DEV Community: Gerald Nash ⚡️

Mixed Reality in Transit

Gerald Nash ⚡️ — Sat, 12 Sep 2020 01:31:44 +0000

A Background

The weekend was coming and I decided to save a bit of my free time after work for some creative expression. "Lemme get some practice in with these filters," I thought, referring to my starting to make Instagram filters around last month.

Nash (刘光瑞）

@aunyks

I started making IG filters last week. Here’s a running thread

00:54 AM - 02 May 2020

14 46

An Idea

I didn't really have a project idea, though. I laid in my bed for another thirty minutes before remembering that I had to go to DC in a few days to finish moving out of my dorm. That reminded me of the DC Metro and how the system was a bit tricky for me to navigate at times.

Then it hit me. I'm gonna make the Metro map pop up when the Metro card is in view. That's a cool thing that I'd use regularly if I were new to the system again. I opened up Spark AR and got to work on the core functionality. After adding some hints and animations, I tested the effect on my phone with an actual Metro card. My eyes lit up. I thought it was really cool! So, I quickly designed a logo, came up with a name, and submitted it to Facebook.

The following day I recorded a short demo video showing the effect and posted it to Instagram and Twitter since I thought the project was so cool.

Rejection

I logged back out of them to get some more work done only to check Facebook every couple hours to check on the status of the filter submission. At the end of the day, it was denied with feedback saying that there was "Too much text". "Too much text? It's an image of a map, and some published filters already have maps with more text in them". I instantly hit the resubmit button with examples of effects with the same amount of or more text.

The work day was coming to an end so I signed back in to Instagram and Twitter to see the posts getting lots of attention. A couple hundred likes, comments, and retweets were beyond the normalcy of my notifications tabs, so they certainly caught my eye. One last check on the resubmission status resulted in another rejection by Facebook citing the same issue.

I wasn't gonna change the filter, since it did exactly what I wanted. I was incredibly annoyed. I wanted to let people experience the filter, otherwise the effect in the video was indistinguishable from something made in software like After Effects. I slept on it and woke up to tell people what happened.

Nash (刘光瑞）

@aunyks

Facebook denied this filter so I can’t give it to you without sending a link smh twitter.com/aunyks/status/…

14:03 PM - 11 Jun 2020

Nash (刘光瑞） @aunyks
Smartmap Card https://t.co/xxGVrCHrp6

16 133

An Alternative

I remembered that Facebook/Instagram wasn't the only social platform that lets creators make AR effects, so I turned to Snapchat. I'd been a bit intimidated by the idea of making Snapchat filters, as I'd never understood how to use its Lens Studio software, and there wasn't as much easy-to-find content teaching people how to make stuff with it as for Facebook's Spark AR Studio. But, I was so focused on getting this idea in people's hands that I spent some hours learning how to use it so I could port my filter to Snapchat's platform.

By the end of the day, I'd overcome my fear and learned just enough of the platform to get my idea going.

Nash (刘光瑞）

@aunyks

I’m remaking it in Snapchat out of spite

00:48 AM - 12 Jun 2020

0 30

I finished it. By the end of the night, I'd successfully ported Smartmap Card from FB/IG to Snapchat. I submitted the filter and felt needed excitement when I saw that it was accepted and live in minutes, much faster than Facebook's hours to weeks. I went to sleep knowing I was gonna record a new demo video to show off the better marker tracking that Snapchat offered in addition to a link to the filter that people could use whenever they wanted to use the filter.

Nash (刘光瑞）

@aunyks

Smartmap Card works on Snapchat snapchat.com/unlock/?type=S…

16:33 PM - 12 Jun 2020

2871 8465

I posted the filter to Twitter in its new form, very satisfied that I got a really cool project out that people can actually use. I then edited the caption in my original Instagram post instructing people to DM me if they wanted to try the filter out on Snapchat.

Virality

About an hour passed and the tweet blew up with likes, replies, and retweets (with and without comment). The Instagram post was still garnering an unusually great amount of interest. My Instagram DMs were blowing up with people requesting access, so I just linked directly to the filter from my website and updated the Instagram caption to have people check the link in my bio to use the filter.

For the next week, both my posts reached some six figures in impressions per day, and with each passing day more people were recording themselves being wowed while trying the filter out on their Metro cards. A couple of TikToks (one, two), Reddit threads, and Instagram reposts came about. At this point, the filter was much bigger than me. Literally so, as accounts were now sharing and reposting without giving credit. It's part of the game, though.

In Conclusion

In the midst of all that, I'd gained a couple hundred new followers on Instagram and Twitter, saw some 3,000 visits to my website, and made a few more filters very similar to this one. These newer filters featured maps for the Bay Area's BART and Atlanta's MARTA, and they're exclusive to Snapchat. I'd been reminded that metro systems also have limited edition cards and that in some systems those who are disabled get cards with unique designs.

I learned that Snapchat's AR platform has much better technology than Facebook's with respect to marker tracking, face+hand tracking, segmentation, and more respects. Snap's Lens Studio and publishing workflow also provides a much better experience than that of Facebook's Spark. So the only ways that Facebook's platform beats Snap's are by providing a more approachable programming experience to creators through its Patch Editor, allowing creators to program shaders into their filters, and by having a larger user base.

In the end I don't quite know what's next for these projects, if anything, but it was certainly interesting getting a taste of Internet virality.

Substack Open URL Redirection / Reflected XSS Vulnerability Writeup

Gerald Nash ⚡️ — Sat, 04 Apr 2020 02:36:27 +0000

This post was originally featured on my blog.
NOTE: The content in this post is solely for educational purposes.

The Substack team was kind enough to allow me to disclose this vulnerability. As stated by the title, I found an Open URL Redirection vulnerability and a Reflected Cross-Site Scripting (XSS) vulnerability in the company's web application. If you want to learn more about the nature of these types of vulnerabilities and how they can relate in this case, here's an article that explains it.

