hijack
Provides an irb session to a running ruby process.
Hi basically I am lost in apples documentation and not sure where to start on this.
I need to record the audio from applications running on my system, similar to audio hijack and wiretap studio pro, but I am unsure where to start with the audio captuer. I see reference to quicktime capture documentation but it is not clear how to acheive what I require.
Ideally I want to be able to modify audio in/out from an application such as skype to record and manipulate (think novelty voice effects).
Any pointers where in the documentation I can look, or how to start with this?
Source: (StackOverflow)
It keeps running in my mind the last couple of days, but I read some articles about how to make your PHP sessions more secure. Almost all of these articles say that you need to save the useragent in the session WITH an additional salt. Something like this:
$fingerprint = md5('SECRET-SALT'.$_SERVER['HTTP_USER_AGENT']);
The salt would make it harder for an attacker to hijack or whatever the session. But WHY add a salt every time you would check it like this:
md5('SECRET-SALT'.$_SERVER['HTTP_USER_AGENT']) == $_SESSION [ 'fingerprint' ]
So WHY would a salt make it more secure, since the attacker still only needs the useragent (which is relativly a small set of different useragents) and the sessionid?
Probably something small I'm overlooking, but can't figure it out, drives me crazy haha
Thanks!
Source: (StackOverflow)
I just wrote a scraper process. It's a single file program — loads ActiveRecord, creates a couple models, defines a couple scraping functions, and then runs in a loop.
Sadly, I messed up a git command, and now the file itself is gone.
However, I do have one instance of the scraper currently running. I sent it SIGSTOP to prevent any possible error outs.
How can I attach to the process and get it to dump the code, such that I can copypaste it back into the .rb file?
I don't care about its stack trace or other random objects in RAM; those are completely unimportant, since it's written to be killable at any time without loss. I just want to not have to rewrite the damn thing.
https://github.com/ileitch/hijack seems like it'll let me attach a debugger to the running process, which is a good first step. But supposing I do that, then what?
FWIW, I have managed to recover ~60 lines of it using puts Readline::HISTORY.to_a.reverse.uniq.reverse from an irb console in which I was playing with the code. But I'd rather have the rest of it if I can.
Thanks!
ETA: https://github.com/ngty/sourcify is another possible link here.
ETA2: … phew, dropbox caught it. Should've thought to check that sooner. ><
So, no longer critical, but still curious if this can be done.
Source: (StackOverflow)
Go http pkg provide a Hijacker interface, can anyone tell when should I use it.
I check the comment, after a Hijack call lets the caller take over the connection, the HTTP server library will not do anything else with the connection.
I understand it as it's used to support both http request and common tcp interactive within one port. Is it right? Does it has any other benefits.
Source: (StackOverflow)
Lets say my silverlight app uses Webservice to for example perform login operation and acquire security token to allow further calls to webservice.
And webservice sets clientaccesspolicy to only allow my SL application.
If hijacker tries to host this app with no modification he wont be able to get anything to work, since his hosting address will be different (I hope I am correct here, if not call this Q1)
But instead he can mimic my webservice on his own platform, change SL to call his service instead of mine (which will allow access), and inside his webservice simply redirect all calls to my initially protected against silverlight calls, but unprotected against direct service calls service..
I think this apporach allows to steal my application without any problem, how would one protect against it, if what I write is correct? (Q2)
Calls to my service will be transparent to fiddler etc. its not that hard to creat mimic service and redirect SL to it I think.
Source: (StackOverflow)
Is there a way to "hijack" a file in subversion like there is in ClearCase. Googling so far has not given me a definitive answer. (For non ClearCase users) Hijacking a file means temporarily removing it from version control.
Source: (StackOverflow)
Yesterday, I read some nice articles about how to prevent Json Hijacking with Asp.Net MVC. The rule is: never send sensible data in json format over a get request. With a simple search on google, you can easily learn how to define a script that will be use to extract data from another use with the help of his auth cookie.
But after reading all these articles, I don't know why it's not possible to do Json Hijacking with Ajax Jquery post request. I read that Ajax requests are subject to the same origin policy but JQuery have a property to be able to do cross-domain request.
In this case, is it possible to do Json Hijacking with a script using $.postJSON on the document ready event? If yes or no, could you explain my exactly why?
Here is a simple bunch of code to do what I'm thinking:
$.postJSON = function (url, data, callback) {
$.post(url, data, callback, "json");
};
<script>
$(function(){
$.postJSON("/VulnerableSite/ControllerName/ActionName",
{ some data parameters }, function() {
// Code here to send to the bad guy the data of the hacked user.
}
});
</script>
Thank you very much.
Source: (StackOverflow)
I'm using Lync to share my Visual Studio screen with another developer (this issue aside, environment has a bias toward Lync).
When I press Ctrl-Shift-S to "Save All" in Visual Studio, Lync intercepts the keyboard shortcut and performs its "Stop sharing your screen" command.
I see no way to change Lync keyboard shortcuts.
How can I prevent Lync from intercepting Visual Studio's "Save All" keyboard shortcut?
Source: (StackOverflow)
This was inadvertent on my part. I was installing a DivX upgrade and the "Install blah blah" checkbox (I only got a quick glance) was checked by default - on Mac OS, certain windows and application can steal my "focus" away from me so if I hit ENTER while I'm in, say TextWrangler, but the installer window steals my focus just before I hit ENTER and the "Install Conduit Search" is already checked, well, this add-on gets installed before I can stop it from happening! I hate that behavior on Mac OS passionately.
