Latest posts

Levi Gross

Security Concerns With Python’s urllib and urllib2

Applications written in Python should not use urllib and urllib2 for the following reasons.

  1. External proxy support isn’t trivial to implement, which usually means it isn’t implemented at all.
  2. The urlopen functionality does not implement ANY SSL verification (true of urllib2 in the Python 2 releases current when this was written; Python 2.7.9 and 3.4.3 later made certificate verification the default).
  3. Many types of URLs are supported, including file://, so a URL taken from user input can be pointed at the local filesystem.

For ...
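The three points above in running code. This is an added example written for this page, not code from the post, and it uses Python 3's urllib.request (the successor of urllib/urllib2) so it can be run today. It first shows point 3 directly, reading a constructed temp file through a file:// URL, then a hypothetical hardened wrapper (safe_urlopen, check_url, build_opener are my names) that rejects non-https URLs before any I/O, verifies certificates and hostnames, and stops urlopen from silently picking up HTTP_PROXY/HTTPS_PROXY from the environment.

```python
import ssl
import tempfile
import urllib.parse
import urllib.request
from pathlib import Path

# Constructed sample content, standing in for any local file a file:// URL could reach.
SAMPLE_SECRET = b"db_password=hunter2\n"


def urlopen_reads_local_files():
    """Point 3: urlopen() follows file:// URLs and hands back the file.

    Writes a constructed temp file, fetches it through urllib exactly as an
    application would fetch a user-supplied URL, and returns the bytes.
    """
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(SAMPLE_SECRET)
        path = Path(fh.name)
    try:
        with urllib.request.urlopen(path.as_uri()) as resp:
            return resp.read()
    finally:
        path.unlink()


# Hypothetical hardened wrapper (assumption: only https fetches are wanted).
ALLOWED_SCHEMES = frozenset({"https"})


def default_tls_context():
    """Point 2: a context that requires a valid chain AND a matching hostname."""
    return ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True


def build_opener(use_env_proxies=False):
    """Point 1: proxy use becomes an explicit decision.

    urlopen()'s default ProxyHandler reads HTTP_PROXY/HTTPS_PROXY from the
    environment; passing an empty mapping installs a handler with no proxies,
    so a stray environment variable cannot reroute traffic.
    """
    handlers = [urllib.request.HTTPSHandler(context=default_tls_context())]
    if not use_env_proxies:
        handlers.append(urllib.request.ProxyHandler({}))
    return urllib.request.build_opener(*handlers)


def check_url(url):
    """Reject anything that is not an absolute https URL with a host.

    The scheme check happens on the string, before any handler is chosen, so
    file://, ftp://, data: and plain http:// never reach the network stack.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return parts


def is_allowed(url):
    """Boolean form of check_url() for callers that prefer not to catch."""
    try:
        check_url(url)
    except ValueError:
        return False
    return True


def safe_urlopen(url, timeout=10):
    """Validated fetch: scheme/host check, verified TLS, no ambient proxies."""
    check_url(url)
    return build_opener().open(url, timeout=timeout)
```

The validation is deliberately an allowlist (https only) rather than a denylist of bad schemes, since urllib's handler list also covers ftp, data and local files and a denylist has to be kept in step with it.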

Levi Gross

How to find XSS in Knockout.js applications

Knockout is an easy-to-use JavaScript MVC framework. Honestly it is one of my favorites to work with. I find the barrier to entry to be minimal and it still packs quite a punch in functionality.

Knockout works by making use of the data-bind HTML tag attribute and replaces ...

Levi Gross

How to write an encrypt and decrypt API for data at rest in Node.JS

The following code can be used to encrypt data at rest using Node.JS. The snippet is self-contained and should be slightly modified so that key generation doesn't happen every time the code is executed.

/*
 Copyright 2014 Levi Gross. All Rights Reserved.

 Licensed under the Apache License, Version ...

Levi Gross

Spot the vulnerability

I wrote some code today to extract zip files in Go. The code includes a security issue, can you spot it?

Not for use in a real environment!

package main

import (
    "archive/zip"
    "flag"
    "fmt"
    "io"
    "log"
    "os"
    "path"
    "path/filepath"
)

var file_name = flag.String("file_name",
    "", "This is the zip file ...
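The post's answer is not on this page, and the Go above is cut off before the extraction loop. Whatever line the author had in mind, the check that any extractor building output paths from archive entry names has to make is shown here: an entry name such as ../../x or an absolute path must not be allowed to land outside the destination directory. This is an added example, mine rather than the post's code, written in Python to match the other examples on this page; the archive it extracts is constructed in memory (build_sample_zip), and safe_dest_path, naive_dest_path, extract and run_demo are my names.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip():
    """Constructed archive: one benign entry and one whose name climbs out of
    the extraction directory. zipfile stores the name as given, so '..' survives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        zf.writestr("../../escaped.txt", "pwned\n")
    return buf.getvalue()


def naive_dest_path(dest_dir, member_name):
    """What an extractor that just joins dir + entry name ends up writing to."""
    return os.path.normpath(os.path.join(dest_dir, member_name))


def safe_dest_path(dest_dir, member_name):
    """Return the path a member may be written to, or raise if it would land
    outside dest_dir.

    Both sides are resolved with realpath so symlinked temp dirs compare
    equal, and containment is tested with commonpath rather than a string
    prefix (otherwise /out/x would wrongly contain /out/xyz/...).  An
    absolute entry name makes os.path.join discard dest_dir entirely, which
    the same test also catches.
    """
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, member_name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"entry escapes extraction dir: {member_name!r}")
    return target


def is_contained(dest_dir, member_name):
    """Boolean form of safe_dest_path()."""
    try:
        safe_dest_path(dest_dir, member_name)
    except ValueError:
        return False
    return True


def extract(zip_bytes, dest_dir):
    """Extract by hand, checking every entry.

    The stdlib's extractall() silently strips '..' segments, which would hide
    the very case this check exists for, so entries are written explicitly.
    Returns (absolute paths written, entry names rejected).
    """
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_dest_path(dest_dir, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written, rejected


def run_demo():
    """Extract the constructed archive into a fresh temp dir and report the
    files that were written (relative to it) and the entries refused."""
    with tempfile.TemporaryDirectory() as dest:
        root = os.path.realpath(dest)
        written, rejected = extract(build_sample_zip(), dest)
        contents = {}
        for p in written:
            with open(p) as fh:
                contents[os.path.relpath(p, root)] = fh.read()
    return contents, rejected
```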

Levi Gross

Constant Time Comparison Functions in… Python, Haskell, Clojure, Java etc.

Here is a list of constant time comparison functions to protect yourself against side-channel timing attacks.

Clojure

; Taken from https://github.com/weavejester/crypto-equality/blob/master/src/crypto/equality.clj

(ns crypto.equality
  "Securely test sequences of data for equality.")

(defn eq?
  "Test whether two sequences of characters or bytes ...
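The Python entry in the list is cut off above, so here is an added example (mine, not the post's) of the same pattern the Clojure eq? uses, beside the early-exit comparison it replaces. Timing in Python is too noisy to measure directly, so each function also returns how many byte pairs it inspected: the early-exit version's count grows with the length of the correct prefix, which is exactly what a remote attacker measures through the clock. verify_tag then shows the production form, hmac.compare_digest, on a constructed key and message; naive_equals, constant_time_equals, make_tag and verify_tag are my names.

```python
import hashlib
import hmac

# Constructed sample values, not from the post.
KEY = b"example-key-do-not-use"
MESSAGE = b'{"user": "alice", "role": "admin"}'


def naive_equals(a, b):
    """Early-exit comparison, roughly what == does for strings.

    Returns (equal, steps) where steps is the number of byte pairs examined.
    The loop stops at the first mismatch, so steps (and elapsed time) reveal
    how many leading bytes of the guess were right.
    """
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_equals(a, b):
    """Pattern used by the Clojure eq? above: XOR each byte pair, OR the
    results into one accumulator, and only look at it after the loop.

    A length mismatch is folded into the accumulator instead of returning
    early, so unequal inputs of the same length always cost the same number
    of steps whether they differ in the first byte or the last.
    """
    result = len(a) ^ len(b)
    steps = 0
    for x, y in zip(a, b):  # zip stops at the shorter input
        steps += 1
        result |= x ^ y
    return result == 0, steps


def make_tag(key, message):
    """HMAC-SHA256 over the message: what a server stores or sends alongside it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key, message, presented_tag):
    """Production check: recompute the MAC and compare with the stdlib's
    hmac.compare_digest rather than a hand-rolled loop."""
    expected = make_tag(key, message)
    return hmac.compare_digest(expected, presented_tag)
```

The length of a MAC or token is public, so leaking a length mismatch is acceptable; what must not leak is where inside two equal-length values the first difference sits.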

Levi Gross

Django Security Interview Questions

I feel that every Django developer should know the answer to the questions below. If you don’t, look it up.

  • What is wrong with the following template snippet?
<a href="http://www.google.com/" class={{ user_class }} >Google</a>
  • Identify the security vulnerability in the following code. What is it ...
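The answer to the first question is not given on this page, so here is an added example (mine, not the post's) of what a browser makes of that snippet. Django's autoescaping entity-encodes only the characters & < > " and ', which the standard library's html.escape reproduces; it leaves spaces and = alone, so a value placed into an attribute that has no quotes around it can simply continue with a second attribute. The rendered markup is parsed with the stdlib HTMLParser to show which attributes the anchor ends up with; autoescape, render, anchor_attributes and the two template strings are my names.

```python
import html
from html.parser import HTMLParser

# The snippet from the question, with the single-argument str.format slot
# standing in for {{ user_class }}, and the quoted form it should have used.
UNQUOTED_TEMPLATE = '<a href="http://www.google.com/" class={} >Google</a>'
QUOTED_TEMPLATE = '<a href="http://www.google.com/" class="{}" >Google</a>'


def autoescape(value):
    """Django autoescaping, reproduced with the stdlib: encodes & < > " and '
    as entities and nothing else. Spaces and '=' pass straight through."""
    return html.escape(str(value), quote=True)


def render(template, user_class):
    """Render the way the template engine would with autoescape on."""
    return template.format(autoescape(user_class))


class _AnchorAttrs(HTMLParser):
    """Collects the attributes of the first <a> tag seen."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(markup):
    """Return the <a> tag's attributes as a browser-style parser sees them."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


# Constructed attacker-controlled value: no < > " or ' in it, so escaping
# changes nothing, yet the space and '=' are enough to add an event handler
# when the attribute is unquoted.
PAYLOAD = "x onmouseover=alert(1)"


def unquoted_attack_succeeds():
    """True if the unquoted template lets PAYLOAD add an onmouseover attribute."""
    return "onmouseover" in anchor_attributes(render(UNQUOTED_TEMPLATE, PAYLOAD))


def quoted_attack_succeeds():
    """Same payload against the quoted template: it stays inside class=""."""
    return "onmouseover" in anchor_attributes(render(QUOTED_TEMPLATE, PAYLOAD))
```

Autoescaping is doing its job in both renderings; the defect is in the template. Quoting the attribute turns the problem back into one that escaping " does solve, which is why the quoted form resists the payload and also resists a value such as x" onmouseover="alert(1) that tries to close the quote.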

Levi Gross

37 Tips For Interviewing a tech company

This is a list of things that I look out for when joining companies that I don’t know much about. You may not agree with everything listed here. I welcome your feedback and counter arguments.

What to avoid

1. Avoid companies that are obsessed with a specific technology stack ...

Levi Gross

Welcome to My new Blog

Welcome to the new version of LeviGross.com

I have decided to move off of Tumblr (because no one likes fighting with their blog to display content). I am going to move everything from Tumblr within the next few days (hopefully), so please be patient.

I will import the items ...