Discovery

While setting up a newsletter for LetterMatch, I noticed that a visitor to a Substack newsletter's subscribe page will sometimes see a next URL query parameter that describes where they'll be redirected after subscribing. The URL would follow the form lettermatch.substack.com/subscribe?next={target_endpoint}, where {target_endpoint} is the location to which the visitor will be directed after subscribing. Note that this applies to any Substack newsletter, not just LetterMatch's.

Exploitation

Because redirection schemes that look like this are, at times, susceptible to Open URL Redirection, I tried visiting the URL lettermatch.substack.com/subscribe?next=https://example.com and subscribing. After doing so, I was redirected to example.com. Now that this case was validated, I tried finding methods of obscuring the destination URL. This is because a victim may notice the second, potentially malicious URL and choose not to visit the link. With that said, I tested several different ways to encode an URL and saw that most of the variations worked in place of the plain https://example.com.

Impact

Vulnerabilities of this type are typically used in a chain with others to exploit victims, but conceptually this can be used to redirect users to phishing sites or sites that exploit browsers to install malware on a victim's device, like when hackers exploited an Open Redirection vulnerability in a U.S. Department of Health & Human Services web page to install malware on visitors' machines. A bit more detail here.

Increasing the Impact

Some Open Redirect vulns can also lead to Cross Site Scripting (XSS) attacks, most often Reflected XSS attacks, if the payload or, in this case, the destination URL is valid JavaScript.

Interestingly, injecting script tags as the parameter value didn't have an effect, but injecting JavaScript "URLs" of the form javascript:{some-code-here} as the parameter value results in the injected code being executed. An example of this can be found in the demo below, where I inject a window alert.

Demo

Here's a video demo of the this vulnerability being exploited before the patch. I don't consider it a proof of concept, as I demonstrate the exploitation with a benign redirection location and injected code.

In Conclusion

I raised this issue with medium severity because of the Reflected XSS that's involved. The Substack team was very considerate in finding time to fix this vulnerability so quickly. They're a relatively small team with a lot of responsibilities, so their diligence was appreciated, especially as we all adapt to the circumstances of current events.

Timeline
Jan 28, 2020 - Initial email disclosing vulnerability details
Jan 31, 2020 - Response from Substack and patch of XSS
Mar 26, 2020 - Notification of full patch (Open Redirect and XSS)
Mar 26, 2020 - Request to fully disclose findings
Mar 30, 2020 - Permission to fully disclose findings granted

Repl.it Open URL Redirection Vulnerability Writeup

Gerald Nash ⚡️ — Sat, 04 Apr 2020 02:28:44 +0000

This post was originally featured on my blog.
NOTE: The content in this post is solely for educational purposes. Do NOT attack entities that did not provide consent beforehand.

The Repl.it team was kind enough to allow me to disclose this vulnerability. As stated by the title, I found an Open URL Redirection vulnerability in the company's web application. If you want to learn more about the nature of this type of vulnerability, here's an article that explains it.

Discovery

In the Computer Science department at my university, we regularly use Repl.it for rapid testing of ideas for our programming assignments, and in some classes we use it for official assignment submission. While logging in to the platform one time, I took note of a goto parameter in the login URL. The URL followed the form repl.it/login?goto={target_endpoint}, where {target_endpoint} is the location to which the user is redirected after logging in.

Exploitation

Because post-authentication redirection schemes that look like this are, at times, susceptible to Open URL Redirection, I tried visiting the URL repl.it/login?goto=https://example.com and logging in. To my surprise, I was redirected to example.com! Now that this case was validated, I tried finding methods of obscuring the destination URL. This is because a victim may notice the second, potentially malicious URL and choose not to visit the link. With that said, I tested several different ways to encode an URL and saw that most of the variations worked in place of the plain https://example.com.

Impact

(Not) Increasing the Impact

Some Open Redirect Vulns can also lead to Cross Site Scripting (XSS) attacks if the payload or, in this case, the destination URL is valid JavaScript. Fortunately, injecting script tags or javascript:{some-code-here} as the parameter value didn't appear to have an effect.

Demo

Here's a video demo of the this vulnerability being exploited before the patch. I don't consider it a proof of concept, as I demonstrate the exploitation with a benign redirection location.

In Conclusion

I raised this issue with medium severity, as opposed to the typical low severity, given the nature of Repl.it's REPL sharing feature and the ease of a user mistaking a malicious login link for shared REPL or other asset. The Repl.it team was very considerate in finding time to fix this vulnerability. They're a relatively small team with a lot of responsibilities, so their diligence was appreciated.

Timeline

Oct 24, 2019 - Initial email asking for preferred means of disclosure
Dec 31, 2019 - Response from Repl and disclosure of vulnerability details
Unknown - Full patch
Mar 03, 2020 - Discovery of patch and request to fully disclose findings
Mar 04, 2020 - Permission to fully disclose findings granted

How'd I Get Here? Exploiting Redirection

Gerald Nash ⚡️ — Sat, 04 Apr 2020 02:15:36 +0000

This post was first featured on my blog.
NOTE: The content in this post is solely for educational purposes. Do NOT attack entities that did not provide consent beforehand.

In this post, we'll cover what Open URL Redirection Vulnerabilties are, how to exploit them, and how to prevent them. I was motivated to write this, because I've lately been discovering these vulnerabilities in the wild, and I want to increase developers', users', and security researchers' awareness of them.

What is URL Redirection?

URL Redirection is a method used by web applications to manage a user's navigation throughout the app. This is often seen during authentication, where a user is registering for or logging into an application, and the application wishes to redirect the user to another page once they've been authenticated.

So, what's the problem?

What happens when we set the location to which a user will be redirected to a completely different website? If the application still redirects us to the website, its URL redirection logic could be too "open". If we can have it redirect us to any website we'd like, we might be able to use this to attack users of the website.

What does this look like?

Sometimes when you're at a login page for some website like hackus.now.sh, you might see the URL looks like hackus.now.sh/login?next=/dashboard. That URL communicates that, once you've logged in, you'll be redirected to the dashboard page, which looks like hackus.now.sh/dashboard.

