Zach Alexander

5 Easy Ways to Improve Web Accessibility

Zach Alexander — Mon, 04 May 2020 17:40:03 GMT

These days it's hard to conceive of life without the internet. We have come a long way since the early days of the internet as a hobbyist's retreat full of text bulletin boards and personal "web logs". People now rely on the internet to pay bills, shop for necessities and even earn an income. The world is at your fingertips... if you can use a mouse... and see the screen... and hear the audio.

For many many people this is not as simple as it sounds. One in four adults in the United States has a disability. This means that a huge number of Americans are limited in the way they can interact with a computer, and might use it differently than your average user.

The good news is that humans are clever and adaptible and we have created all kinds of fantastic assistive technology tools like screen readers, pointing implements and voice control that help make the digital world accessible to everyone. And they usually work great out of the box as long as the websites they visit follow a few simple best practices.

You don't have to be a screen reader master or have a team of professional accessibility testers to improve the accessibility of your website. Here are five easy steps you can take to make your website accessible without needing to be an accessibility expert:

1. Add alt text to your images

What happens when a non-sighted user encounters an image on a website?

If the content is a news article, the image might be a picture illustrating the scene. If its a how to listicle, it might be a diagram illustrating a particularly complicated step.

Screen readers aren't smart enough to be able to describe a picture on their own, so they rely on the information that the webpage gives them about that image. For example, if our webpage is displaying an article about penguins and we want to show an image of the penguin we're talking about, but we only include the bare image tag on the page, such as

all the screen reader user will hear is:

"image. eight four seven two two seven dot jpg."

This means the screen reader user is missing out on some of the information the page has to offer.

The good news is this issue is extremely easy to correct. Introducing the humble alt tag!

With the simple addition of this tag, the screen reader will switch from reading out the meaningless image file name, to reading:

"image. A penguin standing on a beach."

With this one line addition, screen reader users now have all the same information that visual readers do.

Adding alt tags to your images helps sighted users too! We've all had the experience of being in a place with such bad cell service that the images on the webpage we're trying to load time out. Alt text to the rescue! Most browsers will display alt text if they're unable to load the image, so users with bad cell signal can still get all the information the page has to offer, even if they're not able to download the images.

This kind of outcome - a design that's intended to help disabled users helps non-disabled users as well - is known as the "curb cut effect".

A curb cut is a depression in the sidewalk curb that leads down to the street. Curb cuts were designed to make public streets accessible to wheelchair users, but today everyone benefits. Curb cuts are useful to moms with strollers, delivery drivers, people with temporary injuries and anyone who has ever walked down the street with their eyes locked on their phone.

Many web accessibility fixes are curb cuts for regular users. We'll see many more examples in this article.

2. Fix your low contrast fonts

In the early and mid 2010's, lots of websites underwent redesigns to make them more aesthetically beautiful and "web 2.0":

Light font weights and delicate low-contrast accent colors were all the rage. The instinct was understandable - the web was shifting from a smaller, technical minded audience to a more general audience who businesses who businesses knew they could draw in with more attractive experiences.

Aesthetics are important but they aren't the ultimate goal of design. The most beautiful website is useless if the user can't read and interpret its content. And often poor readability doesn't get noticed during the design process. We developers and designers don't read the text the same way a visitor might.

Humans have done a lot of scientific research on what makes text on a background readable vs. not readable, and the W3C has actually published a document called Web Content Accessibility Guidelines (WCAG) 2.1 that covers successful contrast guidelines. They boil readable text down into a single mathematical formula: the contrast ratio.

The contrast ratio explains the difference between the lightest color brightness and the darkest color brightness in a given range. It’s the relative luminance of each color. This article is meant to be purely practical, so I'm not going to go into the details of the math here, but you can read this great CSS Tricks article for more information.

What we care about here is that the minimum acceptable ratio for readablility is 4.5:1 for most body text and 3:1 for larger text.

If your eyes just glazed over, don't worry. There are automated tools that can do this for you. The simplest way to look up the ratio between two colors is with the WebAIM contrast checker: https://webaim.org/resources/contrastchecker/

For the working web developer, I suggest the WCAG Contrast Checker extension for Chrome and Firefox.

It will automatically analyze your entire webpage for contrast problems and suggest fixes.

Just like alt text, better contrast is a curb cut. More readable color schemes mean less strain on the eyes, and more readable websites for users who might be trying to read your website on their phone while they're outside in bright sunlight.

3. Make clickable elements keyboard-friendly

Are the only interactive elements on your website ,

Things the user clicks to make something on the page are buttons, so call them buttons in your HTML.

Replace

Click here to go

with

Click here to go

Things the user clicks to navigate from the current page to another page are links, so call them links in your HTML.

"BUT ZACH!" you say, "I'm maintaing a legacy widget that renders a grid of clickable images and if I change them to buttons the 10,000 lines of spaghetti CSS I inherited break the whole page due to a browser bug!"

Ok. I get it. I'm also a working web developer. You should always try to use semantic HTML tags wherever possible, but if you can't for whatever reason, at least put tabindex on interactive elements so keyboard users can get to them.

4. Add accessibility audit tools to your build

No one can be an expert in everything. While I always encourage web developers to understand accessibility basic, I also understand that there's an infinite amount of interesting things to learn about computers, and its unrealistic to expect everyone to be an expert in every topic.

But, as with everything else in computing, you don't have to be an expert to benefit from the learnings of other programmers and computer scientists. You can approach it in the most programmer way possible: automate it!

There are a huge variety of excellent accessibility testing tools out there, and its almost guaranteed you can find one to fit your workflow.

I suggest that every software project have two levels of automated accessibility testing: a static code analyzer and an end-to-end system tester.

Static Code Analysis

Are you working with a modern JavaScript framework and using ESLint? Great, you're one npm install away from automated a11y code auditing. There are ESLint accessibility audit plugins for JSX and Vue.

There's a ton of great accessibility linting tools out there, here's a few I found in a 5 minute search:

Look around and be creative. If you don't see one for your specific use case, consider writing a plugin for your linter and putting it out there!

