Monthly Archives: October 2017

Slack SAML authentication bypass

Antonio Sanso writes:

This means that if I present to a ServiceProvider A an assertion meant for ServiceProvider B, then the ServiceProvider A shoud reject it.

Well between all other things I tried this very really simple attack against a Slack’s SAML endpoint /sso/saml and guess what? It worked 😮 !!

To be more concrete I used an old and expired (yes the assertion was also expired!!) Github’s Assertion I had saved somewhere in my archive that was signed for a subject different than mine (namely the username was not asanso aka me) and I presented to Slack. Slack happily accepted it and I was logged in Slack channel with the username of this old and expired Assertion that was never meant to be a Slack one!!! Wow this is scary….

Scary indeed. And it isn’t a particularly sophisticated hack either. Slack has now patched the issue.

100s of useful AWK examples

Came across this nice cheatsheet with awk examples on Hacker News today: Github link

awk is a highly underrated Unix utility. I’ve seen very few developers use it, but it’s both powerful and useful. Awk is a language of its own, but you don’t need to master it to start using it.

Some time back, I moved a large bunch of files to a home directory in a server by mistake. I had used the following (naive) command to move them back to the original location (according to my notebook):

ls -ltr | grep '14:57' | awk '{print $8}' | xargs -I '{}' mv {} vftemp

Apparently I had exploited the fact that the moved files all had the 14:57 time stamp and filtered them with grep, and then used awk to get the 8th column of the list, which should have been the filenames and moved them back.

The State of Being Stuck

A high school mathematics teacher interviews Andrew Wiles. Wiles is one of the most famous mathematicians in the world today; best known for proving the 350-year-old Fermat’s Last Theorem.

Wiles explained the process of research mathematics like this: “You absorb everything about the problem. You think about it a great deal—all the techniques that are used for these things. [But] usually, it needs something else.” Few problems worth your attention will yield under the standard attacks.

“So,” he said, “you get stuck.”

“Then you have to stop,” Wiles said. “Let your mind relax a bit…. Your subconscious is making connections. And you start again—the next afternoon, the next day, the next week.”

Patience, perseverance, acceptance—this is what defines a mathematician.

Reading a User-Agent header

Tweet by @jschauma:

Whenever a browser makes an HTTP request to a server, the browser sends in a User-Agent header, so the server can know what kind of a browser/agent the request is coming from. I’m writing this post in a Safari browser in macOS and the string it sends is:

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38

It says Mozilla at the beginning, but it’s not Firefox.

Confusingly, the User-Agent string of Google Chrome has both Mozilla and Safari in addition to Chrome:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

These strings will change depending on both the browser version and the OS you are on.

While these strings seem cryptic, you can use this handy guide from MDN to identify the browser from User-Agent strings: https://developer.mozilla.org/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent#Browser_Name

Zawinski’s Law

I was reading Finish your stuff by Martin Sustrik (creator of ZeroMQ) today and stumbled upon Zawinski’s Law from The Jargon File.

“Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.”

Emacs comes to mind (you know what they say, it’s “a great operating system, lacking only a decent editor”).

However, we see that a lot of bloated software being replaced by leaner and minimal products, which might seem to be in contrary to this rule. Lots of people moved from WordPress to much simpler Medium. But Medium, in turn, has become a bloated piece of JavaScript by now, which aligns with Zawinski’s Law.

Quoting the Wikipedia article on the subject:

Eric Raymond comments that while this law goes against the minimalist philosophy of Unix (a set of “small, sharp tools”), it actually addresses the real need of end users to keep together tools for interrelated tasks, even though for a coder implementation of these tools are clearly independent jobs.

Splitting a text file into two

Today I was trying to open a text file with a Node.js script and failed, apparently because it exceeded Node’s maximum buffer size. The most straight-forward solution was to split the file in half and open the two new files separately.

How do you split a text file by two, though? With a quick hack using head and tail of course.

head -n 1000 input-file > output1
tail -n +1001 input-file > output2

The + in the tail command tells it to count lines from the top, instead of from the bottom which is the usual case of tail.

Source: unix.stackexchange

Re: Tools are not the Answer

I quoted Uncle Bob’s post two days back and Hillel Wayne has written a much comprehensive response to the original post. In summary, it says:

Uncle Bob gives terrible advice. Following it will make your code worse.

I see nowhere in the original article where it says the tools are bad for you. In fact, it maintains that:

I have nothing against tools like this. I’ve even contributed money to the Light Table project. I think that good software tools make it easier to write good software. However, tools are not the answer to the “Apocalypse”.

There’s a very interesting discussion on Hacker News as well and I urge you to go read it. Uncle Bob Martin himself has left a few (albeit succinct) comments. It’s very interesting to listen to all parts of the story, especially from people who have far greater experience than you.

Tools are not the Answer

Uncle Bob responds to an article in The Atlantic titled “The Coming Software Apocalypse”. The Atlantic article apparently proposes better tooling to avoid software bugs.

I disagree. Tools are fine; but the solution to the software apocalypse is not more tools. The solution is better programming discipline.

We have fancy IDEs, sophisticated build systems and what not, but a sloppy programmer is a sloppy programmer. If tools can make her a good programmer, probably this is a field that robots can fill up easily.

You don’t need multiple cursors in Vim

MasteringVim tweeted an article by Christoph Hermann:

There is a plugin for vim (vim-multiple-cursors) which allows you to mimic that behaviour, but it has some problems.

After using it for quite some time I came to the conclusion that there is no situation which can’t be addressed (IMHO even better) with “native” vim features.

Editing text in a non-Vim environment is a pain, so multiple cursors might seem a good idea (in fact, it was one of the major selling features of Sublime Text). But with all the modal editing features in Vim, you don’t need to go into the trouble of manipulating multiple cursors. Check out the article for some cool tips, including the powerful visual-at function.

Links to revoke app permissions from your social accounts

Over time, you end up having granted access to a lot of apps from your social accounts. It’s a good idea to go over these periodically and clean up any apps you don’t need.

Some providers make it really difficult to find where to revoke these apps (I’m looking at you, Micro$oft). So here’s a list of direct links to different services I use to check the permissions every now and then:

[1] If you have signed in to multiple Google accounts, change 0 to 1, 2, etc for other accounts.