Twitter Weekly Updates for 2009-12-06

  • Mcvities light chocolate digestives are rubbish. Biscuit too hard. #sundaylunchfail #
  • The instore asda radio started telling me about @asda today. Is Twitter too mainstream? Does it matter? Might as well 'subscribe' for now. #
  • Aiming a virtual kick at a London data centre. #
  • Stupid m6 and m1. All crawling #
  • Arrived in milton Keynes; I still couldn't find my way without the gps. Too many roundabouts. #
  • Number 2 is due for 11th June 2010. Now you all know. There will be no more. #
  • RT @greensql GreenSQL-FW: 1.2.0 has just been released! Now with #postgresql support. #security #
  • Daiseychain nursery fail. #
  • Haha <marquee> hahaha #
  • I hate hardware. Stupid motherboard with a broken SAta controller. Grrr #
  • Christmas shopping nearly complete. Thank —- #
  • Sleeping on a towel …. *sigh* stupid virus and sweat eager body #

wapiti – web application vulnerability scanner (super quick review/intro)

Today, I finally looked at Wapiti, which is a web application vulnerability scanner. It operates on a black box basis (i.e. it doesn’t see the underlying PHP/ASP/Java source code), and effectively tries to ‘break’ any forms on a page.

In order to get it to do anything useful, you’ll probably need to provide it with a cookie file to use. Unfortunately, I couldn’t originally get the provided ‘’ file to work, as the application in question just posted the login form details to ” (i.e. <form action=” method=’post’>)…. after a bit of hacking I fixed this, but it took some time.

Installation is relatively easy – download the .zip file, extract it and change directory into it (e.g. cd wapiti-2.0.X)

Anyway, given we have “webapp” installed at http://orange/webapp, and we wish to test it, we might do something like the following :

  1. cd src/net
  2. python ~/cookie.txt http://orange/webapp/login.php
  3. Enter username/password etc as required to complete the login form
  4. Script exists, check the contents of ~/cookie.txt – it will look something like :

Set-Cookie3: PHPSESSID=3d20841af5de43c718732d80e5d78fe3; path=”/”; domain=”orange”; path_spec; expires=”2010-01-04 22:42:47Z”; version=0

Now we can use wapiti to test any urls ‘behind’ the login screen (as it were) :

wapiti http://orange/webapp/search.php –cookie ~/cookie.txt -v 2 -o ~/report -x http://orange/webapp/logout.php

(We need to exclude the logout page, else our session will get destroyed when wapiti spiders that page…)

Depending on how good the application is, you may see output like :

Found permament XSS in http://orange/webapp/search.php
attacked by http://orange/webapp/search.php?area=on&client_id=on&county=on with fields county=crzbl79tqr&status=x57cjl7m14&website=vk59qqbgmp&name=<script>alert(’11byq04xd1′)</script>&client_id=on&region=on

and similar for the other vulnerabilities.

If I point my web browser at file:///home/david/report I’ll see a nice HTML report listing the vulnerabilites and so on – similar to the below…

report output etc
report output etc

Wapiti appears to detect:

  • SQL Injection holes
  • Cross Site Scripting (XSS) holes
  • File inclusion (local/remote)
  • Command execution vulnerabilities
  • and others

I’m a bit annoyed I’ve only found this tool now – but also glad I’ve finally found it. I’ve been looking for something that can pick up XSS holes for ages (SQL Injection stuff I could already test using SQLMap, and ensuring I only ever used prepared statements).

Update (July 2011) – cookie file format has changed to xml –

<?xml version="1.0" encoding="UTF-8"?>
  <domain name="uk">
    <domain name="co">
      <domain name="palepurple">
        <domain name="david">
            <cookie name="PHPSESSID" path="/" value="vmabdv5giph334aq33vb0add67" version="0"/>
            <cookie name="globdisc" path="/" value="yes" version="0"/>