End to End System Tester

Only so many issues can be caught by statically reading code, so its also important to have a tool that loads your website in a browser and audits the actual page for issues.

I strongly suggest Axe. Its a fantastic accessibility testing toolkit that is already built into a lot of existing integration test solutions.

There's a Cypress integration, a Lighthouse integration, a Ghostjs integration and even a Py Selenium integration. Here's the full list of integrations, I can pretty much guarantee that at least one of these will work for your use case.

I use the Cypress integration and love it.

It gives you a clear printout of what went wrong, with a rule name ("heading-order in the screenshot) that's easily searchible, so you can look up what the fix is without being an accessibility expert.

5. Learn the basics of assistive technologies and empathize with your users

“The more you watch users carefully and listen to them articulate their intentions, motivations, and thought processes, the more you realize that their individual reactions to Web pages are based on so many variables that attempts to describe users in terms of one-dimensional likes and dislikes are futile and counter-productive. Good design, on the other hand, takes this complexity into account.”

― Steve Krug, Don't Make Me Think: A Common Sense Approach to Web Usability

We're all in this industry because we love using the web so much we wanted to be a part of shaping the experience. Apply that enthusiasm on behalf of your users. Ask them questions and listen to what they say. Seek diverse perspectives. Try interacting with your sites the way they do.

I have spent the past year gaining fluency in Apple's VoiceOver and it has been an exciting and humbling experience. I'm now able to articulate accessibility pain points in design discussions because I myself have felt those pain points. I know what frustrates screen reader users the most beacuse I've felt those very frustrations.

The internet is also full of passionate assistive technology users sharing their experiences with technology. Listen and reach out!

Here's one of the talks that got me excited about accessibility in the beginning. Hopefully it inspires you as well.

5 Steps to Clean Code

Zach Alexander — Wed, 20 Dec 2017 19:47:30 GMT

As a beginner developer working on pet projects at home, it's easy to argue that once code goes through the compiler, it's all the same. Right?

The flaw in this argument is that it assumes that all software developers do is write new code. The reality is that we actually spend much more time reading and modifying existing code than writing new code.

For this reason, code cleanliness and readability are paramount to project success. More important than your framework choice, test coverage percentage or project management solution, is the cleanliness and readability of your code.

The seminal MIT textbook Structure and Interpretation of Computer Programs sums it up perfectly:

Programs must be written for people to read, and only incidentally for machines to execute

Clean code matters to project success because starting a project quickly is rarely the problem; it's finishing quickly that's hard. As the cyclomatic complexity of your app increases, it becomes more and more difficult to add new features and diagnose bugs. It also becomes harder for programmers who are not specialists to make meaningful contributions to your project. Bad code compounds these issues. If you can't read the code, how can you understand what it's doing?

For this reason, the most important book I have ever read as a programmer is Clean Code by Robert C. Martin. Everyone who writes code should read this book.

I could write a second book just pointing out all the great parts of the first book. But for now, I'd like to reflect on my favorite five quotes from the first five chapters. I hope these quotes will inspire you to push yourself and your team towards better, more maintainable code.

Chapter 1 - Clean Code

"You know you are working on clean code when each routine you read turns out to be pretty much what you expected."

– Ward Cunningham (inventor of Wiki)

If I had to pick a favorite quote from the book, this would be it. Clean code does what you'd expect it to do. In many ways, every other sentence in the book is just an attempt to clarify this concept.

But how can you know what the reader expects your code to do? Grab a friend and do a code review.

Take note of what makes sense to them right away, and what makes them say "WTF". If you get a lot of "WTFs", your code is not clean. Let's look at some more quotes from the book to identify common causes of "WTF".

Chapter 2 - Naming

"Programmers must avoid leaving false clues that obscure the meaning of code... Do not refer to a grouping of accounts as an accountList unless it's actually a List. The word means something specific to programmers. If a container holding the accounts is not actually a List, it may lead to false conclusions. So accountGroup or bunchOfAccounts or just plain accounts would be better."

Most programmers know to stay away from poor variable names like one or two character names (e.g. a1) or undescriptive placeholders (e.g. mystring). But an overly descriptive name can be just as bad or worse. If you call a variable thingHashMap and a year later your team decides to model "things" as a tree map instead, all of a sudden the variable name isn't just useless, its actually harmful.

Choose names that describe what the content does, not what it is.

Chapter 3 - Functions

"Functions should do one thing. They should do it well. They should do it only."

Take a look at this example Spring MVC controller method:

@RequestMapping(value = {"/"})
public ModelAndView execute() {  
  ModelAndView mav = new ModelAndView();
  URL url = new URL("http://example.com");
  HttpURLConnection con = (HttpURLConnection) 
  url.openConnection();
  con.setRequestMethod("GET");
  con.setRequestProperty("Content-Type", "application/json");
  BufferedReader in = new BufferedReader(
  new InputStreamReader(con.getInputStream()));
  String inputLine;
  StringBuffer content = new StringBuffer();
  while ((inputLine = in.readLine()) != null) {
    content.append(inputLine);
  }
  con.disconnect()
  mav.add("content", content);
  return mav;

If you take 20 or so seconds, you can parse through this code block to understand the basic control flow:

Instantiate a ModelAndView object
Get content from example.com and put it into the ModelAndView object
Return the ModelAndView object

But when reading the code, there are all kinds of other details that distract from that main purpose, e.g.

Modeling the URL as a Java object
Casting the connection to the right type
Setting request method and headers
Setting up a BufferedReader to parse the response

etc etc.

A reader can understand the control flow once they figure out which lines are details and which lines are important, but that takes unnecessary effort, and someone who isn't well versed in Java might get bogged down trying to understand what's happening here.

Now consider this refactored version, which accomplishes the same thing:

@RequestMapping(value = {"/"})
public ModelAndView execute() {  
  ModelAndView mav = new ModelAndView();
  mav.add("content", getExampleContent());
  return mav;
}

Even though this refactored version looks radically different, it still accomplishes the same control flow:

Instantiate a ModelAndView object
Get content from example.com and put it into the ModelAndView object
Return the ModelAndView object

The difference is that it only explicitly describes the important parts. The name of the method getExampleContent() tells the reader what is happening without bogging them down with the details. If they need to know how it works under the hood, they can jump to that method definition.