We established earlier that URLs that contain the location to which we'll be redirected are potentially vulnerable to Open URL Redirection. This is because the target doesn't perform adequate verification or sanitization of the values of the next parameter. With that being said, what happens if we instead set the destination to example.com? To see that, we can visit hackus.now.sh/login?next=https://example.com. If, after logging in, we're redirected to example.com, our target is definitely susceptible to Open URL Redirection.

How can we craft an attack?

As with many high-impact attacks, we can chain our exploitation of this vulnerability with other exploits to achieve certain effects on a target or targets. For example, we can utilize social engineering and a CVE that lets us break out of the browser sandbox and execute code on the host computer to take control of a target's device.

In theory, this could be achieved by using the social engineering to have our target visit hackus.now.sh/login?next=imdangerous.com and log in. In this case, our target's visit to imdangerous.com will cause our exploitation of the aforementioned CVE to take place, allowing us to run code on the target's machine and likely take control of it.

What if there's no `next` parameter?

These redirect parameters vary across web applications and frameworks. In my experience, I've seen next, goto, redirect, and redirect_to. They could take so many forms that you could even use a wordlist and fuzz for valid redirection parameters to test for openness.

How creative can we get with this?

Very! If we wanna get creative with the redirection payload, we can change the form of the URL. For example, if the payload looks like ?next=/dashboard and we want to redirect to example.com, we can try the URL with protocol included (?next=https://example.com), just the host (?next=example.com / ?next=/example.com), URL without protocol (?next=//example.com), or even URL-encoded versions of any of the previous examples (?next=%2F%2Fexample.com et al.).

Another creative approach is to try different protocols in the payload! Some browsers support FTP and IPFS URLs, so we could plug those kinds of URLs in the payload and observe effects. A payload that often increases the impact of vulnerabilities of this type is using JavaScript as the payload's protocol. Using payloads of the form ?next=javascript:{some-code} can sometimes be used to perform DOM-based XSS.

The Attack in the Wild
An Open Redirect vulnerability was exploited in the United States Department of Health and Human Services' Departmental Contracts Information System during the novel coronavirus disease (COVID-19) pandemic. In short, attackers sent crafted a URL of the form https://dcis.hhs.gov/cas/login?service=malicioussite.com&gateway=true that redirected victims to a website that has a victim unknowingly download and execute malware. More information on this particular attack can be found here.

In Conclusion

Open URL Redirection is a type of vulnerability where an application redirects users to any location provided in its URL. This type of vulnerability is typically used in a chain of exploits to achieve higher impact attacks. At times, these vulnerabilities could even lead to XSS! To mitigate the risk of an application's vulnerability to Open URL Redirection, developers and security engineers must ensure that their applications whitelist and/or sanitize the values of their redirection parameters.

I typically report these vulnerabilities with low severity, although depending on the nature of the application or range of allowed payloads I might give medium or high severity to my findings.

Thanks for reading. If you have any questions for me about this post or anything else, please feel free to message me on Twitter!

The Anatomy of ERC20

Gerald Nash ⚡️ — Tue, 03 Oct 2017 00:03:42 +0000

This article was first published to 21.co's blog.

In light of today’s ICO launches, digital token sales during which companies and organizations raise millions of dollars instantly while giving out digital assets, it’s important to recognize the underlying technology that nearly all of these tokens possess: ERC20.

Ethereum Request for Comments 20, or ERC20, is an Ethereum Improvement Proposal introduced by Fabian Vogelsteller in late 2015. It’s a standard by which many popular Ethereum smart contracts abide. It effectively allows smart contracts to act very similarly to a conventional cryptocurrency like Bitcoin, or Ethereum itself. In saying this, a token hosted on the Ethereum blockchain can be sent, received, checked of its total supply, and checked for the amount that is available on an individual address. This is analogous to sending and receiving Ether or Bitcoin from a wallet, knowing the total amount of coins in circulation, and knowing a particular wallet’s balance of a coin. A smart contract that follows this standard is called an ERC20 token.

The Original ERC20 Proposal

All of the previously described functionality is able to exist by defining a set of functions that allow a smart contract to emulate a digital token. But how does that work?

ERC20 defines the functions balanceOf , totalSupply , transfer , transferFrom , approve , and allowance . It also has a few optional fields like the token name, symbol, and the number of decimal places with which it will be measured.
Note: This is a concise declaration of an example ERC20 contract.

ERC20 defines the functions balanceOf , totalSupply , transfer , transferFrom , approve , and allowance . It also has a few optional fields like the token name, symbol, and the number of decimal places with which it will be measured.

Note: This is a concise declaration of an example ERC20 contract.

// Grabbed from: https://github.com/ethereum/EIPs/issues/20
contract ERC20 {
   function totalSupply() constant returns (uint theTotalSupply);
   function balanceOf(address _owner) constant returns (uint balance);
   function transfer(address _to, uint _value) returns (bool success);
   function transferFrom(address _from, address _to, uint _value) returns (bool success);
   function approve(address _spender, uint _value) returns (bool success);
   function allowance(address _owner, address _spender) constant returns (uint remaining);
   event Transfer(address indexed _from, address indexed _to, uint _value);
   event Approval(address indexed _owner, address indexed _spender, uint _value);
}

An overview and example of each field within the contract is as follows.

totalSupply()

Although the supply could easily be fixed, as it is with Bitcoin, this function allows an instance of the contract to calculate and return the total amount of the token that exists in circulation.

contract MyERCToken {
  // In this case, the total supply
  // of MyERCToken is fixed, but
  // it can very much be changed
  uint256 _totalSupply = 1000000;

  function totalSupply() constant returns (uint256 theTotalSupply) {
    // Because our function signature
    // states that the returning variable
    // is "theTotalSupply", we'll just set that variable
    // to the value of the instance variable "_totalSupply"
    // and return it
    theTotalSupply = _totalSupply;
    return theTotalSupply;
  }
}

balanceOf()

This function allows a smart contract to store and return the balance of the provided address. The function accepts an address as a parameter, so it should be known that the balance of any address is public.

contract MyERCToken {
  // Create a table so that we can map addresses
  // to the balances associated with them
  mapping(address => uint256) balances;
  // Owner of this contract
  address public owner;

  function balanceOf(address _owner) constant returns (uint256 balance) {
    // Return the balance for the specific address
    return balances[_owner];
  }
}

approve()

When calling this function, the owner of the contract authorizes, or approves, the given address to withdraw instances of the token from the owner’s address.

