Showing posts from November, 2012

Setting default encoding to UTF-8 in Python

After a long struggle to fix an error thrown by my Python script, I finally figured out an easy way to do it. As we know, Python's default encoding is ASCII (0-127); anything beyond that, i.e. non-ASCII characters, raises a UnicodeEncodeError. To fix it, we need to use UTF-8 encoding, which covers most characters. The easiest way to do that is:

1. Go to your Python setup directory and then into lib, e.g. C:\Python27\lib
2. Look for the site.py file, which is used for site-specific configuration.
3. Edit it: go to the setencoding() function and change the line
   encoding = "ascii"
   to
   encoding = "utf-8"

That's it!
I don't know the other implications of editing it right in the site.py file, but it worked for me, and I found it the easiest way to change the encoding!
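The site.py edit above changes the interpreter-wide default for Python 2. As an added example (not code from the original post), the block below shows the same failure mode and fix at the level of an individual string and file: encoding non-ASCII text with the ascii codec raises UnicodeEncodeError, while utf-8 round-trips it, and passing an explicit encoding at the I/O boundary avoids relying on the process default at all. It runs on Python 3, where sys.getdefaultencoding() already reports 'utf-8'; the sample text is constructed for the example.

```python
import os
import sys
import tempfile

# Constructed sample containing characters outside the ASCII range 0-127.
SAMPLE_TEXT = "caf\u00e9 na\u00efve \u2013 \u00fcnic\u00f6de"


def try_encode(text, codec):
    """Encode `text` with `codec`; return (True, bytes) or (False, exception name)."""
    try:
        return True, text.encode(codec)
    except UnicodeEncodeError as exc:
        return False, type(exc).__name__


def interpreter_default_encoding():
    """The process-wide default that the site.py edit changes on Python 2.
    On Python 3 this is already 'utf-8' and cannot be changed at runtime."""
    return sys.getdefaultencoding()


def write_and_read_back(text, codec="utf-8"):
    """Write `text` to a temporary file with an explicit codec and read it back.
    Naming the encoding at the boundary means the result does not depend on
    whatever the interpreter default happens to be."""
    path = None
    try:
        with tempfile.NamedTemporaryFile("w", encoding=codec, suffix=".txt",
                                         delete=False) as fh:
            fh.write(text)
            path = fh.name
        with open(path, "r", encoding=codec) as fh:
            return fh.read()
    finally:
        if path and os.path.exists(path):
            os.remove(path)


if __name__ == "__main__":
    print("default encoding:", interpreter_default_encoding())
    print("ascii :", try_encode(SAMPLE_TEXT, "ascii"))
    print("utf-8 :", try_encode(SAMPLE_TEXT, "utf-8"))
    print("round trip ok:", write_and_read_back(SAMPLE_TEXT) == SAMPLE_TEXT)
```

The ascii attempt fails with UnicodeEncodeError exactly as the post describes, and the utf-8 attempt succeeds; the file helper shows that a per-call encoding argument is enough, so editing site.py is not the only way to get there.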

URL rewriting and CSRF

Is URL rewriting a mitigation for CSRF? Though I'm almost sure it's not a foolproof solution, I put this query to all the security gurus out there on webappsec.

The application in question replaced all its URLs with randomized, unique long strings in this format:

https://mysite.com/myportal/b1/04_SjzQ0NTYyNzS2MLTUj9CPykssy0xPLMnMz0vMAfGjzOJDfU19LNxMTQwsAoydDDyNXb0cnc2dDA2czfRzoxwVAVLe6h0!/

The url was long enough and sufficiently randomized.

The argument in favor of randomized URLs as a CSRF mitigation is that even if an attacker is able to grab the URL, it won't be valid for the next session. So the attacker can't exploit it by sending it or embedding it in a link, image, etc., as it would be invalid. Thus CSRF is mitigated.

But let's consider the scenario wherein an attacker goes to a logged-in victim's machine, applies his social engineering tricks, notes down the URL, and convinces the user to click the forged link sent to him. If the user stays at the same page, he gets exploited. Th…
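The two arguments above come down to one question: how long does a captured URL stay valid? The following added example (my own model, not the application's code) makes that window concrete. A SessionStore issues a random token per session, like the randomized path segment in the example URL, and validate() accepts a request only if the presented token matches the session's live token. With the default session-long token, a captured URL works for every request until the session ends, which is the scenario in the last paragraph; with rotate=True the token is replaced after each accepted request, so a captured URL is good for at most one request. Session ids, tokens and the URL builder are constructed for the example.

```python
import hmac
import secrets


class SessionStore:
    """In-memory model of per-session URL tokens (constructed for this example)."""

    def __init__(self):
        self._tokens = {}  # session_id -> currently valid token

    def new_session(self):
        """Start a session and issue its randomized, unguessable token."""
        sid = secrets.token_hex(16)
        self._tokens[sid] = secrets.token_urlsafe(48)
        return sid

    def current_token(self, sid):
        return self._tokens[sid]

    def end_session(self, sid):
        """Ending the session is what makes the captured URL invalid."""
        self._tokens.pop(sid, None)

    def validate(self, sid, presented, rotate=False):
        """Accept the request only if `presented` equals the session's live token.
        Constant-time comparison avoids leaking the token through timing.
        With rotate=True the token is replaced after each accepted request."""
        expected = self._tokens.get(sid)
        if expected is None or not hmac.compare_digest(expected, presented):
            return False
        if rotate:
            self._tokens[sid] = secrets.token_urlsafe(48)
        return True


def build_url(token):
    """Shape of the rewritten URL from the post, with the token as the path segment."""
    return f"https://mysite.com/myportal/{token}/"


def validity_window(rotate):
    """Return how many times a token captured once is accepted in the same session."""
    store = SessionStore()
    sid = store.new_session()
    captured = store.current_token(sid)
    accepted = 0
    for _ in range(3):
        if store.validate(sid, captured, rotate=rotate):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("session-long token, accepted requests:", validity_window(rotate=False))
    print("per-request token, accepted requests: ", validity_window(rotate=True))
```

Running it prints 3 accepted requests for the session-long token and 1 for the rotating one. The point for a reviewer is that the randomized URL is a secret carried in the URL, so its protection is only as good as the secrecy and lifetime of that URL; narrowing the lifetime helps, but the URL is still exposed in the address bar, browser history and referrers in a way that the usual hidden-field or header-borne CSRF token is not.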