A well written main method should read like a story. Just like each of the methods it executes, it should do one thing, do it well, and do it only: execute the right methods in the right order.

Chapter 4 - Comments

"When you find yourself in a position where you need to write a comment, think it through and see whether there isn't some way to turn the tables and express yourself in code."

Comments seem like a great way to make code more readable, but they can be dangerous as well. Why is this? Uncle Bob explains it best:

Because they lie. Not always, and not intentionally, but too often. The older a comment is, and the farther away it is from the code it describes, the more likely it is to be just plain wrong. The reason is simple. Programmers can't realistically maintain them."

My rule of thumb is as follows:

A comment is helpful if it describes what the code is used for. A comment is harmful if it describes how the code works.

Do write comments that describe what your class represents, what problems it solves, etc. Do not write comments explaining the control flow of your code. Comments that explain "how" your code works are an indication that your code isn't clean.

If you need to explain why you've defined a variable or what a for loop is doing, write a named function instead. Document your code with your code.

Chapter 5 - Formatting

"Code formatting is important. It is too important to ignore and it is too important to treat religiously. Code formatting is about communication, and communication is the professional developer's first order of business."

When different blocks of code in the same project look different, it causes the reader to wonder whether the differences are functional or stylistic. This is bad, because it increases cognitive overhead.

Imagine a legacy Javascript project with single quotes in one file and double quotes in another. When reading through that project for the first time, it’s natural to wonder whether the double quotes are there for a reason, or if one programmer just preferred them.

Your reader should never have to ask this question, because it unnecessarily increases the overhead required to understand the project. If you're constantly forced to manually separate style differences from functionality in your brain, you're wasting energy on making a distinction that should have been made by the author.

As an author, don't make your reader work any harder than they already have to. It doesn't really matter what your style rules are - just pick some and be consistent. The best way to do so is by codifying them into linter rules and enforcing them at build time.

I hope these tips have inspired you to push yourself and your team towards better, more maintainable code. If you haven't yet read Clean Code by Robert C. Martin, you should pick up the book as soon as possible. It made me a better programmer, and it can make you a better programmer too.

Switching to ZSH

Zach Alexander — Sun, 16 Apr 2017 00:39:00 GMT

Jeff Atwood once famously proclaimed "we are typists first, programmers second". While I think software development is a little more complicated than that, this quote brings up an important point: efficiency in software development hinges on the tooling we choose.

For the longest time I used Bash as my UNIX shell. It got the job done. I would occasionally feel frustrated by a repetitive command or a missing feature, but there was usually an alias or script I could apply like a bandaid to minimize the pain enough to keep going. I even switched to iTerm several years back to improve my terminal emulator GUI. I worked with Bash for long enough that I managed to amass a pretty fancy .bash_profile config. If you're curious about my config, you can check it out for yourself.

But I'm not here to help you optimize Bash. I'm here to tell you there's a better way.

Why ZSH is better than Bash

After a few years working in the software industry, I kept noticing that the shells of senior programmers often looked much different than mine did.

Whereas my shell looked something like this:

Theirs tended to look more like this:

I had heard talk of alternative shells like ZSH before, but I always assumed that the difference was purely aesthetic. It wasn't until I started working for a company whose cloud machines all came pre-configured with ZSH that I realized what I was missing.

ZSH provides a huge number of improvements over other shells and I could write an entire post just comparing and contrasting the benefits and drawbacks. Instead, I'll provide you with this excellent slide deck about the benefits of ZSH over Bash:

Getting Started on Mac OS X

First let's cover the basics of getting ZSH set up on your Mac. The good news is that you probably already have ZSH on your system.

1. Install ZSH

Let's get started by running which zsh in whatever shell you're currently using. If you have the executable on your system, which should output /bin/zsh or something similar.

If which instead outputs zsh not found, you can install zsh easily with Homebrew. Just run brew install zsh.

I also strongly recommend using iTerm2 as your terminal emulator app on Mac OS X. You can download it here.

2. Set ZSH as your default shell

The actual process for changing your default shell from Bash to ZSH is extremely easy. Just run chsh -s /bin/zsh.

Note that you'll need to supply the correct path your ZSH binary which you can get with the which zsh command we used earlier. Click here for more information on the chsh command.

That's it! Close and reopen your terminal. You're now using ZSH!

3. Install a ZSH configuration manager

In the old days, configuring ZSH manually took a lot of time and effort. Thankfully, ZSH has a large and devoted user community which has produced a few tools to help with writing and sharing ZSH configurations.

The two big players are Oh My ZSH and Prezto.

tl;dr Oh My ZSH has a larger community, but Prezto performs better with a large number of modules installed.

I use Oh My ZSH since it has a wider variety of themes and plugins. Its also the most "standard" of all options, which means a larger community and better support. If you hit a wall early with Oh My ZSH, feel free to try out alternatives.

Installing Oh My ZSH is pretty easy. You can find CURL and WGET instructions here.

Run the command of your choice and that's it. One and done.

4. Choose a theme

Setting a custom theme with Oh My ZSH is simple. Oh My ZSH comes bundled with a bunch of themes by default. You can find a list with screenshots on their wiki. If you want to see the files on your local filesystem, they live in ~/.oh-my-zsh/themes.

Once you've picked a theme, open the file ~/.zshrc in the text editor of your choice. Towards the top of the file you should see a value ZSH_THEME. Change the value of the string to the name of the theme, save the file, and then run source ~/.zshrc to pick up the changes.

Check out the Oh My ZSH README for info on how to install custom themes.

5. Add plugins

Oh My ZSH's best feature is its ability to manage custom ZSH plugins. Setting up a list of custom plugins works just like changing themes. Open ~/.zshrc in a text editor and look for a line that looks something like plugins=(git). Check out the comment two lines up for an example of how to add to this list.

