Category Archives: code

code security

Brocade brute forcer

During a pentest, I needed to test a Brocade SAN switch. Since the Java Web Start client was quite slow and I couldn't find another script, I quickly coded this together to brute-force passwords:

brocade_brute.rb

Javascript security

the state of Mixed Mode

When a browser fetches a web page over HTTPS, *nobody* between your browser and the target web server (setting aside the revelations that governments can see some SSL traffic) can read or alter what goes over the wire. You are protected against the prying eyes of an evil network admin, a proxy admin or even a government.

Modern websites often import JavaScript files from multiple sources, either for extra functionality (Facebook's Like button, widgets) or for entire frameworks such as JQuery or YUI. If such a JavaScript resource is loaded from a non-SSL location, this is usually called mixed content: the script travels over plain HTTP, so anyone on the path can replace it, and once it arrives it runs with the full privileges of the HTTPS page that included it. I did some research to find out how browsers handle this, on desktops as well as on mobiles.

Please run the tests on https://bloat.io/mm/. It looks *very* rudimentary, but I am gathering information from different browsers with it. Let the page load for a few seconds, and everything gets logged in a database. As a "visual": the more warning icons you see, the more vulnerable your browser is.

Don’t worry, it won’t try to exploit anything or crash.

Javascript rails

Rails, what’s wrong with serving static JS and CSS files?

For a new web project, I’ve been looking at Rails 3.1, the latest update of the popular Ruby on Rails web application framework.

Although I just started on it and haven't seen all the goodness yet, one thing that raised my eyebrows is how static content à la CSS and JavaScript is handled, through an asset pipeline.

In a nutshell: since I'm doing the JQuery side of the site now, wouldn't it make much more sense to fetch the libraries from CDNs, cache the remaining recurring libraries in Nginx (or Apache), and leave the page-specific bits in one big <script> tag, instead of pushing everything into one bloated application.js?

Then again, although I think Rails was what the web community needed, I always had my ideas about frameworks.

Thanks,
Michael

Javascript security web

JQlog: JQuery Keylogger, or why not to trust your proxy admin.

Note that this post is for awareness and educational purposes only. I do not encourage, and cannot be held responsible for malicious actions using these tools.

The Internet, as it is today, is a mash-up of JavaScript-enabled services, often included from external websites. Internet companies offer so-called widgets: JavaScript tools you can drop into your own page. Popular examples are site analytics (Omniture, Google Analytics, etc.) and share buttons (AddThis, AddToAny, ...). Such a script runs with the full privileges of the page that includes it, so by overwriting the JavaScript libraries a page pulls in, we can make it do other things, such as recording keystrokes.

"Overwriting" JavaScript libraries, or rather "inserting JavaScript", can be done in several ways. Cross-Site Scripting is one of them, but for this post I will act as a malicious proxy administrator: I overwrite the DNS entry for www.google-analytics.com and serve a "fake" ga.js in place of the real one, so every page that includes Google Analytics through my proxy runs my script instead.

For this, you’d need only 2 files:

This JavaScript file, found here, holds 3 parts: JQuery, a base64 encoder and the keylogger code itself: read more »
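The mixed-content post and this keylogger post come down to the same trust question: a script a page pulls in from elsewhere runs with that page's full privileges, and whoever can substitute it (a proxy admin, a DNS admin, anyone on the path when the script travels over plain HTTP) owns the page. The Ruby below is an added example, not code from either post nor from the bloat.io test page: it takes a page's HTML and the URL it was served from and classifies every script, frame and stylesheet reference by how exposed it is. The sample page, the host names in it and the function names are constructed for this example.

```ruby
require 'uri'

# Added example, not code from the original posts: classify the active
# subresources of a page by how easily an on-path attacker can replace them.

# Tags whose referenced resource runs with the including page's privileges.
ACTIVE_RESOURCES = { 'script' => 'src', 'iframe' => 'src', 'link' => 'href' }.freeze

# Returns an array of { tag:, url:, status: } hashes. status is one of:
#   :mixed_content     - plain http resource on an https page; anyone on the
#                        path can rewrite it, and it then runs in the https origin
#   :plain_http        - the page itself is http, so everything is rewritable
#   :protocol_relative - "//host/x.js": safe only while the page stays on https
#   :third_party       - https, but a host you do not control (trust it, or not)
#   :same_origin       - https from the page's own host
def classify_resources(html, page_url)
  page = URI.parse(page_url)
  findings = []
  ACTIVE_RESOURCES.each do |tag, attr|
    pattern = /<#{tag}\b[^>]*?\b#{attr}\s*=\s*["']?([^"'\s>]+)/i
    html.scan(pattern) do |(raw)|
      begin
        url = URI.join(page_url, raw) # resolves relative and protocol-relative refs
      rescue URI::Error
        next # malformed reference; the browser would not fetch it either
      end
      status =
        if page.scheme != 'https'
          :plain_http
        elsif url.scheme == 'http'
          :mixed_content
        elsif raw.start_with?('//')
          :protocol_relative
        elsif url.host == page.host
          :same_origin
        else
          :third_party
        end
      findings << { tag: tag, url: url.to_s, status: status }
    end
  end
  findings
end

# Only the entries an attacker on the network can substitute outright.
def rewritable(findings)
  findings.select { |f| %i[mixed_content plain_http].include?(f[:status]) }
end

# Constructed sample page for this example; the hosts are placeholders.
SAMPLE_HTML = <<~HTML
  <html><head>
    <script src="/js/app.js"></script>
    <script src="http://www.google-analytics.com/ga.js"></script>
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script>
    <link rel="stylesheet" href="https://cdn.example.net/site.css">
    <script src="https://www.example.com/js/widgets.js"></script>
  </head><body><iframe src="http://ads.example.org/frame"></iframe></body></html>
HTML

if __FILE__ == $0
  classify_resources(SAMPLE_HTML, 'https://www.example.com/').each do |f|
    puts "#{f[:status].to_s.ljust(18)} #{f[:tag].ljust(6)} #{f[:url]}"
  end
end
```

Run against the sample page served over https, the ga.js script and the ad iframe come out as mixed content, the protocol-relative JQuery include is flagged as fragile, and the CDN stylesheet is listed as third party so you can decide whether that host deserves the trust. Serve the same page over plain http and every entry becomes rewritable, which is exactly the proxy-admin scenario above.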

code rails

JQuery AJAX with Rails’ authenticity token

In Ruby on Rails, authenticity tokens are generated to prevent CSRF (Cross-Site Request Forgery) attacks, also called "session riding". Each session gets a secret token that every state-changing request has to echo back. A page on another website can make your browser send a request with your cookies, but it cannot read the token, so its request is rejected.

To have this token available in your page, put <%= csrf_meta_tag %> in your view, usually in app/views/layouts/application.html.erb. The tag renders something like:

<meta name="csrf-param" content="authenticity_token"/>
<meta name="csrf-token" content="uDDuQj14CCJ…">

If you write your own AJAX calls, say with JQuery, you need to send this value along, otherwise Rails treats the request as forged. Read it from the meta tag:

var param = $('meta[name=csrf-token]').attr('content');

Then include it in your AJAX requests as the authenticity_token parameter (the name the csrf-param meta tag announces). Rails also accepts the token in an X-CSRF-Token request header, so with JQuery you can set it once in $.ajaxSetup's beforeSend hook instead of adding it to every call.

$.post('/post', { body: $('#post_body').val(), authenticity_token: param }, function(data){
  var ret = jQuery.parseJSON(data);
  if(ret.status=="ok") {
    // handle the successful post here
  }
});
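To see what the token actually buys you, here is the server side of the check as an added illustration. It is a simplified reimplementation written for this post, not Rails' own code (Rails does the same work in protect_from_forgery and verified_request?). The session and the request are plain hashes standing in for the real objects, and the function names are assumptions.

```ruby
require 'securerandom'

# Added illustration of the check behind protect_from_forgery; not Rails' code.
# session and request are plain Hashes standing in for the real objects:
#   request = { method: 'POST', params: { ... }, headers: { ... } }

# One random secret per session. The csrf-token meta tag exposes this value to
# the page's own JavaScript and to nothing else: another origin cannot read it.
def fetch_or_issue_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Compare in constant time so the token cannot be recovered byte by byte from
# how long the comparison takes (same idea as Rack::Utils.secure_compare).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Safe methods need no token: a forged GET must not change state anyway.
# For everything else the token may arrive as the authenticity_token
# parameter (the JQuery snippet above) or as the X-CSRF-Token header;
# whichever is present is checked against the session's secret.
def verified_request?(session, request)
  return true if %w[GET HEAD].include?(request[:method])
  expected = session[:_csrf_token]
  return false if expected.nil? # this session never rendered the layout
  candidate = request[:params]['authenticity_token'] ||
              request[:headers]['X-CSRF-Token']
  return false if candidate.nil?
  secure_compare(candidate.to_s, expected)
end
```

A cross-site form post carries the victim's cookies, so the session lookup succeeds, but it carries no token (or a guessed one), so the constant-time comparison fails and the request is refused; a same-origin AJAX call that copied the meta tag's value passes.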

rails

Spaces (or parentheses) are important

In Ruby,

    j = points.size -1

is not the same as

    j = points.size - 1

A space before the minus and none after it makes Ruby read -1 as an argument, so the first line is parsed as a method call with one argument. Array#size takes no arguments and raises an ArgumentError; the second line is the subtraction you meant. Wouldn't it be easier if parentheses were mandatory, so that we could see the difference between:

    j = points.size -1

and

    j = points.size(-1)

code misc rails

FacebookError: OAuthException – Invalid OAuth access token

On places.ae, we got notified of some issues with Facebook signups and logins. All of the sudden, when the Facebook OAuth service pushed us back to our redirect-page, the HyperGraph Gem threw the following error:

FacebookError: OAuthException – Invalid OAuth access token

This is often thrown because the access token can contain a | (pipe) character, which arrives percent-encoded as %7C, and HyperGraph chokes on that. So a simple gsub('%7C', '|') solves it, as in the code below:

at = HyperGraph.get_access_token(FB_ID, FB_SECRET, FB_RET, code)
at = at.gsub('%7C', '|')  # HyperGraph wants the raw pipe, not its %7C encoding
g  = HyperGraph.new(at)
me = g.get('me')

Thanks,
Michael

code misc sysadmin

nnscfgmaker.sh: a nagios/nsclient++ cfg maker

Dear all,

We are in the process of changing the monitoring system on part of our network from Zenoss to Nagios. This is not a Zenoss vs. Nagios debate, as both products are awesome and do the things they are designed for very well. We (Christian and myself) use a combination of Cacti for bandwidth monitoring and Zenoss for server and device monitoring. Now, recently we decided to change the latter to Nagios. It is known for its "great deal of flexibility when integrating Nagios into their environment" (Galstad, 2005).

As Zenoss was configured to use SNMP Informant to grab information about the MS Windows servers (available disk space, CPU load, etc.) and Nagios uses NSClient++, one of the time-consuming tasks was getting the client onto each server (thank you, domain 🙂) and configuring each and every server on the Nagios server. I guess there should be some sort of discovery tool for Nagios, but I couldn't directly find one.

In order to tackle the copy-pasting of a few dozen config files, and to brush up my bash scripting again, I wrote the Nagios NSClient++ cfg maker read more »

code

Find “similar things” in Ruby

For several Ruby on Rails projects I had to come up with "similar" results. These are often results (videos, products, places, hobbies, etc.) that share the greatest number of tags.

Say, you are tagging car pictures on a website, and have the following:

image1.jpg -> ["honda", "s2000", "convertible", "black"]
image2.jpg -> ["honda", "civic", "blue"]
image3.jpg -> ["lexus", "is300", "blue"]
image4.jpg -> ["s2000", "honda", "convertible", "silver"]
image5.jpg -> ["toyota", "starlet", "black"]

Seeing this, you'd know that image1.jpg and image4.jpg are similar pictures, or rather "more similar" than, say, image1.jpg and image3.jpg. For this, I wrote the snippet below. It goes in the model file and can be called as object.similar. It returns an array of similar "things", sorted from most similar to least similar.

For example:

  img = Image.find(params[:id])
  @similar_images = img.similar.first(10)

This gives you the 10 "most similar" images to img; well, it gives you the images whose tags overlap most with img's tags.

def similar
  # every object that shares at least one tag with self; an object sharing
  # n tags shows up n times (this loads all of them, so for large tables
  # push the counting into a GROUP BY query instead)
  candidates = tags.flat_map(&:pictures) # or tag.things, tag.products, ...
  candidates.delete(self)

  # count how many tags each candidate shares with self
  counts = Hash.new(0)
  candidates.each { |r| counts[r] += 1 }

  # most shared tags first; return all items, products, ...
  counts.sort_by { |_, n| -n }.map(&:first)
end

This was written for a new project coming up, and will be used to do better "similarities matching" for places.ae, though for the latter we also had to sort on distance (for its vicinity).

code sysadmin

Tar based incremental backups

A small bash script I wrote to have incremental backups done on a Unix server and then pushed to a Windows file system. On the file server, we add this directory to the normal backup.

This is on a mail server, where emails are stored in Maildir format. We create weekly full backups on Sunday, and daily incrementals. This script is called nightly from a cron job. Gotta love the scripting abilities of bash.

It might help you out, so here goes:

#!/bin/bash
# backup script does the following:
# dump all new/changed mail into a backup file, gzip the backup file and
# move the file to an external file server
#
# the archive and tar's snapshot file are written under /tmp: the umask keeps
# other local users from reading a copy of everyone's mail, and if a tmp
# cleaner ever removes the snapshot file the next run silently becomes a full
# backup, so watch the reported size
umask 077

START_TIME=$(/bin/date)
echo "backup started at: ${START_TIME}"

DOW_N=$(/bin/date +"%w") # number, 0 (Sun), 1 (Mon), ...
DOW_T=$(/bin/date +"%F") # YYYY-MM-DD, used in the archive name

TO_BACKUP="/opt/maildata/"
TEMP_FILE="/tmp/${DOW_T}_mail_backup.tar"
BACKUP_LOG="/tmp/mail.backup"   # tar snapshot file: what was already backed up
FILE_SERVER="/mnt/fileserver/"  # mounted over SMB

# if it's a Sunday, delete the snapshot file so tar takes a full backup
if [ "${DOW_N}" -eq 0 ]; then
  /bin/rm -f "${BACKUP_LOG}"
fi

# stop if tar fails, so a broken archive is not shipped and cron mails the error
if ! /bin/tar -c -f "${TEMP_FILE}" --listed-incremental="${BACKUP_LOG}" "${TO_BACKUP}"; then
  echo "tar failed, leaving ${TEMP_FILE} in place for inspection" >&2
  exit 1
fi
/bin/gzip -f "${TEMP_FILE}"
FILE_SIZE=$(/bin/ls -lah "${TEMP_FILE}.gz" | awk '{ print $5 }')
/bin/mv "${TEMP_FILE}.gz" "${FILE_SERVER}"

## report, this goes in an email through cron
END_TIME=$(/bin/date)
echo "backup ended at: ${END_TIME}"
echo "data moved: ${FILE_SIZE}"