This post outlines my efforts to bring in a Markdown-focused workflow for creating presentations. The tool sets up an automated workflow built on Markdown and Reveal.js.
This post outlines my new tool, which clones the entire set of public repositories of a specific user or organization. It can also be used to create a backup of all those repositories.
While experimenting with WordPress I was faced with a situation where I had to present some static text content on the website. However, uploading a text file was out of the question, and the author wanted to keep everything controlled inside WordPress.
Many times web application pen-testers come across .svn folders. For those not aware, the .svn folder is used by the SVN version control system to perform its operations. For a blackbox pentester this folder contains a huge amount of information: an exposed .svn directory lists the repository's file paths and can expose source code that was never meant to be served.
This was my first time attending Yahoo Open Hack Day. The event is all fun and a quick way to get hacking on the Yahoo APIs.
I specifically focused on one API, YQL, which basically claims to do the following:
Now that raises an eyebrow. In simpler terms, this is what we can call a content scraper's dream: we get as many as 1000+ data tables which allow us to interact with various websites using well-known SQL-like syntax.
Here we can keep adding more and more tables if needed; otherwise we can always fall back on generic tables like
The thing that I liked the most was that they have given direct access in the form of the YQL console; you can check that by clicking the above link.
I have been trying my luck at brewing something for myself, and a long-lasting itch came back to me, so I thought let's try scratching it here.
So my hack for Open Hack Day 2011 was: MY Life: a social content feed aggregation widget.
Basically what I am doing is listed here in the simplest terms.
1) Take a simple user ID / username from the user for various social networking sites.
2) Create a unified feed based on the user's inputs.
3) Provide a widget (HTML/JS) and PHP code to be used on a site, depending on the user's need.
So here is the hosted version of the hack:
Note: YQL has a rate limit and hence will only be able to fetch content 10000 times a day. So if you do find output missing, then it's good news for me: basically my site has crossed 10000 users.
Tips for Db Security
Disclaimer: This post keeps in mind web front-end and web-application-based attacks on DB servers.
Any user ID used for web application connectivity should be restricted to specific IP addresses; that could be localhost if the DB and the app server share one machine. If two separate servers are used, restrict the user ID(s) to the application server's IP address / hostname. Keep a strict log of who accesses the ID and when.
The first entry in the user/password database should be a dummy entry with zero privileges; it can double as a honeypot, since any login attempt against it is a sign that someone is probing.
Default accounts should be removed / blocked.
User input validation should be a 3-step process:
Web page / client side: JavaScript. (This is a usability aid only; an attacker can bypass it trivially, so the server and DB layers must never depend on it.)
Server (application): OWASP ESAPI or custom functions could be used.
DB: use PL/SQL functions to strip input data, and pass user-supplied values as bind variables rather than concatenating them into SQL.
Another good utility to keep in mind on Oracle is DBA_USERS_WITH_DEFPWD: it lists users that still have their default passwords, and from 11g most default accounts are locked at install.
Web application developers should be provided with 3 different user access levels to be used inside the web application:
Read access: user with access to SELECT queries only.
Write access: user with SELECT, UPDATE and DELETE access.
App_mod: write access plus DROP and TRUNCATE.
Developers need to make sure the proper user is used as and when required.
Note: I know a large number of developers might start crying that this will increase their headache, but in the long run this could turn out to be a life saver.
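The tips above put into statements, as an added worked example that is not code from the original post. It uses MySQL 5.7+ syntax (ACCOUNT LOCK, DROP USER IF EXISTS); the database name shop, the table orders, the application server address 10.0.0.5 and every password are assumptions for illustration, and the write tier is given INSERT on the assumption that a write user needs it.

```sql
-- Added example (not from the original post): MySQL 5.7+ syntax.
-- Assumed: database `shop`, table `shop.orders`, application server 10.0.0.5.
-- Every password below is a placeholder to be replaced.

-- Dummy first entry: CREATE USER with no GRANT leaves it with USAGE only,
-- i.e. no access to anything. Locking it means every attempt fails and is
-- visible in the server log as a probe (the honeypot role).
CREATE USER 'dummy'@'%' IDENTIFIED BY 'unused-placeholder' ACCOUNT LOCK;

-- Three tiers, each clipped to the app server's address. Use 'localhost'
-- instead of 10.0.0.5 when DB and application share one machine.
CREATE USER 'shop_ro'@'10.0.0.5' IDENTIFIED BY 'replace-me-ro';
GRANT SELECT ON shop.* TO 'shop_ro'@'10.0.0.5';

-- INSERT added here on the assumption that a "write" user needs it.
CREATE USER 'shop_rw'@'10.0.0.5' IDENTIFIED BY 'replace-me-rw';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_rw'@'10.0.0.5';

-- In MySQL, TRUNCATE TABLE requires the DROP privilege, so DROP covers both.
CREATE USER 'shop_mod'@'10.0.0.5' IDENTIFIED BY 'replace-me-mod';
GRANT SELECT, INSERT, UPDATE, DELETE, DROP ON shop.* TO 'shop_mod'@'10.0.0.5';

-- Default accounts: remove the anonymous account older installs shipped with.
DROP USER IF EXISTS ''@'localhost';

-- Checks to run afterwards.
-- Accounts reachable from any host; expected result: only the locked dummy.
SELECT user, host, account_locked FROM mysql.user WHERE host = '%';
-- Privileges actually held by each tier:
SHOW GRANTS FOR 'shop_ro'@'10.0.0.5';
SHOW GRANTS FOR 'shop_rw'@'10.0.0.5';
SHOW GRANTS FOR 'shop_mod'@'10.0.0.5';
-- Who is connected right now, as whom and from where ("who accesses the id
-- and when"); enable the general log or an audit plugin to keep history.
SELECT id, user, host, db, time FROM information_schema.processlist;

-- Validation step 3 at the DB: never build SQL from raw input by
-- concatenation. A bound parameter is treated as one value, never as SQL
-- text. Server-side PREPARE shows what a driver's parameterised query does.
SET @raw_input = '1 OR 1=1';
PREPARE get_order FROM 'SELECT id, total FROM shop.orders WHERE id = ?';
EXECUTE get_order USING @raw_input;  -- the whole string is compared with id
DEALLOCATE PREPARE get_order;

-- Oracle counterpart of the default-password check mentioned in the post:
-- SELECT username FROM dba_users_with_defpwd;
```

Running the SHOW GRANTS statements after deployment is the quickest way to confirm that a developer did not quietly hand the read-only account UPDATE rights; the processlist query is the live view, not the log, so pair it with the general log or an audit plugin if you need the history the post asks for.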
Please share your opinion: is this a good approach, is it going to help you, and what do you think should be added to this?
I am back with some more scripting fun.
I have been working on configuring my new Debian machine and found one utility sorely lacking in Debian, and that was add-apt-repository.
So I sat down, took my time, and finally I was able to mix and match this simple script.
Disclaimer: I know adding PPAs can have adverse effects on Debian machines (PPA packages are built against Ubuntu's library versions, not Debian's).
At this point the work that this script performs is:
- add the repository of the PPA (here I am using lucid as the distribution of choice, because I am using squeeze as my Debian version).
- add the GPG key to the keyring.
- This script is at this point tested only on one machine: Debian Squeeze (Mint flavoured).
Steps to install this:
1. Download the file
$ wget http://blog.anantshri.info/content/uploads/2010/09/add-apt-repository.sh.txt
2. Save the file in /usr/sbin/
$ cp add-apt-repository.sh.txt /usr/sbin/add-apt-repository
3. Change permissions to make it executable (root can run it with any execute bit set, but 755 is the conventional mode for a system script)
$ chmod 755 /usr/sbin/add-apt-repository
4. Change ownership to root
$ chown root:root /usr/sbin/add-apt-repository
5. Now whenever you need to execute the command, type
$ sudo add-apt-repository ppa:ppa-name
Opening this script to a larger audience so that we can crowdsource efforts if someone likes it.
Hope this can help someone.
7 Jan 2011: Updated the tutorial to place the file at /usr/sbin, as suggested several times in the comments.
6 Aug 2011: Updated the script to deal with a security hole (although not easily exploitable), as suggested by 7eggert in comment no. 23.
10 Sep 2011: bin corrected to sbin in steps 3 and 4; thanks to Craig for pointing that out.
This plugin has one specific role, and that is to find 404 errors on your website and notify you of them by RSS or e-mail.
But the e-mails generated are not of much use, as they tell me only one part of the story, i.e. the URL that was hit and got a 404.
So I modified the code, and now it makes a lot more sense and gives me some insight into what is actually happening.
So my latest code sends out messages with the following details (providing a picture of a sample message).
If the link is not referred by any page, then it means the link is either bookmarked or some automated bot is trying to access the URL.
The User-Agent tells a lot more about who is accessing the link. Keep in mind that both the Referer and the User-Agent are supplied by the client and can be omitted or forged, so treat them as hints rather than proof.
And just in case you don't want to be irritated by a particular user, you always have their IP address to block them in .htaccess.
So I have launched the modified code as 404-notifier on Google Code.
Hope this code can help someone.
While surfing the web I came across a forum thread at Net Builders asking for some WordPress optimization options.
So I went ahead and customized it as per the need requested in the forum, and here we are:
A simple Tweets-in-post plugin with a brand new shortcode.