Archive for October, 2009

How not to advertise for a PHP programming job

Wednesday, October 28th, 2009

So I got an email today for a job in Tower Hill (that’s central London). The job came with a simple programming test: write a script that parses a tab-separated file and produces a batch script as the output. They kindly provided a working copy of their solution on their website so you could validate the output of your code.

If I was going to advertise a job in a company and provide an online example of my own code, I’d make darn sure that the script I sent a prospective employee to wasn’t vulnerable to Cross Site Scripting attacks (unless the sole purpose of my online code was to find someone who knew what an XSS flaw was). Eeek. Worse still, as their script seemed to accept either GET or POST variables as inputs (they were probably checking $_REQUEST rather than $_POST or $_GET in their code), it was possible to format a link that injected HTML code straight into their website.

Screenshot of the flaw with 'Cheese!!' being injected.


You can mitigate the threat from these types of attacks by properly sanitizing your variables before they are displayed. If the value is going onto an HTML page and you are expecting an integer, then intval might be a good function to use; if it’s a text field you might try htmlentities. If any data is going into a database then you need to be using mysql_escape_string on all of your variables.
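The mitigation above as an added example (not the company's code and not from the original post): the parameter names `name` and `rows`, the `visitors` table and the sample input are constructed for illustration. For the database step it swaps in PDO bound parameters in place of mysql_escape_string, which was removed from PHP together with the old mysql extension in PHP 7.

```php
<?php
// Added example. $request is constructed sample input standing in for
// $_GET / $_POST; 'name' and 'rows' are hypothetical parameter names.
$request = ['name' => '<b>Cheese!!</b>', 'rows' => '25abc'];

// The flaw described above: request input echoed straight into the page.
function render_unsafe(array $in): string
{
    return '<p>Hello ' . $in['name'] . ', showing ' . $in['rows'] . ' rows</p>';
}

// Validate on the way in: accept only a string for text fields (name[]=x
// arrives as an array) and coerce numeric fields with intval().
function clean_input(array $in): array
{
    $name = (isset($in['name']) && is_string($in['name'])) ? $in['name'] : '';
    $rows = (isset($in['rows']) && is_scalar($in['rows'])) ? intval($in['rows']) : 0;
    return ['name' => $name, 'rows' => $rows];
}

// Encode on the way out, for the HTML context. ENT_QUOTES also encodes
// ' and ", which matters when the value lands inside an attribute.
function render_safe(array $clean): string
{
    $name = htmlentities($clean['name'], ENT_QUOTES, 'UTF-8');
    return '<p>Hello ' . $name . ', showing ' . $clean['rows'] . ' rows</p>';
}

// Store the raw value with bound parameters (PDO, in-memory SQLite here),
// so the query text never contains user data and needs no escaping call.
function store(PDO $db, array $clean): void
{
    $stmt = $db->prepare('INSERT INTO visitors (name, row_count) VALUES (?, ?)');
    $stmt->execute([$clean['name'], $clean['rows']]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visitors (name TEXT, row_count INTEGER)');

$clean = clean_input($request);
store($db, $clean);
echo render_unsafe($request), "\n";
echo render_safe($clean), "\n";
echo $db->query('SELECT COUNT(*) FROM visitors')->fetchColumn(), " row stored\n";
```

The value is stored unencoded and only passed through htmlentities at the point it is written into HTML, so the same record can later be rendered safely into other contexts.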

As I’ve not alerted the company to the flaw I won’t post the URL to the exploit. Luckily the page in question can’t be found within Google’s indexes. I wonder if anyone else will notice…

Learning Adobe Flex

Thursday, October 15th, 2009

Following the success of my Sudoku Solver over the past few days I’ve been practicing my Adobe Flex skills. I’ve now finished converting my Handwriting Recognition tool into Adobe Flex, away from the old SVG/JS mashup that was running it before. This means it’s finally cross-browser compliant and will finally run in Internet Explorer.

I’ve enjoyed my experience developing with Flex; it’s nice to write a web application and find that it runs exactly how you want it to in every browser. A refreshing change from Javascript/CSS.

I’ll release the source code shortly.

Big Endian, Little Endian and Gulliver’s Travels

Friday, October 9th, 2009

So I was at the Perl Mongers meeting last night in London and got talking to someone who assured me there was a story behind the terms big endian and little endian. I was somewhat skeptical, but they went on to explain that the terms’ origin comes from the 1726 novel Gulliver’s Travels by Jonathan Swift and has something to do with an egg.

Anyhow, since then I’ve done a little bit of research and it turns out that the terms do indeed come from Gulliver’s Travels. Basically Lilliput and Blefuscu were two rival groups, at war over the way they ate their soft boiled eggs. The Lilliputians said that the best way was to open them at the little end (little endian), while the Blefuscudians considered it better to open them at the big end (big endian). This is apparently where the terms originate.

I’d still love to know who first coined the terms and if there are any more weird computer terms that have their origins in bizarre places… as a side note, did you know that Charles Babbage invented the Cowcatcher?

Secure your wifi connection using SSL + mod_proxy

Monday, October 5th, 2009

Being ultra paranoid about using other people’s Wifi connections, I’ve come up with a solution to make things a little safer. It’s by no means new, having been around for quite a while, but it works well. I’ve set up Apache on my web server to act as a proxy server for connections originating from 127.0.0.1. I then create a secure tunnel from my local machine using SSH and direct my web browser to connect using my new secure proxy. This is great for extra security when browsing the internet and checking emails on insecure wifi networks.

If you want to set up your own proxy you’ll need Apache installed with mod_proxy, mod_proxy_http and mod_proxy_ftp; you’ll also need ssh access to a server that’s secure. Once Apache and mod_proxy are installed you need to add the following lines to your Apache config file.

ProxyRequests Off

Listen 127.0.0.1:80

<VirtualHost 127.0.0.1>
        ProxyRequests On
        ProxyPreserveHost On

        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog /tmp/proxy_log common
</VirtualHost>

The ProxyRequests Off line is very important, as it stops anyone who can’t connect to 127.0.0.1 from using your proxy server.

Once you’ve done that you just need to set up your SSH tunnel:

ssh -p 22 user@yourserver.com -N -f -L 127.0.0.1/4444/127.0.0.1/80

This will connect from your computer to the sshd server on port 22, listen on the local port 4444 and connect to your proxy running on port 80 on 127.0.0.1 on your server. Once that has been done, just change your browser proxy settings to connect to 127.0.0.1:4444.

Your setup will go from looking like this, where your data is being sent over an insecure wifi connection:

A normal browsing using a WiFi enabled laptop

To this setup, where your data is encrypted via a tunnel and passed to a server that is connected to the internet:

Browsing using an SSH tunnel and Proxy server via WiFi


Now your crummy wifi connection is a little bit more secure (for all requests over the proxy at least)…