Wednesday 9 April 2014

JavaScript: YUI

This may be the last post (at least for quite a while) that I make in this blog. The thing was that all the posts that I made here were for a writing course that I was taking in the current semester (I kind of feel sad for this :`( ). I am in a dilemma that I feel so sad that I may actually continue this blog! (What's the point of writing a blog that no one reads anyways???!?!?)

In this final post I want to talk about a good but not very known library for JavaScript, namely YUI (Yahoo! User Interface). This is a very powerful library (perhaps at least as powerful as JQuery) developed by Yahoo! that is mainly used for making nice user interfaces.

APIs:
YUI has it's own APIs to interact with services provided by yahoo such as Yahoo! weather and Yahoo news.

YQL:
mmm...looks like something like SQL??!!? In fact YQL is a query language that allows you to search and retrieve data from some of services provided by Yahoo! such as Yahoo answers (so next time you were looking for the solutions to your homework you could try "select  * from answers where topic like '%chem 121%'")

Image Source: <https://www.servage.net/blog/wp-content/uploads/2012/05/yui3.png>


FIN :'(


Tuesday 8 April 2014

Choosing a good IDE

Although not visible to many, choosing a good IDE (Integrated Development Environment) before starting software development is a very important step. Most modern IDEs have features that allow the developer to build the UI (User Interface) with less or no effort.

For example, NetBeans IDE created by Oracle is a very good choice for creating real-world Java applications that require interactive and visually appealing user interfaces.

Microsoft has a very good reputation of creating good IDEs for everything in order to ease the process of software development. Visual Studio today can be used to make a variety of applications such as web or local apps using languages such as: ASP.NET, C++, C#.NET, Basic, JavaScript, F#, and even Python (IronPy).

In 2013 Google release its own IDEs for developing android applications, namely Android Studio.


Monday 7 April 2014

Android

In this post I want to briefly talk about Android (mobile phone OS, and applications).

First of all, it is not right to call it Android OS, as the operating system in Android phones and devices is not actually "Android". The operating system is Linux, which is an open-source operating system. For the same reason, the operating system that you see on different Android devices are not actually the same (at least in terms of looks)! And the reason for that is that each of the companies change the OS the way they want. For example, the OS in android devices that Sony makes look quite different than the ones created by Samsung. Furthermore, the operating system on Android devices is written in C language rather than Android langugage (just like Linux distros).

They why do they even call these "Android"? The second point is that Android is actually built on top of Java. Android applications are actually  in written a language with the same exact syntax with Java with a difference that Android apps use their own libraries (namely Android libraries), so in some sense, they are somehow different from Java (which is why they gave them a new name, Android!).

Image Source: <http://aasims.files.wordpress.com/2010/02/javaandandroid1.jpg>

Wednesday 2 April 2014

Object-oriented Design

I has been just quite recently that I have learned the principles of object-oriented design in so much details.

The idea is that you can break your program into objects and each object has its own perspective into the world. Suppose in the breaker game I talked about in the previous post, the game is divided into the following objects:

 Ball: has a width, height, dx (horizontal speed), and dy (vertical speed). It also has functions (methods) that detect whether or not the ball has had a collision with any given paddle. The ball does not know about paddle on its own but each time the main function passed a Paddle to this function and (literally) asks the ball if there has been any collision with that Paddle.

AIPaddle: Is a paddle that is controlled by AI (computer)and the user has no controls over its movements. just like ball, it has it's own width, height, and dx (no dy as the Paddles do not move vertically).

Paddle: I made this to be a child-class of AIPaddle. The reason for that was that regular paddles have all the features that AIPaddles have except that they can also (mainly) be controlled by the player.

Tuesday 1 April 2014

Making a Java Game is so fun!

