Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Bookmarklets
Posted by: rsnake
Date: December 05, 2006 12:29PM

As I'm putting together the list of bookmarklets I thought it would be a good idea to write one to automatically look for redirects, but for the life of me I can't figure out why this isn't working:

<A HREF="http://www.google.com/?http:%2F%2Fwww.asdf.com/">test2</A>
<A HREF="javascript:(
function(){
for (i=0; i < document.links.length; i++) {
if (document.links.href.match(/http:\/\/.*http(:|%3A)(\/|%2F)(\/|%2F)/i)){
alert(document.links);
}
}
})();">test</A>


It works if you strip it out of a link and put it into a script tag... any ideas?

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Bookmarklets
Posted by: jungsonn
Date: December 05, 2006 12:42PM

You know that a bookmarklet must be on 1 single line? by using semicolons between statements?
and what i remember that there is a 255 char limit for bookmarklets.

Options: ReplyQuote
Re: Bookmarklets
Posted by: maluc
Date: December 05, 2006 02:59PM

there's also links like this to look out for: <a href="NewAccount?continue=http%3A%2F%2Fwww.google.com%2F&amp;hl=en">

so it might be smarter to use 'x= blah.lastIndexOf(regex without first http);if(x!=0 && x!=-1) save'

and support for https:// and ftp:// which ima add now. but anyway, your problem was that the two %2F need to be %252F .. becuz in a GET link they get resolved to / which ends the match() regex prematurely.

also added in support for http://a.com/redir?http%253A%252F%252Fblah.com .. which needs the %25253A

javascript:(function(){
for (i=0; i < document.links.length; i++) {
if (document.links.href.match(/http:\/\/.*(http|ftp|https)(:|%253A|%25253A)(\/|%252F|%25252F)(\/|%252F|%25252F)/i)){
alert(document.links);
}
}
})();

but ya, should probably switch over to lastIndexOf

-maluc

Options: ReplyQuote
Re: Bookmarklets
Posted by: maluc
Date: December 05, 2006 04:01PM

okie.. i take that back. it does indeed find links like <a href="NewAccount?continue=http%3A%2F%2Fwww.google.com%2F&amp;hl=en"> already..

plus, it doesn't look like lastIndexOf allows regex anyway.. oops.

so stick with that one then.. unless someone thinks of a way to add support for http://test.com?page=asdf.com - without too many false positives

-maluc

Options: ReplyQuote
Re: Bookmarklets
Posted by: rsnake
Date: December 05, 2006 04:58PM

Jungsonn, even putting it on one line doesn't help, and 255 is not correct, they can be huge. Case in point:

