Highlight 3 and DynaCloud 5 released

Posted 2009-02-22 in JavaScript by Johann.

I have just released Highlight 3 and DynaCloud 5.

Changes

  • The API of highlight was simplified, as suggested by Nox.
  • Internet Explorer would highlight more than the desired element, as documented by Teye.
  • Extra code for Internet Explorer was removed, making both jQuery plugins smaller.
  • Removing highlights would not work in Internet Explorer.
  • It is no longer required to upper case the pattern in highlight.
  • Packed/Shrunk versions no longer use /packer/, but simply YUI Compressor.

Download

If you use highlight or DynaCloud, please update to the latest versions, available from the blog posts above.

Simple Mobile Phone Detection

Posted 2009-02-12 in Mobile Web by Johann.

Looking for an easy and simple way to detect mobile browsers?

This regular expression should be able to detect most popular mobile phone browsers:

(IEMobile|Windows CE|NetFront|PlayStation|PLAYSTATION|like Mac OS X|MIDP|UP\.Browser|Symbian|Nintendo|Android)

Explanation

  • IEMobile selects newer Windows Mobile browsers.
  • Windows CE selects older Windows Mobile browsers.
  • NetFront obviously selects NetFront browsers.
  • PlayStation and PLAYSTATION select the PlayStation browsers.
  • like Mac OS X selects iPhone and iPod browsers.
  • MIDP selects most BlackBerry and Opera Mini browsers.
  • UP.Browser selects OpenWave-based browsers.
  • Symbian selects Opera browsers for Symbian.
  • Nintendo selects Opera browsers on Nintendo.

There are a few rare other mobile browsers not covered by this regular expression. Do you know of some that should be included? Please post a comment!
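The expression applied server-side, as an added example that is not part of the original post: it maps each alternative back to the browser family from the explanation above and shows that the leftmost token in the header decides the result, not the order of the alternatives. The sample User-Agent strings are constructed.

```python
import re

# The expression from the post, kept case-sensitive: that is why it lists both
# "PlayStation" and "PLAYSTATION".
MOBILE_RE = re.compile(
    r"(IEMobile|Windows CE|NetFront|PlayStation|PLAYSTATION|like Mac OS X"
    r"|MIDP|UP\.Browser|Symbian|Nintendo|Android)"
)

# Each alternative mapped to the browser family the post's explanation gives it.
FAMILIES = {
    "IEMobile": "Windows Mobile (newer)",
    "Windows CE": "Windows Mobile (older)",
    "NetFront": "NetFront",
    "PlayStation": "PlayStation",
    "PLAYSTATION": "PlayStation",
    "like Mac OS X": "iPhone/iPod",
    "MIDP": "BlackBerry/Opera Mini",
    "UP.Browser": "OpenWave",
    "Symbian": "Opera for Symbian",
    "Nintendo": "Opera on Nintendo",
    "Android": "Android",
}

def detect_mobile(user_agent):
    """Return the family of the leftmost matching token, or None if not mobile.

    re.search() returns the match that starts earliest in the string, not the
    first alternative in the pattern, so "Windows CE" wins over a later
    "IEMobile". The header is client-supplied: use the result to choose a
    layout, never for access decisions.
    """
    m = MOBILE_RE.search(user_agent)
    return FAMILIES[m.group(1)] if m else None

# Constructed sample headers (not captured traffic) with the expected family.
SAMPLES = {
    "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420": "iPhone/iPod",
    "Mozilla/5.0 (PLAYSTATION 3; 2.00)": "PlayStation",
    "Opera/9.60 (J2ME/MIDP; Opera Mini/4.2; U; en)": "BlackBerry/Opera Mini",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)": "Windows Mobile (older)",
    "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0": None,
}

def check_samples():
    """Return the samples whose detected family differs from the expectation."""
    return {ua: detect_mobile(ua) for ua, fam in SAMPLES.items()
            if detect_mobile(ua) != fam}
```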


MVEL Templating Introduction

Posted 2009-01-29 in Java by Johann.

MVEL is an expression language – similar to OGNL – and a templating engine.

I’d like to give you an example of MVEL Templates in this post so you can find out if MVEL might work for you.

Templating Examples

This is what templating with MVEL looks like.

Basic Object Access

<h1>@{name}</h1>

Simple Iteration

<p>
@foreach{index : alphabetical}
<a href="@{index.uri}">@{index.description}</a>
@end{}
</p>

Accessing Static Methods

<a href="@{ua.pageURI}">
@{org.apache.commons.lang.StringEscapeUtils.escapeHtml(ua.name)}
</a>

Inline Ternary Operator

<li>
@{ua.hitsTotal} total @{ua.hitsTotal == 1 ? "Hit" : "Hits"}.
</li>

MVEL Integration

The following code integrates MVEL into your application. The first part parses a template from a String, the second part applies an object to the template and writes it to a file.

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.Writer;

// MVEL 2.x template API (package names assumed for the 2.x release line).
import org.mvel2.templates.CompiledTemplate;
import org.mvel2.templates.TemplateCompiler;
import org.mvel2.templates.TemplateRuntime;

public class MVELTemplateWriter {

    private final CompiledTemplate template;

    /**
     * Constructor for MVELTemplateWriter.
     *
     * @param template the MVEL template
     */
    public MVELTemplateWriter(String template) {
        super();
        // Compile once; the compiled template is reused for every write().
        this.template = TemplateCompiler.compileTemplate(template);
    }

    /**
     * Merge an Object with the template and write the output
     * to f.
     *
     * @param o the Object
     * @param f the output File
     */
    public void write(Object o, File f) throws IOException {
        // MVEL renders the complete output into memory before anything
        // is written (see "No streaming output" below).
        String output = (String)
            TemplateRuntime.execute(template, o);
        Writer writer = null;
        try {
            // Create the target directory; fail loudly instead of relying on
            // an assert, which is disabled by default at runtime.
            File parent = f.getParentFile();
            if (parent != null && !parent.exists() && !parent.mkdirs()) {
                throw new IOException("Cannot create directory " + parent);
            }
            writer = new OutputStreamWriter(new
                FileOutputStream(f), "UTF-8");
            writer.write(output);
            // Flush here so encoding/write errors surface as exceptions.
            writer.flush();
        }
        finally {
            close(writer);
        }
    }

    /**
     * Close a Writer quietly; a null reference is ignored.
     */
    private static void close(Writer writer) {
        if (writer == null) {
            return;
        }
        try {
            writer.close();
        }
        catch (IOException ignored) {
            // output was already flushed; nothing useful to do here
        }
    }

}

You use this code like you would use other templating engines/expression languages: you add your objects to a Map and then merge the Map with a template. In the template, you reference the objects in the Map by their key.

Note that the template is pre-compiled for performance reasons. You can use something like FileUtils.readFileToString(File) to read a template file into a String.

Summary

Good

I liked:

  • Speed is excellent. Most of the time spent building the User Agent Database goes to writing graphs and parsing log files, however.
  • Clean syntax. Cleaner than everything Sun has ever produced, but probably not as clean and simple as Velocity.
  • Supports arbitrary methods. Velocity makes it hard to use static methods and does not support operations on arrays at all.

Bad

Not all is nice however. I did not like the following:

  • No streaming output. All output is cached in RAM before it can be written to a file.

Do you use a templating engine/expression language? Maybe you use Velocity, OGNL, FreeMarker, StringTemplate or something else entirely? Please post a comment if you do.


“Toata dragostea mea pentru” Vulnerability Scanners

Posted 2009-01-16 in Spam by Johann.

I have many visits from people who are interested in vulnerability scanners, whether libwww-perl or the “Toata dragostea mea pentru diavola” scanners.

Requests

Here are all requests made by them. They did change user agents in the meantime to something cloaked – their latest one is

62.75.224.201 … "GET /roundcubemail-0.1/bin/msgimport HTTP/1.1" 403 4131 "-" "Toata dragostea mea pentru god    (god     is a girl and this is not a pbot or a browser)"

I wonder what they were smoking…

  • /bin/configure?action=image
  • /bin/msgimport
  • /bt/login_page.php
  • /bug/login_page.php
  • /bugs/login_page.php
  • /bugtrack/login_page.php
  • /bugtracker/login_page.php
  • /cgi-bin/configure?action=image
  • /cube/bin/msgimport
  • /domain_default_page/index.html
  • /email/program/js/list.js
  • /issue/login_page.php
  • /issuetracker/login_page.php
  • /login_page.php
  • /mail/bin/msgimport
  • /mail/program/js/list.js
  • /mail/roundcube/bin/msgimport
  • /mantis/login_page.php
  • /mantisbt/login_page.php
  • /msgimport
  • /portal/login_page.php
  • /program/js/list.js
  • /projects/login_page.php
  • /rc/bin/msgimport
  • /rc/program/js/list.js
  • /round/bin/msgimport
  • /roundcube-0.1/bin/msgimport
  • /roundcube//bin/msgimport
  • /roundcube/bin/msgimport
  • /roundcube/program/js/list.js
  • /roundcubemail-0.1/bin/msgimport
  • /roundcubemail-0.2/bin/msgimport
  • /roundcubemail/bin/msgimport
  • /roundcubemail/program/js/list.js
  • /roundcubewebmail/bin/msgimport
  • /support/login_page.php
  • /tag/configure?action=image
  • /tracker/login_page.php
  • /twiki/bin/configure?action=image
  • /vhcs/domain_default_page/index.html
  • /vhcs2/domain_default_page/index.html
  • /webmail/bin/msgimport
  • /webmail/program/js/list.js
  • /webmail/roundcube/bin/msgimport
  • /wiki/bin/configure?action=image
  • /wiki/cgi-bin/configure?action=image
  • /wiki/cgi/configure?action=image
  • /wikis/bin/configure?action=image
  • HTTP/1.1

The last line is not a mistake – their code just makes malformed HTTP requests. They also do not send any host headers with the requests. In other words, they do not have a list of domains they’re scanning, just IP addresses. Maybe not even that.

Targets

Just by going through the list of requests, we can see

  • webmail systems,
  • bug tracking software,
  • Wikis and
  • unspecified login pages.

Tips

How can you harden your web server against these attacks?

  • No default paths. Never install web applications in default paths suggested by installation instructions.
  • Remove footprints. Most web applications leave notes in the HTML. “Powered by WordPress” is a very common one. Make sure you remove the most obvious hints.
  • No default web sites. Make sure a host header is required. Try wget -d http://<your IP address>. You should not get your home page back.
  • Have a strategy for other types of web abuse: spamtraps, the ability to block by IP netblock and user agent, firewalls.
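A small log-triage script, added here as an example and not part of the original post, that flags the fingerprints described above: the scanner User-Agent strings, the probed application paths and the bare "HTTP/1.1" request line. It assumes the Apache combined log format; the sample lines are constructed with RFC 5737 test addresses.

```python
import re
from collections import Counter

# Apache "combined" log line: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Signatures taken from the post: the scanners' User-Agent strings and the
# tails of the application paths they probe.
SCANNER_AGENTS = ("Toata dragostea mea pentru", "libwww-perl")
PROBE_PATHS = ("/msgimport", "/login_page.php", "/configure?action=image",
               "/domain_default_page/index.html", "/program/js/list.js")

def classify(line):
    """Return the reasons a log line looks like scanner traffic ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable log line"]
    reasons = []
    # A well-formed request line is "METHOD PATH VERSION"; the post notes the
    # scanner also sends a bare "HTTP/1.1", which the server logs as-is.
    parts = m.group("request").split(" ")
    path = parts[1] if len(parts) == 3 else ""
    if len(parts) != 3:
        reasons.append("malformed request line")
    if any(path.endswith(p) for p in PROBE_PATHS):
        reasons.append("known probe path")
    if any(sig in m.group("agent") for sig in SCANNER_AGENTS):
        reasons.append("scanner user agent")
    return reasons

def suspicious_ips(lines):
    """Count flagged requests per client IP, as input for netblock blocking."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and classify(line):
            hits[m.group("ip")] += 1
    return hits

# Constructed sample log lines (RFC 5737 test addresses, not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jan/2009:10:00:01 +0100] "GET /roundcube/bin/msgimport HTTP/1.1" 403 4131 "-" "Toata dragostea mea pentru diavola"',
    '192.0.2.10 - - [16/Jan/2009:10:00:02 +0100] "GET /mantis/login_page.php HTTP/1.1" 404 289 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [16/Jan/2009:10:00:03 +0100] "HTTP/1.1" 400 226 "-" "-"',
    '192.0.2.20 - - [16/Jan/2009:10:01:00 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0"',
]
```

Because the combined format does not record the Host header, the missing-host check from the tips above needs a log format that includes it (for example a `%{Host}i` field in Apache) before it can be added to this script.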

