Archive

Archive for October, 2011

Configuration Registry 0.2

October 29, 2011 Leave a comment

I am now calling the 0.2 version of the configuration registry released! The configuration registry is now almost completely useable. In this revision, I’ve implemented loading/storing to local browser storage ( ie a cookie ); as well, clearing and JSON serialization were implemented in this revision. The new features are backed up by rigorous ( more or less 🙂 ) unit tests.

The only thing left to implement is loading using xhr. Due to the lack of a good way to unit test xhr, I’ve been hesitant to start writing this feature in. Version 0.3 of this bug will include xhr loading.

Since only xhr loading is left, I plan to start working on other bugs/other projects for the 0.3 release.

I look forward to my code being reviewed. If you have the time, come over to the pull request thread and drop a word or two 🙂

Pull request: https://github.com/alankligman/gladius/pull/52#issuecomment-2563950
Issue thread: https://github.com/alankligman/gladius/issues/21

core.autocrlf

October 27, 2011 Leave a comment

<rant>

I just finished tearing apart my git repo and putting it back together. The reason for this undertaking was that a number of lf/crlf EOL errors had crept into my commits somehow. The culprit, as I found out yesterday, was git config’s core.autocrlf configuration option. Initially, it was set to true, meaning that files checked out from a repo are translated from lf to crlf and files committed back in are translated from crlf back to lf. Problem is, I had some files that needed to be checked out as lf in another repository. Foolishly, I set core.autocrlf to false globally. This set in motion a set of events that led to some of my files in the paladin repo being checked in with all the line endings set to crlf. As you may guess, this absolutely destroys any chance of a meaningful review diff being produced. Clearly, this was my fault and I had to own upto it.

This is when I set out to export my commits to patches, clean up the line endings in the patches, remove any nit-picky changes ( ie a change hunk where only trailing whitespace was removed ), shove the changes back into my repo, updated the old branch pointer to look at my shiny new commits, forced github to forget my old history and finally my repo was sanitized.

What I’ve learned from this is to not let anyone or any thing handle things like line endings for me in the future as I may blow it up inadvertently while trying to do something unrelated. core.autocrlf will stay permanently set to false. The solution? My favourite text editor is now set to produce lf line endings by default; let the chips fall as they may.

</rant>

Back in Action on Paladin, XSS Me for 0.3

October 26, 2011 Leave a comment

It’s Wednesday, October 26, 2011. I’ve been on something of a hiatus for a week or two as I’ve been mostly preoccupied with EJB605. It’s time to get back to work on OSD and not just because 0.2 is due tomorrow. Luckily, my particular project involves a steady linear progression towards completion at some point. I imagine that 0.2 will be the last release that I do for the Configurator Registry.

With that in mind, let me take a minute to point out how awesome it has been to work on Paladin. Coming from a background with a lot of interest in game development as well as a sizeable amount of work invested in other game engines over the past 2 or 3 semesters, I found Paladin to be very nicely written. The organization and enthusiasm of its volunteers and project leads is quite refreshing. This is why I will be going back to Paladin to help them out whenever I can in the near future. However, for my 0.3 release, I thought that I would like to change course a little bit.

XSS Me is an explicitly open-source FF add-on that tests sites for XSS vulnerabilities. It is a tool used and loved by many web devs around the world to test their sites for XSS flaws. For the uninitiated, an XSS flaw ( Cross-Site Scripting, shortened to XSS ) is a type of security flaw that allows an attacker to execute arbitrary Javascript on a website by submitting specially crafted user-data to that site. This can be something like a Facebook post or a user blog on a blogging site. This is very dangerous on websites like Facebook that thrive on user-submitted data. The results of a successful XSS attack can be devastating considering that the browser of each user viewing the attacker-submitted data will be executing whatever Javascript the attacker desires.

XSS Me partially mitigates this threat by doing the attacker’s work for you, thereby giving a webdev some indication as to whether their website is vulnerable to XSS attacks. I had the chance to work on XSS Me when I worked for Security Compass ( also see SecCom Labs ) as a part of Seneca’s coop program. What makes XSS Me interesting is that it does its work fast, really fast. XSS Me will send many requests to a target website, encoding an XSS attack vector into each request; it will then analyze each response, scanning for evidence that the attack vector had caused the site to execute specific Javascript encoded in each attack vector. Since Javascript is single threaded, one would think that this process is quite slow once you factor in the hundreds of attack vectors that have to be sent to the site.

To achieve its speed however, XSS Me gets clever. Since XSS Me is an FF Add-on and not a web-page Javascript, it gets more privileges as it executes in the browser’s context. XSS Me leverages this power by opening up multiple tabs and executing Javascript code in each one. In this way, XSS Me fakes real threading into Javascript.

This mostly works. However, some nasty bugs have emerged from this construct that are difficult or impossible to diagnose; one heisen-bug in particular caused me much grief as I tried to squash it, failing time and time again despite numerous attempts. With the advent of HTML5 and web workers, I saw a chance to update the core threading component of XSS Me to utilize web workers. I find this to be an exciting opportunity because I like concurrency J

None of this is for certain as I still have to discuss this plan with Humph; should it pan out however, I think that it would be an exciting way to enter the world of HTML5 threading. As well, if anyone else is interested in working on XSS Me, there’s plenty of work to go around.

My First Pull Request

October 1, 2011 Leave a comment

Just now, I’ve submitted my first github pull request for the Mozilla/Paladin initiative and already I made some mistakes! The workflow to submitting a pull request is clearly outlined in their workflow page (which I read ages ago and forgot about entirely :P).

Luckily, things are mostly OK but I should have done some make tests before throwing my branch into the fray. I am currently performing those tests post-request submit…

Next time, hopefully the order of things will have improved 🙂