javascript:(function(){ function selectColor(i) { return [%22#fdc%22, %22#cdf%22, %22#bfd%22, %22#dbf%22, %22#fbd%22] [i%5]; } var u=location.href, ul=u.length; var tparts=[%22%22], zparts=[], nz=0; function isDigit(c) { return (%220%22 <= c && c <= %229%22); } for (i=0; i<ul; ) { for (; i<ul && !isDigit(u.charAt(i)); ++i) tparts[nz] += u.charAt(i); if(i<ul) { zparts[nz]=%22%22; for (; i<ul && isDigit(u.charAt(i)); ++i) zparts[nz] += u.charAt(i); tparts[nz+1]=%22%22; ++nz; } } if(!nz) { alert(%22No numbers in URL.%22); return; } D=window.open().document; D.write(); D.close(); function a(n) { A(D.body,n); } function A(p,n) { p.appendChild(n); } function E(q) { return D.createElement(q); } function cT(t) { return D.createTextNode(t) } function cBR() { return E(%22br%22); } function cS(t,ci) { var s=E(%22span%22); s.style.background=selectColor(ci); s.style.fontWeight=%22bold%22; A(s, cT(t)); return s; } function cTB(v,oc) { var b=E(%22input%22); b.size=6; b.value=v; b.addEventListener(%22input%22, oc, false); return b; } function cCB(t,oc) { var L=E(%22label%22), b=E(%22input%22); b.type=%22checkbox%22; b.checked=true; b.onchange=oc; A(L,b); A(L,cT(t)); return L; } function cL(nz,tparts,zparts) { var L=E(%22a%22); var u=%22%22; for (var i=0; i<nz; ++i) { A(L,cT(tparts)); A(L,cS(zparts, i)); u += tparts+zparts; } A(L,cT(tparts[nz])); u += tparts[nz]; L.href=u; L.target=%22_blank%22; return L; } a(cT(%22Original URL: %22)); a(cBR()); a(cL(nz, tparts, zparts)); a(cBR()); a(cBR()); var fromBoxes=[], toBoxes=[], padChecks=[]; for (i=0; i<nz; ++i) { a(cT(%22Run %22)); a(cS(zparts, i)); a(cT(%22 from %22)); a(fromBoxes=cTB(zparts, listURLs)); a(cT(%22 to %22)); a(toBoxes=cTB(zparts, listURLs)); a(cT(%22 (%22)); a(j=cCB(%22 Pad with zeroes to maintain length%22, listURLs)); padChecks=j.childNodes[0]; a(cT(%22)%22)); a(cBR()); } a(cBR()); resultDiv=E(%22div%22); a(resultDiv); listURLs(); function listURLs() { while (resultDiv.childNodes.length) resultDiv.removeChild(resultDiv.childNodes[0]); var lows=[], highs=[]; for (i=0; i<nz; ++i) { lows=parseInt(fromBoxes.value, 10); highs=parseInt(toBoxes.value, 10); if(highs-lows > 999) { A(resultDiv, cT(%22Too many%22)); return; } } urls=[]; function cb(sta) { var newzparts=[]; for (var i=0; i<nz; ++i) { var z=%22%22+sta; if(padChecks.checked) while (z.length < zparts.length) z=%220%22+z; newzparts=z; } A(resultDiv, cL(nz, tparts, newzparts)); A(resultDiv, cBR()); } fors(nz, cb, lows, highs); } function fors (n, callback, lows, highs) { function fors_inner (states, v) { if(v >= n) callback(states); else for (states[v]=lows[v]; states[v] <= highs[v]; ++(states[v])) fors_inner(states, v+1); } fors_inner ([], 0); } })()


So my question stands.... why isn't my original bookmarklet working?

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Bookmarklets
Posted by: maluc
Date: December 05, 2006 05:07PM

?.? your original bookmarklet works for me, just by changing %3A to %253A .. and the two %2F to %252F

-maluc

Options: ReplyQuote
Re: Bookmarklets
Posted by: rsnake
Date: December 05, 2006 08:17PM

Damnit. Now I see what you're saying. Gah! Thank you maluc.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Bookmarklets
Posted by: jungsonn
Date: December 05, 2006 08:28PM

Nice they'dd change the char limit, i rememer back in the days from netscape 4+ that there was a 255 or 250 char limit, anywhere in that range.

Options: ReplyQuote
Re: Bookmarklets
Posted by: rsnake
Date: December 05, 2006 08:50PM

Kay, updated the bookmarklets page: http://ha.ckers.org/bookmarklets.html

Thanks again, maluc. That was really throwing me for a loop.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Bookmarklets
Posted by: Kyran
Date: December 06, 2006 02:13AM

Just wanna note, most of those are already in Opera. :P

But thanks for the update!

- Kyran

Options: ReplyQuote
Re: Bookmarklets
Posted by: maluc
Date: December 06, 2006 03:14AM

rsnake: happy to help ^^

kyran: most? which ones can be done in opera aside from Edit Cookies.

Opera can zoom in pages with +/- (as can firefox with Ctrl +/-) .. but it can't zoom in images alone.

