Two Cross Site Scripting Cheat Sheets

I love cheat sheets. They jog my memory about things I need to do or should test for – especially when I have not done it for a while.

From a test perspective, my favorite test value cheat sheet for cross site scripting (XSS) is http://ha.ckers.org/xss.html. If you have not tried out these samples (and variations on the themes) in your own web application, you need to do it now.

From a developer perspective, OWASP’s (Open Web Application Security Project) XSS (Cross Site Scripting) Prevention Cheat Sheet provides a set of rules to implement.
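The OWASP sheet is organized by output context: the same untrusted value needs a different encoder depending on whether it lands in element content, an attribute, a JavaScript string, or a URL parameter. The Python below is an added example (my code, not OWASP's or anything from ha.ckers.org) that implements that rule structure and then checks, with the standard-library HTML parser, that payloads in the style of the ha.ckers.org list no longer add elements, add attributes, or break out of the script literal. The page template, the payloads, and the is_intact check are all constructed for the example.

```python
"""Contextual output encoding of untrusted data, following the rule
structure of the OWASP XSS Prevention Cheat Sheet (HTML body, HTML
attribute, JavaScript string, URL parameter).  Added example; not code
from OWASP or from the ha.ckers.org list.  The template, the payloads and
the structural check are constructed for this illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import quote


def encode_html_body(s: str) -> str:
    """Rule #1: entity-encode & < > " ' / before insertion into element content."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
             '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}
    return "".join(table.get(c, c) for c in s)


def encode_html_attr(s: str) -> str:
    """Rule #2: everything below U+0100 except alphanumerics becomes &#xHH;,
    so the value can neither close a quoted attribute nor split an unquoted one."""
    return "".join(c if c.isalnum() or ord(c) > 255 else f"&#x{ord(c):02X};" for c in s)


def encode_js_string(s: str) -> str:
    """Rule #3: backslash-x (below U+0100) / backslash-u encoding for a JS
    string literal.  Escaping quotes alone is not enough: the HTML parser
    runs first, so a literal </script> in the data ends the block regardless
    of JavaScript quoting."""
    return "".join(c if c.isalnum()
                   else f"\\x{ord(c):02X}" if ord(c) < 256
                   else f"\\u{ord(c):04X}" for c in s)


def encode_url_param(s: str) -> str:
    """Rule #5: percent-encode a value placed inside a query string."""
    return quote(s, safe="")


def render_profile(name: str, encode: bool = True) -> str:
    """Hypothetical template: one untrusted value in four output contexts.
    encode=False renders the raw value, i.e. the vulnerable version."""
    body, attr, js, url = ((encode_html_body(name), encode_html_attr(name),
                            encode_js_string(name), encode_url_param(name))
                           if encode else (name,) * 4)
    return (f"<div>{body}</div>\n"
            f'<input value="{attr}">\n'
            f"<script>var n = '{js}';</script>\n"
            f'<a href="/search?q={url}">link</a>')


class _Structure(HTMLParser):
    """Record what the browser-side parser actually sees: tags, attribute
    names, and the raw text of the script block."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs, self.script, self._in_script = [], [], "", False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script += data


# A well-formed literal contains only alphanumerics and \xHH / \uHHHH escapes.
JS_LITERAL = re.compile(r"var n = '(?:[A-Za-z0-9]|\\x[0-9A-F]{2}|\\u[0-9A-F]{4})*';")


def is_intact(page: str) -> bool:
    """True iff the page still has exactly the four elements the template wrote,
    no event-handler attribute, and one well-formed JavaScript string literal."""
    p = _Structure()
    p.feed(page)
    p.close()
    return (p.tags == ["div", "input", "script", "a"]
            and not any(a.startswith("on") for a in p.attrs)
            and JS_LITERAL.fullmatch(p.script.strip()) is not None)


# Constructed test values in the style of the ha.ckers.org list; each one
# targets a different context of the template above.
PAYLOADS = [
    "<SCRIPT>alert('XSS')</SCRIPT>",        # element content
    '" onmouseover="alert(1)',              # quoted attribute
    "'; alert(1); //",                      # JS string literal
    "</script><script>alert(1)</script>",   # closes the script block itself
]

if __name__ == "__main__":
    for payload in PAYLOADS:
        print(f"{payload!r:40} raw={is_intact(render_profile(payload, False))!s:5} "
              f"encoded={is_intact(render_profile(payload))}")
```

The fourth payload is the one that catches people who only backslash-escape quotes inside a script block: the HTML tokenizer closes the element before the JavaScript parser ever sees the string, which is why Rule #3 encodes the angle brackets rather than the quotes.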


March 2011 mensming Twitter Posts


RT RKHilbertSpace Q: How to generate a random string? A: Put a fresh student in front of vi and tell him to quit.
Wed Mar 30 2011 11:46:55 (Pacific Daylight Time)

"Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris." – Larry Wall
Tue Mar 29 2011 07:56:57 (Pacific Daylight Time)

10 things I miss about old school Linux – http://tek.io/grwXii
Fri Mar 25 2011 06:58:07 (Pacific Daylight Time)

Social media sites explained in terms of pee – http://bit.ly/ftQB3y
Thu Mar 24 2011 05:29:35 (Pacific Daylight Time)

Internet Explorer versions 1 through 9 compared, signs of progress found (video) – http://engt.co/eAncXZ
Wed Mar 23 2011 08:12:20 (Pacific Daylight Time)

Posted – Tool – blindtextgenerator.com – http://bit.ly/hWFIJJ
Tue Mar 22 2011 07:24:32 (Pacific Daylight Time)

Welcome David and Ricardo to the @conenza development team.
Mon Mar 21 2011 07:00:17 (Pacific Daylight Time)

Finished reading _Rework_ by Jason Fried and David Heinemeier Hansson – Recommended – http://amzn.to/hlpFkk
Fri Mar 18 2011 07:04:23 (Pacific Daylight Time)

Funny – The History of Twitter As Ken Burns Would Tell It – http://gizmo.do/dYuSOA
Thu Mar 17 2011 06:57:39 (Pacific Daylight Time)

A Tangled Web of Shortened Links – http://bit.ly/g2sOr5
7:30 AM Mar 16th

I need to work on this – The Cult of Busy – http://bit.ly/hbkEX8
6:56 AM Mar 15th

Retro browser war: IE6 vs. Netscape in 2011 – http://bit.ly/eJ4mCo
8:28 AM Mar 14th

Snooping on Social Networks to Vet Jurors and Hire Employees – http://bit.ly/hnXRBv
9:27 AM Mar 11th

Visualized: US smartphone market share, by manufacturer and platform, made pretty – http://engt.co/ekqlGo
7:58 AM Mar 10th

10 Most Insightful Infographics About Internet – http://bit.ly/hMH78X
7:56 AM Mar 9th

2010 In Movies, As Seen On Foursquare [Graphic] – http://tcrn.ch/e1VN6X
7:27 AM Mar 8th

Read _Core JAVA Interview Questions You’ll Most Likely Be Asked_ – http://amzn.to/huLH7R – NOT recommended
7:46 AM Mar 7th

Microsoft It’s not often that we encourage you to stop using one of our products, but for #IE6, we’ll make an exception: http://bit.ly/g0wt4m
12:24 PM Mar 4th

Innovate Or Execute? – http://bit.ly/galL0t
7:53 AM Mar 4th

Conenza is looking for Community Manager http://jobvite.com/m?3n0b2fwk #job
5:42 PM Mar 3rd

A Better Filing System for Public Speakers (and Writers) #Evernote – http://bit.ly/fvkODD
7:38 AM Mar 3rd

Secure Erase Methods Probably Won’t Work on Your Solid-State Drive – http://lifehac.kr/gMVQXv
9:11 AM Mar 2nd

Encrypting Cookies in the Browser – http://bit.ly/e7i9cQ
7:51 AM Mar 1st


Velocity 2010: Tom Cook, “A Day in the Life of Facebook Operations”

Here are my notes from the Velocity 2010 lecture "A Day in the Life of Facebook Operations".

A Day in the Life of Facebook Operations
Tom Cook, Facebook
Velocity 2010
June 22-24, 2010
(40 minutes, 48 seconds)

  • Description of the size of Facebook in terms of minutes on site, pieces of new content, etc.
  • User growth curve
  • Server footprint growth curve
  • Bay area and Virginia (and soon Oregon)

The stack:
Load Balancer -> (assigns a web server)
Web Server -> (assembles data)
Services (fast, complicated), Memcached (fast, simple), Databases (slow, persistent)

Web server (HipHop for PHP)

  • source code transformer
  • converts PHP to C++, compiled with gcc

Memcached

  • 300+ TB live data in RAM

MySQL

  • persistent store
  • lots of sharding
  • facebook.com/MySQLatFacebook

Services

  • news feed, search, chat, ads, media, etc.

Operations is supplying a platform for the Facebook developers to deploy
So, below the stack, we have:

Deployment, Monitoring
Systems Management
Core Operating System

Operating System

  • Linux
  • CentOS 5 variant with custom kernel

Systems Management

  • Configuration management
    • Facebook uses CFengine
    • Update every 15 minutes, about 30 sec run on each machine
  • On demand tools
    • No open source solution that meets Facebook needs (used to use DHS)
    • Wrote their own internal tool

Deployments

  • Push for frontend code (web push)
    • At least once a day, frequently multiple times a day (bug fixes, etc.)
    • New features at least once a week
    • Built on top of on-demand control tools
    • Code distributed by BitTorrent (1 minute to push code to all servers)
  • Backend deployments
    • Formal QA process removed, QA is responsibility of engineers
    • Engineers deploy their own code
    • No ‘commit and quit’ mentality
  • Ops 'embedded' into engineering teams
    • Change logging (every change, who, start time and end time)

Monitoring

  • Ganglia (systems focus, graphing), (http://ganglia.sourceforge.net/)
  • ODS (application focus), written by Facebook
  • Nagios (ping, ssh, server up, etc.), alerting feeds into internal tools
  • Aggregate alarms, drilldown capabilities

What Facebook operations deals with…

  • Constant Growth
  • Constant Failures

Look at network as logical units and dependencies

  • Servers
  • Racks
  • Clusters (some thousands of hosts)
  • Data centers
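The monitoring and "logical units" points go together: alerting per host does not scale when a rack or a cluster fails at once, so alarms are aggregated up the hierarchy and the individual hosts are kept for drilldown. The Python below is an added example of that idea (my code, not Facebook's tooling, whose internals the talk did not show): it parses constructed Nagios-style HOST ALERT log lines, rolls DOWN hosts up server -> rack -> cluster, and emits one alarm per highest failing unit with the affected hosts attached. The topology, the thresholds and the log lines are assumptions made for the illustration.

```python
"""Roll host alerts up a server -> rack -> cluster hierarchy so that a rack
or cluster failure produces one alarm instead of one per host, keeping the
affected hosts attached for drilldown.  Added example; not Facebook's
internal tooling.  Topology, thresholds and log lines are constructed."""
import re
from collections import defaultdict

# Constructed topology: host -> (cluster, rack); 12 web hosts, 4 per rack.
TOPOLOGY = {f"web{i:03d}": ("sfo-web", f"rack{i // 4 + 1}") for i in range(12)}

# Constructed lines in the Nagios host-alert log format:
# [epoch] HOST ALERT: host;state;SOFT|HARD;attempt;plugin output
NAGIOS_LOG = """\
[1301500001] HOST ALERT: web000;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%
[1301500001] HOST ALERT: web001;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%
[1301500002] HOST ALERT: web002;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%
[1301500002] HOST ALERT: web003;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%
[1301500005] HOST ALERT: web004;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%
[1301500006] HOST ALERT: web005;DOWN;SOFT;1;PING CRITICAL - Packet loss = 60%
[1301500010] HOST ALERT: web008;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%
[1301500010] HOST ALERT: web009;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%
[1301500011] HOST ALERT: web010;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%
[1301500011] HOST ALERT: web011;DOWN;HARD;3;PING CRITICAL - Packet loss = 100%
"""

HOST_ALERT = re.compile(r"^\[\d+\] HOST ALERT: ([^;]+);(UP|DOWN|UNREACHABLE);(SOFT|HARD);")


def parse_host_alerts(text):
    """Return (host, state) for HARD state changes only; a SOFT state is
    still being retried by Nagios and should not page anyone yet."""
    found = []
    for line in text.splitlines():
        m = HOST_ALERT.match(line)
        if m and m.group(3) == "HARD":
            found.append((m.group(1), m.group(2)))
    return found


def aggregate(alerts, topology, rack_threshold=0.75, cluster_threshold=0.5):
    """Collapse host alerts into the highest failing unit.

    A rack is alarmed when >= rack_threshold of its hosts are DOWN, a cluster
    when >= cluster_threshold of its racks are alarmed (both thresholds are
    assumed values).  Alarms under an alarmed unit are suppressed, but the
    hosts behind every alarm are kept so an operator can drill down."""
    down = {host for host, state in alerts if state == "DOWN" and host in topology}
    rack_hosts = defaultdict(set)     # (cluster, rack) -> hosts
    cluster_racks = defaultdict(set)  # cluster -> racks
    for host, (cluster, rack) in topology.items():
        rack_hosts[(cluster, rack)].add(host)
        cluster_racks[cluster].add(rack)
    rack_down = {key for key, hosts in rack_hosts.items()
                 if len(hosts & down) / len(hosts) >= rack_threshold}
    cluster_down = {c for c, racks in cluster_racks.items()
                    if sum((c, r) in rack_down for r in racks) / len(racks) >= cluster_threshold}

    alarms = []
    for c in sorted(cluster_down):
        racks = sorted(r for r in cluster_racks[c] if (c, r) in rack_down)
        hosts = sorted(h for r in racks for h in rack_hosts[(c, r)] & down)
        alarms.append({"level": "cluster", "name": c, "racks": racks, "hosts": hosts})
    for c, r in sorted(rack_down):
        if c in cluster_down:
            continue  # already covered by the cluster alarm
        alarms.append({"level": "rack", "name": f"{c}/{r}",
                       "hosts": sorted(rack_hosts[(c, r)] & down)})
    for h in sorted(down):
        if topology[h] in rack_down:
            continue  # covered by a rack or cluster alarm
        alarms.append({"level": "host", "name": h, "hosts": [h]})
    return alarms


def banner(alarm):
    """One-line status, the kind of thing a tool shows in its top banner."""
    return f"{alarm['level'].upper()} {alarm['name']}: {len(alarm['hosts'])} host(s) down"


if __name__ == "__main__":
    for a in aggregate(parse_host_alerts(NAGIOS_LOG), TOPOLOGY):
        print(banner(a), "->", ", ".join(a["hosts"]))
```

With the constructed log, nine HARD host alerts collapse to two alarms: one for the cluster (racks 1 and 3 are fully down, which crosses the assumed cluster threshold) and one for the lone host in rack 2. The SOFT alert for web005 is ignored until Nagios confirms it.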

Constant Communications

  • IRC
  • Internal news updates
  • Banners on top of lots of tools with alerts as to current status
  • Change logs / feeds
  • Small teams

Recap

  • Version control everything
  • Optimize early
  • Automate
  • Use configuration management
  • Plan to fail
  • Instrument everything