Here, and in later snippets, you may see a variable msg. This is an implicit field provided by external applications such as wallets so that they can better interact with the contract. The Ethereum Virtual Machine (EVM) lets us use this field to store and process data given by the external application.

In this example, msg.sender is the address of the contract owner.

contract MyERCToken {
  // Create a table so that we can map
  // the addresses of contract owners to
  // those who are allowed to utilize the owner's contract
  mapping(address => mapping (address => uint256)) allowed;

  function approve(address _spender, uint256 _amount) returns (bool success) {
    allowed[msg.sender][_spender] = _amount;
    // Fire the event "Approval" to execute any logic
    // that was listening to it
    Approval(msg.sender, _spender, _amount);
    return true;
  }
}

transfer()

This function lets the owner of the contract send a given amount of the token to another address just like a conventional cryptocurrency transaction.

contract MyERCToken {
  mapping(address => uint256) balances;

  // Note: This function returns a boolean value
  //       indicating whether the transfer was successful
  function transfer(address _to, uint256 _amount) returns (bool success) {
    // If the sender has sufficient funds to send
    // and the amount is not zero, then send to
    // the given address
    if (balances[msg.sender] >= _amount 
      && _amount > 0
      && balances[_to] + _amount > balances[_to]) {
      balances[msg.sender] -= _amount;
      balances[_to] += _amount;
      // Fire a transfer event for any
      // logic that's listening
      Transfer(msg.sender, _to, _amount);
        return true;
      } else {
        return false;
      }
   }
}

transferFrom()

This function allows a smart contract to automate the transfer process and send a given amount of the token on behalf of the owner.

Seeing this might raise a few eyebrows. One may question why we need both transfer() and transferFrom() functions.

Consider transferring money to pay a bill. It’s extremely common to send money manually by taking the time to write a check and mail it to pay the bill off. This is like using transfer() : you’re doing the money transfer process yourself, without the help of another party.

In another situation, you could set up automatic bill pay with your bank. This is like using transferFrom() : your bank’s machines send money to pay off the bill on your behalf, automatically. With this function, a contract can send a certain amount of the token to another address on your behalf, without your intervention.

contract MyERCToken {
  mapping(address => uint256) balances;

  function transferFrom(address _from, address _to, uint256 _amount) returns (bool success) {
    if (balances[_from] >= _amount
      && allowed[_from][msg.sender] >= _amount
      && _amount > 0
      && balances[_to] + _amount > balances[_to]) {
    balances[_from] -= _amount;
    balances[_to] += _amount;
    Transfer(_from, _to, _amount);
      return true;
    } else {
      return false;
    }
  }
}

Token Name

This is an optional field, but many popular tokens include it so that popular wallets like Mist and MyEtherWallet are able to identify them.

contract MyERCToken {
  string public constant name = "My Custom ERC20 Token";
}

Token Symbol

Another optional field used to identify a token, this is a three or four letter abbreviation of the token, just like BTC, ETH, AUG, or SJCX.

contract MyERCToken {
  string public constant symbol = "MET";
}

Number of Decimals

An optional field used to determine to what decimal place the amount of the token will be calculated. The most common number of decimals to consider is 18.

contract MyERCToken {
  uint8 public constant decimals = 18;
}

The total source code of ERC20 token that we just created can be found here.

In the end, the original ERC20 proposal is somewhat unappreciated. It opened up avenues for a new set of smart contracts that could be created and distributed in the same fashion as Bitcoin or Ethereum. This proves to be very enticing for young companies, as the entire ERC20 ecosystem is hosted on the Ethereum blockchain, a large pre-existing network of computers. This means that developers and young companies don’t have to attract miners in order to sustain their tokens, something that can save a lot of money. And, these tokens can be hosted on exchanges to be traded like other assets, so investors can easily buy and sell these tokens like more popular currencies.

Let’s Make the Tiniest Blockchain Bigger

Gerald Nash ⚡️ — Wed, 26 Jul 2017 14:50:44 +0000

Note: This article assumes you’ve read part one.
The tiniest blockchain was extremely simple, and it was relatively easy to make. But, with its simplicity came a few flaws. First, SnakeCoin only ran on one single machine, so it was far from distributed, let alone decentralized. Second, blocks could be added to the chain as fast as the host computer could create a Python object and add it to a list. In the case of a simple blockchain, that’s not a problem, but we’re now going to let SnakeCoin be an actual cryptocurrency so we’ll need control the amount of blocks (and coins) that can be created at a time.

From now on, SnakeCoin’s data will be transactions, so each block’s data field will be a list of some transactions. We’ll define a transaction as follows. Each transaction will be a JSON object detailing the sender of the coin, the receiver of the coin, and the amount of SnakeCoin that is being transferred. Note: Transactions are in JSON format for a reason I’ll detail shortly.

{
  "from": "71238uqirbfh894-random-public-key-a-alkjdflakjfewn204ij",
  "to": "93j4ivnqiopvh43-random-public-key-b-qjrgvnoeirbnferinfo",
  "amount": 3
}

Now that we know what our transactions will look like, we need a way to add them to one of the computers in our blockchain network, called a node. To do that, we’ll create a simple HTTP server so that any user can let our nodes know that a new transaction has occurred. A node will be able to accept a POST request with a transaction (like above) as the request body. This is why transactions are JSON formatted; we need them to be transmitted to our server in a request body.

pip install flask # Install our web server framework first

from flask import Flask
from flask import request
node = Flask(__name__)

# Store the transactions that
# this node has in a list
this_nodes_transactions = []

@node.route('/txion', methods=['POST'])
def transaction():
  if request.method == 'POST':
    # On each new POST request,
    # we extract the transaction data
    new_txion = request.get_json()
    # Then we add the transaction to our list
    this_nodes_transactions.append(new_txion)
    # Because the transaction was successfully
    # submitted, we log it to our console
    print "New transaction"
    print "FROM: {}".format(new_txion['from'])
    print "TO: {}".format(new_txion['to'])
    print "AMOUNT: {}\n".format(new_txion['amount'])
    # Then we let the client know it worked out
    return "Transaction submission successful\n"

node.run()

Awesome! Now we have a way to keep a record of users when they send SnakeCoins to each other. This is why people refer to blockchains as public, distributed ledgers: all transactions are stored for all to see and are stored on every node in the network.

