Capybara for automating Pen-Tests

After a successful penetration test a re-test is performed. The common approach is that the customer fixes the code and I perform the necessary steps to confirm that that initial security breach was closed. Sometimes it takes the customer a couple of tries to achieve that. Most security problems (XSS, CSRF, SQLi) can easily be automated tested, but I had problems automating server-side authentication and authorization problems. The test would have to emulate multiple parallel user sessions. The tests mostly consists of one session trying to access the resources of another user session. ...

September 9, 2014 · 3 min · 488 words · Andreas Happe

Migrating to Middleman

My blog has a history of migrations. It started as wordpress, then was converted Octopress. After Octopress was missing update-love and jekyll started to be actively maintained again it switched over to jekyll. And now, it finally is based upon Middleman. Sorry for any inconvinient bugs or layout errors that will happen during the migration. Why have I switched to middleman? as I’m a RoR devleoper it seems better suited for me. Jekyll always seemed to be the choice for “web designer that need to add some dynamic content” while middleman seems to incorporate the “web developer that needs some blog”-attitude nice integration with bundler existing plugins for deployment. This replaced a lot of custom cruft that I had to initially write for myself when I was using jekyll While in there I’ve switched from bootstrap to bourbon/neat/bitters. Let’s see how this works out. Wouldn’t mind the framework to be called Islay though. ...

September 9, 2014 · 1 min · 153 words · Andreas Happe

Linux: How to forward port 3000 to port 80

Another small tip: to locally forward port 80 to port 3000 use the following Linux iptables command: $ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000 You can use this command to allow customers to connect to your locally run Ruby on Rails setup (as long as you have some port forwarding set up on your local router). I am using this to develop facebook open graph apps as the application URL (that is configured within facebook’s app controll page) cannot include a custom port (like 3000). ...

November 18, 2012 · 1 min · 93 words · Andreas Happe

Moving OctoPress to Amazon S3 and CloudFront

OctoPress is embraced for its simplicity: write blog posts, save them, generate HTML pages and move those upon a web server. As no code is executed server-side every page can be cached and security risks are low. So far I’m hosting my blog on a rented hetzner root-server in Germany. While there’s no server-side security problem I’m still using a full blown server which imposes maintenance overhead on me. No peace of mind. An alternative would be moving to the cloud (Amazon’s S3 storage in my case), but is it worth it? ...

November 3, 2012 · 5 min · 994 words · Andreas Happe

Generating PDFs with wicked_pdf

Ruby on Rails is perfect for creating web applications but sometimes you just need to create some documents which can be stored or send through email. While printing is no problem with CSS not all users are able to “save/print page as pdf”. The ubiquitous Adobe PDF file format seems to be a perfect solution for this problem. The common solution for this is Prawn (also see the RailsCast about it). Alas prawn uses a custom DSL for defining and styling the document and I would rather prefer to reuse existing view partials. princeXML seems to solve this: it transforms existing HTML/CSS into pdf. This allows to reuse existing views and partials but comes with a hefty price-tag of $3500+. ...

May 1, 2012 · 4 min · 670 words · Andreas Happe