Friday, January 10, 2014

Recursively Minify a JavaScript and CSS Folder with Yahoo YUI Compressor and MSBuild: a quick hack

Yahoo! UI Library's YUI Compressor is a Java project, but a .NET port of it is available here.

A NuGet package and good documentation are available here, but after a quick check I found it easier to use with a quick hack.

Create a quick MVC project and install the package from the Package Manager Console.

Collect these three DLLs:

  • Yahoo.Yui.Compressor.Build.MsBuild.dll (packages\YUICompressor.NET.MSBuild.2.3.0.0\lib)
  • Yahoo.Yui.Compressor.dll (packages\YUICompressor.NET.MSBuild.2.3.0.0\lib)
  • EcmaScript.NET.dll  (packages\EcmaScript.Net.1.0.1.0\lib\net20)

Now modify or create an “MSBuild.proj” XML file. A sample file can be found under

“packages\YUICompressor.NET.MSBuild.2.3.0.0\Samples\YUICompressor\MSBuild.proj”

The MSBuild syntax to include a folder recursively is

<JavaScriptFiles Include="Scripts\**\*.js"/> 

To write each minified file next to its source, use OutputFile="%(RelativeDir)%(JavaScriptFiles.Filename).min.js" in JavaScriptCompressorTask. The %(...) item-metadata references make MSBuild batch the task once per source file instead of concatenating every input into a single output file.

Here is my final “MSBuild.proj” file:

<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/MsBuild/2003">

  <UsingTask TaskName="CssCompressorTask" AssemblyFile="Yahoo.Yui.Compressor.Build.MsBuild.dll" />
  <UsingTask TaskName="JavaScriptCompressorTask" AssemblyFile="Yahoo.Yui.Compressor.Build.MsBuild.dll" />

  <Target Name="Minify">
    <ItemGroup>
      <!-- Exclude files that are already minified, otherwise a second run
           picks up foo.min.js and writes foo.min.min.js -->
      <JavaScriptFiles Include="Scripts\**\*.js" Exclude="Scripts\**\*.min.js" />
    </ItemGroup>

    <!-- %(RelativeDir) and %(Filename) batch the task once per source file,
         so foo.min.js lands beside foo.js instead of one concatenated output -->
    <JavaScriptCompressorTask
      DeleteSourceFiles="false"
      CompressionType="Standard"
      ObfuscateJavaScript="false"
      PreserveAllSemicolons="False"
      DisableOptimizations="No"
      EncodingType="Default"
      LineBreakPosition="-1"
      LoggingType="Info"
      ThreadCulture="en-au"
      IsEvalIgnored="false"
      SourceFiles="@(JavaScriptFiles)"
      OutputFile="%(RelativeDir)%(JavaScriptFiles.Filename).min.js" />

  </Target>
</Project>



I copied all the DLLs and scripts into a temporary directory so I would not have to worry about relative path locations and other hassles.




Now open a Developer Command Prompt, navigate to your directory and type “msbuild”.


Bingo: you have all your JavaScript minified to *.min.js, recursively.

Turn on/off $log in AngularJS completely

AngularJS 1.1.2 and later provide $logProvider.debugEnabled(false) to stop debug logging. However, this only silences calls such as $log.debug(‘happy log’); the other methods, such as $log.info(‘this is from log info’), $log.warn and so on, keep logging, and $logProvider.debugEnabled(false) does not stop them. Here is a code snippet that silences those as well:
// in production this should be true
if (config.isProduction) {
    // debugEnabled(false) only silences $log.debug
    $logProvider.debugEnabled(false);
    // each decorator replaces one $log method with angular.noop
    $provide.decorator('$log', ['$delegate', function ($delegate) {
        $delegate.table = angular.noop;
        return $delegate;
    }]);
    $provide.decorator('$log', ['$delegate', function ($delegate) {
        $delegate.info = angular.noop;
        return $delegate;
    }]);
    $provide.decorator('$log', ['$delegate', function ($delegate) {
        $delegate.warn = angular.noop;
        return $delegate;
    }]);
    $provide.decorator('$log', ['$delegate', function ($delegate) {
        $delegate.error = angular.noop;
        return $delegate;
    }]);
}

How does this work? AngularJS can be extended in many ways, and $provide.decorator can extend or override a service implementation. The snippet above replaces the internal implementation of each method with angular.noop, which does nothing. Silencing verbose logging in production also keeps internal details (API paths, response bodies, identifiers) out of the browser console, where anyone using your site can read them. Note that the snippet also silences $log.error, so client-side failures will no longer appear in the console either; keep that method live if you rely on it for diagnostics.

You can also extend $log to expose console.table, supported by Chrome, in the following way:
$provide.decorator('$log', ["$delegate", function ($delegate) {
    $delegate.table = function () {
        // forward the arguments as-is; passing the arguments object itself
        // would render a table of argument indices instead of the data
        console.table.apply(console, arguments);
    };
    return $delegate;
}]);

Now $log.table() is available throughout the module, and the output is much friendlier when working with tabular data.
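The two snippets above (silencing $log methods in production and adding $log.table) can be combined into one decorator. The following is an added example, not code from the original post: it folds the separate $provide.decorator('$log', ...) calls into a single decorator, keeps $log.error live so real failures still surface, and falls back to $log.log when the console has no table(). The config object with an isProduction flag is an assumption, and the $delegate used in runDemo is a constructed fake so the decorator can be exercised without loading AngularJS.

```javascript
// Added example (not from the original post). Assumes a config object with an
// isProduction flag; the fake $log below is constructed for the demo.

// $log methods that $logProvider.debugEnabled(false) leaves untouched.
const SILENCED_IN_PRODUCTION = ['log', 'info', 'warn'];

function noop() {}

// Builds the function passed as the last element of ['$delegate', fn] to
// $provide.decorator('$log', ...). In production it replaces log/info/warn
// with a no-op but keeps $log.error live; in every environment it adds
// $log.table, falling back to $log.log when the console has no table().
function makeLogDecorator(config, con) {
  const target = con || console;
  return function decorate($delegate) {
    if (config.isProduction) {
      SILENCED_IN_PRODUCTION.forEach(function (method) {
        $delegate[method] = noop;
      });
    }
    $delegate.table = function () {
      if (typeof target.table === 'function') {
        target.table.apply(target, arguments);
      } else {
        $delegate.log.apply($delegate, arguments);
      }
    };
    return $delegate;
  };
}

// Registration inside an AngularJS config block would look like this
// (angular and app are not defined in this file, so it stays a comment):
//   app.config(['$logProvider', '$provide', function ($logProvider, $provide) {
//     $logProvider.debugEnabled(!config.isProduction);
//     $provide.decorator('$log', ['$delegate', makeLogDecorator(config)]);
//   }]);

// Constructed stand-in for AngularJS's $log service: every method records its
// name and arguments so we can see what would have reached the console.
function makeFakeLog(calls) {
  const fake = {};
  ['log', 'info', 'warn', 'error', 'debug'].forEach(function (method) {
    fake[method] = function () {
      calls.push([method].concat(Array.prototype.slice.call(arguments)));
    };
  });
  return fake;
}

// Decorates a fake $log for the given environment, emits a few messages and
// returns the names of the methods that actually produced output.
function runDemo(isProduction, consoleHasTable) {
  const calls = [];
  const fakeConsole = consoleHasTable
    ? { table: function () { calls.push(['table'].concat(Array.prototype.slice.call(arguments))); } }
    : {};
  const $log = makeLogDecorator({ isProduction: isProduction }, fakeConsole)(makeFakeLog(calls));
  $log.info('request started');
  $log.warn('slow response');
  $log.error('auth failed');
  $log.table([{ user: 'alice', role: 'admin' }]);
  return calls.map(function (c) { return c[0]; });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('production      :', runDemo(true, true).join(','));   // error,table
  console.log('development     :', runDemo(false, true).join(','));  // info,warn,error,table
  console.log('no console.table:', runDemo(false, false).join(',')); // info,warn,error,log
}
```

In production only $log.error and $log.table reach the console; in development everything does, and on a browser without console.table the tabular output degrades to a plain $log.log call rather than throwing.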


Happy $logging.

Friday, September 30, 2011

OWASP’s herd of goat

Sorry for the weird title. Every security person knows about the OWASP WebGoat project, one of OWASP's most successful projects.

WebGoat is a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.


The following quote from the OWASP wiki explains why the name is WebGoat:

Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!

But there are also other OWASP goat projects that fewer people know about.

OWASP .NET Goat

One of them is OWASP .NET Goat, which can be found on CodePlex. OWASP .NET Goat is a WebGoat-style security learning application written in C#.


Another goat that joined recently is GoatDroid. owasp-goatdroid is also open source, found here, and is a fully functional training environment for exploring Android mobile application security.


What about the iPhone? Yes, OWASP owasp-igoat is for the Apple iPhone. The OWASP iGoat project is a security learning tool for iOS developers to learn about security weaknesses in iOS, by breaking things as well as fixing them.


OWASP-iGoat project home.

Happy learning… if anyone knows of other goats, please write a comment.

Tuesday, September 27, 2011

Web Application Analysis With OWASP Hatkit

Yet another proxy for analysing web applications. We already have WebScarab, Burp, Paros, ratproxy, OWASP ZAP, Fiddler and many more; now there is another one, OWASP Hatkit, released at DEF CON 19. The feature that may capture your attention is that it has a database to store all recorded data, which helps with further analysis. Hatkit uses MongoDB, where the parsed data is stored as JSON documents, so you can use MongoDB's advanced querying facilities and even other tools to view and analyse the data.

Now, how do you configure it on your favourite BackTrack? I tried it on BackTrack 5 R1. First you need to install MongoDB. If you have Synaptic installed, you should find MongoDB by searching the default repo. Obviously there are other ways to do it, but I took the simplest option.

Or just: $ sudo apt-get install mongodb

Next, download Hatkit itself from here. Direct link: hatkit_proxy-0.6.1.zip

Just extract it in /opt:
# ls
hatkit_proxy.jar  hatkit_proxy.sh  lib  LICENSE.txt  processors  README
# java -jar hatkit_proxy.jar


Hatkit has a web scraper converter; you need to locate its install path.


To analyse the data there is another project, OWASP Hatkit Datafiddler. It is a tool for performing analysis of the data stored in MongoDB, particularly HTTP traffic.

This tool can be downloaded from here. Direct link: hatkit_datafiddler-0.6.0.zip

$ unzip hatkit_datafiddler-0.6.0.zip
$ cd hatkit_datafiddler-0.6.0/
$ python datafiddler.py

You may get a dependency error for the Python MongoDB driver if you have not installed it before:

pymongo: Python driver for MongoDB
There are different ways of installing pymongo, but I installed it from source. Installing the pymongo Python driver for MongoDB from source is easy:
$ git clone https://github.com/mongodb/mongo-python-driver.git
$ cd mongo-python-driver
$ python setup.py install
Then, back in the hatkit_datafiddler-0.6.0/ directory:
$ python datafiddler.py



My first impression is that this tool still needs some UI improvement and needs to be a bit more user-friendly. I will try to update this post after more work with this tool, and I hope the tool keeps being updated.


More info: DEF CON conference slides here. OWASP project home here.

Friday, September 9, 2011

Registry Decoder

Registry Decoder provides a single tool in which to perform browsing, searching, analysis, and reporting of registry hive contents. All functionality is exposed through an intuitive GUI interface and accommodates even novice investigators.

Download http://code.google.com/p/registrydecoder/downloads/list

SWFREtools

The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files.

Current version is SWFRETools v1.4.0

Download https://github.com/sporst/SWFREtools/downloads

Pentest cheat sheet bookmark

Original sources and other sources