Twitter Weekly Updates for 2009-11-29

  • Perhaps I should clean the car more often – latest 'find' a delicious ripe Banana skin #
  • Webbs 'garden centre' – where you buy christmas tat which people don't want #
  • New mobile carrier – – free in-network calls? #
  • ASUS EeePC 900 – broken screen – extra battery+memory / spare parts? #
  • Beans on toast with marmite was surprisingly good last night. What else can i do with marmite? #
  • Cough cough cough …. Cough cough cough go the wife and toddler. #
  • Ah. Can now sign up for spotify. It didn't like me having a 1/1/1890 DoB tho the form allows it. No error msg given. #fail #
  • Hoping an excess of fruit will scare off this virus. #
  • RT @garywkfung *BLACK FRI SALE* Ping! iPhone-2-iPhone messaging is free. Get your friends pinging for FREE! #
  • What a crap night. Now to run and cough my guts up. #
  • I've got my tea sorted daddy! #
  • Spotify clearly doesn't want my money. Stupid signup form gives no error msg feedback but keeps redisplaying itself. #fail #
  • Look – proof I can cook (first time in 9+ months) #
  • #phpuk2010 tickets bought for all employees … 26th Feb 2010 … You should be there too – #php #london #
  • wishes $previous_developer had discovered fputcsv() rather than doing a /lot/ of unsafe string concatenation("," . $foo . "," is WRONG) #php #
  • Excessive screen estate ? 2×24" monitors – too much? #
  • RT @garywkfung Ping! 1.2 now live! Includes address book, in-app purchase for sending photos and other fixes #
  • Well trains at least you picked today to be crap, rather than one where I had less leeway. #
  • Hello White city. #
  • Stupid signal failure is causing trouble for this train. Good thing I've got loads of 'spare' time. #
  • RT @Openrightsgroup BBC: ORG supporters jump by 20% as protests grow: #threestrikes #
  • But I *had* to buy that massive bag of yummy licquorice and a triple choc muffin to have change for the bus!! #
  • My way, your way, anything goes tonight……. Hmm. Need more music. #
  • Confused. I thought rebooting iPhone jailbroken with blackra1n would result in it loosing jailbreak. This does not seem to be the case. :~/ #
  • Pondering trying spotify for a month or two. Thoughts lazyweb? #
  • Rowan is still asleep. 13 hours and counting. A new record. Shame it takes illness to cause this :-/ #
  • RT @Openrightsgroup No 10 petition now stands at 6.8k sigs thanks to @stephenfry @glinner #threestrikes #
  • failing to jailbreak my iPhone… (3gs v3.1.2 etc). Stupid tools. #


This will end my fit of blogging diarrhea. Honest.

On Saturday, I ran to Kidderminster (21 miles in total). It went quite well, although my left thigh ached a little and I got a sore groin. Afterwards I also noticed my feet were aching on the outside of my sole (they don’t normally)….

Yesterday morning I went running again, only for 30ish minutes and found my thigh seemed worse and my right knee was unhappy too. And my lower back aches a little.

I’m wondering if my new running shoes are responsible – or if it’s just because I somehow pushed myself too far on Saturday (considering my running routine has been a mess for the last month with me rarely managing to run more than twice a week (i.e ~8-10 miles if optimistic)). I was going to write “I read somewhere” but I ended up looking for the site instead. This article I read at talked about using cbd oils for certain pains that occur in runners. I’m not sure I want to take something for it just yet, there’s still a possibility I pushed myself to hard, as I mentioned. I hope it goes away on its own and I can find a good balance of time, distance, and rhythm to my runs. What would make me most unhappy is to find I have done some permanent damage to my back, my knees or my ankles by wanting to go out there and being healthy. I… well, you’d read a very angry blog post about it, that’s for sure.

Stay tuned. Or not. Today and tomorrow will be run-free days in the hope something will repair itself.

Random PHP CSV writing code fail

Why do some programmers not ensure data is escaped for the right output ‘layer’… today I came across some legacy code which appends strings together to create a CSV file – it went along the lines of  :

$line .= $foo . ‘”,”‘ . $bar . ‘”,”‘ . $etc…. . “\n”;

There was no attempt at escaping the data being embedded, so if it contained a ” (which I know some records do) it will/would fail (yes, one premises has “…” in it’s name, and it’s caused us problems already with similar code).

The easy answer in this instance is to use PHP’s fputcsv() function (which has been around since 5.1).

What other demons are lurking there waiting to cause trouble I wonder?

(See also my random tweet linked to this)

Ubuntu Karmic … my first impressions

Today, I installed Karmic on my desktop/server at work (aka orange). It was running Debian Lenny, but with the purchase of 2 24″ monitors and my subsequent failure to quickly configure them properly, I decided to jump ship to Karmic (which I knew would work thanks to the Ubuntu LiveCD).

