VT’s Tech Blog

Google has released a Web Application Security Scanner over at Google Code. This can be used to scan you site for possible security issues which might be lurking around. Skipfish prepares an interactive site-map for the targeted site by carrying out a recursive crawl and dictionary-based probes.

This scanner is easy to setup on an Ubuntu machine. You’ll need to have the packages for gcc and make installed on your system in order to compile Skipfish from it’s sources. Once you install these, download the Skipfish package from the project download page. Once you download it, unzip the files to a folder of it’s own and head over to that folder in your terminal window and issue a make command by just entering this in the terminal.

make

After the package compiles you can test to see if it was successful by issuing the following command in the terminal

./skipfish -h

This should show you a the Skipfish help screen. If you don’t get that, check the make output to see if there were any errors during the compile process.

Once you get Skipfish compiled and ready on your system, head over to their documentation pages to learn more on how to use this to tool to scan your site.

This tool creates a html report of the scan in the output directory you specify and the output looks like this:

Skipfish has a highly optimized HTTP handling which allows you to achieve up to 2000 requests per second on servers which can take that load. It also doesn’t depend on the technology you use to host and build your web application.

If you’re interested in what types of scans are currently implemented on this tool, here’s what it supports (from their documentation page):

• High risk flaws (potentially leading to system compromise):
  • Server-side SQL injection (including blind vectors, numerical parameters).
  • Explicit SQL-like syntax in GET or POST parameters.
  • Server-side shell command injection (including blind vectors).
  • Server-side XML / XPath injection (including blind vectors).
  • Format string vulnerabilities.
  • Integer overflow vulnerabilities.

• Medium risk flaws (potentially leading to data compromise)
  • Stored and reflected XSS vectors in document body (minimal JS XSS support present).
  • Stored and reflected XSS vectors via HTTP redirects.
  • Stored and reflected XSS vectors via HTTP header splitting.
  • Directory traversal (including constrained vectors).
  • Assorted file POIs (server-side sources, configs, etc).
  • Attacker-supplied script and CSS inclusion vectors (stored and reflected).
  • External untrusted script and CSS inclusion vectors.
  • Mixed content problems on script and CSS resources (optional).
  • Incorrect or missing MIME types on renderables.
  • Generic MIME types on renderables.
  • Incorrect or missing charsets on renderables.
  • Conflicting MIME / charset info on renderables.
  • Bad caching directives on cookie setting responses.

• Low risk issues (limited impact or low specificity):
  • Directory listing bypass vectors.
  • Redirection to attacker-supplied URLs (stored and reflected).
  • Attacker-supplied embedded content (stored and reflected).
  • External untrusted embedded content.
  • Mixed content on non-scriptable subresources (optional).
  • HTTP credentials in URLs.
  • Expired or not-yet-valid SSL certificates.
  • HTML forms with no XSRF protection.
  • Self-signed SSL certificates.
  • SSL certificate host name mismatches.
  • Bad caching directives on less sensitive content.

• Internal warnings:
  • Failed resource fetch attempts.
  • Exceeded crawl limits.
  • Failed 404 behavior checks.
  • IPS filtering detected.
  • Unexpected response variations.
  • Seemingly misclassified crawl nodes.

• Non-specific informational entries:
  • General SSL certificate information.
  • Significantly changing HTTP cookies.
  • Changing Server, Via, or X-... headers.
  • New 404 signatures.
  • Resources that cannot be accessed.
  • Resources requiring HTTP authentication.
  • Broken links.
  • Server errors.
  • All external links not classified otherwise (optional).
  • All external e-mails (optional).
  • All external URL redirectors (optional).
  • Links to unknown protocols.
  • Form fields that could not be autocompleted.
  • All HTML forms detected.
  • Password entry forms (for external brute-force).
  • Numerical file names (for external brute-force).
  • User-supplied links otherwise rendered on a page.
  • Incorrect or missing MIME type on less significant content.
  • Generic MIME type on less significant content.
  • Incorrect or missing charset on less significant content.
  • Conflicting MIME / charset information on less significant content.
  • OGNL-like parameter passing conventions.

You can get more information about Skipfish and download it from their project site on Google Code.