Just like with themes, you can browse bundled plugins in a list on the Oh My ZSH wiki, or you can browse the files locally at ~/.oh-my-zsh/plugins. Custom plugins can also be installed. Check out the Oh My ZSH README for more info.

I'm a relative newbie which makes me a bad resource, but here's a list of the plugins I'm currently using:

6. Customize your experience

Now that you've got ZSH and Oh My ZSH set up, the possibilities for customization are nearly endless. You can add custom themes and plugins, write your own custom aliases or configure advanced auto-completion for the tools you use most commonly. A couple good places to get started are zsh-lovers, the ZSH man page and the Oh My ZSH community page.

As a VIM lover, one addition I personally made was to add a command mode to my shell so that I could use VIM keybindings to navigate around the text of my commands. You can do this with bindkey -v.

Bonus shot of my terminal (PII grayed out):

Migrating from Mocha to AVA

Zach Alexander — Sat, 15 Oct 2016 21:45:42 GMT

Ever since I ditched jQuery soup and started writing proper JavaScript applications, I've written unit tests for my frontend code. And for as long as I've written JavaScript unit tests, I've used Mocha. Mocha has been the de facto test runner in the JavaScript community for a while now. If it gets the job done and everyone uses it, then I should use it too. Right?

This has been my philosophy for the past few years, and Mocha has been more or less fine. Recently, however, I've heard a lot of buzz about a new test runner called AVA. Wanting to see what all the fuss was about, I migrated one of my project's test suites from Mocha to AVA. Since then I haven't been able to go back.

What's wrong with Mocha anyway?

It wasn't until after migrating to AVA that I realized how much Mocha was holding me back. Mocha seems like a good enough tool until you realize its shortcomings:

Globals

Mocha implicitly depends on global variables like describe and it. Some assertion libraries even extend built-in prototypes! Implicit dependencies like this are confusing to new developers and make it a pain to properly lint your code without writing a bunch of exceptions.

AVA's dependencies are all explicit. Instead of writing:

describe('My Thing', () => {  
  it('should do a thing', () => {
    expect(true).toBeTrue();
  });
});

and praying that describe and it will be defined, instead you can explicitly declare your dependency to AVA at the top of your file and be sure it'll work:

import test from 'ava';

test('foo', t => {  
    t.true(true);
});

Aahhh. That's better.

Shared State

Most testing frameworks, Mocha included, provide beforeEach and afterEach hooks in addition to serial test running. The combination of serial tests and before/after hooks can sometimes encourage developers to share state between unit tests. This is a huge no no, because unit tests are supposed to be completely independent of one another. Shared state can cause tests to behave in unexpected ways.

AVA runs tests each test as a separate Node.js process. This means that you can change the global state of one test file without affecting another. AVA does allow you to run tests in serial if you have a good use case, but it can't be done by default. No more stateful gotchas.

Serial Test Running

Running things one after another is easy to understand for people who come from synchronous programming backgrounds. But JavaScript is async! There's no reason to force tests to wait for one another when JavaScript can run them concurrently. Mocha is slower than it needs to be.

AVA corrects this problem by running each test as a separate Node.js process. This means faster tests that take advantage of multi-core CPUs. The AVA devs provide a case study where switching from Mocha brought the testing time of a project from 31 seconds to 11 seconds.

Migration FAQ

How do I handle async code?

AVA is asynchronous by default. No more monkeying around with done().

import test from 'ava';

test('async test', t => {  
  return Promise.resolve(1)
    .then(result => {
      t.is(result, 1);
    });
});

It just works.

How do I setup mocking?

AVA doesn't have any built in mocking features, but mocking is trival to set up with Sinon.js. You can do all the same Sinon mocking with AVA that you can do with Mocha.

import test from 'ava';  
import sinon from 'sinon';

const myFunction = sinon.spy();

test('my function ran', t => {  
  myFunction();
  t.true(myFunction.called);
});

How do I report code coverage?

AVA unfortunately does not support vanilla istanbul due to the way it uses subprocesses. Thankfully you can just use NYC instead, which is a CLI wrapper for Istanbul with support for subprocesses. NYC is extremely easy to set up: just run npm i nyc --save-dev in your project and preface your test command with the nyc command.

{
  "script": {
    "test": "nyc ava"
  }
}

That's it. You'll get code coverage printed every time you run npm test, and NYC will also save the printout in a directory in your project's root.

How do I configure AVA to write tests in ES2015?

Its really easy. Just follow the steps in the README on how to hook up Babel and you're done.

Hopefully this convinces you to at least give AVA a try! Now that I've migrated my JavaScript projects to AVA, I can't see why I would choose Mocha again.

Your Referer Is Showing

Zach Alexander — Fri, 08 Jul 2016 19:54:31 GMT

Did you know that every time you click through to a new webpage, you're voluntarily telling that new webpage where you came from?

This isn't a trick by the NSA, its just the way the web works. As most people know, whenever you click a hyperlink, the browser sends a request to the resource on the other end of the link. What most people don't realize is that by default the request contains the referrer field, which indicates the page where the user clicked the link.

Visible referer headers can lead to all kinds of privacy problems. The information contained in a referrer can be abused to track website visitors across the internet, especially when combined with cookies and other tracking techniques. Search engines in particular are especially bad when it comes to giving away information through referer headers since they often include the search terms used to find a web page:

Remember kids, when you embed other people’s stuff in your page, they see the referer header.
— Nick Craver (@Nick_Craver) April 30, 2015

Oookay so http://t.co/Cp0u2ghdIf sends your personal info to third-party sites via the Referer header... https://t.co/ixy1nZjB2v
— Chris (@leftside) January 22, 2015

In addition to privacy concerns, leaky referer headers can also lead to all kinds of nasty security exploits:

"Referer Header Based Blind SQL Injection Explained With Example"
Haider Mahmood.https://t.co/pICnVm0TZr
— KS7000 (@ks7000) March 25, 2016

WP Slimstat = 4.1.5.2 - Referer Header Cross-Site Scripting (XSS) #wordpress #websecurity http://t.co/1B1I6aMiAB
— eXploit.By (@exploitby) July 26, 2015

As a side note, before you flip out about my misspelling of the word "referer", be aware that I'm not spelling it wrong by accident - this is how browser implementations spell it:

4 hours of debugging later: The HTTP spec INTENTIONALLY misspells the "referer" header with 3 R's instead of 4. https://t.co/qT1M27yXOb
— Chris Johnson (@CJcodes) April 30, 2016

Now that we've got linguistics out of the way, let's talk about how to solve this problem.

