Tag archive: english

Twitter url injection exploit

The worm that appeared all over Twitter today exploits a few features of the Twitter web site:

  • Twitter loads jQuery. This makes life much easier for the exploit. Many websites do this.
  • Twitter has a class named modal-overlay that creates a blocking overlay on top of the entire content. The class is display:none by default, i.e. invisible. Many websites have something similar.
  • Twitter has a URL linker that turns URLs in people's status updates into clickable links. Many websites do this too. This is the key to the exploit.

The URL linker looks for content in the status update that looks like a URL. Anything that begins with http:// is a good candidate. It happily continues across quote characters (which are HTML-encoded as entities starting with &) and puts the text inside an href attribute.

So if the link text continues with an onmouseover event attribute containing script that submits itself into the user's status update textarea, Twitter's URL linker happily places the whole thing in the href of a link tag, but the browser stops at the quote character and reads the rest as normal attributes; since web browsers are tolerant of bad HTML, the script comes to life even though the resulting HTML is invalid. One of the injected attributes is the class modal-overlay, a blocking element that covers the entire web page, so it is impossible to do anything without firing the onmouseover event, which runs the script and submits it into the user's status update. From there it spreads to the followers of that user, at least those who use the Twitter web site.
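As an added example (not Twitter's code), here is a minimal status-update URL linker in Python in the naive form the post describes (everything from http:// to the next whitespace goes straight into an href) and then hardened by restricting the match to URL characters and attribute-escaping the output. The function names and sample statuses are my own.

```python
import html
import re

# Added example, not Twitter's code: a status-update URL linker in its naive
# and its hardened form. The naive version takes everything from http:// up to
# the next whitespace, so a quote inside the candidate is copied verbatim into
# the href attribute, terminates it early, and leaves whatever follows to be
# read by the browser as further attributes.

NAIVE_URL = re.compile(r"https?://\S+")

# Only characters RFC 3986 allows in a URL: unreserved, gen-delims, sub-delims
# and '%'. Double quote, '<', '>' and whitespace are not among them, so a
# match can never run past a quote, whatever the rest of the status contains.
SAFE_URL = re.compile(r"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def linkify_naive(status: str) -> str:
    """Vulnerable form: raw interpolation, no escaping, no validation."""
    return NAIVE_URL.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>',
                         status)


def linkify_safe(status: str) -> str:
    """Hardened form: every piece of output is either escaped text or a link
    whose href and label are restricted to URL characters and then
    attribute-escaped, so no input character can close the attribute."""
    out = []
    last = 0
    for m in SAFE_URL.finditer(status):
        out.append(html.escape(status[last:m.start()]))
        url = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{url}" rel="nofollow noopener">{url}</a>')
        last = m.end()
    out.append(html.escape(status[last:]))
    return "".join(out)
```

Comparing the two outputs for a status containing a stray quote shows the difference: the naive linker emits an href that ends at the quote, the hardened one stops the URL before it and encodes the rest as text.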


This was just a quick explanation; maybe there are some details lurking that I've missed or misunderstood.

Until Twitter fixes the exploit, the best thing is to avoid using the Twitter.com web site and use a standalone Twitter client instead.


Update: Twitter's @safety account comments on the exploit: http://twitter.com/safety/status/25118959058

Update 2: Twitter has plugged the XSS hole now, @delbius of Twitter's safety team reports: http://twitter.com/delbius/status/25120366027

Update 3: It was apparently an old bug that had resurfaced. http://gigaom.com/2010/09/21/twitter-website-hacked-user-accounts-filled-with…

Posterous load times

This blog is powered by Posterous, a lovely free blog service that is incredibly simple to use, so you can focus on content instead of technical details. Just send an email to post@posterous.com and you have created a blog! Attach photos, video and music and they are published with a nice gallery or a media player. It couldn't be much easier.


But the pages on a Posterous site load far too slowly. This is mostly caused by a chain of redirects that happens on every page load. No less than three redirects happen each time via posterous.com/sso/verify/… before the real page is loaded, and with a latency of about 0.5 seconds per redirect the visitor spends 1.5 seconds waiting before anything useful happens. Add another 1-1.5 seconds of latency for the actual page load and we're up to almost 3 seconds of waiting before the page starts showing.

See the page load timing chart below.


The redirects only affect blogs with custom domains such as this one. Blogs with URLs ending in .posterous.com aren't affected, so they enjoy much faster load times. Apparently the redirects are there to verify Posterous users across different domains, as a single sign-on system (hence "sso" in the redirect URL).

To be fair, Posterous suffered serious problems from a DoS attack during the last week, so pages may have loaded unusually slowly or not at all lately, but this doesn't change the fact that there are three time-consuming redirects on each page load.

This needs to be fixed, Posterous! There must be other, less obtrusive ways to handle single sign-on. And once a user has been identified and verified (or found to be unidentified), they shouldn't need to be verified again on each page load.


By the way, for Swedish site owners interested in optimizing page load times (everyone should be, especially since Google has started using response time as a factor when ranking a page), the Swedish consulting firm Fleecelabs offers a site-trimming service called Trimlabb. If you want to do it yourself, Yahoo has published Best Practices for Speeding Up Your Web Site, which is a must-read for web developers.


Data Versioning

Data Versioning, Temporal Data, Transaction Time Validity. Different names for maintaining snapshots of data that are consistent across multiple tables at any point in time. Just like Time Machine, but for data. 

This is a description of how it can be implemented with MySQL. 

The basic technique, using views, is described and illustrated here (under "The better plan"); we've just improved it a bit.

First of all, a data table to store information about people. Every time a record is updated, a new record is created.

The table will hold all historic versions of each people record, including the most current one.

CREATE TABLE people_data (
  id_version BIGINT UNSIGNED,
  Firstname VARCHAR(255),
  Lastname VARCHAR(255),
  moddate TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  KEY id_version (id_version)
);

Then we have a table to keep track of versions and hold some metadata about each version. This table is shared by all data tables that we want to enable versioning for. It is a variant of the Audit table on http://www.codeproject.com/KB/architecture/LisRecordVersioning.aspx, but we use a start and an end timestamp (dt_start and dt_end) instead of IsActive, so that the historic state across all data tables can be retrieved for any point in time (this idea is taken from http://www.paragon-cs.com/mag/issue7.pdf).

CREATE TABLE version (
  id BIGINT UNSIGNED AUTO_INCREMENT,
  guid VARCHAR(20),
  changedby_start VARCHAR(100),
  changedby_end VARCHAR(100),
  dt_start DATETIME,
  dt_end DATETIME DEFAULT '3000-01-01 00:00:00',
  PRIMARY KEY (id),
  KEY guid (guid),
  KEY dt_start (dt_start),
  KEY dt_end (dt_end)
);
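As an added example (not the post's code), here is the schema above translated to SQLite so it runs offline (the MySQL-specific types are swapped for SQLite equivalents, as the comment notes), together with the write path that closes the old version and opens a new one, and the point-in-time query that dt_start/dt_end make possible. The function names and the sample people are my own.

```python
import sqlite3

# Added example, not the post's code: the two tables above translated to SQLite
# so it runs offline (BIGINT UNSIGNED auto_increment -> INTEGER PRIMARY KEY
# AUTOINCREMENT, TIMESTAMP/DATETIME -> ISO text), plus the write path and the
# point-in-time query that the dt_start/dt_end columns exist for.
FAR_FUTURE = "3000-01-01 00:00:00"   # the post's "still current" sentinel

SCHEMA = """
CREATE TABLE version (
  id INTEGER PRIMARY KEY AUTOINCREMENT, guid TEXT,
  changedby_start TEXT, changedby_end TEXT,
  dt_start TEXT, dt_end TEXT DEFAULT '3000-01-01 00:00:00');
CREATE TABLE people_data (
  id_version INTEGER REFERENCES version(id),
  Firstname TEXT, Lastname TEXT, moddate TEXT);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def write_person(conn, guid, firstname, lastname, who, at):
    """Store a new version of the person `guid`, valid from `at`. The previous
    version is closed (dt_end set), never overwritten, so history stays readable."""
    with conn:
        conn.execute("UPDATE version SET dt_end = ?, changedby_end = ? "
                     "WHERE guid = ? AND dt_end = ?", (at, who, guid, FAR_FUTURE))
        cur = conn.execute("INSERT INTO version (guid, changedby_start, dt_start) "
                           "VALUES (?, ?, ?)", (guid, who, at))
        conn.execute("INSERT INTO people_data (id_version, Firstname, Lastname, "
                     "moddate) VALUES (?, ?, ?, ?)",
                     (cur.lastrowid, firstname, lastname, at))

def person_as_of(conn, guid, at):
    """The record as it looked at time `at`: the one version whose
    [dt_start, dt_end) interval contains it, or None if it did not exist yet."""
    return conn.execute(
        "SELECT p.Firstname, p.Lastname FROM people_data p "
        "JOIN version v ON v.id = p.id_version "
        "WHERE v.guid = ? AND v.dt_start <= ? AND ? < v.dt_end",
        (guid, at, at)).fetchone()

def current_people(conn):
    """Every current row: what a 'current' view over the data table would expose."""
    return conn.execute(
        "SELECT v.guid, p.Firstname, p.Lastname FROM people_data p JOIN version v "
        "ON v.id = p.id_version WHERE v.dt_end = ? ORDER BY v.guid",
        (FAR_FUTURE,)).fetchall()
```

Because timestamps are stored as fixed-format ISO text, the string comparisons in the queries order correctly; in MySQL the same queries work unchanged on the DATETIME columns.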


Adding to SVN without import

Add project files to svn without using import, so that ignore can be used.

Since there is no svn metadata about the files before they have been imported, there is no way to use ignore to skip, for example, a huge media folder when using import. A chicken-and-egg situation.

Instead we use svn add in a special way. Maybe you do this all the time, but it took me some head scratching to figure out.

In the example below we have a live webroot that will be "svn enabled". Don't forget to block .svn directories in the web server when checking out a working copy into a live web folder!

1. Create an empty folder "webroot" in the project repository, typically /trunk/webroot. Leave it empty.

2. Go to the level above the webroot folder on the live server, so that webroot is listed when you run ls.

3. Check out the empty webroot folder over the live webroot:

svn checkout svn://user@svnserver/Projekt/trunk/webroot webroot

Now the webroot is "svn enabled" and a valid working copy on the live server, but no files have been added yet, since we checked out an empty folder from the repository.

Existing files in the live web root are untouched.

4. Enter the webroot:

cd webroot

5. Set the desired svn:ignore property (don't forget the dot at the end, which means "current directory"):

svn propset svn:ignore media .

Verify with:

svn propget svn:ignore

It should list "media".

6. Add all live files from the web root:

svn add *


Here's the catch: this will also add all files in the ignored directory, since the asterisk overrides the ignore (an explicit add overrides svn:ignore, and the shell expands the asterisk into a series of explicit adds). Verify with svn status and you will see that media is also marked A as in added; that would be a heavy commit if the media directory is large.

7. Fix this by reverting the add of the directory we wanted to ignore:

svn revert --recursive media

Verify this with:

svn status --no-ignore

Media is now listed with an I as in ignored. Great!

8. Commit the live web files from the webroot:

svn commit -m "Initial import from live server"

Read more here:

http://episteme.arstechnica.com/eve/forums/a/tpc/f/6330927813/m/427002825931

Lock your Mac

Sometimes it's nice to be able to lock the Mac screen instantly.

This terminal command sends you directly to the login screen with a nice visual effect. No worries, you are still logged in, but to regain access to your Mac you have to enter your password again. The path contains spaces, so it must be quoted:

"/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession" -suspend

Use your favourite keyboard shortcut utility to bind this command to a hotkey. I use iKey and have set ctrl-option-command-backspace to lock the screen.

The command uses Fast User Switching to present the login screen.

This works even if you haven't enabled Fast User Switching, and it should work on at least Mac OS X 10.4 and up.