Recently I have been learning Java to develop games. It is so fun to play a game that you make! I learned the main principles of making a Java game from website "edu4java.com", and made this game based on their single-player breaker game. I am very thankful to their awesome website :) I had previously tried a few Java game tutorial but each time I got repelled because of their lack of good explanation. Here is a screenshot of my 2-player game:

Tuesday 25 March 2014

Server-side: 'POST' Method

Unlike the get method, values passed over post method are not shown in the URL, which is why this method is chosen for most login/signup fields on the web. Another advantage of this method is that users cannot do malicious things by manipulating the URL. However, one disadvantage that it has is that this high security can sometimes make it hard to debug a web application. When working on a web application it is always a good practice to passed the values through 'GET' method first and then use 'POST' method once you are sure everything is ok.

Saturday 22 March 2014

Well Known Hacks II: XSS (Server-side: 'GET' Method)

In this post I briefly talk about how some people take advantage of security flaws in server-side scripts. One very common way is by passing some variables to a script. Before getting to talk about this, I need to talk about 'GET' and 'POST' methods in form submissions. In this post talk about 'GET' method, and in next post I will post things about 'POST' method :).

Once you submit a form on a webpage (such as Login form, sign up form, etc.)  the data you entered in each of the text fields are passed to a script (could be the same script, or another script on the same domain), and that script handles your data. The data passed to the script are usually transferred using either of the 'GET' or 'POST' methods. The main difference (in terms of their behaviour) of these two is that if the field data are passed using 'GET' method, all the variable values can be seen in the URL. To make this clear let me show you an example. Let's inspect the following link that searches a query in Bing.com:

http://www.bing.com/search?q=behnam+azizi+cgi

As you saw, after you clicked on the link, it searched the query "behnam azizi cgi" using Bing search engine. This is obviously done using 'GET' method as you can see the value of the variables passed to the script (In this case variable q has value "behnam azizi cgi". In other words q="behnam azizi cgi"). Now what the script on the server does is that it reads the value of the variable 'q' and uses the search engine to search for this query.

Of course, in my opinion, this is an advantage of Bing (As far as I know Google does not allow you to do this probably because of security issues), that you can search something using 'GET' method. One advantage that it has is that if you are working on an application and inside the application you want to allow the user to search the web, you can easily use Bing search engine (I bet Microsoft did this on purpose so at least some developers use Bing).

It is true that no one would use Bing transfer user's private data (such as username, password, etc.) using 'GET' method (sorry for the scratch. I forgot to write in pencil :) ). But it is always useful to know about the existence of such a thing (I know from now on you will be using Bing as your favorite search engine :D ).

In the next post I will talk about post method, and (possible) ways that it could be exploited.



Tuesday 18 March 2014

Well Known Hacks II: XSS (Client-side Examples)

As promised previously, in this post I am going to give some XSS attack examples. I will present here 2 simple examples with actual JavaScript code that you can try in your browser. Examples that I present here are done using Google Chrome or Chromium (The open-source version of Google chrome on Linux). If you have any other browsers like FireFox or Opera you could still try these examples as I am quite sure they have their own JavaScript debuggers (For example: An extension named FireBug that enables you to debug JavaScript in FireFox browser).

First Example: Changing the background of Facebook!



Change your Facebook background with these 4 easy steps:

1) If using Chrome, right click on an empty spot on the page and then click on 'Inspect Element' (alterntively, you can press Ctrl+shift+j). In other browsers procedure is quite similar.

2) From the available tabs that you can see select the 'console' tab
3) Paste the following JavaScript code into the console:

var imgdiv = document.getElementsByTagName("body");
var bg = prompt("Enter image URL:", "http://static.freepik.com/free-photo/abstract-seamless-floral-pattern-background_50-15060.jpg");
imgdiv[0].style.backgroundImage = "url(" + bg + ")";
imgdiv[0].style.backgroundAttachment = "fixed";


4) At this point you can either enter the URL to your own image on web OR just press enter

Second Example: Changing Google logo!
This example is quite similar. Open JavaScript console and paste the following code into it. Once it asks for image URL you can enter the URL to your own image (OR just press enter if you really like to see my name you Google home page! :D).

var bg = prompt("Enter image URL: ", "https://lh5.googleusercontent.com/-55mfElJWy1w/Ux6GrxX8u-I/AAAAAAAAAow/KXQy3DtaEBI/w323-h110-no/Behnam.gif");

document.getElementById("hplogo").style.backgroundImage = "url(" + bg + ")";



Friday 14 March 2014

Well Known Hacks II: XSS (JavaScript Injection)

In this topic I am going to talk about a new (and pretty exciting in fact), type security breach, namely XSS attacks. For your information, XSS stands for Cross Site Scripting (so the 'X' in XSS is not actually an 'x' but a cross!).

