Prevent #Clickjacking in c# / #asp.net


Clickjacking is when someone loads your website or content in an iframe without your consent. This may be part of a simple DDoS attack, a way to spoof CPC traffic, or a way to embed your functionality or content without the visitor actually seeing your website.

Modern browsers offer a facility called CSP, or "Content-Security-Policy", which can be added as an HTTP header to prevent this sort of unauthorised activity.

There are several options:

To prevent all framing of your content use:

Content-Security-Policy: frame-ancestors 'none'

To allow for your site only, use:

Content-Security-Policy: frame-ancestors 'self'

To allow for trusted domain (my-trusty-site.com), do the following:

Content-Security-Policy: frame-ancestors my-trusty-site.com

and in order to add this to your ASP.NET page (C#), you add the code

Response.Headers.Add("Content-Security-Policy", "frame-ancestors customer.website.com");
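The following Python check is an added example, not code from the original post: it parses a response's Content-Security-Policy header, classifies the three frame-ancestors settings listed above (plus the wildcard and missing cases a deployment audit should flag), and builds the directive from an allow-list so that an empty list falls back to 'none'. The function names, the SAMPLE_HEADERS list and the origins in it are this example's own.

```python
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are ';'-separated; the first token of each is the name, the rest
    are sources. Names and keyword sources ('self', 'none', *) are case-insensitive.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def framing_verdict(csp_header: Optional[str]) -> str:
    """Classify how a response restricts being framed, from its CSP header alone.

    Returns 'missing' (no frame-ancestors directive, so any site may frame the page),
    'blocked' ('none'), 'self-only', 'restricted' (an explicit allow-list) or
    'unrestricted' (a bare * wildcard).
    """
    if not csp_header:
        return "missing"
    sources = parse_csp(csp_header).get("frame-ancestors")
    if not sources:
        return "missing"
    if sources == ["'none'"]:
        return "blocked"
    if "*" in sources:
        return "unrestricted"
    if all(s == "'self'" for s in sources):
        return "self-only"
    return "restricted"


def build_frame_ancestors(allowed_origins: List[str]) -> str:
    """Build the directive from an allow-list; an empty list means nobody may frame us."""
    if not allowed_origins:
        return "frame-ancestors 'none'"
    if "*" in allowed_origins:  # a bare wildcard re-enables framing from anywhere
        raise ValueError("refusing to emit a wildcard frame-ancestors directive")
    return "frame-ancestors " + " ".join(allowed_origins)


# Constructed sample responses (description, header value or None); not real captures.
SAMPLE_HEADERS = [
    ("block all framing", "frame-ancestors 'none'"),
    ("own origin only", "frame-ancestors 'self'"),
    ("trusted partner", "default-src 'self'; frame-ancestors my-trusty-site.com"),
    ("CSP without framing rule", "default-src 'self'"),
    ("no CSP header at all", None),
    ("wildcard", "frame-ancestors *"),
]


def audit(samples=SAMPLE_HEADERS) -> Dict[str, str]:
    """Run framing_verdict over each sample; usable as a post-deployment smoke check."""
    return {desc: framing_verdict(hdr) for desc, hdr in samples}


if __name__ == "__main__":
    for desc, verdict in audit().items():
        print(f"{desc:26s} -> {verdict}")
    print(build_frame_ancestors(["https://customer.website.com"]))
```

Note that frame-ancestors is only honoured when sent as an HTTP response header; browsers ignore it inside a `<meta http-equiv>` tag, which is why the check above looks at the header and nothing else.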

Categories: Uncategorized

#P2p Website marketing portal #SEO #WebsitePromotion


P2P Marketing explained

Peer 2 Peer marketing is where the middle man is removed from the typical advertiser / publisher relationship.

By joining the P2P marketing portal http://www.freewebsitetraffic.club/, you choose to promote websites that are complementary to your own services or products, and in return you gain visibility, giving your website more chance to be discovered and promoted by other members of the club.

Member websites

Once you have registered your website with http://www.freewebsitetraffic.club/, in order to gain visibility you will need to select one or more of the websites below to promote. The more unique visitors you send to other members' websites, the more visible your website will become. To protect the impartiality of this service, we do not accept payment to promote yourself in this list; you can only do so by promoting other members' websites.


#EU Reverse #VAT #API – Find a company’s VAT number #VIES


http://www.vatapi.co.uk

 

The VAT API is an API that can look up a VAT number from the name of a company based in Europe, or list VAT-registered companies within a town, city, or street. You can also use it to verify known VAT numbers, using the VIES service.

JSON interface

Example: http://www.vatapi.co.uk/api.aspx?Name=Microsoft

Request VAT data via JSON

Parameters:

  • Name: The name of the company being searched. Partial matches are ok.
  • City: The address of the company being searched. Partial matches are ok.
  • Vat: The VAT number to be verified. Optional, for verification only.
  • Country: The ISO 3166 country code, e.g. GB. Required only if Vat is provided.

Sample response:

[
  {
    "VatNumber": "CZ 47123737",
    "LegalName": "Microsoft s.r.o.",
    "Address": "Vysko\u010dilova 1561\/4a, Praha 4 – Michle, 140 00 Praha 4"
  },
  {
    "VatNumber": "GB 724594615",
    "LegalName": "Microsoft Limited",
    "Address": "Fao Carolyn Cheney, Microsoft Limited, Microsoft Campus, Reading, RG6 1WG"
  },
  {
    "VatNumber": "NL 007747366B01",
    "LegalName": "Microsoft B.V.",
    "Address": "Evert Van De Beekstraat 00354, 1118Cz Schiphol"
  },
  {
    "VatNumber": "IT 08106710158",
    "LegalName": "Microsoft S.R.L.",
    "Address": "Via Lombardia 2\/A-1, 20068 Peschiera Borromeo (MI)"
  },
  {
    "VatNumber": "FI 08974643",
    "LegalName": "Microsoft Oy",
    "Address": "FIN-02150 Espoo, Finland, Keilalahdentie 2-4"
  },
  {
    "VatNumber": "IE 9811916F",
    "LegalName": "Microsoft Payments",
    "Address": "Carmanhall Road, Sandyford Industrial Estate, Dublin 18"
  },
  {
    "VatNumber": "BE 0437910359",
    "LegalName": "NV Microsoft",
    "Address": "Da Vincilaan 3, 1930 Zaventem"
  },
  {
    "VatNumber": "NO 991036156",
    "LegalName": "Microsoft Domains Norge AS",
    "Address": "NO-1366 Lysaker, Lysaker torg 45"
  },
  {
    "VatNumber": "SI 63458756",
    "LegalName": "Microsoft D.O.O., Ljubljana",
    "Address": "Ameri\u0161ka Ulica 8, 1000 Ljubljana"
  },
  {
    "VatNumber": "GB 642353552",
    "LegalName": "Microsoft Research Limited",
    "Address": "21 Station Road, Cambridge, CB1 2FB"
  }
]

XML interface

Example: http://www.vatapi.co.uk/api.asmx/Search?name=Microsoft&city=

Request VAT data via XML

If you are using a .NET environment, or are more familiar with XML / SOAP, then you can make a web service reference to the WSDL – here http://www.vatapi.co.uk/api.asmx?wsdl

There are two methods:

  • Search
    This is to look up the VAT number of a company when you only know its name, or location.

    This works in Austria, Switzerland, Great Britain, Ireland, Italy, France, Belgium, Holland, Luxembourg, Denmark, Norway, Finland, Czech Republic, Hungary, Slovenia, Greece, and Malta

  • Verify
    This is when you want to verify the VAT number of a company, and find its legal name and address. This works in all European countries.

Sample response:

<?xml version="1.0" encoding="utf-8"?>
<ArrayOfOrganisation xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://vatapi.co.uk/">
  <Organisation>
    <VatNumber>CZ 47123737</VatNumber>
    <LegalName>Microsoft s.r.o.</LegalName>
    <Address>Vyskočilova 1561/4a, Praha 4 – Michle, 140 00 Praha 4</Address>
  </Organisation>
  <Organisation>
    <VatNumber>GB 724594615</VatNumber>
    <LegalName>Microsoft Limited</LegalName>
    <Address>Fao Carolyn Cheney, Microsoft Limited, Microsoft Campus, Reading, RG6 1WG</Address>
  </Organisation>
  <Organisation>
    <VatNumber>NL 007747366B01</VatNumber>
    <LegalName>Microsoft B.V.</LegalName>
    <Address>Evert Van De Beekstraat 00354, 1118Cz Schiphol</Address>
  </Organisation>
  <Organisation>
    <VatNumber>IT 08106710158</VatNumber>
    <LegalName>Microsoft S.R.L.</LegalName>
    <Address>Via Lombardia 2/A-1, 20068 Peschiera Borromeo (MI)</Address>
  </Organisation>
  <Organisation>
    <VatNumber>FI 08974643</VatNumber>
    <LegalName>Microsoft Oy</LegalName>
    <Address>FIN-02150 Espoo, Finland, Keilalahdentie 2-4</Address>
  </Organisation>
  <Organisation>
    <VatNumber>IE 9811916F</VatNumber>
    <LegalName>Microsoft Payments</LegalName>
    <Address>Carmanhall Road, Sandyford Industrial Estate, Dublin 18</Address>
  </Organisation>
  <Organisation>
    <VatNumber>BE 0437910359</VatNumber>
    <LegalName>NV Microsoft</LegalName>
    <Address>Da Vincilaan 3, 1930 Zaventem</Address>
  </Organisation>
  <Organisation>
    <VatNumber>NO 991036156</VatNumber>
    <LegalName>Microsoft Domains Norge AS</LegalName>
    <Address>NO-1366 Lysaker, Lysaker torg 45</Address>
  </Organisation>
  <Organisation>
    <VatNumber>SI 63458756</VatNumber>
    <LegalName>Microsoft D.O.O., Ljubljana</LegalName>
    <Address>Ameriška Ulica 8, 1000 Ljubljana</Address>
  </Organisation>
  <Organisation>
    <VatNumber>GB 642353552</VatNumber>
    <LegalName>Microsoft Research Limited</LegalName>
    <Address>21 Station Road, Cambridge, CB1 2FB</Address>
  </Organisation>
</ArrayOfOrganisation>

 

 


#Paypal #IPN vulnerability – and how to fix it.


The other day, I got a notification of a PayPal payment for £0.01, which was odd, but I didn't realise the significance until a few days later, when I realised that someone had managed to buy 800 euros of credit for only £0.01.

The hack was that the user modified the payment link to change the price, by changing the amount parameter:

https://www.paypal.com/cgi-bin/webscr?…&amount=800

to

https://www.paypal.com/cgi-bin/webscr?…&amount=0.01

but left the "custom" field the same, which typically carries the basket ID. When the IPN callback was called, it was passed the correct basket ID but an incorrect mc_gross value. This led to the user being credited with 800 euros' worth while only paying £0.01.

A similar hack could have been done by changing the currency from GBP to JPY.

Simple fix:

In the IPN callback, check that mc_gross and mc_currency match the expected total in the basket, or include a salted hash of the amount and currency in the custom field.

PS: This issue has now been fixed on our website, don’t even bother trying this hack! 🙂
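The check described above, as an added example in Python rather than the site's own ASP.NET code: the custom field carries the basket ID plus an HMAC over the basket ID, amount and currency, and the IPN handler rejects the notification unless the signature is genuine and PayPal's reported mc_gross and mc_currency equal the basket total. SECRET_KEY, the BASKETS store, the basket ID and the function names are this example's own constructions; the IPN fields used (custom, mc_gross, mc_currency) are the ones named in the post.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation
from typing import Dict, Tuple

# Hypothetical server-side secret, constructed for this example; load it from
# configuration in practice and never derive it from anything in the request.
SECRET_KEY = b"example-only-replace-with-a-long-random-secret"

# Constructed basket store: basket id -> (expected total, expected currency).
BASKETS: Dict[str, Tuple[Decimal, str]] = {
    "basket-1001": (Decimal("800.00"), "GBP"),
}


def sign_basket(basket_id: str, amount: Decimal, currency: str) -> str:
    """HMAC-SHA256 over basket id, amount and currency, hex-encoded."""
    message = f"{basket_id}|{amount:.2f}|{currency}".encode("utf-8")
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def build_custom_field(basket_id: str) -> str:
    """Value to put in PayPal's 'custom' field: '<basket id>:<signature>'.

    PayPal echoes this back unchanged in the IPN, so the signature binds the
    basket to the amount and currency we originally asked for.
    """
    amount, currency = BASKETS[basket_id]
    return f"{basket_id}:{sign_basket(basket_id, amount, currency)}"


def verify_ipn(ipn: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether an IPN's custom, mc_gross and mc_currency agree with our basket.

    Returns (True, 'ok') only when the signature is genuine AND the amount and
    currency PayPal reports match the basket total. Confirming that the IPN really
    came from PayPal (the echo-back handshake) is a separate step not shown here.
    """
    basket_id, sep, signature = ipn.get("custom", "").partition(":")
    if not sep or basket_id not in BASKETS:
        return False, "unknown or malformed custom field"
    expected_amount, expected_currency = BASKETS[basket_id]
    expected_sig = sign_basket(basket_id, expected_amount, expected_currency)
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(signature.encode(), expected_sig.encode()):
        return False, "custom field signature mismatch"
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable mc_gross"
    if ipn.get("mc_currency") != expected_currency:
        return False, "currency mismatch"
    if paid != expected_amount:
        return False, "amount mismatch"
    return True, "ok"


if __name__ == "__main__":
    custom = build_custom_field("basket-1001")
    # Constructed IPN payloads: the genuine payment and the £0.01 tampering from the post.
    print(verify_ipn({"custom": custom, "mc_gross": "800.00", "mc_currency": "GBP"}))
    print(verify_ipn({"custom": custom, "mc_gross": "0.01", "mc_currency": "GBP"}))
    print(verify_ipn({"custom": custom, "mc_gross": "800.00", "mc_currency": "JPY"}))
```

Comparing amounts as Decimal rather than float avoids rounding surprises, and checking the currency before the amount is what closes the GBP-to-JPY variant mentioned above.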

 


H4sIAAA What’s so important about this string?


This may be a long shot, but if anyone ever searches for this string, I know exactly what you are looking at: it's a base64-encoded, gzipped string.

To see what it actually is, base64-decode the string and unzip the result; here's the code you need in C#:

using System.IO;
using System.IO.Compression;
using System.Text;

// Copies src to dest in 4 KB chunks (Stream.CopyTo is only built in from .NET 4.0 onwards).
public static void CopyTo(Stream src, Stream dest)
{
    byte[] bytes = new byte[4096];
    int cnt;
    while ((cnt = src.Read(bytes, 0, bytes.Length)) != 0)
    {
        dest.Write(bytes, 0, cnt);
    }
}

// Gzip-compresses a UTF-8 string; pass the result to Convert.ToBase64String to get the "H4sI..." form.
public static byte[] Zip(string str)
{
    var bytes = Encoding.UTF8.GetBytes(str);
    using (var msi = new MemoryStream(bytes))
    using (var mso = new MemoryStream())
    {
        using (var gs = new GZipStream(mso, CompressionMode.Compress))
        {
            //msi.CopyTo(gs);
            CopyTo(msi, gs);
        }
        return mso.ToArray();
    }
}

// Reverses Zip: gunzips the bytes (e.g. from Convert.FromBase64String) back into a UTF-8 string.
public static string Unzip(byte[] bytes)
{
    using (var msi = new MemoryStream(bytes))
    using (var mso = new MemoryStream())
    {
        using (var gs = new GZipStream(msi, CompressionMode.Decompress))
        {
            //gs.CopyTo(mso);
            CopyTo(gs, mso);
        }
        return Encoding.UTF8.GetString(mso.ToArray());
    }
}
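As an added example that is not part of the original post, here is the same round trip in Python, with two checks worth having before unzipping a string that arrived from outside: that the decoded bytes really carry the gzip magic (which is where the "H4sI" prefix comes from: the bytes 1f 8b 08 base64-encode to exactly those four characters, and a zero flags/mtime field gives the following "AAAA"), and a cap on the decompressed size so that a tiny input cannot expand into gigabytes. SAMPLE_TEXT and the function names are this example's own; mtime=0 is passed so the output starts with the same "H4sIAAAA" prefix whenever it is run.

```python
import base64
import gzip
import io

# Constructed sample input for the demonstration (not from the original post).
SAMPLE_TEXT = "Hello from a base64-encoded, gzipped string"

# gzip header: ID1=0x1f, ID2=0x8b, CM=0x08 (deflate). base64("\x1f\x8b\x08") == "H4sI".
GZIP_MAGIC = b"\x1f\x8b\x08"


def zip_to_base64(text: str) -> str:
    """Gzip a UTF-8 string and base64-encode it (the C# Zip + Convert.ToBase64String pair)."""
    compressed = gzip.compress(text.encode("utf-8"), mtime=0)  # mtime=0: fixed header bytes
    return base64.b64encode(compressed).decode("ascii")


def looks_like_base64_gzip(s: str) -> bool:
    """Cheap triage: does the string start with the base64 form of the gzip magic?"""
    return s.startswith("H4sI")


def unzip_from_base64(s: str, max_bytes: int = 10_000_000) -> str:
    """Base64-decode then gunzip, refusing non-gzip input and output larger than max_bytes."""
    raw = base64.b64decode(s, validate=True)  # rejects characters outside the base64 alphabet
    if not raw.startswith(GZIP_MAGIC):
        raise ValueError("input is not a gzip stream")
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        out = gz.read(max_bytes + 1)  # read one byte past the cap so an overflow is detectable
    if len(out) > max_bytes:
        raise ValueError(f"decompressed output exceeds {max_bytes} bytes")
    return out.decode("utf-8")


if __name__ == "__main__":
    encoded = zip_to_base64(SAMPLE_TEXT)
    print(encoded)
    print(looks_like_base64_gzip(encoded))
    print(unzip_from_base64(encoded))
```

The size cap matters because gzip ratios of 1000:1 are easy to reach on repetitive input, so an unbounded decompress of an untrusted string is a cheap denial of service against the decoding process.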


#Parse #JSON in MS #SQL server @procurios


If your application stores data in SQL Server as a JSON value, you will find it difficult to read out individual properties of that data. This means that you can't do joins on fields that are held within the data, or any aggregate queries. It's just not flexible at all.

So, as the name suggests, I've used a C# CLR UDF (user-defined function) to do this: it takes in the string, processes it within the CLR and returns the property value to SQL Server.

First, a few "anti-patterns" of things that don't work. You may find that SQL Server only supports a limited set of .NET assemblies, so you can't import Newtonsoft to handle the JSON, nor can you use System.Runtime.Serialization, which is not allowed by SQL Server either. So I had to use a home-grown JSON parser, by Procurios (http://techblog.procurios.nl/k/news/view/14605/14863/how-do-i-write-my-own-parser-(for-json).html). Thanks @procurios!

So, creating a new CLR project in Visual Studio, I added the Procurios JSON class and this code:

[Microsoft.SqlServer.Server.SqlFunction]
public static SqlString CLR_ReadJSON(string json, string property)
{
    // JsonDecode returns null on a parse error, and the top level may not be an object
    var o = JSON.JsonDecode(json) as Hashtable;
    if (o == null || !o.ContainsKey(property) || o[property] == null)
    {
        return SqlString.Null;   // return NULL rather than throwing inside the query
    }
    return o[property].ToString();
}

I compiled the DLL, transferred it to the server and added a new assembly, which I called CLR_DataTools (the above code was in a namespace called StoredProcedures).

Then I wrote the following SQL code to define the UDF:

CREATE FUNCTION [dbo].[CLR_UdfReadJson]
(
@json [nvarchar](4000),
@property [nvarchar](4000)
)
RETURNS nvarchar(max)
WITH EXECUTE AS CALLER
AS
EXTERNAL NAME [CLR_DataTools].[StoredProcedures].[CLR_ReadJSON]
GO

And that’s all you need! (Although this took me a few hours to figure out)

As an aside, here's some code I wrote to handle XPath queries on XML within SQL Server, though I am aware that there are better ways to do this:

[Microsoft.SqlServer.Server.SqlFunction]
public static SqlString CLR_ReadXML(string xml, string xPath)
{
    XmlDocument xdoc = new XmlDocument();
    xdoc.XmlResolver = null;   // never fetch external entities or DTDs referenced by untrusted XML
    xdoc.LoadXml(xml);
    var xn = xdoc.DocumentElement.SelectSingleNode(xPath);
    if (xn == null)
    {
        return SqlString.Null;  // no node matched the XPath
    }
    return xn.InnerXml;
}

and then defined the SQL UDF as follows:

CREATE FUNCTION [dbo].[CLR_UdfReadXML]
(
@xml [nvarchar](4000),
@xPath [nvarchar](4000)
)
RETURNS nvarchar(max)
WITH EXECUTE AS CALLER
AS
EXTERNAL NAME [CLR_DataTools].[StoredProcedures].[CLR_ReadXML]
GO

 


Uncaught SoapFault exception: [Sender] SOAP-ERROR: Encoding: Violation of encoding rules


WTF? Why the hell is every PHP developer saying my web service is returning "Uncaught SoapFault exception: [Sender] SOAP-ERROR: Encoding: Violation of encoding rules", when there's no problem for those using .NET, or parsing the XML response over HTTP GET/POST?

Ok, let's break down the problem.
1. It's not a problem with PHP, it's your WSDL, so here's how to diagnose it.

Take this simple code snippet

$client = new SoapClient("http://www.regcheck.org.uk/api/reg.asmx?wsdl");
$params = array (
    "RegistrationNumber" => "TNZ6972",
    "username" => "**Your Username**"
);
$response = $client->__soapCall('Check', array($params));
print_r($response);

Now, take a copy of the WSDL and save it as a text file so you can edit it easily, e.g. http://www.regcheck.org.uk/php.wsdl . Then, using HTML-style comments, take out everything you can until you get a minimum working version, i.e. a call that returns "something": not all the data, but something.

<s:complexType name="Vehicle">
<s:element minOccurs="0" maxOccurs="1" name="vehicleJson" type="s:string"/>
<s:element minOccurs="0" maxOccurs="1" name="vehicleXml" type="s:string"/>
<s:element minOccurs="0" maxOccurs="1" name="numberOfSeats" type="s:string"/>
<s:element minOccurs="0" maxOccurs="1" name="carValue" type="s:string"/>
<s:element minOccurs="0" maxOccurs="1" name="immobiliser" type="s:string"/>
<!-- <s:element minOccurs="0" maxOccurs="1" name="vehicleData"> … -->

I had a hunch it was the VehicleData object, since it was the most complex type in the response, so I commented that out – and I now had a minimum working version.

After that, I progressively commented out elements within the VehicleData type, until I got my maximum working version – i.e. as much data as possible without it breaking.

At that point, I hit upon this:

<s:element minOccurs="0" maxOccurs="1" name="CarModel">
  <s:complexType>
    <s:simpleContent>
      <s:extension base="s:integer">
        <s:attribute name="type" type="s:NCName" />
      </s:extension>
    </s:simpleContent>
  </s:complexType>
</s:element>

This was the point at which the web service stopped returning data and started throwing "Uncaught SoapFault exception: [Sender] SOAP-ERROR: Encoding: Violation of encoding rules". It did look odd, since I knew that "CarModel" should be a string, not an integer.

Looking at the underlying C# code, the error was obvious:

[System.Xml.Serialization.XmlTextAttribute(DataType="integer")]
public string Value { get; set; }

There is no way that Value could be both a string and an integer, so I changed it to:

[System.Xml.Serialization.XmlTextAttribute()]
public string Value { get; set; }


#Base64 decode using #SQL server #UDF


Base64 is a way to encode data into a limited character set, so that binary data can be displayed as print-friendly text; for example, if you wanted to represent an image as text and store it in a database. It does bloat the data, but it's certainly handy when it comes to passing data around.

SQL Server doesn't have a handy function to convert base64 text back into its original form, so I decided to write the UDF below:

CREATE FUNCTION dbo.Base64Decode (@Base64 varchar(max))
RETURNS varchar(max)
WITH SCHEMABINDING AS
BEGIN
    DECLARE @TEXT AS varchar(max);
    -- XQuery's value() can cast xs:base64Binary text straight to varbinary(max)
    SELECT @TEXT = CAST( CAST( @Base64 as XML ).value('.', 'varbinary(max)') AS varchar(max) );

    RETURN @TEXT;
END;
GO


#Stuck #App #Roadside assistance in #Australia @stuck_app


Stuck is a new app for Australian drivers which you can download for iOS or Android via their website: https://stuck.com.au/

Stuck is an on-demand service which calls local automotive experts to the rescue, saving you an annual insurance-style roadside assistance membership. Here’s how it works:

1. Share your required service and location with local, accredited automotive experts. The nearest available expert will arrive to help as soon as possible.

2. You are given the price upfront, which is usually about half the cost of a normal annual membership. Any extras can be added on if required (such as a new tyre).

3. Once your car problem is resolved, payment happens automatically without paperwork. Finally, you provide feedback to the automotive expert and get going!

From a technical point of view, it uses our Australian Car Registration API, http://www.carregistrationapi.com/

 

 


#MachineLearning using #Microsoft Azure

"1+1=3" handwritten with white chalk on a blackboard

Me: Azure , what is 1 + 1 ?

Azure: It’s 1.999999999992212

Me: No it’s not.

Azure: Come on, I’m almost right!

I've just been playing with the Azure Machine Learning Studio, to see if it could be accurate enough for practical applications. The simplest example I could think of was a model that was given 1,000 examples of one number followed by a second number which was one greater:

1,2
2,3
3,4

You can see the model in the Cortana Intelligence Gallery here:
https://gallery.cortanaintelligence.com//Experiment/Plus-one-webservice-1

Interestingly, the result is not perfect as would be expected, but it goes wrong in a way that only a machine would think is close to the correct answer.
