Fooling Google Search Console With Tricky PHP

When [Steve] received a notice from Google that a new owner had been added to his Google Search Console account, he knew something was wrong. He hadn’t added anyone to his account. At first he thought it might be a clever phishing tactic. Maybe the email was trying to get him to click a malicious link. Upon further investigation, he discovered that it was legitimate. Some strange email address had been added to his account. How did this happen?

When you want to add a website to Google’s services, they require you to prove that you own the actual website as a security precaution. One way to provide that proof is to upload or create an HTML file on your website with some specific text inside. In this case, the file needed to be called “google1a74e5bf969ded17.html” and it needed to contain the string “google-site-verification: googlea174e5bf969ded17.html”.

[Steve] logged into his web server and looked in the website directory but he couldn’t find the verification file. Out of curiosity, he tried visiting the web page anyway and was surprised to find that it worked. After some experimentation, [Steve] learned that if he tried to load any web page that looked like “googleNNNNNNNN.html”, he would be presented with the corresponding verification code of “google-site-verification: googleNNNNNNNN.html”. Something was automatically generating these pages.

After further investigation, [Steve] found that some malicious PHP code had been added to his website’s index.php page. Unfortunately the code was obfuscated, so he couldn’t determine exactly what was happening. After removing the new code from the index.php file, [Steve] was able to remove the hacker’s email address from his Google account.

This is a very interesting hack, because not only did it allow this one hacker to add himself to [Steve’s] Google account, but it would also have allowed anyone else to do the same thing. This is because each new hacker would have been able to fool Google’s servers into thinking that they had uploaded the verification file thanks to the malicious PHP code. It makes us think that perhaps Google’s verification system should use a separate randomized string inside of the verification file. Perhaps one that can’t be guessed or calculated based on known variables such as the file name.
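A site owner can test for this behaviour by requesting verification-style filenames that were never created and checking whether the server echoes them back. The following is an added example, not code from [Steve]'s write-up; the function names and the three stand-in servers are constructed for illustration, and `http_fetch` is how the same check would be pointed at a site you administer.

```python
import re
import secrets
import urllib.error
import urllib.request

# Body format described above: a fixed prefix followed by the file's own name.
TOKEN_RE = re.compile(r"google-site-verification:\s*(google[0-9a-f]+\.html)")

def check_site(fetch, probes=3):
    """Request verification-style filenames that were never created.

    fetch(path) -> (status, body). A healthy server returns 404; one that
    echoes the requested name back is generating verification pages on
    demand. Returns the probe names that were wrongly served.
    """
    hits = []
    for _ in range(probes):
        name = f"google{secrets.token_hex(8)}.html"  # random, unregistered
        status, body = fetch("/" + name)
        m = TOKEN_RE.search(body or "")
        if status == 200 and m and m.group(1) == name:
            hits.append(name)
    return hits

def http_fetch(base_url):
    """Fetcher for a real site you administer, e.g. http_fetch('https://example.org')."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url + path, timeout=10) as r:
                return r.status, r.read(4096).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, ""
    return fetch

# Constructed stand-ins for three servers, so the check runs offline.
def clean_site(path):
    return (200, "<h1>home</h1>") if path == "/index.html" else (404, "Not Found")

def soft_404_site(path):
    return 200, "<h1>Page not found</h1>"  # answers 200 for everything

def tampered_site(path):
    m = re.fullmatch(r"/(google[0-9a-f]+\.html)", path)
    return (200, f"google-site-verification: {m.group(1)}") if m else clean_site(path)

if __name__ == "__main__":
    for site in (clean_site, soft_404_site, tampered_site):
        print(site.__name__, "->", check_site(site) or "ok")
```

Any non-empty result means the site is answering for files that do not exist on disk, which is the point at which to inspect index.php and the rewrite rules for injected code.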

Simple LED Project To Spice Up Your Halloween Party

[Paul’s] project is a great example of how you can take a simple project and turn it into something more interesting. He built himself a jack-o-lantern with an Internet controlled RGB LED embedded inside.

[Paul] first wired up an RGB LED to a Raspberry Pi. He was sure to wire up each color using a 100 ohm resistor to prevent the LED from burning out. The web interface was written in Python. The interface is pretty simple. It consists of three text fields. The user enters a value between 0 and 255 for each of the three LED colors. The program then lights up the LED accordingly.

[Paul] realized he would need a diffuser for the LED in order to really see the blended colors properly. Instead of using a common solution like a ping-pong ball, he opted to get festive and use a plastic jack-o-lantern. [Paul] removed the original incandescent bulb from the lantern and mounted the LED inside instead. The inside of the pumpkin is painted white, so it easily diffuses the light. The result is a jack-o-lantern that glows different colors as defined by his party guests. Be sure to check out the demonstration video below.

Webmote: Control Anything With Web-based Remote

We’ve seen a lot of projects that let you control all of your devices from a smartphone. But this universal web-based remote control system looks like the most versatile we’ve seen yet. The project is called Webmote as the controls are served up as a web interface so that you’re not limited to say an Android device. The UI can be customized by choosing what buttons you will use and where to place them on the display. You can get a good feel for this by viewing this G+ album. Setup is made a bit easier thanks to an add-on system that has predefined layouts for common things like controlling XBMC.

The hardware seen above is the business end of Webmote. It’s an Arduino with an IR receiver, IR LED, and an XBee module. For your common home entertainment devices you can teach the system your codes using the IR receiver. The IR LED is used to transmit those codes back, and the Xbee gives you the ability to control X10 (home automation) devices. Right now the setup requires the hardware be connected to a server via USB, but it shouldn’t be hard to set up some type of wireless alternative.

Web-enabled Kinect

There are Kinect hacks out there for robot vision, 3D scanners, and even pseudo-LIDAR setups. Until now, one limiting factor for these builds has been the requirement for a full-blown computer on the device to deal with the depth maps and do all the necessary processing and computation. That no longer seems like much of a problem now that [wizgrav] has published Intrael, an HTTP interface for the Kinect.

[Eleftherios] caught up to [wizgrav] at his local hackerspace where he did a short tutorial on Intrael. [wizgrav]’s project provides each frame from the Kinect over HTTP wrapped up in JSON arrays. Everything a Kinect outputs aside from sound is now easily available over the Internet.

The project is meant to put computer vision outside the realm of desktops and robotic laptops and into the web. [wizgrav] has a few ideas on what his project can be used for, such as smart security cameras and all kinds of interactive surfaces.

After the break, check out the Intrael primer [wizgrav] demonstrated (it’s Greek to us, but there are subtitles), and a few demos of what Intrael ‘sees.’

Ego Box Monitors Web Hits

[Bogdan’s] latest project is a box that displays web hits for a chosen site. He calls it the Ego Box because depending on how traffic goes it either bloats or crushes your ego. This provides similar functionality to our Troll Sniffing Rat, but the biggest difference is that this is a stand-alone Ethernet device. That’s thanks to the ENC28J60 Ethernet controller chip, which manages the stack and has been quite popular in DIY electronic projects. In order to monitor your hits, [Bogdan] crafted a bit of code to add to the header of your index page. It increments the counter file each time the page is loaded, and the Ego Box simply monitors that file, displaying the traffic on an eight digit 7 segment display.

[via Adafruit]

Abusing HTTP Status Codes

Concerns over privacy online are an ever-growing theme. Every day we see people complaining about the policies of Facebook and the like. [Mike Cardwell] points out another method of gleaning a bit of personal data from you that you may not have seen yet. By embedding a hidden image or using some really simple JavaScript, he can tell if you are currently logged into Gmail, Twitter, Facebook, or Digg. While this could possibly be used for more nefarious things, he points out that you could also use it for customizing your website to better suit the experience of the browser. For example, if the “reader” is already logged into Gmail, you could have any email links automatically open a Gmail instance instead of the local mail client.

Internet Controlled Remote

How often does this happen to you? You’re leaving on a long trip, and halfway there you remember the TV was left on. Never? Alright then, how about wanting to control an Xbox 360 from within the other room and you don’t have the remote. Still a rare occurrence?

Perhaps you have a better situation where an internet controlled IR remote, one that can be programmed to work with any TV or IR accepting device, would be useful. [Nicholas McClanahan] starts off with a USB Propeller from Parallax, adds an Ethernet module to make a mini server, and ends with an IR LED and receiver. The code is nearly as simple, being a combination of SPIN, HTML, and JavaScript, all coming together under a nice website GUI that prompts for what IR signals to send. To make the project even more straightforward, [Nicholas] has included an Instructable as well. In the end though, while the hack is great, we’re still trying to find a decent enough use. Video after the rift.