First of all, I divided the whole thing into two sub-types: JavaScript injection (client-side vulnerability), and server-side vulnerability. In this post specifically I talk about client-side vulnerability. In the next post, I give some AMAZING examples, and in later posts I will talk about server-side vulnerability as well.

The main idea before JavaScript injection is that you write a JavaScript code and then you can use various tricks to execute you code along the code sent to your browser by a website. At first glance this may seem quite normal and safe, however, IT IS NOT! Accoring to Symantec Security Threat Report, XSS attacks included more than 84% of all security threats in year 2007. You can view the article here.

By executing your own code along with the script sent to your browser by the server, you can manipulate the webpage the way that YOU want. It may be partially safe in a sense that this only changes the client-side view of the webpage and have no effect on the server (and this is in fact true). But there are other vulnerabilities that are important concerns:

1) Self-XSS Attacks: This basically means that by injecting code into a webpage you can access user's private data, where user is anyone who uses the browser. For example: A few months ago, I wrote a JavaScript code that stores usernames, and password of users who use my own computer to login into popular websites such as: Facebook, Gmail, etc (If you are a friend of mine, you don`t want to use my computer to browse the web). This is probably one of the most prevalent (and quite annoying) type of XSS attack. Facebook itself was a target of Self-XSS attacks long time ago. Remember it or not, there was type when you received links from your friends like: "99% of people can't watch this video for more than 10 seconds". And once you clicked on the link, the same link got sent to all your friends (Quite annoying and embarrassing huh?). Facebook itself has a page that talks about such attacks:  
Matt Jones - Self-XSS attack explained | Facebook 
But There are also useful types of JavaScript injections, example? AdBlock is one of them!.But again, even in this case you should be very careful! Such applications can access not only all your browsing data, but also they can keep track of your many other activites (including login into webpages using user/password)! To see what information each of these applications can access in your browser you should ALWAYS look at their permissions. For example, if using Chrome, you can look at permissions of your applications by going to Tools->Extensions

2) Brute-Force Guessing: Using this technique you can inject different values into online forms and submit them automatically over many iterations. For example, I have may have an online homework that requires putting numbers or words and clicking on 'submit' (or something similar) button. If there are no limited number of trials, and considering that the whole page does not refresh after each submit, you can write a JavaScript code that injects many different values into the form and automatically clicks on 'submit' button until you get the correct answer!




Changing the design of a webpage (in these cases FB, and Google) using JavaScript injection. In these examples some images are changed by entering my username, and a specific password into the login form (In the FB image above) or by adding 'u=behnam' in the URL field (The modified Google above).
Image Source: My computer screenshot

Wednesday 12 March 2014

Well Known Hacks I: SQL Injection (Examples)

Now in this post I will briefly mention some of the common SQL Injection attacks. Please note that none of the examples presented here are mine, and they are taken from Steve Friedl's Unixwiz.net Tech Tips (You can visit the webpage for more detailed instruction).

Suppose there is a login form where you enter some data. The main methods of SQL injection involve entering values into the forms such that they make statements which are acceptable by the SQL parser.

Exploiting Using a Trivially True Logical Statement:


SELECT fieldlist
  FROM table
 WHERE field = 'anything' OR 'x'='x';
As you can see in the above example: We have a logical statement which is always true. No matter what you put there instead of 'anything', the comparison 'x'='x' is always true (Note the exploitation of quotations. We put there <'x'='x> as input, but from the machine's point of view, the value to be parsed is <'x'='x'>)! Therefore, if the victim program or application were not secure enough, you will be granted access to the system!

