Content-Type: RST

No, this time isn't about me writing my blog. Not... really. I
challenged `jwalsh <http://www.selectivelysane.com>`_ to hack
my blog. Which, I'm sad to say, he successfully accomplished. 

.. figure :: http://blog.opensourcenerd.com/upload/hacker-inside

How did this happen? Well, jwalsh looked at the code which rendered
the <a> tags in the comments, and saw something like this: 

.. sourcecode :: python

    pos = findoc.find("&lt;a href='")
    while pos>-1:
        pos2 = findoc.find("'&gt;",pos)
        if pos2>-1:
            findoc=findoc[:pos] + "<" + findoc[(pos+4):(pos2+1)] + ">" + findoc[(pos2+5):];
        pos = findoc.find("&lt;a href='",pos2)
    findoc = findoc.replace("&lt;/a&gt;","</a>")

For those who don't like my Python, I sympathize, but don't empathize. jwalsh empathizes though. I had to explain my code to him for him to be able to hack it. So, pseudocode!

.. sourcecode :: pseudocode

   (findoc is the "FINal DOCument")
   pos = the first place this occurs in findoc: &lt;a href='
   pos = -1 if it doesn't occur
   while pos > -1:
       pos2 = find the first place '&gt; occurs in findoc after pos
       pos2 = -1 if it doesnt occur
       if pos2 > -1:
           replace the entire link sequence with the stuff found between
             &lt;a href=' and '&gt; and the proper link format
       pos = the next place &lt;a href=' occurs after pos2
   repeat the above

As both he and I realized as I was explaining this, this allowed him
to insert an arbitrary malicious piece of code in between the two
requirements, as long as the anchor tag ended in '&gt;. His best
example?


.. sourcecode :: html

   <a href='http://tjhsst.edu/~jwalsh' 
      onmouseover='eval(String.fromCharCode(
          119,105,110,100,111,119,46,108,111,99,97,116,105,111,
          110,61,39,104,116,116,112,58,47,47,116,106,104,115,115,
          116,46,101,100,117,47,126,106,119,97,108,115,104,39))' 
      style='display:block; position:absolute; left:0px; top:0px; 
             height: 10000px; width: 10000px; background:white;
             color:white;'</a>

It made a huge blank bage, on top of which, if you moved your mouse,
it redirected to his website. Pretty sweet. Of course, by the time he
built the little javascript beauty above, I had quickly patched the
code to fix this horrendous hole. I had to set up a temporary
contained instance in which he could try his magic
out. **Edit**: Link removed. jwalsh did an excellent job at
breaking Google Reader on the iGoogle page for people, as well,
apparently. 

So, congrats to jwalsh! He is off to a bright and wonderful future!

.. figure :: http://blog.opensourcenerd.com/upload/fat-nerd
   Level up! He is now a level 6 h4><><0r/paladin.

I'm not bitter at *all* that I was just hacked, nono. Especially since
it was becacuse of my own plain stupidididty that this
happened. Here's how it worked. 

The night I was writting comments I was bored and tired (much like I
am now), and I wanted to just get it over with, so when I wrote the
link functionality I went for the cheap and dirty way (as you saw
above). At the moment, I knew it was vulnerable and that it would
break someday, but I meant to fix it later. To remind myself, I stuck
a ``"# XXX: insecure. must fix."`` comment onto my code.  

So far so good. Then I remembered that I wanted to publish my code,
and a comment like that would be just an invitation for someone to
come along and do what jwalsh did. So I took the comment off. 

And promptly forgot about it.

.. figure :: http://blog.opensourcenerd.com/upload/einstein-duh

Anyway, I am glad my code was available for viewing, though, and that
it was found by a nice white-hat person (read: noob) like jwalsh,
who warned me of the hack attempt before doing it. Had I kept the
source secret and a true  evil black-hat hacker (read: 1337) who
didn't need the source figured out my vulnerability, I would have been
well and truly screwed. At least until I restored my site from the
terminal. 

... Don't you all start trying to hack me now, too.