Links:
Skipfish Project on Google Code
Skipfish Documentation
Skipfish Downloads

I just came across a great tool for transcoding videos in Ubuntu. HandBrake is an open-source, GPL-licensed, multiplatform, multithreaded video transcoder, available for MacOS X, Linux and Windows. They’ve also got Ubuntu installers which make it easy to install this available in a GUI and a commandline version. Using handbrake you can convert your DVDs or most other video formats to the following outputs:

• File format: MP4 and MKV
• Video: MPEG-4, H.264, or Theora
• Audio: AAC, CoreAudio AAC (OS X Only), MP3, or Vorbis. AC-3 pass-through, DTS pass-thorugh (MKV only)

To install Handbrake you can either download the deb installer for Ubuntu from their download page. You can also add this to your apt sources so you get updates to the program automatically. To do this, type in the following into the terminal (works in Karmic)

sudo add-apt-repository ppa:handbrake-ubuntu/ppa
sudo apt-get update
sudo apt-get install handbrake-gtk

For more information on Handbrake, head over to their site handbrake.fr.

via WebDevOnLinux

If you’re using Linux as your primary OS, here’s a useful too to check for broken links on your websites. gURLChecker is a simple tool to check for broken links on any website. It can work on a whole site, a single local page or a browser bookmarks file.
If you’re using Ubuntu, it’s quite easy to install this tool, just head over to your Terminal and run the following command:

sudo apt-get install gurlchecker

Once the application is installed, you should be able to access it from Menu>Internet>gurlchecker

If you’re on another version of Linux, you can build from sources. Here’s how you can build gurlchecker for other version of linux by downloading the source from their svn:

svn co svn://labs.libre-entreprise.org/svnroot/gurlchecker/branches/stable
cd stable/
./autogen.sh --prefix=/usr
make
su -c "make install"
/usr/bin/gurlchecker

You can learn more about this software over at the project page at: gurlchecker.labs.libre-entreprise.org/

Here’s a chance for you all to win a free license for Gravity, a native S60 Twitter client with a really slick interface. MyNokiaWorld is holding a contest to giveaway 4 licenses to Gravity. All you have to do is to tweet or blog about the contest or subscribe to their RSS feed to enter the contest. Easy as that. You can even just follow them on twitter to enter.

For more information on this contest and how to enter, check out the site at: http://bit.ly/gkGp4

I’ve always wanted to know how the various opensource search engines performed when running head to head with each other. I’ve personally not had the time nor patience to setup such a benchmark. Luckily Vik Singh has done just that and blogged the results of the benchmark.

He’s benchmarked the latest versions of Lucene, sqlite, Xapian, zettair and sphinx while indexing twitter messages (968,937 tweets to be exact) and Medical data sets. I was not too surprised when Lucene came up as a winner from these benchmarks

Read the Blog post by Vik to get the details of the benchmarks.

Here is a plugin for Gimp which gives you a “Save for Web” option in GIMP. This plugin gives you the option of preparing your images for the web by optimizing it, adding additional compression, stripping EXIF information from the images to reduce it’s size. You can preview the resultant image before you save your final image.

You can get the deb files for this plugin over at GetDeb.net:
http://www.getdeb.net/app/GIMP+%22Save+for+Web%22+plugin

Just download the deb file for your version of Ubuntu and double click the deb file once downloaded to start the Package Installer.

Yesterday Nokia India had arranged for a blogger’s meet in Bangalore to familizarize us with the upcoming N97 mobile phone. The meet featured Axel Meyer, Nokia’s Global Design Head for Nokia Nseries, who took us through a presentation which showed what the Design team took into account while designing this phone.

What I liked about the design was the 30 degree tilt of the screen when the QWERTY keypad slides open. This allows the user to interact with the keyboard and the touch-screen at the same time. The tilt also allows the user to hold the phone with just the index finger – pretty comfortable – unlike the slide out of the E75.

One snippet which kind of surprised me in the presentation is that Axel mentioned that there  more than 1 billion users of Nokia phones. This particular model is targeted to users who are looking at having a personal experience with their mobiles – targeted towards people who share photos, videos, microblog, are active on social network and need a phone which doubles up as a personal computer on the go. During the Q&A session, one of the bloggers did ask about the high price of this model (expected to be around Rs. 35,000 during the launch). Axel answered that this mobile is meant for people who are looking a niche phone which provides the full online and social experience  the N97 provides.

After the presentations, I got to play around with the N97 for sometime – pics of the phone are at the end of this post.

Some of the points which caught my attention about the N97 are:

• A whopping 32GB of internal memory – which can be expanded to a maximum of 48GB. This is great for carrying around your media and there’s no need of another media player
• 16:9 screen ratio – perfect for viewing widescreen movies on the go – this unit’s got a TV out so you can project the movies on your phone on the big screen.
• A FM transmitter – to listen to your music on the car radio without the need of extra cables to hook it on.
• Home Screen Widgets – this allows you to have a pieces of the Internet on your home screen.
• The QWERTY keyboard had a good feel to it. Even though the keys on the N97 are smaller than the E75′s, they layout seems to just feel better laid out on the N97.
• The touchscreen also seems to perform better than the 5800′s.
• The phone comes bundled with the Facebook application, apart from other Social Media application like Hi5 and Qik. So you don’t have to hunt for these apps once you get your phone.
• The tilt of the screen when the keypad is open is a very useful feature allowing the user to place the phone on a table while typing out messages and emails, taking calls or surfing the web.

