Thursday, February 27, 2014 and Facebook likejacking

Share/Bookmark, a Vietnamese startup invested by CyberAgent Ventures last year (

I am watching around and noticed that they are doing shit-trick called facebook likejacking as the screenshot below:

A POST request to facebook will be generated when you click the close button at the top-right corner.
It was blocked by my antivirus, sorry foody!

Look into the detail header of this request:

Request URL:
Request Headers CAUTION: Provisional headers are shown.

Content-Type: application/x-www-form-urlencoded



Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36

Form Data
fb_dtsg: AQDBhOAV
action: like
__user: 1117881115
__a: 1
__dyn: 7wfGbwKBAo
__req: 1
ttstamp: 265816866104796586
__rev: 1139153

So what happens behind that? The hidden like button is under the close button. By modifying css  it will appear:

Javascript function to check status of the current user to do their rat trick:
window.fbAsyncInit = function () {
        appId: "395614663835338",
        channelUrl: "",
        status: !0,
        cookie: !0,
        xfbml: !0,
        frictionlessRequests: !0
    }), $(function () {
        var a = $("#fbLike");
        a.length > 0 && FB.getLoginStatus(function (b) {
            if (b.status == "not_authorized" || b.status == "connected") {
                var c = $.cookie("fbCookie");
                c ? a.remove() : $(document).mousemove(function (b) {
                        left: b.pageX - 15 + "px",
                        top: b.pageY - 3 + "px"
                    }), $(document.activeElement).attr("id") == "fbIframe" && ($.cookie("fbCookie", "1", {
                        expires: 5,
                        path: "/"
                    }), $.cookie("fbPro", provinceId || 217), a.remove())
You can see the detail source here:
Backup code: public.core.min.js_part1 , public.core.min.js_part2
At this time, foody's facebook page has more than 240k like, how many of them are real;)

//After the basic review above, now we can take a deeper inside the real likejacking of
See the video pls ;)... Dog tail appears soon!

Friday, February 21, 2014

Penetration Testing Addons For Firefox Browser


The majority of the penetration testers are using the Mozilla Firefox as a web browser for their pentest activities.This article will introduce the firefox addons that can be used for a web application penetration test.

1) Firebug

It is useful for the debugging tools that can help you tracking rogue javascript code on servers.

2) User Agent Switcher

You can use this extension to change the user agent of your browser.Useful for web application penetration tests that you want to check and the mobile versions of the websites.

3) Hackbar

Useful for SQL injection and XSS attacks.It includes also tools for URL and HEX encoding/decoding and many more.

4) HttpFox

Monitor and analyze all the incoming and outgoing HTTP traffic between your browser and the web server.

5) Live HTTP Headers

View the HTTP headers of a website instantly.

6) Tamper Data

View and modify HTTP/HTTPS headers and post parameters.

7) ShowIP

Shows the IP of the current page in the status bar.It also includes information like the hostname,the ISP,the country and the city.


Open Source Vulnerability Database Search.

9) Packet Storm search plugin

Search the packet storm database for exploits,tools and advisories.

10) Offsec Exploit-db Search

Search the Exploit-db archive.

11) Security Focus Vulnerabilities Search Plugin

Search for vulnerabilities in the Security Focus

12) Cookie Watcher

Watch the selected cookie in the status bar.

13) Header Spy

Shows HTTP Headers on status bar

14) Groundspeed

Manipulate the application user interface.

15) CipherFox

Displays the current SSL/TLS cipher and certificate on the status bar.

16) XSS Me

Tool for testing reflected XSS vulnerabilities.

17) SQL Inject Me

Extension to test SQL Injection vulnerabilities.

18) Wappalyzer

Discover technologies and applications that are used on websites.

19) Poster

Make HTTP requests,interact with web services and watch the output.

20) Javascript Deobfuscator

Show the JavaScript code that are running on web pages.

21) Modify Headers

Modify HTTP request headers.

22) FoxyProxy

Advanced proxy management tool.

23) FlagFox

Displays a country flag for the location of the web server.It also includes tools such as Whois,Geotool,Ping,Alexa etc.

24) Greasemonkey

Customize the way a webpage behaves by using small bits of JavaScript.

25) Domain Details

Displays Server Type, Headers, IP Address, Location Flag, and links to Whois Reports.

26) Websecurify

Useful for security assessments in web applications.

27) XSSed Search

Search the cross-site scripting database at XSSed.Com

28) ViewStatePeeker

ASP.NET viewstate viewer.

29) CryptoFox

CryptoFox is an encryption/decryption tool for cracking MD5 passwords.

30) WorldIP

Location of the web server,IP,Datacenter,Ping,Traceroute,RDNS,AS etc.

31) Server Spy

Unveils the technology of the web server (Apache, IIS etc.)

32) Default Passwords

Search default password database.

33) Snort IDS Rule Search

Search for Snort IDS Rules.

By pentestlab

Phalcon, Python, NodeJS or even PHP on the battle of benchmark

Well, developers are surrounded by many stuffs mentioned on the title. Those things have their own market ...
Just have a look then make your choice...

We have some results of performance benchmark below, that all basic testing with response of "Hello World!" and we will move on a more advanced environment testing later. Then we will have RMDB, NoSQL, Session or anythings else that these stuffs often work with.

Nah, let's see:

NginX serve html file.

PHP-FPM + NginX, default configuration, what a downgrade :))

Oh wait, see what happened after some changes of configuration. Take care about min_spare_servers, max_spare_servers, start_servers ... they depend on your server resource, don't leave them GROSS.

Ok, now PHP APC but APC has issues with PHP version 5.5, don't upgrade your PHP server or you must use other one.

Meanwhile, built-in PHP Opcode gave a peak.

Ah, by the way have you ever heard about PHP Built-in Web Server?
They came from 5.4.0. php -S localhost:2000

Not bad huh?

So, people are messing around : Hey guy, do you know NodeJS? What the *beep* is it?
Hohoho, I think they said that it's blazing fast...
Ah, result above taken with single core CPU because by default NodeJS use single core of CPU.
How about add more CPU core? Okay, cluster gives you a hand. npm install cluster
The more you add the more you get :v

Phalcon, a PHP framework installed as a module. easy as f***
By the way, Phalcon testing result above came from a little difference structure.
I did it like a minimal application:
                    |---------index.php(where the request attack :v)

So don't give it a f*** because the low number from the test. We will build other ones as minimal application someday later to have their fair ;)

The last guy, Tornado from Python world. Non-blocking HTTP server, right?
Good enough?
No, I spent long time with these guys and now need a rest. Result with more complicated application will be added later.

See ya!!!