Everything else, i don't see in Opera

-maluc

Options: ReplyQuote
Re: Bookmarklets
Posted by: Kyran
Date: December 06, 2006 01:36PM

Increment and decrement. Fast Forward and Rewind, but with better functionality.
Well, you can use the zoom to zoom in then press 6 to set the page back to normal quickly. And the cookie editor. The other ones are in Opera, but are more obscure. (UserJS or GM SCript)

- Kyran

Options: ReplyQuote
Re: Bookmarklets
Posted by: rsnake
Date: December 06, 2006 01:43PM

Yes but then we would have to use Opera. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Bookmarklets
Posted by: Kyran
Date: December 07, 2006 03:46AM

:(
I'd rather start browsing Gopher+ sites than not use Opera.

- Kyran

Options: ReplyQuote
Re: Bookmarklets
Posted by: Anonymous User
Date: December 28, 2006 06:25AM

Hi!

[edit]
I have added some lines to highlight generated images purple
[/edit]

I have customized some of your work for my needs and maybe you could need this one.

it is pretty simple - all it does is highlight all links and forms. Redirects are highlighted red, links with parameters are highlighted orange, links with more than 3 slashes yellowish-greenish (could be rewritten links with params) and all other links in tasty grass green.

the forms are highlighted bright blueish and the hidden fields are made visible and highlighted blue.

here's the source:

[uncompressed]
javascript:( function(){
for(i=0; i < document.forms.length; i++){
document.forms.style.border = '1px solid #C3D9FF';
document.forms.style.backgroundColor = '#C3D9FF';
for(j=0; j < document.forms.elements.length; j++){
if(document.forms.elements[j].type == 'hidden'){
document.forms.elements[j].type = 'text';
document.forms.elements[j].style.border = '1px solid #0000CC';
document.forms.elements[j].style.backgroundColor = '#0000CC';
document.forms.elements[j].style.color = '#FFFFFF';
}
}
}
for (i=0; i < document.links.length; i++) {
document.links.style.border = '1px solid #15BF0B';
document.links.style.backgroundColor = '#15BF0B';
if (document.links.href.match(/http:\/\/.*\/.*\//i)){
document.links.style.border = '1px solid #9CBF0B';
document.links.style.backgroundColor = '#9CBF0B';
}
if (document.links.href.indexOf('?') != '-1'){
document.links.style.border = '1px solid #FFA70F';
document.links.style.backgroundColor = '#FFA70F';
}
if (document.links.href.match(/http:\/\/.*http(:|%253A)(\/|%252F)(\/|%252F)/i)){
document.links.style.border = '1px solid #DF0D0D';
document.links.style.backgroundColor = '#DF0D0D';
}
}
for (i=0; i < document.images.length; i++) {
if (document.images.src.indexOf('?') != '-1'){
document.images.style.border = '3px solid #CF0CCB';
document.images.style.backgroundColor = '#CF0CCB';
}
}
}
)();


[compressed]
javascript:eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('y:(z(){d(i=0;i<2.5.e;i++){2.5.3.6=\'9 8 #q\';2.5.3.7=\'#q\';d(j=0;j<2.5.a.e;j++){b(2.5.a[j].p==\'A\'){2.5.a[j].p=\'C\';2.5.a[j].3.6=\'9 8 #r\';2.5.a[j].3.7=\'#r\';2.5.a[j].3.u=\'#v\'}}}d(i=0;i<2.4.e;i++){2.4.3.6=\'9 8 #h\';2.4.3.7=\'#h\';b(2.4.g.l(/f:\\/\\/.*\\/.*\\//i)){2.4.3.6=\'9 8 #s\';2.4.3.7=\'#s\'}b(2.4.g.m(\'?\')!=\'-1\'){2.4.3.6=\'9 8 #k\';2.4.3.7=\'#k\'}b(2.4.g.l(/f:\\/\\/.*f(:|%x)(\\/|%o)(\\/|%o)/i)){2.4.3.6=\'9 8 #n\';2.4.3.7=\'#n\'}}d(i=0;i<2.c.e;i++){b(2.c.w.m(\'?\')!=\'-1\'){2.c.3.6=\'B 8 #t\';2.c.3.7=\'#t\'}}})();',39,39,'||document|style|links|forms|border|backgroundColor|solid|1px|elements|if|images|for|length|http|href|15BF0B|||FFA70F|match|indexOf|DF0D0D|252F|type|C3D9FF|0000CC|9CBF0B|CF0CCB|color|FFFFFF|src|253A|javascript|function|hidden|3px|text'.split('|'),0,{}))


Greetings!
.mario



Edited 3 time(s). Last edit at 12/28/2006 07:28AM by .mario.

