If you think it’s easy to deal with RSS read this:
inessential.com: Brian’s Stupid Feed Tricks.
It reminds me so much about handling StUF.
–jeroen
Archive for the ‘JavaScript’ Category
inessential.com: Brian’s Stupid Feed Tricks
Posted by jpluimers on 2013/03/20
Posted in Development, HTML, HTML5, JavaScript, SOAP/WebServices, Software Development, StUF, Web Development | Leave a Comment »
Great session on how to prevent SQL Injection Myths and Fallacies
Posted by jpluimers on 2012/08/15
A few weeks ago, Bill Karwin did a must watch webinar on the prevention SQL Injection titled ”SQL Injection Myths and Fallacies“.
Bill Karwin (twitter, new blog, old blog, Amazon) is famous for much work in the SQL database community, including InterBase/Firebird, mySQL, Oracle and many more.
He also:
- was product manager of InterBase (its screaming multi-generational database architecture - invented in the 80s by Jim Starkey, based on immutability now far more widespread and called MultiVersion Concurrency Control - still baffles many people)
- worked on Firebird
- is author of the book The Pragmatic Bookshelf | SQL Antipatterns: Avoiding the Pitfalls of Database Programmings, available on Amazon.
- is autohor of IBPerl
- is frequent answerer on many SQL related forums and QA sites, for instance Bill on StackOverflow
Anyway, his webinar is awesome. Be sure to get the slides, watch the replay, and read the questions follow up.
Watching it you’ll get a better understanding of defending against SQL injection.
A few very valuable points he made: Read the rest of this entry »
Posted in Delphi, .NET, InterBase, Software Development, Development, Database Development, C#, Prism, Firebird, SQL Server, Visual Studio and tools, C# 2.0, C# 3.0, CommandLine, Java, VBS, ASP.NET, Web Development, JavaScript, History, C# 4.0, WPF, LINQ, PowerShell, Delphi for PHP, xCode/Mac/iPad/iPhone/iOS/cocoa, Scripting, Batch-Files, SQL, Cloud Development, Windows Azure, Visual Studio 2005, Visual Studio 2008, Visual Studio 2010, VB.NET, PHP, MEF, EF Entity Framework, SilverLight, LLBLGen, SharePoint, Mobile Development, COBOL, iSeries, FireMonkey, WinForms, SQL Server 2008, XAML, Delphi x64, SQL Server 2000, Delphi XE2, JavaScript/ECMAScript, SQL Server 2005, SQL Server 2008 R2, SQL Server 7, SQL Server 2012, PowerShell, Microsoft Surface, Jet OLE DB, .NET 4.5, C# 5.0, Visual Studio 11, C# 1.0, F#, C++, Visual Studio 2003, Visual Studio 2002, .NET 3.5 | 1 Comment »
Paros Proxy | TestingSecurity.com
Posted by jpluimers on 2012/07/18
On the research list as it seems a lot wider than HTTP Fiddler:
Paros is a valuable testing tool for your security and vulnerability testing. Paros can be used to spider/crawl your entire site, and then execute canned vulnerability scanner tests. But Paros goes beyond that, it comes with a built in utility that can proxy traffic. This Paros Proxy utility can be used to tamper or manipulate any http or https traffic on the fly. This makes some of the more interesting security types of testing. It will help you isolate potential area’s of security concern and then manual attempt to perform the type of testing you desire.
Paros also comes with a built in Session ID analyzer. It will display a graph of all the types of Session ID’s it has been presented with using a multiple threaded session initiator. You then can determine if the graph appears random enough for the Session ID. It is a pretty unique and interesting tool to use. Although typically most developers will rely upon another technology tomcat, apache, or some other application to generate Session ID’s. This is not always the case and as such a Session ID analysis should be performed. Sometimes the Session ID will not be randomized enough and the hash used to create the Session ID is easily predictable.
Paros also comes with a built in Fuzzer. You will need to generate your own Fuzzer library to use the Fuzzer, but it will perform all the fuzzing for you.
–jeroen
Posted in Development, HTML, Java, JavaScript, Scripting, SOAP/WebServices, Software Development, Web Development | 2 Comments »
Many more web platforms vulnerable to the hash collision attack (not only ASP.NET) #28C3 @hashDoS #hashDoS @ccc
Posted by jpluimers on 2011/12/29
When writing my Patch your ASP.NET servers ASAP early this morning, I didn’t have time to research the full extend of the vulnerabilities published at 28C3 (slides, mp4), though a small bell was ringing a message that I had seen something like it before earlier this century.
I was right, this posting on perlmonks direct me to a /. posting in 2003 pointing me to the research paper on low-bandwidth attacks based on hash collisions (pdf version) that I had seen before. Perl 5.8.1 fixed it September 2003 (search for “hash” in that link).
The attack can be used for DoS because a normal distributed hash table insert of n elements will be running O(n), but a carefully crafted insert of those elements will run O(n^2).
Carefully crafting a worst case scenario depends on how well you can predict collisions in the underlying hash table implementation, which - apparently - is not too difficult, and requires little bandwidth.
Many platforms and languages are vulnerable, including those based on Java, Tomcat, .NET, Ruby, PHP and more in greater or lesser extent. I have the impression that the list only includes big names, but presume platforms based on smaller names (ASP, Delphi, Objective C) are equally vulnerable.
Just read the articles on CERT 903934, oCERT 2011-003, Arstechnica, Cryptanalysis.eu, Heise (German), Hackillusion and the research paper published at 28C3.
a few quotes:
“This attack is mostly independent of the underlying Web application and just relies on a common fact of how Web application servers typically work,” the team wrote, noting that such attacks would force Web application servers “to use 99% of CPU for several minutes to hours for a single HTTP request.”
“Prior to going public, Klink and Wälde contacted vendors and developer groups such as PHP, Oracle, Python, Ruby, Google, and Microsoft. The researchers noted that the Ruby security team and Tomcat have already released fixes, and that “Oracle has decided there is nothing that needs to be fixed within Java itself, but will release an updated version of Glassfish in a future CPU (critical patch update).”
“The algorithmic complexity of inserting n elements into the
table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request”“We show that PHP 5, Java, ASP.NET as well as v8 are fully vulnerable to this issue and PHP 4,
Python and Ruby are partially vulnerable, depending on version or whether the server
running the code is a 32 bit or 64 bit machine.”
Microsoft seems to have been notified pretty late in the cycle, I presume because the researchers started with a some platforms and finally realized the breath of platforms involved.
The ultimate solution is to patch/fix the platforms using for instance a randomized hash function a.k.a. universal hashing.
Microsoft will provide a patch for ASP.NET later today, Ruby already patched and other vendors will soon or have already (please comment if you know of other platforms and patches).
The links this morning indicated there were no known attacks. That is (maybe was) true for ASP.NET, but for PHP a public proof of concept of such a DoS is has been published by Krzysztof Kotowicz (blog) with sources at github and a demo html page.
Temporary workarounds (based on the some of the links in this and the prior blog post, and the workarounds mentioned here and here):
- If you can: replace hash tables by more applicable data structures
(I know this falls in the for-if anti-pattern category, but lots of people still use a hammer when a different tool works much better) - Limit the request size
- Limit the maximum number of entries in the hash table
- Limit form requests only for sites/servers/etc that need it.
- Limit the CPU time that a request can use
- Filter out requests with large number of form entries
Some platforms already have applied temporary workarounds (I know of Tomcat (default max 10000 parameters), and PHP (default max_input_vars = 1000) did, and looks like the ASP.NET fix will do too).
Other platforms (like JRuby 1.6.5.1, CRuby 1.8.7 (comments) and Perl 5.8.1 in September 2003 ) fixed it the proper way.
Note: workarounds are temporary measures that will also deny legitimate requests. The only solution is to apply a fix or patch.
A major lesson learned today for a few people around me: when vendors start publishing “out of band” updates, do not trust a single 3rd party assessment with state “initial investigation”, but be diligent and do some further research.
–jeroen
PS: Just found out that most Azure users won’t need to manually apply a fix: just make sure your Hosted Service OS servicing policy is set to “Auto”.
Posted in .NET, ASP.NET, C#, Delphi, Development, Java, JavaScript, PHP, Scripting, Software Development, Web Development, Windows Azure | 5 Comments »
