Pixelated Words

Instant+

This snippet demonstrates how you can instantly search Google+ with the Google+ activities.search API.

It uses:

• jQuery for convenience and brevity.
• mustache.js for templating the markup.
• Google+ API for searching all public activities available on Google+.

If you want to play with the end result and see it running, check it out here!

Disclaimer: If you want to use this in an actual application, all fields emitted by the API should be sanitized & escaped appropriately! You probably want to proxy the API calls through your server, where they can be sanitized with the tool of your choice.

This post is meant for applications that want to use OAuth 2 and are able to use the Android AccountManager.  The  Android AccountManager gives you access to a registry of the user’s online accounts.

Your application needs to prompt the user with a list the available accounts by calling AccountManager#getAccountsByType(String) and allow the user to select their Google account. Once an Account is selected by the user, your application can ask the user for permission to access their data. If the user approves, Google will send your application an access token.

Getting a user’s permission:

Calling AccountManager#getAuthToken will prompt the user for permission to access their data. You need to pass getAuthToken a string containing the required OAuth scopes using the following syntax: oauth2:scope.

For example, if you want to use the Buzz scope, you will pass the string “oauth2:https://www.googleapis.com/auth/buzz“ to getAuthToken.

Example Code:

Cross Site HTTP Authentication seems to be one attack vector that’s often overlooked across the web.

The attack vector is quite simple.  When the WWW-Authenticate is presented to the browser, it will prompt the user for a user name and password and send it back to the requester. This is a problem because when a webpage is loaded, any external resource requested by that page can request HTTP Authentication and trigger this dialog.

There are two ways we can address this issue. Captain obvious says that we should only load trusted resources. This is excellent advice and should be done anyways for countless reasons.

We can also ask browser venders to disallow HTTP Authentication for external resources loaded by a webpage by following a variant of the same-origin-policy.

Proposed change in user agent behavior

When the page http://good.com/resource is rendered, the following table outlines how external resources (requiring Authentication) could be treated. RFC 2617 should be updated to account for these cases.

http://evil.com/auth.png

http://good.com/auth.png

ws://good.com/secure.html

http://good.com:99/auth.png

http://1.good.com/auth.png

References

• RFC 2616 (Hypertext Transfer Protocol – HTTP/1.1)
• RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication).
• Caja: http://code.google.com/p/google-caja/wiki/PhishingViaCrossSiteHttpAuth
• The Web Origin Concept: http://tools.ietf.org/html/draft-abarth-origin-06

This YQL execute table demonstrates how you can make basic DOM operations in YQL. The table also demonstrates how you can screen-scrape a website with jQuery in a YQL execute table.

You can test this example out on the YQL console right now!

Apparently we can generate OpenSocial gadgets with Yahoo! Pipes. Here’s how:

http://pipes.yahoo.com/pipes/igoogle.widget?pipe_id=INSERT_PIPE_ID&_btype=map&hideHeader=1&name=INSERT_GADGET_NAME&height=300px

pipe_id is your Yahoo! Pipe’s id. You can find it in the URL.

_btype depends on how you want to represent your pipe’s data. It can be map, list, or rss.

Here’s an example pipe exported as an OpenSocial gadget.

http://pipes.yahoo.com/pipes/igoogle.widget?pipe_id=_Ia89ose3BGMZ6YNlvXiAA&_btype=map&hideHeader=1&name=US+population&height=300px

The word proxy as defined by Merriam Webster means a person authorized to act for another. This meaning, when transposed to the Web is a bit similar. Wikipedia defines a proxy server as a “server that acts as an intermediary for requests from clients seeking resources from other servers.”

Problems arise when the proxy server acts as an intermediary to servers that it cannot trust.

Content

The city’s central computer told you? R2-D2, you know better than to trust a strange computer.
- Star Wars Episode V: The Empire Strikes Back

Don’t repeat something that you wouldn’t say yourself. Although this is a corollary to the golden rule we all learned in kindergarden, it also applies to proxies. You probably don’t care about evil content being spewed by random servers on the internet, but you should care when it comes from your servers.

1. XSS: The Cross Site Scripting Cheat Sheet is a good place to start learning about sanitizing untrusted data.
2. Malicious File Execution: If your proxy is serving files (music, images, video), you’ll need to take particular care when your proxy handles/streams arbitrary data.
3. MIME mishandling: If your proxy is serving images, you need to make sure it’s actually an image. OWASP has a good write-up on browsers mishandling MIMEs, which opens yet another XSS attack vector.
4. Authenticate: When the WWW-Authenticate is presented to the browser, it will prompt the user for a user name and password and send it back to the requester. This presents a phishing attack vector since your proxy on http://example.com isn’t asking for a user-name/password, but the proxied content is. So try to strip this header if possible.
   

Access Control

Whitelist a handful of ports that are absolutely needed, and deny all other ports. This is important because malicious users can use your proxy  in ways you never fathomed of. For example if you have port 25 open, spammers can start relaying thousands of emails about viagra through your proxy. Malicious users could also start hitting random ip addresses listening to port 11211 and start peaking into your memcached servers.

Bandwidth

Make sure you impose an upper-limit on the amount of data you’re reading from the origin server. If the origin server isn’t under your control, the data being proxied could very well be a high-definition version of Avatar.

You can set an object size limit in Apache Traffic Server by updating the following variable in the records.config file. proxy.config.cache.limits.http.max_doc_size

I published my cssmin Apache Traffic Server plugin on github a few months ago, but forgot to blog about it. This plugin will minify any css file encountered by traffic server when TS is configured to act as a reverse-cache-proxy.

Check it out and fork it on github!

Here’s a simple example showing how you can use OpenSocial Templates to easily make YQL queries:

Some books I liked this year:

• Even Faster Web Sites by Steve Souders
• Code Complete by Steve McConnell
• Coders at Work by Peter Seibel
• Autobiography of a Yogi by  Paramahansa Yogananda

Music

• Is This It by The Strokes
• Geogaddi by Boards of Canada
• Tum Mile by Javed Ali, K. K., Neeraj Shridhar, and Shafqat Amanat Ali