Brute-Force Password Guessing:
SELECT email, passwd, login_id, full_name
  FROM members
 WHERE email = 'bob@example.com' AND passwd = 'hello123';
Suppose another case where there is a form which asks for a valid email. Given that you know bob's email (bob@example.com), you can enter the above value as shown in the box over many iterations to find Bob's password using an efficient brute-force algorithm. What you do is that you run the above statement over many iterations but each time give a different value as the password (preferably trying combinations of different words in a dictionary as passwords). Once the system confirms that your email valid, that actually means that you have managed to hack Bob's password! Because otherwise the above statement would be false and from the point of view of machine's logic, as long as the password is wrong the whole statement becomes wrong (look at the AND operator), and finally the email is not considered as a valid email.

There are countless of more SQL injection examples that I am not going to talk about here, but you can definitely find articles on the web. Besides, SQL injection can be prevented very easily (I know it's sad, but you will never become a grey-hat hacker by solely knowing about SQL injections).

In my next blog post I will talk about a more practical type of hacking (namely XSS Attack).
P.S. It never hurts to follow my blog by clicking the follow button on top-right side of the page.

Friday 7 March 2014

Well Known Hacks I: SQL Injection (Introduction)

In this topic and a few next topics, I am going to talk about some of the well-known hacks that hackers use to breach into information systems. In this blog post specifically, I am going to talk about what SQL  is, and I briefly talk about SQL Injection. In next blog post I give examples of famous SQL injections.

To begin with, SQL is a programming language, firstly developed by IBM, that enables computers to store, and retrieve data fairly efficiently (at least in terms of the amount of coding that programmer have to do SQL is very efficient). SQL is used by many companies worldwide. SQL is categorized into a type of  DBMS (Data Base Management Systems) known as Relational Databases. Relational database query languages (e.g., SQL, MySQL, YQL etc) are very easy to learn, and fairly efficient.

One disadvantages that Relational databases have, however, is that once the amount of data is so huge, they do not scale well. For the same reason, some big companies such as Google, Facebook, etc. do not use SQL or any other DBMS because of this lack of scalability.

Now I think I have gave you enough information about SQL. Let`s get to the main topic (i.e., SQL injection). SQL syntax, although very efficient, is in a way that can be abused by using special characters such as dashes, quotations and sometimes even logical operators (such as AND, OR, etc.). Of course, you should note that an application can be made secure enough to be immune against such attacks, but for that matter, the programmer has to actually know about the existence of such security threats and how to prevent them. I will mention SQL injections by example in my next post. But just to make your mind ready, I start with an example:

SQL injection starts with inputs that you give to a form in a website or application. For example, the (web) application has a form with separate fields that ask you for your name, password and/or email. SQL injection is basically values that you can enter in these fields to trick the application into granting you access to data that you should not normally be able to access.

In my next posts I will mention a few SQL injection commands and their usage.

Image Source: 
<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZw5EevVeVkf5EL0V5w5kdexNwPB3NWwCGCuRUagW-C7m5YPtAPNAGIwIU3yBmYirQldalj4TlMzC5yn1SC3TprTUeDnQaXXSWghgaJLaiVM_oxgA-LdSikMp_Psz4ZwG45iyjC_BD9Rqf/s1600/sql_injection.gif>


Wednesday 5 March 2014

Unit Testing, and programming test cases

Here I am going to talk about a fairly different aspect of programming, namely unit testing. The idea is that once you write a program or a piece of code, you can write another program that gives arbitrary inputs to your program to test it against bugs and issues. In other words, it is like you make a bot that tests your program against bugs (Instead of you tesing them on your own). There are various methods to do this, and there are various packages (e.g., JUnit for Java) that enable you to test your program. Here I am going to talk about a very simple one.

