Archive for the ‘IT’ Category

Backbone Patterns JSON preloading XSS vulnerability

Friday, February 10th, 2012

I was skimming through Backbone Patterns by Rico Sta. Cruz to see if I could learn something from the Backbone practices and apply it to our own in-house systems, which achieve much the same things in a slightly different manner.

The following code caught my eye as we at have been bitten by the same problem in the past:

<script> = new Photos(<?php echo json_encode($photos); ?>);

The data in $photos is usually pretty arbitrary and it is hard to make sure that it does not contain something like this:

{ "name" : "</script><script>alert(\"xss\")</script>" }

The way we at have solved this XSS vulnerability is by URI encoding the JSON on the page and then decoding it with decodeURIComponent before passing it to a JSON parser. Here is a quick (completely untested) example with jQuery:

 = new Photos( jQuery.parseJSON( decodeURIComponent(
    // rawurlencode() emits only [A-Za-z0-9._~-] and %XX escapes, so the
    // double-quoted string literal below cannot be terminated by the data
    "<?php echo rawurlencode( json_encode( $photos ) ); ?>"
) ) );
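The breakout and the encoding fix described above, modelled in plain JavaScript as an added example (not code from the original post or from Backbone Patterns): JSON.stringify() stands in for PHP json_encode(), a rawurlencode() equivalent is implemented locally, and the variable name `photos` in the templates is assumed.

```javascript
// Added example, not code from the original post: models the two server-side
// templates in plain JavaScript so the breakout can be checked in Node.
// JSON.stringify() stands in for PHP json_encode(); with default flags both
// leave "<", ">" and "/" untouched.

// Constructed sample record carrying the breakout payload from the post.
const photos = [{ name: '</script><script>alert("xss")</script>' }];

// Naive template: the JSON is pasted straight into the <script> block.
function renderNaive(data) {
  return '<script>\nvar photos = new Photos(' + JSON.stringify(data) +
    ');\n</script>';
}

// PHP rawurlencode() equivalent: encodeURIComponent() plus the five
// characters it leaves alone (!'()*), so only [A-Za-z0-9._~-] and %XX remain.
function rawurlencode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Hardened template from the post: URI-encode the JSON on the server and
// decode it client-side before parsing. The encoded text sits inside a JS
// string literal, which rawurlencode() output can never break out of.
function renderEncoded(data) {
  return '<script>\nvar photos = new Photos(JSON.parse(decodeURIComponent("' +
    rawurlencode(JSON.stringify(data)) + '")));\n</script>';
}

// The HTML parser ends a script element at the first "</script" it meets,
// whatever the JavaScript string context, so counting them exposes the break.
function scriptCloseCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Client-side half of the fix, as the browser would run it.
function decodeAndParse(encoded) {
  return JSON.parse(decodeURIComponent(encoded));
}
```

The naive rendering of the sample yields three `</script` sequences where a single closing tag is expected; the encoded rendering yields exactly one and round-trips the data unchanged.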

It would be nice to see at least a note about this on the Backbone Patterns page, as this vulnerability is not an easy one to catch and the pattern is likely to be copied into many places.

This vulnerability was first brought to our attention by Harry Sintonen, so huge thanks to him for it.

Root domains with Amazon Elastic Load Balancer

Saturday, July 23rd, 2011

Root domain, also known as top level domain, naked domain or DNS zone apex, is your domain name without any subdomains. In our case our product website and blog can be found at the www subdomain, but our web application is hosted at the root domain, namely just “”.

Amazon's Elastic Load Balancer (ELB) has seemed like a very tempting offer for a long time, since providing IP level fail-over on the web application front-end is a lot of work to achieve reliably. Unfortunately it was previously impossible to use ELB to serve root domains, because it would have required pointing the root domain to the ELB with a CNAME DNS entry, and there is practically no sane way of using CNAMEs for root domains. For us that meant the service was of no use.

As of May 24, 2011, Amazon seems to have found a way to fix this problem by adding a special ‘Alias’ entry to its own Route 53 DNS service. This allows you to set your root domain to return the A record associated with the ELB.

Currently it seems that using Amazon's Route 53 DNS to serve your domain’s DNS requests is the only off-the-shelf way of serving root domains with ELB. I believe it would be technically possible for other DNS service providers to achieve almost the same level of service by implementing a similar ‘Alias’ functionality that mirrors the A records returned for another domain with a small TTL, but I’m not sure if it makes business sense. The only other product I know of which would benefit from this is Google App Engine, as it suffers from the same problem of not being able to serve root domains due to its reliance on CNAMEs for pointing domains. Other cloud load balancing providers (at least Rackspace and GoGrid) seem to tie load balancing to an actual IP address instead of a domain CNAME.
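The apex constraint and the Alias workaround discussed above, modelled as an added example (not the post's code and not the Route 53 API): `validateZone` applies the CNAME coexistence rule from RFC 1034 section 3.6.2, and `resolveA` shows how an alias-style record answers with the target's current A records. Hostnames, addresses, record shapes and the ELB lookup are constructed placeholders.

```javascript
// Added example, not code from the original post: a minimal zone checker and
// resolver model showing why a CNAME cannot live at the zone apex and what an
// Alias-style record does instead. Record shapes and the ELB lookup are
// constructed stand-ins, not the Route 53 API.

// RFC 1034 section 3.6.2: a name owning a CNAME may own no other records.
// The apex always owns SOA and NS, so a CNAME there is never valid.
function validateZone(records) {
  const byName = new Map();
  for (const r of records) {
    if (!byName.has(r.name)) byName.set(r.name, []);
    byName.get(r.name).push(r);
  }
  const errors = [];
  for (const [name, rrs] of byName) {
    const others = rrs.filter(r => r.type !== 'CNAME').map(r => r.type);
    if (rrs.length > others.length && others.length > 0) {
      errors.push(name + ': CNAME cannot coexist with ' + others.join(','));
    }
  }
  return errors;
}

// Alias-style resolution: the apex holds no address of its own; at query time
// the authoritative server answers with the target's current A records under
// a short TTL, so the client only ever sees an ordinary A response.
function resolveA(zone, name, lookupTarget) {
  const rrs = zone.filter(r => r.name === name);
  const alias = rrs.find(r => r.type === 'ALIAS');
  if (alias) {
    return lookupTarget(alias.target)
      .map(ip => ({ name, type: 'A', ttl: 60, data: ip }));
  }
  return rrs.filter(r => r.type === 'A');
}

// Constructed zones: the CNAME attempt the post calls unworkable, and the
// Alias form that replaces it. Hostnames and addresses are placeholders.
const ELB = 'my-elb-123456.us-east-1.elb.amazonaws.com.';
const apexRecords = [
  { name: 'example.com.', type: 'SOA', data: 'ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 60' },
  { name: 'example.com.', type: 'NS', data: 'ns1.example.com.' },
];
const zoneWithCname = [...apexRecords, { name: 'example.com.', type: 'CNAME', data: ELB }];
const zoneWithAlias = [...apexRecords, { name: 'example.com.', type: 'ALIAS', target: ELB }];

// Stand-in for resolving the ELB's own hostname; its addresses change over time.
const lookupElb = host => (host === ELB ? ['192.0.2.10', '192.0.2.11'] : []);
```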

Also, a note for people trying this out: at this date Amazon Route 53 does not seem to have a graphical user interface in the AWS management console. It took me a while to figure out that you really have no other way of controlling it than the Perl script they provide for sending XML to their web service. Ouch. Hopefully a graphical interface will be added in the near future!

Validating Facebook Connect API cookies in Perl

Thursday, July 29th, 2010

I didn’t find sample code for validating the Facebook Connect API cookies in Perl via Google, so here is one. The CGI::Cookie interface is a bit tricky to use for parsing the Facebook cookie, as it wants to split the cookie contents automatically on each ampersand, but here is how we translated the given sample PHP code to Perl:

use strict;
use warnings;
use CGI::Cookie;
use URI;
use Digest::MD5;

my $app_id = "136913766343238";
my $secret = "dbct84ca3d1fbs44428r02bdbag9193e";

# CGI exposes the request's Cookie header as HTTP_COOKIE.
my $cookie_header = $ENV{HTTP_COOKIE};

my %cookies = CGI::Cookie->parse( $cookie_header );
my $cookie_object = $cookies{'fbs_' . $app_id};

die "no fbs_ cookie present" unless $cookie_object;

# CGI::Cookie has already split the value on '&'; join the pieces back
# together and strip the surrounding (possibly backslash-escaped) quotes.
my $cookie = join "&", $cookie_object->value;
$cookie =~ s/^[\\"]*(.*?)[\\"]*$/$1/;

# Reuse URI's query-string parser instead of hand-rolling one.
my $uri = URI->new("", "http");
$uri->query( $cookie );
my %params = $uri->query_form;
my $sig = delete $params{sig};

# Signature base: "key=value" pairs sorted by key, concatenated, then the app secret.
my $payload = join '', map { $_ .'='. $params{$_} } sort keys %params;

die "invalid cookie signature"
    unless defined $sig && Digest::MD5::md5_hex( $payload . $secret ) eq $sig;

my $valid_facebook_user_id = $params{uid};

Splitting the query parameters would have been pretty easy to do with a regexp, but as the sample PHP code uses its query parser, I thought using the proper query parser from URI would be a safe and easy bet.

Opening the gates to a new religion

Thursday, December 4th, 2008

I picked up my new shiny MacBook today. I’m also contemplating building an altar for Steve, so that I could pray for a good user experience.

Connectivism in the grassroots of ITK 07

Thursday, April 19th, 2007

I’m at the ITK 07 conference, and Karsten Wolf just gave a good keynote presentation. I think it brought together most of the relevant concepts that I would like all ITK participants to grasp as a common basis for communication in the other presentations.

I’m writing this blog entry briefly just to point out that while Wolf mentioned that the answer to the question “What is the role of collaborating and sharing in successful online learning?” is still largely unknown and under research, there exists a paradigm called connectivism which, in my opinion, tries to answer this question from a better point of view than would easily be possible using constructivism (or one of its various extensions) as a basis of thinking.

I’d also add on the subject that while Wolf pointed out that changes in the internet enable constructivistic learning to emerge from the grassroots, this has already been true since the beginning of the internet. The social transformation of the web (which some refer to as Web 2.0) does also enhance the possibilities for constructivistic learning, but in my opinion it does far more to enhance the ways of handling information and knowledge that connectivism touches on.

BTW. As this is a social conference, I’d be very interested if Wolf himself has something to add to this – so please join the conversation Karsten!