Disabling Referer Headers in Firefox

Firefox provides the easiest method for disabling referer headers:

Type about:config in the URL bar and hit enter. You may need to click through the "I'll be careful, I promise!" warning if you haven't visited this config page before.
In the search bar, type network.http.sendRefererHeader
Double click on the preference's "Value" text box when it appears and set the value to either 0, 1 or 2.

The value you enter determines how Firefox will handle your Referer Headers in the future:

Value 0 - completely disables the Referer Header. This provides the most privacy, but may break some websites (more on this later)
Value 1 - Sends a Referer Header when clicking on a link, but not when loading images on a page. This will prevent
Value 2 - Default setting which sends all Referer Headers

Disabling Referer Headers in Chrome

Chrome unfortunately doesn't provide the same easy configuration as Firefox, but that's not to say that disabling referer headers on Chrome can't be done.

The easiest way to disable referer headers in Chrome is to head over to the Chrome Store and grab the Referer Control browser extension.

If you don't want to bloat your browser with additional extensions, you can also launch the Chrome app with the --no-referrers flag. If you're on Windows, you can do this by editing the Browser's shortcut icon execution path, e.g. "C:\Users\Username\AppData\Local\Google\Chrome\Application\chrome.exe" --no-referrers.

Other Browsers

I was unable to find information on how to block referer headers in Opera, Safari and Internet Explorer. As such, I feel that it is not sensible for a privacy-conscious user to perform personal browsing via any of these web browsers.

If anyone has information on how to disable referer headers on any browsers aside from Mozilla Firefox and Google Chrome I'd be very interested to know about it. Drop me a line on Twitter at @zpalexander.

Side Effects

Disabling sending of header referers can break some sites. Some web developers use header referers to prevent Cross Site Request Forgery:

If you want to disable the Referer header, do it in a way that still sends it within the domain. Otherwise you break many CSRF protections.
— Paul McMillan (@PaulM) June 4, 2015

In my opinion, those developers are wrong to rely on an easy to forge header in such a way that potentionally breaks accessibility. Nevertheless, its important to remember that disabling your browser's referer headers can cause problems such as these.

In conclusion, remember that referer headers are only passed on when you click through a link. Cutting and pasting a web address into a browser’s URL bar, or typing it out manually, will also prevent any referer headers being sent to the visited website. For more information, check out this comprehensive article on the subject.

Unit Testing In Java Play

Zach Alexander — Wed, 06 Apr 2016 02:59:00 GMT

The Java Play framework is a Java development framework built on top of Akka that makes it easy to write scalable web services in either Java or Scala. It is fully RESTful and comes with a number of great features such as hot reloading, type safety and in-browser errors. If you are a Java developer who hasn’t yet tried Play, you are missing out on one of the best web frameworks ever developed for the language.

The advent of Play Version 2.4 brought with it some significant architectural changes. Most notably, version 2.4 introduced dependency injection via Guice as the new default architecture for managing dependencies between Play classes. Dependency injection is great in that it allows developers to write less tightly-coupled code. From Wikipedia:

This means the client code does not need to know about the injecting code. The client does not need to know how to construct the services. The client does not need to know which actual services it is using. The client only needs to know about the intrinsic interfaces of the services because these define how the client may use the services. This separates the responsibilities of use and construction.

Play depends on Google’s Guice library for resolving dependency injection. If you want one class of your Play code to depend on another, you simply annotate the classes constructor, pass the dependency you want to inject in as an argument, and Guice takes care of the rest. For example:

public class DataSaver {

    private ApiClient apiClient;

    @Inject
    public DataSaver(ApiClient apiClient) {
        this.apiClient = apiClient;
    }

    public int getAndSaveData() { 
        ArrayList data = apiClient.getData();
        // Do data saving operation here 
        int itemsSaved = saveData(data); 
        return itemsSaved;
    } 
}

In this example, the ApiClient is passed as a parameter to the DataSaver class, which means that we can pass in anything to serve as the ApiClient instance. No more tightly coupled dependencies! Let’s see an example of how this makes unit testing easier. We’re using JUnit for test assertions and Mockito for mocks / stubs:

public class DataSaverTest {  
    @Mock
    private ApiClient mockApiClient;

    private DataSaver dataSaver;

    /**
     * The setup block creates a mock instance of ApiClient
     * that we subsequently inject into DataSaver
     */
    @Before
    public void setup() {
        // Mock the ApiClient so that we're
        // not actually querying the API
        mockApiClient = mock(ApiClient.class);

        // Make up some fake data
        ArrayList fakeData = new ArrayList<>();
        fakeData.add("point 1");
        fakeData.add("point 2");

        // Use Mockito to stub out method responses
        when(mockApiClient.getData()).thenReturn(fakeData);

        // Set up test module that injects mocks 
        // instead of actual classes
        dataSaver = new DataSaver(mockApiClient);
    }

    /**
     * Once the mock version of ApiClient has been injected,
     * we can call the .getAndSaveData() method without having
     * to worry about our unit test interacting with the actual API
     */
    @Test
    public void canSaveData() {
        int expectedResult = 2;
        int actualResult = dataSaver.getAndSaveData();
        assertEquals(actualResult, expectedResult);
    }
}

Using dependency injection makes mocking out the ApiClient instance so easy. No more fighting with integration tests just to make your dependencies work. Simply create the mock instance of the class as on line 15, mock whatever method results you need to and feed in the mock as on line 27. Writing tests has never been easier. Now get out there and test your code!

