Backward Engineering a File Parsing a MicroORM Solution

Backward Engineering a File Parsing MicroORM Solution

I love my work!

I’m given application code I’ve never seen and in a language I don’t code in often enough and asked to figure it out.

Luckily, I have access to business analysts and a DBAs to get details about the business processes and databases the code is related to.

From code and info resources, create working test environment and get familiar enough with application code and databases to have new updates in to production in 2-3 weeks.

No pressure, right?

I was fairly successful today and here are some of the resources that used to solve problems I encountered.

Massive MicroORM 

It’s a small MicroORM based on the Expando or dynamic type and allows you to work with your database with almost no effort. The design is based on the idea that the code provided to you in this repository is a start: you get up and running in no-time and from there edit and alter it as you see fit.

Video: Introduction to Object-Relational Mapping (ORM)

C# Code: Checking Array Length (See if array has X elements)

Test the length

int index = 25;
if(index < array.length)
    //it exists


C# ExpandoObject

C# Frequently Asked Questions:  Dynamic in C# 4.0 – Introducing the ExpandoObject

Video: Make Apps Dynamic using the ExpandoObject

Video: How to use Massive in Master – Detail (Micro ORM – .Net – C#

Video: ASP.NET Tutorial on ADO.NET

Arrow Functions in JavaScript / ES6

What are Arrow Functions in JavaScript / ECMAScript 6?

Arrow functions are a simplified short hand method for creating anonymous functions.

Older ES5 JavaScript example:

function setup() {
    createCanvas(600, 400);
    let button = createButton('press')

    function changeBackground() {

New ES6 JavaScript Example

function setup() {
    createCanvas(600, 400);
    let button = createButton('press')
    button.mousePressed(() => background(255)));

Anonymous Function written as Arrow Function:

() => background(255))

Video: ES6 Arrow Function

How to Prevent Page Reload with Javascript onclick Without Using “#”

Just a very short blog jot for today as I’m busy working on a data analysis tool / system.

Since this is a very low budget project, I’m hand coding everything using Notepad++ and VBScript to create a dynamic web application in old school Acitve Server Pages (ASP) that can consume the analytic data that my system stored on a MS Access database.

Again, low budget. Me and my wits pounding out code.

I ran in to an issue where the web page is calling a JavaScript that passes two variables to an Ajax call to load a Chart.js bar chart in a popup window. 

It was working great but the page that had the onlick event to load the popup chart was reloading as well when clicked instead of just loading the popup window with the chart.

What’s the fix?

Add “return false;” at the like in the example below and the page containing the onclick link should stop reloading when clicked.

Old Code

<a href="#" OnClick="getChart('John Smith', '2017-01');">John Smith</a>

New Code

<a href="" OnClick="getChart('John Smith', '2017-01');return false;">John Smith</a>

I always give credit to the people who helped me find the answer.  I had found the answer in the stackoverflow page below.

Razor Views in C# MVC – C# Code and HTML Coexisting Together

Razor Views in C# MVC

How C# Code and HTML Coexist Together

Tonight’s study topic is Razor Views in C# MVC 5.

Here are two good resources for this topic.

Paid access to Mosh Hamedani’s Complete MVC 5 Course. This is covered in video 16 of his course.

Also helpful, was this YouTube video that is part of a larger MVC tutorial that I really like and refer to often

VIDEO: Razor View Syntax

What are Razor Views and What Do They Do?

Specific to C# MVC, Razor Views are code snippets with special syntax made up of C# code and HTML/CSS. The C# logic can interact with and output HTML and CSS elements/attributes dynamically.

With Razor Views, we use the @ symbol to switch between C# code and HTML. 

Video: Razor Views in C# MVC

A simple example of printing numbers from 1 to 10 using Razor.

Sample Code

@for {int i = 1; i <=10; i++)

The Output would be: 1 2 3 4 5 6 7 8 9 10
Inside the brackets, Razor sees the <b>@i</b> and knows to render the C# variable i when its proceeded with an @ character then Razor sees the angle brackets and switches back in to HTML parsing mode.

If we didn’t want to use HTML we could change the <b> tag to <text> and output would just be text without the HTML.

The most important thing to understand and remember about Razor Views is the context switching in the parser is based on detection of specific characters.

@ character starts the C# parser but HTML & text won’t parse until Razor see a tag wrapped in angle brackets. We are just switching back and forth between to parsing modes. Make sense?

The loop is C# code but the output is HTML.
In ASP Classic and .Net, the Response Object would handle the HTML output to the browser from inside the loop.

