Donald's Bacon Bytes

bytes of information as tasty as bacon

Half Marathon

Topic: Fitness | Tags: ,

May
04
2013

Exactly 1 year after struggling through a 5k I made it through a half marathon! I ran the Eugene 5k race last year in 32:55 for a pace of 10:36 per mile. That was a pretty good pace considering I had just started running 2 months before that and could barely go a couple minutes without stopping when I had started running. One year later I was able to complete the half marathon in 2:18:23 for a pace of 10:34 per mile. I had beaten my 5k pace and ran over 4 times further!

What now? Run a full marathon? Hang up my running shoes? Not really sure. It took a lot of time to train for this. Some weeks I was running over 25 miles a week and it was hard to get that many miles done. For a marathon, that isn’t very much. It would be cool to have a marathon under my belt but the time commitment for training is a bit of a hurdle. For now though I am going to scale down the running and hit the weight room.

donald at hayward



XSS & HTML Data

Topic: Development | Tags:

Mar
27
2013

At work we recently went through a security audit on our application. Even though our application is behind a firewall, internal only and requires authentication, we still needed to make sure it was protected. One of the things that came up was a possible XSS vulnerability. There are currently 2 places in the application that allow a user to create, save and view HTML. If an attacker got into a user’s computer, they could then post some HTML in this application, and when another user loaded the page containing that HTML, the other user could get infected.

As a side note (which is relevant when talking code below), this application is built on .NET using C#.

We couldn’t just take away the ability to post HTML either, as it was a widely used feature. We could search for a <script> tag, but there are many variations and attributes someone could use to get past such a search, and we could miss something. Besides the script tag, someone could post a link to a website that would infect a user, and we cannot block links either. So, what can you do about this? Here are the first ideas I came up with:

  1. Not allow HTML
  2. Use something like Markdown and convert that to allowed HTML
  3. Parse the HTML and compare against a whitelist

Like I said, #1 was not an option for us. We could do #2, but with a lot of our users not being very technical, this would make it difficult for them to use. We could do #2 and provide some kind of WYSIWYG editor. This is probably a good option, but we also wanted to give the people who knew HTML the ability to write HTML and not have to learn a new markup language. So, we opted for #3.

When I started researching this I came across something from Microsoft called the AntiXssLibrary. Everything I read suggested this was exactly what I was looking for. There was a method called GetSafeHtmlFragment which promised to do a lot of what I wanted. After playing around with this library I noticed that it wasn’t doing what it should. I thought I was doing something wrong, so I kept trying different things.

Frustrated, I turned to the web some more. After further research, it turns out that Microsoft broke the functionality contained in that method and no word on when (or if) it would be fixed.

The next idea was to use the HtmlEncode method of HttpUtility and then replace the encoded values of allowed tags with the actual tag. So, something like this:

// needs: using System.Text; using System.Web;
// encode everything first, so no tag survives as markup
string encodedHtml = HttpUtility.HtmlEncode(htmlText);

StringBuilder sb = new StringBuilder(encodedHtml);

// then turn the encoded form of each whitelisted tag back into real markup
sb.Replace("&lt;b&gt;", "<b>");

sb.Replace("&lt;/b&gt;", "</b>");

And so on. I liked this idea because it meant I was only allowing a whitelisted set of HTML tags. As I went further down this path, it got rather complicated. What about attributes? What about bad code inside attributes? Well, maybe regular expressions could help with that!

My next test code looked like this:

// needs: using System.Text.RegularExpressions; using System.Web;
// matches an encoded <table ...> start tag, with double- or single-quoted attributes
Regex reg = new Regex("&lt;table\\s(((.+)=&quot;((?:.(?!&quot;(?:\\S+)=|&quot;&gt;))*.?)&quot;)|((.+)=&#39;((?:.(?!&#39;(?:\\S+)=|&#39;&gt;))*.?)&#39;))*(&gt;)?");

Match m = reg.Match(data);
if (m.Success)
{
    string matchVal = m.Value;
    // strip the leading "&lt;" (4 chars) and, when present, the trailing "&gt;" (4 chars);
    // the closing "&gt;" is optional in the pattern, so check before cutting it off
    int tail = matchVal.EndsWith("&gt;") ? 4 : 0;
    string matchValReplaced = matchVal.Substring(4, matchVal.Length - 4 - tail);
    string decoded = System.Web.HttpUtility.HtmlDecode(matchValReplaced);
    data = data.Replace(matchVal, "<" + decoded + ">");
}

Again, that seemed to work. I could create multiple regular expressions for the valid tags (or roll them into one expression or something like that). It still seemed rather complicated, prone to error and a hassle to maintain.

Before settling on this solution I wanted to check the web some more. I then came across a blog article (http://eksith.wordpress.com/2012/02/13/antixss-4-2-breaks-everything/) by eksith, who was in the same boat. They needed to solve the same problem for the same reasons, and they solved it with a lot better code than I had hacked together!!

This didn’t require much modification for our use. I did modify a few things, though. I added a few more ValidHtmlTags to the dictionary, as well as some other attributes that were being used by our users. I also still had to solve the issue of not allowing users to link outside of our website. To do that, I created a variable containing a list of strings that were valid prefixes for the href attribute.

Then I added this (after line 143 of the original code):

if (a.Name == "href")
{
    // compare against the allowed prefixes; the list is lower case, so lower the value too
    a.Value = a.Value.ToLower();
    bool isValid = ValidBaseUrls.Any(s => a.Value.StartsWith(s));
    if (!isValid)
        a.Value = "#";   // anything outside the allowed list is neutralised
}

If a user added an anchor tag that linked to somewhere other than our valid list, that href attribute would get replaced with a pound sign.

One of the cool things about this class is that everything other than the allowed HTML tags and attributes gets encoded. That way, when you display the content on your page, only the allowed tags render as HTML.
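To show the whole approach in one place (the encode-then-whitelist idea from the StringBuilder attempt above, plus the href prefix check), here is an added example that is neither this post’s code nor eksith’s. It assumes the HtmlAgilityPack NuGet package for parsing; the tag list, attribute list and intranet host are hypothetical. Two caveats a plain StartsWith check needs are built in: every allowed base URL ends with a "/" (otherwise "https://intranet.example" also matches "https://intranet.example.evil/"), and because "/" itself is allowed, protocol-relative "//host" and "/\host" forms are rejected explicitly.

```csharp
// Added example, not the post's or eksith's code. Assumes the HtmlAgilityPack
// NuGet package; tag/attribute lists and hosts below are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Text;
using HtmlAgilityPack;

public static class HtmlWhitelist
{
    // Tag -> attributes permitted on that tag. Everything else is encoded or dropped.
    static readonly Dictionary<string, string[]> ValidHtmlTags =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "b", new string[0] }, { "i", new string[0] }, { "p", new string[0] },
            { "br", new string[0] }, { "table", new[] { "border" } },
            { "tr", new string[0] }, { "td", new[] { "colspan" } },
            { "a", new[] { "href", "title" } }, { "img", new[] { "src", "alt" } },
        };

    // Allowed link prefixes (hypothetical host). Each ends with "/", so
    // "https://intranet.example/" is not matched by "https://intranet.example.evil/".
    static readonly string[] ValidBaseUrls = { "https://intranet.example/", "/" };

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);
        SanitizeChildren(doc, doc.DocumentNode);
        return doc.DocumentNode.InnerHtml;
    }

    static void SanitizeChildren(HtmlDocument doc, HtmlNode parent)
    {
        foreach (HtmlNode child in parent.ChildNodes.ToList()) // ToList: list is mutated below
        {
            if (child.NodeType == HtmlNodeType.Comment)
                child.Remove();
            else if (child.NodeType == HtmlNodeType.Text)
                // Decode, then encode exactly once: a stray "<" or "&" in text
                // can never open a tag or an entity in the output.
                ((HtmlTextNode)child).Text =
                    WebUtility.HtmlEncode(WebUtility.HtmlDecode(child.InnerText));
            else if (child.NodeType == HtmlNodeType.Element)
                SanitizeElement(doc, child);
        }
    }

    static void SanitizeElement(HtmlDocument doc, HtmlNode el)
    {
        SanitizeChildren(doc, el); // children first, so el.InnerHtml below is already safe

        string[] allowedAttrs;
        if (!ValidHtmlTags.TryGetValue(el.Name, out allowedAttrs))
        {
            // Not whitelisted: show the tags literally around the sanitised content,
            // e.g. a script element comes back as "&lt;script&gt;...&lt;/script&gt;".
            var start = new StringBuilder("<").Append(el.Name);
            foreach (HtmlAttribute a in el.Attributes)
                start.Append(' ').Append(a.Name).Append("=\"").Append(a.Value).Append('"');
            string end = HtmlNode.IsEmptyElement(el.Name) ? "" : "</" + el.Name + ">";
            string literal = WebUtility.HtmlEncode(start.Append('>').ToString())
                           + el.InnerHtml + WebUtility.HtmlEncode(end);
            el.ParentNode.ReplaceChild(doc.CreateTextNode(literal), el);
            return;
        }

        foreach (HtmlAttribute a in el.Attributes.ToList())
        {
            if (!allowedAttrs.Contains(a.Name, StringComparer.OrdinalIgnoreCase))
            {
                a.Remove(); // onclick, onerror, style, ... never survive
                continue;
            }
            string value = WebUtility.HtmlDecode(a.Value);
            bool isUrl = a.Name.Equals("href", StringComparison.OrdinalIgnoreCase)
                      || a.Name.Equals("src", StringComparison.OrdinalIgnoreCase);
            if (isUrl && !IsAllowedUrl(value))
                value = "#"; // same neutralisation the post applies to href
            a.Value = WebUtility.HtmlEncode(value);
        }
    }

    static bool IsAllowedUrl(string url)
    {
        // Drop whitespace/control characters that disguise "java\tscript:" and friends.
        string v = new string(url.Where(c => !char.IsWhiteSpace(c) && !char.IsControl(c)).ToArray());
        // "/" is allowed, so protocol-relative "//host" and "/\host" must be rejected explicitly.
        if (v.StartsWith("//") || v.StartsWith("/\\")) return false;
        return ValidBaseUrls.Any(b => v.StartsWith(b, StringComparison.OrdinalIgnoreCase));
    }
}
```

For a constructed input such as <b>hi</b><script>alert(1)</script><a href="javascript:alert(1)" onclick="x()">x</a>, Sanitize keeps the bold tag, returns the script element as encoded text, drops the onclick attribute and turns the javascript: href into "#". Children are sanitised before their parent so that a disallowed wrapper (say a div) still shows its allowed inner tags as markup, only the wrapper itself becoming visible text.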



Asp.net Custom Error Page and HttpRequestValidationException

Topic: Development | Tags: , ,

Mar
08
2013

I was starting to pull my hair out at work today. I have a website that is running in IIS 7.5 and uses custom 500 error pages. It is running with Integrated Pipeline and the web.config looks like this:

<customErrors mode="On" defaultRedirect="Error500.aspx" redirectMode="ResponseRewrite" xdt:Transform="Replace">
  <error statusCode="404" redirect="Error404.aspx"/>
  <error statusCode="500" redirect="Error500.aspx"/>
</customErrors>

<httpErrors existingResponse="PassThrough">
  <remove statusCode="500" subStatusCode="-1" />
  <remove statusCode="403" subStatusCode="-1" />
  <remove statusCode="404" subStatusCode="-1" />
  <error statusCode="404" prefixLanguageFilePath="" path="/Error404.aspx" responseMode="ExecuteURL" />
  <error statusCode="403" prefixLanguageFilePath="" path="/Error404.aspx" responseMode="ExecuteURL" />
  <error statusCode="500" prefixLanguageFilePath="" path="/Error500.aspx" responseMode="ExecuteURL" />
</httpErrors>

Everything was working fine. An error would happen, the status code would be set to 500 and the user would be sent to my custom error page. Then something weird came up. Through a security audit, it was brought up that adding <!--> to the query string would throw an application error with a 500 status and show server information. My custom error page was not getting fired. This was a bit strange.

Turns out, two things needed to be done to catch this.

First, I had a base class that ALL my pages derived from. In this base class I had to override the OnError method so that I could catch the error that was happening. I was already using Server.Transfer to send users to my error pages when my own code needed to throw an error, so from OnError I called the method that was doing that error handling, which in turn calls Server.Transfer.

Unfortunately, that in itself wasn’t enough.

When I started investigating further, I noticed an overload of Server.Transfer that I hadn’t noticed before. It takes a parameter called preserveForm. Since .NET was complaining about the query string having dangerous values, doing a Server.Transfer would transfer the request to another page and still carry those dangerous values with it. By default, preserveForm is true, and with it true the GET/POST values are maintained. Setting it to false cleared out the bad query string and allowed my custom error page to function properly.
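Putting the two steps together, here is an added example of such a base page (my code, not this post’s). It assumes the page names from the web.config above and that every page derives from BasePage. The point it makes explicit is that Server.Transfer(path) is the same as Server.Transfer(path, true), so the error page receives the very query string that failed request validation and fails the same way; passing false drops it. Server.ClearError() is what stops the default ASP.NET error page, which is where the server details were coming from, from being rendered after the transfer.

```csharp
// Added example, not the post's code. Assumes Error500.aspx from the post's
// web.config and that all pages derive from BasePage.
using System;
using System.Web;
using System.Web.UI;

public class BasePage : Page
{
    protected override void OnError(EventArgs e)
    {
        Exception ex = Server.GetLastError();
        // Unwrap so the real cause (e.g. HttpRequestValidationException) can be logged.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        // Log ex.GetType() and the stack trace here; never log the raw request that
        // failed validation into something that is later rendered as HTML.
        TransferToErrorPage("~/Error500.aspx");
    }

    // Same helper the page's own code calls when it throws deliberately.
    protected void TransferToErrorPage(string path)
    {
        // Clear the pending error, otherwise ASP.NET still renders its default error
        // page (stack trace, version information) after our transfer.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 500;
        // Integrated pipeline: stop IIS replacing this response with its own 500 page.
        Response.TrySkipIisCustomErrors = true;
        // Server.Transfer(path) means Server.Transfer(path, preserveForm: true), which
        // hands Error500.aspx the same Form/QueryString that just failed validation,
        // so the error page throws the same exception. preserveForm: false drops them.
        Server.Transfer(path, false);
    }
}
```

Server.Transfer ends the current response (it raises a ThreadAbortException internally), so nothing after it in OnError runs; that is the intended behaviour here. The error page itself must not echo anything from the request either, or the rejected input would simply be reflected one page later.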

Hopefully that helps someone else out there.



Bacon Roses

Topic: Cooking | Tags:

Feb
14
2013

BaconRoses

This year I decided to do something different for Valentine’s Day. My wife loves bacon. Maybe not as much as I love bacon but it is pretty high up there. So, I decided to make her some bacon roses instead of some real roses that would die soon. How do you make bacon roses you might ask. It was actually pretty easy.

I started out by getting some fake roses from Walmart. They had 2 different types of fake roses. One type didn’t look like they came apart very easy so I opted for the ones that did. If you look closely at the photo of the one still assembled, you can see that the rose bud should just pop off. The other roses didn’t look like this.

To start out making these, turn your oven on and preheat it to 375. While it is preheating, get a mini muffin pan out and line each hole with tin foil. You don’t have to do this but it helped with cleanup when I was done.

Next, lay a piece of bacon out on a plate and roll it up starting at the wider end of the bacon. Place it in the muffin pan fat side down.

After you get them all rolled up and in your muffin pan, put the pan in the oven and let it bake for about 40 minutes.

After they are done, let them cool a while. Get a vase out and fill it with rocks or marbles or something along those lines. The bacon is going to be a little heavy and it will tip the vase over.

Now, make sure you have all your fake roses disassembled and the pieces sorted out. Discard the rose petals and the orange plastic pieces. Slide the leaf piece back onto the stem and push it down a little. Then place a bacon rose on it and put the whole thing into the vase.

As you see from my photo, the bacon is heavy and pulls things down a little. If I had more time and would have thought about it earlier, I would have used some wire cutters and shortened the stems. I also would have used the red ribbon that came with the fake roses and tied the stems together at the top to get them bunched up better.

Pretty simple over all and they tasted good!





Are you a threat?

Topic: Christianity | Tags:

Oct
24
2012

Acts 19:13-16

13 A group of Jews was traveling from town to town casting out evil spirits. They tried to use the name of the Lord Jesus in their incantation, saying, “I command you in the name of Jesus, whom Paul preaches, to come out!” 14 Seven sons of Sceva, a leading priest, were doing this. 15 But one time when they tried it, the evil spirit replied, “I know Jesus, and I know Paul, but who are you?” 16 Then the man with the evil spirit leaped on them, overpowered them, and attacked them with such violence that they fled from the house, naked and battered.

Paul was doing a lot of miracles at this time. He was overflowing with the Holy Spirit so much that even handkerchiefs he had touched would heal people. God was doing some amazing things through him. Evil spirits surely knew who he was and what he was doing. These priests tried to leverage that, figuring the evil spirits would tremble at the name of Jesus or the name of Paul. It didn’t work though. The evil spirits were not afraid of these priests who really didn’t believe in Jesus. These priests really presented no threat to the evil spirits.

It isn’t enough to just know about Jesus. It isn’t enough to read the Bible. Satan knows who Jesus is after all. Just knowing about Jesus doesn’t give you power over evil.

When I read this it makes me think about my own life. Am I a threat? Do Satan and his demons know who I am? Have they conspired to bring me down, or am I like these priests, someone they don’t consider a threat? Am I doing enough to further the Kingdom of God to be on their hit list?

Going through life and being a “good” person isn’t enough to be a threat. Just because I am nice to people isn’t enough. Just because I sit here in the morning, reading some scripture and writing about it, doesn’t mean I am a threat if I am not doing anything with what I read. It doesn’t mean anything if I am not sharing this with other people.

I want to be a threat to Satan. I want him and his evil spirits to know who I am.

Lord, I pray for your Spirit to fill me. I pray for your strength to empower me. I pray for the courage to share with others about who you are. I pray that I would have the huevos to talk to others about you and not be afraid of what they might say.