If your operating system is Unix, you can use Unix pipes for unit testing (If you do not already know, in short words a pipe is a method to give the output of a file or script to the input of another script). Similarly if you have windows you can do the same with windows pipes. Here is a very simple example from one of my old facebook posts:

with Unix pipes you can write test cases for your program. For example:
"$ echo 34 | ./main"
gives the integer "34" to executable file "main" as an input ('|' is the pipe operator).

For example I have an executable pw.cpp which gives the output "unlocked" if a certain password is given as input once the program is run (password is 'hello' in this case). As follows:

//================ START ===========
#include <iostream>
#include <string>
using namespace std;

int main(){
string x;
cout << "Enter password: ";
cin >> x;

if (x == "hello")
{
cout << "unlocked\n";
}else{
cout << "Wrong\n";
}

return 0;
}
//============== END ============

But in case I have no access to the actual source code, it seemed impossible for a normal human to run the above program many times and try all passwords ...

However, the following Python script reads a set of English words from a dictionary file containing most common English words ('dict_MC.txt' in below) and gives them as input to the above program, until the desired password is found (and as you can see it makes use of Unix pipes to give inputs to the above program):

#========== START ==========
import os, sys, subprocess

words = [lines.strip() for lines in open("dict_MC.txt")]

for x in words:
f = os.popen('echo "' + str(x) + '" | ./pw')
#print "input given: " + x
if (f.read() != "Enter password: Wrong\n"):
print "password is " + str(x)
break
#=========== END ================

Of course if the password were more complicated it would take up to hours to find it.

Saturday 1 March 2014

More about security: Same-Origin Policy

In this topic I am going to talk about same-origin policy. In one of the previous posts I talked about AJAX (i.e., a method to communicate with the server without the need to refresh the whole web page page); Now one question that may arise is that:

'What if someone sends many AJAX requests to a login script in a website (e.g., Facebook, Yahoo! etc.) and try all different combinations of usernames and passwords to hack into users accounts?'

Fortunately, for security reasons modern-day client-side languages such as JavaScript do not allow AJAX requests to be sent from a script to another script on a different domain. For example, in order to send AJAX requests to "https://www.facebook.com/login.php" (Script that handles user log-ins to Facebook.com) you need to have your own script put on the 'Facebook.com' domain. In other words, you can only send AJAX requests to scripts that are located on the same domain where your own file (script) is located. This rule is known as same-origin policy.

However, it does not end all here. What if you are one of the creators of programming languages such as JavaScript? or what if you can somehow manipulate these languages or create a new browser-side language that can violate this policy?

If you did not already know, you should know that your information in the world wide web it is by no means secure ...


Tuesday 25 February 2014

myChecklist: A simple application for chrome II

Now in this part I am going to talk about in a very high level manner how myChecklist (The application I mentioned in my previous post) is made using JavaScript and JQuery. Here are the basic ideas behind each functionality:

Adding new items to table: There is a basic JavaScript code snipped that adds columns to tables. You can Google it for more information but the basic syntax is something like this:

                var table = document.getElementById("myTable");
                var row = table.insertRow(-1);
  var cell0 = row.insertCell(0);
  cell0.innerHTML = task;

User interface: As you can see there are special dialog boxes, as well as a datepicker that I used in the application. They are all part of JQuery UI library that you can download form here and use.

Storing information in a database: I used localStorage functionality of JavaScript to store user information on hard-drive. localStorage is similar to cookies, but unlike cookies they are not get expired, nor can they be deleted by simply clearing cache, history, or cookies. They are basically stored in a JSON (JavaScript Object Notation which is a format to store JavaScript objects. It is similar to XML) formatted file somewhere on user`s computer and remain there forever unless damaged or deleted by the user.

Changing wallpaper: I used JavaScript id selector to change the background image to the image located in the URL you enter. This may not be a very good idea because some users are not even familiar with URIs/URLs. I may change it in later versions.