Here are two more examples to help us cement the idea in our brains.

1. A simple date:

   int day = 24;
   int month = 08;
   int year = 2020;
Date is @day-@month-@year

Output = Date is 24-08-2020

2. Loop thru images in folder

@for (int i = 1; i <= 5; i++)
  <img src="~/Images/@(i).png" />

Notice how in the sample above, we put the variable inside the parenthesis. Why, when we didn’t do this for the date example above?

Because if we don’t C# will try and read i. and an object with a property so we have to wrap it in parenthesis. This tell the Razor syntax that we are just trying to concatenate the values.

Razor View Code Blocks

In Razor Views we define code blocks using @{}.

 int SumOfEvenNumbers = 0;
 int SumOfOddNumbers = 0;

 for(int i=1; i<=10; i++)
  if(i %2==0)
    SumOfEvenNumbers = SumOfEvenNumber + 1;
    SumOfOddNumbers = SumOfOddNumbers + 1;

<h3>Sum of Even Numbers = @SumOfEvenNumbers</h3>
<h3>Sum of Odd Numbers = @SumOfOddNumbers</h3>

Razor View Comments

Razor View multi-line code comments are very similar to JavaScript and CSS that use the asterisk and forward slash, /*  */, to wrap comments.

Razor View multi-line comments use ampersand and asterisk in same way. @* to start a multi-line comment and *@ to end it. (See code example below)

What’s in the Razor View Example Below?

H2 tag class name is dynamically selected based on  logic, if Model.Customers.Count is greater than 5 then change the CSS class of the H2 element to “popular”.

Also, inside the <ul> tags, Razor View code loops through the list of customers and outputs the name.  

Sample C# Code Example:

@model  Vidly.ViewModels.RandomMovieViewModel
    ViewBag.Title = "Random";
    Layout = "~/Views/Shared/_Layout.cshtml";
    This is a comment
    on multiple lines

    var className = Model.Customers.Count > 5? "popular": null;
<h2 class="@className">@Model.Movie.Name</h2>
@if (Model.Customers.Count == 0)
    <text>No one has rented the movie before.</text>
        @foreach (var cusomter in Model.Customers)

GitHub Authentication Token Setup for Your Local Repository

Are you Getting 403 errors when pushing updates to your GitHub repo?

If you are getting 403 (forbidden) errors when pushing updates to your GitHub repo then you might need to use a GitHub user authentication token for GitHub Authentication.

GitHub Authentication Changes July 2020

In July of 2020 GitHub announced the deprecation of user passwords for all Git operations.

In August of 2021 GitHub no longer accepted user name and passwords and replaced with user based authentication tokens.

I believe GitHub for Desktop was not affected but all other 3rd party tools were affected by this change.

Steps to Generate and Install a GitHub Authentication Token on Your Repository

Step 1: Generate a GitHub token for your account

Important to note that you can create more than one GitHub token or just one for all repositories under that account. This is up to you, the developer.

To generate a GitHub user authentication token, start by clicking on Developer settings and select Personal access tokens.

On the next screen, You’ll configure the scope and access options for your new GitHub token. Click the Green Generate token button at the bottom of the screen.

Make sure to copy and save this new GitHub token somewhere safe as you’ll only get one chance to copy it when you create it. If you mess this part up, you can just delete the old token and easily generate another.

Video: Creating GitHub Token Authentication

GitHub Token Authentication Requirements for Git Operations

Step 2: Configure GitHub to Use Your Authorization Token

Configure GitHub to Use Your Authorization Token with your repository with the Git remote command. Use the set-url argument and pass are URL with the following parts.

  1. https://
  2. Your GitHub Account name that appears in your GitHub URL
  3. A colon
  4. The GitHub Authentication Token you generated on Step 1.
  5. “”
  6. Same as # 2 (Account Name from URL)
  7. Forward Slash
  8. Your Repository Name

I used Git for Windows Git bash command line to execute this command.

$ git remote set-url origin https://[GitHub Account Name]:[Token][GitHub Repo Name]/[my-secure-repo-name]

Video: Setting the Token on a Local Repo

How to set a GitHub Authentication Token on a Local Repository

Playing MP4 Files on Samsung Smart TV

My First Attempt at Creating a Homemade Media Web App that Works on a Samsung Smart TV

I’ve been thinking about building a media web app for a while now and today was the first day I tested it on a Samsung Smart TV to see if it would work.

There are lots of ways you can do this but I’m trying to take the path of least resistance. For background, the MP4 file format now plays without plugins in most modern web browsers.