Options: ReplyQuote
Re: Bookmarklets
Posted by: rsnake
Date: December 28, 2006 11:26AM

For the parameter one it should also find anything with an equals sign or a question mark. I had to modify this slightly to make it into a book-marklet (had to change your double quotes into single quotes):

<A HREF="javascript:eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('y:(z(){d(i=0;i<2.5.e;i++){2.5.3.6=\'9 8 #q\';2.5.3.7=\'#q\';d(j=0;j<2.5.a.e;j++){b(2.5.a[j].p==\'A\'){2.5.a[j].p=\'C\';2.5.a[j].3.6=\'9 8 #r\';2.5.a[j].3.7=\'#r\';2.5.a[j].3.u=\'#v\'}}}d(i=0;i<2.4.e;i++){2.4.3.6=\'9 8 #h\';2.4.3.7=\'#h\';b(2.4.g.l(/f:\\/\\/.*\\/.*\\//i)){2.4.3.6=\'9 8 #s\';2.4.3.7=\'#s\'}b(2.4.g.m(\'?\')!=\'-1\'){2.4.3.6=\'9 8 #k\';2.4.3.7=\'#k\'}b(2.4.g.l(/f:\\/\\/.*f(:|%x)(\\/|%o)(\\/|%o)/i)){2.4.3.6=\'9 8 #n\';2.4.3.7=\'#n\'}}d(i=0;i<2.c.e;i++){b(2.c.w.m(\'?\')!=\'-1\'){2.c.3.6=\'B 8 #t\';2.c.3.7=\'#t\'}}})();',39,39,'||document|style|links|forms|border|backgroundColor|solid|1px|elements|if|images|for|length|http|href|15BF0B|||FFA70F|match|indexOf|DF0D0D|252F|type|C3D9FF|0000CC|9CBF0B|CF0CCB|color|FFFFFF|src|253A|javascript|function|hidden|3px|text'.split('|'),0,{}))">highlight</A>

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Bookmarklets
Posted by: Anonymous User
Date: December 28, 2006 11:40AM

Yeah I know - javascriptcompressor.com inserted the double quotes. I am currently using dojo shrink safe - you can just replace all double quotes after the compression and it still works.

I am currently working on this bookmarklet and will post a link to get the final when ready - I think a little box where you can see, what external ressources besides the images are loaded could be useful. also a little bit of 'beautifying' is being done ;)

thx for the feedback!

Options: ReplyQuote
Re: Bookmarklets
Posted by: Anonymous User
Date: December 28, 2006 03:10PM

okay - i'm done for today. please tell me what you guys think or how this tool could be improved..

here's the blogpost
http://mario.heideri.ch/security-bookmarklet/

here's the bookmarklet install page
http://mario.heideri.ch/downloads/lfhighlighter.html

Greetings,
.mario

Options: ReplyQuote
Re: Bookmarklets
Posted by: rsnake
Date: December 28, 2006 10:28PM

Very cool... this might also help out people who have white on white links for SEO, as it makes them visible.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Bookmarklets
Posted by: Kyran
Date: December 29, 2006 09:08PM

http://optools.awardspace.com/bmlet.html

My favorite two. There is a hidden value in a form and a few test JS variables. One is a new XMLHttpRequest().

Try them out on those pages.