Click events: There are several click events. For example when you click on 'add' button a dialog window pops up. These events where made using JQuery powerful functions such as 'on'. Something like this:
$("#buttonId").on('click',  function(){
  //Add code here
});

Conclusions:
JQuery is very powerful when making client-sided web applications. Even using AJAX is much simpler using JQuery. It has many amazing features. You may want to have a look at them here in their documentation.


Saturday 22 February 2014

myChecklist: A simple application for chrome I

I developed this simple application during the break I had after the last academic term.  Last term I felt I was being unorganized in studying for my exams and doing my homework, so I decided to make a simple application that helps me manage my time.Here I am going to talk about features that it has. In the next topic I will talk about how it functions.

This is an application that can be used to enter tasks that you are going to do in the future. It has several features that make it easy to store your information:

- It has a date picking feature that enables you to enter date just by a single click on calendar without the need to actually enter date in text
- You can modify or delete your previous entries one by one, or by checking a group of them or deleting them all at once
- There is a cross/check mark next to each item that you can toggle to indicate whether or not the task is done (This functionally apparently has some bugs, I will work on it during my next term break)
- You can clear all the entries at once
- You can customize the wallpaper of the application
- The tasks you enter are automatically sorted based on the due date of each task
- since the information is stored on your own computer, it is safe and secure and no one else has access to them on the internet
- Finally, it works offline so you do not need to have internet connection to use this application

In below, you can see a screenshot of my own tasks that are stored in the application (I use it myself as well!)

Again, if you have Chrome, you can downlad this application from here
Source: screenshot of my computer :)

Saturday 15 February 2014

A simple chatroom

Here, as I previously mentioned, I am going to talk about a simple chatroom that I made using MySQL, PHP, and JavaScript.
b-chat
Note that here I am not actually going to talk about 'how' to make a chatroom, nor will I present any code. I am just going to talk about it in a very high level manner. I try to explain things as much as I can, but if there are things that are not very understandable, I am pretty sure that you can find out about them just by a few searches in the internet. I am also quite sure that if you do enough research, based my explanations you can make your own chatroom! So let' begin:

First of all,  once you enter the website there is a JavaScript 'alert' message that asks for your name. Once you enter your name, it is stored in a cookie (cookie is just a file stored on your computer that holds some information) on your own computer.

Second, each time you send a message, your message is stored in a mySQL remote database. So are the messages sent by the person you are chatting with. Now the issue is: How can you get to see the messages sent by you friend? Here was my solution: Do you remember in the last topics I talked about AJAX requests? (Just to remind you, AJAX is a method of communication with the server without the need to refresh the whole page).

There is a client-sided JavaScript code that sends a request to a PHP script on the server every 3 seconds and using AJAX method (Therefore the webpage will not be refreshed each time). Now, the request that is sent to the PHP script includes some information such as the name of the person who has sent that AJAX request (The name of the person is read from the cookie). The the PHP sends back all messages store in the database EXCEPT the ones that were by the sender of that request. This way you can get too see your friends messages as well.

Note that these were just very brief descriptions of the procedure ... If I want to explain everything about this it will probably take me at least 5-6 blog posts. But since I know it is going to be boring for some of you, I will not be doing it here :)

In the next topic I am going to talk about another application that I made with JavaScript. Namely myChecklist that you can use to schedule your future plans. This is an application that runs offline (no internet connection needed for it). And finally, if you are using Google Chrome, you can install it before I get to talk about it in my next post.


Image Source: <Chrome Web Store - myChecklist . Available in: https://lh3.googleusercontent.com/g0G64-L84uNn8mDfpqA2aJcH5_HtAxWT_pQ69QV2UFtELGVRI09fsg0N6cDP3Zr2qHKp0K20Mw=s640-h400-e365-rw>


Saturday 8 February 2014

A simple Chatroom powered with php and MySQL: AJAX

A I mentioned in the previous post, in this post I am going to talk about a simple chatroom I made using php and MySQL. But before talking about how that works, I need to talk a little about AJAX (Asynchronous Javascript and Xml). The basic idea behind AJAX is reloading part of a webpage without the need to reload the whole script. Let me give you an example: A good example would be several actions that you do in Facebook. Everytime you post a comment under someone's post, you see that your comments get added to the list, and that person receives a notification (if s/he is online). Both of these functionalities (commenting, and receiving a notification) are powered by AJAX technology. As you can see the whole webpage is static while you can see that notification or comment in part of the webpage (without the need for the whole page to be reloaded).

