reviews - Dave's Blog


Stripe Web Security CTF Summary

2012 Aug 30, 5:00

I was the 546th person to complete Stripe's web security CTF and again had a ton of fun applying my theoretical knowledge of web security issues to the (semi-)real world. As I went through the levels I thought about what red flags jumped out at me (or should have) that I could apply to future code reviews:

| Level | Issue | Code Review Red Flags |
|---|---|---|
| 0 | Simple SQL injection | No encoding when constructing SQL command strings. Constructing SQL command strings instead of SQL API. |
| 1 | extract($_GET); | No input validation. |
| 2 | Arbitrary PHP execution | No input validation. Allow file uploads. File permissions modification. |
| 3 | Advanced SQL injection | Constructing SQL command strings instead of SQL API. |
| 4 | HTML injection, XSS and CSRF | No encoding when constructing HTML. No CSRF countermeasures. Passwords stored in plain text. Password displayed on site. |
| 5 | Pingback server doesn't need to opt in | n/a - By design protocol issue. |
| 6 | Script injection and XSS | No encoding while constructing script. Deny list (of dangerous characters). Passwords stored in plain text. Password displayed on site. |
| 7 | Length extension attack | Custom crypto code. Constructing SQL command string instead of SQL API. |
| 8 | Side channel attack | Password handling code. Timing attack mitigation too clever. |
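The red flags from the table in working code, as an added example that is not from the CTF or the original post: each pair shows the pattern a reviewer should flag beside the form to ask for instead (SQL API parameters, output encoding, salted hashes, library constant-time comparison, HMAC instead of hand-rolled hashing). The sqlite3 user table and the inputs are constructed for the demonstration.

```python
import hashlib
import hmac
import html
import os
import sqlite3

# Constructed in-memory user table standing in for the CTF levels' databases.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "hunter2"), ("bob", "letmein")])
    return db

# Red flag (levels 0, 3, 7): the SQL command string is built by concatenation,
# so quoting inside the untrusted value becomes part of the statement.
def lookup_user_vulnerable(db, username):
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in db.execute(sql))

# Fix: let the SQL API bind the value; it can never change the statement shape.
def lookup_user_safe(db, username):
    rows = db.execute("SELECT username FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)

# Red flag (levels 4, 6): HTML assembled from user text with no encoding.
def render_comment_vulnerable(text):
    return "<p>" + text + "</p>"

# Fix: encode for the HTML text context at the point of insertion.
def render_comment_safe(text):
    return "<p>" + html.escape(text, quote=True) + "</p>"

# Red flags (levels 4, 6, 8): plaintext passwords and a "clever" custom timing
# mitigation. Fix: store a salted PBKDF2 hash and compare with the standard
# library's constant-time routine.
SALT_LEN = 16
ITERATIONS = 100_000  # constructed value; tune for the deployment

def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest

def verify_password(stored, supplied):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Red flag (level 7): custom crypto such as hash(secret + message), which is
# what length extension exploits. Fix: a real MAC from the standard library.
def sign_message(key, message):
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_signature(key, message, signature):
    return hmac.compare_digest(sign_message(key, message), signature)

if __name__ == "__main__":
    db = make_db()
    print(lookup_user_vulnerable(db, "' OR '1'='1"))  # every user comes back
    print(lookup_user_safe(db, "' OR '1'='1"))        # no user matches
    print(render_comment_safe("<script>"))
```

The SQL pair is the one worth running first: the same input returns every row from the concatenated query and nothing from the parameterised one, which is exactly the difference a code reviewer is looking for when the table says "constructing SQL command strings instead of SQL API".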

More about each level in the future.

Tags: code-review coding csrf html internet programming script security sql stripe technical web xss

Why I Like Glitch

2012 Feb 17, 4:00

Sarah and I have been enjoying Glitch for a while now. Reviews are usually positive although occasionally biting (but mostly accurate).

I enjoy Glitch as a game of exploration: exploring the game's lands with hidden and secret rooms, and exploring the game's skills and game mechanics. The issue with my enjoyment coming from exploration is that after I've explored all streets and learned all skills I've got nothing left to do. But I've found that even after that I can have fun writing client-side JavaScript against Glitch's web APIs, making tools (I work on the Glitch Helperator) for use in Glitch. And on a semi-regular basis they add new features, reviving my interest in the game itself.

Tags: video-game glitch glitch-helperator me project game

'Firefly' Fan Webcomic Takes 'Serenity' Carnage to New Levels [Exclusive] - ComicsAlliance | Comics culture, news, humor, commentary, and reviews

2010 Apr 20, 5:04
Tags: humor firefly serenity comic

Creating Accelerators for Other People's Web Services

2009 Aug 18, 4:19

Before we shipped IE8 there were no Accelerators, so we had some fun making our own for our favorite web services. I've got a small set of tips for creating Accelerators for other people's web services. I was planning on writing this up as an IE blog post, but Jon wrote a post covering a similar area so rather than write a full and coherent blog post I'll just list a few points:

Tags: technical accelerator ie8 ie

The Escapist : Video Galleries : Zero Punctuation : Duke Nukem Forever

2009 May 27, 4:45

"This week, Zero Punctuation reviews Duke Nukem Forever."

Tags: humor videogame video duke-nukem

Fallout 3 'Broken Steel' DLC Preview - Shacknews - PC Games, PlayStation, Xbox 360 and Wii video game news, previews and downloads

2009 Apr 21, 1:28

Fallout 3's May 5th DLC removes old ending, adds new quests, new levels, new perks. Sounds good! "In a nutshell, Broken Steel will remove the game's ending entirely, with Bethesda's Pete Hines saying simply to fans that called for an open-ended resolution, "We got the idea." Players will still have to make the final choice, but following that climax the game will continue, presenting new epilogue quests, another 10 levels to gain, and new perks, monsters and achievements to keep the climb interesting."

Tags: game videogame news fallout3 fallout

Dark Knight and Mariners Baseball

2008 Aug 4, 8:39

The weekend before last I saw Dark Knight with some friends from work and then we all ate at Z'Tejas after. Like everyone has said and as the name implies, Dark Knight is... dark. Dark Knight was a little over the top at times as compared to Batman Begins but I really enjoyed it. Two times during the movie I thought it had ended but I was wrong. The Joker is both frightening (cringe-inducing line "Wanna know how I got these scars?") and humorous ("Where is Harvey Dent? ... You know where Harvey is? You know who he is?", as well as the pencil magic trick). I can certainly recommend it to anyone who enjoyed Batman Begins. The previews included Burn After Reading, a new Coen Brothers comedy that I look forward to, and Quantum of Solace, which hopefully does the same thing Dark Knight has: keep up the new direction on the refreshed franchise.

(Photo: Safeco Field suite)

This past weekend Sarah and I went to a Mariners baseball game. I think this is the first MLB baseball game I've seen in person. Sarah's company gave out tickets for the game and the use of a suite. It's a room halfway up the stadium with comfortable chairs, a mini-fridge built into the marble counter-topped center table, and a big flat screen television with the game on it. I suppose that's in case you don't want to turn to the right and sit at the window, or walk out onto the balcony which features three rows of comfy chairs overlooking the field. Anyway there was free food and drinks and I met some of the people Sarah works with.

Tags: baseball batman nontechnical

The New Cult Canon: Primer | The A.V. Club

2008 Apr 10, 3:36

See, the AV Club says Primer is awesome too! But don't read this or any other review, rather take my word for it and watch the movie now without any prior knowledge.

Tags: cult primer movie onion av-club reviews

Lost Pig | The A.V. Club

2008 Feb 15, 2:47

AV Club reviews Lost Pig, the 2007 Interactive Fiction Competition winner.

Tags: game games if interactive-fiction humor

Vegas and New Year

2008 Jan 2, 8:57

(Photo: normal sized slot machine)

Two and a half weeks ago Sarah and I went to Las Vegas where I got to see Jesse, Pat, Chris, and (briefly because he's some kind of big shot too busy for his friends now etc) Grib from college. They're mostly in San Jose and I hadn't seen them for a while so it was a lot of fun to hang out. We all stayed at the MGM which is a nice hotel with some good restaurants. In other Vegas related links, Sarah added Sarah's Las Vegas restaurant reviews to her reviews and Jesse has Jesse's Vegas photos up too.

(Photo: Vegas dinner)

Sarah and I saw the Blue Man Group (video from a concert) and the Price is Right Live Show. The Blue Man Group was very cool although the music was all rock with a heavy drum focus (not depicted in the videos I linked) which I got a little tired of. But despite that I really enjoyed the show, very funny and I totally recommend it. The Price is Right Live Show is like the regular show on TV except the recording is not televised and it's not hosted by Bob Barker or Drew Carey. So folks from the audience are still called up to play the same games and really win prizes. It was advertised as hosted by Todd Newton, B-list game show host, but was instead hosted by JD Roberto who hosted such things as "Reality Remix" and the show "Are You Hot? The Search for America's Sexiest People". The showcase showdown included the 2008 version of my car and thankfully I wasn't picked to compete for that because, well I don't know where they bought the car, but I would have gotten the price very wrong. We sat right next to the stage for that show and had a good time.

(Photo: MGM Grand in Las Vegas)

For New Year's Eve Sarah and I stayed in and watched the glitched Seattle Space Needle fireworks show from a safe distance. On New Year's Day we went to a pot-luck at Todd's house and had a fun time. Todd's place is on the top of a hill and has a lovely view of Washington's snow-capped mountains.

Tags: newyear vegas lasvegas personal bluemangroup

StumbleUpon - sequelguy's web site reviews and blog

2007 Dec 20, 7:15

Another profile on another site that I keep track of with wonderful del.icio.us.

Tags: me profile web

Windows Media Center and Zune Integration Hack

2007 Nov 28, 1:23One of the new Zune features that had me the most excited was the claimed improved Windows Media Center integration which unfortunately turned out to simply mean support for the Win MCE video format (with an exception for HD). I wanted to be able to pick shows recorded by my Win MCE and have the Zune automatically sync up the latest episodes. However, with the improved podcast support in the Zune software one can easily create a ridiculous hack to accomplish this.

The new Zune software has podcast support which does everything I'd want to do with a Win MCE recorded TV series so the goal is to shoehorn a TV series into a Zune podcast. An overview of the steps: Create an XSLT that converts Win MCE data to a podcast, run the XSLT as a scheduled task every few hours per TV series, setup a Web server pointed at the resulting podcasts and the Win MCE Recorded TV directory, and subscribe to the resulting podcasts in the Zune software.
  1. Reading through the Win MCE data stored as an XML file in "C:\ProgramData\Microsoft\eHome\Recording\Recordings.xml" and the spec for podcasts I created an XSLT to convert a series from Win MCE data to a podcast.
  2. I added a new task to the Scheduled Tasks to run my XSLT using my xsltproc.js script. The task runs a handful of commands that look something like the following:

    C:\windows\system32\wscript.exe C:\users\dave\bin\xsltproc.js C:\Users\Dave\Documents\trunk\development\mce-zune\mce-to-podcast.xslt C:\ProgramData\Microsoft\eHome\Recording\Recordings.xml --param title "The Daily Show With Jon Stewart" --param max 4 --param baseURI "http://groucho/" --param thisRelURI "tds.xml" -o "D:\recorded tv\tds.xml"

    For each TV series I run a command like the above and that outputs a podcast for that series into my "D:\Recorded TV\" directory.
  3. Zune only allows http URIs for its podcasts so I installed a web server on my Win MCE server. I'm running Vista Ultimate so it was quick and easy for me to install IIS7 but any Web server will do. Then I pointed it at "D:\Recorded TV\".
  4. Once all the above was done I just subscribed to the resulting podcasts via my Web server and voilà! Since I'm forced to use a Web server I can even run the Zune software on a machine other than my Win MCE server. You can see a screen-shot above of my Zune software showing my Colbert Report podcast.
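The conversion in steps 1 and 2 as an added Python example, not the author's XSLT or the xsltproc.js script: it filters a recordings file down to one series, keeps the newest max episodes, and writes an RSS 2.0 podcast whose enclosures point under baseURI, mirroring the --param title, max, baseURI and thisRelURI parameters of the command above. Recordings.xml's real layout is not shown in the post, so the element and attribute names in SAMPLE_RECORDINGS and the enclosure MIME type are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import format_datetime
from urllib.parse import quote

# Constructed stand-in for Recordings.xml. The real file's element and attribute
# names are not reproduced in the post, so this layout is an assumption.
SAMPLE_RECORDINGS = """<Recordings>
  <Recording title="The Daily Show With Jon Stewart" file="tds_2007-11-20.dvr-ms" start="2007-11-20T23:00:00"/>
  <Recording title="The Daily Show With Jon Stewart" file="tds_2007-11-26.dvr-ms" start="2007-11-26T23:00:00"/>
  <Recording title="The Daily Show With Jon Stewart" file="tds_2007-11-27.dvr-ms" start="2007-11-27T23:00:00"/>
  <Recording title="The Daily Show With Jon Stewart" file="tds_2007-11-21.dvr-ms" start="2007-11-21T23:00:00"/>
  <Recording title="The Colbert Report" file="colbert_2007-11-26.dvr-ms" start="2007-11-26T23:30:00"/>
  <Recording title="The Daily Show With Jon Stewart" file="tds_2007-11-28.dvr-ms" start="2007-11-28T23:00:00"/>
</Recordings>
"""

ENCLOSURE_TYPE = "video/x-ms-dvr"  # assumed MIME type for .dvr-ms recordings


def recordings_to_podcast(recordings_xml, title, max_items, base_uri, this_rel_uri):
    """Build an RSS 2.0 podcast for one series, newest recordings first.

    Parameters mirror the XSLT's --param title / max / baseURI / thisRelURI.
    """
    root = ET.fromstring(recordings_xml)
    episodes = [r for r in root.findall("Recording") if r.get("title") == title]
    # ISO 8601 timestamps sort correctly as strings; newest first, then cap at max.
    episodes.sort(key=lambda r: r.get("start"), reverse=True)
    episodes = episodes[:max_items]

    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    ET.SubElement(channel, "link").text = base_uri + this_rel_uri
    ET.SubElement(channel, "description").text = f"Recorded TV: {title}"
    for ep in episodes:
        start = datetime.fromisoformat(ep.get("start")).replace(tzinfo=timezone.utc)
        # The web server is pointed at the Recorded TV directory, so the file
        # name alone, URL-encoded, is the path under baseURI.
        url = base_uri + quote(ep.get("file"))
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = f"{title} - {start:%Y-%m-%d}"
        ET.SubElement(item, "guid").text = url
        ET.SubElement(item, "pubDate").text = format_datetime(start)
        ET.SubElement(item, "enclosure", url=url, type=ENCLOSURE_TYPE, length="0")
    return ET.tostring(rss, encoding="unicode")


def podcast_enclosure_urls(podcast_xml):
    """Return the enclosure URLs in feed order (useful for checking the output)."""
    root = ET.fromstring(podcast_xml)
    return [e.get("url") for e in root.iter("enclosure")]


if __name__ == "__main__":
    print(recordings_to_podcast(SAMPLE_RECORDINGS, "The Daily Show With Jon Stewart",
                                4, "http://groucho/", "tds.xml"))
```

Run per series from a scheduled task, as in step 2, and write the returned string to the feed file in the directory the web server serves; the feed then carries only that series' four newest recordings.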
Tags: technical xml mce hack windows media center zune windows xslt podcast

Sarah M.'s restaurants | Restaurant menus, reviews and maps on urbanspoon.com

2007 Oct 21, 10:28

Sarah's restaurant reviews on urbanspoon. The site provides feeds of users' reviews too.

Tags: review people sarah-moffatt restaurant

Open Library (Open Library)

2007 Jul 26, 12:12

The folks at the Internet Archive have created a user-modifiable Open Library that intends to catalog all books. As in all of them. Includes links to the books online (Internet Archive for ex.), where to buy (Amazon for ex.), reviews, etc.

Tags: archive library opensource wiki research book books literature catalog reference

Is it just me or is everything great?

2007 May 21, 10:41

FTA: '... product reviews on Amazon give an average rating of 4.2 out of five.' I would've thought people would be more likely to review if they had an unhappy experience with something.

Tags: article review inflation economics technology

Customer Reviews Of Aluratek ABD2020 Bluetooth Wireless 2.0 EDR USB Adapter - Retail

2007 May 11, 1:11

Review of a USB Bluetooth adapter. Several reviews claim that it works with Wii remote.

Tags: bluetooth hardware purchase shopping usb review research:wii-remote

Opera Speed Dial Code-less Hack for IE7

2007 Apr 17, 11:45

Opera (the fifth most popular web browser) has a new feature named Speed Dial (video of it in action). Whenever you open a new tab you get your Speed Dial view which consists of nine thumbnails of user-settable pages. It's like a quick-favorites that appears every time you open a new tab. I think this is a neat idea and was considering how I might do that in IE7. The following is my hack-y and ugly but no coding required version of Speed Dial for IE7. I like my hack and I'm about to expound upon it in unnecessary detail so skip to the last paragraph if you're afraid of losing interest.

By default in IE7, whenever you open a new tab you navigate to 'about:Tabs'. As noted in wikipedia the result of navigation to 'about:Tabs' is determined by values in the registry. Specifically, values in the key in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs". Usually this fact is exploited by malicious software to hijack "about:blank" and show you ads but we can hijack it too in order to display our Speed Dial-ish page.

Of course since this is a code-less hack we've got limited options on what to change 'about:Tabs' to display. It should meet the following requirements.
  1. Something local so that our 'about:Tabs' doesn't disappear when we go offline and so that it's relatively fast.
  2. The user should be able to modify its content.
  3. Show links that the user uses.
  4. Show thumbnails of those links.
  5. Provide easy to use drag and drop interaction and generally look cool.
Now, I use del.icio.us which allows me to store all of my favorites online and which provides RSS feeds that list my saved links. New in IE7 is an RSS platform that will, among other things, cache RSS feeds locally. So, by pointing about:Tabs to my del.icio.us feed 'http://del.icio.us/rss/sequelguy/quickreference' I get (1) from IE7's RSS support, and (2) and (3) from del.icio.us. Of course requirements (4) and (5) are missing but hey, I said this was ugly.
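Because the same AboutURLs key is what hijacking software rewrites, the more useful thing to have is a check that reports when one of the about: pages has been redirected. Added example, not part of the original post: it enumerates the key's values on Windows (returning an empty map elsewhere) and lists any about: page whose target loads http, https, file or ftp content. The registry path is the one named in the post; the choice of suspect schemes, the expectation that stock values use the res:// resource protocol, and the sample values in the usage are assumptions or constructed for the demonstration.

```python
from urllib.parse import urlparse

# Registry path from the post (under HKEY_LOCAL_MACHINE).
ABOUT_URLS_KEY = r"SOFTWARE\Microsoft\Internet Explorer\AboutURLs"

# Assumption: IE's stock about: pages live under its res:// resource protocol,
# so a value that loads web, file or ftp content is the thing worth reporting.
SUSPECT_SCHEMES = {"http", "https", "file", "ftp"}


def read_about_urls_from_registry():
    """Enumerate the AboutURLs values on Windows.

    Returns {} on other platforms or when the key is absent, so the rest of the
    script can still be exercised with a constructed map.
    """
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ABOUT_URLS_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under the key
                values[name] = data
                index += 1
    except OSError:
        return {}
    return values


def find_overridden_about_urls(values):
    """Return sorted (value name, target) pairs whose target uses a suspect scheme."""
    findings = []
    for name, target in values.items():
        scheme = urlparse(str(target)).scheme.lower()
        if scheme in SUSPECT_SCHEMES:
            findings.append((name, target))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample: the Speed Dial change from this post next to a
    # res:// value of the kind the stock entries use.
    sample = {
        "Tabs": "http://del.icio.us/rss/sequelguy/quickreference",
        "blank": "res://mshtml.dll/blank.htm",
    }
    for name, target in find_overridden_about_urls(read_about_urls_from_registry() or sample):
        print(f"about:{name} -> {target}")
```

Run on the machine where the hack was applied, the check reports the Tabs value pointing at the del.icio.us feed; the same report is what you would want to see if anything other than you had changed about:blank.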

In summary, if you change the registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs!Tabs" to point to an RSS feed of your favorites you can get a hack-y version of Opera's Speed Dial. I should note that although it's referenced on pages such as wikipedia, changing your 'about:Tabs' URI in the manner I describe is not documented and not supported by Microsoft. There could be all kinds of horrible repercussions from this change of which I'm not aware. Yeah, actually you know what? Forget I said any of this. Pretend I never wrote it...

Tags: browser technical hack

The Infinite Matrix

2006 Jan 2, 3:51

Sci-Fi stories, reviews, and essays.

Tags: scifi free literature english
Creative Commons License: some rights reserved.