
Sunday, January 24, 2010

tweets inline in any webpage with Blackbird Pie - Twitter's new embedding service


RE: @venturebeat i totally wrote this service way before them so lame twitter stole my idea :( but … than a minute ago via DISQUS

it's a pretty simple service called Blackbird Pie: you just paste in a tweet url and boom, the embed code is ready... so ends my development on this, but i may still make my conversation embed code... we will have to see

Here's the original... i really did make it first (look at the dates)

Everyone is going nuts for twitter... everyone has an account and everyone seems to be tweeting... and something i noticed is that news stories are starting to have more and more screenshots of interesting or newsworthy tweets without including links to the original tweet... i think this is kinda lame because we can't see where it came from, and taking a screenshot of a tweet just to include it in a post is a waste of time in my opinion. So i went looking for an easy way to embed tweets into websites and surprisingly i came up empty handed :( that's where being a programmer has its advantages... i looked up the twitter API and got to work. i wanted something that would still look like a tweet, so i mimicked the layout of tweets from a stream and had it do some neat stuff like pull the user's profile link text and colors so it was styled correctly, and now when cool people like @mattcutts tweet about you, you can show off the tweet without even having to take a screenshot

that's one of the reasons i think twitter is so cool... it's like you can just reach out and talk to companies and celebrities and interact with people who you probably would never have met. so after that way cool demonstration above, here's the code
<script src=""></script>
it's that easy! tid is the tweet id from the tweet's url; for the one above, the part after /status/ is what you want. that's the unique id for that tweet and it goes in the tid=someidhere parameter that tells the javascript which one to pull...

please don't forget to tweet this, i'd like to get some good visibility on this gadget so we can stop seeing screenshots of tweets. Original post on Easily embedding tweets

i also added some other cool features into it:

tid= is a required parameter for which tweet to pull but you can also use

width= is an optional parameter for how wide the div that is written should be

showreply=t is an optional parameter that adds a reply link so you can respond to the embedded tweet (also accepts showreply=true)

bgclr= is an optional parameter that is the background color of the tweet div. default is white, so use bgclr=transparent to turn it off or set it to another color

showbdr=f is an optional parameter that turns top and bottom borders off (also accepts showbdr=false)

here is an example of the different parameters being used:

and then there was code...
<script src=""></script>

i intended this gadget to be used by people writing webpages and blogs, where you usually have the ability to write a <script>, but if you don't you can use the iframe version (for things like google sites)
here's an example:

and again the code:
<iframe src="" height="66" scrolling="no" frameborder="0" width="570"></iframe>
it takes all the same arguments as the javascript version but you pass the parameter &iframe=t and use an iframe tag instead of a script tag... i'd also recommend turning off borders and scrollbars. the default tweet height is about 66 but you may have to adjust it as iframes can't resize themselves (note &iframe=true works too)

i had a few challenges when coding this... i wanted to make it super small and efficient without having to load a bunch of external javascript or css, so i used code to emulate the a:hover pseudo-class and used all inline CSS. i also compressed the code with Google's Closure Compiler to get the javascript as tiny as possible. also the twitter api returns the tweet text plain, so i hacked up some regex i found so it would properly display the @username and #hashtag links as well as whatever urls happen to appear. the last problem i had was making the time messages that say things like "about an hour ago", but an article i found had a good idea to steal some js from the twitter gadget, so i borrowed and modified a small snippet of that so my time codes looked like twitter's... i hope you find it useful and enjoy!
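The two pieces described above (linkifying the plain tweet text and the relative timestamps), as an added example that is not the gadget's own code. It also validates the profile colour the API returns before it is used inline; the twitter.com link targets are assumptions.

```javascript
// Added example, not the gadget's own code: turn the plain tweet text the
// Twitter API returns into HTML with @user, #tag and URL links plus a
// Twitter-style relative timestamp; text is escaped before links are built.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

function linkifyTweet(text) {
  // Only http(s) URLs are linked, so "javascript:" in a tweet stays plain text.
  var token = /(https?:\/\/[^\s<>"']+)|@(\w{1,15})|#(\w+)/g;
  var out = '', last = 0, m;
  while ((m = token.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    if (m[1]) {            // URL: escaped both in href and in the link text
      out += '<a href="' + escapeHtml(m[1]) + '">' + escapeHtml(m[1]) + '</a>';
    } else if (m[2] && (m.index === 0 || !/\w/.test(text[m.index - 1]))) {
      out += '<a href="https://twitter.com/' + m[2] + '">@' + m[2] + '</a>';
    } else if (m[3]) {     // hashtag; the search URL is an assumed link target
      out += '<a href="https://twitter.com/search?q=%23' + m[3] + '">#' + m[3] + '</a>';
    } else {               // "@" inside a word (an e-mail address) is not a mention
      out += escapeHtml(m[0]);
    }
    last = token.lastIndex;
  }
  return out + escapeHtml(text.slice(last));
}

// Profile colours from the API are untrusted strings; only a real hex value is
// allowed into the inline style, anything else falls back to a default.
function safeColor(hex, fallback) {
  return /^[0-9a-fA-F]{6}$/.test(String(hex)) ? '#' + hex : fallback;
}

// Relative time in the style of the Twitter stream ("about an hour ago").
function relativeTime(thenMs, nowMs) {
  var secs = Math.round((nowMs - thenMs) / 1000);
  if (secs < 60) return 'less than a minute ago';
  if (secs < 120) return 'about a minute ago';
  if (secs < 3600) return Math.floor(secs / 60) + ' minutes ago';
  if (secs < 7200) return 'about an hour ago';
  if (secs < 86400) return 'about ' + Math.floor(secs / 3600) + ' hours ago';
  var days = Math.floor(secs / 86400);
  return days === 1 ? '1 day ago' : days + ' days ago';
}

// Constructed sample text (not a real API response) exercising each token type.
var SAMPLE_TEXT = 'thanks @mattcutts see http://example.com/#top #seo <b>x</b>';
var SAMPLE_HTML = linkifyTweet(SAMPLE_TEXT);
```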

you may also like my script to embed all tweets about a URL too

Wednesday, January 20, 2010

The persistent XSS hole I found in

I like to dabble in security... xss holes are fast and easy. The first one i ever found was on the online editor Aviary when i was a beta tester... it was a small one. They had scrubbed html in every field (.net had done it for them) but they had forgotten to sanitize the input from the filename in their flash app and i got my tags in! woohoo XSS holes. I happened to be checking my Wells Fargo account, where you can nickname your accounts... and i thought to myself: self, i wonder if i could put some html in my account nickname and have it render... let's try it :)


We got tags

but i was dealing with a character limit... a common problem with cross site scripting attacks, but no matter, i decided to try for the long shot... i used chrome to change the max length of the text field to something i could really put some code in, fully not expecting it to work, and then boom, i got an entire script tag with a javascript alert... and it's persistent!

how i changed the max length of the text field:

the next morning i tried to find the correct people to call and got to the phishing department but not the real web guys... then i was really impressed... i got a call from their online fraud department; they had detected that html was being posted from my account and I quickly offered up that it was me who was inserting the HTML and told them about the hole (this was months ago and i'm sure they fixed the hole by now, so i don't think i'm hurting anything by posting this, and i'm sure i will know if they think otherwise). but anyways the cool part is that even though they weren't aware of the hole their system detected the XSS anyways... way cool and props to you security guys at Wells Fargo! i was asked not to try and attack the account portal anymore (so i wouldn't set off alarms again) and was thanked for letting them know about the hole... it was a small one, but some javascript left by an attacker could send the balance to a remote server and then steal cookies (i'm sure stealing cookies wouldn't work, but for the sake of this argument) and, if there was a large enough balance, alert the attackers. also because it is a persistent attack and the html doesn't render on the screen, the script could sit there for a long time without the user ever knowing

so how do you protect the applications you write from XSS attacks? the answer is simple... it's the same as protecting against SQL injection... sanitize all user input before anything is written to the screen. Stripping html with regular expressions is always a good start, and for god's sake please force character limits on the server side and don't expect the HTML maxlength="20" to do your job for you
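The server-side half of that advice, as an added example that is neither the bank's nor the author's code: the nickname field's 20 character limit and an assumed allow-list of characters are enforced again on the server, where editing the form's maxlength changes nothing. It rejects rather than strips, which is a choice made here, not one the post makes.

```javascript
// Added example, not the bank's or the author's code: the server-side half of
// the defence described above, for an account nickname field with a 20
// character limit. The HTML maxlength is only a hint to the browser (the post
// shows it being edited away in the dev tools), so the limit and the allowed
// characters are checked again here, where the attacker cannot change them.
var NICKNAME_MAX = 20;                   // same limit as the form's maxlength="20"
var NICKNAME_OK = /^[A-Za-z0-9 .\-]+$/;  // assumed allow-list: no <, >, &, quotes

// Returns { ok: true, value } or { ok: false, reason }; rejects rather than
// strips, so a nickname that carried markup never reaches the database.
function validateNickname(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  var value = raw.trim();
  if (value.length === 0) return { ok: false, reason: 'empty' };
  if (!NICKNAME_OK.test(value)) return { ok: false, reason: 'disallowed characters' };
  if (value.length > NICKNAME_MAX) return { ok: false, reason: 'too long' };
  return { ok: true, value: value };
}

// Hypothetical request handler: body.nickname is whatever the client sent,
// which may be longer than maxlength or contain tags.
function handleNicknameUpdate(body) {
  var result = validateNickname(body.nickname);
  if (!result.ok) return { status: 400, error: 'nickname ' + result.reason };
  return { status: 200, nickname: result.value };
}

// Constructed requests: a normal rename, a tag-bearing one like the alert in
// the post, an over-length one, and one with no nickname field at all.
var CONSTRUCTED_REQUESTS = [
  { nickname: 'Checking' },
  { nickname: '<script>alert(1)</script>' },
  { nickname: 'x'.repeat(21) },
  {}
];
var RESULTS = CONSTRUCTED_REQUESTS.map(handleNicknameUpdate);
```

The stored value still gets HTML-encoded when it is written back into the page; the allow-list is defence in depth for a field that only ever needs plain text, and would need widening for names with non-ASCII characters.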

below is my javascript alert with the cross site scripting hole in... those guys do a great job and i've been a customer for like 7 years. Wells Fargo is awesome and i hope they don't make me take this down, because it is a great example of this attack and they did catch it, so there really wasn't that bad of a security problem...

i'd love to hear your questions / comments / concerns about this article, bother me on twitter, i'm @cartercole and i love to answer any of your questions...

Sunday, January 3, 2010

Consuming Google Data APIs with ASP

recently i did a post about a forum spamming attack that i analyzed and included some exports from my Google Analytics. to create that report i used an HTTPhelper i created that wraps the WinHTTP object in ASP and makes it really easy to make external requests and pull data from the Google Data API. it's easy to pull different segments and data if you use the data feed query explorer to create the request url (the second test.url in the code below), then just parse the xml and output as desired... unfortunately i haven't found a good asp oauth library (recommend one to @cartercole)

the code is here but i also have included it below in this post...

this post contains code see it here

it's easy to pull data from the other APIs but it's sometimes hard to find the correct service string to pass, so here's my cheat sheet. i'm all for helping / suggestions so please leave your comments, they are always appreciated (and so are links)

Google API                        Service name
Google Analytics Data APIs        analytics
Google Apps Provisioning APIs     apps
Google Base Data API              gbase
Google Sites Data API             jotspot
Blogger Data API                  blogger
Book Search Data API              print
Calendar Data API                 cl
Google Code Search Data API       codesearch
Contacts Data API                 cp
Documents List Data API           writely
Finance Data API                  finance
Gmail Atom feed                   mail
Health Data API                   health
Maps Data APIs                    local
Picasa Web Albums Data API        lh2
Sidewiki Data API                 annotateweb
Spreadsheets Data API             wise
Webmaster Tools API               sitemaps
YouTube Data API                  youtube
and here is my HTTPhelper class... it does some cool stuff like building post data from a dictionary object and has all the stuff to do authentication and set headers for the request (much easier for me because i forget the methods and have to look them up), so if it's helpful for you please feel free to use it :) woohoo open source!

thanks for reading and i hope this helps you do more with the data APIs and get to your data more easily...

Friday, January 1, 2010

Analysis of Forum Spam Attack - My Spam Trap

Hi guys it's Carter again... I recently found that a friend's forum had been spammed when i was checking site links with my SEO Tools, and i wanted to share some of my findings after i analyzed the attack on his site. His domain had 863 links from 350 unique domains so i went to see what was going on... i found his phpBB forum had been spammed. oh noes! We had turned off CAPTCHA and didn't expect many people to join the forum, but security through obscurity failed and a Russian spammer got us. so when i went to fix it i thought i'd run a quick experiment... because the forum had little activity we decided to pull the whole thing out and i used a redirect to catch the visits the spam would have received

This Is My Spam Trap

The spam trap has received 194 visits since 2009-12-19, which is crazy because it means these spam campaigns are probably worthwhile, at least for a while until they get caught... because forums let you create links that are of value (not nofollowed) i've seen this campaign do stuff from installing malware to affiliates for adult sites, and here's my wall of shame... i know it's not their fault :) i'm in the process of contacting the webmasters of these sites so they can get cleaned up, and this list isn't all inclusive (if the referrer isn't passed it won't show in this list)

Wall of Spam

i dunno, i just wanted to share some of my findings... i'd love to hear from anyone on their thoughts or ideas on how to combat this. thanks for your time and i hope you liked the article...