AJAX Security

I read an interesting article today over at Darknet. It brings to light some of the “new” techniques that can be used to exploit newer Web 2.0 applications.

The article was an interesting read and got me thinking about application security again. I find myself spending more and more time on security in an application, and less time on features and actual logic. Generally I’m splitting coding time between idiot-proofing the application so the end user is forced to put in the right data, and hack-proofing the code against would-be hackers. Even with custom frameworks to handle the boring bits, it still takes a lot of time and effort to make sure you’ve covered your bases. Oh well, such is the world we live in nowadays.

The new ways to exploit applications are interesting as well. Actually, most of them aren’t new, but rather the same old hacks used to exploit the new way of doing things. For instance, in an AJAX application you pass information between the browser and the server, behind the scenes. OK, all well and good, but how do you make sure you’re still talking to the original browser that opened the request? You could use a cookie, or perhaps some sort of a session ID. Maybe a combination of the two. And on top of it, you might check the User-Agent string and the Referer header. Mind you, this can all be spoofed. In fact, spoofing the User-Agent and Referer is trivial with tools like curl (-A and -e) and wget (--user-agent and --referer), so neither one tells you anything about who is really on the other end. So what is the best way to secure these apps?

I haven’t really started working with AJAX very seriously, so I haven’t done much research into the matter. But, thinking about it, maybe there is a way to secure things a little better? Perhaps a variable in the browser’s memory rather than a cookie? Combined with a session ID? Right now I like to secure my apps by using a combination of a session ID, the IP address of the user, and a cookie with seemingly random data in it. This has worked pretty well thus far, but I’m not sure how hard anyone has tried to hack it. I’m definitely interested in more security, though, provided it doesn’t slow things to a grinding halt.
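To make that last idea concrete, here is an added example (mine, not code from the post or from any framework it mentions) of the usual way to do it: the server generates a random token per session, writes it into a JavaScript variable on the page, and the AJAX endpoint checks that each request carries that token in a header and that it matches the one held in the server-side session. The header name X-Ajax-Token, the endpoint path /ajax/tasks.php and the three constructed requests at the end are assumptions for illustration only.

```php
<?php
// Added example: an AJAX request token that lives in the page's JavaScript
// memory, not in a cookie. The session cookie still identifies the session;
// the token proves the request was issued by a page this server rendered.
// User-Agent and Referer are deliberately not consulted: curl sets both.
declare(strict_types=1);

// Create the per-session token once. $session stands in for $_SESSION so the
// example runs from the command line (PHP 7+ for random_bytes()).
function issueAjaxToken(array &$session): string
{
    if (empty($session['ajax_token'])) {
        $session['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $session['ajax_token'];
}

// Render the page. The token goes into a script variable, so it exists only in
// the memory of the page that received it; another site cannot read it, and a
// script that merely replays the session cookie never sees it.
function renderPage(string $token): string
{
    $js = json_encode($token, JSON_HEX_TAG | JSON_HEX_AMP);
    return <<<HTML
<div id="tasks"></div>
<script type="text/javascript">
var ajaxToken = {$js};
function loadTasks() {
    var xhr = new XMLHttpRequest(); // IE6 needs the ActiveXObject fallback, omitted here
    xhr.open('POST', '/ajax/tasks.php', true); // assumed endpoint
    xhr.setRequestHeader('X-Ajax-Token', ajaxToken);
    xhr.onreadystatechange = function () {
        if (xhr.readyState === 4 && xhr.status === 200) {
            document.getElementById('tasks').innerHTML = xhr.responseText;
        }
    };
    xhr.send('action=list');
}
</script>
HTML;
}

// Endpoint side. In /ajax/tasks.php $session would be $_SESSION after
// session_start(), and the header arrives as $_SERVER['HTTP_X_AJAX_TOKEN'].
function ajaxRequestIsAuthorized(array $session, array $headers): bool
{
    if (!isset($session['ajax_token'], $headers['X-Ajax-Token'])) {
        return false;
    }
    // Constant-time comparison; == would leak the token byte by byte through timing.
    return hash_equals($session['ajax_token'], (string) $headers['X-Ajax-Token']);
}

$session = [];
$token   = issueAjaxToken($session);
echo renderPage($token);

// Constructed requests: one from the page, one forged with curl-style headers
// and the session cookie only, one with a guessed token.
$fromPage = ['X-Ajax-Token' => $token, 'User-Agent' => 'Mozilla/5.0'];
$forged   = ['User-Agent' => 'Mozilla/5.0', 'Referer' => 'https://app.example/tasks'];
$guessed  = ['X-Ajax-Token' => bin2hex(random_bytes(32))];

foreach (['page' => $fromPage, 'forged' => $forged, 'guessed' => $guessed] as $label => $headers) {
    printf("%-8s %s\n", $label, ajaxRequestIsAuthorized($session, $headers) ? 'accepted' : 'rejected');
}
```

Because the token is never put in a cookie, a request that only presents the session cookie (a cross-site form post, or curl with a copied cookie jar and a forged User-Agent and Referer) fails the check; only script running in the page the server rendered has the value. It does nothing against script injected into that same page (XSS) or against a stolen cookie plus a stolen token, so it complements the session ID rather than replacing it, and it should be regenerated together with the session ID (session_regenerate_id()) after login.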

Of course, there’s always the one true way for security. Unplug it. Turn it off. If it’s not running, it can’t be broken into.. Well, not yet anyways.. There’s always the quantum level.

Qmail SPP 0.42

Pawel Foremski is preparing to release the latest version (0.42) of his qmail-spp patch for qmail. This incredibly useful patch allows you to modify the behaviour of qmail, on the fly, through the use of external scripts. These external scripts can be written in any programming language that can read STDIN and write STDOUT. I have found this to be incredibly useful and it has helped tremendously when targeted by spammers and viruses.

There was some initial concern about the overhead involved with calling an external program for processing, but my fears have been calmed since then. I’ve seen this patch in production on machines processing over 250,000 emails per day. That’s a LOT of email.

The patch allows you to inject special processing at specific stages of the qmail-smtpd session: HELO/EHLO, MAIL, RCPT, DATA and (if your qmail-smtpd carries an AUTH patch) AUTH. There is also a hook that runs when the client connects, before any data is exchanged between client and server. These six hooks give you a massive amount of power. For instance, you can interrupt the session right after the HELO/EHLO and run an SPF plugin. Or you can inspect the recipient address at the RCPT stage: is the domain one this server accepts mail for, does that mailbox actually exist (basically a chkusr function), and if the domain is not local, is this client allowed to relay through us? Tarpitting is fairly simple at the RCPT level as well. The initial connection is a great time to check blacklists. In fact, you can point qmail-spp at different config files depending on where the connection originates, and so use different RBL lists depending on the source: skip RBL checks altogether for known local connections, and use a wider range of blocklists for external connections. All in all, the flexibility is incredible.
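As an added illustration of the RCPT-stage checks described above (this is my example, not one of the plugins shipped with qmail-spp and not code from the post), here is a small recipient-check plugin. It reads the RCPT argument and prints reply lines in the form the qmail-spp README describes: a line beginning with E is sent to the client as an error reply and rejects the command, a line beginning with L goes to the log, and printing nothing accepts. Those letters, the SMTPRCPTTO and RELAYCLIENT environment variables, and the idea that the argument also arrives on STDIN are assumptions to verify against the README of the version you install; the local-domain and mailbox lists are constructed for the example.

```php
#!/usr/bin/env php
<?php
// Added example of a qmail-spp plugin for the RCPT hook: refuses mail for
// unknown local mailboxes (a chkusr check) and refuses to relay for clients
// that tcpserver did not mark with RELAYCLIENT. Not part of qmail-spp itself.
//
// Protocol assumptions, to be checked against the qmail-spp README:
//   - the argument of the RCPT command is in $SMTPRCPTTO (and on STDIN);
//   - a line on STDOUT starting with 'E' is sent to the client as an error
//     reply (with the SMTP code you supply) and the command is rejected;
//   - a line starting with 'L' is written to the log;
//   - printing nothing lets the command through to the next plugin.
// Needs PHP 7.1+ for the nullable types.
declare(strict_types=1);

// Constructed sample data; a real plugin would read control/rcpthosts and the
// user database (vpopmail, users/assign, ...) instead.
const LOCAL_DOMAINS = ['example.com', 'example.org'];
const LOCAL_USERS   = ['postmaster@example.com', 'jim@example.com', 'abuse@example.org'];

/** Pull "user@domain" out of forms like "TO:<user@domain>" or "<user@domain>". */
function extractAddress(string $arg): ?string
{
    if (preg_match('/<?([^<>\s@]+@[^<>\s@]+)>?/', $arg, $m) !== 1) {
        return null;
    }
    return strtolower($m[1]);
}

/**
 * Decide what to tell qmail-smtpd. Returns the protocol lines to print;
 * an empty list means "accept". Kept pure so it can be exercised offline.
 */
function decideRcpt(?string $rcpt, bool $relayClient): array
{
    if ($rcpt === null) {
        return ['E501 syntax error in recipient address'];
    }
    $domain = substr($rcpt, strpos($rcpt, '@') + 1);

    if (!in_array($domain, LOCAL_DOMAINS, true)) {
        // Not our domain: only clients tcpserver tagged as RELAYCLIENT may relay.
        return $relayClient
            ? ["Lrelaying to $rcpt for RELAYCLIENT"]
            : ["Lrelay attempt to $rcpt refused",
               "E553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"];
    }
    if (!in_array($rcpt, LOCAL_USERS, true)) {
        // chkusr: reject at RCPT time instead of accepting and bouncing later,
        // which is what turns a server into a backscatter source.
        return ["Lno such mailbox: $rcpt",
                'E550 sorry, no mailbox here by that name (#5.1.1)'];
    }
    return [];
}

function main(): void
{
    $arg = getenv('SMTPRCPTTO');
    if ($arg === false) {
        $arg = (string) fgets(STDIN); // assumption: the argument is also passed on STDIN
    }
    // tcpserver sets RELAYCLIENT (usually to an empty string) for hosts allowed
    // to relay, so test for presence, not truthiness.
    $relayClient = getenv('RELAYCLIENT') !== false;

    foreach (decideRcpt(extractAddress(trim($arg)), $relayClient) as $line) {
        echo $line, "\n";
    }
}

main();
```

The 553 and 550 texts are qmail’s own wording for the same refusals, so clients and log scrapers see nothing unfamiliar. To try the decision logic without a mail server, run it under the CLI with SMTPRCPTTO set in the environment, with and without RELAYCLIENT exported.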

I highly recommend the use of this patch for any qmail installation intended for normal mail use. Obviously if you’re never going to allow mail delivery, there’s no real point, but if you need a strong, secure mail server, this is definitely a step in the right direction. In fact, I worked with Pawel to create a patch that will work with the SMTP AUTH/TLS patch that Bill Shupp put together. Bill has a nice page with a complete qmail toaster on it. His toaster was the basis for my own foray into the qmail scene, and I owe a lot to the work he’s done. I’ve built my own toaster based loosely on his, but using the qmail-spp patch, and some of my own experience. You can find my toaster by either clicking here, or on the link to the right.

Review: Daxter (PSP)

Anticipation : 9
Expectation : 9
Initial Reaction : 10
Overall : 10
Genre : Third-Person Action/Adventure

To say I was expecting a lot from Daxter would be an understatement. I wasn’t aware of Daxter as a title initially, but I became aware of it when the Big Boss at Ready At Dawn spoke out against other PSP Devs. Bold words, so I had to check out the game..

The premise is pretty simple. Daxter is in town, not working with Jak at the moment. He boasts a bunch at a bar and an elderly exterminator hires him to kill bugs. OK, it sounds kinda corny, but it’s actually a pretty decent game. I’m not too far into the story, but it’s pretty decent so far.

The gameplay is top notch. Your primary weapon, at least to start, is a glorified bug swatter, electrified of course. Then comes the canister of bug spray, and then.. well, you’ll see. So far most of the game is on foot, but there are some vehicle sequences. There are some dream sequences too, but I’ll leave those up to you to find. They are interesting though.. :P

You have the choice of using the D-Pad or the analog stick to move Daxter, and the left and right shoulder buttons to spin the camera. Very effective, and nothing new. I’ve seen it used in other games, so I don’t think there’s anything new there. It works though, and very effectively on the PSP.

The RaD boss was right. Just because it’s a handheld, or only has one analog stick, doesn’t mean it can’t have good games. Daxter is excellent and I highly recommend it.

K I S S

I’ve been perusing the boards over at PHP Freaks lately and I’ve noticed a few annoying practices that I want to highlight. In my experience, keeping things as simple as possible helps to keep the code clean and usable. It’s easier to debug, easier to change, and lasts longer. When dealing with something like PHP, you inevitably run into the problem of differentiating languages. PHP, HTML, CSS, JavaScript, UGH! Far too many people combine everything in one file and try to make sense of it. It’s rough enough for some people to keep one language straight, let alone four. So, let’s use some common sense. It’s possible to separate them, so why don’t we?

Let’s start with the simple ones. CSS and Javascript are easily put in separate files. Creating a .js and .css file is a good practice and should be a standard step in all web creation. Granted, this should be done with some additional common sense. Creating either file for one or two small additions is not necessary unless those functions/definitions are used frequently through several pages.

So, we’ve removed 2 of the 4 languages and separated them out to their own files. How about the PHP and HTML? Well, there’s a fairly easy solution there too. I, personally, use the Smarty Template Engine. I believe there are other template systems out there, but Smarty works for me and I like it. Basically, you put all your php code in one file, make calls to $smarty->assign() and variables from php appear as Smarty variables in the template. From there you can easily “print” them in the template by using something like {$var} … Extremely flexible. Smarty also allows you to do some primitive programming. Enough to make it useful, but not so much that you get confused once more by 2 languages in one file.

So now we’ve separated everything into its own file. It’s easier to read, easier to understand, and easier to make changes. Imagine being able to simply change the HTML only and not worry about impacting the logic in the PHP program! Ahh.. flexibility!

Next on my pet peeve list is programmers who just won’t use functions like sprintf(). Let’s try an example here. Which looks simpler:

$query = 'SELECT id, name, age, salary FROM users WHERE name LIKE "%' . $name . '%" AND age > ' . $age . ' AND salary > ' . $salary . ' ORDER BY name';

or this:

$query = sprintf('SELECT id, name, age, salary FROM users WHERE name LIKE "%%%s%%" AND age > %d AND salary > %f ORDER BY name', $name, $age, $salary);

Now, at first glance, the second one looks a little suspect. That’s because I chose what might be considered an ugly example. But an experienced programmer can tell at a glance what type each of the three variables in the query is meant to be: %s a string, %d an integer, %f a float. In addition to looking a little nicer, you also gain some security, at least for the numeric fields. If someone sneaks a string in for $age, %d converts it to an integer ("30 OR 1=1" becomes 30, "abc" becomes 0) and whatever SQL they were hoping to add never reaches the query. %s offers $name no such protection: a quote inside $name still closes the LIKE literal, so that field still has to be escaped or, better, bound as a query parameter. So even if you skip sanitizing your variables, you still get a little bit of security for free. (Don’t skip sanitization…)
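To make that last point concrete, here is an added example (mine, not the post’s code) that runs the sprintf() form of the query against a throwaway SQLite database through PDO, once with a hostile $name and once with a hostile $age, and then runs the same query with bound parameters. The table and its rows are constructed for the demonstration, and the SQL uses single quotes around the LIKE pattern so it is valid in SQLite as well as MySQL.

```php
<?php
// Added example: what sprintf() does and does not protect against in a query,
// and the bound-parameter form that makes the question moot. Runs stand-alone
// on PHP 7+ with the pdo_sqlite extension; the table and rows are constructed.
declare(strict_types=1);

function seedDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, salary REAL)');
    $insert = $db->prepare('INSERT INTO users (name, age, salary) VALUES (?, ?, ?)');
    foreach ([['alice', 34, 72000.0], ['bob', 41, 58000.0], ['carol', 29, 91000.0]] as $row) {
        $insert->execute($row);
    }
    return $db;
}

// The post's sprintf() style, kept deliberately as written there: %d and %f
// coerce, so $age and $salary cannot carry SQL; %s is a plain substitution,
// so $name still can.
function sprintfQuery(PDO $db, string $name, $age, $salary): array
{
    $query = sprintf(
        "SELECT id, name FROM users WHERE name LIKE '%%%s%%' AND age > %d AND salary > %f ORDER BY name",
        $name, $age, $salary   // %f is locale dependent; %F always prints a '.' decimal point
    );
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN, 1);
}

// Bound parameters: the values never become part of the SQL text, whatever they contain.
function preparedQuery(PDO $db, string $name, int $age, float $salary): array
{
    $stmt = $db->prepare(
        'SELECT id, name FROM users WHERE name LIKE :pattern AND age > :age AND salary > :salary ORDER BY name'
    );
    $stmt->bindValue(':pattern', '%' . $name . '%', PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->bindValue(':salary', $salary); // PDO has no float type; the driver compares numerically
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
}

$db = seedDatabase();

// Constructed hostile inputs.
$hostileName = "' OR 1=1 OR name LIKE '";   // closes the LIKE literal and adds OR 1=1
$hostileAge  = '30 OR 1=1';                  // would widen the age test if substituted as-is

print_r(sprintfQuery($db, $hostileName, 30, 1000.0));  // %s passes the quote straight through
print_r(sprintfQuery($db, 'a', $hostileAge, 1000.0));  // %d reduces the string to its leading integer
print_r(preparedQuery($db, $hostileName, 30, 1000.0)); // the whole string is matched as a literal pattern
```

The first call returns every user, because OR 1=1 became part of the WHERE clause; the second returns only the users matching 'a' and older than 30, because %d threw away everything after the 30; the third returns nothing, because the bound pattern was compared literally. The one thing binding does not do is neutralise the LIKE wildcards % and _ inside $name, which need an ESCAPE clause if they matter to you.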

Simple additions to your coding toolkit, tons and tons of enhancements to your skillset. Please, code responsibly.

AJAX : It’s not just for cleaning anymore…

There’s a new or, rather, old programming language.. wait.. language? Hrm.. mixture of concepts is more like it. Anyways, there’s this new way of doing things on the web. It’s called AJAX, which is an acronym for Asynchronous JavaScript and XML. Based on the XMLHttpRequest object, it allows a web programmer to transfer information between the server and the web browser without requiring a complete reload of the web page. Pretty nifty stuff.

Dubbed Web 2.0, this “new” technology is revolutionizing the way users interact with the web. More than a mere buzzword, AJAX is sweeping the web and offering up some very powerful web applications. Gmail has been using AJAX for a while now. AJAX, combined with DHTML, allows you to “build” your Google homepage, and allows that same page to be updated on the fly without reloading the entire page. More recently, sites such as Netvibes, Pageflakes, and Eskobo offer “Web Desktops”. Other sites such as Yahoo Maps and Google Local offer web based mapping software without the arrow clicking and page reloading.

I’ve purchased a book on AJAX to enhance my own knowledge of this powerful web development tool. It’s definitely an intriguing concept and it seems simple enough up front, but extremely powerful when you get deep into it. Stay tuned for more!!!

Phew! There’s a backup!

Network management is a field I’ve been in for the past few years. In addition to making sure that packets get from point A to point B in the most efficient manner, I’ve also had to deal with network failures and disaster recovery. Essential to the disaster recovery scenario is the concept of backups. We’ve all heard of backing up the files on your computer, and backing up the servers, and storing them off-site, etc. But sometimes people overlook other backups that need to be handled. Namely, network device configuration backups. It really sucks when you realize that the smoking router in the corner has the only copy of the configuration you need to get the network back up…

I’ve written a bunch of code in the past to handle backing up a bunch of different types of equipment, and I’ve decided to make it open source. This new project will be hosted at SourceForge, and there is a link to the project page in the links section of this blog.

The initial code release will take a little bit to put together, but I’m hoping to have an alpha release within a month or so. It’s all written in object-oriented Perl, a language I find fun to code in. I hope someone out there finds this useful. I know I spent quite a bit of time looking for a solution like this, and was sadly disappointed that I did not find one…

Review : SOCOM: U.S. Navy SEALs Fireteam Bravo (PSP)

Anticipation : 7
Expectation : 6
Initial Reaction : 9
Overall : 9
Genre : First/Third-Person Tactical Shooter

About a year ago or so I tried out SOCOM for the PS2. The game was simply incredible. But, I never purchased it for PS2. Basically, I just don’t have time to play my consoles.. :( Flash forward to today! PSP.. Best thing ever. I get to play games now! :)

Anyways, back to the review. I wasn’t really looking to get this title. It was on my wish list, but only as an interest. Not really a “must have” title. I received it for Christmas and it’s been sitting around since then, waiting for me to open it. (Lots of GTA:LCS play lately) … Well, I took the plunge the other day and I must say, I’m quite impressed. First person shooters on consoles aren’t really my thing. I prefer a mouse and a keyboard. Quick reflexes, ability to spin quickly, etc. But, with a tactical shooter, it’s a little different. It’s definitely a slower pace, so the need to spin around isn’t as prevalent. I wish the reticle in sniper mode moved a little faster, but I can live with it the way it is..

Overall I’m pretty happy with the game. The graphics are excellent, the gameplay is smooth, and online play is actually a lot of fun.

Speaking of online play. THANK YOU ZIPPER! WPA support. *phew* I didn’t think WPA support was something that was that difficult, and it bothers me greatly that it’s not included in Madden ’06.

Look, I’m a programmer, and as a programmer, I tend to look at things a little differently. I understand the technical challenges that game developers have to overcome, and I understand why some features work the way they do. But, for the life of me, I cannot figure out why Madden does not support WPA. Let’s look at this from an API/framework view. I’m Sony, and I have an API for my PSP. My API has basic features, and an entire network featureset. I include some hooks to make it easier to deal with the network stuff. For instance, I may have a “startnetwork()” routine. I probably have a “senddata()” routine, and so on. In version 1.0, I have support for wireless, and just WEP at the moment. Of course, I’m all about future upgrades, so when 2.0 comes out and I support WPA, I build that into the existing commands, letting all the existing software take advantage of it. Right? Well, maybe. Unfortunately, I don’t have access to the PSP’s API, but it makes sense. So why doesn’t Madden support WPA? Good question.. :(

But, SOCOM does. So that’s at least one game I can play at home on my WPA protected network. Madden, no. (Not that it matters, EA has my copy of Madden at the moment. Hopefully they send me a “fixed” version soon)

Overall I think SOCOM is pretty decent and I’d definitely recommend it. I’m pretty impressed so far, and I’m definitely willing to continue playing it!

21-10

OK, so it’s not a tech post. But I have to post. I’m pretty impressed and fairly proud. Pittsburgh Steelers. 21-10 over the Seahawks. Not my team, but still. They looked great all season and were just awesome in the big game. Randle El’s touchdown pass was simply incredible. All in all, an awesome game. And for the most part, it was actually close..

Congratulations Pittsburgh! Live it up! Next year it’s my turn! :)

phpTodo 0.6 Released!

I released version 0.6 of phpTodo last night. There were some minor bugfixes, nothing major though.

Added to this release were a few new fields in the database to track creation date, and last modified dates. Future releases may utilize these fields more, but at the moment they’re only being used for the sort stabilizer.. The task modify code was updated to deal with these 2 new fields. Each time a record is created, the create_date field is populated. Every change updates the last_modified field.

Which brings me to another feature I added. I noticed that if you sort by priority, status, or anything other than subject, the entries shifted when you reloaded the page. My initial thought was to just add a behind the scenes secondary sort on id. I changed my mind and decided to give that choice to the user. So, on the preferences screen, the user can choose what field to sort on. This is set to task ID by default.

At this point the program is pretty much feature complete. I’m adding in WML support before the 1.0 release, but that’s about it. Besides bugfixes, of course.

After the 1.0 release, I have some bigger plans. I read a book by David Allen about todo lists and handling tasks.. Really enlightening stuff. Basically, the idea is to process everything in your inbox (anything you need to do), and determine what the next action is. At that point, you file it away based on when it needs to be done. There’s obviously a lot more to it, and if you’re interested, you can find his book on Amazon.

Based on what I learned, I’m planning on adding a number of features to phpTodo. First, I plan on adding an email module. This will allow the user to email todo items to their list. I’ll be adding some sort of authentication schema to it to ensure the item goes to the correct list. That has yet to be worked out.

I’m also looking at updating the main screen. I’ll break it up a bit to become a dashboard of sorts like the personalized Google homepage. Essentially, there will be an inbox which will consist of un-sorted todo items, an interface to quickly go through those items, the main todo list, and a calendar with appointments.

Since I’m adding a calendar, I want to also add a tickler module that can send reminders via email, sms, IM, etc. The user can choose the method(s) they want to be notified by and the system will alert them when the time comes.

I also want to add group todo lists. In essence, another user that will “share” their list with other users. This will, I believe, add more project management capabilities. Anyone can add a todo list item, and anyone else can take it and work on it. Possibly some sort of notification feature to update all users regarding those items.

Overall, I think this project is working out pretty well. I’ve learned a lot about php programming and I’m working on solidifying my coding style. It’s helped me a lot with the coding I’ve been doing for work. I’ve put together a complete database system, DSL tools, and the like. Good stuff that I seem to be getting some decent praise for.. :)

You can download the latest version of phpTodo from the phpTodo SourceForge page.

Firefox turns to the dark side?

I noticed an article over on Slashdot about a new attribute, ping, that Firefox handles. That is, the development version of Firefox. This isn’t your standard network ICMP Echo Request, but rather an HTTP request designed to track a user’s movements.

OK, OK.. Stop screaming about privacy and security. I’ve thought about this a bit and I think Firefox is doing the right thing. The intention, as far as I’ve been able to tell, is to actually put more control into the user’s hands.

Let me explain how this “feature” works. There’s a small writeup on the Mozilla Blog that you can read as well. Tracking the browsing habits of a user is actually fairly harmless, at least in my opinion. The idea is to get feedback about what a user at that site likes to see. Do more people click on links to cartoons? Or perhaps to political information? It’s all about creating websites that people want to see.

So, Joe User goes to a website. There he sees a link for a new type of fusion rocket. He’s interested, so he clicks the link. Nowadays, tracking happens one of two general ways. The easy one is that the “real” destination is wrapped up and appended to a link to a tracking site. These links usually have the real destination URL in plain text, but some sites obfuscate the URL so the user can’t bypass the tracking. The other method is to use javascript to change the URL after the user clicks on the link. The user never sees this happen, so, in a way, it’s even worse from a privacy perspective.

Either method then directs the user to the tracking site, which tracks the request (and could, by the way, take advantage of any exploits that may exist), and then redirects you to the real site. This takes time, and the user is generally left sitting there with a blank screen.

The ping attribute, on the other hand, is much nicer. The owner of the website uses the ping attribute to specify tracking urls. When the user clicks on a link, the browser goes directly to the intended site, and then “pings” the tracking sites in the background. This means that there are no redirects, and no “trickery” to get the user tracking info. It all happens in the background, and that’s where all the privacy concerns come from. But, according to the spec, the browser is intended to have controls to allow a user to decide how the pings are handled. A user can choose to disable them completely, or enable them for some sites, etc.

Currently, the development version of Firefox has the bare minimum. That is, it sees and obeys the ping attribute, but there are no fancy GUI interfaces to change settings. Of course, this is the DEVELOPMENT version! They have to start somewhere. It’s not like these new features get a complete GUI, implementation, etc the moment they’re added. This stuff takes time! And it’s enabled by default! Light the torches! Stone the oppressors!

Seriously though, I feel confident, based on their past record, that the creators of Firefox will get this right. Sure, it’s enabled by default. But so is Javascript. The “correct” path is not always clear cut. If a feature is disabled by default, the chances of it ever getting enabled are slim. Most users just don’t know how! So, enabling it by default, and then popping up a message stating that the feature is active, here’s how to disable it, etc. is the right thing to do. I’m actually interested in this feature because it will allow the web, at large, to remove some of the trickery currently used to track users. It will allow this information to be up front and not hidden, and I think it will allow the end user greater control over their own security and privacy.