Backward Engineering a File Parsing MicroORM Solution

I love my work!

I'm given application code I've never seen, in a language I don't code in often enough, and asked to figure it out.

Luckily, I have access to business analysts and DBAs to get details about the business processes and databases the code relates to.

From the code and those information resources, I need to build a working test environment and get familiar enough with the application code and databases to have new updates in production in 2-3 weeks.

No pressure, right?

I was fairly successful today, and here are some of the resources I used to solve the problems I encountered.

Massive MicroORM

It's a small MicroORM based on the Expando (dynamic) type that lets you work with your database with almost no effort. The design is based on the idea that the code provided in the repository is a starting point: you get up and running in no time and from there edit and alter it as you see fit.

https://github.com/FransBouma/Massive

Video: Introduction to Object-Relational Mapping (ORM)

C# Code: Checking Array Length (See if array has X elements)

Test the length

int[] array = new int[10];   // example array; any array type works the same way
int index = 25;
// C# arrays expose Length (capital L); also guard against negative indexes
if (index >= 0 && index < array.Length)
{
    // the element exists
}

Source: https://stackoverflow.com/questions/794760/does-index-of-array-exist

C# ExpandoObject

C# Frequently Asked Questions:  Dynamic in C# 4.0 – Introducing the ExpandoObject
https://blogs.msdn.microsoft.com/csharpfaq/2009/09/30/dynamic-in-c-4-0-introducing-the-expandoobject/

Video: Make Apps Dynamic using the ExpandoObject

Video: How to use Massive in Master – Detail (Micro ORM – .Net – C#)

Video: ASP.NET Tutorial on ADO.NET

Arrow Functions in JavaScript / ES6

What are Arrow Functions in JavaScript / ECMAScript 6?

Arrow functions are a simplified shorthand syntax for creating anonymous functions.

Older ES5 JavaScript example:

function setup() {
    createCanvas(600, 400);
    background(0);
    let button = createButton('press');
    button.mousePressed(changeBackground);

    function changeBackground() {
        background(random(255));
    }
}

New ES6 JavaScript example:

function setup() {
    createCanvas(600, 400);
    background(0);
    let button = createButton('press');
    button.mousePressed(() => background(255));
}

Anonymous Function written as Arrow Function:

() => background(255)
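The p5.js snippets above need a browser canvas, so here is an added example (not from the original post) that runs in plain Node.js and goes a little beyond the shorthand itself: the same callback written three ways, the lexical `this` rule that makes arrow functions so convenient inside callbacks, and two limitations (no own `arguments`, not constructible). All names in it are made up for the example.

```javascript
// 1. The same doubling callback written as an ES5 function expression, an arrow
//    function with a block body, and an arrow function with an implicit return.
const doubleEs5 = function (n) { return n * 2; };
const doubleArrowBlock = (n) => { return n * 2; };
const doubleArrowExpr = n => n * 2;          // single parameter needs no parentheses

function doubleAll(values) {
  return values.map(doubleArrowExpr);        // [1, 2, 3] -> [2, 4, 6]
}

// 2. Lexical `this`: an arrow function uses the `this` of the enclosing scope,
//    while a regular function gets its own `this` that depends on how it is called.
function Counter(start) {
  this.count = start;
}

// ES5 workaround: capture `this` in a local before entering the callback.
Counter.prototype.addAllEs5 = function (values) {
  const self = this;
  values.forEach(function (v) { self.count += v; });
  return this.count;
};

// ES6: the arrow body sees the Counter instance directly; no `self` needed.
Counter.prototype.addAllArrow = function (values) {
  values.forEach(v => { this.count += v; });
  return this.count;
};

// 3. Arrow functions have no `arguments` object of their own; use a rest
//    parameter instead.
const sum = (...nums) => nums.reduce((acc, n) => acc + n, 0);

// 4. Arrow functions are not constructors: `new` on one throws a TypeError.
function isArrowConstructible() {
  const Arrow = () => {};
  try {
    new Arrow();
    return true;
  } catch (e) {
    return !(e instanceof TypeError);
  }
}

console.log(doubleAll([1, 2, 3]), doubleEs5(4), doubleArrowBlock(4));
console.log(new Counter(1).addAllEs5([2, 3]), new Counter(1).addAllArrow([2, 3]));
console.log(sum(1, 2, 3, 4), isArrowConstructible());
```

The practical consequence of point 2 is the one in the post's ES6 snippet: a callback passed to `mousePressed` can be an arrow function and still refer to whatever `this` the surrounding code had, without the `self = this` dance.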

Video: ES6 Arrow Function

How to Prevent Page Reload with Javascript onclick Without Using “#”

Just a very short blog jot for today as I’m busy working on a Salesforce.com data analysis tool / system.

Since this is a very low budget project, I'm hand coding everything using Notepad++ and VBScript to create a dynamic web application in old school Active Server Pages (ASP) that can consume the analytic data my system stores in an MS Access database.

Again, low budget. Me and my wits pounding out code.

I ran into an issue where the web page calls a JavaScript function that passes two variables to an Ajax call to load a Chart.js bar chart in a popup window.

It was working great, but the page that had the onclick event to load the popup chart was reloading as well when clicked, instead of just loading the popup window with the chart.

What’s the fix?

Add "return false;" to the onclick attribute as in the example below, and the page containing the onclick link should stop reloading when clicked.

Old Code

<a href="#" OnClick="getChart('John Smith', '2017-01');">John Smith</a>

New Code

<a href="" OnClick="getChart('John Smith', '2017-01');return false;">John Smith</a>

I always give credit to the people who helped me find the answer.  I had found the answer in the stackoverflow page below.

https://stackoverflow.com/questions/17680436/how-to-prevent-reload-with-onclick-without

Razor Views in C# MVC – C# Code and HTML Coexisting Together

Razor Views in C# MVC

How C# Code and HTML Coexist Together

Tonight’s study topic is Razor Views in C# MVC 5.

Here are two good resources for this topic.

Paid access to Mosh Hamedani’s Complete ASP.net MVC 5 Course. This is covered in video 16 of his course.

Also helpful, was this YouTube video that is part of a larger MVC tutorial that I really like and refer to often


VIDEO: Razor View Syntax

What are Razor Views and What Do They Do?

Specific to C# MVC, Razor Views are code snippets with special syntax made up of C# code and HTML/CSS. The C# logic can interact with and output HTML and CSS elements/attributes dynamically.

With Razor Views, we use the @ symbol to switch between C# code and HTML. 

Video: Razor Views in C# MVC

A simple example of printing numbers from 1 to 10 using Razor.

Sample Code

@for (int i = 1; i <= 10; i++)
{
 <b>@i</b>
}

The Output would be: 1 2 3 4 5 6 7 8 9 10
Inside the braces, Razor sees the <b>@i</b>, knows to render the C# variable i because it is preceded by an @ character, then sees the angle brackets and switches back into HTML parsing mode.

If we didn’t want to use HTML we could change the <b> tag to <text> and output would just be text without the HTML.

The most important thing to understand and remember about Razor Views is the context switching in the parser is based on detection of specific characters.

The @ character starts the C# parser, but HTML and text won't parse until Razor sees a tag wrapped in angle brackets. We are just switching back and forth between two parsing modes. Make sense?

The loop is C# code but the output is HTML.
In ASP Classic and .Net, the Response Object would handle the HTML output to the browser from inside the loop.

Here are two more examples to help us cement the idea in our brains.

1. A simple date:

@{
   int day = 24;
   int month = 08;
   int year = 2020;
}
Date is @day-@month-@year

Output = Date is 24-08-2020

2. Loop through images in a folder

@for (int i = 1; i <= 5; i++)
{
  <img src="~/Images/@(i).png" />
}

Notice how in the sample above we put the variable inside parentheses. Why, when we didn't do this for the date example above?

Because if we don't, C# will try to read "i." as an object with a property, so we have to wrap it in parentheses. This tells the Razor parser that we are just trying to concatenate the values.

Razor View Code Blocks

In Razor Views we define code blocks using @{}.

@{
    int SumOfEvenNumbers = 0;
    int SumOfOddNumbers = 0;

    for (int i = 1; i <= 10; i++)
    {
        if (i % 2 == 0)
        {
            SumOfEvenNumbers = SumOfEvenNumbers + i;
        }
        else
        {
            SumOfOddNumbers = SumOfOddNumbers + i;
        }
    }
}

<h3>Sum of Even Numbers = @SumOfEvenNumbers</h3>
<h3>Sum of Odd Numbers = @SumOfOddNumbers</h3>

Razor View Comments

Razor View multi-line comments are very similar to JavaScript and CSS comments, which use an asterisk and forward slash, /* */, to wrap the comment.

Razor View multi-line comments use the at sign and asterisk in the same way: @* to start a multi-line comment and *@ to end it. (See the code example below.)

What’s in the Razor View Example Below?

The H2 tag's class name is selected dynamically: if Model.Customers.Count is greater than 5, the CSS class of the H2 element is set to "popular".

Also, inside the <ul> tags, the Razor code loops through the list of customers and outputs each name.

Sample C# Code Example:

@model Vidly.ViewModels.RandomMovieViewModel
@{
    ViewBag.Title = "Random";
    Layout = "~/Views/Shared/_Layout.cshtml";
}

@*
    This is a comment
    on multiple lines
*@

@{
    var className = Model.Customers.Count > 5 ? "popular" : null;
}

<h2 class="@className">@Model.Movie.Name</h2>

@if (Model.Customers.Count == 0)
{
    <text>No one has rented the movie before.</text>
}
else
{
    <ul>
        @foreach (var customer in Model.Customers)
        {
            <li>@customer.Name</li>
        }
    </ul>
}

GitHub Authentication Token Setup for Your Local Repository

Are you Getting 403 errors when pushing updates to your GitHub repo?

If you are getting 403 (forbidden) errors when pushing updates to your GitHub repo then you might need to use a GitHub user authentication token for GitHub Authentication.

GitHub Authentication Changes July 2020

In July of 2020 GitHub announced the deprecation of user passwords for all Git operations.

In August of 2021 GitHub stopped accepting user names and passwords and replaced them with user-based authentication tokens.

I believe GitHub Desktop was not affected, but all other third-party tools were affected by this change.

Steps to Generate and Install a GitHub Authentication Token on Your Repository

Step 1: Generate a GitHub token for your account

Note that you can create more than one GitHub token, or just one for all repositories under that account. This is up to you, the developer.

To generate a GitHub user authentication token, start by clicking on Developer settings and select Personal access tokens.

On the next screen, you'll configure the scope and access options for your new GitHub token, then click the green Generate token button at the bottom of the screen.

Make sure to copy and save this new GitHub token somewhere safe, as you only get one chance to copy it when you create it. If you miss it, you can delete the old token and easily generate another.

Video: Creating GitHub Token Authentication

GitHub Token Authentication Requirements for Git Operations

Step 2: Configure GitHub to Use Your Authorization Token

Configure the repository to use your authorization token with the git remote command. Use the set-url argument and pass a URL made up of the following parts.

  1. https://
  2. Your GitHub Account name that appears in your GitHub URL
  3. A colon
  4. The GitHub Authentication Token you generated on Step 1.
  5. “@github.com”
  6. Same as # 2 (Account Name from URL)
  7. Forward Slash
  8. Your Repository Name

I used Git for Windows Git bash command line to execute this command.

$ git remote set-url origin https://[GitHub Account Name]:[Token]@github.com/[GitHub Account Name]/[Repo Name]
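The URL above puts the token in the userinfo part of the remote URL, and `git remote set-url` writes that URL as plain text into the repository's `.git/config`, where `git remote -v` will later print it. As an added example (not from the original post), the Node.js snippet below assembles the URL from the same eight parts using the standard `URL` class, which percent-encodes any `:` or `@` inside the token so it cannot split the URL, and shows how to redact the token before a remote URL is logged or pasted anywhere. The account, token and repository values are constructed placeholders.

```javascript
const GITHUB_HOST = 'github.com';

// Build https://<account>:<token>@github.com/<account>/<repo> from its parts.
function buildGitHubRemoteUrl({ account, token, repo }) {
  if (!/^[A-Za-z0-9-]+$/.test(account)) throw new Error('invalid GitHub account name');
  if (!/^[A-Za-z0-9._-]+$/.test(repo)) throw new Error('invalid repository name');
  if (!token || /\s/.test(token)) throw new Error('token must be non-empty with no whitespace');
  const url = new URL(`https://${GITHUB_HOST}/${account}/${repo}`);
  url.username = account;   // part 2
  url.password = token;     // part 4; the URL class percent-encodes ':' and '@' for us
  return url.toString();
}

// Replace the token with *** so a remote URL can be shown or logged safely
// (the account name and repository path are kept).
function redactRemoteUrl(remote) {
  const url = new URL(remote);
  if (url.password) url.password = '***';
  return url.toString();
}

// Recover the token from a configured remote URL, e.g. to confirm which token a
// clone is using before rotating it. Returns null when the URL carries none.
function tokenFromRemoteUrl(remote) {
  const url = new URL(remote);
  return url.password ? decodeURIComponent(url.password) : null;
}

// Constructed sample values (a real classic token starts with "ghp_").
const sample = buildGitHubRemoteUrl({
  account: 'octocat-example',
  token: 'ghp_EXAMPLETOKEN',
  repo: 'my-secure-repo-name',
});
console.log('set-url argument :', sample);
console.log('safe to log      :', redactRemoteUrl(sample));
```

If you would rather not have the token sitting in `.git/config` at all, Git's credential helpers (`git config credential.helper ...`) let the remote stay as a plain `https://github.com/...` URL and supply the token at push time instead.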

Video: Setting the Token on a Local Repo

How to set a GitHub Authentication Token on a Local Repository

Playing MP4 Files on Samsung Smart TV

My First Attempt at Creating a Homemade Media Web App that Works on a Samsung Smart TV

I’ve been thinking about building a media web app for a while now and today was the first day I tested it on a Samsung Smart TV to see if it would work.

There are lots of ways you can do this but I’m trying to take the path of least resistance. For background, the MP4 file format now plays without plugins in most modern web browsers.

For my early “Alpha” tests, I just made a local web server with folders that could be browsed and put some media in there. This works for Chrome, Firefox etc. You can click and watch the video no problem.

Does the Samsung Smart TV Play MP4 Files?

The answer is a bit frustrating as it is Yes and No. WTF!

First, let's deal with the No. In my testing, the Samsung native web browser will not play an MP4 file if you link directly to it.

Next is the Yes. This works when you add a USB mass storage device to the TV. My Samsung Smart TV has 3 USB ports; I used one for a wireless mouse/keyboard combo device and one for a simple 10GB USB stick I had lying around for testing.

Once I added the USB mass storage device to the Samsung TV's USB port, the Smart TV web browser would let me download the MP4 files to the USB stick, and then I could watch them by choosing the mass storage device as the media source.

I'll come back to add some screenshots soon.

If you found this, I hope it helped you solve your issue. 😉

~Cyber Abyss

Improve Your Developer Skills by Reading Bug Bounty Reports

I’m a professional software developer who likes to dabble in hacking.

I recently started spending time seeking out information security enthusiasts and hacking professionals who publish reports on their bug bounty work.

If you're not familiar with bug bounties, the simplest explanation is someone putting up a prize, or bounty, for bugs found in a specific application or website.

Most of the time, bug bounties are official programs where you register and are given guidelines for collecting the bounty, which typically include a good write-up or report on how you discovered and exploited the bug and what type of bug it is classified as, such as a "reflected XSS" (cross-site scripting) bug.

I’m going to use this bug discovery report from Vedant Tekale also known as “@Vegeta” on Twitter as an excellent bug bounty type of report where you can see the steps a hacker / attacker or bug bounty hunter would take to see if your website has a vulnerability that can be exploited.

As a software developer interested in creating secure applications for our users, we should always be aware of what tactics and techniques a bad actor might use against the products and features we are building.

Vedant's write-up is basically a step-by-step of what hackers would be looking for. First, look for bugs like XSS, open redirects, server-side request forgery (SSRF) and insecure direct object references (IDOR); in this case, nothing turned up.

With persistence, Vedant kept at it and found a bug in the password reset functionality: the forgot-password feature was resetting the password to a brand new password on every forgot-password request.

Also, rate limiting seemed to be missing, as 88 password reset attempts went unchallenged, so we're guessing there was no rate limiting at all.

As a developer with a focus on security, I highly recommend adding bug bounty reports to your professional reading list. It will be a big eye-opener if you've never tried hacking a web application before.

I’m on day 5 of chemo treatment for skin cancer and I think this is all I have in the tank tonight but I’m glad I got this blog post out before I have to put another round of chemo on my face for the night. It’s not pleasant. :-\

Hope this helps somebody. 😉
~CyberAbyss

How to Transfer Files from Windows PC to Linux Server Using Putty’s PSCP Command

Many blogs and web applications are being hosted on cloud based web servers. Of those web servers, many are running some flavor of the Linux operating system (OS).

If you're a Windows PC user who is using a Linux web server for your online project, then you have a unique challenge that comes with being a dual-OS user.

How will we transfer our files from our Windows development PC to our Linux cloud hosted blog or web app? Enter Putty and the PSCP command line tool!

What is Putty?

Putty is a Client application that handles connections to remote computers via the Telnet, SFTP and SSH protocols.

Putty Screenshot

What is PSCP?

PSCP is a command line application that is typically included in the Putty installation. PSCP transfers files between two computers from the Windows command line as long as firewalls allow the traffic on the designated ports for each type of traffic.

Transferring Files with PSCP from the Command Line

If you’ve installed Putty in the default directory, it will be here.

C:\Program Files\PuTTY

Open a Windows command line by clicking on the Windows start menu icon then entering “cmd” in the search field then find and click on the cmd icon.

Navigate to the Putty Directory by entering the command below.

C:\>CD c:\Program Files\Putty

Let's look at an example PSCP command to transfer a file from a Windows PC to a Linux cloud web server with a fake user named root, IP 45.99.99.99 and a target folder of /var/www/html.

PSCP Copy Files from Windows PC to Linux Web Server Example

PSCP Command Line Example:

c:\>"C:\Program Files\PuTTY\pscp.exe" c:\temp\sample.txt root@45.99.99.99:/var/www/html

Copying Files from Linux Web Server to Window PC

C:\Program Files\PuTTY>pscp root@45.99.99.99:/var/log/apache2/access.* c:\temp
 >root@45.99.99.99's password: [Enter Your Password]

That’s all you should need to know about connecting to a Linux cloud based web server from a Windows PC using the Putty SSH client.

Hope this helps you on your Cyber journey!

~Cyber Abyss

Google reCAPTCHA Privacy and Terms of Service links not Working in Internet Explorer 11 (Explained)

I’m sharing this story as it is something you might encounter when using Internet Explorer 11 with Google’s CAPTCHA service (code). 

This came up in UAT testing recently for a web product I work on so I thought I would share.  It might save you some time explaining to your customers about cross browser compatibility testing.

First off, Google has a free service for trying to detect bots on your site called "CAPTCHA". CAPTCHA is an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart".

Google's free CAPTCHA service, called reCAPTCHA, requires developers to register their website to get an API key, which you use along with some code to call the API from your site. Pretty cool stuff, right?

I'm really simplifying this, but to render the reCAPTCHA you would insert their code snippet. Make sure the code is loading from a page using the HTTPS protocol or else it might not work.

<html>
  <head>
    <title>reCAPTCHA demo: Simple page</title>
     <script src="https://www.google.com/recaptcha/api.js" async defer></script>
  </head>
  <body>
    <form action="?" method="POST">
      <div class="g-recaptcha" data-sitekey="your_site_key"></div>
      <br/>
      <input type="submit" value="Submit">
    </form>
  </body>
</html>

Once the reCAPTCHA is loading on the page, it loads its contents in an IFRAME. This is really important to our story!

There are links in the Google CAPTCHA that point to a privacy page and a terms of service page on the Google.com domain, and both have a target="_blank" attribute. This means these links should open in a new window or tab, depending on which other keys are pressed.

The links work just fine in Chrome and Firefox and open in new windows, but not in IE 11.

What is the issue here?

It could have been earlier than IE 11, but Microsoft implemented a security feature that restricts links inside an IFRAME from linking out to a domain other than the one the frame originally loaded from.

The CAPTCHA code is loading from your WhatEverDomain.com, but all the links in the IFRAME point to the Google.com domain, so they are all disabled.

References:

https://github.com/google/recaptcha/issues/191

https://answers.microsoft.com/en-us/ie/forum/ie11-iewindows_10/links-that-open-in-new-browser-tabs-dont-work-on/55e7b147-bb66-4b4a-b88d-3533166a059a

Here is a video on how to install Google reCAPTCHA for your website. Good luck and happy coding!

Video: Google reCAPTCHA 2.0

WordPress Security: How to Fix xmlrpc.php Attacks

Today marks my first week of owning a WordPress blog.

I figured a week should be ample time to let the web server run and let the bad guys and bots take a swing at it. A review of my Apache web server log should show me what type of WordPress hacks would be attempted first.

My site is really new, so I don't expect a lot of traffic. I downloaded my Apache web server log and noticed that apparently I had a lot of traffic for a brand new site that had not yet been promoted.

Once I looked through the web server log file, a pattern quickly appeared: lots of requests for a specific file called xmlrpc.php.
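Spotting that pattern by eye works for a week-old blog; for a larger log it helps to count the hits. The following is an added example (not from the original post) that parses Apache combined-format access log lines in Node.js, tallies xmlrpc.php requests per client IP, separates the ones the server answered with 200 from the ones a 403 rule blocked, and flags the noisy clients. The log lines are constructed samples, not lines from the author's server.

```javascript
// Constructed sample log in Apache "combined" format.
const SAMPLE_LOG = `
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2020:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [10/Oct/2020:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [10/Oct/2020:13:56:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [10/Oct/2020:13:57:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2020:13:58:45 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "python-requests/2.24"
198.51.100.23 - - [10/Oct/2020:13:59:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 10.0)"
`;

// combined format: ip ident user [time] "method path protocol" status bytes "referer" "user-agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;                         // not combined format: skip it
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), ua: m[8] };
}

function parseLog(text) {
  return text.split('\n').map(l => l.trim()).filter(Boolean).map(parseLine).filter(Boolean);
}

// Per-IP tally of xmlrpc.php requests: how many in total, how many the server
// answered with 200, and how many were refused with 403 (what the .htaccess
// rule from this post produces once it is active).
function xmlrpcHitsByIp(entries) {
  const byIp = new Map();
  for (const e of entries) {
    if (!e.path.split('?')[0].endsWith('/xmlrpc.php')) continue;
    const rec = byIp.get(e.ip) || { total: 0, ok: 0, blocked: 0 };
    rec.total += 1;
    if (e.status === 200) rec.ok += 1;
    if (e.status === 403) rec.blocked += 1;
    byIp.set(e.ip, rec);
  }
  return byIp;
}

// Clients whose xmlrpc.php requests were answered 200 at least `threshold` times.
function noisyXmlrpcClients(entries, threshold = 3) {
  return [...xmlrpcHitsByIp(entries)]
    .filter(([, rec]) => rec.ok >= threshold)
    .map(([ip]) => ip);
}

function report(text) {
  const entries = parseLog(text);
  for (const [ip, rec] of xmlrpcHitsByIp(entries)) {
    console.log(`${ip}: ${rec.total} xmlrpc.php requests, ${rec.ok} answered 200, ${rec.blocked} blocked (403)`);
  }
  return { parsed: entries.length, noisy: noisyXmlrpcClients(entries) };
}

report(SAMPLE_LOG);
```

Running the same tally before and after adding the access rule is a quick way to confirm the block is live: the `ok` column for xmlrpc.php should drop to zero while `blocked` takes over.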

What the hell is xmlrpc.php?

I found this in-depth article about the xmlrpc file; for a deeper dive, please check it out.

https://www.hostinger.com/tutorials/xmlrpc-wordpress

The super short version is that XML-RPC is a WordPress feature that lets WordPress exchange XML messages with other systems, using HTTP as the transport mechanism.

WordPress, being an open system, occasionally needs to communicate with other systems, and xmlrpc.php is supposed to handle that job.

My understanding is that xmlrpc.php is being deprecated in future versions of WordPress, so why leave an artifact that can be used for a brute force attack on your site? Get rid of it ASAP!

Block Access to the xmlrpc.php file using Apache’s .htaccess file

.htaccess files are used by Apache web servers to allow or deny access to resources on your web site. We can allow or deny based on things like IP addresses or file names.

Your WordPress installation on Apache has a .htaccess file included by default.

You won't see it with a plain ls command, as files whose names begin with a dot are hidden (ls -a lists them). You can still open it even though it doesn't show up in the directory listing.

In the screenshot below, I’ve opened the default WordPress .htaccess file using the nano text editor after connecting via SSH using PuTTY.

Setting an Access Restriction to the xmlrpc.php file using .htaccess file

Blocking access to the xmlrpc.php file to all users can be done using an entry in the .htaccess file that the Apache web server uses to grant or deny access to web resources.

When a request for the xmlrpc.php file comes in to the Apache web server, the server applies this access rule, which denies the request no matter where it came from.

Navigate to your WordPress root folder. Mine was in: /var/www/html

I opened the .htaccess file by entering the command sudo nano .htaccess

In the screenshot below, you see the special entry for <Files xmlrpc.php>.

.htaccess code for Denying Access to xmlrpc.php

#Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
Order deny,allow
deny from all
</Files>

One More Thing: Check Your Apache Config AllowOverride Setting

Of course, I did not realize for 24 hours that my .htaccess settings were not actually working. There was one more thing to configure on the Apache web server.

Double-check your apache2.conf file to see whether the AllowOverride setting is set to All for your WordPress public HTML directory. Mine was in the /var/www directory.

My AllowOverride setting was None by default; you can see that /srv/ is still set to None. Your installation may be different.
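As an added example (not from the original post), the configuration below puts the two pieces of the fix side by side: the stock Debian/Ubuntu `apache2.conf` directory block that silently ignores `.htaccess` (`AllowOverride None`), the corrected block, and the xmlrpc.php rule written in the Apache 2.4 `Require` syntax alongside the 2.2 `Order`/`deny` form the post uses. It assumes the WordPress root is /var/www/html as in the post; paths and comments are otherwise illustrative.

```apache
# ---- /etc/apache2/apache2.conf (or the site's .conf in sites-available) ----

# Weak setting: the default block for /var/www. With AllowOverride None every
# .htaccess file under it is ignored, so the rule below never runs.
<Directory /var/www/>
    AllowOverride None
    Require all granted
</Directory>

# Corrected: allow .htaccess to override access control for the WordPress tree
# only, rather than for all of /var/www.
<Directory /var/www/html/>
    AllowOverride All
    Require all granted
</Directory>

# ---- /var/www/html/.htaccess ----

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    # Apache 2.4 (mod_authz_core) syntax
    Require all denied

    # Apache 2.2 syntax, which 2.4 only understands when mod_access_compat is loaded:
    # Order deny,allow
    # deny from all
</Files>

# After editing apache2.conf, validate and reload:
#   sudo apachectl configtest
#   sudo systemctl reload apache2
```

Once this is in place, a request for /xmlrpc.php from any client should come back as 403 in the access log, and a quick `curl -I https://your-site/xmlrpc.php` is an easy way to confirm it before trusting the log.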