For my early “Alpha” tests, I just made a local web server with folders that could be browsed and put some media in there. This works for Chrome, Firefox etc. You can click and watch the video no problem.

Does the Samsung Smart TV Play MP4 Files?

The answer is a bit frustrating as it is Yes and No. WTF!

First, let’s deal with the No. The Samsung native web browser will not play a MP4 file if you link directly to it in my testing.

Next is the Yes. This happens when you add a USB Mass Storage Device to the TV. My Samsung Smart TV had 3 USB ports. I used one for a wireless Mouse / Keyboard combo device and one for a simple 10GB USB stick I had laying around for testing.

Once I added the USB Mass Storage Device to the Samsung TV USB port the Smart TV web browser would let me download the MP4 files to the USB stick then I would watch them by choosing the Mass Storage Device as the media data source.

I’m come back to add some screenshots soon.

If you found this, I hope it helped you solve your issue. 😉

~Cyber Abyss

Improve Your Developer Skills by Reading Bug Bounty Reports

I’m a professional software developer who likes to dabble in hacking.

I recently started spending time seeking out information security enthusiasts and hacking professionals who publish reports on their bug bounty work.

If you’re not familiar with bug bounties, the simplest explanation is someone putting up a prize or bounty for bugs found on a specific application / website.

Most of the time, bug bounties are official events where you register and are given guidelines in order to collect the bounty and that typically includes a good write up or report on how your discovered and exploited the bug and what type of bug it would be classifieds in to, like a “reflected XSS” cross-site scripting bug.

I’m going to use this bug discovery report from Vedant Tekale also known as “@Vegeta” on Twitter as an excellent bug bounty type of report where you can see the steps a hacker / attacker or bug bounty hunter would take to see if your website has a vulnerability that can be exploited.

As a software developer interested in creating secure applications for our users, we should always be aware of what tactics and techniques a bad actor might use against the products and features we are building.

Vedant’s write up is basically a step by step of what hackers would be looking for. First, look for bugs like XSS, open redirect, server-side request forgery (SSRF), Insecure direct object references (IDOR) but they found nothing.

With persistence, Vedant kept at it and found a bug in the password reset functionality where the password was reset feature was resetting the password to a brand new password on every forgot password attempt.

Also, rate limiting seemed to be missing as 88 password reset attempts went unchallenged so we guessing there was no rate limiting at all.

As a developer with a focus on security, I highly recommend adding reading bug bounty reports to your professional reading list. It will be a big eye opener for you if you’ve never tried hacking a web application before.

I’m on day 5 of chemo treatment for skin cancer and I think this is all I have in the tank tonight but I’m glad I got this blog post out before I have to put another round of chemo on my face for the night. It’s not pleasant. :-\

Hope this helps somebody. 😉

How to Transfer Files from Windows PC to Linux Server Using Putty’s PSCP Command

Many blogs and web applications are being hosted on cloud based web servers. Of those web servers, many are running some flavor of the Linux operating system (OS).

If you’re a Windows PC user who is using a Linux web server for your online project then you have unique challenge that comes with being a dual OS user.

How will we transfer our files from our Windows development PC to our Linux cloud hosted blog or web app? Enter Putty and the PSCP command line tool!

What is Putty?

Putty is a Client application that handles connections to remote computers via the Telnet, SFTP and SSH protocols.

Putty Screenshot

What is PSCP?

PSCP is a command line application that is typically included in the Putty installation. PSCP transfers files between two computers from the Windows command line as long as firewalls allow the traffic on the designated ports for each type of traffic.

Transferring Files with PSCP from the Command Line

If you’ve installed Putty in the default directory, it will be here.

C:\Program Files\PuTTY

Open a Windows command line by clicking on the Windows start menu icon then entering “cmd” in the search field then find and click on the cmd icon.

Navigate to the Putty Directory by entering the command below.

C:\>CD c:\Program Files\Putty

Let’s look at an example PSCP command to transfer a file from a Windows PC to a Linux cloud web server with a fake user named root, IP of and a target folder of /var/www/html

PSCP Copy Files from Windows PC to Linux Web Server Example

PSCP Command Line Example:

c:\>C:\Program Files\Putty\pscp c:\temp\sample.txt root@

Copying Files from Linux Web Server to Window PC

C:\Program Files\PuTTY>pscp root@* c:\temp
 >root@'s password: [Enter Your Password]

That’s all you should need to know about connecting to a Linux cloud based web server from a Windows PC using the Putty SSH client.

Hope this helps you on your Cyber journey!