But, a question arises: where do people get SnakeCoins from? Nowhere, yet. There’s no such thing as a SnakeCoin yet, because not one coin has been created and issued yet. To create new coins, people have to mine new blocks of SnakeCoin. When they successfully mine new blocks, a new SnakeCoin is created and rewarded to the person who mined the block. The coin then gets circulated once the miner sends the SnakeCoin to another person.

We don’t want it to be too easy to mine new SnakeCoin blocks, because that will create too many SnakeCoins and they will have little value. Conversely, we don’t want it to be too hard to mine new blocks, because there wouldn’t be enough coins for everyone to spend, and they would be too expensive for our liking. To control the difficulty of mining new SnakeCoins, we’ll implement a Proof-of-Work (PoW) algorithm. A Proof-of-Work algorithm is essentially an algorithm that generates an item that is difficult to create but easy to verify. The item is called the proof and, as it sounds, it is proof that a computer performed a certain amount of work.

In SnakeCoin, we’ll create a somewhat simple Proof-of-Work algorithm. To create a new block, a miner’s computer will have to increment a number. When that number is divisible by 9 (the number of letters in “SnakeCoin”) and the proof number of the last block, a new SnakeCoin block will be mined and the miner will be given a brand new SnakeCoin.

# ...blockchain
# ...Block class definition

miner_address = "q3nf394hjg-random-miner-address-34nf3i4nflkn3oi"

def proof_of_work(last_proof):
  # Create a variable that we will use to find
  # our next proof of work
  incrementor = last_proof + 1
  # Keep incrementing the incrementor until
  # it's equal to a number divisible by 9
  # and the proof of work of the previous
  # block in the chain
  while not (incrementor % 9 == 0 and incrementor % last_proof == 0):
    incrementor += 1
  # Once that number is found,
  # we can return it as a proof
  # of our work
  return incrementor

@node.route('/mine', methods = ['GET'])
def mine():
  # Get the last proof of work
  last_block = blockchain[len(blockchain) - 1]
  last_proof = last_block.data['proof-of-work']
  # Find the proof of work for
  # the current block being mined
  # Note: The program will hang here until a new
  #       proof of work is found
  proof = proof_of_work(last_proof)
  # Once we find a valid proof of work,
  # we know we can mine a block so 
  # we reward the miner by adding a transaction
  this_nodes_transactions.append(
    { "from": "network", "to": miner_address, "amount": 1 }
  )
  # Now we can gather the data needed
  # to create the new block
  new_block_data = {
    "proof-of-work": proof,
    "transactions": list(this_nodes_transactions)
  }
  new_block_index = last_block.index + 1
  new_block_timestamp = this_timestamp = date.datetime.now()
  last_block_hash = last_block.hash
  # Empty transaction list
  this_nodes_transactions[:] = []
  # Now create the
  # new block!
  mined_block = Block(
    new_block_index,
    new_block_timestamp,
    new_block_data,
    last_block_hash
  )
  blockchain.append(mined_block)
  # Let the client know we mined a block
  return json.dumps({
      "index": new_block_index,
      "timestamp": str(new_block_timestamp),
      "data": new_block_data,
      "hash": last_block_hash
  }) + "\n"

Now, we can control the number of blocks mined in a certain time period, and we can issue new coins for people in the network to send to each other. But like we said, we’re only doing this on one computer. If blockchains are decentralized, how do we make sure that the same chain is on every node? To do this, we make each node broadcast its version of the chain to the others and allow them to receive the chains of other nodes. After that, each node has to verify the other nodes’ chains so that the every node in the network can come to a consensus of what the resulting blockchain will look like. This is called a consensus algorithm.

Our consensus algorithm will be rather simple: if a node’s chain is different from another’s (i.e. there is a conflict), then the longest chain in the network stays and all shorter chains will be deleted. If there is no conflict between the chains in our network, then we carry on.

@node.route('/blocks', methods=['GET'])
def get_blocks():
  chain_to_send = blockchain
  # Convert our blocks into dictionaries
  # so we can send them as json objects later
  for block in chain_to_send:
    block_index = str(block.index)
    block_timestamp = str(block.timestamp)
    block_data = str(block.data)
    block_hash = block.hash
    block = {
      "index": block_index,
      "timestamp": block_timestamp,
      "data": block_data,
      "hash": block_hash
    }
  # Send our chain to whomever requested it
  chain_to_send = json.dumps(chain_to_send)
  return chain_to_send

def find_new_chains():
  # Get the blockchains of every
  # other node
  other_chains = []
  for node_url in peer_nodes:
    # Get their chains using a GET request
    block = requests.get(node_url + "/blocks").content
    # Convert the JSON object to a Python dictionary
    block = json.loads(block)
    # Add it to our list
    other_chains.append(block)
  return other_chains

def consensus():
  # Get the blocks from other nodes
  other_chains = find_new_chains()
  # If our chain isn't longest,
  # then we store the longest chain
  longest_chain = blockchain
  for chain in other_chains:
    if len(longest_chain) < len(chain):
      longest_chain = chain
  # If the longest chain wasn't ours,
  # then we set our chain to the longest
  blockchain = longest_chain

We’re just about done now. After running the full SnakeCoin server code, run the following commands in your terminal. Assuming you have cURL installed.