- Kyran

Options: ReplyQuote
Re: Bookmarklets
Posted by: Kyran
Date: February 01, 2007 05:10PM

Updated it with two from the Opera devs.

- Kyran

Options: ReplyQuote
Re: Bookmarklets
Posted by: kuza55
Date: February 03, 2007 06:59AM

Hmmm, I somehow missed that last year, but the Show JS vars one is very nice, and I think I'll keep using it, so thanks, :D, oh btw - would you care to email the developer of the web developer toolbar (I think its Chris Pedrick) to see if he would include it in his extension, because while bookmarklets are useful, having things in manageable packages is generally easier.....

Options: ReplyQuote
Re: Bookmarklets
Posted by: rsnake
Date: February 04, 2007 10:13PM

While you're at it can you ask him to make a shortcut key for the change GET to POST method and also get him to add "View Generated Source" to the context menu. Those are the two most useful parts of his tool for web app sec by far and they are also both buried.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Bookmarklets
Posted by: Kyran
Date: February 05, 2007 12:25AM

The latest version of Opera has a early developer console, including the CSS Editor and DOM viewer. But, I will look into the GET/POST switcher and View Generated Source.

- Kyran

Options: ReplyQuote
Re: Bookmarklets
Posted by: rsnake
Date: March 11, 2007 12:48AM

FYI, I contacted Chris Pederick (the guy who wrote WebDeveloper) and he will be including keyboard shortcuts in a future version. Whew! Good to know:

http://chrispederick.com/work/webdeveloper/documentation/todo/

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Bookmarklets
Posted by: jungsonn
Date: March 11, 2007 07:58PM

Looks very cool .mario! but it's rather slow on my browser, any suggestions to make it perform faster?

Options: ReplyQuote
Re: Bookmarklets
Posted by: Anonymous User
Date: March 12, 2007 03:43AM

thanx, jungsonn!

unfortunately i haven't had any time to work on the lfh for weeks. if i will sometime in the next weeks i will focus on that and on some other issues already reported... there's still some problems with the form scanner and i would like to implement the ability to test with xss fragments.

Greeting,
.mario

Options: ReplyQuote
Re: Bookmarklets
Posted by: psifertex
Date: March 30, 2007 11:21PM

btw, it's possible in FF to bind a hotkey to a bookmarklet using keyconfig. I use one for my genpass bookmarklet (http://labs.zarate.org/passwd/) for password generation (I know bookmarklets like this are subvertable, but actually noscript helps tremendously -- the bookmarklet can act on the DOM of the page, but no JS from the page itself is rendered helping protect against the page js attempting to steal the master genpass password).

http://ask.metafilter.com/23032/How-do-I-assign-a-hotkey-to-a-Firefox-bookmark

Also, while we're on the subject of bookmarklets, my absolute favorite was the javascript shell from squarefree.com -- at least until firebug came out. I still use it though when I'm on other machines. So handy.

Options: ReplyQuote
Re: Bookmarklets
Date: March 31, 2007 03:02AM

btw, for all of you bookmarklets coders, I've created a firefox plugin that allows you to build/edit bookmarklets if you have Firebug and also autorun them just like in Greasemonkey. You can specify the execution order of the bookmarklets which is really cool since you may do stuff like loading some libraries first and then run the specific functionalities that you need. The extension is super small and extremely fast. You can install it from here:

http://www.gnucitizen.org/projects/technika/

Options: ReplyQuote
Re: Bookmarklets
Posted by: jungsonn
Date: April 17, 2007 04:38AM

Cool PDP, I just installed it to brush up my knowledge with JavaScript bookmarklets, I'm not so experienced in it.

I really got interested in these things sicne the breaking of the heyes Captcha with JavaScript, I never looked at the possibility of using that. yes, might be called ignorance, but in any case it opened up my eyes far more. And I have to give trev credit when he said I didn't understand JavaScript. Well, I understand how to write it, but I missed a very huge point; what JavaScript is capable off.

Options: ReplyQuote


Sorry, only registered users may post in this forum.