Debugging "Unknown Provider" In Minified Angular.js

Zach Alexander — Thu, 28 Jan 2016 04:09:00 GMT

For the past few months I’ve been working on an AngularJS app that makes use of Angular Material as a Bootstrap-like front-end library. I recently had to solve one of the hardest bugs I’ve ever faced in Angular, and I’d like to share my debugging technique with anyone who might encounter the same problem down the road. While the bug was related to the use of Angular Material in my case, it could occur in vanilla Angular as well, so don’t stop reading just yet!

The Problem

Angular Material has an extremely useful directive called mdDialog. It allows developers to provide interactive modal dialog boxes to their users without all of the painful boilerplate usually associated with building your own from scratch.

Seems great, right? It honestly is, and my team and I have been using this directive throughout our app with no problems. That is, until QA discovered a bug in our staging environment that was keeping one of our dialog boxes from opening and throwing a cryptic error in the console:

Useless, right? While seasoned Angular developers will be able to catch what is happening here, most of them will also readily admit that this error is cryptic and unhelpful. Thankfully Angular has a feature that creates a custom docs page for you based on your error. You can see the URL for my custom error page on the first line. My page read:

I’m certain that anyone reading this who has put in their time with Angular is nodding their head right now. This is the dreaded Error: $injector:unpr Unknown Provider error.

For anyone who doesn’t know, this is a commonly seen Angular error that means Angular’s dependency injection can’t resolve one or more dependencies somewhere in your code. Explaining dependency injection is outside the scope of this post, but you can read more about it here if you don’t fully understand what I mean.

Dependency injection is great for writing explicit and testable code, but it runs into a hiccup during minification. The quirk is as follows. Suppose your app looks like this:

// Don't actually build apps like this, its just an example
// In real life follow this: https://github.com/johnpapa/angular-styleguide
angular.module('myModule', []); // Declare the module

angular.module('myModule')  
  .service('myService', function() {
    return {
      saySomething : function() { console.log('Something'); }
    }
  });

angular.module('myModule')  
  .controller('myController', function($scope, $http, myService) {
    //We included $scope, $http, and myService into the controller as dependencies
    myService.saySomething() //"Something"
  });

… then the minified version of myController will partially look like this:

var myController = function(a, b) {  
  //This will throw an error at runtime because 'a' is not a valid dependency
}

Angular developers know that the way to fix this is to tell Angular what your minified dependencies actually refer to like so:

myModule  
  .controller('myController', 
    ['$scope', '$http', 'myService',
    function($scope, $http, myService) {
    //We included $scope, $http, and myService into the controller as dependencies
    myService.saySomething() //"Something"
  }]);

So I had my problem laid out. Somewhere in this app a dependency injection was going wrong.

Debugging

I spent almost an hour scouring the code related to my mdDialog box looking for a dependency that I had mis-declared or forgotten about, but I couldn’t find anything of the sort. Defeated, I started to look at the rest of the stacktrace that Angular had provided in the error, but I quickly realized that I’d need to use an un-minified version of the Angular library if I wanted to get anywhere. I swapped out the script tag and checked the stacktrace once more:

Equally useless. Feeling hopeless, I decided to step into the Angular source to see if I could find anything useful there. I clicked the first line number given by the stacktrace which brought me to the function that Angular uses to actually create the custom docs URL that gets printed in the console. Interesting… I decided to set a breakpoint on it to see what I could grok from the arguments:

Now I had something. Looking through the call stack on the right side of the developer tools, I noticed that minErr() makes a call to a function called invoke(). Invoking an error creator message must require some information about what error is occurring, so I stepped into it:

What’s that? I recognized that the arguments being passed in looked a lot like my code. I did a project wide Find for the snippet in Sublime Text and lo and behold: I had found bug.

While what’s causing the DI problem might not be immediately clear, I knew right away. I had declared this code within a controller. As such, the $scope variables being referenced in the controller function that is passed into mdDialog on line 96 belong to the controller in which this is declared. Angular dependency injection does NOT allow developers to inject one controller into another, as per the docs:

Declaring a separate controller for the mdDialog solved the problem.

tl;dr if you get a weird unknown provider error only when you minify your code, set a breakpoint on the line that generates the error docs URL, step into its call to invoke(), and check its arguments to find what part of your code exactly is breaking.

I hope this helps you avoid painful hours of fruitless debugging. Happy hacking!

JavaScript Promises With Node.js

Zach Alexander — Mon, 21 Sep 2015 00:56:00 GMT

JavaScript is a non-blocking programming language, which means that one chunk of JS code will not necessarily wait for the lines above it to execute before beginning itself. In many cases this is a pretty awesome feature of the language. Imagine if your website was only able to run one window.onload call at a time. If your page needed to perform a number of calculations or data insertions in order to render correctly, things would take forever to load and users would see a bunch of unstyled content and blank boxes at the beginning of every page load. Yuck.

While non-blocking is a very desirable feature of JavaScript in the browser, the paradigm shifts when writing server code with Node.js. Servers often need to wait for a data response so that they can manipulate and serve that data correctly. This requirement most commonly arises during data read and write operations. In these cases, code executing out of order can cause serious problems with application logic.

The most commonly used solution to this problem in the JavaScript community has been callbacks. A callback is a piece of executable code that is passed as an argument to other code, which is expected to call back (execute) the argument at some convenient time. Here’s an example of a callback that almost all Node.js developers have seen:

mongodb.connect('mongodb://localhost:27017/mydb', function(err, db) {  
    if (err) {
        throw err;
    } else {
        console.log('Successfully connected to the database');
    }
    var contentCollection = db.collection('content');
    contentCollection.find({}).toArray(function(err, result) {
        if (err) {
            throw err;
        } else {
            res.status(200).json(result);
            db.close();
        }
    });        
});

In this example, we’re using the MongoDB native driver to connect to the database, grab all the data from a collection called “content” and return that data as JSON. Due to JavaScript’s non-blocking nature, however, we can’t make the .find({}) call until we’re sure we have connected successfully to the database, so we pass a callback into mongodb.connect();. Similarly, we cannot reliably return the data via res.json() until we are sure the .find({}) operation has completed successfully, so we pass a second callback into .find({}).toArray().

Why Do Callbacks Suck?

