately Facebook does not allow that, because it's bad for business; but many people are looking for a workaround. Back in the day, the mobile version had a much easier friend removal process, but they've made it similar to the desktop version and very boring. The current method of removing a friend involves either going to his/her profile or to your list of friends, hovering over the friend-status button (first request), selecting unfriend (second request), confirming it (third request), and approving the removal (fourth request). Each of those asynchronous operations needs to be done synchronously, because the confirmation dialogs take up half of the page; so assuming each one takes half a second, it takes 3 seconds to remove a friend (on a delay-free connection). Now what if you have 4000 friends (many of which are gathering dust) and you want to remove around 3000 of them? Welcome to hell. If you take the manual approach, you're bound to drop out midway, because it takes more than 4 hours and drives you nuts. There are scripts around that usually don't work, and are mostly non-user-friendly. I decided to filter my friend list today, and when I got to it, I realized it would be much better to spend those 4 hours creating something that others can use as well, instead of doing some repetitive work (which is literal hell for developers and hackers). So I made this script:

http://userscripts.org/scripts/show/162656

It's a robust script that runs inside GreaseMonkey (for Firefox) or TamperMonkey (for Chrome), which are basically environments for running hack scripts against different websites. The script does not work on older browsers or on Internet Explorer. I suggest using a fresh Google Chrome, as the script is CPU intensive and Google Chrome is the best for rapid JavaScript evaluation.

After installing the script in your grease environment and enabling it (you should disable it after you're done, as it messes with Facebook dialogs), head to your friends edit page (https://facebook.com/friends/edit), and you should see Fast Remove buttons next to every active friend's picture. Facebook's edit friends page only displays a handful of friends, but scrolling to the bottom adds another handful to the page. You can put some adequately heavy object on your Page Down key and leave it be until all friends are listed.

Now the first thing to do is delete all your inactive friends (people who have disabled their Facebook accounts). 90% of them never come back to Facebook, and those who do can go ahead and add you again. From the TamperMonkey (or equivalent) menu, click on the FacebookDeleteX – Remove Inactive submenu. A confirmation box will appear, saying how many inactive friends were found and asking if you're sure you want to delete them all. After clicking yes, all deletions are queued and another dialog gives you some information.

At this step, you should wait (or you can start doing the fast removal, the next step). Because each removal requires 4 steps (requests to be made by the script), each one of them takes some time to complete. Closing the page will cancel them. If you're removing 1000 inactive friends, you should wait at least 1000×3 seconds (or an hour). You can always check your number of friends before starting this, check it again in another window to see when it reaches the desired amount (total_number – inactive_number), and then close this window.

The final step is manual fast-removal of your friends. In this step, you have to click the Fast Remove button next to each person you don't want anymore. Don't spend too much time deciding whether someone belongs or not; just press Fast Remove. Later you can add them again easily.

Every time you press Fast Remove, it takes a second or so for the requests to be handled and for the button to disappear (if you have a lot of requests queued from the previous step, it can take a lot longer; just click them once and proceed to the next one, or open another window and do this there). Right after that, a dialog box pops up informing you that the friend was removed. The script automatically closes these dialogs once every second.

If anything seemed not to work with the script, don’t hesitate to contact me for a fix. Happy facebooking.

P.S. This script takes 60% CPU on a MacBook Pro Retina (which is equivalent to 4 regular PCs).

Meta-Reflection variable name detection problem for Pull Widgets in PHP

Written by AbiusX on . Posted in Computer, Development, English, Software Engineering

First of all, Happy Nowruz! Tomorrow is officially the start of the new Jalali year. Best wishes to everyone.

The Problem

I've been working on an elegant design for a new PHP Widget library for some time now. It is intended to provide a Pull MVC feature for jframework. As you know, MVC provides a separation of concerns, allowing people with different expertise to work separately on their designated part of the application. The model part (which is the business logic of the application, plus some of the solution domain) is usually very re-usable and employs object orientation to a great extent. The controller part is mostly lightweight and consists of code that is usually not re-usable.

The problem resides in the view part of MVC. Views are mostly HTML/CSS that dump some variables and arrays. Sometimes templates are employed in views to reduce repeated code, but still most view code is repeated. Imagine two different areas of a web application, both presenting tabular data of different origin. 70% of their code is the same, but due to the different nature of the data, usually no re-use happens.

I’m not gonna talk about benefits of code re-use here, but you get the picture.

Pull MVC, in contrast to Push MVC, is a system in which the views ask for the content they need to render themselves, pulling it in, instead of having the content pushed directly onto the screen. It is usually provided by widget systems, and is much more object oriented. The problem with Pull systems is that the view is usually designed, not developed, by a graphical designer who is adept in HTML and CSS.

The Actual Thingie

The first thing I wanted to do was to preserve maximum simplicity. You cannot expect a library to require redundancy in order to provide code re-use. I do not like libraries that take control of everything and don't let developers change their mechanics. So I wanted to replace this practice:

$form1 = new jForm();
$form1->setName("form1");
$form1->setMethod("post");
$button1 = new jFormButton("form1");
$button1->setName("button1");
$button1->setLabel("Push Me!");

with a single-line, elegant approach:

$form1 = new jForm(jForm::Method_Post);
$button1 = new jFormButton($form1, "Push Me!");

So the first thing I needed was for jForm (or any other jWidget instance) to know what variable it is assigned to – in this case $form1 – and name itself after it. The name is actually used a lot in the generated HTML code: for validation, for CSRF protection, for HTML form element names, for HTML IDs, for CSS classes and a lot more.
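One way to solve the detection problem, as an added example that is not jframework's own code: the base widget walks its own constructor frames with debug_backtrace(), reads the caller's source line and extracts the assigned variable name. It assumes the widget is created as "$name = new SomeWidget(...)" on a single line of a file readable at run time; the class names jWidget, jForm and jFormButton are reused from the post, and the regex deliberately accepts only a plain identifier because the name ends up in HTML ids and CSRF field names.

```php
<?php
// Added example, not jframework's own code: a jWidget learns the name of the
// variable it is assigned to by reading the caller's source line.
// Assumption: "$name = new SomeWidget(...)" sits on one readable source line.
class jWidget
{
    private static array $sourceCache = [];   // file path => array of lines
    protected string $name;

    public function __construct()
    {
        // Fall back to a unique, still HTML-safe name when detection fails
        // (e.g. "new jForm()" used inline without an assignment).
        $this->name = self::detectAssignedVariable() ?? 'widget' . spl_object_id($this);
    }

    public function getName(): string
    {
        return $this->name;
    }

    private static function detectAssignedVariable(): ?string
    {
        // Walk outwards through the chain of jWidget __construct frames
        // (subclasses calling parent::__construct()); the outermost one holds
        // the file and line of the "new" expression in user code.
        $frame = null;
        foreach (debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS) as $f) {
            if (($f['function'] ?? '') === '__construct' && is_a($f['class'] ?? '', self::class, true)) {
                $frame = $f;
            } elseif ($frame !== null) {
                break;
            }
        }
        if ($frame === null || !isset($frame['file'], $frame['line'])) {
            return null;
        }
        $file = $frame['file'];
        if (!isset(self::$sourceCache[$file])) {
            self::$sourceCache[$file] = @file($file) ?: [];   // read each file once
        }
        $source = self::$sourceCache[$file][$frame['line'] - 1] ?? '';
        // Only a plain identifier is accepted: the name is reused in HTML ids,
        // form element names and CSRF fields, so nothing else may leak through.
        if (preg_match('/\$([A-Za-z_][A-Za-z0-9_]*)\s*=\s*new\s+\w+\s*\(/', $source, $m)) {
            return $m[1];
        }
        return null;
    }
}

class jForm extends jWidget {}

class jFormButton extends jWidget
{
    public function __construct(jForm $form, string $label)
    {
        parent::__construct();
    }
}

$form1 = new jForm();
$button1 = new jFormButton($form1, "Push Me!");
echo $form1->getName(), "\n", $button1->getName(), "\n";
```

Run as a script it prints form1 and button1; a widget constructed without an assignment, or from code PHP cannot read back (eval, a stream wrapper), gets the widgetN fallback instead.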

APA CTF 2013 Write-up

Written by AbiusX on . Posted in Computer, English, Security

This post is about Sharif CERT (APA) center's recent CTF (10 dec 2012), which is one of a kind in Iran. Most CTFs are a few days long since there are time-zone differences, but since this one is in Iran, it's only a few hours long and full of pressure. Also it is fairly general purpose, with Trivia, Web Hacking, Cryptography, Steganography, Reverse Engineering and Forensics among its genres. There's also the final scoreboard of the contest. As usual, team AbiusX nailed this CTF, though this was the initial round and the main round is held inside Sharif University of Technology in Tehran. APA CTF usually pisses me off, as some questions are not technical and more of a puzzle than a question – as you will see soon – and also because the guys in charge of making up questions have very poor English (rofl). But it's getting much better over the years and this version was perfectly acceptable, especially the parts about segmenting different teams' flags. There were 2 trivia questions, 4 web flags, 2 reverse engineering flags and the rest each had one flag. Genre scores were 100 for trivia, 1200 for web, 200 for crypto, 600 for reverse engineering, 300 for steganography and 400 for forensics, plus bonuses for quick solvers.

The Questions

This section describes each question, its strengths and weaknesses, and the solution to it.

Migrating mail from one host to the other

Written by AbiusX on . Posted in Computer, English, Server Management

I was in the process of migrating a host from Helm 4 to DirectAdmin, and it seems that Helm is pretty crappy and does not store mail in the user's storage, but instead in its own mail manager; but what else would someone expect of something Windows based. The problem and solution I describe here are applicable to all hosting managers, not just DA and Helm, but I use those in my examples. The first step is to transfer files, which is pretty easy. You could zip the whole folder in any control panel (sometimes it's referred to as Backup), then get it via wget's FTP functionality:
wget -r ftp://user:pass@host.com/folder/file.zip
I'm assuming you have SSH access on your destination; otherwise you have to do everything on your own computer and then move it to the destination, which is not very engineer-like! Then you unzip and relocate the files.

Then you have to move databases, which is pretty easy using the mysqldump tool and the mysql < dumpfile.sql trick. Transferring the dump file is also done with wget or FTP. Keep in mind to export/import via the terminal and not something like phpMyAdmin, as encoding problems could make your life miserable.

The third, most tedious and most important step for every major website is delivering mail. Unfortunately many hosting providers do not let you grab all your mail in a single shot, and many others do not let you import it that easily. Mail is a little complicated these days with all the MTA and MDA and Maildir and Mbox formats and all. The solution proposed by many hosting providers is to use Outlook over IMAP, download all mail from the source, reconnect to the destination and upload all mail there. This involves your personal system and is way too slow for a huge number of mails and mailboxes.

The better way is to first create the same mailboxes on your destination, then use a mixture of mutt, getmail and scripting to transfer the mail. Mutt is a terminal-based IMAP/POP client which allows you to read and compose mail. getmail is a brilliant piece of software which simply fetches mail from a server to the client and stores it in standard formats. Assume that your user is named myuser and is located at /home/myuser. There is usually some folder named Maildir (or imap in the case of DirectAdmin, but when you go into it, there is a list of mail users each having a Maildir inside). This is IMAP's desired storage format (Maildir), also used by Dovecot. Now install getmail on your destination and create a file ~/.getmail/getmailrc with the following content:
[options]
verbose = 1
delete = False

[retriever]
type = SimpleIMAPRetriever
server = sourceMailServer.com
username = srcUser
password = srcPass

[destination]
type = Maildir
path = ~/imap/domain.com/srcUser/Maildir/
You have to update this file for every mailbox you're going to migrate, replacing the username, password and path accordingly. Then go to the path you described and see if it exists (it should be your control panel's default path, or you're not migrating correctly). If it does not exist, create the folder Maildir with 3 subfolders: cur, new, tmp. You could also create the structure by using mutt instead of doing it manually, as follows:
mutt -f imap://user@srcHost.com
It then lists your messages and creates the folder structure for you. Now run getmail and wait for the magic to happen. It is definitely going to take some time if you have a huge mail base. You could automate this process for multiple accounts with a simple bash script. This whole process is way faster and easier than any other solution. Also keep in mind to use IMAP if applicable; otherwise you would only transfer the Inbox. Don't forget to ask your questions below.

PHP Serialization Pollution Attack

Written by AbiusX on . Posted in Computer, English, Security

PHP Serialization has a fatal flaw which allows for pollution of the scope and global context of an application, as well as running arbitrary code in some scenarios if sources of taint are allowed in. It is a very high impact attack but requires in-depth evaluation criteria and careful inspection to be caught. I have prepared a lab to explore and try this attack, available at:

PHP Serialization Pollution Lab

Give it a try and let me know what you think. I suggest you do a lot of debugging on the code and master its exact running flow. Don’t forget that the source code of that page is available at:

https://abiusx.com/lab/hacking/serialize.src.php

I'll describe this in detail at a later date.

Stripe CTF 2 – Web Challenges

Written by AbiusX on . Posted in Computer, English, Network, Security

I participated in the Stripe CTF Web Attacks, and thus far it was the most well designed CTF I have ever encountered (and I have participated in a couple dozen). This is the second Stripe CTF; the first was exploitation based and this one was web based.

Some Concepts

CTF stands for Capture the Flag; it's a genre of games where you have to get past enemy lines, take their flag and bring it back to your base to win a score. Usually hacking games are CTF-like: you have to hack a system, find the flag (it's a random string) and bring it home to get the score for that level. There are plenty of servers for a CTF host, since many attackers try to just break the servers instead of solving the challenges. Also every participant's environment has to be secluded to achieve the best challenge experience, so lots of cautious programming on the host side is required. There are almost always lots of bugs in CTFs due to huge codebases, and hackers tend to hack systems in a way that the host didn't plan for and get the score; thus the host people have to watch the event and remove those bugs asap, and respond to questions and feedback from the participants.

How did I do

I participated in this CTF a couple of days ago, at midnight. Unfortunately my beloved uncle had just passed away and he had no sons, so I had to take care of much of the funeral business. I only had a couple of hours at midnight (at the cost of not sleeping before the funeral) to participate in this, so I did. I was able to solve 8 out of 9 challenges in almost 3 hours, and left for the funeral chores afterwards. The 8th question was a little lengthy and I returned to it after almost 30 hours (after the funeral and a brief rest) and solved it in a few hours. Below I'm going to discuss the questions and their answers (how to hack them) as an educational document.

Challenges

I’m going to copy the challenges from Stripe-CTF, then provide the solutions in a section below each of them.

Software Bloats: epic failure and how to prevent it

Written by AbiusX on . Posted in Computer, Development, English

Bloating is one of the most fatal horrors that can happen to a piece of software. It is when you have nice working software that everyone loves, and then you start adding odd, crazy features into the software that nobody but you (who spent numerous hours thinking how you could reach perfection in your software) needs or uses. It might not seem very likely, but believe me, if you don't shackle your thoughts, you'll definitely bloat it. For example, consider Apple TextEdit, which is somewhat the counterpart of Notepad on Mac OS X. TextEdit was a very powerful tool, yet simple enough for taking a few notes. It could open MS Word documents and other RTF-like formatted documents, as well as pure ASCII text files, and it would automatically recognize the encoding and save with the appropriate encoding, all without the need to go through application preferences. Now they have added Versions and a lot of other magical stuff to TextEdit (as well as many fundamental OS X apps such as Preview), and it takes ages (in comparison to a nerd's typing speed) for it to open, save, close and behave. Personally I haven't used Versions once in this whole year I've been on OS X 10.7 Lion, and I don't think everybody else has; that's why most people hate Versions (dare to Google it!). Another case would be Mozilla Thunderbird, which is a magnificent piece of software, but I strongly doubt that anyone unfamiliar with the mechanics of modern e-mailing protocols could cope with it. Thunderbird is a strong mail client capable of almost anything, but I bet half of my blog readers won't be able to start checking their mail with it. It wasn't like that in the first few versions, but the developers got involved in the software so deeply that they could only see the world as an e-mailing infrastructure, and anyone has to know the difference between IMAP and POP3 to drive in their world.

How to prevent it

They say that people use 20% of a software's features 80% of the time, so bloating will just make this percentage look uglier. The best method to prevent bloating, AFAIK, is to go agile; this way you would only implement what your customer needs and uses, and if they didn't like it, you would either change it or dump it.

HTTP Host Alteration Attack

Written by AbiusX on . Posted in Computer, English, Security

While I was thinking about certain ways of summarizing CSRF prevention for the OWASP PHP Security Cheat Sheet – mixing taint tracking with different request criteria – I found a certain type of attack against certain high-level web applications and frameworks, which I named HTTP Host Alteration Attack. Many web applications rely on the HTTP Host header (accessible via $_SERVER['HTTP_HOST'] in PHP) to determine their running environment, e.g. development or deployment. For example, if HTTP_HOST is localhost, 127.0.0.1, or 192.168.*.*, the application is presumably running in development mode, so it would dump error details, SQL queries, profiling details and, more importantly, stack traces. When the application is running on a deployment server, it logs errors instead of dumping them, and reduces critical details on the screen. Also, credentials for connecting to the database and other 3rd party tools are different on development and deployment servers. The code snippet below, taken from earlier versions of the almighty jFramework, is used to determine the running state of the application:
if (jURL::HTTPHost() == "localhost")
    reg("app/state", "develop");
elseif (strpos(jURL::HTTPHost(), "jframework.info") !== false) # replace this with your site
    reg("app/state", "deploy");
elseif (php_sapi_name() == "cli")
    reg("app/state", "develop");
else
    trigger_error("No running state determined.");
Then the rest of the application's behaviour is determined by this state. Now what the developer (embarrassingly, myself) had forgotten was that the HTTP Host is provided with the HTTP request, and though it is part of the standard HTTP protocol and should ALWAYS be provided and valid, it can easily be forged by an attacker. I became aware of this issue while using my Mozilla add-on, IRUnfilter, to get around Iran's Internet restrictions. IRUnfilter removes the Host header from the HTTP request – which is used by the government to determine whether a site is allowed or not – and sends the request to a web proxy outside Iran, which effectively replaces the Host header with the valid value. Now if you skip the proxy and visit a jFramework powered website using it, the "No running state determined." error pops up. An attacker could simply replace the Host header instead of removing it, with something fabulous such as "localhost", to get "development" access to the deployed application. I was about to advertise jFramework's old method of determining the state in OWASP's wiki, but fortunately I was a little busy and realized this issue before publishing it to the world!
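The weak state check beside a hardened one, as an added example that is not jFramework code: reg() and jURL::HTTPHost() are replaced by return values and a $host argument so the snippet runs on its own, the cli branch is omitted, and the APP_STATE variable name, the hostnames and the request values are constructed for the demonstration.

```php
<?php
// Added example, not jFramework's own code: the Host-based state detection
// from the post beside a hardened variant (APP_STATE and the hosts below
// are constructed for the demo).

// Vulnerable: the decision rests on a header the client chooses freely.
function stateFromHost(string $host): string
{
    if ($host == "localhost") {
        return "develop";
    } elseif (strpos($host, "jframework.info") !== false) {
        return "deploy";
    }
    return "unknown";   // the post's trigger_error() branch
}

// Hardened: the state comes from deployment configuration the request cannot
// touch (an environment variable set by the web server, or a config file
// outside the document root), and the default is the safer "deploy".
// Pass getenv() or the parsed config array, never $_SERVER.
function stateFromConfig(array $env): string
{
    $state = $env['APP_STATE'] ?? 'deploy';
    return in_array($state, ['develop', 'deploy'], true) ? $state : 'deploy';
}

// When the host is still needed (absolute URLs, CSRF origin checks), compare
// it against an explicit allow-list with strict equality; a substring test
// like strpos() would also accept "jframework.info.attacker.example".
function hostIsAllowed(string $host, array $allowedHosts): bool
{
    $host = strtolower(preg_replace('/:\d+$/', '', $host));   // drop any port
    return in_array($host, $allowedHosts, true);
}

// Constructed requests: a legitimate Host, a forged "localhost", and a
// look-alike domain that a substring match would have accepted.
$allowed = ['jframework.info', 'www.jframework.info'];
foreach (['www.jframework.info', 'localhost', 'jframework.info.attacker.example'] as $host) {
    printf("Host: %-34s host-based=%-8s config-based=%-8s allowed=%s\n",
        $host,
        stateFromHost($host),
        stateFromConfig(['APP_STATE' => 'deploy']),
        hostIsAllowed($host, $allowed) ? 'yes' : 'no');
}
```

For the forged Host: localhost request the host-based function answers develop while the config-based one stays deploy, and only the two allow-listed names pass hostIsAllowed().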

Copyright (C) 2007 by AbiusX.com, contents of AbiusX.com are personal and are not views of any employers.