- /me hopes tonight is peaceful and uninterrupted. #
- The toddler lost the battle. Now what do I do with no earphones on the sofa with him asleep on me? #
- Rowan isn't too keen on the idea of sleeping :-/ #
- Stupid woman. Trying to pay for the bus with an inadequate supply of what seems to be 5p coins. #
- I wish $idiot would stop trying to recover the password for gingerdog @ gmail. While I'm at it – stop using my address to signup to stuff. #
- Well that rocked. Thanks dominion theatre and cast 🙂 #
- We will, we will…. Rock you. (waiting for the performance to start) #
- Well I jumped into the river, too many times to make it home, I'm here on my own, drifting all alone….. #gnr #
- Fuckit – water bottle has leaked in my bag; laptop + adaptor appears to have escaped TFFT. 2nd time for this to happen. Had better learn! #
- Support call with mr paranoid cookie hater *sigh*. #
- s/Firefox/Chromium/g perhaps…. seems much quicker at least, and now has required extensions. Shame it didn't import passwords from FF. #
- Wonders if anyone on bromsgrove freecycle passed GCSE English. #
- My nose should win an award for the volume, various colours, range of consistencies and stamina in snot production. #fedup #wanttransplant #
- Well at least Rowan seems awake and happy this morning. #
- My iPhone is only 4(?) months old yet the case is cracked. Think I need to encase it in something rigid. #
- I hate post office queues #
- Right own up! Who gave Rowan speed? He's been hyper hyper super hyper toddler since being home from nursery. #
- Think I, or bromsgrove missed some heavy rain today. No great loss. #
- iPhone gun app discovered. Suspect we may not get to use our phones much when we next see the nieces. (literal) Banana gun vs bazooka…. #
- Good episode of stargate universe (s1e10). #
- Mcvities light chocolate digestives are rubbish. Biscuit too hard. #sundaylunchfail #
- The instore asda radio started telling me about @asda today. Is Twitter too mainstream? Does it matter? Might as well 'subscribe' for now. #
- Aiming a virtual kick at a London data centre. #
- Stupid m6 and m1. All crawling #
- Arrived in Milton Keynes; I still couldn't find my way without the GPS. Too many roundabouts. #
- Number 2 is due for 11th June 2010. Now you all know. There will be no more. #
- RT @greensql GreenSQL-FW: 1.2.0 has just been released! Now with #postgresql support. #security http://www.greensql.net/node/889 #
- Daiseychain nursery fail. #
- Haha <marquee> hahaha #
- I hate hardware. Stupid motherboard with a broken SATA controller. Grrr #
- Christmas shopping nearly complete. Thank —- #
- Sleeping on a towel …. *sigh* stupid virus and sweat eager body #
Today, I finally looked at Wapiti, which is a web application vulnerability scanner. It operates on a black-box basis (i.e. it doesn't see the underlying PHP/ASP/Java source code) and effectively tries to 'break' any forms it finds on a page.
In order to get it to do anything useful, you'll probably need to provide it with a cookie file to use. Unfortunately, I couldn't originally get the provided 'getcookie.py' script to work, as the application in question posted the login form to an empty action (i.e. <form action="" method="post">), which the script didn't handle. After a bit of hacking I fixed this, but it took some time.
Installation is relatively easy: download the .zip file, extract it and change directory into it (e.g. cd wapiti-2.0.X).
Anyway, given we have "webapp" installed at http://orange/webapp and we wish to test it, we might do something like the following:
- cd src/net
- python getcookie.py ~/cookie.txt http://orange/webapp/login.php
- Enter username/password etc. as required to complete the login form
- The script exits; check the contents of ~/cookie.txt, which will look something like:
Set-Cookie3: PHPSESSID=3d20841af5de43c718732d80e5d78fe3; path="/"; domain="orange"; path_spec; expires="2010-01-04 22:42:47Z"; version=0
Now we can use wapiti to test any URLs 'behind' the login screen (as it were):
wapiti http://orange/webapp/search.php --cookie ~/cookie.txt -v 2 -o ~/report -x http://orange/webapp/logout.php
(We need to exclude the logout page, otherwise our session will get destroyed as soon as wapiti spiders that page and every request after it will be unauthenticated.)
Depending on how good the application is, you may see output like:
Found permament XSS in http://orange/webapp/search.php
attacked by http://orange/webapp/search.php?area=on&client_id=on&county=on with fields county=crzbl79tqr&status=x57cjl7m14&website=vk59qqbgmp&name=<script>alert('11byq04xd1')</script>&client_id=on&region=on
and similar for the other vulnerabilities.
If I point my web browser at file:///home/david/report I'll see a nice HTML report listing the vulnerabilities and so on.
Wapiti appears to detect:
- SQL Injection holes
- Cross Site Scripting (XSS) holes
- File inclusion (local/remote)
- Command execution vulnerabilities
- and others
I'm a bit annoyed I've only found this tool now, but also glad I've finally found it. I've been looking for something that can pick up XSS holes for ages (SQL injection I could already test using SQLMap, and by ensuring I only ever used prepared statements).
Update (July 2011): the cookie file format has changed to XML, one nested <domain> element per DNS label:
<?xml version="1.0" encoding="UTF-8"?>
<cookies>
  <domain name="uk">
    <domain name="co">
      <domain name="palepurple">
        <domain name="david">
          <cookie name="PHPSESSID" path="/" value="vmabdv5giph334aq33vb0add67" version="0"/>
          <cookie name="globdisc" path="/" value="yes" version="0"/>
        </domain>
      </domain>
    </domain>
  </domain>
</cookies>
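Both cookie-file formats above are easy to get wrong when reusing a jar (stale expiry dates, and in the XML form the host name has to be rebuilt from the nested domain elements, outermost label first). The following is an added example, not part of the original post or of Wapiti: it loads the Set-Cookie3 line with the standard library's LWPCookieJar (the format getcookie.py wrote), parses the XML form by walking the domain tree, and shows which cookies would be attached to a given URL. The sample values are the ones from the post; the helper names are my own.

```python
"""Load both Wapiti cookie-file formats and pick the cookies for a URL."""
import http.cookiejar
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The Set-Cookie3 line from the post, preceded by the magic header line the
# LWP format requires. Its expiry (2010) is in the past, so a plain load would
# silently drop it; that is the usual reason an old cookie jar "does nothing".
LWP_COOKIE_FILE = (
    "#LWP-Cookies-2.0\n"
    'Set-Cookie3: PHPSESSID=3d20841af5de43c718732d80e5d78fe3; path="/"; '
    'domain="orange"; path_spec; expires="2010-01-04 22:42:47Z"; version=0\n'
)

# The XML file from the July 2011 update: <domain> elements nest from the
# top-level label (uk) down to the host label (david).
WAPITI_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cookies>
 <domain name="uk"><domain name="co"><domain name="palepurple"><domain name="david">
  <cookie name="PHPSESSID" path="/" value="vmabdv5giph334aq33vb0add67" version="0"/>
  <cookie name="globdisc" path="/" value="yes" version="0"/>
 </domain></domain></domain></domain>
</cookies>
"""


def load_lwp_cookies(text, ignore_expires=True):
    """Parse Set-Cookie3 text via LWPCookieJar; returns a list of dicts."""
    jar = http.cookiejar.LWPCookieJar()
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        # ignore_expires=True keeps cookies whose expiry date has passed,
        # which is what you want when replaying a saved session jar.
        jar.load(path, ignore_discard=True, ignore_expires=ignore_expires)
    finally:
        os.unlink(path)
    return [{"host": c.domain, "name": c.name, "value": c.value, "path": c.path}
            for c in jar]


def load_wapiti_xml(text):
    """Walk the nested <domain> tree, rebuilding the host name on the way down."""
    found = []

    def walk(node, labels):
        for child in node:
            if child.tag == "domain":
                # A deeper element is a more specific (left-hand) label.
                walk(child, [child.get("name")] + labels)
            elif child.tag == "cookie":
                found.append({"host": ".".join(labels),
                              "name": child.get("name"),
                              "value": child.get("value"),
                              "path": child.get("path", "/")})

    walk(ET.fromstring(text.encode("utf-8")), [])
    return found


def cookie_header(cookies, url):
    """Cookie header value for url: host must equal or be a subdomain of the
    cookie host, and the request path must start with the cookie path."""
    parts = urlsplit(url)
    host, path = (parts.hostname or ""), (parts.path or "/")
    chosen = [c for c in cookies
              if (host == c["host"] or host.endswith("." + c["host"]))
              and path.startswith(c["path"])]
    return "; ".join(f"{c['name']}={c['value']}" for c in chosen)


if __name__ == "__main__":
    xml_cookies = load_wapiti_xml(WAPITI_XML)
    print(cookie_header(xml_cookies, "http://david.palepurple.co.uk/webapp/search.php"))
    print(cookie_header(load_lwp_cookies(LWP_COOKIE_FILE), "http://orange/webapp/search.php"))
```

Running it prints the two Cookie header values the scanner would send; a request to any other host gets an empty header, which is the quickest way to check that a jar really matches the site you are about to test.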
- Perhaps I should clean the car more often – latest 'find' a delicious ripe Banana skin http://twitpic.com/rg16o #
- Webbs 'garden centre' – where you buy christmas tat which people don't want #
- New mobile carrier – http://giffgaff.com/ – free in-network calls? #
- ASUS EeePC 900 – broken screen – extra battery+memory / spare parts? http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=170413079158 #
- Beans on toast with marmite was surprisingly good last night. What else can i do with marmite? #
- Cough cough cough …. Cough cough cough go the wife and toddler. #
- Ah. Can now sign up for spotify. It didn't like me having a 1/1/1890 DoB tho the form allows it. No error msg given. #fail #
- Hoping an excess of fruit will scare off this virus. #
- RT @garywkfung *BLACK FRI SALE* Ping! iPhone-2-iPhone messaging is free. Get your friends pinging for FREE! http://bit.ly/eKD52 #
- What a crap night. Now to run and cough my guts up. #
- I've got my tea sorted daddy! http://twitpic.com/r176k #
- Spotify clearly doesn't want my money. Stupid signup form gives no error msg feedback but keeps redisplaying itself. #fail #
- Look – proof I can cook (first time in 9+ months) http://twitpic.com/qxd11 #
- #phpuk2010 tickets bought for all employees … 26th Feb 2010 … You should be there too – http://www.phpconference.co.uk #php #london #
- wishes $previous_developer had discovered fputcsv() rather than doing a /lot/ of unsafe string concatenation("," . $foo . "," is WRONG) #php #
- Excessive screen estate ? 2×24" monitors – too much? http://twitpic.com/qv3ye #
- RT @garywkfung Ping! 1.2 now live! Includes address book, in-app purchase for sending photos and other fixes http://bit.ly/5kkUj #
- Well trains at least you picked today to be crap, rather than one where I had less leeway. #
- Hello White city. #
- Stupid signal failure is causing trouble for this train. Good thing I've got loads of 'spare' time. #
- RT @Openrightsgroup BBC: ORG supporters jump by 20% as protests grow: http://bit.ly/protestgrows #threestrikes #
- But I *had* to buy that massive bag of yummy liquorice and a triple choc muffin to have change for the bus!! #
- My way, your way, anything goes tonight……. Hmm. Need more music. #
- Confused. I thought rebooting an iPhone jailbroken with blackra1n would result in it losing the jailbreak. This does not seem to be the case. :~/ #
- Pondering trying spotify for a month or two. Thoughts lazyweb? #
- Rowan is still asleep. 13 hours and counting. A new record. Shame it takes illness to cause this :-/ #
- RT @Openrightsgroup No 10 petition now stands at 6.8k sigs thanks to @stephenfry @glinner http://bit.ly/dontdisconnect #threestrikes #
- failing to jailbreak my iPhone… (3gs v3.1.2 etc). Stupid tools. #
This will end my fit of blogging diarrhea. Honest.
On Saturday, I ran to Kidderminster (21 miles in total). It went quite well, although my left thigh ached a little and I got a sore groin. Afterwards I also noticed my feet were aching on the outside of my sole (they don’t normally)….
Yesterday morning I went running again, only for 30ish minutes and found my thigh seemed worse and my right knee was unhappy too. And my lower back aches a little.
I’m wondering if my new running shoes are responsible – or if it’s just because I somehow pushed myself too far on Saturday (considering my running routine has been a mess for the last month with me rarely managing to run more than twice a week (i.e ~8-10 miles if optimistic)).
Stay tuned. Or not. Today and tomorrow will be run-free days in the hope something will repair itself.
Why do some programmers not ensure data is escaped for the right output 'layer'? Today I came across some legacy code which appends strings together to create a CSV file. It went along the lines of:
$line .= $foo . '","' . $bar . '","' . $etc . ... . "\n";
There was no attempt at escaping the data being embedded, so if a field contains a " (which I know some records do) the resulting file will be malformed (yes, one premises has "..." in its name, and it has caused us problems already with similar code).
The easy answer in this instance is to use PHP's fputcsv() function (which has been around since 5.1), which quotes each field and doubles any embedded quotes for you.
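The same defect and the same fix, as an added example that is not from the post: the legacy code above is PHP and fputcsv() is its cure, but the principle (let the output layer do the escaping) is language-independent, so this uses Python's csv module, whose writer quotes fields and doubles embedded quotes exactly as fputcsv() does. The records are constructed; the second one carries the embedded double quote the post describes, and the third an embedded comma and newline.

```python
"""Naive quote-wrapping concatenation versus a real CSV writer."""
import csv
import io

# Constructed sample records (name, town, count).
PREMISES = [
    ("Acme Ltd", "Bromsgrove", 3),
    ('The "Old" Mill', "Kidderminster", 1),
    ("Smith, Jones & Co\nUnit 4", "Birmingham", 12),
]


def csv_by_concatenation(rows):
    """The pattern the post complains about: wrap every field in double quotes
    and join with a comma, with no escaping of the field contents at all."""
    out = ""
    for row in rows:
        out += '"' + '","'.join(str(field) for field in row) + '"\n'
    return out


def csv_by_writer(rows):
    """Hand the rows to the csv module, which quotes only what needs quoting
    and doubles any quote character inside a field (the fputcsv() behaviour)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


def round_trips(text, rows):
    """True if parsing text back yields the original rows (as strings)."""
    parsed = list(csv.reader(io.StringIO(text)))
    return parsed == [[str(field) for field in row] for row in rows]


if __name__ == "__main__":
    for label, fn in (("concatenation", csv_by_concatenation), ("csv.writer", csv_by_writer)):
        text = fn(PREMISES)
        print(f"{label}: round-trips={round_trips(text, PREMISES)}")
        print(text)
```

The concatenated version reads back fine until it meets the "Old" Mill record, where the parser sees the inner quote as the end of the field and the row comes back mangled; the csv.writer version round-trips all three rows, including the one with an embedded newline.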
What other demons are lurking there waiting to cause trouble I wonder?
(See also my random tweet linked to this)
Today, I installed Karmic on my desktop/server at work (aka orange). It was running Debian Lenny, but with the purchase of 2 24″ monitors and my subsequent failure to quickly configure them properly, I decided to jump ship to Karmic (which I knew would work thanks to the Ubuntu LiveCD).
So, installation was pretty simple. There appeared to be a language bug in the partitioner, where the text was telling me something different to the UI, but that wasn't a real problem, and it seemed a bit tricky selecting the right time zone; the installer was adamant that I would be It took about 20 minutes to install, I think, and then it was a case of reinstalling the various services/things needed on there (apache, bind9, dhcpd, postfix, mdadm, cron jobs [poo, lost some in the move], ftpd, ssh)…
Annoyingly, dotdeb packages don’t seem to install due to dependency issues, and there’s no php5-apc package, and I’m currently stuck with php 5.2.10 (until I can find 5.2.11 packages for Ubuntu somewhere).
The monitors work perfectly – a simple GUI click was required to stop cloning and turn them into two joined together monitors.
Empathy, the new Instant Messaging client doesn’t support FacebookChat, so it’s been given the boot – and I’ve ‘reverted’ to using pidgin (which works perfectly once you upgrade to using the .deb from here).
At last, my desktop effects seem to be working – I’m using the radeon kernel module – which appears to be open source, so that’s good.
- I’m a little miffed that I can’t do alt+shift+tab to cycle backwards through the window selector, but I’ll cope.
- The ‘Windows’ key still does nothing (FFS – windows key + D to show desktop, or windows key + E to open nautilus…). Such simple usage of it would be a huge improvement from a usability point of view.
- When I get new IM messages, the 'notification bubble' that appears seems to persist for too long and can't be dismissed (although at least it doesn't interfere with any windows you may have open already)
- The mess ‘they’ have made with /etc/ldap/slap.d; I can’t figure out how I’m meant to be able to configure this, so I copied my old slapd.conf file into place and changed the /etc/default/slapd file
- Have problems ssh’ing to some external servers, with useless messages like “Max number of auth attempts exceeded”. I’m assuming this is somehow related to ssh trying every possible ssh key in ~/.ssh (is this new behaviour?). Oddly one lenny server has no problem – another won’t let me in, unless I go via a third party and don’t do authentication agent forwarding (-a).
- pulseaudio is spamming /var/log/syslog with messages like :
Nov 25 21:17:01 orange pulseaudio: main.c: Module load failed.
Nov 25 21:17:01 orange pulseaudio: main.c: Failed to initialize daemon.
Nov 25 21:17:01 orange pulseaudio: main.c: Daemon startup failed.
I’ll guess this is file ownership related, as I dropped my old passwd and group files over the top of the ‘new’ Ubuntu ones. So far, however I’ve not found which file is to blame… reinstalling the package might be an option.
- Zero configuration of attached hardware (network card, graphics card etc)
- Monitors just work 🙂
- Almost all the config files from the previous install (Lenny) can be dropped in and just work
- Still debian like, so I know what to do
- Finally ‘service $foo start|stop|etc’ is available
- Pretty quick booting; I think.
- Like the new login screen, and default backgrounds
- UbuntuOne – had a quick meddle with this, better Nautilus integration could be achieved, but it’s not bad and seems easy to use. Not sure what I’ll use it for however….
So.. that was 2-3 hours of my morning wasted. Now I’m obviously so much more productive with massive(?) monitors…. and funky desktop effects.
- Stupid body. Both thigh muscles should not be able to cramp at the same time twice :-/ Baths are clearly not relaxing or good for me. #
- Back from a 21 mile run to Kidderminster – http://favoriterun.com/286539 … took ages, but good fun. #
- The driver on the bus says move on back, move on back…. #
- Fail of the day , dodford style http://twitpic.com/qcbch #
- Time to run 20 something miles. Is my fat chocolate biscuit fed body up to it? #
- Can haz internetz. Pondering perm move of hotel. #tetheringsucks #
- Breakfast at 4am. The toddler demanded it. He has a shreddie addiction. #
- Giving blood…. #
- New monitors == configuration hell. 2×24" tho. #
- Guess I ought to drag my lazy arse out of bed and go running. #
- Time for sudoku and sleep I think. Until tomorrow. #
- We've been dancing with Mr Brownstone. He won't leave me alone. #
- Ebuyer no longer allow me to pay via google checkout and I have to login before I can use paypal. Grrr. #
- I'm not the sharpest tool in the box tonight. Took 20+ mins to realise I was repeating one song over and over on this iPhone. Must not doze. #
- Orange breakfast, toddler style http://twitpic.com/plrmc #
- Interviewing nearly done. One last group. Students seem better this year at least. #
- Cv's reviewed. Whiskey drunk (not by me). Bed soon. #
- In Wales, it is wet. #
- My minions seem to not want their work monitors upgraded from 19" to 24". Strange employees. #
- Stuck in traffic outside Newtown (powys). Grr. #
- WordPress update time (2.8.6); svn update ftw. #
- And another night of sweating like a pig in bed. Am I ill again or did @ChairmumMiaow leave the heating on? #
- The toddler is now eating play dough. Tasty! #
- First adventures with openid. Shame Zend_openid_consumer doesn't work with google. Wasted time *sigh* #zf #php #fail #
- Hotel seem to be including free drinks and sweets. Now where are the people? #phpwm http://twitpic.com/p0st7 #
- Php Training complete for this week. Now to get the train to @phpwm meeting in bham. Ajax server side push stuff. Greek to me #phpwm #comet #
- And it's hard to hold a candle in the cold November rain. #
- Via many… RT @mikebutcher: UK O2 iPhone people: unlock yours tomorrow http://bit.ly/1jX9i7 o2++ #
- RT @nixgeek Now hiring a Systems Admin at work (@GradwellTweets) — go see http://tinyurl.com/yfe7uv2 if interested and RT please! #
- I've totally forgotten what I was going to say/tweet. Old age sucks. V 2009 looks good. #
- Failed to resist buying ms Swiss chocolate. Again. Soon I will not fit through doorways. #
If you want to allow WordPress to pass its HTTP requests through Squid (for security or whatever), edit wp-includes/class-snoopy.php and set the necessary proxy details there.
Shame WordPress doesn’t just have a configuration option or something for it. (