upload - Dave's Blog

Retweet of DrScienceCat

2015 Jun 24, 1:29
The Smithsonian uploaded this today pic.twitter.com/S6lWvgm0Pw

Retweet of DrPizza

2015 Feb 11, 12:38
btw, @fxshaw, if Microsoft wants to rebrand with my new logo, I'm sure we can come to a suitable arrangement. http://cdn.arstechnica.net/wp-content/uploads/2015/02/cool-microsoft1-300x150.png …

picjumbo

2014 Jan 5, 2:22

totally free photos for your commercial & personal works

Tags: photo free photography

Stripe CTF - Level 5

2012 Sep 11, 5:00

Level 5 of the Stripe CTF revolved around a design issue in an OpenID-like protocol.

Code

    def authenticated?(body)
      body =~ /[^\w]AUTHENTICATED[^\w]*$/
    end

    ...

    if authenticated?(body)
      session[:auth_user] = username
      session[:auth_host] = host
      return "Remote server responded with: #{body}." \
        " Authenticated as #{username}@#{host}!"

Issue

This level is an implementation of a federated identity protocol. You give it an endpoint URI and a username and password; it posts the username and password to the endpoint URI, and if the response is 'AUTHENTICATED' then access is allowed. It is easy to be authenticated on a server you control, but this level requires you to authenticate from the server running the level. This level only talks to Stripe CTF servers, so the first step is to upload a document containing the text 'AUTHENTICATED' to the level 2 server; we can now authenticate on a level 2 server. Notice that the level 5 server dumps out the content of the endpoint URI, and that the regexp it uses to detect the text 'AUTHENTICATED' can match on that dump. Accordingly I uploaded an authenticated file to

https://level02-2.stripe-ctf.com/user-ajvivlehdt/uploads/authenticated
Using that as my endpoint URI means authenticating as level 2. I can then choose the following endpoint URI to authenticate as level 5.
https://level05-1.stripe-ctf.com/user-qtoyekwrod/?pingback=https%3A%2F%2Flevel02-2.stripe-ctf.com%2Fuser-ajvivlehdt%2Fuploads%2Fauthenticated&username=a&password=a
Navigating to that URI results in the level 5 server telling me I'm authenticated as level 2 and listing the text of the level 2 file, 'AUTHENTICATED'. Feeding this back into the level 5 server as my endpoint URI means level 5 sees 'AUTHENTICATED' coming back from a level 5 URI.

Notes

I didn't see any particular code review red flags; really the issue here is that the regular expression testing for 'AUTHENTICATED' is too permissive and the protocol itself doesn't do enough. The protocol requires only a set piece of common literal text to be returned, which makes it easy for a server to accidentally fall into authenticating. Having the endpoint URI have to return variable text based on the input would make it much harder for a server to accidentally authenticate.
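To make the two points above concrete, here is an added Ruby example (mine, not the CTF's server code): the level's regex reproduced beside a challenge-response check in which the endpoint has to return text derived from a fresh random value. The sample bodies are constructed; the one standing in for the dumping page assumes the uploaded file ended with a newline, which matters because Ruby's $ anchors at end of line, not end of string. The shared secret, the HMAC construction and the AUTHENTICATED: prefix are my design choices, not part of the original protocol.

```ruby
require 'securerandom'
require 'openssl'

# The level's own test, reproduced for comparison. In Ruby, ^ and $ are
# line anchors, so this matches any line that ends in AUTHENTICATED
# (preceded by one non-word character) anywhere inside a larger body.
LEGACY_RE = /[^\w]AUTHENTICATED[^\w]*$/

def legacy_authenticated?(body)
  !(body =~ LEGACY_RE).nil?
end

# Hardened variant (a hypothetical design, not the CTF's code): the relying
# party issues a fresh random challenge per login attempt and the endpoint
# must answer with an HMAC over that challenge under a secret shared with
# that specific endpoint. A static file, or a page that merely echoes
# another server's output, cannot produce this value.
def new_challenge
  SecureRandom.hex(16)
end

def expected_reply(shared_secret, challenge)
  "AUTHENTICATED:" + OpenSSL::HMAC.hexdigest("SHA256", shared_secret, challenge)
end

# Constant-time equality so the comparison itself does not leak how many
# leading bytes of a reply were right.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The whole body must equal the expected reply: no substring, no line anchors.
def hardened_authenticated?(body, shared_secret, challenge)
  secure_eq(body.strip, expected_reply(shared_secret, challenge))
end

# What a well-behaved endpoint returns for a given challenge.
def honest_endpoint(shared_secret, challenge)
  expected_reply(shared_secret, challenge)
end

# Constructed sample bodies (not captured from the CTF servers): a static
# uploaded file, and a relying-party page that dumps that file's contents.
STATIC_FILE = "\nAUTHENTICATED\n"
DUMP_PAGE = "Remote server responded with: #{STATIC_FILE}. Authenticated as a@example.test!"

if __FILE__ == $0
  secret = "constructed-shared-secret"
  c = new_challenge
  puts "legacy accepts static file: #{legacy_authenticated?(STATIC_FILE)}"
  puts "legacy accepts dump page:   #{legacy_authenticated?(DUMP_PAGE)}"
  puts "hardened accepts honest:    #{hardened_authenticated?(honest_endpoint(secret, c), secret, c)}"
  puts "hardened accepts dump page: #{hardened_authenticated?(DUMP_PAGE, secret, c)}"
end
```

The legacy regex accepts both constructed bodies because a line ending in AUTHENTICATED exists in each; the hardened check accepts only a reply computed for this attempt's challenge, so a reply for a different challenge or a different secret is rejected as well.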

Tags: internet openid security stripe-ctf technical web

Stripe CTF - Input validation (Levels 1 & 2)

2012 Sep 6, 5:00

Levels 1 and 2 of Stripe's web security CTF both had missing input validation issues; the solutions are described below.

Level 1

Code

    $filename = 'secret-combination.txt';
    extract($_GET);
    if (isset($attempt)) {
        $combination = trim(file_get_contents($filename));
        if ($attempt === $combination) {

Issue

The issue here is the use of PHP's extract function, which takes a map of name/value pairs and creates a corresponding local variable for each one. This code passes it $_GET, which is the map of name/value pairs from the query string of the URI. The expected behavior is to get an attempt variable out, but since no input validation is done I can also provide a filename variable and overwrite the value of $filename. Providing an empty string gives an empty string $combination, which I can match with an empty string $attempt. So without knowing the combination I can get past the combination check.

Notes

The code review red flag in this case was the direct use of $_GET with no validation. Instead of using extract, the developer could read just the attempt variable out of $_GET explicitly.
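The same flaw and the explicit-read fix, as an added Ruby example of mine rather than the level's PHP: Binding#local_variable_set stands in for extract($_GET), copying every query parameter onto the handler's locals, and php_like_read mirrors PHP's behaviour where file_get_contents('') yields false and trim() turns that into an empty string. The secret file is a constructed temp file, not the CTF's secret-combination.txt.

```ruby
require 'tempfile'

# Constructed stand-in for secret-combination.txt (kept in a constant so the
# Tempfile is not garbage-collected and unlinked while the code runs).
SECRET_FILE = Tempfile.new("secret-combination")
SECRET_FILE.write("6295\n")
SECRET_FILE.flush

# PHP's file_get_contents('') returns false, which trim() turns into "";
# this helper mirrors that so the Ruby version fails the same way.
def php_like_read(path)
  File.file?(path) ? File.read(path) : ""
end

# Vulnerable: every query parameter is copied into a local variable, which is
# what extract($_GET) does. A "filename" parameter silently replaces the
# server's own, so the secret is read from wherever the client says.
def vulnerable_check(query)
  filename = SECRET_FILE.path
  attempt = nil
  b = binding
  query.each { |name, value| b.local_variable_set(name.to_sym, value) }
  return false if attempt.nil?
  attempt == php_like_read(filename).strip
end

# Hardened: read exactly the one parameter the page expects and ignore the
# rest of the query, so nothing outside the server can influence $filename.
def hardened_check(query)
  attempt = query["attempt"]
  return false unless attempt.is_a?(String)
  attempt == File.read(SECRET_FILE.path).strip
end
```

With the query {"attempt" => "", "filename" => ""} the vulnerable handler compares two empty strings and lets the request through; the hardened handler compares the empty attempt against the real combination and rejects it.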

Level 2

Code

    $dest_dir = "uploads/";
    $dest = $dest_dir . basename($_FILES["dispic"]["name"]);
    $src = $_FILES["dispic"]["tmp_name"];
    if (move_uploaded_file($src, $dest)) {
        $_SESSION["dispic_url"] = $dest;
        chmod($dest, 0644);
        echo "Successfully uploaded your display picture.";
    }

Issue

This code accepts POST uploads of images but does no validation to ensure the upload is not an arbitrary file. Even though it uses chmod to ensure the file is not executable, things like PHP don't require a file to be executable in order to run it. Accordingly, one can upload a PHP script, then navigate to that script to run it. My PHP script dumped out the contents of the file we're interested in for this level:

Notes

Code review red flags include manual file management, chmod, and use of file and filename inputs without any kind of validation. If this code controlled the filename and ensured that the extension was one of a set of image extensions, that would solve the issue. Due to browser MIME sniffing, it's additionally a good idea to serve a content-type that starts with "image/" for these uploads, to ensure browsers treat them as images and don't sniff for script or HTML.
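An upload handler that applies those three points, as an added Ruby example of mine (not the level's PHP): the server chooses the stored filename, the extension and the Content-Type are derived from the file's leading bytes rather than from the client's name, and the file is created without execute bits and without overwriting. The signature table, the size limit and the sample uploads are constructed for the example.

```ruby
require 'securerandom'
require 'fileutils'
require 'tmpdir'

# Accepted image types keyed by their leading bytes ("magic numbers").
# Extension and MIME type come from the detected content, never from the
# client-supplied name. (Constructed allowlist for this example.)
IMAGE_SIGNATURES = {
  "\x89PNG\r\n\x1a\n".b => ["png", "image/png"],
  "\xFF\xD8\xFF".b      => ["jpg", "image/jpeg"],
  "GIF87a".b            => ["gif", "image/gif"],
  "GIF89a".b            => ["gif", "image/gif"],
}.freeze

MAX_BYTES = 2 * 1024 * 1024

# Returns [extension, mime] for a recognised image, or nil.
def detect_image(data)
  bytes = data.b
  IMAGE_SIGNATURES.each do |magic, (ext, mime)|
    return [ext, mime] if bytes.start_with?(magic)
  end
  nil
end

# Store an upload only if it looks like an image. Returns a hash with the
# server-chosen path and the Content-Type to serve it with, or nil on reject.
def store_upload(client_name, data, dest_dir)
  return nil if data.bytesize > MAX_BYTES
  ext, mime = detect_image(data)
  return nil if ext.nil?
  # The client's filename is kept only for display/logging: the stored name is
  # random, and its extension is the one matching the detected type.
  FileUtils.mkdir_p(dest_dir)
  path = File.join(dest_dir, "#{SecureRandom.hex(16)}.#{ext}")
  # O_EXCL: never overwrite an existing file; 0644: readable, not executable.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0644) { |f| f.write(data) }
  { path: path, content_type: mime, original_name: File.basename(client_name) }
end

# Constructed sample uploads (not real images): a PNG header plus filler, and
# a PHP script whose name claims it is an image.
SAMPLE_PNG = "\x89PNG\r\n\x1a\n".b + ("\x00".b * 32)
SAMPLE_SCRIPT = "<?php echo 'not an image'; ?>".b

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    p store_upload("avatar.png", SAMPLE_PNG, dir)
    p store_upload("avatar.php", SAMPLE_SCRIPT, dir)   # nil: rejected
    p store_upload("avatar.png", SAMPLE_SCRIPT, dir)   # nil: name is not trusted
  end
end
```

The response that serves the stored file should send the content_type from the returned hash, so that the browser never has to guess what the bytes are.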

Tags: input-validation php security technical

Stripe Web Security CTF Summary

2012 Aug 30, 5:00

I was the 546th person to complete Stripe's web security CTF and again had a ton of fun applying my theoretical knowledge of web security issues to the (semi-)real world. As I went through the levels I thought about what red flags jumped out at me (or should have) that I could apply to future code reviews:

Level 0
  Issue: Simple SQL injection
  Code review red flags: No encoding when constructing SQL command strings. Constructing SQL command strings instead of SQL API.

Level 1
  Issue: extract($_GET);
  Code review red flags: No input validation.

Level 2
  Issue: Arbitrary PHP execution
  Code review red flags: No input validation. Allow file uploads. File permissions modification.

Level 3
  Issue: Advanced SQL injection
  Code review red flags: Constructing SQL command strings instead of SQL API.

Level 4
  Issue: HTML injection, XSS and CSRF
  Code review red flags: No encoding when constructing HTML. No CSRF counter measures. Passwords stored in plain text. Password displayed on site.

Level 5
  Issue: Pingback server doesn't need to opt-in
  Code review red flags: n/a - By design protocol issue.

Level 6
  Issue: Script injection and XSS
  Code review red flags: No encoding while constructing script. Deny list (of dangerous characters). Passwords stored in plain text. Password displayed on site.

Level 7
  Issue: Length extension attack
  Code review red flags: Custom crypto code. Constructing SQL command string instead of SQL API.

Level 8
  Issue: Side channel attack
  Code review red flags: Password handling code. Timing attack mitigation too clever.

More about each level in the future.

Tags: code-review coding csrf html internet programming script security sql stripe technical web xss

Kim Dotcom image macros?

2012 Jun 26, 6:58

Tags: humor legal technical kim-dotcom mega megaupload politics twitter

Changing Windows Live IDs

2012 Jun 6, 2:54

Use of my old Hotmail account has really snuck up on me as I end up caring more and more about all of the services with which it is associated. The last straw is Windows 8 login, but previous straws include Xbox, Zune, SkyDrive, and my Windows 7 Phone. I like the features and syncing associated with the Windows Live ID, but I don't like my old, spam-filled Hotmail email address on the Live ID account.

A coworker told me about creating a Live ID from a custom domain, which sounded like just the ticket for me. Following the instructions above I was able to create a new deletethis.net Live ID but the next step of actually using this new Live ID was much more difficult. My first hope was there would be some way to link my new and old Live IDs so as to make them interchangeable. As it turns out there is a way to link Live IDs but all that does is make it easy to switch between accounts on Live Mail, SkyDrive and some other webpages.

Instead one must change over each service or start over depending on the service:

Xbox
In the Xbox 360 system menu you can change the Live ID associated with your gamertag. This worked fine for me and I got an email telling me about the transfer of my Microsoft Points.
Zune
There's no way to do this for the Zune specifically, however changing over your Xbox account also transfers over all your Zune purchased content. I don't have a Zune Pass so I can't confirm that, but all of my previously purchased television shows transferred over successfully.
Windows 7 Phone
To change the main Live ID associated with your phone, reset your phone to factory default and start over. All purchased applications are lost. Had I purchased any applications I would have been pissed, but instead I was just irritated that I had to reset my phone.
Mail
I don't use my Hotmail account for anything and it only sits and collects spam. Accordingly I didn't attempt switching this over.
SkyDrive
I didn't have much in my SkyDrive account. I downloaded all files as a zip and then manually uploaded them to the new account.
Tags: hotmail domain win8 skydrive technical windows live-id

Raising the bar on web uploads

2012 Apr 25, 5:00

Flickr’s new HTML5-ish photo upload feature technical overview.

Tags: technical html html5 javascript css3 css flickr file-upload

Three arguments against the singularity - Charlie's Diary

2011 Jul 1, 10:09

"I periodically get email from folks who, having read "Accelerando", assume I am some kind of fire-breathing extropian zealot who believes in the imminence of the singularity, the uploading of the libertarians, and the rapture of the nerds. I find this mildly distressing, and so I think it's time to set the record straight and say what I really think. Short version: Santa Claus doesn't exist."

Tags: scifi singularity charles-stross future fiction

Listen to Max Tannone and Watch Moon

2011 Feb 23, 1:13
Max Tannone does awesome remix albums:


Also, the movie Moon is really good on a variety of points. Sam Rockwell and the voice of Kevin Spacey! It's available on Netflix Watch Instantly so you have no excuse!

Ajaxian » Drag and drop file uploads in Gmail using just the specs

2010 Apr 15, 1:52

Gmail now allows you to drag and drop files to make them attachments. This is HTML5 drag and drop plus the File API. Awesome.

Tags: html html5 gmail google file drag-and-drop technical

(Video) Panic Attack! And The Power Of The Web - PSFK

2009 Dec 21, 3:40

"“I uploaded (Panic Attack!) on a Thursday and on Monday my inbox was totally full of e-mails from Hollywood studios,” he told the BBC's Latin American service BBC Mundo. “It was amazing, we were all shocked.”" And I can see why -- it's a good video.

Tags: video scifi robot youtube hollywood

Official Google Blog: Automatic captions in YouTube

2009 Nov 20, 2:31

YouTube now does automatic captioning in some cases and automatic timing in all cases. Automatic timing lets you upload a transcript with a video, and YouTube will do speech to text and figure out when the various parts of the transcript need to be displayed.

Tags: youtube video caption accessibility audio subtitles technical

Recap Firefox Extension | "turning PACER around"

2009 Aug 14, 3:55

The government program PACER is an online archive of court records, and even though the documents are public domain, PACER charges for access to them, ostensibly to pay for PACER. This plugin uses the Internet Archive as a kind of free intermediate cache, rewriting the PACER HTML to reference the free Internet Archive versions of the documents when available and uploading PACER documents to the IA cache when you download one it doesn't yet have.

Tags: via:waxy firefox government politics research reference legal law plugin technical

Ajaxian » W3C publish first working draft of File API

2009 Aug 12, 5:02

W3C File API makes it to first published working draft. Like the use of data URLs, don't like the new filedata URLs.

Tags: html5 w3c file upload script url data-scheme technical

W3C File Upload API

2009 Jul 27, 5:34

"This specification provides an API used to prompt the user with a file selection dialogue and obtain the data contained in files on the user's file system."

Tags: web w3c api upload script dom technical

Gravatar - Globally Recognized Avatars

2009 Apr 20, 3:37

Web service that hosts avatar images for things like blog comments. The image is ID'ed by a hash of the user's email address. Auto generated, or if the user signs up, the image can be whatever they upload. Lots of plugins for different blogging platforms.

Tags: blog web photo avatar image authentication identity icon hash

CW 11 Files Copyright Claim at Improv Everywhere

2009 Apr 15, 7:38

Improv Everywhere's "Best Funeral Ever" April Fools prank is reported as news and then runs into copyright issues: "The biggest fools of all were the CW 11 news team who reported on the funeral as if it actually happened... I of course uploaded their story to my personal YouTube channel to show the world their lack of journalism skills. Tonight I got a copyright notice from YouTube informing me that Tribune ... had filed a copyright claim against the video and that it had been removed."

Tags: copyright humor video prank improv-everywhere funeral via:boingboing

Photosynth of my Office

2008 Aug 26, 11:08

Tags: microsoft photosynth photo office nontechnical

Creative Commons License. Some rights reserved.