Thursday, March 22, 2012

Basics to website security

I just recently updated a forum and decided to give the security fixes a quick read. I still need to run another update, but figured I'd upgrade it little by little rather than in one huge jump. While reading what was fixed in the next version up, I decided to poke at some of the security holes currently on the site to see how much effort it took to use them. The main one I poked at was XSS, and it was easy: no filter evasion needed. I typed in some inline javascript, went to a certain page and got the simple alert message I expected. The limited character space would make it hard to do something really useful, but it was still possible.

Now I'm not saying the forum designers missed some basics; it's a well developed forum and better than anything I could make. However, they overlooked some things that could have simple fixes if you know where everything is (I don't, so I need to rely on their fixes, because it would take me forever to learn their software and correct it better than the team of multiple people who designed it could).

So first things first: don't let people post HTML. If any HTML will be viewed, sanitize it. Even if only select people who you don't think it can affect will be viewing the end result, sanitize all of it. This means converting HTML special characters to HTML entities before they are displayed. It should also be noted that if you plan on doing things like decoding or encoding a string (like encoding a UTF-8 string), do it before you sanitize. In the other order, people can use the decoding step to get around your filters.
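As an added illustration of the ordering point (this is example code written for this post, not the forum's code), the function below decodes a percent-encoded post body and then converts the HTML special characters to entities, beside the reversed order that lets the decoding step recreate raw angle brackets after the escaping has already run. The sample post is constructed; only the Python standard library is used.

```python
import html
from urllib.parse import unquote

# Constructed sample: a post body that arrives percent-encoded, the way a
# browser (or a hand-crafted request) would send it in a form field.
RAW_POST = "Hello %3Cscript%3Ealert(1)%3C%2Fscript%3E world"


def render_safe(raw: str) -> str:
    """Decode first, then escape: the escape sees the real characters."""
    decoded = unquote(raw)                    # undo the transport encoding
    return html.escape(decoded, quote=True)   # < > & " ' become entities


def render_unsafe(raw: str) -> str:
    """Wrong order: escape first, then decode. The percent sequences carry
    no special characters, so the escape changes nothing, and the decode
    then produces raw '<' and '>' in the output."""
    escaped = html.escape(raw, quote=True)
    return unquote(escaped)


def contains_markup(rendered: str) -> bool:
    """True if a raw angle bracket survived into the rendered output."""
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    print("decode then escape:", render_safe(RAW_POST))
    print("escape then decode:", render_unsafe(RAW_POST))
```

The same rule holds for any other transformation applied to input (charset conversion, base64, HTML entity decoding): the escaping step has to be the last thing that touches the string before it reaches the page.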

Then there's SQLi (SQL injection). Anything being put into an SQL query should be sanitized, and it should be sanitized after any encoding/decoding to prevent evasion of the filters you use. Protect your data, protect your database. Make sure you use up-to-date methods to sanitize, or if one is offered, use an API for it, as it may include certain things that make it work with your site, where using the raw methods might cause a problem down the line.

PHP injection is not something I'm good at. But what I do know is that an easy way to exploit it is to embed PHP code in a file you upload, then trick the server into running it. If you do something like include a GIF in a PHP script, PHP embedded in the GIF can be evaluated and run. Do not do this. Also, do not allow a file to be uploaded with an extension that would cause it to run.
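One defensive check for uploads, written as an added example for this post (not code from any forum package): every dotted part of the filename is compared against an assumed list of extensions the web server would execute, the final extension must be on an image allowlist, the first bytes must match the magic number of the claimed type, and image data containing a PHP open tag is refused. The extension lists and the sample files are constructed for the example.

```python
from typing import Tuple

# Assumed: extensions the web server maps to an interpreter rather than
# serving as static data. Adjust to what your server actually does.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                         "cgi", "pl", "py", "sh"}
ALLOWED_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}

# Leading bytes a genuine file of each allowed type starts with.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    exts = parts[1:]
    # Check every extension, so 'a.php.gif' and 'a.gif.php' both fail.
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension present"
    ext = exts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    # The content has to look like the type the name claims.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match claimed type"
    # Defence in depth: a valid image header with PHP tags inside is still
    # dangerous if anything ever includes or evaluates the file.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag in image data"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads.
    for name, blob in [("cat.gif", b"GIF89a\x00\x00"),
                       ("shell.php.gif", b"GIF89a"),
                       ("poly.gif", b"GIF89a<?php echo 'x'; ?>")]:
        print(name, check_upload(name, blob))
```

Even with these checks, store uploads outside the web root or on a host that serves them as plain static files, and never pass an upload path to include or eval in your own scripts.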

A funny little security hole I've seen someone use, which is really a facepalm type of deal, is including hidden file paths in robots.txt. If it needs to be hidden, do not put it in robots.txt; anyone can view that file. I managed to get some free software because someone found its location in a robots.txt file, software that they were charging $20 for. If this is the case for you, put some protection in place so only the person who pays can get it, and don't go disclosing the location, especially if it's not linked. If it's not linked, a normal search bot that obeys robots.txt won't find it anyway.

Do not rely on expected values from a form or on javascript for security. Forms can be easily altered to send any data the user wants. I once had to alter a form to submit it because the form wasn't generated properly (the dropdown didn't have any options in it), so I made my own. Javascript can easily be disabled, and values in a javascript program can be altered on the fly. Javascript should be used to make a site easier to use and interactive, not for security. When nyancat was going viral, I decided to alter some of the values while it was running just for some screenshots to amaze people who don't know how easy it is to fuck with that stuff. I also used it to turn off the music because it started bothering me after a while.

Now if you accept data, whether by GET or POST, make sure both are secured. GET is very easy to alter because it's simple URL modification. POST takes a little extra knowledge, but is still not hard to do. Also, don't rely on hidden inputs: they can be viewed and altered easily, so do not rely on them being secure either.
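The two paragraphs above come down to one rule: the server re-validates every field no matter how it arrived. This added example (written for this post; the catalog, field names and limits are all assumed) runs a GET query string and a POST body through the same parser, re-checks the dropdown value against an allowlist, bounds the quantity, and takes the price from a server-side table so a tampered hidden `price` input has no effect.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Server-side source of truth. Prices are looked up here, never read from
# the form, so a hidden 'price' input the client edits changes nothing.
CATALOG = {"basic": Decimal("5.00"), "pro": Decimal("20.00")}
MAX_QTY = 10


class InvalidOrder(ValueError):
    """Raised for any field that fails server-side validation."""


def parse_form(raw: str) -> dict:
    """GET query strings and POST form bodies share the same
    application/x-www-form-urlencoded format, so both go through here."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def validate_order(fields: dict) -> dict:
    plan = fields.get("plan", "")
    if plan not in CATALOG:          # dropdown value re-checked against the allowlist
        raise InvalidOrder(f"unknown plan {plan!r}")
    try:
        qty = int(fields.get("qty", ""))
    except ValueError:
        raise InvalidOrder("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise InvalidOrder("quantity out of range")
    # Any 'price' field in the request is ignored entirely.
    return {"plan": plan, "qty": qty, "total": CATALOG[plan] * qty}


def handle(method: str, query: str, body: str) -> dict:
    """Route the raw data from either method through the same validation."""
    raw = body if method == "POST" else query
    return validate_order(parse_form(raw))


def is_rejected(method: str, query: str, body: str) -> bool:
    """True if the request fails validation (used by the demo below)."""
    try:
        handle(method, query, body)
    except InvalidOrder:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: a tampered hidden price and an invalid quantity.
    print(handle("POST", "", "plan=pro&qty=2&price=0.01"))
    print(is_rejected("GET", "plan=enterprise&qty=1", ""))
    print(is_rejected("POST", "", "plan=pro&qty=-5"))
```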

There are many other basics I could go into and get really in-depth on; however, I'll cut this off here with the bottom line: sanitize all data coming from a user. That's the basic rule of thumb for a good portion of security.

Monday, March 19, 2012

NoScript URL Javascript

I've been messing around with javascript and helping someone learn it, and one thing I've noticed is that a lot of people seem to have NoScript now. NoScript is an addon that lets you selectively run or block javascript. While this is great, there is one option I don't see openly in its options: whenever you try to run javascript in the URL bar, it's blocked. While this is good for people dumb enough to run javascript directly from someone untrustworthy (I have used URL-run javascript to get someone's cookie information and hijack their session), it can be a problem when just messing around with stuff for someone who knows what they are doing but doesn't know about the way to allow URL-run javascript.

So to find the option, first go to about:config (enter about:config in your URL bar). Then in the filter, enter noscript.allowURLBarJS. You can right click and select the toggle option, or simply double click the result you get. Once it's set to true, you should be able to run URL javascript, but only on sites whose domain is allowed to run javascript. Running javascript in the URL still sandboxes it to whatever tab you're on.

Whatever you do, be careful what you run when using this; it can lead to anything from information being taken to breaking some stuff. Other times, it can just be a way to mess around with a site you're on quickly and easily, like bookmarklets.

Saturday, March 10, 2012

Python list comprehension

I just recently figured out python list comprehension, so I figured I'd try to explain it, because to me it is one of the most complicated-looking things in python. There are a few other confusing things, but I'll look at them more when I find a use for them.

List comprehension is a way to shorten creating a list when looping with some simple expression or conditional is needed. Due to how complicated it looks, I personally think the expanded notation should be used if you're nesting comprehensions like this, for clarity's sake.

The basic notation of this is along the lines of:

[itemBeingAdded for itemBeingAdded in iterableOrGenerator]

The itemBeingAdded is simply the value that will be placed in the list. Then there is a for loop, written like any other python for loop. You use iterables or generators, as they are the things you can loop through (like range and xrange, where xrange is a generator). You can also place an expression for the item being added, like so.

[x ** 2 for x in xrange(5)]

This will result in [0, 1, 4, 9, 16]. Conditionals can also be added.

[x ** 2 for x in xrange(5) if x % 2]

This will result in [1, 9], because the expression is only evaluated when the condition is true, i.e. when x can't be divided evenly by 2 (x % 2 is 0 for every even number, including 0).

Now what I used it for was to create a list of values from two dictionaries of objects, where one dictionary held just the objects that failed, along with their errors. That looks something like this.

[value for key, value in dict1.items() if key not in dict2]

This will pull out all the values for the keys that are in dict1 but not in dict2 (the unique keys in dict1). Expanded, it would look something like this.

x = []
for key, value in dict1.items():
  if key not in dict2:
    x.append(value)

The variable x would be the resulting list. So it's a quick, clean-looking way to create a list without multiple blocks of code, and it can be nice once you understand how to read it. However, for more complicated things it can just be obnoxious.
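As an added, runnable version of the examples in this post (written for this page, not the author's original snippets), the block below builds the dict1/dict2 case from constructed data, shows each comprehension beside its expanded loop, and goes one step past the post with a nested comprehension and its loop form, since that is the case where the expanded notation pays off. It is written for Python 3, where range() is already lazy and takes the place of xrange().

```python
# Constructed sample data: results keyed by object id, and the subset that
# failed along with the error for each one (the post's dict1 and dict2).
results = {1: "alpha", 2: "beta", 3: "gamma", 4: "delta"}
failures = {2: "timeout", 4: "permission denied"}


def successes_comprehension(all_results: dict, failed: dict) -> list:
    """Values whose key is in all_results but not in failed."""
    return [value for key, value in all_results.items() if key not in failed]


def successes_expanded(all_results: dict, failed: dict) -> list:
    """The same selection written as an ordinary loop."""
    out = []
    for key, value in all_results.items():
        if key not in failed:
            out.append(value)
    return out


def odd_squares(n: int) -> list:
    """The post's [x ** 2 for x in xrange(5) if x % 2], with Python 3 range."""
    return [x ** 2 for x in range(n) if x % 2]


def pairs_nested(n: int) -> list:
    """Nested comprehension: the leftmost 'for' is the outer loop, the
    'if' applies to the innermost one. Keep pairs (i, j) with j < i and
    an odd sum."""
    return [(i, j) for i in range(n) for j in range(i) if (i + j) % 2]


def pairs_expanded(n: int) -> list:
    """The nested comprehension above, expanded in reading order."""
    out = []
    for i in range(n):
        for j in range(i):
            if (i + j) % 2:
                out.append((i, j))
    return out


if __name__ == "__main__":
    print(successes_comprehension(results, failures))
    print(odd_squares(5))
    print(pairs_nested(4))
```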
