Zicutake USA Comment
Node.JS Security - the good, bad and ugly

At the moment the dev world is abuzz about Node and server-side JavaScript (along with databases like MongoDB and the like). There has never been a better time to be a front-end or JS developer. At first look it appears great, promising and exciting.

On the down side, as with most emerging technologies, there isn't much security analysis, consideration or advisory material to reference, so the gotchas of server-side JS are not yet well understood. Nothing wrong with that: it is functionality, coolness and innovation that bring business, not security (history and economics are the testimony).

In this post I will share my security viewpoint as I see it. This could be an ever-growing list; there is no early end to the kinds of things you can achieve with server-side JavaScript.

Let's start with the good things. Node inherently introduces a great security benefit over traditional server-side programming paradigms: it is "secure by default" (reminds me of my NetBSD days). As highlighted in white in the screenshot, you create your web server yourself, a bare-bones one, not a full-blown server with bells and whistles like Apache.



Then you pick and choose what you want, such as defining exactly what your doc root will hold, rather than anything and everything that lands in a traditional web doc root. What is highlighted in yellow is the complete set of requests your web server will respond to; everything else must be caught by a 404.



Summarizing: your web server is configured for, and capable of, no more than what you want it to be, unlike Apache, Tomcat or IIS. I recall countless Tomcat compromises through the default admin and manager apps that ship installed and running with default passwords, and IIS exploited through the WebDAV buffer overflow when the web app never needed WebDAV in the first place. Web servers have typically given a false sense of security: developers mostly assumed they were secure. We all know that more features mean a bigger attack surface, and a bigger attack surface means more chances of something going wrong. And anything that can go wrong will go wrong!

On the flip side, the bad parts. Node carries over the known-dangerous JavaScript APIs such as eval, which can be trivially exploited for server-side injection (where previously abuse of eval gave only client-side exploits like XSS).

Let's look at a PoC exploit against an app that evaluates its input and returns the output, like the one below.


Abusing eval on the client side results in XSS, but on the server side it yields a server-side injection akin to SQL injection, as seen below, where we inject an HTTP response.


The screenshot below shows the server-side injection executing.


To the best of my knowledge, this issue was first brought to notice in the context of Node by Bryan Sullivan at Black Hat. It is not a brand-new exploit; we know eval is evil. What is worth noting is that most developers would not imagine this happening at first go. From that perspective the server-side exploit vector is novel.
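The vulnerable calculator endpoint described above next to a hardened one, as an added example (not the post's own code; the function names, the grammar accepted and the 256-character limit are assumptions). The point of the pairing is that the fix is not "escape the input" but "never evaluate it": the hardened version parses the arithmetic the feature actually needs and rejects everything else before any evaluation happens.

```javascript
'use strict';

// VULNERABLE (the pattern the post describes): the "calculator" endpoint hands
// the raw query string to eval. On the server, eval runs with the privileges
// of the process, and in a CommonJS module `require` is in scope, so the input
//   require('child_process').execSync('id').toString()
// runs a command and `process.exit()` shuts the service down. This is the
// server-side analogue of XSS: the payload executes wherever eval executes.
function vulnerableCalc(expr) {
  return eval(expr); // never do this with untrusted input
}

// HARDENED: accept only the arithmetic grammar the feature needs. The input is
// tokenised against a strict regex and parsed by a small recursive-descent
// parser; anything outside numbers, + - * / and parentheses is rejected.
function tokenize(src) {
  const tokens = [];
  const re = /\s*(?:(\d+(?:\.\d+)?)|([-+*\/()]))\s*/y; // sticky: must match at pos
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new SyntaxError(`unexpected input at offset ${pos}`);
    tokens.push(m[1] !== undefined
      ? { type: 'num', value: Number(m[1]) }
      : { type: 'op', value: m[2] });
    pos = re.lastIndex;
  }
  return tokens;
}

function parse(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const isOp = (...ops) => peek() && peek().type === 'op' && ops.includes(peek().value);

  function expression() {          // expression := term (('+'|'-') term)*
    let v = term();
    while (isOp('+', '-')) {
      const op = tokens[i++].value;
      const r = term();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }
  function term() {                // term := factor (('*'|'/') factor)*
    let v = factor();
    while (isOp('*', '/')) {
      const op = tokens[i++].value;
      const r = factor();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function factor() {              // factor := number | '-' factor | '(' expression ')'
    const t = tokens[i++];
    if (!t) throw new SyntaxError('unexpected end of expression');
    if (t.type === 'num') return t.value;
    if (t.value === '-') return -factor();
    if (t.value === '(') {
      const v = expression();
      const close = tokens[i++];
      if (!close || close.value !== ')') throw new SyntaxError('missing )');
      return v;
    }
    throw new SyntaxError(`unexpected token ${t.value}`);
  }

  const result = expression();
  if (i !== tokens.length) throw new SyntaxError('trailing input');
  return result;
}

function safeCalc(expr) {
  if (typeof expr !== 'string' || expr.length > 256) {
    throw new SyntaxError('expression must be a short string');
  }
  return parse(tokenize(expr));
}

// Request-level wrapper: a parser rejection becomes a 400, and the body is
// JSON-encoded, so the client cannot inject into the HTTP response either.
function calcResponse(expr, calc = safeCalc) {
  try {
    return { status: 200, body: JSON.stringify({ result: calc(expr) }) };
  } catch (err) {
    return { status: 400, body: JSON.stringify({ error: 'invalid expression' }) };
  }
}

module.exports = { vulnerableCalc, safeCalc, calcResponse };
```

Feeding `(global.pwned = "yes", 42)` to vulnerableCalc returns 42 and leaves a new property on the global object, which is exactly the kind of side effect the screenshots show; safeCalc throws at the first character that is not part of the grammar. The same applies to `new Function`, `vm.runInThisContext` and `setTimeout` with a string argument: all of them are eval under another name.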

What do I see as ugly? The ugly parts are the ones that introduce new attack vectors; ideally there should have been default protection built in. The event-driven, single-threaded programming model is not what web developers are used to. Node runs all of your application code on a single thread, and an uncaught exception anywhere terminates the whole process, so a simple error creates a denial-of-service condition, as highlighted in the screenshot below.


As highlighted, hitting submit crashes the Node server.


A similar DoS condition results from messing with global variables, intentionally or unintentionally. These scenarios are quite likely, considering that JS developers are used to tolerating errors. I see thousands of live sites day in and day out that show a number of errors in the Firebug console yet run absolutely fine; that will not be the case once you go server-side.

Another ugly part is that web developers are not used to service permissioning. Having outsourced it to Apache/IIS, which ran the app as nobody, they will now end up running their Node services as root, typically because binding port 80 or 443 requires it.

A 1000-foot, apples-to-apples comparison between, say, PHP and Node tells me Node took a step back in security. At the least you would expect a sanitization/validation library for a new programming language, if not a fancy new auto-sanitization module like PHP's Filter (yes, Filter isn't complete auto-sanitization in PHP, but you get what I mean).

An honest look tells me Node isn't meant to be used as is; it should be used with a strong framework. There are many in the fray right now, and Express is probably the most widely used. I haven't tried it yet, but from what I see, security in Node is a work in progress.

Being a Yahoo, how can I end without mentioning Yahoo Cocktails? I haven't played around with it yet, but it is something I have super-high hopes for. The engineers I met there are fabulous. Come Q1 2012 it will be there for all of us to play with. Yahoo is a great company, the best I have worked for; no doubt I would love to see it score high.

The more I learn about Node, the more I keep reminding myself: "Node is powerful, and with power comes responsibility."

Back to December


Thanksgiving break has passed, as well as Black Friday.
Hard to believe that I stayed at home playing Tetris from day to night and didn't go out shopping. I pretty much regret it, as I forgot I still need a pair of sunglasses! Everyone said I should get Ray-Ban, as Ray-Ban FTW! I know it! But I tried a few on and they didn't seem to suit me, which is why I tend to choose Burberry now. I will get it after my finals, definitely.

So, I got my favourite cotton V-neck tee and long-sleeve tee from Tommy Hilfiger! I love them so much; they are quite pricey but I don't care, I think they are worth it for the materials.


A random snapshot of my favourite perfume, Anna Sui Flight of Fancy. This is a gift from my best friends, and I don't really use perfume, I just smell it. Kind of weird, right? But I will spray some when I go out shopping.


And as my previous post said, I bought a Honda Accord. I still like the Acura more, as its engine is a 3.6, which is so powerful when speeding on highways. I guess the Accord is only a 2.4? Hmm. Anyway, a quote from Honda: The Power of Dreams.


Food! Randomly went to different places to have nice food! Slurrrppp



The people here are so kind and generous? I am not sure, but I just got this wooden, like-new study desk for FREE! Yeah, it is free, I didn't pay a cent for it. Freaking happy, and I returned my previous desk, which I bought at $32. Love this desk so much as it has 2 other spaces for me to put stuff. Thank GOD.


Snapshot of babe & me!


Did a donation at Walmart and wtf, I am so short. == short.........


Lastly, I got a Louis Vuitton! This is the most expensive bag I have got so far, bloody hell. Anyway, this is a present for my mum, so never mind, as long as my mum likes it.


Will only update after 15 December, the day my finals end.
Need to work my ass off studying now.
I am so lazy.
=___=

~那些年,我們一起追的女孩~ (You Are the Apple of My Eye) guitar tab


These days, if you don't write something about ~那些年...~ ("Those Years..."), you are hopelessly out of touch.
A real miracle of Chinese-language cinema; I won't even mention the box office. It has become the talk of a whole generation of young people (I'm one of the old ones).
Every other sentence is "Those Years... this, Those Years... that..."

The right time, the right place and the right people: Giddens Ko (九把刀) used them all up.
Personally it didn't do that much for me; what caught me was the theme song, a melody I never tire of, which brought back my own "those years when we played guitar together". Come and play along!!!!




那些年 (Those Years)
Lyrics: 九把刀 (Giddens Ko)   Music: 木村充利 (Mitsutoshi Kimura)   KEY: F    PLAY: C    CAPO: 5

             C                                G             E          Am                          Em
Back again at the very beginning   your youthful face in my memory   at last we have come to this day
             F         G        Em           Am             Dm7                         G7
The old photo under the desk mat   linking countless memories   today the boy goes to keep his last date with the girl

             C                                G             E          Am                          Em
Back again at the very beginning   standing dazed before the mirror   clumsily knotting a red tie
                 F             G                Em           Am             Dm7          G7        C
Combing my hair like a grown-up   putting on a sharp suit   when I see you soon you will surely be lovelier than I imagined

F               E            Am7                            Dm7             G             C
How I wish to go back to those years   to the seats in front and behind in the classroom   deliberately earning your gentle scolding
F               E            Am7             D    Dm7                           G   G7
The permutations and combinations on the blackboard   could you bear to solve them   who sits with whom and he loves her

             C                                G              E
The downpours we missed in those years   the love we missed in those years
       Am7              G             D
How I long to hold you   to hold the courage I lacked
             F             G                Em          Am7
I once wanted to conquer the whole world   only at the end looking back did I find
           Dm7                          G
that every little bit of this world is you
             C                                G              E
The downpours we missed in those years   the love we missed in those years
       Am7              G             D
How I long to tell you   tell you I have not forgotten
             F             G                 E           Am7
That night the sky was full of stars   a promise made in a parallel universe
           Dm7                          G                    C
When we meet again I will hold you tight   hold you tight


Source: 无名小站 (Wretch)




WU/FSC [Kingdom of Gladiators] [2011, new American fantasy adventure] Chinese subtitles


◎Translated title: 角斗士王国
◎Title: Kingdom Of Gladiators
◎Year: 2011
◎Country: USA/Italy
◎Genre: Action/Fantasy/Adventure
◎Language: English
◎Subtitles: Chinese
◎IMDb rating:
◎File format: DVD-RMVB
◎Video size: 592 x 320
◎File size: 1CD 404MB
◎Runtime: 81 mins
◎Director: Stefano Milla
◎Cast:
Maurizio Corigliano
Sharon Fryer
Leroy Kincaid ….Kayne
Suzi Lorraine ….Hel
Bryan Murphy ….King Wolfkahn
Matt Polinsky ….Gunnar
Annie Social ….Teela
◎Synopsis
To secure peace for his country, the king struck a bargain with an ancient demon. After decades of peaceful rule over the kingdom, the demon comes to collect on the bargain. A band of gladiators must fight for the survival of the kingdom.





◎Download links:

WU

http://www.wupload.com/file/2530509162
http://www.wupload.com/file/2530500637

FSC

http://www.filesonic.com/file/3952609324
http://www.filesonic.com/file/3952634804

Busy Week

Busy as usual. Enrolled in 5 subjects for the Spring 2012 semester. Checked my uni academic calendar and found that my summer holidays start on 5th May. Will come back to Malaysia but just don't know how many days I should stay.

I am more and more in love with my babe now; yeah, we call her babe. In the first few weeks after she came, she was so aggressive and afraid of people; she ran around and made some 'piggy noise', which was so annoying. Sometimes she bit us. That's the past. Now she has turned so feminine and adorable. She likes to stick with anyone in the house, sitting beside you while you are eating or online. So so so cute, and I seriously love her so much.


Then I dyed my hair a darker shade. It was supposed to be a burgundy shade, but it turned out much brighter than the colour I expected. Well, this is a DIY hair dye, so I didn't expect it to be perfect, just to cover my black roots. And I think in my entire life I will not dye my hair any light colour anymore. I feel like a dark shade looks nicer on me.


Crazy about the gym since I reached the US. I have a really healthy lifestyle here. My breakfast only consists of 2 half-boiled eggs, 1 cup of Milo ais and 1 small cupcake. I calculated that the calories I can take per day are around 1350. Basically I follow the calorie table to choose food now. I don't know why I turned out like this, I just want to cut weight and get slim. Many people wonder why I look slim in pictures and doubt me, saying I was Photoshopping my pictures and so on. SO? Can you imagine your life without food after 10pm, and walking back from uni to the house 3 days per week (around 30 mins) for 2 months? I bet you would definitely slim down!!

By the way, I gym around 5 times a week. And each day I set some target for myself to achieve. And so far I am glad that I didn't give up. LOL. Never give up exercise.


Fall season is so awesome! I've started to adapt to the weather. Normally during the afternoon and evening the weather will be below 10 degrees, and the lowest temperature so far was -3 degrees.
I love the scenery, don't you?!!


Been driving around like crazy looking for houses. I'm planning to move out of this super expensive apartment with my friends. Drove until mad, and I am so NOOB at recognising roads! Hopefully we can move out by December, then we can save some $ on the rent. Nevertheless, we are planning to sell this car and buy another car, perhaps a Honda Accord. Wish to buy a Volkswagen though, OMG, or an Audi XD joke....joke...

In love with these earrings when I saw them at Juicy Couture. Freaking cute, right! I am planning to get them once I have extra $. Just wait. teeheee


Lastly, I bought a Burberry tote for my beloved sister. I knew she loves Burberry, and this is a present for her. She doesn't need to pay me back :) Bought something for mum too; will review once I have time to take pictures. teehee, I miss my family so much now.


That's all. 1 more month to my finals!! I want to finish this semester quickly!!

Shopping Spree!


Ola! After a lot of hard work, I finally found that I have slimmed down.
This is good news though; I can really notice my waist size is getting smaller.

Anyway, I don't plan to update this post now. I thought of writing a really long post about my shopping days, but I found it so lame, as no one will be interested in the process of the day. So I will just post what I bought. Seriously, I spent a lot, but I am happy afterwards, so I DON'T CARE!

I randomly entered some shops. At Tommy Hilfiger, I liked this polo T but didn't buy it in the end. So regret now, and I will go back to get it one day later.


DKNY Skinny jeans and cardigan.


The DKNY watch I posted before, which I said would be on my wish list. Lol, I got it though. I couldn't wait any longer.

Fall is coming and the weather has started to get cold. A pair of boots is needed!
Comfy boots from Skechers, and this is the first ever pair of boots I've bought in my entire life.


My legs look slim here; guess the hard work paid off.


From GAP, but they don't have XS size.. This is S size and it is so big ==


Leather bag from Coach too.


That's what I've got so far. And there were 3 earthquakes in a row within one week. Freaked me out, so scary. Hope everything will be fine. Till here, byebye. My life is pretty simple here: shopping when free and studying during school time. I really miss Malaysia; another half year, and I WILL BE BACK!

PantherAds

PantherAds (pantherads.com) - Is it a Scam or Legit?



 
 
 
 
Pays:                               Averages around $0.025 CPC, 70% ad revenue
Min To Cashout:                     $20
Wait Time:                          1st week of each month
Payout Methods:                     not stated
Number of Ads:                      N/A
Referral Program:                   1 level, no direct-referral limit
Accepted Countries:                 All
Accounts Deleted After Inactivity?: ?

PantherAds is a site where bloggers and site owners can earn from clicks on their text or banner ads. As of now we are testing this ad agency, and the site will be placed on the Ongoing Investigations List until we have fully tested it. Here are the pros and cons of this site:

PROS:

1. Forum - This site does have a forum. Forums are great for communication between members and staff. Members can post payment proofs, get support, and stay up to date on changes made to the site. You can find their forum here: http://pantherads.imoneylink.com/

2. Unlimited Direct Referrals - There is no limit on how many referrals you can have. Great for promoters and those who can refer a lot of people.

3. All Countries Accepted - So far there are no restrictions, and anyone can join and earn from this site. Will update if this changes.
4. Fixed Minimum Cashout - $20 is the set minimum cashout. From what we can see, the minimum cashout will not increase after your first cashout.

CONS:

1. Is it still paying? - Well, that is what we are going to find out. Finding proofs is not that easy, which is why it is on the Ongoing Investigations List until we see recent proof of it paying. We did find one proof on another blog from August:


2. Forum Spam - While on the upside they have a forum, you will find it full of spam. I would suspect that they are not keeping up with it. Their Twitter account is also outdated, and no new info has been posted on it for over a year.

Some Things You Should Know About This Site...



  • Referral Earnings : 5% from publishers and advertisers you refer.
  • You can transfer your publisher account balance to Advertiser account balance.
  • You can restrict domains from being displayed in ads via publisher account panel.
  • Script: Custom (MoneyScript)
  • Contact Email/Link:  Email
  • Site Created: August 26, 2010   Launched: September 2010


  •  October 13, 2011
    • Full Review completed and site added to the Ongoing Investigations List

As of now we are testing PantherAds and will report our results once we have concluded our investigation. For the time being the site will remain on the Ongoing Investigations List. Will update when we know more.


We will continue to monitor this site. If anyone would like to share their experience that they had with this site, whether it is good or bad, feel free to do so in our comment section at the end of this review.