Avoiding unnecessary risks with your Google account

Almost everybody nowadays has a Gmail/Google account. We use it for email, to read our feeds, store our bookmarks, edit our documents, and whatever else. This means we are constantly logged in to these services with our Google account username and password. The most “paranoid” users never check the “keep me logged in” checkbox, while the majority check it once and never think about it again.

If you “worship” your Google account, and the idea of losing it sounds catastrophic because your whole life is in it, you might want to keep reading this post.

What’s the problem?

The web is mostly an unsafe place, and browsing “random” web sites while your Google account is logged in can be a game of Russian roulette. With recent techniques like clickjacking, an attacker can set up a web page with malicious code that uses your logged-in Google session to perform actions on your behalf: it rides on the session your browser already has, so no password has to be stolen. If you don’t believe this, you can try it yourself in the following example.

You can try this with a dummy Gmail account if you don’t feel comfortable using your real one.

Log in to your dummy Gmail account, open a new tab and go to this website. Now click the “send” button on the page, then check the Sent folder of your dummy Gmail account. You will see that you have just sent an email without noticing (well, you would have noticed if you had looked at the status bar, but by then it was too late anyway).

The way to achieve a hack like this is not very complex. Quoting the author:

You get a copy of the generated HTML code of the target web page, then you simply hide everything except for the button you want to overlay. You could draw other things using absolute positioning, but this is enough for most scenarios.

You can checkout the “ghost page” here: http://www.sirdarckcat.net/dad.html

This attack has its pros and its cons. The most important pro is that it’s the best way of doing cross-browser exploits, since you don’t depend on the sizes, margins, overflow rules, etc. that different browsers use.

Possible solutions?

The best way to defend against these attacks, even if it is not an ideal solution, is simply to reduce the time you spend logged in within the browser. In fact, you can use these services without any logged-in session in the browser at all.

The answer is simple: don’t use these services’ web interfaces in the browser on your personal computer. For Gmail, use a POP or IMAP client of your choice; for everything else, use Prism. Prism lets you run web applications in a desktop/standalone mode, so each application runs in its own window with its own session, separate from your general-purpose browser. A malicious page opened in that browser then has no logged-in session to ride on, leaving you free to browse in a more relaxed manner.

Why do I say “on your personal computer”? Because it’s on your daily-use machine that you are most tempted to save login forms and stay logged in, which is exactly what leaves you exposed to the type of attack described above. On other machines you are less tempted to do that, because it’s not your machine or it’s a public computer, and you spend much less time on it.

While I’ve been talking about Google accounts and Gmail throughout this post, any other service that performs actions on the strength of a logged-in session may be vulnerable to this type of attack, though Google services are generally better secured than the rest.

What can web developers do?

Not much, really. For web developers, the way to prevent your site from being opened inside an iframe is the piece of code known as “the Framekiller”. This is a JavaScript snippet to include in your HTML pages:

<script type="text/javascript">
// If this page is not the top-level window, navigate the top window to it
if (top !== self) top.location.replace(self.location.href);
</script>

This works with the obvious client-side limitations: it does nothing when JavaScript is disabled, and an attacker who controls the framing page can neutralize it (for example with an iframe sandbox attribute that withholds top-level navigation, so the top.location assignment is simply ignored). It shouldn’t be regarded as a reliable approach on its own, but it definitely helps. The reliable control is server-side: the X-Frame-Options response header (and, in browsers that support it, the Content-Security-Policy frame-ancestors directive) tells the browser itself not to render the page inside a frame, regardless of what the framing page does.

More on the subject

If you wish to know more about other similar techniques, you can check these links below:

CSS Attacks

Clickjacking

TwitterPHP 0.5 released and lessons learned…

This Friday I released a new version of the TwitterPHP library. In this version I’ve done some code optimization, removed some files and switched to Doxygen for class documentation.

First, all methods were returning a SimpleXML object, which is a mistake in terms of flexibility. I’ve changed them all to just return an XML string. Now it’s up to the user (programmer) to choose how to access/parse the XML.

Second, TwitterPHP is a class, so you can instantiate it several times for, let’s say, accessing multiple accounts. At least you should be able to do that, but since I was reading the Twitter username and password from a configuration file (naive, I know), multiple instances could only use the same account. Now the problem is solved by simply adding the username and password as arguments of the constructor method and removing the configuration file.

Third and last, I switched from PHPDocumentor to Doxygen. This was mainly because I found out that Doxygen is much more flexible: I can use it with any other project in any other language. And the resulting documentation is faster and cleaner than PHPDocumentor’s.

So you can take a look at the new version of TwitterPHP here and the documentation generated by Doxygen here.

In future releases I’m planning to add OAuth support and implement more Twitter API actions.

Object Oriented Javascript

Recently, I’ve been playing with object-oriented JavaScript. This language, despite its chaotic nature, can be very powerful when used with some best practices (hmm, that’s funny, I’d swear I’ve heard this before).

One of the most interesting things about JavaScript OO is the way to define a class. Actually, there is no “class” keyword at all: a constructor function plays that role, and methods are attached to its prototype. So here’s an example of how to create a Book class in JavaScript:

/** The constructor function; in JavaScript the function itself defines the "class" **/

function Book (isbn, title, author) {
    this.isbn = isbn;
    this.title = title;
    this.author = author;
}

/** And now the getters **/

Book.prototype.getISBN = function () {
    return this.isbn;
}

Book.prototype.getTitle = function () {
    return this.title;
}

Book.prototype.getAuthor = function () {
    return this.author;
}

If your class has attributes that are not passed as constructor arguments, you can declare the attribute on the prototype just like we did for the methods. Note that a value declared this way is a default shared by every instance; assigning to it through this on an instance creates a per-instance copy that shadows the default:

// default value, shared by all instances until one of them assigns its own
Book.prototype.numTimesRead = 5;

// a setter: "this.numTimesRead = n" creates the attribute on that instance only
Book.prototype.setNumTimesRead = function (n) {
    this.numTimesRead = n;
}

Now if we wish to instantiate our class, it’s identical to most OO languages:

var mybook = new Book("123", "Dive into Python", "Mark Pilgrim");

// I tried to output this the ugliest way possible :P
// getElementsByTagName returns a collection, so pick the first (only) body element
document.getElementsByTagName("body")[0].innerHTML = "Title: " + mybook.getTitle();

This replaces the entire content of the body element (hence “pwn your body element”) with the book title; you can add any other info as you wish.
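As an added example, not code from the original post, the following builds on the Book class above to show the two things the prototype pattern is usually used for next: inheriting from a class by chaining prototypes, and the pitfall of putting a mutable value on the prototype, where one array ends up shared by every instance. It repeats a trimmed Book constructor so it runs on its own; EBook, tags, sharedNotes, addTag and demo are names I made up for this example, and the book titles are sample data.

```javascript
// Added example, not from the original post. Repeats a trimmed Book
// constructor so it runs on its own; EBook, tags, sharedNotes, addTag and demo
// are assumed names and the book data is constructed for the demonstration.

function Book(isbn, title, author) {
    this.isbn = isbn;
    this.title = title;
    this.author = author;
    // Per-instance state belongs in the constructor: each book gets its own array.
    this.tags = [];
}

Book.prototype.getTitle = function () {
    return this.title;
};

Book.prototype.addTag = function (tag) {
    this.tags.push(tag);
    return this;
};

// A mutable value declared on the prototype is ONE object shared by all
// instances; mutating it through any instance changes it for the others.
Book.prototype.sharedNotes = [];

// Subclass: run the parent constructor on the new object, then make
// EBook.prototype inherit from Book.prototype.
function EBook(isbn, title, author, format) {
    Book.call(this, isbn, title, author);
    this.format = format;
}
EBook.prototype = Object.create(Book.prototype);
EBook.prototype.constructor = EBook;

// Override a method and still reach the parent implementation.
EBook.prototype.getTitle = function () {
    return Book.prototype.getTitle.call(this) + " (" + this.format + ")";
};

function demo() {
    var a = new Book("111", "Dive into Python", "Mark Pilgrim");
    var b = new EBook("222", "Eloquent JavaScript", "Marijn Haverbeke", "epub");
    a.addTag("python");
    b.addTag("javascript");
    a.sharedNotes.push("leaks into b");   // mutates the array on Book.prototype
    return {
        aTags: a.tags,                     // ["python"]
        bTags: b.tags,                     // ["javascript"]: a separate array
        bSharedNotes: b.sharedNotes,       // contains "leaks into b" although b never touched it
        bIsBook: b instanceof Book,        // true: the prototype chain reaches Book.prototype
        bTitle: b.getTitle(),              // "Eloquent JavaScript (epub)"
        ownKeys: Object.keys(b),           // own properties only; prototype members are not listed
        hasOwnSharedNotes: b.hasOwnProperty("sharedNotes")   // false: it lives on the prototype
    };
}
```

The per-instance tags array and the prototype-level sharedNotes array look the same when read, which is exactly why the shared one is a trap: a default value on the prototype is fine for numbers and strings (as with numTimesRead above), but for arrays and objects it should be created in the constructor.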

You may find more on object oriented programming with Javascript at the Mozilla’s Developer site.

Extreme Programming

Some time ago, I wrote a post about Agile Software Development methodologies, where I mentioned Extreme Programming (aka XP).

I was thinking about writing a post on Extreme Programming, but I’ve just found a very good video of a lecture on the subject by Richard Buckland, that explains it the best way possible and with some humor. So here’s the video:

This is a highly recommended video for those that want to learn about Extreme Programming and Unit Tests.

Video Link: http://youtube.com/watch?v=XP4o0ArkP4s

TinyURL reversing

TinyURL is an online service that shortens long URLs so that they take up less space in services like Twitter and others.

This is definitely a tool of great convenience, but like almost everything in life, it has a drawback. Actually, two drawbacks. First, spammers, phishers and the like use this service to mask the URL of their malicious website, so that when someone sees the link they feel comfortable clicking it, unaware of what’s coming. Second, it’s slowly building a “broken” web, because if this kind of service disappears, a good portion of the links on the web will stop working. And that can’t be good.

Against the first drawback, TinyURL has a preview feature: a preview.tinyurl.com link shows the destination instead of redirecting immediately, but hardly anyone uses it.

Some time ago, I developed a small online tool that unveils every tinyurl that is sent to it. But its usefulness is almost none, since no one will bother to visit another website just to unveil a tinyurl’s target. So, to simplify that process, I’m developing a Firefox extension that integrates with the tool, so that when you visit a tinyurl, the URL is passed through the reverser before it is loaded and the target is shown in a confirmation popup or just a tooltip.

While the extension is not ready, here is a small example of how to reverse a tinyurl in PHP. It’s very simple and straightforward:

function reverse_tinyurl($url){
	// Take the part after "tinyurl.com/" and ask the preview page for the target
	$url = explode('.com/', $url);
	$url = 'http://preview.tinyurl.com/'.$url[1];
	$prev = file_get_contents($url);
	// [^"]* stops at the closing quote; a greedy .* would run to the last "> on the line
	if (preg_match('/id="redirecturl" href="([^"]*)"/', $prev, $res)) {
		return $res[1];
	}
	return null;
}

Well, or maybe if you prefer Ruby:

require 'rubygems'
require 'net/http'
require 'uri'

def reverse_tinyurl(url)
    # Take the part after "tinyurl.com/" and ask the preview page for the target
    url_parts = url.split('.com/')
    preview_url = "http://preview.tinyurl.com/#{url_parts[1]}"
    response = Net::HTTP.get_response(URI.parse(preview_url))
    # [^"]* stops at the closing quote instead of running to the last "> on the line;
    # return nil instead of crashing when the preview page has no such link
    match = response.body.match(/id="redirecturl" href="([^"]*)"/)
    match ? match[1] : nil
end

Or if you are more of a Python guy/girl:

from lxml import etree

def reverse_tinyurl(url):
    # Take the part after ".com/" and ask the preview page for the target
    code = url[url.find(".com/") + 5:]
    preview_url = "http://preview.tinyurl.com/" + code
    # lxml fetches the URL itself and parses the HTML leniently
    parser = etree.HTMLParser()
    tree = etree.parse(preview_url, parser)
    elem = tree.findall('.//a[@id="redirecturl"]')
    if len(elem) == 1:
        return elem[0].get("href")
    return None

These examples should get you started on developing something around this.

Macbook RAM upgrade

[Image: MacBook with 4 GB of RAM]

I decided to upgrade the RAM of my black MacBook. I was noticing it getting slower on some more demanding apps, so I upgraded it from 1 GB to 4 GB (2×2 GB) of Kingston RAM. Damn, it’s fast now! :D

By the way, I decided to post this on the blog and not on Twitter just for a change :P

PHP files – Closing the PHP tag or not?

A lot of people think that a PHP file without a closing tag is not only strange but wrong and won’t compile. That’s far from the truth. In fact, Zend (the company behind the PHP language) even forbids the closing tag in PHP-only files in the Zend Framework.

Here’s an example:

<?php

function foobar ($foo) {
    echo $foo;
    return 0;
}

Most programmers would put a ?> at the end of a file like this. It works, but in PHP-only files it’s not recommended.

How come this is good practice? Well, first of all, the PHP interpreter won’t complain about a missing closing tag. Second, and most important, anything after ?> (even a single trailing newline or space) is sent to the client as output. If such a file is included before the script calls header(), setcookie() or session_start(), that invisible whitespace starts the response body, the headers are committed, and those calls fail with a “headers already sent” warning. Leaving the closing tag out removes the possibility altogether.

Quoting the PHP manual:

The closing tag of a PHP block at the end of a file is optional, and in some cases omitting it is helpful when using include() or require(), so unwanted whitespace will not occur at the end of files, and you will still be able to add headers to the response later. It is also handy if you use output buffering, and would not like to see added unwanted whitespace at the end of the parts generated by the included files.

Of course, there are people who radically disagree with this. They point out that leaving the PHP tag open is programming laziness (although I don’t see how anyone can be lazy about writing two characters), and they also say it’s fear, an “easy and safe solution”. Well, the “easy” part makes some sense, but the “safe” one?! Oh, ok… let’s just fire all the security-conscious programmers! Who needs security? Security is bad. Not. PHP already has a very bad reputation because of this kind of attitude.

I’m sure there are better arguments against this, but my opinion is to leave it open: don’t close the tag, it can bring unnecessary problems. Omitting it won’t harm your PHP code and won’t make you lose hours trying to debug some invisible whitespace.

TwitterPHP

I’ve created this project in order to simplify the process of interacting with the Twitter API on a project I’m working on. So I decided to release it as open-source so that others could use it if they find it useful.

What is TwitterPHP? It’s an object-oriented and easy-to-use PHP library to interact with the Twitter API. It is still in development but it has almost every API feature implemented, which makes it the most complete of its kind (at least from what I’ve seen out there; please correct me if I’m wrong). You can do lots of stuff with TwitterPHP: you can write your own client or bot, or even just use it to display Twitter info on your blog or website.

You can check out the Google Code project page and soon I will host the phpdoc online, to make it easier (but it’s already included in the zip file).

Link: twitterphp.googlecode.com

Some days are just like this…

[Image: modern life...]

Image taken from here

Job change and other updates…

I’ve been away from this blog for some days because I’ve been busy changing jobs. I’m now working full-time at a new place and have left the part-time job at Faculdade de Ciências. My new workplace is Mr.Net, where I work as a Web Developer.

In the meantime I’ve also been developing some toy apps, that are almost done. One is a tool to use with Filebuster, that downloads every file linked on a web page and the other one is a twitter bot that alerts you (by sending a direct message) when a specified web page has changed (aka gets updated). All basic stuff, but proved to be useful in certain situations.