XSS Browser Filter Mitigation

I’ve recently become interested in XSS, or Cross Site Scripting, which is the process of executing arbitrary JavaScript on a website. It’s fairly simple and is interesting if you try it on websites you visit as a habit. This however got fairly boring fairly quickly as there are XSS vulnerabilities everywhere; I found one in the Bank of Queensland’s website (which is now gone sadly). Because of the prevalence of XSS vulnerabilities, browsers such as Chrome, Safari and Internet Explorer have started protecting users against these attacks. This link: translate XSS will not work in Chrome, Safari or Internet Explorer but it will work in Firefox. This has led me to an interesting topic, XSS Browser Filter Mitigation. That’s the process of executing arbitrary JavaScript despite the browser protection.

There are some well known bypasses for Chrome (and Safari). These include executing JavaScript when you have control over two variables: From There is an example on my own website: here. That link spreads the XSS attack over the variables a and b, completely removing the protection of Chrome and Safari. However, Internet Explorer protects against this. Another attack on Chrome’s protection is by using its HTML cleanup to execute JavaScript: From Another example is on my website: here. However, Internet Explorer still defeats it.

These general attacks are extremely cool and much kudos to the people who discovered them. I’ve been looking at specific attacks which get round these filters. By specific I mean they only target specific websites. So how does one get around XSS filtering? The thing I realised (someone may have helped me realise this, I don’t know/can’t remember) is that if any data undergoes translation from input to output then the browser can’t protect against it, as the browser can’t be aware of the translation that it undergoes. This isn’t exactly amazing or groundbreaking but it is interesting. The very first thing I tried was to get an XSS attack working for Chrome on http://www.motobit.com/util/base64-decoder-encoder.asp The first step was to encode the attack into a base64 string. </textarea><script>alert('hi')</script> gets encoded to PC90ZXh0YXJlYT48c2NyaXB0PmFsZXJ0KCdoaScpPC9zY3JpcHQ+ If you decode that string you will get an alert saying hi. So success! (Auto submit)

I’ve found interesting vulnerabilities since discovering this. This includes a pig latin translator and other translators. Converters are generally vulnerable. However one particular specific attack made me very amused. It uses an SQL injection vulnerability (and yes, if your website has an SQL injection vulnerability in it then you have a lot more problems than arbitrary JavaScript execution). The attack is against MoreRFID.com and it selects a hexstring and dumps it to the page. The link is here (remember kids, data theft is illegal).

I like these attacks because they firmly place the responsibility of protecting the page back on the web developer. Browser filtering should not be an excuse for poor security. If you are a web developer who takes data and manipulates it in some way you need to be aware of these types of attacks and always escape your output.
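The decoder-page case described above, as an added example that is not from the original post: the same base64 string is rendered once as-is and once with output escaping, next to a deliberately simplified model of a reflection-based browser filter. The function names and the filter model are assumptions made for illustration; the sample string is the one quoted in the post.

```javascript
// Added example: a base64 decoder page rendered unsafely and with escaping.
// All function names are hypothetical.

// The encoded string quoted in the post.
const SAMPLE = 'PC90ZXh0YXJlYT48c2NyaXB0PmFsZXJ0KCdoaScpPC9zY3JpcHQ+';

// Decode the submitted value the way a decoder page would.
function decodeInput(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the decoded text is written into the page unchanged.
function renderUnsafe(b64) {
  return '<textarea>' + decodeInput(b64) + '</textarea>';
}

// Hardened: the decoded text is escaped at the point of output.
function renderSafe(b64) {
  return '<textarea>' + escapeHtml(decodeInput(b64)) + '</textarea>';
}

// Simplified model (an assumption) of a reflection-based filter: it flags a
// response only when a script block in it also appears verbatim in the request.
function filterWouldFlag(requestValue, responseHtml) {
  const scripts = responseHtml.match(/<script[\s\S]*?<\/script>/gi) || [];
  return scripts.some((s) => requestValue.includes(s));
}

// Compare a plain echo page with the decoder page for the same markup.
function demo() {
  const decoded = decodeInput(SAMPLE);
  return {
    // Plain echo: the request carries the markup itself, so the model sees it.
    echoFlagged: filterWouldFlag(decoded, '<textarea>' + decoded + '</textarea>'),
    // Decoder: the request carries only base64, so nothing matches.
    decoderFlagged: filterWouldFlag(SAMPLE, renderUnsafe(SAMPLE)),
    // Escaped output contains no script element at all.
    safeHtml: renderSafe(SAMPLE),
  };
}

console.log(demo());
```

The escaped rendering is safe no matter which browser loads the page, because the decoded text can no longer close the textarea or open a script element.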


Starcraft

I’ve been playing Starcraft 2 recently. It’s a pretty cool RTS. I’m pretty bad at it. But I have fun which is pretty much why I play games. However I have more fun when I win than when I lose. It’s a little bit stupid really but I can get unreasonably angry at losing. I don’t feel it’s that beneficial at all to me so I try not to. My response now is generally to GG (good game) and leave which actually tends to break my anger. I try this because there is one reason why I lost. I played worse than my opponent. It may be that I get cheesed but I didn’t scout it. It may be that my opponent went mass air but I went ground attacking units only. Regardless. It’s silly and stupid to get angry at the other person. It’s silly to be angry at myself when that won’t help me get any better and it certainly won’t help me enjoy the game. What’s really weird is that I don’t tend to get this angry in real life unless it’s about issues I find extremely concerning, namely people wanting to stop two loving people getting married. I don’t really consider Starcraft worth getting angry over. Yet it is so compelling that I seem unable to help it sometimes.

I find the most compelling aspect of Starcraft to be the meta game. Starcraft has 3 races, each race has vastly different units and vastly different mechanics. What this means is that a huge amount of complexity arises, no game is the same. It’s hard to communicate how much this contributes to my enjoyment of the game but I’ll try to explain with an example. If you’ve ever played a card game you get given a random hand to begin with. This is what introduces complexity into the game. However it also doesn’t appear to be very fair. You could be dealt a very bad hand and auto-lose or you could be dealt an extremely good hand and win. With Starcraft you don’t have randomness being used to give you your hand. You get given your hand and told to play the cards in any order you like. What’s great is the way everything can diverge. Given the number of possible configurations there are still unexplored realms of the game. Every so often a jump is made as people realise that playing cards in a certain order yields better results than what currently happens. It’s this evolutionary nature of the game that is brilliant.

Yet is the meta game reason enough to get angry? Not really. However all this talk of meta game makes me think of another question. Is getting angry reason enough to get angry at me being angry? Not really. The response that I should have to anger is inquiry. Why am I angry, does my anger bring me any benefit, should I make a blog post about it? Through this process of inquiry I find myself often becoming less angry because I realise being angry isn’t going to get me the result I want. Instead it makes me commit mistakes that often drive me from the result I want. I’ve actually found myself getting less angry in general after thinking about this. When I was younger I used to get really angry during those team building exercises you have on camps. In fact, most people got angry during them. There was no team building and a lot of friendship ruining. Which is stupid right? I don’t know when but I made a decision that I was going to have fun no matter what during those exercises. Every time our group made a mistake I’d try and have a very bad joke that took the edge off it. Suddenly no matter how badly our team was doing we were enjoying ourselves a lot more. And I noticed we tended to do a lot better, we were alright to try something, make a mistake, and get back into trying to solve the problem.

I wish to leave you today with two quotes. One from one of my favourite Starcraft 2 casters, Day[9], who you should check out on YouTube: ‘When people tell me that life sucks I no longer believe them, I say “you’re being silly. Life is fantastic”’ I disagree with this quote as I think life does suck for a lot of people. But it doesn’t suck for me. Why should I get angry when my life is so undeservedly good?

The other quote is from a book. It’s all about rationality. It’s called Harry Potter and the Methods of Rationality. This quote hasn’t made me stop thinking for quite a while.

“he’d found it tremendously amusing that the great and good Albus Dumbledore had been sitting there doing nothing as this poor innocent girl begged for help, while he had been the one to defend her. And he told me then that by the time good and moral people were done tying themselves up in knots, what they usually did was nothing; or, if they did act, you could hardly tell them apart from the people called bad. Whereas he could help innocent girls any time he felt like it, because he wasn’t a good person. And that I ought to remember that, any time I considered growing up to be good.”

Which can interestingly be considered a slightly more focused exploration of a previous quote from the book “if I always waited for perfect information before I acted, I would never do anything.”

I think the last quote says a lot about making decisions, it says a lot about the differences between being good or bad and it says a lot about the difference between a good action and a good person.

Also, watch this.


Stealing Someone’s Idea for Blogging in a Word

Plagiarism

 

Thanks to Beth (http://argonescence.wordpress.com) and Luke (“Plagiarism is fun”)


Or is that the other way round?

Regardless. I’m slightly irritated and here’s why.

Today I went into my mother’s work to help her with her website. She is a primary school teacher in a primary school. Naturally this means she has next to no money to make this site on. However the DET provides the hosting which is good. Her website actually looks quite nice for something designed in Expression Web. She has put a lot of work into it but kept coming up wrong when she tried to implement a contact us page. This sort of page is a very simple job, you can use a wide range of server side languages to get it to work, my weapon of choice is PHP. Astute readers will have already picked the main problem out now however I will dwell briefly on a contributing factor to my rage.

Firstly the Teacher accounts aren’t administrators. This sucks fairly badly. I had to go ‘get’ the admin account to install anything, which I needed to do to give me some essential programs. Worse still is the highly restrictive environment not related to administrator privileges but still applied to teachers. They don’t have a run box, they don’t have cmd. Though they do have PowerShell but I’ve never used that so oh well. They also don’t have access to their own desktop. You can’t actually copy files to the desktop. I was not impressed. The DET is stupid.

That was the ‘minor’ problem. The major problem is the server. I came in expecting to write some PHP and leave. About half an hour later it became clear the server doesn’t appear to run PHP or Python, or even asp{x}{.net} (which I don’t actually know how to use but I ran through some tutorials to get a bit of an idea about how it worked. So yay for new language, boo for the most useless language I have ever learnt). So the server doesn’t have any server side languages. This was so irritating, but being resourceful I decided to contact someone to find out how to get it installed. Well. I went to www.schools.nsw.edu.au to find out how to contact someone. Their contact us page is useless. The only thing close to general enquiries was the head office contact number. So I decided to call them. 5 minutes later someone picked up. So I let them know what I want and they go ‘not our problem, let me send you to the IT guys in North Ryde’. Which is fair enough, kind of what I expected. So I get onto the receptionist in North Ryde. She was completely useless, which is not what I wanted from the IT guys. I explained what I needed and she said, ‘Do you know someone here?’ I said no. She said ‘I can’t make introductions, you need to know somebody.’ At this point I was thoroughly confused, I had got transferred to a brick wall, the reason I was calling them was because I didn’t have a good idea of who specifically to call. Not to be stopped however I asked ‘Then how do teachers ever find out the information they need?’ Fair enough question really. So she goes ‘Oh you’re a teacher? I can just forward you to the help desk.’ I will take this opportunity to deny that the dent in the plaster wall that fits my head shape was actually caused by me. Anyway an interactive menu system later I got onto some guy. I asked if he could find out how to get PHP onto the server. So he said sure, we’ll call you back after it’s solved. Cheerful but not what I wanted. Stupid, stupid bureaucracy.

So that was sucky. But it gets worse. They sent my mum an email. It said. ISSUE RESOLVED: There is no PHP on the server. Thank you so much DET. You make life worth living. Anyway, I wasn’t beaten yet. I mentioned we could get some cheap hosting and make a form submission page which would redirect back to the original website. My mum said “But <some other school> can do it” So I decided to email them. And guess what. They were doing it the way I came up with to solve the problem.

So basically. In summary: The DET is useless. The hacky solution is hacky (and to be honest, a great (fairly mediocre) business idea. $10 bucks a year for a submission handler. You could get every school in Australia) Then my mood improved because some girl had a birthday and had brought chocolate crackles so heck yes. Then my mum paid me. I don’t know why, I was taking the day off work anyway to do some study, I certainly wasn’t expecting it. But it was very nice of her.

One final thing on the DET setup. They have Square monitors…. Which makes no sense, our eyes are horizontal, we see things horizontally, hence horizontal monitors. Sure they cost a bit more but they lead to increased productivity and are ergonomic. And for the love of whatever you hold most sacred. Please install google chrome. It actually works -_- -end rant.


Wix, Bane of my existence

As of November last year I began working at an IT security company as a programmer, needless to say at the start I was very overwhelmed by both the work and the culture. It was so jarring compared to High school. No-one was breathing down your neck, you could go to lunch whenever you felt hungry – basically you were free. It was very jarring and slightly odd.

However the culture was not a large issue as I enjoyed it a lot more than school, the real problem was the work. Throughout high school I’ve programmed hundreds of tiny, and several large, projects. They were normally entirely programmed by me with no thought as to programming style or any sort of success metric to evaluate them. The largest program I had coded had been a prefect voting system that had been rushed together in two weeks and only works by magic and super glue.  This was a massive contrast to being asked to write an installer in a language I didn’t know for a program I hadn’t written. It was quite daunting.

The language I didn’t know had a name: Wix. A name which should put the fear of god into anyone. I may be over dramatising but finding good information on Wix is like finding a needle in a haystack. After you find it, it’s still only a needle. The main point being, it’s very hard and very tiresome to get Wix to do what you want it to do. There is lots of tiny stuff like setting GUIDs for each version of the installer so that you can update without issue. However one thing eluded me. A 64 bit switch.

To explain what this is, the program I had to write the installer for had 32 and 64 bit versions. Don’t worry about what makes them different, the important thing is that they are. This meant that every time I wanted a new installer I had to rename everything for 64 bit and then for 32 bit. Futile searches on the internet turned up nothing, it wasn’t that no-one had done this before, the information just wasn’t there. Till today.

Wix is a markup language. This means it uses English words to describe data. So an easy example is writing a markup language for a database of books. It would look like this:

<Author Name = "Diana Wynne Jones">
<Book name = "Howl’s Moving Castle"/>
<Book name = "Archer’s Goon"/>
<Book name = "Charmed Life"/>
</Author>

The Author descriptors tell you that any books in the following bits of data are written by the same Author. It is possible to extend this so that the Book descriptors contain more information perhaps the year of publishing or ISBN. The main point is that it is very static. It’s all about hard coding data in. The Name Diana Wynne Jones will never mean anything different. It’s why webpages used to be static, they were all hard coded and static pieces of data, they are now more active due to new, non-static languages. This makes it difficult to write flexible or conditional code in your program.

Today I found out how to do that. Warning. If you’ve found the beginning dull it will only get worse. In Wix you have a descriptor that looks like this:

<?define XXX = YYY ?>

So an example is:

<?define Win64 = "no" ?>

An interesting thing to note is that this value is still hard coded, even though it is a variable it would be better described as a constant. It turns out there are several other <? .. ?>  descriptors in Wix. The ones of the most use are if, else and endif

The way to use them is such:

<?define Win64 = "no" ?>
<!-- code setting up features and directories -->
<?if $(var.Win64) = "no" ?>
<File Id='dll32' Name='program32.dll' />
<?else ?>
<File Id='dll64' Name='program64.dll' />
<?endif ?>

This means that instead of changing the file name every time you can simply change the variable to a yes or no. This was brilliant.

Also in case you were wondering I haven’t been working on the Installer for three months. I’ve been doing other stuff as well, which I have enjoyed immensely and has really stepped up my programming knowledge and skills.

However if I’m _ever_ asked to write an installer with a dialogue box I will be forced to kill everyone. Those things look disgusting.

See you in 2 months! (which is when I’ll next write a blog post if the past is anything to go on)


NYE blog post.

This post is of entirely my own volition and Beth did not in any way force me to do this.

Skype-ing with friends in New Zealand is fun 🙂 Especially if you play certain Skype games with them. Also Robert can’t feed chocolate to anyone. Anyone at all. Also watching the Doctor Who special at NYE is a brilliant thing to do.

Some resolutions:

  • Don’t commit genocide.
  • Finish GEB
  • Increase my powers of rationality
  • Get Beth drunk
In reverse priority
w00t


Thoughts

It’s been a while but now I have a physics exam on Thursday so now seems like a good time to make a blog post. It’s going to be a little collection of thoughts I’ve had recently.

The first is the projection fallacy. I have no idea if this is a) technically a fallacy or b) one that I’ve thought of and that no-one else has. It seems fairly common. Anyway the projection fallacy to my mind works like this. You treat everyone you meet as yourself in a different context which leads to false predictions about their behaviour. An example of this happened whilst playing a game of celebrity heads, the celebrity was extremely hard yet the kid who was playing got it almost immediately. This led another student to accuse the kid that he had simply looked over his shoulder. What was interesting to note was that the kid himself hadn’t looked over his shoulder at any point (I know this because I’m creepy like that). I then accused the accuser that he was simply saying what he would have done in that situation and that just because he would cheat didn’t mean he had to accuse everyone else of cheating. What amused me greatly was I basically did the same thing. I said to myself, in that scenario I would have accused the original kid as if I was playing the game. That’s like nested projectioning.

So how much does this make sense to you? Have you ever found yourself interpreting others’ actions and words as if they were simply you in a different context? If I notice myself doing this I try to stop. If I notice others doing it I try to see if it’s actually me thinking that I would be projectioning in that scenario. I find that having done this I can predict actions of people a lot better. If they aren’t all projections of me then I’m forced to think like them rather than thinking they think like me. Harder but more optimal.

Second thought. Hamlet/Shakespeare in general is a lot cooler when not studying it. It’s easier to appreciate someone’s skill when you aren’t being forced to. I spent most of English raging at the teachers for going over the top and most of the time lying through their teeth about meaning in texts. I now can think about Hamlet in a positive light, in the way I want to. Hamlet and Othello still have weird problems with time but it’s easier to ignore it and just enjoy the play. I have also come to a new opinion about Romeo and Juliet. I spent a fair bit of my time going ‘what the hell, this isn’t love!’ However I have come to the conclusion that this was intentional and you can see it across Shakespeare’s plays as a fairly unifying theme. That is, false love is a destroyer of everything.

Examples 1. Romeo and Juliet: Romeo and Juliet meet one night and then profess true love to each other. One of them pretends to commit suicide and then the other one commits it for real and then the original one commits it for real and the entire city goes to war. Possibly not the best summary ever but I think you can see that the love there wasn’t perhaps the most true of all and the end result was fairly bad

Example 2. Othello: Othello confesses that he truly loves Desdemona. He then kills her out of jealousy that could simply be overcome by asking her outright. Then Othello commits suicide.

Example 3. Hamlet: Hamlet loves Ophelia. Then treats her like an object. Gertrude apparently loves King Hamlet, yet jumps into the bed of Claudius straight after he gets murdered ‘With such dexterity to these incestuous sheets’ (disclaimer I didn’t check that quote) Ophelia commits suicide or becomes insane and dies because of that. Hamlet gets killed by Ophelia’s sister. Gertrude gets killed by Claudius and Hamlet kills Claudius

So I think that there may be a common theme here, firstly Shakespeare is a macabre character and secondly he has a slight thing against false love. I may be reading far too much into it. Something I hope never to do but is also possible. Whatever you think though, don’t think I’m trying to shove this down your throat. If you have a different opinion then you have a different opinion, let me seek to persuade you but never let me force you to choose something different.

Third thought. I’m legally allowed to vote and I don’t want to. Mainly because I think it’s stupid to vote in a system where the correct result is voted on by the most amount of people. If you took that seriously Obama would be a Muslim. The earth changed from being flat to being spherical once more people believed that. Just because most people believe it’s right doesn’t make it so. Imagine if scientific research was delegated to voting on it. Everyone could just vote on whether gravity was the best theory. It wouldn’t matter if it got the right result, they got it in the wrong way. Likewise with politics, politics is (should be) about serving the country’s best long term interests. In the case of Australia it appears to be, serve the short term interest so that the government can be re-elected next election. This is hopelessly foolish. The main problem I see is that most people don’t have a clue. That makes them easy targets to convince. You say a simple argument and you win their support, you point out a negative point about your opposition and you win their support. People vote for ‘Liberal’ or ‘Labor’, they don’t vote for policies. This is so irrational and confusing to me. In the words of Shakespeare ‘A rose by any other name would smell as sweet’. Who cares if you’re voting for a party called Liberal, Labor, the Shooter’s Party? It doesn’t matter what they are called. It matters what their policies are. I’d vote for the Hitler-Communism alliance party if the party had policies that were better than any of the other.

I’m sure I’ve thought more but whatever. Leave a comment if you have any thoughts yourself. I am confident that my loyal readers shall be able to pick apart exactly why I’m wrong. And Go!