This doesn’t look so bad, but what happens if you need to pass a third, or fourth or fifth callback in order to manipulate the data further? A relatively simple algorithm can quickly turn into something Node.js developers term “callback hell”.

Code like this can be very hard to understand at first glance, and looks extremely unwieldy in a text editor. Callbacks are essentially an inelegant hack for getting around JavaScript’s non-blocking nature. There has to be a better way…

Enter JavaScript Promises

Promises are a better way to write asynchronous JavaScript. A promise is essentially an object that, when returned from a function, represents an operation that hasn’t completed yet but is expected to in the future. Because that definition didn’t make sense to me the first time I read it either, here’s an example of the above MongoDB code written using promises instead of callbacks:

mongoClient.connectAsync('mongodb://localhost:27017/mydb')  
    .then(function(db) {
        return db.collection('content').findAsync({})
    })
    .then(function(cursor) {
        return cursor.toArrayAsync();
    })
    .then(function(content) {
        res.status(200).json(content);
    })
    .catch(function(err) {
        throw err;
    });

Pretty cool, right? This code is cleaner-looking and way easier to understand than its callback-infested cousin. “But”, you may be asking, “where did you get connectAsync() from? When I run that with Node I just get an error!”

Using the Bluebird Promise Library with Node.js

Bluebird is a fully-featured promise library for JavaScript. The project’s NPM package means that integration with a Node.js app is fairly simple. Bluebird’s strongest feature is that it allows you to “promisify” other Node modules in order to use them asynchronously. After running npm install --save bluebird on your Node project, you can use the following code to “promisify” the MongoDB module and use it asynchronously:

/* Dependencies */
var Promise = require('bluebird');  
var mongoClient = Promise.promisifyAll(require('mongodb')).MongoClient;

mongoClient.connectAsync('mongodb://localhost:27017/mydb')  
    .then(function(db) {
        return db.collection('content').findAsync({})
    })
    .then(function(cursor) {
        return cursor.toArrayAsync();
    })
    .then(function(content) {
        res.status(200).json(content);
    })
    .catch(function(err) {
        throw err;
    });

Just use Bluebird’s .promisifyAll() method to create an async version of every method the module provides. It really is that easy.

Returning Promises From Other Functions

In the course of writing more sophisticated Node.js apps it sometimes becomes necessary to return a promise from your own function. Let’s extend our example above by hypothesizing that we want to be able to perform CRUD operations on the data that our DB call returns. In this particular instance, let’s implement a separate delete function that calls the code we wrote to get all content from the database, then looks through it for a specific value and deletes that value if it exists.

/* Dependencies */
var Promise = require('bluebird');  
var mongoClient = Promise.promisifyAll(require('mongodb')).MongoClient;

/* Functions */
var getAllContent = function() {  
    return mongoClient.connectAsync('mongodb://localhost:27017/mydb')
        .then(function(db) {
            return db.collection('content').findAsync({})
        })
        .then(function(cursor) {
           return cursor.toArrayAsync();
        })
        .then(function(content) {
            // This is how we return the data to the next .then() call
            return content;
        })
        .catch(function(err) {
           throw err;
        });
    });
};

var deleteItem = function(itemID) {  
    getAllContent()
        .then(function(content) {
            var itemExists = false;
            for (var i = 0; i < content.length; i++) {
                if (content[i].itemID === itemID) {
                    itemExists = true;
                    break;
                }
            }
            if (itemExists) {
                // Delete the item from the DB here
            }
        })
        .catch(function(err) {
            throw err;
        });
};

And there you have it. Your getAllContent() function returns a promise, which you can use in your deleteItem() function.

Creating Your Own Promises

You’ll almost never need to do this, but here’s how to wrap something in your own promise.

/* Dependencies */
var Promise = require('bluebird');  
var mongoClient = Promise.promisifyAll(require('mongodb')).MongoClient;  
var unpromisifiedLib = require('upl');

/* Functions */
var readFileAsync = function() {  
    return new Promise(function(resolve) {
        // Do some IO stuff which you'll almost defintely
        // be able to promisify without having to do this manually
        var contents = unpromisifiedLib.doSomething();
        resolve(contents);
    });
};

var consumeHomemadePromise = function(itemID) {  
    readFileAsync
        .then(function(contents) {
            console.log(contents);
        })
        .catch(function(err) {
            throw err;
        });
};

Keep in mind, you’ll be able to use the Bluebird library to promisify basically anything, so its usually unnecessary to do this.

Those are the basics of how to use Bluebird promises in Node.js. For more information, check out the Bluebird API.

Responsive Sprites With SASS And Compass

Zach Alexander — Mon, 13 Apr 2015 03:15:00 GMT

I came across an interesting problem over the weekend and I thought it might be a good idea to share my solution. I was working on a site using SASS plus Compass and I had a number of images that I needed to set up as sprites in order to increase page load performance.

Setting up sprites with Compass is normally very easy. You simply add your sprite .png files to a directory within your project’s assets directory and point your config.rb file there with the following line: images_dir = "assets".

For the purpose of this post, let’s say that your sprite assets have the following paths:

assets/icons/new.png
assets/icons/edit.png
assets/icons/save.png
assets/icons/delete.png

Once you’ve placed your icons and set your config.rb file correctly, you simply create a new SASS partial called _sprites.scss and add the following three lines:

@import "compass/utilities/sprites";
@import "icons/*.png";
@include all-icons-sprites;

This will give you the following classes, which you can then apply to your site’s markup:

.icons-sprite,
.icons-delete,
.icons-edit,
.icons-new,
.icons-save   { background: url('/images/icons-s34fe0604ab.png') no-repeat; }

.icons-delete { background-position: 0 0; }
.icons-edit   { background-position: 0 -32px; }
.icons-new    { background-position: 0 -64px; }
.icons-save   { background-position: 0 -96px; }

This is a great feature of Compass, but it falls short for responsive sites that need fluid-size sprites. On my project, I needed sprites that would resize to fill their fluid size containers. I did some digging, and ended up coming up with the following mix-in. Simply add this mixin to your _sprites.scss file and then use it within a selector for the container element. Here’s the mixin:

