Friday, 11 April 2014

From Azure to Firebase: Could not establish trust relationship for the SSL/TLS secure channel.

UPDATE (16/Apr/2014): Following a lead from Firebase Support, it looks like the problem could be inside Azure for all SSL connections, since "https://www.google.pt".GET(); also doesn't work.

Just had a really weird scenario happen to me in the last couple of hours, which could be somebody hacking Azure (but I think there is a more benign explanation).

The new version of TeamMentor (currently in 3.4.1 RC0) has a really cool real-time log/activity log viewer which uses Firebase to push data and pull data (from a 'configured TM server' into 'multiple browser-based viewers').

For a while all was good (both locally and in Azure), but in the last couple of hours I noticed that the 'data push' stopped working (i.e. my test version of TM running on Azure was not pushing Activities, DebugMsg and RequestUrls into the assigned Firebase account).

Here is what the viewer looks like (with new messages not being received):

On the unrealistic expectations on OWASP board members, and the 'myth of the OWASP Board member'

Following Michael's original OWASP.next post to the leaders list (regarding his OWASP.next post on the OWASP blog), Dennis replied with a number of examples of rotten leadership, which I don't really agree with, and I posted the text below as my reply.

For a while I have been saying that putting such 'expectations and requirements' on board members was going to cause a lot of friction, and this is just another example of it.

I don't actually agree with Dennis' analysis. But the reason I don't agree is not due to the fact that he is correct (or not) in his analysis. My view is that it is completely unrealistic to put such a high level of expectation on OWASP board members, especially in terms of their behaviour, morals, actions and words. My biggest problem with current/past board members is the lack of action, decisions and delegation of duties :)

Thursday, 10 April 2014

RIP 'Belly Cruz', 12 year old Labrador

Today was a sad day :(

We had to put our 12-year-old 'Belly' to 'sleep'.

She got hit by a brain tumour a couple weeks ago, which left her without being able to walk and without any quality of life.

But what we have to remember is that she had a great life, full of joy and happiness (although she never managed to catch the squirrel, even after hundreds of attempts).

She was able to keep a mental map of every single plate/pot/pan that had not been licked (yet), and was always super excited to find our house (after going out for a walk).

She will be missed ... our silly dog....

Tuesday, 8 April 2014

OpenSSL Heartbleed Bug (read server side memory anonymously)

Wow, this is a pretty nasty vulnerability:

"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). 

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
(from http://heartbleed.com/)

See if your website is vulnerable using: http://filippo.io/Heartbleed/ 

PoCs:
References



Monday, 7 April 2014

Published Beta version of "Practical O2 Platform Tools" eBook

After releasing the "Practical AngularJS", Practical Git and GitHub, Practical Jni4Net and Practical Eclipse books, here is an equivalent book containing the O2 Platform Tools related blog posts.

This new eBook has 113 pages and is made of 23 blog posts published in the last couple of years.

The posts are grouped by topic and represent a number of mini-tools created by the O2 Platform.

This eBook is available at https://leanpub.com/Practical_O2Platform

Sunday, 6 April 2014

Monday, 31 March 2014

Published Beta version of "Thoughts on OWASP" eBook

After releasing the "Practical AngularJS", Practical Git and GitHub, Practical Jni4Net and Practical Eclipse books, here is an equivalent book containing my OWASP related blog posts.

This new eBook has 165 pages and is made of 67 blog posts published in the last couple of years.

The posts are grouped by topic and represent a lot of my thinking about OWASP, the current AppSec industry and other philosophical ideas.

This eBook is available at https://leanpub.com/Thoughts_OWASP

Sunday, 30 March 2014

Programmatically configuring a WCF service without using .config files (using FluentSharp REPL)

This post will show how to consume a WCF service directly, firstly using VisualStudio and secondly using the O2 Platform C# REPL environment.

The VisualStudio example will use the FluentSharp – C# REPL NuGet package (which will also show how to dynamically program the WCF service in a REPL environment).

Part 1) The WCF test service

In VisualStudio, start by creating a new WCF Service Library project called WcfServiceLibrary1.

Monday, 24 March 2014

E2E testing AngularJS links and routes using NCrunch, VisualStudio and FluentSharp.WatiN

In order to have real TDD while developing AngularJS inside VisualStudio, I needed a way to write C# Unit Tests that could be executed in the background by NCrunch (i.e. in real-time during coding).

Since I wanted to do E2E (End-to-End) testing of the AngularJS app, I needed either a good mocking environment (like the one provided by KarmaJS/AngularJS Mocks) or the real thing (i.e. actually running the app on a local IIS/Cassini server).

If I have the choice, I always prefer to run my tests without mocking (or with as few mocks as possible), since that allows for a much more realistic test environment and promotes much better engineering and coding practices.

This post shows how I created such an environment and provides a couple of examples of C# tests written to check if links created by AngularJS directives and routes are being correctly set.

Sunday, 23 March 2014

Problem with AngularJS ng-view, it doesn’t work when inside a directive

I hit an interesting problem yesterday with AngularJS views. They (the views) were working when clicking on a link, but not when accessed directly or when the back button was used (which broke the idea of AngularJS routing, since it is supposed to handle those two key scenarios).

After quite a bit of debugging, I was able to track the problem to the fact that if I placed the ng-view directive inside another directive, the refresh and back button would break (although it would work ok for links and direct browser url manipulation).

What is really nice, is that I was able to use the .NET C# based Unit Test infrastructure to confirm this problem and test for it :)

Thursday, 20 March 2014

Somebody doesn't like me at /r/netsec sub-reddit (updated with moderator's feedback)

UPDATE: this is most likely a misunderstanding on my part, and lack of coffee in the morning (see the reddit moderator image at the end of the post):



Again I had a link (this one) removed from http://www.reddit.com/r/netsec which is very weird.

In most (sub)reddits what happens is that the links I (and others) post are given a couple hours to get up-votes and comments. If they don't they get relegated to the archives (i.e. not on the first couple pages) and forever forgotten (which is how it should be).

But /r/netsec is the only one where I actually see the posts 'disappear' from both the Hot and New pages, which means that there is somebody out there who probably doesn't like me and is actively blocking those posts.

This is a shame since it should be the community that decides what is interesting and valuable, and in this case the XStream/XmlDecoder/REST issues deserve to be known and fixed.

Updated presentation of 'RESTing On Your Laurels will Get You Pwned' (RSA version)

At the last RSA conference, Abe and Alvaro presented an updated version of the RESTing On Your Laurels will Get You Pwned presentation (originally delivered by me and Abe at DefCon 2013).

Here is the description:
Public REST APIs have become mainstream. Now, almost every company that wants to expose services or an application programming interface does it using a publicly exposed REST API. This talk will give participants the skills they need to identify and understand REST vulnerabilities. The findings are a result of reviewing production REST applications as well as researching popular REST frameworks.
By Abraham Kang, Alvaro Muñoz and Dinis Cruz
In addition to the original demos we did, Alvaro added a nice Metasploit PoC which really should drive home the problem with XStream and XMLDecoder.

Monday, 17 March 2014

Published Beta version of "Practical Eclipse Plugin Development" eBook

After releasing the "Practical AngularJS", Practical Git and GitHub and Practical Jni4Net books, here is an equivalent book containing my Eclipse related blog posts.

This new book has 363 pages and is made of 33 blog posts published in the last 9 months.

As with the first release of the other books, I'm starting with the original chronological/published order, and will try later to figure out a better logical way to group these posts together.

The articles' HTML was converted by LeanPub into Markdown, and LeanPub also created the eBook versions linked below (pdf, mobi, epub and online).

Sunday, 16 March 2014

Published Beta version of "Practical Jni4Net" eBook

After releasing "Practical AngularJS" and Practical Git and GitHub, here is an equivalent book containing my Jni4Net related posts.

This new book has 74 pages and is made of 13 blog posts published in the last 16 months.

As with the first release of the other books, I'm starting with the original chronological/published order, and will try later to figure out a better logical way to group these posts together.

The articles' HTML was converted by LeanPub into Markdown, and LeanPub also created the eBook versions linked below (pdf, mobi, epub and online).

Saturday, 15 March 2014

Google Location tracking is a step too far for me (but it's good they expose it)

Today, I was looking at my Google Dashboard 'Account Activity', when I noticed the 'Location Tracking' section, which, when I realised what it really meant, was quite freaky (and Big Brotherish).

The good news is that at least Google exposes this information, and provides a way to say 'no please' (which, as you can see below, is exactly what I did).

What would be really good/important is if everybody that currently holds/collects this type of data (other businesses/startups, telecom companies, GCHQ/NSA/Other-3-letter-gov-agency, XSS infected websites, owners of compromised browsers, etc...) would at least expose the fact that they are collecting and storing it (ideally there would also be a way to opt out).

Another worrying behaviour that is missing from the Google Dashboard is the mapping of 'who has current access to this information' and 'who had access to it in the past (both humans and bots)'. This is relevant not just for Location Tracking data, but also for the other types of data/information/knowledge Google stores about me (and you, and your kids).

Of course, the fact that I asked Google not to track this information (and that they no longer show it to me) doesn't mean that they are not still capturing it.

Ironically, given the current 'everybody is potentially guilty' mentality of the security agencies today, I bet that asking for the location data NOT to be stored is seen as a 'red flag' and most likely will mean that others WILL indeed start tracking my location (if they are not already).

Friday, 14 March 2014

Interesting validation problem on new user's email, caused by a TLD in caps (and using NCrunch to test it)

While working on this issue and improving the Unit Test coverage of TeamMentor's user creation code, I noticed that:
    a) these emails worked:
    abc@def.ghi , ABC@def.ghi , abc@EDF.ghi
    b) but these ones didn't:
    abc@def.Ghi , abc@def.gHi , abc@def.GHI
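The split above (local part and domain labels accepting either case, but the TLD rejected as soon as it contains a capital) is the signature of a validation pattern whose final character class is lower-case only. The following Python snippet is an added example, not TeamMentor's code: the "weak" pattern is constructed to reproduce the reported symptom and is not the project's actual validator. It runs both patterns over the six addresses listed and also shows a domain-only normalisation step, since DNS names are case-insensitive while the local part may not be.

```python
import re

# Constructed pattern reproducing the symptom described in the post:
# local part and domain labels accept either case, but the TLD class
# is lower-case only, so "abc@def.GHI" is rejected while "ABC@def.ghi" passes.
WEAK_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[a-z]{2,}$")

# Corrected pattern: identical structure, but the TLD class accepts both cases.
# (Domain names are case-insensitive, so the case of the TLD must never matter.)
FIXED_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# The six addresses from the post, grouped as the author reported them.
WORKED = ["abc@def.ghi", "ABC@def.ghi", "abc@EDF.ghi"]
FAILED = ["abc@def.Ghi", "abc@def.gHi", "abc@def.GHI"]


def is_valid(email, pattern=FIXED_EMAIL_RE):
    """True when the whole string matches the given pattern."""
    return pattern.fullmatch(email) is not None


def compare(emails):
    """Map each address to (weak_result, fixed_result) so the two behaviours
    can be inspected side by side."""
    return {e: (is_valid(e, WEAK_EMAIL_RE), is_valid(e, FIXED_EMAIL_RE)) for e in emails}


def normalize_domain(email):
    """Lower-case only the domain part before storing or comparing.

    Keeping the local part untouched matters: mailbox names may be
    case-sensitive, while the domain (including the TLD) is not. Normalising
    the domain keeps uniqueness checks from treating 'abc@def.GHI' and
    'abc@def.ghi' as two different accounts."""
    local, _, domain = email.rpartition("@")
    return f"{local}@{domain.lower()}"


if __name__ == "__main__":
    for email, (weak, fixed) in compare(WORKED + FAILED).items():
        print(f"{email:<14} weak={weak!s:<5} fixed={fixed!s:<5} stored as {normalize_domain(email)}")
```

Running the block prints one line per address; the three "worked" addresses pass both patterns, the three "failed" ones pass only the corrected one. The same defect appears in any language whenever a hand-written pattern uses `[a-z]` for one component and `[A-Za-z]` (or an ignore-case flag) for the rest, which is why a test set covering case variation in every component, not just the local part, is worth keeping in the unit tests.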

Wednesday, 12 March 2014

Managing LeanPub books' Markdown content using Git and GitHub (synced back to LeanPub via DropBox)

The original releases of my Practical AngularJS and Practical Git books were made using LeanPub's DropBox model, which was OK, but lacked two massive features: version control and interface for community interactions.

Inspired by Dennis Groves' idea and workflow described in OWASP Press and using LeanPub with GitHub and DropBox, I was able to use Git and GitHub to track changes on these books.

Which means that from now on, not only can I use the GitHub repositories to track/document the changes I make, but you can also submit your ideas/problems directly as GitHub issues and fixes as Pull Requests :)

Here is the GitHub repo for the AngularJS book: https://github.com/DinisCruz/Book_Practical_AngularJS

Here is the GitHub repo for the Git/Hub book: https://github.com/DinisCruz/Book_Practical_Git

For an example of how to use GitHub to submit and fix a content problem, see this issue https://github.com/DinisCruz/Book_Practical_Git/issues/1 which was fixed by this commit https://github.com/DinisCruz/Book_Practical_Git/commit/7c53c396f4209bb2521dccadbfcfbe8c90318ba7

Published Beta version of "Practical Git and GitHub" eBook

After releasing "Practical AngularJS", here is an equivalent book containing my Git and GitHub related posts.

The book has 411 pages and is made of 60 blog posts published in the last 18 months.

As with the first release of the AngularJS book, I'm starting with the original chronological/published order, and will try later to figure out a better logical way to group these posts together.

The articles' HTML was converted by LeanPub into Markdown, and LeanPub also created the eBook versions linked below (pdf, mobi, epub and online).

Tuesday, 11 March 2014

Thank you message sent to all readers of the "Practical AngularJS" book

After publishing the Beta version of the "Practical AngularJS" Book (in both digital and print format) I was very pleasantly surprised by:
    a) the number of readers who got the book for free
    b) the number of buyers
    c) the general positive kudos of the reddit threads that I started about the book

Using the Leanpub system available on https://leanpub.com/Practical_AngularJS there were 567 downloads/registrations and 24 purchases (which is really great, if we take into account that the book is still in an early beta format, and they 'chose to buy', since there was the option available to get it for free).

Sunday, 9 March 2014

Published Beta version of "Practical AngularJS" Book (in both digital and print format)

I just released a book based on the 23 AngularJS posts currently published in this blog (as a public beta).

The articles' HTML was converted by LeanPub into Markdown, and LeanPub also created the eBook versions linked below (pdf, mobi, epub and online). The printed version was created at Lulu.

At the moment the book can be downloaded for free and the book has a small markup (you can also choose to pay for the digital version).

Please take a look and let me know what you think of the structure, font, layout, order, content, voice, idea, etc...

Here are the links to the multiple places you can get the book:
  • eBook (PDF, EPub or MOBI) at Leanpub (I've set the minimum price to zero so you can download it for free)
  • Printed book (Paperback, 163 pages) at Lulu.com
  • Online: LeanPub also publishes the entire book available in one long HTML page (note that there are LOTS of images to load in this page)

Sunday, 2 March 2014

Why doesn't the Eclipse community stand up more to IntelliJ?

When I posted to reddit a link to my recent Eclipse Groovy script to remove the 'busy' image from the WebBrowser Editor post, what I hoped would happen was a thread around the idea of 'fixing in real time minor (but-very-annoying) issues that exist in the IDEs that we use every day'.

After all, there are very few IDE environments that allow that kind of real-time programmatic access to the currently running IDE (which allows the creation of new 'plugin-like functionality' without needing to run an 'IDE dev instance' in the background).

For reference, the reason why I took the time to develop the Eclipse Groovy REPL Scripting Environment was because I did the same on this VisualStudio C# REPL extension, and knew how powerful (and useful) it was to have the ability to 'script the IDE'.

Saturday, 1 March 2014

Programmatically changing an AngularJS scope variable and adding Firebug Lite to an AngularJS app

In this post I'm going to show two really nice tricks that help when developing AngularJS applications:
  • adding Firebug Lite to the current browser
  • changing the scope value outside a normal AngularJS controller, service or module
Let's say that we are inside Eclipse and have this simple AngularJS app (gist here)

Eclipse Groovy script to remove the 'busy' image from the WebBrowser Editor

Now that I'm doing AngularJS and Firebase development inside Eclipse, there was a little 'thing' that was starting to drive me crazy: The animation icon on the top right of the Eclipse WebBrowser!

Apart from the mosaic 2000s look (which is kinda ok), there is a big problem with pages that keep running for a while: the animation doesn't stop!

This means that if you are developing inside Eclipse, there is this 'thing' (i.e. the top right icon) that keeps moving and demands my brain's attention:

C# example of using Firebase REST API

Once I got my head around how Firebase worked (see here multiple Firebase related posts), my next step was to figure out a way to send data to it from C#, namely from TeamMentor.

To try it out, I used the Web C# REPL that is part of TeamMentor's admin section (which gives me a great interactive environment to quickly test new APIs).

Friday, 28 February 2014

Using AngularJS in Eclipse, Part 4) Create Components

This is the last of four posts on how to run (inside Eclipse) the examples provided on AngularJS's home page:
The example covered in this post is the Create Components: