Thursday, November 12, 2015

LiveReload with Sublime Text 3

So one extension I just heard about that I'll now be using going forward, especially since we use Sublime Text 3 in our department, is LiveReload.  This extension auto-updates your page in Chrome, Firefox, or Safari to reflect the changes you've made to your code once you've saved it.  You're welcome, front-end developers.

Wednesday, November 11, 2015

I'm going to try and recap more

I'm going to start cataloging more of the things that I'm learning on the job.  One, to chronicle it here for myself and others.  Two, so I can see the progress I'm making.  Three, so that I can see when I've stopped learning more and have mastered my skill set, so that I know to ask for more to stretch myself or to ask for a promotion within Red Bell; and if neither of those happens, I'll know it's time for me to move on somewhere else to get said experience and a raise.

I'll start to be more active here too as it pertains to my story and what my advice would be for others looking to get into tech.

Monday, April 13, 2015

Guesterly Info Night @ DevMountain

Conventional Web-To-Print Companies...
  What you see is what you get
  Traditional Web Application

New Web-To-Print Companies...
  Online Preview
    HTML
    CSS
  Convert to Print Ready
    InDesign
    JavaScript

They're able to use InDesign, but they want to build, and are building, a product that operates outside of it while closely mirroring InDesign.  They're doing this through simple yet powerful HTML/CSS manipulation.  Pretty cool idea, and definitely growth for this niche market.

Wednesday, April 8, 2015

Security Talk hosted at Adobe

Jeff Walter - Adobe - Event Organizer
Brent Shaffer - Adobe - Security Basics 101 - Matrix Architect - he writes SDKs and was the night's presenter

The framework/language does a lot, but not everything.
Your site is vulnerable.
Friends may embarrass you; so may bots and hacktivists.
Many attacks are easy to prevent.

A bot hacked a GitHub repository and spun up servers to mine bitcoin; the account belonged to a brand new developer.

All inputs are evil!  Don't trust your users' cookies, parameters, or HTTP headers.
All servers are evil - a good assumption for end users.
Whitelists are better than blacklists (???).  I need to learn more about this!
Don't store passwords in plain text.
Don't store your passwords in source code.
Don't leak error messages.
Openwest conference.

Cross-site scripting - XSS
Injected JavaScript that runs on behalf of another user.  It steals cookies and exploits the user's trust.  84% of all website vulnerabilities were of this type.  Chrome has a dev tool ability to stop these types of attacks.

Defense?
Validate user input when storing.  Escape when using variables in output, based on the content type it's being used in.  Escaping HTML for a variable in JavaScript will not save you.
Use a templating language or a markup language if you want user-input rich text, e.g. Markdown, Textile, RST (reStructuredText).
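To make the "escape based on the content type" point concrete, here is an added example (mine, not code from the talk): one escaper per output context, plus a check showing that HTML escaping leaves the characters that matter inside a JavaScript string untouched. Function names and the VALUE placeholder are my own.

```python
import html
import json
from urllib.parse import quote

# Added example (not from the talk): one escaper per output context.
# The same user value needs a different encoding depending on where the
# template places it, which is why "escape HTML" alone is not a defense.

def escape_html_body(value):
    """For text between tags: <p>VALUE</p>."""
    return html.escape(value, quote=False)

def escape_html_attr(value):
    """For a double-quoted attribute: <a title="VALUE">."""
    return html.escape(value, quote=True)

def escape_js_string(value):
    """For a string literal inside <script>: var v = VALUE;
    json.dumps handles quotes, backslashes and line terminators; <, > and &
    are hex-escaped so a '</script>' inside the value cannot close the tag."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))

def escape_url_param(value):
    """For a query-string value: href="/search?q=VALUE"."""
    return quote(value, safe="")

ESCAPERS = {"html": escape_html_body, "attr": escape_html_attr,
            "js": escape_js_string, "url": escape_url_param}

def render(template, context, value):
    """Substitute VALUE into a template with the escaper for its context."""
    return template.replace("VALUE", ESCAPERS[context](value))

def js_metachars_survive_html_escaping(value):
    """True when HTML escaping leaves characters that still carry meaning
    inside a JavaScript string literal (a backslash or a raw line break):
    the wrong escaper for the context leaves the output exploitable."""
    escaped = escape_html_body(value)
    return any(ch in escaped for ch in "\\\n\r")
```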


Code injection - comes in many forms, e.g. command-line injection, SQL injection, HTML/JavaScript injection.
Access the filesystem using "upwards" paths.
Access everything if system commands are being used.
Functions like exec, passthru, and system are often used to execute bash commands.
Functions like eval are used to dynamically evaluate PHP code.

Defense?
Strip upwards paths.
Ensure all files are relative to a safe "root".
Be strict on validation and output escaping; use these functions with extreme caution.
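An added example (mine, not from the talk) of the "relative to a safe root" defense: a user-supplied path is normalised and then checked, component by component, to still lie under the root. posixpath is used so the result is the same on every platform; the root and file names are made up.

```python
import posixpath

# Added example (not from the talk): confine a user-supplied relative path
# to a fixed root before touching the filesystem. On a live filesystem also
# resolve symlinks (os.path.realpath) before serving the result.

class UnsafePathError(ValueError):
    """Raised when a requested path would escape the root."""

def resolve_under_root(root, requested):
    """Return an absolute path inside root, or raise UnsafePathError.

    Rejects absolute paths, NUL bytes and any '..' that would climb above
    root. Normalisation happens first, so 'docs/../../x' is caught even
    though it does not start with '..'.
    """
    if "\x00" in requested:
        raise UnsafePathError("NUL byte in path")
    if posixpath.isabs(requested):
        raise UnsafePathError("absolute paths are not allowed")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # commonpath compares whole components, so '/srv/files2' is never
    # mistaken for something under '/srv/files'.
    if posixpath.commonpath([root, candidate]) != root:
        raise UnsafePathError("path escapes root: %r" % requested)
    return candidate

def is_safe(root, requested):
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        resolve_under_root(root, requested)
        return True
    except UnsafePathError:
        return False
```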

SQL injection - sanitize your inputs!  Use "bound variables", and use ORMs/database abstraction layers when possible.
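The "bound variables" advice, as an added example of my own (not from the talk): the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table so the difference is observable.

```python
import sqlite3

# Added example (not from the talk): concatenated query beside the bound
# form. The table and names are constructed for the example.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",), ("carol",)])
    return conn

def find_user_concat(conn, name):
    """Vulnerable: the user value becomes part of the SQL text, so the
    database parses whatever the user typed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_bound(conn, name):
    """Hardened: the value travels separately as a bound parameter and is
    never parsed as SQL, so quotes inside it are just data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def concat_breaks_on_quote(conn):
    """A legitimate name with an apostrophe already breaks the concatenated
    query (syntax error); the bound form returns the row normally."""
    try:
        find_user_concat(conn, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True
```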

Cross-site request forgery - CSRF (pronounced "sea surf")
Exploits the browser running on the client; exploits a site's trust in its users.
The victim is logged into the vulnerable website.  The attacker has the victim make a request to the vulnerable website without them knowing.
The infamous "Samy worm" - an attack on MySpace; within 20 hours over a million users had run the attack.

Defense?
Validate the referrer.  The HTTP Referer header says which URL initiated the request; this blocks any referrer that isn't you.  It only works if a whitelist can be constructed for where the requests will come from.
Use a CSRF token:
a token that is generated for each request based on the client's session ID.  Each form submits this back to the website.  Very difficult for an attacker to spoof.
<input type="hidden" name="csrf" value="eanorsytnoiarenstoiearnst">
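Both CSRF defenses above, as an added example that is my own rather than the talk's: a per-request token (random nonce) bound to the session ID through an HMAC over a server-side secret, and the Referer whitelist check. SERVER_SECRET, the session IDs and host names are constructed placeholders.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Added example (not from the talk): CSRF token bound to the session plus a
# Referer whitelist. SERVER_SECRET is a constructed placeholder; a real
# deployment loads a random secret from configuration, never source code.

SERVER_SECRET = b"constructed-placeholder-secret"

def make_csrf_token(session_id, secret=SERVER_SECRET, nonce=None):
    """Token is 'nonce.mac' with mac = HMAC(secret, session_id:nonce), so it
    is fresh per request yet only valid for this session."""
    nonce = nonce or secrets.token_hex(8)
    msg = (session_id + ":" + nonce).encode()
    return nonce + "." + hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_csrf_token(session_id, submitted, secret=SERVER_SECRET):
    if not submitted or "." not in submitted:
        return False
    nonce = submitted.split(".", 1)[0]
    expected = make_csrf_token(session_id, secret, nonce)
    # constant-time compare: do not leak how many leading bytes matched
    return hmac.compare_digest(expected, submitted)

def hidden_field(session_id, nonce=None):
    """The <input type="hidden" name="csrf" ...> each form carries."""
    token = make_csrf_token(session_id, nonce=nonce)
    return '<input type="hidden" name="csrf" value="%s">' % html.escape(token)

def referrer_allowed(referer, allowed_hosts):
    """Accept only a Referer naming one of our hosts. A missing header is
    rejected, which is why this check alone needs a whitelist of origins."""
    if not referer:
        return False
    return urlsplit(referer).hostname in allowed_hosts

def request_is_trusted(session_id, form, headers, allowed_hosts):
    """Server-side gate for a state-changing request."""
    return (referrer_allowed(headers.get("Referer"), allowed_hosts)
            and verify_csrf_token(session_id, form.get("csrf")))
```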

Session hijacking
Similar to CSRF.
The attacker obtains the victim's cookie and is then able to perform actions on their behalf.  Typically done to websites not secured with SSL/HTTPS.  Open networks and insecure networks (WEP), commonly found in public areas, make it possible to view other traffic on the same router.  Plugins like Firesheep, Cookie Cadger, and DroidSheep make this incredibly easy.  Sniffing is easy with tools like Wireshark.

Defense?
Use SSL/HTTPS throughout the whole site.
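An added check of my own (not from the talk) for the "HTTPS throughout" defense: it audits a server's response headers for session cookies that could still be sent over plain HTTP (no Secure flag) or read by injected script (no HttpOnly), and for a missing HSTS header. The header values are constructed.

```python
# Added example (not from the talk): a response-header audit for the
# "HTTPS everywhere" advice. Header values below are constructed.

REQUIRED_COOKIE_ATTRS = ("Secure", "HttpOnly")

def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=x' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def missing_cookie_attrs(header_value):
    """Names of required attributes absent from one Set-Cookie header."""
    _, attrs = parse_set_cookie(header_value)
    return [a for a in REQUIRED_COOKIE_ATTRS if a.lower() not in attrs]

def audit_response(headers):
    """headers: list of (name, value) pairs as sent by the server.
    Returns human-readable findings; an empty list means clean."""
    findings = []
    saw_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, _ = parse_set_cookie(value)
            for attr in missing_cookie_attrs(value):
                findings.append("cookie %s lacks %s" % (cookie, attr))
        elif lname == "strict-transport-security":
            saw_hsts = True   # browsers will refuse plain HTTP after this
    if not saw_hsts:
        findings.append("no Strict-Transport-Security header")
    return findings
```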

A honeypot is a secret field that a normal user won't see or use, but a bot will; if it is filled in, the whole request is rejected.

Rate limiting helps to block denial of service (DoS).
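The honeypot field and rate limiting, as one added example of my own (not from the talk): a hidden-field check and a sliding-window limiter keyed by client address. The field name, limits and client addresses are constructed.

```python
import time
from collections import deque

# Added example (not from the talk): two request filters, a honeypot form
# field and a sliding-window rate limiter. Names and limits are constructed.

HONEYPOT_FIELD = "website_url"  # hidden via CSS; humans never fill it in

def honeypot_triggered(form):
    """Bots fill every field they find; any value here rejects the request."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())

class RateLimiter:
    """Allow at most `limit` requests per client key in any `window` seconds."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = {}  # client key -> deque of request timestamps

    def allow(self, key):
        now = self.clock()
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # forget hits outside window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def accept_request(form, client_ip, limiter):
    """Reject honeypot hits first (cheap), then apply the per-client limit."""
    return not honeypot_triggered(form) and limiter.allow(client_ip)

def replay(limit, window, timestamps, key="client"):
    """Drive a limiter with a fixed timeline; returns one bool per request."""
    clock = iter(timestamps)
    limiter = RateLimiter(limit, window, clock=lambda: next(clock))
    return [limiter.allow(key) for _ in timestamps]
```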

Tuesday, April 7, 2015

In the beginning were 1's and 0's

We all know that computers operate in binary, and that is about the extent of our knowledge.  This blog will take you through my musings on coding.  This will range from past, current, and future things I want to learn.  It will discuss things I've done to learn to code, including free sites, bootcamps, and meetups.

Enjoy!