OFCP – Offensive Security Certification

I joined a security mailing list some time ago, recently they got to talking about what the ‘best’ certification to get for security training is. A certification to be a professional hacker? Who knew there was such a thing? One of the most notable ones they mentioned was OFCP (Offensive Security Certification). I took a look at their website, there are a couple good demos on there and the price to get certified appears reasonable enough. Apparently passing the test is difficult with “90% of people failing the first time”, or so says one of the folks on the mailing list.

Check it out:

Here are a couple more sites they shared that look interesting:
Hacker High School


Syntax highlighting – Posting Source Code on Wordpress

Crikey! I’ve finally found a good way to get syntax highlighting on my code posts on WordPress! Here is the WordPress article on the tag to use for syntax highlighting, thanks WP!

To summarize, to outline your code include this around it:

[sourcecode language=”css”]
your code here

where language can be many things (check the link for a full list), these are some:
sql, csharp, vb, xml, javascript, java, html, css, powershell

This code highlighter is pretty neat, it’s client side JavaScript that does the highlighting. Written by Alex Gorbatchev, available on his site here. I have noticed a couple bugs in the sql parser, but overall I quite like it.

Google Gears

For those that have not heard, Google Gears is now deprecated. Gears was a great JavaScript framework that allowed many things previously difficult, if not impossible to do with browsers.

It’s not all bad news however, Google (Chrome) is ‘working closely’ with Microsoft (Internet Explorer) and Mozilla (Firefox) to develop HTML5 which will obsolete the features Gears used to provide.

I thought I’d give a heads up to all of you, I still see the odd job posting asking for people with Gears experience. If you don’t have to, I personally wouldn’t sink any more money into it.

How to write an add-on for Firefox 4.0

I recently watched a great tutorial that walks through how to write a “hello world” app for Firefox.¬† The demo was written for Firefox 3.5 and I have Firefox 4.0 but I manged to get past the one hiccup that caused and successfully made the app.

Here’s the coles notes version of that journey, I of course did my app on a windows machine so these notes are specific to windows.¬† If you want to view the original video in it’s entirety it’s available here (there are non windows instructions in it if you’re interested):
Scroll down the page to the video entitled “Zero to Hello World! in 45 Minutes”, that is the video I followed through on.

Follow these steps to create your own app / set up your environment:
Download and install Firefox 4.0 if you don’t already have it.
Create a separate profile in Firefox for testing Рthis helps you not make a mess of your personal profile.  To do so run this command:

md Profiles\helloworld-dev

Run Firefox with this command line (forces a specific profile, and a separate process (run two separate Firefox’s at the same time!) and the command window to open)
“c:\program files\mozilla firefox\firefox.exe” -profile “%USERPROFILE%\Profiles\helloworld-dev” -no-remote -console
Open advanced options in your new Firefox window by typing this into the URL:
Change these settings to true if they aren’t already (double clicking will work)
Create this next setting as a boolean = true (it probably won’t already exist), to do so r-click in the window.
You now need to install two Add-ons:
DOM Inspector
If those links don’t work searching the inter net for their name and “Firefox Add-on” should do the trick.
Create a extension directory, a good option is: (run this)

md Projects\helloworld

To navigate to any of the directories created try this at the command line:

explorer.exe %USERPROFILE%\Projects\helloworld

explorer.exe %USERPROFILE%\Profiles\helloworld-dev
Create the basic file layout in the “%USERPROFILE%\Projects\helloworld” directory:


Where names ending in “/” are folders, the others are empty files.
This is where things differ somewhat from the tutorial as it appears some changes were made in Firefox 4, or at least it seems they were as the example files wouldn’t work for me as is.¬† I had to open an existing add-on that was on my machine to get the syntax correct.
Populate the install.rdf file using:

<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.mozilla.org/2004/em-rdf#">
<RDF:Description about="urn:mozilla:install-manifest">
<id>{77614715-3043-4CCC-9C73-23EE9C9ACB0A}</id><!-- This is the GUID of our add-on -->
<name>Hello world!</name>
<id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</id><!-- This GUID means Firefox -->

