Archive for the 'China' Category

First look on Cookies

cookie_monster

I wrote a simple script to set some cookies, and found some cute numbers on the maximum cookies to be set per domain name per path. The cookies are in the form of <key>=<val>, e.g. 1=1, 2=1, 3=1, 4=1. The length of the cookie name matters, as I found out.

Internet Explorer 7 – 20 cookies, maximum of 244 Set-Cookies per page.

Firefox 3 – 50 cookies.

Safari 3 – 1161 cookies, no limit of Set-cookies per page. See analysis below.

Opera 9 – 30 cookies.

Chrome 0.4 – 59~70 cookies, I have no idea why it is varying.

Tencent Traveller 2 – 20 cookies, follows the behaviour of Internet Explorer 7.

Except Safari 3, all browsers have a limit on the number of cookies to be set. I guess Safari is using a link list for that. For most browsers, although the HTTP Response code is 200, they will report the page as cannot be displayed. However, for Safari, since it has no limit, when the cookie headers are too long ( > 7619 ), Apache replies with a 400 Bad Request.

Haven’t think of any interesting tests yet, but feel free to discuss if there is anything we can do about them. By the way, I remember hotmail sets a whole lot of cookies, like BrowserSense and BS are just duplicates obviously (legacy code, yeehh!), I wonder are they hitting the limits soon? =)

The Tencent Traveller 2, as I will bet none of you outside of China will know about, is actually a browser in China that is built on top of IE7. Consider a GUI on top of IE7, and it even uses cookies of IE7, too. I have no idea of its adoption in China. Only after testing I realized I am using a very old version of it. I’ll see if there’s anything interesting in its newest version, 4.4.

So much for debugging last time. Let’s get back to the web. =P

Tencent Traveller – http://www.skycn.com/soft/14500.html

RFC2109 – http://www.faqs.org/rfcs/rfc2109.html

RFC2965 – http://www.faqs.org/rfcs/rfc2965.html

China is a Good Place to Pen Test

In the midst of crazy work, I breezed through certain websites and randomly injected some simple attack vectors over this month in China. I found several large sites that are vulnerable to XSS and SQL Injection.

Large sites including DangDang, Sina China, Sogou, Baidu, some of them fixed the problems after emailing them or maybe after reading the logs, too. However, the SQL Injection in DangDang remains unfixed and that is not good. I will not disclose here though ( you can certainly find it easily. It is just simple and buggy. )

To give you an idea of how big the sites above are relative to China, here are some analogies :

DangDang – Amazon

Sina China – Yahoo! News

Sogou – Ask.com

Baidu – Google ( bonus, Baidu beats Google in China )

I guess I will have to find more time to play with these sites to look for more holes. But for now, I have tons of work piling up. Ouch. I have vacation today, in office.

No Law, Said Chinese Cop

I figure this is not closely related to security, but nevertheless like to let you know what’s going on here. Today I was in one of the streets with more tourists in Shanghai, and took a photo, and obviously a cop wanted to stop that and approaches. Here is the conversation translated into English.

He begins : “Kid, show me the photos.”
I replied : “What did I do that authorizes you to scrutinize my camera?”
He coldly said : “You do not need to know. Show me your photos, and your ID card.”
I replied : “Of which of the law and under what authority allow you such privilege?”
He seriously said : “It is your best interest NOT to know about which particular law. If you do know about it, you will be in serious trouble. You should not ask any further.”
I replied : “So, there’s no law here you’re talking about?”
He gravely replied : “Kid, I am telling you again, there is NO law. And even if you know what is the law we are talking about it, I WILL guarantee that you will regret deeply about it, and there is nothing you can do about it even if you know anything about it. So, are you going to pursue your question? I am telling you the LAST time, show me the photos and the ID card NOW.

I know he’s not kidding, because he’s a Chinese cop, and I know he is going to frame me whatever without fear. As a smart intelligent being, I know there is no way to win the dignity, so I showed him the photos and ID card, and of course there is nothing he want. He let me go shortly after a few series of warning. I felt angry, but I remember this is China, a place where law works even more unexpected than in other places such as Hong Kong.

So, whoever in China, be very careful of what you are doing and saying in China. The bar is invisible and can zap you anytime.