Elixir vs Ruby – A Simple Test

A coworker of mine is really excited about Elixir and it’s performance.   So, I created a little program in both Ruby and Elixir to return an array containing the squares of numbers from 1 to 1000.

This is the Ruby version.   It uses a gem called Parallel that I found quickly from searching. It uses all available processors and uses threads.

require 'parallel'
Parallel.map(1..1000) do |i|
  i * i

Running this a few times gives results like this-

real	0m0.118s
user	0m0.090s
sys	0m0.059s

This is the Elixir version. It uses no external libraries. It uses all available processors and uses threads.

defmodule Parallel do
  def pmap(collection, func) do
    |> Enum.map(&(Task.async(fn -> func.(&1) end)))
    |> Enum.map(&Task.await/1)
Parallel.pmap 1..1000, &(&1 * &1)

Running this a few times gives results like this-

real	0m0.271s
user	0m0.258s
sys	0m0.176s

Ruby is considerably faster on this simple example.  Definitely going to experiment more…

Posted in Ruby | Leave a comment

Favorite Podcasts

I’ve been spending most of my commute these days listening to podcasts.  I’ve found a few good ones, but am looking for ideas.   Security/development is my vocation, but I like a variety of things to listen to.

Currently I’m listening to-

  • The Art of Charm
  • The Changelog
  • The Complete Privacy & Security Podcast
  • Entrepeneur On Fire
  • Greater than Code
  • How I Built This
  • The James Altucher Show
  • The Marie Forleo Podcast
  • Nutrition Facts by Dr. Greger
  • Residual Income Podcast
  • Risky Business
  • Side School Hustle
  • Soft Skill Engineering
  • Stuff You Should Know
  • SUCCESS Insuder
  • Team Never Quit Podcast
  • The Tim Ferriss Show
  • Why Are Computers
  • Advanced Persistent Security

Any other suggestions?

Posted in General | Leave a comment

Python – Day 1

Python or Ruby or PHP

Well…PHP isn’t really an option.  Only Ruby or Python  🙂

As many of you may know, I started off right out of college doing C/C++ programming and finished my software development days with Java.   Since then I’ve been doing application security.   When I do program now, it’s mainly for my own uses and it’s typically in Ruby.

I became interested in Ruby when Metasploit was ported to Ruby.   But in general, the prominent language for scripting related to security is Python.  So, I decided to experiment more with Python.

Right off the bat I’ve found a few things that are annoying

  • White-space scoping.   This is a common complaint if you’re used to languages that are more free-form and have explicit ways to scope.  But, in modern editors take care of it for you and it does enforce a consistent style.  It still bugs me some, though.
  • Library compatibly between versions.  There seem to be two major versions – 2.7X and 3.0.  I’ve not really done enough to know the difference, but there does seem to be a difference in community support for libraries between the two.
  • OO.  There are couple of interesting things about this.   First, why the explicit self parameter as the first parameter to every method?  Second, things like the len function.  It is used to determine the length of many different types of data.   But things like lists, should have a len method IMHO.  They do have a __len__ method, but nothing I’ve read talks about calling it.   It seems like the standalone len function expects it’s target to have a __len__ function so it knows how to get the length.  Why not just have len on the target?  It just seems not well thought-out.


Posted in Python | 2 Comments

Window.postMessage part 2 – an example

In Part 1 of the series, I talked about the basics of Window.postMessage and showed some sample code.  This post will show some real code with a demo link.   This code purposefully has some security issues which will be addressed in the third and final post of the series.

The demo code found at https://www.chs.us/pm/source.html is –
<iframe src="https://www.bitbucket.me/pm/target.html" style="width:100%; height:50%;"></iframe>
<script language="javascript">
function sendMessage()
var txt = document.getElementById("msg").value;
window.frames[0].postMessage(txt, "*");
return false;
<form method="#" method="post" onsubmit="return sendMessage()">
<input type="text" maxlength="128" name="msg" id="msg">
<input type="submit">

What it does is load https://www.bitbucket.me/pm/target.html in an iframe that is 50% of the height of the window and 100% of the width.  It then has a form where you can specify text and when you hit submit, it sends a message to the iframe with the text that is specified in the form.

The code for https://www.bitbucket.me/pm/target.html is –
<script language="javascript">
window.addEventListener("message", receiveMessage, false);
function receiveMessage(event)
var origin = event.origin || event.originalEvent.origin; // For Chrome, the origin property is in the event.originalEvent object.
var cont = document.getElementById('container');
cont.innerHTML = cont.innerHTML + event.data + "<br/>";
<div id="container" name="container" style="width:100%; height:100%;"></div>

It first creates registers a function(receiveMessage) to handle the “message” event and creates a div.  When a message is received it, it  appends the text to the div.

Posted in Javascript, Security | Leave a comment

Window.postMessage part 1 – the basics

What is Window.postMessage?
Window.postMessage is a way to safely communicate cross-origin between windows. Normally, pages are only allowed to interact with each other if they share the same origin(protocol+host+port matching). postMessage allows the a developer to get around that.


targetWindow.postMessage(message, targetOrigin, [transfer]);

The components are-

      • targetWindow – a reference to another window that you wish to send a message to. You can obtain a reference by a) the object returned by window.open, b) the contentWindow of an iframe, and c) using the numeric index on the Window.frames object
      • message – data sent to the window
      • targetOrigin – specify what the origin of targetWindow must be in order for the event to be dispatched. Either ‘*’ or the full origin. This is necessary because the origin of the window may have changed. It is advised not to specify ‘*’, otherwise you may be sending data to an unintended origin.
      • transfer (optional) – objects that are transferred with the message. After transferring, they are no longer accessible by the sender

What does it look like in practice?
The code in the target window (www.mytarget.com) would look something like this. This script lives on the default page for www.mytarget.com.

window.addEventListener("message", receiveMessage, false);
function receiveMessage(event)
  var origin = event.origin || event.originalEvent.origin; // For Chrome,
  if (origin !== "http://www.mysender.com")

The above code is based off of https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

This is what the sending code would look like (on http://www.mysender.com)

var wnd = window.open("http://www.mytarget.com);
wnd.postMessage("Test Message", "http://www.mytarget.com");

That’s basically what it looks like and how you use Window.postMessage to send messages cross-origin. This gets around the same origin policy which restricts how windows can interact with each based on having the same protocol, host, and port. Part 2 of the series will continue the discussion with the security implications of Window.postMessage and how using it improperly can lead to unintended security vulnerabilities in a page.

