Tuesday, December 13, 2011

XSS techniques: defeat a target that only escapes single and double quotes

I assume that you have already found an entry point, either from
  1. the URL,
  2. an injectable
    <input .../>
  3. or a form input; search ("find") functions on certain websites are very exploitable.
Assume that the target accepts injections containing slashes and, as its only security measure, escapes single and double quotes:

Try to break out of the page with '-->', i.e. an HTML comment terminator, then
inject your payload, e.g. <script>...</script>
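
The defender's side of the point above, as an added example that is not code from the original post: an escaper that neutralises only quotes (the filter the post assumes) next to an encoder for the HTML context that also encodes `&`, `<`, `>` and `/`, with a check showing that a quote-free value carrying a comment terminator passes the first one untouched but cannot leave its context after the second. The function names and the sample input are my own.

```javascript
// Added example, not from the original post. Shows why escaping only
// single and double quotes is not an XSS defence: a value reflected into
// an HTML comment or text node needs no quotes to change parsing context.

// The weak filter the post assumes: only ' and " are neutralised.
function escapeQuotesOnly(value) {
  return String(value).replace(/"/g, "&quot;").replace(/'/g, "&#x27;");
}

// Hardened encoder for HTML body and quoted-attribute context: encode every
// character that can change HTML parsing state (the set OWASP recommends).
// With '>' encoded, the literal sequences '-->' and '--!>' can never appear,
// so an injected value cannot terminate an enclosing comment either.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Review check: does the encoded value still carry a comment terminator or
// the start of a tag? Either one means the value can leave its context.
function canLeaveHtmlContext(encoded) {
  return /--!?>/.test(encoded) || /<[a-zA-Z\/!?]/.test(encoded);
}

// Constructed sample input in the shape the post describes: no quotes at all,
// a comment terminator, then a script element.
const SAMPLE_INPUT = "guitar --><script>x</script><!--";

function demo() {
  const weak = escapeQuotesOnly(SAMPLE_INPUT);
  const strong = escapeHtml(SAMPLE_INPUT);
  return {
    weakUnchanged: weak === SAMPLE_INPUT,             // quotes-only filter did nothing
    weakLeavesContext: canLeaveHtmlContext(weak),     // true
    strongLeavesContext: canLeaveHtmlContext(strong), // false
    strong,
  };
}

console.log(demo());
```

Run it with `node`; the object it prints shows the quotes-only filter returning the input unchanged. Entity encoding is the right fix for text and quoted-attribute contexts; data that ends up inside `<script>` blocks, URLs or event handlers needs the encoder for that context, and user data should not be written into HTML comments at all.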

Producing strings without single or double quotes:

a.
// yields the string "/look no single or double quotes/" (the regex literal converted to a string, slashes included)
(new String(1)).replace((new Number(1)).toString(10), /look no single or double quotes/);

b.
String.fromCharCode(n1, n2, ..., nX)

c. replace (for compression)

Use this Python snippet to turn the payload into the list of decimal character codes that String.fromCharCode expects:

[ ord(c) for c in "http://payload_in_decimal" ]

The drawback of this technique is that the decimal payload will be huge and may overflow the input, i.e. the URL length limit in the browser, the input tag, the form, etc.
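
That size is also what makes the payload shape visible on the server side. As an added example, not code from the original post, here is a log-side heuristic that flags requests whose decoded query string contains `String.fromCharCode` with a long list of decimal arguments, or a comment terminator immediately followed by a tag opener. The log format, the argument-count threshold and the sample lines are assumptions constructed for this example.

```javascript
// Added example, not from the original post. A defender-side heuristic that
// scans access-log lines for the quote-free payload shape described above.
// Thresholds, log format and sample lines are assumptions for this example.

// Constructed sample lines in Apache common log format (not real traffic).
// The character codes in the second line spell "http://example".
const SAMPLE_LOG = [
  '203.0.113.5 - - [13/Dec/2011:10:00:01 +0000] "GET /search?q=guitar+chords HTTP/1.1" 200 512',
  '203.0.113.7 - - [13/Dec/2011:10:00:02 +0000] "GET /search?q=--%3E%3Cscript%3EString.fromCharCode(104,116,116,112,58,47,47,101,120,97,109,112,108,101)%3C/script%3E HTTP/1.1" 200 512',
  '203.0.113.9 - - [13/Dec/2011:10:00:03 +0000] "GET /item?id=42&ref=String.fromCharCode(65) HTTP/1.1" 200 128',
];

// Assumed threshold: legitimate inline uses of fromCharCode are short, while
// a whole decimal-encoded payload needs one argument per character.
const MIN_CHARCODE_ARGS = 8;

// Pull the query string out of the request line; null if the line is not a request.
function extractQuery(line) {
  const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\//);
  if (!m) return null;
  const idx = m[1].indexOf("?");
  return idx === -1 ? "" : m[1].slice(idx + 1);
}

// Percent-decode once; leave malformed sequences as they are rather than throw.
function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s;
  }
}

// Return the list of reasons a decoded query string looks like the payload shape.
function analyzeQuery(decoded) {
  const reasons = [];
  const charCodeCall = /String\s*\.\s*fromCharCode\s*\(([\d\s,]+)\)/g;
  let m;
  while ((m = charCodeCall.exec(decoded)) !== null) {
    const argc = m[1].split(",").filter((x) => x.trim() !== "").length;
    if (argc >= MIN_CHARCODE_ARGS) {
      reasons.push(`String.fromCharCode with ${argc} numeric arguments`);
    }
  }
  // Comment terminator (--> or --!>) immediately followed by a tag opener.
  if (/--!?>\s*<[a-zA-Z\/!?]/.test(decoded)) {
    reasons.push("HTML comment terminator followed by a tag");
  }
  return reasons;
}

// Scan a list of log lines and return the suspicious ones with their reasons.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const query = extractQuery(line);
    if (query === null) continue;
    const reasons = analyzeQuery(safeDecode(query));
    if (reasons.length > 0) findings.push({ line, reasons });
  }
  return findings;
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Only the second constructed line is reported, with both reasons. Treat hits as triage signals rather than proof: obfuscated or split payloads will slip past a pattern like this, which is why the heuristic complements output encoding instead of replacing it.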

Friday, July 22, 2011

Song lyrics memorization using method of loci

Sometimes when studying to play a song on guitar or bass it's difficult enough to memorize the chord changes, let alone sing along. This becomes more difficult if there are syncopations or some other rhythmic off-beat device in the song. In some songs certain words in the chorus are different each time, in a different bar, but you just can't manage to memorize which words belong to which repetition of the chorus. I propose a remedy for this problem.


First, your muscle memory must already be familiar with the chord progressions; if you're compin' along to the melodies, the chords can be anchored to the lyrics and melody of the song.


Use the mnemonic device called the method of loci. The advantage of this method is that you can jump between verse and chorus by just stepping into the room you've associated the verse or chorus with (in your mind).
Use real objects in the room that are usually there (e.g. TV, couch, rug in the living room; toilet seat, shower in the bathroom) to anchor the initial strand of a story. The story is just a sequential translation of the lyrics into a memorable narrative. The more outrageous, the more memorable.
If you speak multiple languages, use translations of words and the phonetic information to link words together.



Manipulate the object translations of the words in the lyrics in the space, e.g. explosions, actions, etc. Use a phonetic approximation of the word if it isn't an easily translatable object. It's important to anchor to existing objects in the space, e.g. TV, couch, toilet, showerhead, cupboard, dining table, etc. One could also use synonyms, but this tends to require some thought (it introduces a new layer of translation), which takes extra time.

It's key to reduce the recall time in order to stay in the rhythm of the song, even before you actually need the information.
I discovered a trick to optimize recall time: group the triggers for the next word together at the start of the musical phrase, before you actually need the trigger. For example, if you need to recall B in the following melodic phrase and A in the current one, chunk the mnemonic triggers for AB together, before you actually need B. You could also memorize a meta-trigger for B instead of the real trigger for B.


It's important to walk through the rooms (in your mind) during practice, as if you're walking through the different parts of the song, so the sequence of verse, bridge and chorus is easy to traverse. I use my friends' homes to memorize songs.

For instance, in a pop song of 2 minutes there would be at most 3 distinct lyrical parts, e.g. verse, chorus, bridge. If certain parts occur together, like two verses followed by a chorus, these could be chunked together in one room and the rest chunked together in the following room; a song could theoretically require two rooms. Two songs could theoretically fit into a locus of 5 rooms, mnemonically speaking.
You can also try to engage your limbic brain in memorizing the lyrics, by imagining the sensations produced by the lyrics. You can imagine feeling a warmth on your cheeks, when you sing the word "Hot" etc.

It's also good to use multiple non-conflicting triggers (e.g. sensations, images, narrative, onomatopoeia, synonyms) in your story to encode the lyrics; eventually the strongest trigger will remain.

It's fairly obvious that one should also practice recalling the triggers.

Monday, March 14, 2011

Fun with a whiteboard

IT worker with a mind like water

Introduction

In this entry, I'll be proselytizing about my interpretation of Getting Things Done (GTD) by David Allen, mindfulness and my implementation of Agile principles.

All of this culminates in a project portfolio, for a high-level view of the project status.

Quick reference to GTD

GTD principles and mindfulness

In order to work at maximum efficiency in bursts during the day, one must maintain a mind which flows like water. IT workers, like physical athletes, chess champions, etc., must keep their cool and maintain a certain level-headedness to perform at the top of their game. An IT worker can get to this state by practicing mindfulness exercises during down-time and implementing GTD in their personal and professional lives.

Why GTD? Because it is a means to cast away projects and tasks and entrust them to an externalized system, so there is no need to retain excess information in the mind, and your mind is free to react to or observe the situation. I'll write up a blog entry to illustrate some points made by cognitive studies which support the beneficial effects of the GTD system.

Why mindfulness? Because it's the new fad. No, not really, meditation has been with us for a long time, but meditation is only a means to an end.

Mindfulness can potentially relieve (not a 100% cure) certain physical manifestations of mental blockages (I'm not a dualist in the Cartesian tradition). Like all other things in life, you need a time and a place to do this and practice. So that's taking care of the body/mind. Regular physical conditioning/exercise is also a good idea. I won't cite the hundreds of research papers which confirm the relation between mental fitness and physical exercise.

Meditating Lotus


A common goal of mindfulness and GTD is to empty the mind of all baggage and to get into relaxed control of the task at hand, with minimum interference from other senses. Even if you think it's all weird esoteric unscientific crap, there's always the possibility of a positive placebo effect on your mind. So try it.

David Allen also stresses the importance of setting positive goals. This creates a positive feedback loop, when things actually don't turn out like the worst-case scenario you initially envisioned.

Teams and Agile and GTD

I could imagine that the other team members might not fully appreciate your fascination with GTD or mindfulness. So lead by example.

So, how does one share a mind-like-water epiphenomenal state with your colleagues? Grab adhesive pieces of paper (e.g. stick-its), get a large sheet of paper or a whiteboard, and start writing down all of the project details as a group. Group similar tasks / details together. Find a comfortable granularity, i.e. level of description for the tasks, for the whole team: not too abstract and not too detailed. Unload your team's collective mind. This is a free-flowing brainstorm / brain unload state. The unloading state can be done over a week or in 5 minutes, depending on the size of the project. I personally did a drive-by braindump with my team once.

Braindump / fun with stick-its



The whiteboard


Get together with your team. Your role is to provide the constraints of the project. Sort the precedence of tasks depending on their priority. This is a filtering state. Make a plan in iterations for the coming x weeks. Every iteration should be no longer than 2 weeks. For every task or subproject, try to make an informed guess how long it would take to accomplish. Also try to define the priority of that feature with the client and your teammates. It's important to make a clear separation between the "unloading" state and the filtering / analytical / censor state.

If management insists on disrupting you or team members to do multi-project multi-tasking, use GTD on a lower level for each disruptible team member. Use your project portfolio and project backlog to defend your team members against unwelcome intrusions like these; for example, make it clear to "intruders" that your project has no time to spare. In any case, a project portfolio is a common base you can use to negotiate, within the team or with upper management.

Spreadsheet based project portfolio, left: monthly plan, right: weekly plan.


Another method to maintain a team's commitment during a barrage of incidental crap is to use a kanban to keep the focus on the project at hand. Also, use commitment and consistency: let the person(s) who will be responsible for the task write their name on the piece of paper.

Simple KanBan: wait, active, finished.


For software developers you might want to describe the following states on the kanban (per feature) for an iteration:
  1. Develop
  2. Test
  3. Refactor
  4. Merge
  5. Commit to version control
  6. Integration Test
  7. Deploy
Listen to your team members, to find the right kanban which works for everyone. Update the kanban when required.

Depending on the size of the team, do standups. Keep project backlogs, so you can make a project portfolio, and draw velocity charts. But in any case never plan alone; always use the data provided by the whole team.

My software idea

I envision a drag-and-drop interface for creating an online kanban system in which the states can be defined, using XMPP and BOSH to give project members updates on changes within the kanban, with integration into XMPP-based chat systems. All of this would be integrated with a calendar (gcalendar?) and a GTD-based system where tasks can be delegated to people and inserted into the wait list or the calendar. The protocol's ad hoc commands would deliver the data payload.

Conclusion

There is a common thread between agile and GTD. If you include team members and let them actively participate, you can leverage the group's wisdom to improve commitment to the project and also improve the way it is going to be developed. This is a way for your team to get into the zone.