Create a transaction.

curl "localhost:5000/txion" \
     -H "Content-Type: application/json" \
     -d '{"from": "akjflw", "to":"fjlakdj", "amount": 3}'

Mine a new block.

curl localhost:5000/mine

Check out the results. From the client window, we see this.

With a little bit of pretty printing we see that after mining we get some cool information on our new block.

{
  "index": 2,
  "data": {
    "transactions": [
      {
        "to": "fjlakdj",
        "amount": 3,
        "from": "akjflw"
      },
      {
        "to": "q3nf394hjg-random-miner-address-34nf3i4nflkn3oi",
        "amount": 1,
        "from": "network"
      }
    ],
    "proof-of-work": 36
  },
  "hash": "151edd3ef6af2e7eb8272245cb8ea91b4ecfc3e60af22d8518ef0bba8b4a6b18",
  "timestamp": "2017-07-23 11:23:10.140996"
}

And that’s it! We’ve made a fairly sized blockchain at this point. Now, SnakeCoin can be launched on multiple machines to create a network, and real SnakeCoins can be mined. Please feel free to tinker with the SnakeCoin server code as much as you’d like, and ask as many questions as you need! In the next part, we’ll discuss creating a SnakeCoin wallet, so users can send, receive, and store their SnakeCoins.

Thank you very much for reading!
Twitter, Github, Snapchat, Medium, Instagram

Let's Build the Tiniest Blockchain

Gerald Nash ⚡️ — Mon, 17 Jul 2017 22:28:44 +0000

Note: This article was originally published to Crypto Currently.

Although some think blockchain is a solution waiting for problems, there’s no doubt that this novel technology is a marvel of computing. But, what exactly is a blockchain?

Blockchain

a digital ledger in which transactions made in bitcoin or another cryptocurrency are recorded chronologically and publicly. >

In more general terms, it’s a public database where new data are stored in a container called a block and are added to an immutable chain (hence blockchain) with data added in the past. In the case of Bitcoin and other cryptocurrencies, these data are groups of transactions. But, the data can be of any type, of course.

Blockchain technology has given rise to new, fully digital currencies like Bitcoin and Litecoin that aren’t issued or managed by a central authority. This brings new freedom to individuals who believe that today’s banking systems are a scam or subject to failure. Blockchain has also revolutionized distributed computing in the form of technologies like Ethereum, which has introduced interesting concepts like smart contracts.

In this article, I’ll make a simple blockchain in less than 50 lines of Python 2 code. It’ll be called SnakeCoin.

We’ll start by first defining what our blocks will look like. In blockchain, each block is stored with a timestamp and, optionally, an index. In SnakeCoin, we’re going to store both. And to help ensure integrity throughout the blockchain, each block will have a self-identifying hash. Like Bitcoin, each block’s hash will be a cryptographic hash of the block’s index, timestamp, data, and the hash of the previous block’s hash. Oh, and the data can be anything you want.

import hashlib as hasher

class Block:
  def __init__(self, index, timestamp, data, previous_hash):
    self.index = index
    self.timestamp = timestamp
    self.data = data
    self.previous_hash = previous_hash
    self.hash = self.hash_block()

  def hash_block(self):
    sha = hasher.sha256()
    sha.update(str(self.index) + 
               str(self.timestamp) + 
               str(self.data) + 
               str(self.previous_hash))
    return sha.hexdigest()

Awesome! We have our block structure, but we’re creating a block chain. We need to start adding blocks to the actual chain. As I mentioned earlier, each block requires information from the previous block. But with that being said, a question arises: how does the first block in the blockchain get there? Well, the first block, or genesis block, is a special block. In many cases, it’s added manually or has unique logic allowing it to be added.

We’ll create a function that simply returns a genesis block to make things easy. This block is of index 0, and it has an arbitrary data value and an arbitrary value in the “previous hash” parameter.

import datetime as date

def create_genesis_block():
  # Manually construct a block with
  # index zero and arbitrary previous hash
  return Block(0, date.datetime.now(), "Genesis Block", "0")

Now that we’re able to create a genesis block, we need a function that will generate succeeding blocks in the blockchain. This function will take the previous block in the chain as a parameter, create the data for the block to be generated, and return the new block with its appropriate data. When new blocks hash information from previous blocks, the integrity of the blockchain increases with each new block. If we didn’t do this, it would be easier for an outside party to “change the past” and replace our chain with an entirely new one of their own. This chain of hashes acts as cryptographic proof and helps ensure that once a block is added to the blockchain it cannot be replaced or removed.

def next_block(last_block):
  this_index = last_block.index + 1
  this_timestamp = date.datetime.now()
  this_data = "Hey! I'm block " + str(this_index)
  this_hash = last_block.hash
  return Block(this_index, this_timestamp, this_data, this_hash)

That’s the majority of the hard work. Now, we can create our blockchain! In our case, the blockchain itself is a simple Python list. The first element of the list is the genesis block. And of course, we need to add the succeeding blocks. Because SnakeCoin is the tiniest blockchain, we’ll only add 20 new blocks. We can do this with a for loop.

# Create the blockchain and add the genesis block
blockchain = [create_genesis_block()]
previous_block = blockchain[0]

# How many blocks should we add to the chain
# after the genesis block
num_of_blocks_to_add = 20

# Add blocks to the chain
for i in range(0, num_of_blocks_to_add):
  block_to_add = next_block(previous_block)
  blockchain.append(block_to_add)
  previous_block = block_to_add
  # Tell everyone about it!
  print "Block #{} has been added to the blockchain!".format(block_to_add.index)
  print "Hash: {}\n".format(block_to_add.hash)

Let’s test what we’ve made so far.

There we go! Our blockchain works. If you want to see more information in the console, you could edit the complete source file and print each block’s timestamp or data.

That’s about all that SnakeCoin has to offer. To make SnakeCoin scale to the size of today’s production blockchains, we’d have to add more features like a server layer to track changes to the chain on multiple machines and a proof-of-work algorithm to limit the amount of blocks added in a given time period.

If you’d like to get more technical, you can view the original Bitcoin whitepaper here. Best of luck and happy hacking!