Populate the chrome.manifest file using:

content  helloworld         chrome/content/
locale   helloworld  en-US  chrome/locale/en-US/

overlay  chrome://browser/content/browser.xul chrome://helloworld/content/browser.xul

Let’s create some more files for a fully functioning add-on.¬† Create:

<?xml-stylesheet href="chrome://helloworld/content/browser.css" type="text/css"?>
<!DOCTYPE overlay SYSTEM "chrome://helloworld/locale/browser.dtd">
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<stringbundleset id="stringbundleset">
<stringbundle id="helloWorldBundle"
<script type="application/javascript"
<statusbar id="status-bar">
<button id="helloWorldButton" label="&helloWorldButton.label;" insertafter="statusbar-display"
style="color: green"/>


let HelloWorld = {
onCommand: function(event) {
let stringBundle = document.getElementById("helloWorldBundle");
let hours = new Date().getHours();
let greeting = (hours < 12) ? stringBundle.getString("morningGreeting")
: stringBundle.getString("eveningGreeting");
let message = stringBundle.getFormattedString("helloWorld", [greeting]);
dump(message + "\n");


#helloWorldButton {
font-weight: bold;


<!ENTITY  helloWorldButton.label  "Hello world!">


helloWorld = %1$S world!
morningGreeting = Good morning
eveningGreeting = Good evening

To get our new instance of Firefox to load our add-on the simplest way to do so for development purposes is:
NOTE: This is a file that is named the exact same thing as the id for our app in the RDF file.
C:\… your file path here …\Projects\helloworld\

After all that is done close your Firefox you opened via command line earlier, then re-open using the same command, that is:
“c:\program files\mozilla firefox\firefox.exe” -profile “%USERPROFILE%\Profiles\helloworld-dev” -no-remote -console

If you created all the files correctly you should have a button in Firefox with green text you can click on.  When clicked on it will send text to the command window that is probably in the background.  Thanks to the good people at mozillalabs for this.  If you have any questions feel free to post here, or take a look at the original lab available here:
Scroll down the page to the video entitled “Zero to Hello World! in 45 Minutes”.
View the supporting pdf here.
Or take a look at the source code here: (may not work in Firefox 4, it didn’t for me.)

Some definitions:
content is the web page loaded in Firefox
chrome is the Firefox UI, i.e. everything that’s not content
chrome privileges Add-ons have the same privileges Firefox does, making them a bit scary from a security perspective.

Technology used by Firefox that a Add-on developer needs to know (at least a little of)
XUL and XHTML for structure, widgets
CSS – appearance
JavaScript – behaviour
DTDs and properties files for localization (support for different languages)
JavaScript and C++ for modules/components

%USERPROFILE% does not consistently work for me and I’ve not figured out why as yet. The lines above did work for me when I wrote this article, yet today I try to re-create and this command:
‚Äúc:\program files\mozilla firefox\firefox.exe‚ÄĚ -profile ‚Äú%USERPROFILE%\Profiles\helloworld-dev‚ÄĚ -no-remote -console
is having issues. The issue is the mix of spaces in the variable and quotes around the input. The fix I believe is either to only allow 8.3 file names (so spaces are dropped) or to just type the entire path instead of using this nice shortcut.


I’ve started reading the latest on whatwg.org about HTML5.¬† It’s currently marked as a ‘Working Draft’.¬† I have to say, in places it had me laughing.¬† w3’s documents were known for their technically correctness, never their humor.¬† The document on whatwg.org however has the odd quip.¬† For example in the introduction section of the HTML5 spec look up 1.8.1.¬† I’ll quote it here in case they change it sometime soon.

“1.8.1 How to read this specification

This specification should be read like all other specifications. First, it should be read cover-to-cover, multiple times. Then, it should be read backwards at least once. Then it should be read by picking random sections from the contents list and following all the cross-references.”

Now that’s funny.¬† It seems to me the person filling out the template thought a section on how to read was pretty silly, and responded the same.¬† Well, whoever you are, thanks for the laugh!

Note: the same text is available on w3.org’s website here:
w3.org “A quick introduction to html”
only on this document the section is 1.7.1