Pavel Podlipensky

Kaggle competition aftermath

podlipensky — Tue, 09 Jun 2015 23:11:25 +0000

After taking Andrew Ng’s class and reading couple books about machine learning, I finally found time to do something with it. This was my first Kaggle competition and it was really fun! The problem was to find robots in some penny-like online auction. The data consists of a list of bid events (auction id, user […]

The post Kaggle competition aftermath appeared first on Pavel Podlipensky.

What’s Bitcoin good for, anyway?

podlipensky — Mon, 03 Mar 2014 16:46:08 +0000

The idea of using Bitcoins instead of “normal” monetary currencies has been getting a lot of attention lately, and a lot of people seem to be wondering why anyone would want to use Bitcoin in the first place. This is, of course, a question worth pondering, but I think it has been sufficiently addressed. Entrepreneur […]

The post What’s Bitcoin good for, anyway? appeared first on Pavel Podlipensky.

Escape unescaped

podlipensky — Mon, 18 Nov 2013 14:03:50 +0000

JavaScript has earned reputation of tricky and well, the most popular language nowadays. But in day-to-day programming life software engineers try to avoid any hacks, shortcuts and tricks. This make code simple, easy to maintain and even more reliable. Although there is a flip side of the coin – security, which requires more deep understanding […]

The post Escape unescaped appeared first on Pavel Podlipensky.

CSS-only: Load images on demand

podlipensky — Wed, 05 Jun 2013 14:40:32 +0000

The brain is a muscle, and as all muscles, it needs regular exercise to keep sharp. Thats why I decided to take very old (but efficient) web optimization technique and implement it in new crazy way. You most likely heard about loading images (and other resources) on demand – which is not only a common sense, but also […]

The post CSS-only: Load images on demand appeared first on Pavel Podlipensky.

Another scriptless clickjacking vector

podlipensky — Mon, 01 Apr 2013 14:15:49 +0000

Recently, one of my colleagues showed to me that Google do the following trick on their search results page. If you search for something, initially search results contains html with anchors we’d expect: <a class="l" onmousedown="return rwt(this,'','','','1','AFQjCNGGfyJjOyiWYPB3FW-h7Pt6A5uwlA','4k2v33QNU7tijpC6ZLriyQ','0CDIQFjAA','','',event)" href="http://en.wikipedia.org/wiki/Cross-site_scripting"><em>Cross-site scripting</em> - Wikipedia, the free encyclopedia</a> But have you noted onmousedown event handler? Let’s see what it […]

The post Another scriptless clickjacking vector appeared first on Pavel Podlipensky.

Unbound methods in JavaScript

podlipensky — Mon, 27 Aug 2012 21:51:41 +0000

In my previous blog post I described technique how to avoid context object exposure in Observer pattern. publish: function (publication) { for (var i = 0, len = subscribers.length; i < len; i++) { subscribers[i].call(undefined, publication); //hide context by specifying undefined as new execution context } } But foo.call(undefined, ...) may lead to assumption that context […]

The post Unbound methods in JavaScript appeared first on Pavel Podlipensky.

Third-party JavaScript API security

podlipensky — Mon, 13 Aug 2012 14:03:16 +0000

Third-party JavaScript is a pattern of JavaScript programming that enables the creation of highly distributable web applications. Many websites (publishers) embed untrusted JavaScript code into their pages in order to provide advertisements, social integration, user’s analytics and so on. Since JavaScript may change look and feel of the contained page, steal cookies or force user […]

The post Third-party JavaScript API security appeared first on Pavel Podlipensky.

Cursor spoofing and cursorjacking

podlipensky — Mon, 06 Aug 2012 14:03:59 +0000

Today I’d like to continue clickjacking topic and review another kind of attack named – cursorjacking. It was introduced last year by Eddy Bordi. Attack compromising pointer integrity – the guarantee that users can rely on cursor feedback to select locations for their input events. One of the advantages of such attack vector is that […]

The post Cursor spoofing and cursorjacking appeared first on Pavel Podlipensky.

Infinite loop as a way for DoS attack

podlipensky — Mon, 30 Jul 2012 03:48:30 +0000

An infinite loop is a sequence of instructions in a computer program which loops endlessly, either due to the loop having no terminating condition, having one that can never be met, or one that causes the loop to start over. For example, while(true){ //do nothing here } or for(;;); There are a few situations when […]

The post Infinite loop as a way for DoS attack appeared first on Pavel Podlipensky.

Clickjacking explained

podlipensky — Mon, 23 Jul 2012 15:03:02 +0000

Clickjacking attacks are an emerging threat on the web. Let’s consider first type of such attacks which compromising target display integrity – the guarantee that users can fully see and recognize the target element before an input action. First, let me explain clickjacking basics. Let’s say you added “Follow” button from Twitter. <a href="https://twitter.com/podlipensky" class="twitter-follow-button" […]

The post Clickjacking explained appeared first on Pavel Podlipensky.