Now, I'm trying to remove it. Mostly because I hate the fact that Bing appears all over the place. I hate Bing, too.
Anyway, I followed instructions here: https://support.mozilla.org/en-US/questions/713710 and here: http://community.conduit.com/Community/Forum/Community-Toolbar.aspx?threadid=35114 but about:config doesn't contain anything, nor does "Add-ons", Extension, or Plug-ins...nor does /Library/InputManager/
Right now, I have removed all traces of Bing and Conduit found in "Manage Search Engines" and anything in about:config, but a 404 page still redirects to the "Whoops! The page could not be found. Try giving it another chance below." and at the bottom of the page, it says "Why did I get this page?". When I click on "Why did I get this page?", it tells me because I installed "Community Toolbar", which I guess I did, but I see no signs of it what-so-ever. The Plugins and Extensions settings for my Firefox do not contain anything that I'm not familiar with and most certainly don't contain anything about Conduit or Community or even Toolbar for that matter. If I go to "View" > "Toolbars", the only thing listed there is "Navigation" and "Bookmarks". There is an "Add-on Bar" but when I enable/disable, it appears to only be for my 1Password App.
I am stumped. I like to keep my browsers lean and mean and not install any of this crap. I'm not sure why I chose to install DivX in the first place but that's another lesson for another day.
The goal at hand is to get rid of this Conduit/Bing crap. Conduit's customer service is pretty non-existent, as expected.
The only sign that it exists is when I go to a URL and get a 404 page, it takes me to search.conduit.com rather than just a 404 page. In about:config, there is a "alternate_error_page" key listed but its value is "blocked", meaning "about:blocked" is how you see why a page was blocked.
I don't know where else to turn. Please help!
Source: (StackOverflow)
This question is related to What are the best practices to follow when declaring an array in Javascript?
Let's say a client, let's call them "D. B. Cooper", has a first requirement that the following code must run before any other JavaScript code:
Array = function(){
alert('Mwahahahaha');
};
Furthermore, Cooper requires that custom functions must be added to the built in Array object (not the hijacked one). For example, if Array was unhijacked, this would be done with:
Array.prototype.coolCustomFunction = function(){
alert('I have ' + this.length + ' elements! Cool!');
};
Which would afford:
var myArray = [];
myArray.coolCustomFunction();
However, this is not compatible with the first requirement. Thus, how can you best fulfill both of D. B. Cooper's requirements?
Note: D.B. even wrote a test fiddle to help make sure solutions meet his requirements...what a guy!
Update:
For those of you who like a challenge: please try to find an unhijackable cross-browser solution to this problem. For example, here's an even more hijacked test case (thanks for reformatting this Bergi) that hijacks Array, Object, Array.prototype.constructor, and Object.prototype.constructor. Thus far, it looks like there may be a browser-specific solution to this (see Bergi's comment on his answer, and let us know if you find a way to hijack it in FF), but it is unclear at this point if there is a cross-browser solution to this.
Source: (StackOverflow)
In reading about how to avoid json hijacking I've come across various methods including POSTing everything or prepending responses so they are not valid JavaScript.
The most common way to prepend seems to be to add {} && in front of your object or array. Angular suggests prepending with )]}',\n.
Why does angular not use the more standard {} && approach? Is one not totally secure? Is one more difficult to use in JavaScript? Angular aside, is there a good reason for taking the less popular approach?
Source: (StackOverflow)
Lets just consider the trust that the server have with the user.
Session fixation: To avoid the fixation I use "session_regenerate_id ()" ONLY in authentication (login.php)
Session sidejacking: SSL encryption for the entire site.
Am I safe ?
Thanks.
Source: (StackOverflow)
so I've made a website which has registration/login. I can see the PHPSESSID cookie in Chrome's Developer Tools, so I'm wondering how can I use this session id value to hijack into the account I'm logged, from let's say a different browser, for simplicity's sake? Should a secure website be able to determine that this session is being hijacked and prevent it? Also, how come other big sites that use PHP (i.e. Facebook) do not have PHPSESSID cookies? Do they give it a different name for obscurity, or do they just use a different mechanism altogether?
Source: (StackOverflow)
I had a discussion in another thread, and found out that class methods takes precedence over extension methods with the same name and parameters. This is good as extension methods won't hijack methods, but assume you have added some extension methods to a third party library:
public class ThirdParty
{
}
public static class ThirdPartyExtensions
{
public static void MyMethod(this ThirdParty test)
{
Console.WriteLine("My extension method");
}
}
Works as expected: ThirdParty.MyMethod -> "My extension method"
But then ThirdParty updates it's library and adds a method exactly like your extension method:
public class ThirdParty
{
public void MyMethod()
{
Console.WriteLine("Third party method");
}
}
public static class ThirdPartyExtensions
{
public static void MyMethod(this ThirdParty test)
{
Console.WriteLine("My extension method");
}
}
ThirdPart.MyMethod -> "Third party method"
Now suddenly code will behave different at runtime as the third party method has "hijacked" your extension method! The compiler doesn't give any warnings.
Is there a way to enable such warnings or otherwise avoid this?
Source: (StackOverflow)