Hackerific

Template Toolkit is an excellent and popular templating language for Perl. Here’s a quick tip about how to avoid cross-site scripting vulnerabilities when using it to write web apps. Suppose you have a page in your app which takes some user input and displays it, like this:

    <input name="user_supplied_input" value='[% input | html %]'>

The input could come from POSTing a form, or from a URL parameter, like:

    https://example.com/app?user_supplied_input=test

You could be forgiven for thinking that because you’ve used the HTML filter your user-supplied input will be safely encoded, but in this case you’d be wrong!

Over a year has now passed since I started playing with the Kippo honeypot, so a quick second post about my findings is long overdue! I ran Kippo on an overpriced cheap VPS with two IPs pretty much continuously between April and September 2013. That’s 5 months (154 days). I wrote a short post near the beginning of that time. In my original post on this subject I waffled a bit about how almost all of the attacking traffic I saw was from Chinese IPs and mentioned a few attempted passwords with high entropy.

Bed Against The Wall inspired me to try running Kippo, an SSH honeypot, on a spare CentOS VPS I ended up accidentally paying for. So far, I’ve completed a very basic installation by using an iptables rule to redirect traffic from Kippo’s default port of 2222 to 22 on the VPS’ second IP address, created an unprivileged user to run the Kippo scripts, then started kippo.sh as that user. At the moment, I’m just watching the logs, and I’ve left the default Kippo credentials in place (root/123456) for about a week.

I backed a recent Kickstarter project to allow Sabernetics to create and sell small I2C-powered OLED displays – the small number of IO lines required by I2C makes it an excellent bus for embedded stuff, and I love things with blue LEDs, so backing the project was a no-brainer :) The boards just arrived, so I decided to have a play by wiring one up to an Arduino and giving it a poke.

I’ve had a Cacti server for some time, but I recently decided to experiment with collectd. In this post, I’ll talk about how I ported my CurrentCost monitoring code to work with collectd.

What’s wrong with Cacti?

For a home user who just wants to monitor my router, power usage, and the odd Arduino-controlled thermometer, Cacti is fine, but the limitations are fairly obvious: Cacti is buggy – really buggy.