- But how does that happen?
Now even more interesting is the way this actually happens. Every couple of seconds, your computer sends a request (known as XmlHttp request) to the server  and asks the server whether there are more notifications or messages to show, and the server responds in the same way! Isn't this amazing? It is just like humans talking to each other!

But there is one more question left to ask: Can everyone send XmlHttp requests to remote server (like the one for Facebook) and get access to user's password and usernames? Or read their messages?

In the next topics I will talk about security in AJAX requests and finally the simple chatroom I made with this technology.

Monday 3 February 2014

A little bit about security

Now we get to security. As previously mentioned, webpages made only in HTML are not secure enough and the reason for that is that the user has access to the whole source HTML and JavaScript codes of the webpage. To resolve this issue, server-sided languages are made. In general, the way server-sided scripting works is that there is a script (piece of code that usually can be run without the need to be compiled. Like JavaScript, PHP, or Python) that is run on the server. Once the script is run, it sends the HTML+Text output back to your own browser. Of course, you can see the HTML source code sent to your browser, but you do not have access to the main script that created this HTML code (the reason that you don't have access to it is because it is run on the server side). The idea behind server-sided scripting is very interesting, and in fact once you start writing server-sided code, you have to put yourself in the shoes of the server to realize what is actually happening there. In the next topic I am going to talk about a simple chatroom that I created using PHP (my favorite server-sided language).
Image Source: <http://gkaanalkim.files.wordpress.com/2012/04/php-dili.jpeg>

Sunday 2 February 2014

What is happening there every time you visit a webpage?

As we previously discussed, all webpages opened in your browser are in HTML codes which can be viewed by everyone who has access to those webpages. But the question is that how can they be secure enough? Before I answer this question I should I first show you briefly what is actually happening every time you visit a webpage, consider the following scenario:

- You enter a link in your browsers URL field. Once you do this, your browser sends a request (known as HTTP request) to a server in some part of the world that holds the data of that website. Basically all this means is that your browser asks the server to send it a file (could be and HTML file, image file, or any other file format)
- The server looks through a database of files to find the file you requested. The server returns back a status code along with the file (if found) to your browser. Now, several situations may happen based on the status code the server returns back to your browser. A few of them are the following:

 404: File was not found on the domain. 
    for example: you entered: www.sfu.ca/images, but in the domain sfu.ca there is no such directory
403: Permission Denied
   File exists on the domain, but the permissions deny your access to the file (for example when the files can be accessed only locally and not through the web)
200: ok
   This means that the file was found. In this case the server sends back the requested file to your browser.

In later posts I will talk about security and different server-sided languages

Thursday 30 January 2014

You are not alone out there!

Now that you have become familiar with the basics of HTML5 I am going to give you some references that you can learn to extend your knowledge. One good thing about web development is that you can always find useful resources on the web itself! There are billions of webpages on the internet that you can see at any of them and learn. In other words, you have a book with billions of example for learning! Besides seeing the creativity used in websites created by other people, organizations, etc. you do actually have access to the HTML source code of all these webpages! Try the following:
If you are using Google Chrome as a browser you can press and hold 'Ctrl+U' to see the HTML source code of any webpage. Another way to do just the same thins is that you right-click on the webpage then click on 'View page source'.
   But doesn't this seem very insecure that you have access to the source code of any website???In the next topic I will answer and discuss these security issues further.
Image Source: 
<http://www.gannett-cdn.com/-mm-/788fd70a1894fdda76d2d844335fe2d901c071f3/c=63-53-719-546&r=490x368/local/-/media/USATODAY/GenericImages/2013/08/29/1377793382000-Sh-ThumbLock.jpg>