So, installation was pretty simple – there appeared to be a language bug in the partitioner – where the text was telling me something different to the UI, but that wasn’t a real problem, and it seemed a bit tricky selecting the right time zone – the installer was adament that I would be It took about 20 minutes to install, I think, and then it was a case of reinstalling the various services/things needed on there (apache, bind9, dhcpd, postfix, mdadm, cron jobs [poo, lost some in the move], ftpd, ssh)…

Annoyingly, dotdeb packages don’t seem to install due to dependency issues, and there’s no php5-apc package, and I’m currently stuck with php 5.2.10 (until I can find 5.2.11 packages for Ubuntu somewhere).

The monitors work perfectly – a simple GUI click was required to stop cloning and turn them into two joined together monitors.

Empathy, the new Instant Messaging client doesn’t support FacebookChat, so it’s been given the boot – and I’ve ‘reverted’ to using pidgin (which works perfectly once you upgrade to using the .deb from here).

At last, my desktop effects seem to be working – I’m using the radeon kernel module – which appears to be open source, so that’s good.


  • I’m a little miffed that I can’t do alt+shift+tab to cycle backwards through the window selector, but I’ll cope.
  • The ‘Windows’ key still does nothing (FFS – windows key + D to show desktop, or windows key + E to open nautilus…). Such simple usage of it would be a huge improvement from a usability point of view.
  • When I get new IM messages, the ‘notification bubble’ that appears seems to persist for too long, can’t be dismissed (although at least it doesn’t interfer with any windows you may have open already)
  • The mess ‘they’ have made with /etc/ldap/slap.d; I can’t figure out how I’m meant to be able to configure this, so I copied my old slapd.conf file into place and changed the /etc/default/slapd file
  • Have problems ssh’ing to some external servers, with useless messages like “Max number of auth attempts exceeded”. I’m assuming this is somehow related to ssh trying every possible ssh key in ~/.ssh (is this new behaviour?). Oddly one lenny server has no problem – another won’t let me in, unless I go via a third party and don’t do authentication agent forwarding (-a).
  • pulseaudio is spamming /var/log/syslog with messages like :

Nov 25 21:17:01 orange pulseaudio[15064]: main.c: Module load failed.

Nov 25 21:17:01 orange pulseaudio[15064]: main.c: Failed to initialize daemon.

Nov 25 21:17:01 orange pulseaudio[15062]: main.c: Daemon startup failed.

I’ll guess this is file ownership related, as I dropped my old passwd and group files over the top of the ‘new’ Ubuntu ones. So far, however I’ve not found which file is to blame… reinstalling the package might be an option.


  • Zero configuration of attached hardware (network card, graphics card etc)
  • Monitors just work 🙂
  • Almost the config files from the previous install (Lenny) can be dropped in and work
  • Still debian like, so I know what to do
  • Finally ‘service $foo start|stop|etc’ is available
  • Pretty quick booting; I think.
  • Like the new login screen, and default backgrounds
  • UbuntuOne – had a quick meddle with this, better Nautilus integration could be achieved, but it’s not bad and seems easy to use. Not sure what I’ll use it for however….

So.. that was 2-3 hours of my morning wasted. Now I’m obviously so much more productive with massive(?) monitors…. and funky desktop effects.

Twitter Weekly Updates for 2009-11-22

  • Stupid body. Both thigh muscles should not be able to cramp at the same time twice :-/ Baths are clearly not relaxing or good for me. #
  • Back from a 21 mile run to Kidderminster – … took ages, but good fun. #
  • The driver on the bus says move on back, move on back…. #
  • Fail of the day , dodford style #
  • Time to run 20 something miles. Is my fat chocolate biscuit fed body up to it? #
  • Can haz internetz. Pondering perm move of hotel. #tetheringsucks #
  • Breakfast at 4am. The toddler demanded it. He has a shreddie addiction. #
  • Giving blood…. #
  • New monitors == configuration hell. 2×24" tho. #
  • Guess I ought to drag my lazy arse out of bed and go running. #
  • Time for sudoku and sleep I think. Until tomorrow. #
  • We've been dancing with Mr Brownstone. He won't leave me alone. #
  • Ebuyer no longer allow me to pay via google checkout and I have to login before I can use paypal. Grrr. #
  • I'm not the sharpest tool in the box tonight. Took 20+ mins to realise I was repeating one song over and over on this iPhone. Must not doze. #

