Saturday, 02 April 2011
LizaMoon–Injection and Cross Site Scripting attacks

Following the news on the LizaMoon injection attacks which have been publicised a lot in the press lately really made me want to find out more. Being a technically minded person I wanted to scrape past the general media version of what was happening and get down to what this means to people who run websites that might be vulnerable.

Reading posts on Stack Overflow, it seemed the same old vulnerabilities that have been around for a very long time were once again being exploited. Even though I have checked many sites I have worked on in the past, you can't help but wonder if there is anything you have forgotten. Security vulnerabilities in websites are not something you can say "yes, I fixed it" about; it's an ongoing battle (a bit like an arms race) where you have to keep up to date with the latest vulnerabilities.

One of the classic vulnerabilities I have seen exploited in such attacks is the classic query string SQL injection. Take for example the following URLs on a website.

readmessage.asp?messageid=234

or

readmessage.php?messageid=234

There is nothing wrong with the above URLs as long as what happens behind the scenes makes sure that whichever SQL database you are using, be it MySQL or MS SQL Server, is protected from bad input. Basically, you cannot trust any input you get from the web.

One of the things I like doing with the above type of input, before it ever reaches SQL, is to make sure the query string value I am being sent (in this case messageid) is what it is supposed to be. So in whatever language you are coding in, a very simple step is: if messageid is intended to be an integer, test that it really is one (digits only; no sign, spaces or letters) before using it. If it is not, you can either boot the user back to the page they came from or send them to a generic error page that says you could not understand what they wanted to do. Never display a detailed error message that divulges SQL statements, table names or lines of code; that is exactly the information an attacker uses to refine their payload.

If messageid is supposed to be a string, such as a GUID, test that every character used is in a whitelist of acceptable characters first: for example accept A-Z, a-z, 0-9 and - and reject everything else (better still, check that it matches the 8-4-4-4-12 GUID shape). Validation is only the first line of defence, though. HTML encoding the input before it is persisted does not protect the database at all; it is an output-side control for the browser (see the message board example below), and storing pre-encoded text tends to produce double-encoded "&amp;lt;" garbage later on. The fix that actually stops injection lives in the code that talks to SQL: use parameterised SQL statements, so that the value travels to the database as data, instead of building your SELECT, UPDATE or INSERT statements as strings.

Another method I have seen used (although I am not a fan of it), where no free text input is expected, is to literally remove words and symbols such as "update", "insert", "delete", ), ( and ' from the input. This can only be done where you definitely know these words are not intended as text values in a table field, and because it is a blacklist, anything it doesn't list (SQL comments, UNION, encoded characters) walks straight through. If not used properly it could backfire and you could end up losing data in sentences a user may have been innocently entering into a system.
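The readmessage.asp?messageid=234 case worked through in code, as an added example that is not part of the original post. It is written against an in-memory SQLite database so it runs offline; the table and column names, the helper names and the attack strings are assumptions constructed for the demonstration. It shows the string-concatenated query leaking a second table through a UNION, the validate-then-parameterise version rejecting the same input, and the keyword-stripping blacklist mangling an innocent sentence. The GUID check goes slightly beyond the post's character whitelist by also requiring the 8-4-4-4-12 shape.

```python
"""Added example (not code from the original post): query-string SQL injection
against an in-memory SQLite database. Table/column names, helper names and the
attack strings are assumptions constructed for this demonstration."""
import re
import sqlite3

# Digits only, no sign, no whitespace, bounded length.
_INT_RE = re.compile(r"[0-9]{1,9}")
# The post's whitelist (A-Z, a-z, 0-9, '-') tightened to the canonical GUID shape.
_GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def is_int_param(value: str) -> bool:
    """True only if the query-string value is a plain, bounded decimal integer."""
    return bool(_INT_RE.fullmatch(value))


def is_guid_param(value: str) -> bool:
    """True only if the value is a GUID made solely of whitelisted characters."""
    return bool(_GUID_RE.fullmatch(value))


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the messages table plus a users table an attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE messages (messageid INTEGER PRIMARY KEY, body TEXT);
        CREATE TABLE users (userid INTEGER PRIMARY KEY, password TEXT);
        INSERT INTO messages VALUES (234, 'How do I make green widgets?');
        INSERT INTO messages VALUES (235, 'Try painting blue ones.');
        INSERT INTO users VALUES (1, 'hunter2');
        """
    )
    return conn


def read_message_unsafe(conn: sqlite3.Connection, messageid: str) -> list:
    """The vulnerable pattern: the raw query-string value is glued into the SQL text."""
    sql = "SELECT messageid, body FROM messages WHERE messageid = " + messageid
    return conn.execute(sql).fetchall()


def read_message_safe(conn: sqlite3.Connection, messageid: str) -> list:
    """Validate first (reject, don't 'fix'), then bind the value as a parameter."""
    if not is_int_param(messageid):
        # The caller should answer with a generic error page, never the SQL.
        raise ValueError("messageid is not an integer")
    sql = "SELECT messageid, body FROM messages WHERE messageid = ?"
    return conn.execute(sql, (int(messageid),)).fetchall()


def safe_rejects(conn: sqlite3.Connection, messageid: str) -> bool:
    """True if the safe reader refuses the value instead of running a query."""
    try:
        read_message_safe(conn, messageid)
    except ValueError:
        return True
    return False


_BLACKLIST = re.compile(r"update|insert|delete|[()']", re.IGNORECASE)


def strip_sql_keywords(text: str) -> str:
    """The keyword-stripping approach the post warns about: it damages innocent text
    and still lets anything it does not list (UNION, comments) through."""
    return _BLACKLIST.sub("", text)


if __name__ == "__main__":
    db = make_db()
    print(read_message_unsafe(db, "234"))          # the normal request
    # Constructed attack: a UNION pulls the users table through the message page.
    payload = "0 UNION SELECT userid, password FROM users"
    print(read_message_unsafe(db, payload))        # leaks [(1, 'hunter2')]
    print(safe_rejects(db, payload))               # True: never reaches SQL
    print(read_message_safe(db, "234"))
    print(repr(strip_sql_keywords("Please update the delete date (ASAP)")))
```

The point of the parameterised version is not the extra validation but the `?` placeholder: the driver sends the value separately from the statement text, so even an unvalidated string could only ever be compared against messageid, never parsed as SQL. Validation is still worth doing because it lets you refuse nonsense early and log it.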

The other thing to remember is that just because the content went into the database safely doesn't mean it is safe when you display that same content back to the user. Take for example a message board that uses a SQL server to store its messages; it is pretty easy to parameterise what a user enters so that it is perfectly preserved in SQL. Let's say what they entered happened to be some JavaScript, and the JavaScript's purpose was to redirect the user to a malicious site. If you do not HTML encode the message board text when it is displayed in the user's browser, you are basically putting users that trust your site at risk (this is a stored, or persistent, cross site scripting attack). HTML encoding what you display ensures that the user sees the text of what is being presented and that the browser doesn't suddenly kick in and start executing the code it has been given. Remember that this applies to just about any text you display to the user, including the browser title tag, which may be something like this..

<title>Does anyone know how to make green widgets?</title>

The above, if not encoded, could quite easily be changed to the following by a malicious user posting on your message board.

<title>Does anyone</title><script>document.location='somesite'</script><title></title>

The code above would redirect every visitor who opened that thread to the attacker's site. Encoded, the same post renders as harmless text: the browser displays the characters and executes nothing.
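The title tag case rendered both ways, as an added example that is not part of the original post. It takes the article's malicious subject line and shows the unencoded output (which the browser would parse as a closed title plus a script), the HTML-encoded output, the same rule in an attribute context, and the double-encoding result you get if text was also encoded before it was stored. The function names and sample post are assumptions constructed for this demonstration.

```python
"""Added example (not code from the original post): rendering the message-board
<title> case with and without HTML encoding, plus the attribute context and the
double-encoding trap. Function names and the sample post are assumptions."""
from html import escape

# Constructed malicious post subject, taken from the article's example.
MALICIOUS_SUBJECT = "Does anyone</title><script>document.location='somesite'</script><title>"


def render_title_unencoded(subject: str) -> str:
    """Vulnerable: stored text is dropped straight into the page, so the
    browser closes <title> early and runs the script."""
    return "<title>" + subject + "</title>"


def render_title_encoded(subject: str) -> str:
    """Safe: every character that means something to the HTML parser
    (< > & " ') becomes an entity, so the browser only ever shows text."""
    return "<title>" + escape(subject, quote=True) + "</title>"


def render_attribute(value: str) -> str:
    """Same rule in an attribute context: quote=True also encodes " and ' so
    a value like  x" onmouseover="...  cannot close the attribute early."""
    return '<input type="text" name="subject" value="' + escape(value, quote=True) + '">'


def render_title_double_encoded(subject: str) -> str:
    """What you get if text was encoded on the way in AND on the way out:
    the user sees '&amp;lt;' instead of '<'. Encode once, at output time."""
    stored = escape(subject, quote=True)          # encoded before persisting
    return "<title>" + escape(stored, quote=True) + "</title>"


def tag_count(rendered: str) -> int:
    """Quick check for a rendered title: the template contributes exactly
    two '<'; anything more came from the untrusted text."""
    return rendered.count("<")


if __name__ == "__main__":
    print(render_title_unencoded(MALICIOUS_SUBJECT))   # 6 '<': the script runs
    print(render_title_encoded(MALICIOUS_SUBJECT))     # 2 '<': plain text
    print(render_attribute('x" onmouseover="alert(1)'))
    print(render_title_double_encoded("<b>widgets</b>"))
```

Encoding is context specific: the same entity encoding that is right for element text and quoted attributes is not enough for text placed inside a script block or a URL, so pick the encoder for the place the text is going, and apply it at the point of output, not at the point of storage.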

posted on Saturday, 02 April 2011 20:38:48 (GMT Standard Time, UTC+00:00)

 Thursday, 10 March 2011
Cookie Trouble

I read the following news article with interest about the European Union's new laws that basically state you have to ask for the user's consent before placing a cookie on their machine. Reading through the new legislation I found the paragraph below, which appears to be the only paragraph that refers to cookies.

"Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of
enabling the use of a specific service explicitly requested by the subscriber or user
. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities."

If you look at the second highlighted section of the quote (the part beginning "enabling the use of a specific service"), it appears an exception to this rule is when placing a cookie onto the user's machine is needed for the explicit working of the service the user was expecting. So for example if you log into your bank's website with a username and password, placing a cookie onto the user's machine without their consent is legitimate, as the service would not work the way the user expected without it. This is basically how I understood this paragraph.

What I do think will be an issue is people that use analytics packages on their websites (it is unclear if this is covered), paid-for advertising and affiliate tracking programs. I can already think of several organisations such as Google, Yahoo and even MSN/Bing that may be affected by this. I don't feel much thought has gone into this legislation and I am not too sure how it will be enforced. It will not stop affiliate or tracking sites that are not hosted in the EU. It could end up with companies hosting these services, or making use of services, in countries outside the EU to get around this issue.

One thing that is incredibly difficult to do is to govern how sites work on the Internet. It is not the job of governments but of international bodies to decide how this should work. What the legislation cannot protect against is spyware and illegal sites making use of this information or tracking users in this way. I also feel that not much thought has gone into how this legislation would be interpreted, or whether it could destroy how some businesses work.

A rather funny take on this new legislation can be found here

posted on Thursday, 10 March 2011 00:25:18 (GMT Standard Time, UTC+00:00)

 Thursday, 23 December 2010
The Fritz Box 7170

I've always had a problem choosing ADSL modems. They have a habit of letting me down and being downright unreliable. As my wife works from home, reliable Internet access is essential, and in the past we have faced many issues with our Internet access, most of them down to the BT Home Hub which, for reasons known only to BT, will drop the connection and suddenly choose to run an upgrade patch on itself. It did this without asking and with no thought for what important work was being done on the Internet at the time.

Other times Internet access would drop completely and the only way to get it back was to reboot the dreaded BT Home Hub. What was worse was that I had two SIP phone lines coming through my Internet connection, and the BT Home Hub was awful at routing any traffic to the phones, making them unreliable.

Having put up with this for such a long time, I told myself enough was enough and decided to trawl the Internet to find the best solution. Reading the reviews on Amazon, just about everyone complained about the popular makes of ADSL router. Then I spotted something called a Fritz!Box on Sipgate's website. It was definitely more expensive than the others, but more research found that people had nothing but good things to say about it, so I decided to see if I could get it a bit cheaper. Searching Amazon I found the above model, the 7170, for £73. It appeared to be an older model, but it still had many of the features found in the newer models, so I placed my order.

The Fritz!Box was simplicity itself to set up. I moved the box over to the IP range I use at home, unplugged my BT Home Hub, plugged in the Fritz!Box and it just worked! So far so good. I then decided to set up my Sipgate phone numbers on the box; to do this I first turned on the box's advanced settings, then entered my Sipgate details and tested calling the numbers. They worked first time and were crystal clear! There was no need to configure any ports on the box's built-in firewall; everything just worked out of the box. It was the first time I had ever managed to set up a SIP device so easily. I then opened port 80 on the firewall for my web server, and that worked without any issues (which of course means that server is reachable from the whole Internet and needs to be kept patched). The only thing I had left was my old BT Hub phone number; after a little research I found I was able to set this up on the Fritz!Box with no problems, and it also worked first time. Not bad, not bad at all..

Looking through the Fritz!Box's screens I realised it had a lot more to offer than I thought came with the box: multiple built-in answerphones, a fax machine, a NAS drive interface, a UPnP media server, a USB print server interface and a VPN client! The answerphone was easy to set up, and I discovered I could also route calls based on caller ID, so in theory I could route calls that withhold their number to an answering machine, as they are more than likely sales calls.

A month on and the Fritz!Box has been nothing but reliable. Where we have had Internet problems the box has seamlessly detected them and reset the Internet connection, in many cases without us even realising it. I suppose the old adage "you get what you pay for" is so true with the Fritz!Box. It has also reminded me just how reliable German engineering really is.

posted on Thursday, 23 December 2010 13:51:09 (GMT Standard Time, UTC+00:00)

 Saturday, 04 December 2010
Southeastern trains – content is king

(Picture: Sevenoaks Station)

I read and watched the interview with Sarah Boundy, spokeswoman for Southeastern Trains, defending Southeastern's appalling service during the recent heavy snowfall. I suppose the main point for me was how keen she was to talk about the improvements they had made to their website since last time. Unfortunately, if Sarah had been monitoring the #southeastern Twitter tag before she came to the BBC interview she would have realised that the information on the site was wildly inaccurate compared to what people were experiencing on the ground. I appreciate the fact that Southeastern had invested millions in its new website, but if the content is useless, so is the website, which is why most customers resorted to Twitter instead of trusting what was on the website.

Many of us get that the third rail system doesn't work too well in snowy conditions; what we can't get is just how bad the communication is from this company.

Joined up content channels
Even if the content had been accurate (and, to be fair, Southeastern started to pay more attention to their website when people got angry), all the other channels people receive content through, National Rail's website and the station PA system, were showing wildly conflicting messages on what was going on.

Take for example Thursday 2nd December. I made my way down to Sevenoaks train station, wading through knee-high snow to catch a train I was told would be running at 5:30am to Charing Cross station according to National Rail's website. I arrived at the station to find it closed and not a train on the platform. I decided to wait, and I did so for 20 minutes before I saw the first Southeastern staff enter the station. I waited another 15 minutes before more customers arrived at the door and finally the staff opened it. The first thing we heard from the staff was "has anyone checked the site?"; apparently the staff didn't even know what was happening. I made my way to the platform and the train the National Rail website told me was waiting on the platform (I used National Rail's iPhone app) wasn't there! The station's PA system was useless; the only message it gave was that there were adverse weather conditions. You don't need all your station displays to point out the bleeding obvious; what would have been nice was for it to tell me that the next train had been cancelled because it had become stuck on the tracks. One screen in the station told us to look at Southeastern's website! We are in the station, surrounded by Southeastern staff, and are told to go to a website. Why can't the systems sitting in place at the station give us this information?

Checking Southeastern's website on my iPhone gave conflicting information, showing some services would be running from Sevenoaks station, until one of the staff eventually got information (we know not from where) and put up the following board, stating "Our website is incorrect and we are doing our best to get it sorted".

(Picture thanks to @Bobajobbob)

Southeastern really has to work on how it communicates the status of its service. National Rail and the iPhone apps were showing trains as running on time until the very minute the train was supposed to depart, when it was marked as cancelled or just disappeared from the site.

In an age where information is freely available to all through multiple devices and communication channels, it is key that the information you make available to your customers and your staff is the same information. Updating this information should not be difficult: make use of your staff at stations and the train drivers themselves to help drive your communication network. Actively watch Twitter feeds, as companies such as BT have been doing rather well to help with damage limitation. Don't post general announcements about difficulties running services; be honest about whether the service will run or not. Sending out a vague message makes people unsure; they have to decide whether to contact their place of work and say they can't make it in today because of the lines. People also need to know if they will be able to make it back home. Southeastern failed not because of the third rail but because they didn't communicate well. I understand perfectly that other countries have suffered the same problems with their trains and that in many cases it just can't be helped. But what can be helped is a company showing it cares and providing information to its customers.

Southeastern has been annoying its customers more and more, even before the heavy snow. Trains are often not long enough for the number of passengers because they are short of working rolling stock, or trains don't run on time. When their service does work well, as I remember it used to, you could get from Sevenoaks to London within 23 minutes, which is a brilliant service when it works. For a company that charges its customers some of the highest fares in Europe, they really need to start investing more money into their network or face losing their franchise.

posted on Saturday, 04 December 2010 12:41:22 (GMT Standard Time, UTC+00:00)

 Friday, 09 July 2010
Healthy eating in schools
I read with interest an article in the Evening Standard regarding the government's plan to do a U-turn on healthy eating in schools. It appears the new government is rejecting the teaching of Jamie Oliver, which will inevitably end up with school dinners going back to the unhealthy, stodgy meals they were in many schools.

I don't believe parents should be forced to get their children to eat healthy school meals, although I do believe schools should offer healthy meals. If parents and children don't like that approach they can always send their children to school with packed lunches, but at least the government and schools can say "we provided the healthy option and you didn't take it". Parents then only have themselves to blame if their children suffer from childhood obesity later in life. I am pretty sure that if the government stuck with healthy meals in schools, over a period of time (and it will take a while) we would end up with generations who have been through the education system knowing nothing but healthy school meals. These changes are not going to happen overnight; we are talking decades here to see the end result, as each generation eventually passes these healthy eating habits on to its children.
posted on Friday, 09 July 2010 19:43:25 (GMT Standard Time, UTC+00:00)

 Saturday, 03 July 2010
The technology push to your living room

I've been reading articles about Google TV, Microsoft, Sony, BT, Sky and (now) Apple with interest regarding their push into your living room to put content on your TV. There's a hell of a lot of content on the web, and the age-old issue of watching this content conveniently on your TV, instead of having to fire up a browser on your PC, is a problem none of the big companies appear to have really solved.

Sure, you can watch some of Sky's content on your Xbox 360 now. But you won't get all of Sky's content because of restrictions enforced by content distributors. You also won't get 4OD, BBC iPlayer or the ITV Player on this service. In addition to that you won't get YouTube, Hulu or Joost. Basically there is not one set-top box that will give you all of these services through your TV without having to switch or unplug some box from the VGA, SCART or HDMI slot on your TV. My guess is that Google are trying to address this with their new set-top box idea. Whether it will work remains to be seen, because at the end of the day it doesn't matter how fancy your platform is, content is still king.

Content distributors also hold a lot of sway; they dictate how their content can be distributed. If a channel is distributed via the Internet and over encrypted satellite, in the eyes of the content provider they are separate mediums which require separate content rights. Hence Sky's problem of only being able to broadcast some of their Sky 1 shows via Sky Player, and blocking the channel for the duration of that show for Sky Player customers while satellite customers get to view it.

Likewise content providers may give the rights to distribute a show over a streaming Internet service with the caveat that it cannot be streamed to a service that connects to a TV, as that right could have been sold to a terrestrial provider. This arrangement makes things incredibly difficult, while all the user wants to do is watch their TV shows in the most convenient way possible.

I wish Google TV every success, although I am struggling to see how they will be able to offer the content we want all through one set-top box. On top of this, when a series everyone is raving about is on TV, people would sometimes like to start from the beginning. Content providers don't make it easy to get to this content, and there appears to be a high number of people using illegal downloads via services such as BitTorrent to get to it. The video/TV entertainment industry appears to be out of touch with how people would like to consume their content. The same thing happened in the music industry, which saw a huge shift in how music was distributed and led to services such as Spotify.

Wouldn't it be nice if there was a service that held just about every movie, TV series and documentary that had ever been made, available on demand? You could pay for the content per item, or for a monthly fee have access to all of it.

posted on Saturday, 03 July 2010 10:42:38 (GMT Standard Time, UTC+00:00)

 Friday, 04 June 2010
Handling the DropDownList SelectedIndexChanged event in a Repeater

This is more for my own reference, because I keep forgetting how to do it and am constantly looking it up. If it helps you out, even better! And before you say "..but in MVC you can do it like this..": I know, but some of us still have to work with WebForms on legacy apps.

My main problem with the DropDownList-in-Repeater examples on the net is that they don't show you how to figure out which DropDownList in your Repeater fired the SelectedIndexChanged event.

// This is bound to the ItemDataBound event on the repeater.
// Note: ItemDataBound only fires when the repeater is data-bound. If you
// only bind on !IsPostBack, wire the handler up in ItemCreated instead
// (it fires on every postback), otherwise the event never reaches you.
protected void RepeaterBasketItems_ItemDataBound(object sender, RepeaterItemEventArgs e)
{
    // Header, footer and separator templates have no DropDownList; skip them.
    if (e.Item.ItemType != ListItemType.Item && e.Item.ItemType != ListItemType.AlternatingItem)
        return;

    DropDownList DropDownListQuantity =
        (DropDownList)e.Item.FindControl("DropDownListQuantity");

    // hint: after typing += you can hit TAB TAB in Visual
    // Studio for it to create the event handler for you.
    DropDownListQuantity.SelectedIndexChanged
        += new EventHandler(DropDownListQuantity_SelectedIndexChanged);
}

// Handles the SelectedIndexChanged event of whichever DropDownList fired it.
void DropDownListQuantity_SelectedIndexChanged(object sender, EventArgs e)
{
    // sender is the DropDownList that fired the event.
    DropDownList dropdown = (DropDownList)sender;

    // The RepeaterItem is the control's naming container. Unlike .Parent this
    // still works when the DropDownList sits inside a table cell or panel
    // in the ItemTemplate.
    RepeaterItem repeaterRow = (RepeaterItem)dropdown.NamingContainer;

    // Inside the RepeaterItem find a hidden Literal I
    // placed there which contains the Item Id of the row.
    // You could use the DataItem if this is being persisted.
    Literal LiteralItemId = (Literal)repeaterRow.FindControl("LiteralItemId");

    // Neither value is trustworthy on a postback (SelectedValue is posted by
    // the browser, the Literal text is restored from ViewState), so parse
    // defensively instead of letting int.Parse throw on tampered input.
    int itemId;
    int newQuantity;
    if (!int.TryParse(LiteralItemId.Text, out itemId) ||
        !int.TryParse(dropdown.SelectedValue, out newQuantity))
    {
        // Malformed postback: ignore it (or log it) rather than update anything.
        return;
    }

    // Over here you could put your update method that uses itemId and newQuantity
    // (check that itemId belongs to the current user's basket before updating).
}
posted on Friday, 04 June 2010 09:09:36 (GMT Standard Time, UTC+00:00)

 Tuesday, 01 June 2010
Test blog entry from my iPhone
Testing blogging from my iPhone
posted on Tuesday, 01 June 2010 20:23:16 (GMT Standard Time, UTC+00:00)