Thank you very much for reading!
Twitter, Github, Snapchat, Medium, Instagram

I Chose TypeScript For the Nostalgia

Gerald Nash ⚡️ — Wed, 21 Jun 2017 13:46:40 +0000

Back when I was 13 years old and beginning my freshman year of high school, I wasn’t sure what programming language I wanted to learn first. After browsing a lot of fora and viewing a few old YouTube videos, people almost always recommended Java as a practical and profitable first language. So, that’s what learned.

Fast forward to Junior year and I’ve had my fair share of class files, NullPointerExceptions, and a gamut of compilation errors. I’m breezing through my AP Computer Science course (which, as you guessed, teaches Java), and I’m starting to look into open sourcing my work and building more practical projects.

I decided to write a web server with Java EE and Apache Tomcat, and, since I grew tired of what felt like writing more syntax than semantics, let’s just say I got much too frustrated with Java at this point, so I ventured into a different ecosystem.

After some Google searches, I discovered Node.js and Express. After seeing an example Hello World server, I fell in love with the conciseness and abstraction that these technologies provided.

var express = require('express')
var app = express()

app.get('/', function (req, res) {
  res.send('Hello World!')
})

app.listen(3000, function () {
  console.log('Example app listening on port 3000!')
})

And so, I kind of became a JavaScript developer. I starting learning about callbacks, prototypes, and other cool stuff JS provides new developers. I started using Javascript for projects of all kinds: front end, back end, desktop, command line, etc. I fell in love with JavaScript’s ubiquity and simplicity (dynamic typing and not having to use semicolons seemed so awesome…at first).

But, now I graduated high school and I’ve written thousands of lines of JavaScript. The things that originally brought me over to the language are now reasons for me to dislike it. I’m starting to see the flaws in dynamic typing, non-strict syntax, and other facets of the language. I’m starting to look for a compile-to-JS language to keep my faith before I (maybe) leave the ecosystem. Java’s syntax and typing never looked so attractive…

And, that’s when I found TypeScript, a typed superset of JavaScript. Coming from ES5, I liked that TypeScript automatically included ES6 and beyond features (like that sweet, sweet class syntax) without needing complicated Babel configurations. At this point, I was happy to see some syntax that somewhat reminded me of my Java days.

But, ES6 doesn’t natively provide great typing functionality: that’s where TypeScript’s true advantages come out. In the same way that Java’s types are enforcements, TypeScript’s types are suggestions. So, you have the opportunity to see how types semantically flow throughout your application similar to compiled languages like Java and C#, but you don’t necessarily have to abide by type inconsistencies, because it’s still JavaScript under the hood. And that’s good enough for me.

The syntax is essentially JavaScript as you know it, except for type declaration files. Take a look at the example code below. Borrowed from this page.

var burger: string = 'hamburger',     // String 
    calories: number = 300,           // Numeric
    tasty: boolean = true;            // Boolean

// Alternatively, you can omit the type declaration:
// var burger = 'hamburger';

// The function expects a string and an integer.
// It doesn't return anything so the type of the function itself is void.

function speak(food: string, energy: number): void {
  console.log("Our " + food + " has " + energy + " calories.");
}

speak(burger, calories);

Like I said before, it looks just like normal JS, except you optionally define the types of each variable and function return with colon syntax. No trouble!😉

Although TypeScript’s typing is more of a recommendation, it’s close enough to remind me of a more strictly typed language like my starting point, Java. It helps provide a bit of needed structure when building large scale projects and applications by adding typing, which is what keeps languages like C#, Java, and C++ in use.

Although I grew tired of the forced verbosity that compiled languages require of their developers, it turns out that I may have taken it for granted. When given the freedom of dynamic typing, optional semicolons, and the rest of the works, it seems that it gets noticeably harder to build and debug large applications because of the lenience. TypeScript’s illusion of static typing provides that bit of structure that one might need to keep code clean and readable. As you can see, I chose TypeScript for the nostalgia. What might you choose it for?

Thanks for reading this! Feel free to give me some feedback on how it was and whether or not you would ever use TypeScript, and why.

Twitter, Github, Snapchat, Medium, Instagram

How do you pronounce "PostgreSQL"?

Gerald Nash ⚡️ — Tue, 20 Jun 2017 15:25:43 +0000

I've heard POAST-GREH-SEE-QUEL, POST-GER-ESS-CUE-ELL, and so many others. How do you pronounce it?

The Importance of Open Sourcing Innovation

Gerald Nash ⚡️ — Sun, 18 Jun 2017 22:50:26 +0000

Now that I've finished my first week at my internship at Cinchapi, I've learned so much already. I've gotten a taste of a lot of skills and platforms that a software engineer may come across in their career. I finally have the opportunity to use Jira and other Atlassian products, I use Slack much more often, and I'm becoming much more aware of Git and the Github workflow.

But, in addition to learning of the non-development sides of the position, I'm learning more about database technologies and how to augment antiquated practices. One interesting thing that I've learned is the technology behind one of Cinchapi's core products, ConcourseDB. Concourse is extremely innovative, because it has features such as granular just-in-time locking, self-tuning, buffered storage, and other cool stuff. Although, I think that most important feature of ConcourseDB is that it's open source. Concourse's open source nature has come to remind me of the importance of open sourcing technological advances whether they're in computing or not.

Open sourcing innovation is important, first, because it opens doors to further innovation. This is the "standing on the shoulders of giants" that one person can do when another reaches a technological advancement. It has been the release of knowledge and innovation by an innumerable amount of people in thousands of fields that has gotten us to where we are today, and we shouldn't stop sharing these ideas for the sole purpose of accruing profit. Look back at greats like Sir Isaac Newton, Richard Feynman, Nicola Tesla, and many others whose contributions in their respective fields have accelerated the technological development of society.

Open sourcing innovation is also important because it makes life easier. Without open innovation, we quite literally wouldn't be able to experience life in the same fashion. Open innovation has allowed society to advance in a unified manner, as opposed to a small group of individuals and corporations leading the advancement.