Twitter Weekly Updates for 2009-11-15

  • Orange breakfast, toddler style #
  • Interviewing nearly done. One last group. Students seem better this year at least. #
  • Cv's reviewed. Whiskey drunk (not by me). Bed soon. #
  • In Wales, it is wet. #
  • My minions seem to not want their work monitors upgraded from 19" to 24". Strange employees. #
  • Stuck in traffic outside Newtown (powys). Grr. #
  • WordPress update time (2.8.6); svn update ftw. #
  • And another night of sweating like a pig in bed. Am I ill again or did @ChairmumMiaow leave the heating on? #
  • The toddler is now eating play dough. Tasty! #
  • First adventures with openid. Shame Zend_openid_consumer doesn't work with google. Wasted time *sigh* #zf #php #fail #
  • Hotel seem to be including free drinks and sweets. Now where are the people? #phpwm #
  • Php Training complete for this week. Now to get the train to @phpwm meeting in bham. Ajax server side push stuff. Greek to me #phpwm #comet #
  • And it's hard to hold a candle in the cold November rain. #
  • Via many… RT @mikebutcher: UK O2 iPhone people: unlock yours tomorrow o2++ #
  • RT @nixgeek Now hiring a Systems Admin at work (@GradwellTweets) — go see if interested and RT please! #
  • I've totally forgotten what I was going to say/tweet. Old age sucks. V 2009 looks good. #
  • Failed to resist buying ms Swiss chocolate. Again. Soon I will not fit through doorways. #

Initial foray into OpenId (Zend_OpenId_Consumer / PHP etc)

While updating some security training materials, I thought I’d include some more information on OpenId – with the hope of demonstrating how the typical username/password mess which web applications create can be countered (for example see here )

So, being a PHP type, and having seen that the Zend Framework supports OpenId, I thought I’d create a simple demo. The documentation looked good, and I quickly got a test script online (see below). So – to test it, I thought I’d try using Google as my OpenID provider (afterall StackOverflow does) and I obviously have a Google account.

So, the Zend Framework gives the following test code :

require_once(dirname(__FILE__) . '/Zend/OpenId/Consumer.php');
require_once(dirname(__FILE__) . '/Zend/OpenId/Extension/Sreg.php');
$sreg = new Zend_OpenId_Extension_Sreg(array(
 'fullname'=>false), null, 1.1);
//echo file_get_contents('');
$status = "";
$consumer = new Zend_OpenId_Consumer();
if (isset($_POST['openid_action']) && $_POST['openid_action'] == "login" && !empty($_POST['openid_identifier'])) {
 if (!$consumer->login($_POST['openid_identifier'], null, 'http://*', $sreg)) {
   //echo $consumer->getError();
   $status = "OpenID login failed.";
} else if (isset($_GET['openid_mode'])) {
 if ($_GET['openid_mode'] == "id_res") {
   if ($consumer->verify($_GET, $id, $sreg)) {
     $status = "VALID " . htmlspecialchars($id);
   } else {
     $status = "INVALID " . htmlspecialchars($id);
 } else if ($_GET['openid_mode'] == "cancel") {
   $status = "CANCELLED";

<?php echo "$status<br>" ?>
<form method="post">
<legend>OpenID Login</legend>
<input type="text" name="openid_identifier" value=""/>
<input type="submit" name="openid_action" value="login"/>

Which doesn’t work if you try to use [Google’s OpenID provider URL]. It just fails with a hopeless “Discovery Failed” error message. I spent an hour or two poking it, and making fruitless Google searches (or so it seemed). Then I gave up and tried using a different provider – success.. it all works.

Various postings imply there is/was a problem with the Zend Framework’s OpenId consumer – although to start with I thought it might have been due to my local PHP configuration (E.g. lacking support for openssl/mhash or something else, but this wasn’t the case). See also this and this

Thankfully the code does work when using other providers – e.g. MyOpenId. One nice feature of OpenId, which I wasn’t aware of, is that you (the web client application) can also request e.g. nickname, name, date of birth and country of residence from the OpenID provider (which is what the Zend_OpenId_Extension_Sreg stuff is all about – I’ve made the request parameters all optional, otherwise you get an auth failure when the provider doesn’t return the data you require).

Anyway, it’s really, really, easy to do. Shame about the poor support for Google though.