Posted in Javascript, Security | Leave a comment

The Hustle

Found this cool new list called “The Hustle” that sends tech and business news each day.   It’s had some really interesting stuff so far.

Check it out here!

Posted in Other | Leave a comment

Playing with Content Security Policy (CSP) today…

Playing around with Content Security Policy (CSP) today.  Found these resources so far that I like.

Any other suggestions?

Posted in Security | Leave a comment

Injection on Windows

So, I’ve been playing around a bit with DLL injection on Windows. The basic process is-

  • Identify the process
  • Open the target process
  • Create a buffer in the target process that’s large enough to hold the path to the DLL to inject
  • Write the path to the DLL to the buffer
  • Create a remote thread in the target process using LoadLibrary as the thread function and the buffer created as the parameter

That’s it in a nutshell. Will show in-depth soon!

Posted in Security | Leave a comment

The Witchcraft Compiler Collection by @endrazine

In case you missed Defcon 24 or were there and happened to miss this talk, this is some amazing stuff. It’s called the Witchcraft Compiler Collection (WCC) by my co-worker and friend, Jonathan Brossard.

Some things you can do with WCC:

  • Transforming ET_EXEC ELF executables into shared libraries (id est: transforming an executable into a shared library !) Demoed this by patching proftpd into a shared library and then calling functions in it from C.
  • Unlinking ELF binaries into relocatable object files, then relink them back using gcc and verify they still work !
  • Running OpenBSD binaries natively on linux by relinking it. 0 patching required !
  • Using ET_DYN executables as shared libraries (Used /usr/sbin/apache2 as a shared library ! Called internal functions from C code)
  • Prototyping exploits from symbolic execution partial traces (did a live exploit from an old version of Samba)
  • In memory JIT translation from ARM to Intel x86_64 + debugging : did a demo on running a ARM library natively on amd64 linux with inprocess JIT binary translation.

Abstract of the talk : https://defcon.org/html/defcon-24/dc-24-speakers.html#Brossard

The slides are available here : https://github.com/endrazine/wcc/blob/master/doc/presentations/Jonathan_Brossard_Witchract_Compiler_Collection_Defcon24_2016.pdf

The codebase is available here : https://github.com/endrazine/wcc under MIT License (proper open source).

The code for all the demos is available here : https://github.com/endrazine/wcc/tree/master/doc/presentations/demos_defcon24_2016

Check it out!

Posted in Open Source, Security, Uncategorized | 1 Comment

An Overview of HSTS

What is HSTS?

HSTS stands for HTTP Strict Transport Security.  It’s a web security policy that allows a web server to inform a web browser that it should only be accessed over HTTPS and never HTTP.  It also helps prevent things like downgrade attacks (switching from HTTPS to HTTP).

How do you set it up?

HSTS is a response header that is set by the web server and sent back to the web browser.   In the HTTP section of your web configuration, you need to configure it to redirect the client to access via HTTPS.  In the HTTPS section of your web configuration is where you set the HSTS header.   From that point on (until the header times out), your browser will only access your site via HTTPS automatically.  Even if you try to access via HTTP, it will enforce you accessing via HTTPS.  This way of doing it allows a client browser to access via HTTP once.

HSTS can also be enforced by being in the browsers’ HSTS preload list.

Web server setup for chs.us

This is what the relevant part of the HTTP VirtualHost would look like-

#Redirect to HTTPS if requested via HTTP
<IfModule mod_rewrite.c>;
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

This is what the relevant part of the HTTPS VirtualHost would look like-

Header always set Strict-Transport-Security "max-age=108000; preload"

This is what a response from a request to chs.us over HTTPS looks like-

HTTP/1.1 200 OK
Date: Thu, 23 Jun 2016 13:32:23 GMT
Server: localhost
Strict-Transport-Security: max-age=108000; preload
Last-Modified: Thu, 23 Jun 2016 13:32:24 GMT
Pragma: public
Cache-Control: max-age=7200, public
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: chs.us
Content-Length: 64416
Connection: close
Content-Type: text/html; charset=UTF-8

What does the header look like?

Strict-Transport-Security: max-age=<seconds>; includeSubdomains; preload

The parameters are-

  • max-age is the number of seconds you want the browser to cache the header.  Keep in mind that every time time you get a response over HTTPS, the max-age in the client browser is reset
  • includeSubdomains informs the browser to also enforce HTTP on subdomains by default
  • preload is a tag that announces the fact that your site can be added to the default preload list that the browsers have built-in.  If your site is in this list, any time a browser access the site it will be over HTTPS.  You can add your site to the list by going to http://hstspreload.appspot.com.  Most browsers use this shared list, so it will be included in future browser updates.   The reason the preload tag exists is so that not just anyone can add a site to the preload list.   If they could, they would be able to deny service to sites that don’t have HTTPS, but are in the pre-load list.
Posted in Security | Leave a comment