Protecting Your Cookies: HttpOnly

A very good and funny writeup on using HttpOnly cookies to limit what XSS attacks can steal. I prefer to set session.cookie_httponly = 1 right in the server's php.ini file (for PHP projects). If a project depends on JavaScript access to cookies, then fix the project, not the other way around.

Using Charles Web Debugging Proxy with a custom CA SSL certificate

  1. Generate a new private key and certificate:
    openssl req -x509 -newkey rsa:1024 -keyout charles.key -out charles.crt -days 3650 -nodes
  2. Convert it to PKCS12 format:
    openssl pkcs12 -export -out charles.pfx -inkey charles.key -in charles.crt
  3. Select the *.pfx file in Charles for the custom CA certificate and enter the password (that you specified while converting to the PKCS12 format).
P.S.: note that Charles asks for the certificate's password on every startup, whereas with Charles's built-in certificate it never asks for one. The built-in certificate is stored in a "keystore" file inside charles.jar, and the keystore (and key) passphrase is embedded in Charles itself. If you supply your own certificate and key as a PKCS12 file, its passphrase is not known to Charles (you cannot specify it in Preferences or in the config file). And you cannot create a PKCS12 file without a password; an empty password (empty string) is still a password. By the way, Charles does not accept an empty string as the PKCS12 file's password, so you have to specify a non-empty one.

Insight on how Google Handwriting works

"Google recently added handwriting recognition capabilities to their web search interface thus giving users an option to scribble search queries without opening the keyboard. Once you turn on the Handwriting mode, the entire Google page turns into a scratch pad – you can write anywhere on the screen and Google will instantly convert your freehand drawing into digital text.

The results are accurate and though the conversion happens on Google’s servers, you won’t notice the delay. Google suggests using block letters but cursive writing works as well."

MP4Creator - a tool to combine video, audio, text and other media to create MPEG-4 streams

"MP4Creator creates and modifies MP4 files. It combines previously encoded video or audio tracks, as well as subtitles, chapter information and meta data. While supporting many formats, the number one choice for video is H.264 and for audio is AAC. Both formats play on a wide range of devices and are supported by most software players including Quicktime, Flash and VLC.

MP4Creator can also be used to delete tracks from a .MP4 or .MOV movie for whatever reason or to demultiplex tracks to use them somewhere else. It has a rich set of features accessible from the command line as well as the graphical frontend (GUI) MP4Muxer."

AtomicParsley - reading, parsing and setting metadata in MPEG-4 files (and showing the MPEG-4 atom tree)

AtomicParsley is a lightweight command line program for reading, parsing and setting metadata into MPEG-4 files supporting these styles of metadata:
  • iTunes-style metadata into .mp4, .m4a, .m4p, .m4v, .m4b files
  • 3gp-style assets (3GPP TS 26.444 version 6.4.0 Release 6 specification conforming) in 3GPP, 3GPP2, MobileMP4 & derivatives
  • ISO copyright notices at movie & track level for MPEG-4 & derivative files
  • uuid private user extension text & file embedding for MPEG-4 & derivative files

I use it to display the tree structure of MPEG-4 container atoms.

How to fix a broken MP4/MOV video (ffmpeg reports "moov atom not found")

Let's assume your video recorder (phone, camera, etc.) died while recording an MP4 (or MOV or 3GP ... they are mostly the same container format). If you try to read/analyze the file with ffmpeg, it will tell you "moov atom not found". The problem is that recorders put the most important part of the video (the so-called moov atom) at the end of the file. It contains the index of the video and the metadata (codec, etc.), i.e. everything a video player needs to know to be able to play it back. The reason for this is simple: while you're recording the video, you don't have the full index yet; you only have it when the recording is finished. And you don't know in advance how long the video is going to be, so you cannot simply reserve some space for the index at the start of the recording.
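As an added example (not part of the original post, nor AtomicParsley's or ffmpeg's code), here is a small Python walker over the top-level MPEG-4 boxes (atoms) that prints the atom tree the AtomicParsley entry above refers to and reports whether a moov atom is present and intact. The sample byte strings are constructed inline; beyond the plain 32-bit size case it also handles the 64-bit largesize and size-0 "to end of file" encodings that ISO BMFF allows.

```python
import struct

def box(kind: bytes, payload: bytes = b"") -> bytes:
    """Build one MPEG-4 box: 4-byte big-endian size, 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload

# Constructed samples (not real recordings): a recorder that died mid-recording
# leaves 'ftyp' + 'mdat' and never writes the trailing 'moov'.
TRUNCATED_MP4 = box(b"ftyp", b"isom\x00\x00\x02\x00isomiso2mp41") + box(b"mdat", b"\x00" * 64)
COMPLETE_MP4 = TRUNCATED_MP4 + box(b"moov", box(b"mvhd", b"\x00" * 100))

def walk_top_level_boxes(data: bytes):
    """Yield (type, offset, size, truncated) for each top-level box.

    ISO BMFF allows two special sizes: 1 means a 64-bit 'largesize' follows
    the type field, 0 means the box runs to end of file (last box only).
    """
    offset = 0
    while offset + 8 <= len(data):
        size, kind = struct.unpack_from(">I4s", data, offset)
        header = 8
        if size == 1:
            if offset + 16 > len(data):
                break  # header itself is cut off
            (size,) = struct.unpack_from(">Q", data, offset + 8)
            header = 16
        elif size == 0:
            size = len(data) - offset
        name = kind.decode("latin-1")
        if size < header or offset + size > len(data):
            # Declared size runs past the data we have: the box is truncated.
            yield (name, offset, size, True)
            break
        yield (name, offset, size, False)
        offset += size

def diagnose(data: bytes) -> dict:
    """Summarise the top-level atom tree and whether a usable 'moov' exists."""
    boxes = list(walk_top_level_boxes(data))
    moov = [b for b in boxes if b[0] == "moov"]
    return {
        "atoms": [b[0] for b in boxes],
        "has_moov": bool(moov),
        "moov_at_end": bool(boxes) and boxes[-1][0] == "moov",
        "truncated": any(b[3] for b in boxes),
    }

if __name__ == "__main__":
    for label, sample in (("truncated", TRUNCATED_MP4), ("complete", COMPLETE_MP4)):
        print(label, diagnose(sample))
```

ffmpeg's "moov atom not found" corresponds to has_moov being False here; truncated being True means the last box declares more bytes than the file holds, which is what a recorder stopping mid-write leaves behind.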

dumpsys - an Android tool that dumps interesting information about the status of system services

Obvious benefits:
  • You can easily get system information in a simple string representation.
  • You can use the dumped CPU, RAM, battery and storage stats for pretty charts, which lets you check how your application affects the device as a whole.
If you run dumpsys without arguments you will see a ton of system information, but you can also request only separate parts of this big dump.
To see all of the "subcommands" of dumpsys, run:
dumpsys | grep DUMP

How to debug/examine data usage leaks in Android using iptables

First of all, you'll need a rooted device. I guess that's not much of a surprise after all. Then you'll need the iptables executable.

Tomcat default context.xml vs. webapp specific context definitions

From the official documentation it might not be fully clear: for each webapp the server default context.xml is parsed first (which is at /etc/tomcat7/context.xml on Debian and Ubuntu servers), and if a webapp-specific context definition exists (either at /META-INF/context.xml in the webapp's bundle/directory or as a *.xml file under $CATALINA_BASE/conf/[enginename]/[hostname]/), then the latter is "merged" with the global default. That is, if the global default specifies a flag that the webapp's context definition does not, the flag will be set as specified by the global default context config.