Open innovation also induces competitive pressure among individuals and organizations. This competition leverages the aforementioned idea that a technological breakthrough in a field leads to more subsequent innovation, which in turn causes more advancement. In short, open sourcing new technology starts a recurring cycle that lets the industry move faster than if it were kept secret.

So, ultimately I'm proud of the Cinchapi team for open sourcing ConcourseDB, as I'm sure its technological advances will further the computing industry and, hopefully, society as a whole. But Cinchapi's not the only one doing this: Facebook open sourced buck, OpenAI and others are publishing new advancements in AI research, and Google kind ofopen sourced VR a while back. It's open innovation like this that lets this industry move as fast as it does. I hope to see more of it as time passes!

Thank you for reading!

Twitter, Github, Snapchat, Medium, Instagram

So I Graduated High School, Now What?

Gerald Nash ⚡️ — Sat, 17 Jun 2017 15:22:43 +0000

It’s done…finished…over. I’ve finally finished an unforgettable 4 years of my life. 4 years full of smiles, stress, sweat, and software. Throughout all of this I’ve made a few small achievements: I made the varsity soccer team in my freshman year, managed to keep straight A’s while playing three sports in one year, made my first 100-star project on Github, started a tech blog, and many more.

I graduated high school, now what?

Well, I’m continuing my education. After thoughtful consideration, I’ve decided to attend Howard University in Washington, DC. At Howard, I’ll be majoring in Computer Science and minoring in a study that is to be determined. I’m beyond excited to join the Bison family!

What does all this mean for me as a software developer?

Well, I got access to the Github Student Pack, so that’s kind of cool 😉. Lol but now that I’m a university student, I have access to a lot of opportunities that were previously not available to me: I can attend as many hackathons as my heart desires, apply for internships, and actually study computing in school. I’m extremely excited for what’s to come.

So, what am I doing now?

I’ve been blessed with the opportunity to work with Jeff Nelson and the Cinchapi team as a Software Engineer Intern this summer before I start college. I’m incredibly happy to be working here and I thank everyone who’s helped me become a better developer leading up to this opportunity!

Now that I’m finished with high school, I can’t wait to see all that is to come! I can’t thank everyone enough, and I thank you for reading this piece.

Connect with me on social media:

Twitter, Github, Snapchat, Medium, Instagram

How I Built a Serverless Function Without Knowing It, I Think*

Gerald Nash ⚡️ — Sun, 09 Apr 2017 15:06:29 +0000

It’s the weekend after a week full of exams. I’m exhausted and am just waiting to graduate high school. But, like any other developer I feel the urge to go ahead and start another weekend project. I’m learning some pretty interesting stuff in AP Calculus, but I get tired of doing algebra during homework at times. I think to myself: Why not build something that does my math homework for me?

That’s where I got the idea to build Newton, a really micro micro-service for math. I wanted to make it easier for developers to do math without being constrained by codebase sizes or non-existant APIs in their preferred language.

So what makes it interesting? Other then being super cool and functional, of course, Newton requires no storage space other than its source files. It doesn’t access or modify a database, and it doesn’t even dynamically create configuration files or any of the matter. Each request and response is protected by Zeit Now’s HTTPS encryption. Plus, it runs solely on simple GET requests.

I didn’t think much of those characteristics, but after a bit of interaction with the tech community I think Newton is a serverless function.

Explain "serverless architecture" to me like I'm five years old. #DevDiscuss
— The Practical Dev (@thepracticaldev ) April 5, 2017

@ThePracticalDev Very small machines on a network; LOTS of them work at the same time. But their brains are very small, they can't remember what they did!
— Eric Elliott (@_ericelliott) April 5, 2017

Eric Elliott gave an unexpected yet informative response. Newton fits those characteristics. Zeit abstracts global hosting for Now, so that satisfies the machines on a network. Newton is a relatively small package (~3.3kB), so that fits the small brain, and like I said it doesn’t access or process persistant memory. Seems like serverless to me.

Anything else?

@ThePracticalDev Write code as a bunch of function and then pretend infrastructure doesn't matter.
— Elliot Blackburn (@elliotblackburn ) April 5, 2017

That seals the deal. I use Now, because I don’t have to worry about anything other than how my code runs. And, Newton does one thing: math.

Wait, math is a lot of things.

We get the point. But just to be sure, I took to r/serverless.

Eh, that answer is good enough for me.

So, in the end I built a small serverless function as a weekend project to help me do my math homework and help others make cool things. Newton has grown to become more popular than I initially expected, and I‘d love to witness its expansion and see what others make with it.

And don’t forget: it’s serverless, I think.

Thanks for reading! As always, you’re awesome.

For more information on serverless architecture, start here.

DEV Community: Gerald Nash ⚡️

Mixed Reality in Transit

A Background

An Idea

Rejection

An Alternative

Virality

In Conclusion

Substack Open URL Redirection / Reflected XSS Vulnerability Writeup

Discovery

Exploitation

Impact

Increasing the Impact

Demo

In Conclusion

Repl.it Open URL Redirection Vulnerability Writeup

Discovery

Exploitation

Impact

(Not) Increasing the Impact

Demo

In Conclusion

Timeline

How'd I Get Here? Exploiting Redirection

What is URL Redirection?

So, what's the problem?

What does this look like?

How can we craft an attack?

What if there's no next parameter?

How creative can we get with this?

In Conclusion

The Anatomy of ERC20

totalSupply()

balanceOf()

approve()

transfer()

transferFrom()

Token Name

Token Symbol

Number of Decimals

Let’s Make the Tiniest Blockchain Bigger

Let's Build the Tiniest Blockchain

I Chose TypeScript For the Nostalgia

How do you pronounce "PostgreSQL"?

The Importance of Open Sourcing Innovation

So I Graduated High School, Now What?

I graduated high school, now what?

What does all this mean for me as a software developer?

So, what am I doing now?

Connect with me on social media:

How I Built a Serverless Function Without Knowing It, I Think*

What if there's no `next` parameter?