These are posts tagged ‘development’

Web Application Cracking Workshop #1

Yesterday I was at the Hackspace to learn about web exploits and security testing from Darren McDonald. The following is a write-up of what we did and learnt that afternoon.

The brief warning we were given at the beginning went something like this: if you try and compromise somebody’s machine without their permission, you stand a decent chance of being prosecuted under the Computer Misuse Act. Which probably means never getting a job involving computers again. All the hardware we were trying to break yesterday was owned by Darren.

To start, we were pointed to the (free) Burp Suite and shown how to intercept HTTP requests by proxying traffic through 127.0.0.1:8080. Every request and response is shown in Burp before being passed on, with the option to modify any part of the request before it reaches the server.

As a web developer, I’d always heard that relying on client-side validation was A Bad Idea, but I’d never seen just what can happen if you don’t validate input server-side. The moral of the story?

If you’re relying on the browser to provide decent, well-formed information (including from things like hidden fields): don’t.

We were shown a purposefully badly written online store as an example, where the cost of a product was a parameter in the request (!). Using something like Burp, it’s easy to set a GET or POST parameter (the cost, in this case) to whatever you want.
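The fix for the broken shop is that the server never reads the price from the request at all. The following is an added example (not code from the workshop or from the site Darren used) contrasting a checkout that trusts a client-supplied price with one that looks the price up in its own catalogue and validates the quantity. The SKUs, prices and the `BadRequest` class are constructed for the illustration.

```python
# Checkout price handling: a client-trusting total beside a server-side lookup.
# Added example; the catalogue and request values below are constructed.

# The server's own record of what things cost.
CATALOGUE = {
    "sku-100": {"name": "T-shirt", "price_pence": 1500},
    "sku-200": {"name": "Mug", "price_pence": 800},
}


class BadRequest(ValueError):
    """Raised when a request carries values the server must not accept."""


def vulnerable_total(params):
    """Trusts the 'price' field sent by the browser (hidden field or POST
    parameter). Anyone who can edit the request before it reaches the
    server, e.g. with an intercepting proxy, can set the price to anything."""
    return int(params["price"]) * int(params["qty"])


def checkout_total(params):
    """Looks the price up server-side and validates everything else.
    A 'price' field in the request, if present, is ignored entirely."""
    sku = params.get("sku")
    if sku not in CATALOGUE:
        raise BadRequest("unknown sku")
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        raise BadRequest("qty must be an integer")
    if not 1 <= qty <= 100:
        raise BadRequest("qty out of range")
    return CATALOGUE[sku]["price_pence"] * qty


if __name__ == "__main__":
    # Constructed request as it might look after being rewritten in a proxy:
    # the hidden 'price' field has been changed to 1p.
    tampered = {"sku": "sku-100", "qty": "2", "price": "1"}
    print("trusting the client:", vulnerable_total(tampered))
    print("server-side lookup: ", checkout_total(tampered))
```

The hardened version treats every field, hidden or not, as untrusted input: the price comes from the catalogue, the SKU must exist, and the quantity must parse and fall within a sane range, otherwise the request is rejected rather than guessed at.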

And then it was time to talk about XSS. The simplest test for a cross-site scripting vulnerability on this site was to enter <script>alert(1)</script> into an input field. The example we were given was a guestbook, and we ended up with dialog boxes, JavaScript redirects and XKCD comics galore. I was reminded of the #cashgordon incident last year.
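The guestbook was vulnerable because it wrote visitors' messages straight into the page. Here is an added example (not the workshop's code) of the same guestbook rendered two ways: once by concatenating the message into the HTML, and once by escaping it for an HTML text context at output time. The entries, including the `<script>alert(1)</script>` payload from the session, are constructed; `contains_script_tag` is a deliberately crude check used only to show the difference between the two renderings.

```python
# Guestbook rendering: unescaped output beside output escaped with html.escape.
# Added example; the entries below are constructed.
import html

ENTRIES = [
    ("alice", "Nice site!"),
    ("mallory", "<script>alert(1)</script>"),   # the payload tried in the workshop
    ("bob", 'Tom & Jerry say "hi"'),            # legitimate text that must survive
]


def render_entry_unsafe(name, message):
    """Concatenates user input straight into the markup, as the workshop's
    guestbook did. The browser parses and runs any tags it finds."""
    return f"<li><b>{name}</b>: {message}</li>"


def render_entry(name, message):
    """Escapes user input for an HTML text context at output time.
    html.escape turns < > & " ' into character references, so a message
    is displayed as text and never interpreted as markup."""
    return f"<li><b>{html.escape(name)}</b>: {html.escape(message)}</li>"


def render_guestbook(entries, renderer=render_entry):
    """Renders the whole list with the chosen per-entry renderer."""
    return "<ul>\n" + "\n".join(renderer(n, m) for n, m in entries) + "\n</ul>"


def contains_script_tag(markup):
    """Crude check for an unescaped <script ...> tag in rendered output.
    Only here to make the two renderings comparable; not a real XSS filter."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_guestbook(ENTRIES, render_entry_unsafe))
    print(render_guestbook(ENTRIES))
```

Escaping belongs at the point where data is written into the page, not at the point where it is received: the stored message stays exactly what the visitor typed, and the template decides how to make it safe for the context it is inserted into. Attribute values and JavaScript contexts need different escaping again, which is why template engines that escape by default are the usual answer.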

An hour after the session began, I was thinking about how session cookies are actually a huge headache, and one I hadn’t considered before Firesheep got everybody thinking. Using Darren’s session ID, it was easy to steal his session and abuse his “10% staff discount”.
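A session cookie is only as safe as the channel it travels over and the script that can read it. As an added example (not something from the workshop), the following audits `Set-Cookie` headers for the attributes that limit how a session ID can leak: `Secure` keeps it off plain HTTP, which is what Firesheep was sniffing, and `HttpOnly` keeps it out of reach of injected script. The header values and the list of session cookie names are constructed for the illustration; the parsing uses the standard library's `http.cookies.SimpleCookie`.

```python
# Set-Cookie audit: flag session cookies missing Secure, HttpOnly or SameSite.
# Added example; the headers below are constructed.
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values, as a proxy or the server's logs
# would show them.
RAW_HEADERS = [
    "sessionid=abc123; Path=/",
    "sessionid=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

# Cookie names treated as session identifiers (assumed list; extend for
# whatever framework the site actually uses).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "_session_id"}


def audit_set_cookie(header):
    """Returns a list of problems for one Set-Cookie header value.
    Non-session cookies such as a theme preference are left alone."""
    jar = SimpleCookie()
    jar.load(header)
    problems = []
    for name, morsel in jar.items():
        if name.lower() not in SESSION_NAMES:
            continue
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure (sent over plain HTTP, sniffable)")
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly (readable by injected script)")
        if not morsel["samesite"]:
            problems.append(f"{name}: missing SameSite (sent on cross-site requests)")
    return problems


def audit_all(headers):
    """Maps each header value to its list of problems, dropping clean ones."""
    return {h: audit_set_cookie(h) for h in headers if audit_set_cookie(h)}


if __name__ == "__main__":
    for header, problems in audit_all(RAW_HEADERS).items():
        print(header)
        for p in problems:
            print("  -", p)
```

Setting the flags is necessary rather than sufficient: the site also has to be served over HTTPS for `Secure` to mean anything, and the session ID should be regenerated on login so that a value captured before authentication is worthless afterwards.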

We worked through some examples of pages with progressively better and better input sanitation, thinking about what the developer had done to protect their site and how we could get around it.

Moving on, we looked at SQL injection attacks and how you can then tell which kind of database the site is using. I’ve been working on limiting the permissions of the WordPress database user on this site, for example, and this reinforced just how important that is.
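The root cause of SQL injection is building the query by gluing user input into the SQL text, and the fix is to hand the input to the database as a bound parameter instead. As an added example (not the workshop's material), the following runs both versions of a product search against a constructed in-memory SQLite table: the interpolated query returns every row for a tautology input and leaks a database error message for a stray quote (which is exactly how an attacker learns which engine is behind the site), while the parameterised query treats the same input as a literal string. Table contents and product names are constructed.

```python
# SQL injection: string-interpolated query beside a parameterised one.
# Added example; the table and rows below are constructed.
import sqlite3


def build_db():
    """Constructed in-memory product table standing in for the shop's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("T-shirt", 1500), ("Mug", 800), ("Poster", 1200)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Interpolates the user's search term into the SQL text. Whatever the
    user types becomes part of the query the database parses."""
    sql = f"SELECT name FROM products WHERE name = '{term}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Passes the term as a bound parameter. The SQL text is fixed and the
    database never parses the term as SQL, so quotes in it are just data."""
    rows = conn.execute(
        "SELECT name FROM products WHERE name = ? ORDER BY id", (term,)
    )
    return [row[0] for row in rows]


def probe_error(conn, term):
    """Returns the database's error message for the vulnerable query, or None.
    Showing such messages to users tells them which database engine is in
    use; they belong in the server log, not the response."""
    try:
        search_vulnerable(conn, term)
    except sqlite3.DatabaseError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = build_db()
    tautology = "' OR '1'='1"   # classic probe input, constructed for the demo
    print("vulnerable:", search_vulnerable(db, tautology))
    print("safe:      ", search_safe(db, tautology))
    print("error leak:", probe_error(db, "'"))
```

Binding parameters removes the injection; limiting what the database user can do, as with the WordPress user mentioned above, limits the damage if something is missed. A read-only account for the public-facing code cannot drop tables however the query is mangled.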

Apparently 10–20% of sites have some kind of SQL injection vulnerability, which is a worryingly large number.

It was great to get a broad overview of the basics of web security, and it’s given me plenty to think about for past and future projects. Brilliant to see a couple of people interested in joining the Hackspace after attending the session, too. Many thanks to Darren for taking the afternoon to share his expertise, and I’m looking forward to the next one.

One Click Orgs

One Click Orgs is a service to allow organisations to virtualise the way they’re run, providing a legal structure to make it easy to do things like open group bank accounts and organise the decision-making process.

One Click Orgs January Hack day

It’s a Ruby on Rails app with the source available on GitHub, and I’ve been working with the team since last April. Chris and Martin have given me so much help with Rails and Git, and I’ve learnt so much over the course of the last year.

While everyone else has been focused on making the service actually work, I’ve been messing around with the way things look; in this case, using Haml and Sass.

It’s been such a great project to be involved in, especially for an open source first-timer. Everybody has answered every stupid question I’ve had, and the local monthly meetings have made things really easy.

This week version 1 was released and it’s giving me great satisfaction to see something I worked on actually out there. Being used.

Here are some screenshots of what I helped to sort out, with Charles, Colin and the rest of the team. It begins with version 0.6, which was the latest version when I started, and continues through to the 1.0 that was released last night:

OCO screenshots

I’m very much looking forward to seeing the progress and refinement as we move on.

Everything should be a permalink

I received this by email, from somebody trying to plan when to book a train journey:

Gmail screenshot, link

This illustrates something that’s become really clear to me since I started work: people don’t get links. Being able to quickly dissect a link is something I (and, I suspect, most geeks) have definitely taken for granted.

The solution is pretty clear: at any point in your app, a user should be able to copy the URL and share that exact screen with anybody who should have access.

I’d change that ticket-booking link to be something like:

…combinedmatrix.aspx?command=timetable&from=kgx&to=yrk&datetime=2011-01-12-1915

Dear YouTube, Here’s a Rant

I don’t know where to start with this.

YouTube Flash Fail Upgrade

YouTube + HTML5

YouTube recently announced an HTML5 beta. Here are the numbers, using Safari 4.0.4 on a 2.2GHz MacBook with 4GB of RAM:

Software                                            Processor usage   RAM usage
Safari, not using the HTML5 beta (Flash plugin)     54%               33MB
Safari, not using the HTML5 beta (actual browser)   19%               85MB
Safari, using the HTML5 beta                        19%               104MB

Flash

The Roundhouse’s site

If you’re a brand strategy/web development/whatever we’re calling it today company and your homepage (and therefore, my first impression of your company) looks like this, please change it. Like, right now.

(I use the very excellent and very open source ClickToFlash by Jonathan Rentzsch.)

Google Chrome OS & Development

Peter Rojas and Ryan Block make a good point on the gdgt podcast, one that made me stop and think:

  • I think the tell will be a year from now, how many people at Google are running Chrome OS as their primary, or say sole, operating system at work. And I think that that number will actually be relatively low. I think that most people will still be running a more fully functioning install of Linux.
  • I don’t think you could develop code in Chrome OS.
  • There isn’t really a good, at least that I’ve heard of, a good web-based IDE, web-based code developing. You can’t substitute a terminal in the browser.

I’ve seen nothing so far that makes me want to get rid of TextMate (my text editor of choice on the Mac). But like I’ve said (somewhere, possibly on Twitter?) before, there’s nothing to stop this from being a secondary machine.

Listen to it »