Thanks to Nokia India and Songita B. Verma & team for getting this event organized! It was great having to hear direct from the Design Team on the rationale behind the various features which are packed in the N-Series phones.

Learn more about the Nokia N97:
The Nokia N97 Datasheet
Nokia NSeries Background
Nokia N97′s product page

Some of the Pictures from the Event:

The N97 Presentation

Home Screen Widgets

Axel Meyer during his presentation

Q&A Session

First look at the N97

Trying out the Handwriting Recognition

30 Degrees Tilt of the Screen when the keypad's open

More pictures from the event are available on Flickr.

Google has brought out their Google Mobile App for Nokia S60 Phones. You can get the application by visiting m.google.com on your mobile browser. This application provides a shell for Google applications and services. When you start the app, you get a search screen, and the app detects your location to give you area specific suggestions.

As you start typing in a search term, you get search suggestions. Performing  a search opens up the mobile browser to continue browsing. The app provides a shortcut key to quickly jump to Google search from the Home screen on your mobile. This cuts down the number of keystrokes required to startup a Google search.

Apart from the quick access to Google Search and mobile apps, this app provides little else for Indian users, as the suggestions I saw while using the search were hardly relevant to my location.

Link : http://www.google.com/mobile/nokia_smart/app.html

Web developers have to check out Google’s new Firefox + Firebug addon called Page Speed. This addon inspects your webpage to see how you can optimize the load time. Yahoo’s YSlow was good, but Google takes it a few steps further to even inspect your html and styles to see what can hider the render time of the page once it’s loaded.

Apart from the standard tests on if your content is gzipped, server headers are correct and enable client side caching and parallelizing downloads from differnent host names, this addon also does the following:

• Inspect your CSS files for unused styles
• Inspect your Cookie size – the bigger the cookie size, the bigger the request sent to the server everytime, since every request will send your cookies from the browser to the server
• Checks image compression ratios to see if you’re running on the optimal compression.
• Checks to see if your Javascript is minified, if not, it’ll show you how much you can save if you minify your javascripts
• Inspects the execution of Javascript on the page on load to show which Javascript files can be deferred in loading, by placing the Javascript loads at the end of the page instead of the head. This can drastically increase the page render times.
• If you load multiple Javascripts and CSS files, Page speed will give you recommendations to merge these into a single file.

Page Speed helps you improve your site’s performance based on the following categories of best practises:

• Optimizing caching — keeping your application’s data and logic off the network altogether
• Minimizing round-trip times — reducing the number of serial request-response cycleshttp://code.google.com/speed/page-speed/
• Minimizing request size — reducing upload size
• Minimizing payload size — reducing the size of responses, downloads, and cached pages
• Optimizing browser rendering — improving the browser’s layout of a page

Get Google Page Speed at: http://code.google.com/speed/page-speed/

Screenshots:

Google Page Speed Recommendations

CSS Optimization Recommendations

Javascript Minify Savings

Suggestion to Defer Javascript Loading

If you’re looking for a free native Twitter client for your S60 device, you’ve got to check out Tweets60. It’s works on S60 3rd and 5th Edition phones. As with most Twitter clients you can view your Timeline, Replies, DMs and Favorites and follow/unfollow Tweeple.  The interface is good and simple with the actions to post, reply or retweet in the Option menu.

One cool functionality in Tweets60 is that you can configure multiple access points and prioritize them. Useful when you’ve got Wifi access and then default to GPRS/3G connection when you’re not in Wifi range. If you’re on a tight data plan, this application also comes with an option to save your bandwidth by allowing you to set the refresh frequency to manual or set it to 5, 10 or 30 minutes.

For a basic twitter client – Tweets60 does it’s job pretty well. According to Ravensoft’s tweets, it looks like a pro version is in the making. I just hope the free version doesn’t get too crippled to promote the sales of the pro version.

A few missing functionalities in the current version of Tweets60 are (in my order of my preference):

• Delete & Mark Tweets as Favorites
• Custom Twitter Search Timelines
• Post images from phone to twitpic ( hopefully will be out in a future version)
• Multiple Twitter Accounts
• Theme support – A darker theme ( like Gravity? )

Get Tweet60 from : http://www.tweets60.com/