~Cyber Abyss

Google reCAPTCHA Privacy and Terms of Service links not Working in Internet Explorer 11 (Explained)

I’m sharing this story as it is something you might encounter when using Internet Explorer 11 with Google’s CAPTCHA service (code). 

This came up in UAT testing recently for a web product I work on so I thought I would share.  It might save you some time explaining to your customers about cross browser compatibility testing.

First off, Google has a free service for trying to detect bots on your site called “CAPTCHA”. CAPTCHA is an acronym for “Completely Automated Public Turing Test to tell Computer and Humans Apart”.

Google’s free CAPTCHA service called reCAPTCHA requires developers to register your website to get an API key which you will use along with some code to call the API from your site.  Pretty cool stuff, right?

I’m really simplifying this but to render the reCAPTCHA you would insert their code snippet. Make sure the code is loading from a a page using the HTTPS protocol or else it might not work.

    <title>reCAPTCHA demo: Simple page</title>
     <script src="" async defer></script>
    <form action="?" method="POST">
      <div class="g-recaptcha" data-sitekey="your_site_key"></div>
      <input type="submit" value="Submit">

Once the reCAPTCHA is loading on the page, it will be loading its contents in an IFRAMEThis is really important to our story!

There are links in the Google CAPTCHA that point to a privacy page and terms of service page on the domain which both have a “target =_blank” attribute on the link. This means these links should open in new windows or tab depending on other pressed keys.

The links are working just fine in Chrome and Firefox and opening in new windows but not IE 11.

What is the issue here?

It could have been earlier than IE 11 but, Microsoft implemented a security feature to restrict links loading in IFRAMES from linking out to a domain other than the one it originally loaded from.

The CAPTCHA code is loading from your but all the links in the IFRAME are pointing to the domain are now all disabled.


Here is a video on how to install Google reCAPTCHA for your website. Good luck and happy coding!

Video: Google reCapthca 2.0

WordPress Security: How to Fix xmlrpc.php Attacks

Today marks my first week of owning a WordPress blog.

I figured a week should be ample enough time to have the web server run and let the bad guys and bots take a swing at it. A review of my Apache web server log should show me what type of WordPress hacks would be attempted first.

My site is really new so I don’ t expect a lot of traffic. I downloaded my Apache web server log and noticed that apparently I had a lot of traffic for a brand new site that had not yet been promoted.

Once I downloaded and looked through the web server log file, a pattern quickly appeared. Lots of requests for a specific file called xmlrpc.php.

What the hell is xmlrpc.php?

I had found this in depth article about the xmlrpc file. For a more in-depth dive please check it out.

The super short version is, that XML-RPC is a WordPress feature enabling transmission of XML messages between systems using HTTP as the transport mechanism.

WordPress being an open system, occasionally needs to communicate with other systems, xmlrpc.php is supposed to handle that job.

My understanding is that xmlrpc.php is being deprecated in future versions of WordPress so why leave an artifact that can be used to enable a brute force attack on your site. Get rid of it ASAP!

Block Access to the xmlrpc.php file using Apache’s .htaccess file

.htaccess files are used by Apache web servers to allow or deny access to resources on your web site. We can allow or deny based on things like IP addresses or file names.

Your WordPress installation on Apache has a .htaccess file included by default.

You won’t see it using the >ls command as files beginning with a dot are hidden files. You can’t see it in the directory but we can open it.

In the screenshot below, I’ve opened the default WordPress .htaccess file using the nano text editor after connecting via SSH using PuTTY.

Setting an Access Restriction to the xmlrpc.php file using .htaccess file

Blocking access to the xmlrpc.php file to all users can be done using an entry in the .htaccess file that the Apache web server uses to grant or deny access to web resources.

When a request comes in to the Apache web server for the xmlrpc.php file, the server will apply this access rule which states that only local request will be granted and all others will be denied.

Navigate to your WordPress root folder. Mine was in: /var/www/html

I opened the .htaccess file by entering the command >sudo nano .htaccess

In the screenshot below, you see the special entry for <Files xmlrpc.php>.

.htaccess code for Denying Access to xmlprc.php

#Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
Order deny,allow
deny from all

One More Thing: Check Your Apache Config AllowOverride Setting

Of course I did not realize for 24 hours that my .htaccess settings were not actually working. There was one more thing we had to configure on the Apache web server.

Double check your Apache2.conf file to see if the AllowOverride setting is set to All for you WordPress public html directory. Mine was in the /var/www directory.

My AllowOverride setting was set to None by default as you can see the /srv/ is still set to None. Your installation maybe different.