Dangerous use of express body-parser

December 18, 2015 — Chris Foster

Cross-Site Request Forgery, or CSRF, is a type of attack that developers are familiar with in traditional web applications, but often misunderstand or forget about when it comes to new REST APIs. Fortunately, much of this misunderstanding and lack of consideration occurs because full-page applications often don’t need to worry about CSRF. While many architectural differences in REST reduce the risk of CSRF attacks, that doesn’t mean we can simply ignore them entirely. Express’s body-parser module is a great recent example of this.

Privilege Escalation via Docker

April 22, 2015 — Chris Foster

TLDR; Don’t use the ‘docker’ group

Docker, if you aren’t already familiar with it, is a lightweight runtime and packaging tool. It’s very similar to simply running a basic virtual machine, but with much less overhead. It’s extremely nice for deploying applications as you can guarantee that they will run in identical environments, and the commit-like image system is handy as well.

If you happen to have gotten access to a user-account on a machine, and that user is a member of the ‘docker’ group, running the following command will give you a root shell:

30 Days of Casual Soylent

January 06, 2015 — Chris Foster

During the month of September 2014 I experimented with a DIY version of soylent. I know that many people have started using the food substitute as a sole source of nutrition, but I wanted to focus on using soylent in a more casual manner. Specifically, as a student, food on campus is often expensive and homemade lunches are often difficult to carry around, not nutritious, or require reheating. Soylent is none of those things, so for a student I was suspecting it might make an ideal lunch substitute.

Getting Started with WebRTC Data Channels

November 19, 2014 — Chris Foster

WebRTC data channels are in a strange state where many people are excited about them, but are not sure how to approach them due to their currently volatile nature. The standard has been rapidly changing, leaving many of the examples and resources regarding WebRTC outdated or incomplete. Unfortunately, a developer looking to get started with WebRTC data channels can be having a pretty bad time right now.

Data channels have especially been shadowed by the audio and video capabilities of WebRTC. Many documentation pages and tutorials feature incomplete examples, with the full demos being too complex to easily follow and understand. This article will approach WebRTC from the data channel only view.

So, in the spirit of supporting development, here is a complete example of working WebRTC data channels with the latest Google Chrome, version 43 (demo below).

Collections and Embedded Documents in MongoDB

October 22, 2013 — Chris Foster

When someone is approaching MongoDB from the SQL world, a very common confusion regarding database structure is when to use embedded documents, and when to create an entirely new collection. This distinction is very important because, although MongoDB is schemaless in nature, whether or not an element of your database is structured as embedded documents or a separate collection will change your code a fair amount. Making this change later on can represent a fair amount of work, so it helps to get this right the first time.

Creating a private CI with Strider

August 16, 2013 — Chris Foster

Continuous integration and deployment servers are vital to the development process. Especially for web applications, being able to immediately test your branches and automatically deploy them is invaluable. Strider is a new open-source continuous deployment suite written in Node.js. While it is quite new and not without quirks, it features web hooks, email alerts, full GitHub integration, account management, Heroku deployment, and Sauce Labs integration.

This article is a quick tutorial on how to set up your own in-house installation of Strider on a Digital Ocean VPS as low as $5/month.

Exploiting Filepicker.io

October 11, 2012 — Chris Foster

EDIT: I received an email from Filepicker CEO, Brett van Zuiden.

Filepicker.io is awesome. It is damn easy to use, and saved me tons of time that would have been wasted trying to create my own (and worse) alternative image uploading support. The API is easy, but still extensively customizable when needed, and gives you all of this control directly from the JavaScript call to getFile().

As fantastic as this service is, however, that last bit struck me as odd.

Modular rapid web application development

August 17, 2012 — Chris Foster

While at the KIC, I've been doing contract web development work. The project that I've been developing for has a launch goal of the start of the school year, meaning this upcoming September. We are hoping to have a functional, operational version to display by that time. I hope I can convey the general size of this project when I say that this is a very significant undertaking.

Discovering explosive productivity

August 10, 2012 — Chris Foster

This Friday is now my third week at the Kamloops Innovation Centre, and these last five days I have taken the time to reflect on how much more productive I have been since I've had the opportunity to set up here. Actually, not only productive, but how much more efficient.

Two weeks of awesome.

August 03, 2012 — Chris Foster

Hello!

I'm Chris Foster. I have a passion for code and technology, and in the coming fall I will be pursuing that passion professionally at Thompson Rivers University. In the meantime, I've been doing contract web application development to entertain myself.