@mixin responsive-sprite($map, $icon) {
  $icon-file: sprite-file($map, $icon);
  $icon-width: image-width($icon-file);
  $icon-height: image-height($icon-file);

  $sprite-file: sprite-path($map);
  $sprite-map: sprite-url($map);

  $sprite-width: image-width($sprite-file);
  $sprite-height: image-height($sprite-file);

  $space-top: floor(nth(sprite-position($map, $icon), 2));
  @if $space-top == 0 {
    $space-top: 0px
  }

  width: percentage($sprite-width / $icon-width);
  display: block;
  height: 0;
  padding-bottom: percentage($icon-height / $icon-width);
  background: $sprite-map;
  background-size: 100%;
  background-position:0 percentage(-1 * $space-top / ( $sprite-height - $icon-height ) );
}

Once you have this in place, you can use it as such:

.my-sprite-wrapper-div {
  @include responsive-sprite($icons-sprites, save);
}

And voila, you now have responsive sprites which are auto-generated for you by Compass.

Beijing's Garage Cafe: An Ad-Hoc Startup Incubator

Zach Alexander — Sat, 07 Feb 2015 15:23:00 GMT

Peking University went on holiday last month in observance of Chinese New Year. As such, I knew I would be logging quite a few extra programming hours over the course of February. While I don’t mind working part-time from the comfort of my apartment’s bedroom, I actually kind of hate working from home full time. There are benefits of course: fewer interruptions, more comfortable and configurable workspace and no commute. Nevertheless, I start to go a little crazy when I spend over 16 hours a day in the same 10′ x 10′ space.

I started looking for coworking spaces in Beijing right away. Despite whatever misconceptions most Westerners might have about China’s backwardness, Beijing actually has a thriving tech sector who’s physical heart lies just south of Peking University campus in a neighborhood called Zhong Guan Cun (中关村). Quite a few tech giants call Zhong Guan Cun home, including SINA Corp, Microsoft China, Tencent, Youku, Tudou and Qunar.

What really makes Zhong Guan Cun interesting, however, is it’s thriving start-up scene. There are actually hundreds of start-ups that call Beijing home. The concentrated nature of both established and start-up tech companies has recently earned Zhong Guan Cun the title “China’s Silicon Valley”. The industry boom has lead to a massive influx of coworking spaces and incubators designed to produce the next Weibo or WeChat. Most of these spaces follow the traditional business model, requiring either invitation or a hefty monthly fee or both. Recently, however, a new class of coworking spaces has arrived in Zhong Guan Cun. These places may call themselves “cafes”, but they offer much more than just coffee.

Meet Beijing's Garage Cafe

Garage Cafe (车库咖啡馆）can be difficult to find as a non-local. Its nestled in an alley called “Innoway” near the northwest corner of Zhong Guan Cun. According to one of the area’s natives, this alleyway used to be one of the largest book-seller streets in all of Beijing. Its only appropriate, therefore, that as the knowledge economy transitioned from paper to digital media, this information hub made the transition from literati bazaar to start-up haven.

The cafe itself sits on the second floor of an otherwise innocuous looking building. I walked around in circles and had to ask a few people on the street before I finally figured it out. Upon entering the building, it can almost feel like you’ve walked into a private apartment building rather than into one of the most important spots in the Chinese start-up scene:

Nevertheless, once you head up the back stairs and through the door, you’re greeted by a massive space humming with energy and excitement.

The floor space of the cafe measures to 800 square meters, and has seating for about 150 people. The decor is sleek and industrial; minimalist black furniture, exposed fixtures and extension cords hanging down from the ceiling. Unlike most cafes, which seem to despise laptop users, Garage Cafe’s message is clear: grab a seat, plug in and get coding. Every table has a charging station with enough plugs for laptops, cell phones and even external monitors. The internet is also quite fast, which is a rarity at Chinese cafes. They even go so far as to provide monitors for people to plug into while they work.

Garage Cafe boasts a pretty solid library of programming books in both English and Chinese. No matter where you sit in the cafe, you can catch wisps of conversation about product optimization, unit testing, market share, etc. As a foreigner who speaks Chinese, I already had several job offers after just my first visit to the cafe. People go to Garage to network, brainstorm and build. There’s also a huge bulletin board of job listings that can be great to check out if you’re looking for a position in a Beijing start-up.

Keep in mind that Garage Cafe is much more “Chinese” than most cafes in Beijing. The staff most definitely does not speak English, and in the 20 or so times I have visited so far, I have only ever seen one other non-Han patron. Nevertheless, if you can speak Chinese and are looking for an awesome space to get some work done or network with like-minded programmers, Garage Cafe is a great option. The coffee isn’t half bad either, at least by Chinese standards.

In case you want to check it out for yourself, here is the address of Garage Cafe in English and Chinese:

Haidian District,
Zhongguancun, Haidian Qiao,
Dong Nan Haidian Tu Shu Cheng Bu Xing Jie

北京市海淀区中关村海淀桥东南海淀图书城步行街 (鑫鼎宾馆2层) – 车库咖啡

You can also find the cafe on Weibo here.

Binary Bomb Lab :: Phase 6

Zach Alexander — Sun, 11 Jan 2015 01:49:00 GMT

A note to the reader: For explanation on how to set up the lab environment see the "Introduction" section of the post.

If you're looking for a specific phase:

This phase is definitely the trickiest out of all of the other bomb lab phases. Prepare for data structures…

This phase is a doosey. Let’s go through everything step by step to figure out what we need to do.

First things first, our friend from Phase 2 is back again. So, our input should be six integers. That one is a gimmie.

Next, we’ve got some loops happening. Firstly, is making sure that each number in our password is less than six. Now we have two criteria for our password. It needs to be six integers separated by spaces, and each integer needs to be less than or equal to six.

The final constraint on our input occurs in the nested loops between and . We have a loop with iterators %ebx and %edi. Essentially what happens is that we compare each number with every other number, and we only jump on line if the comparisons are not equal. In other words, all six of our integers need to be distinct.

Let’s summarize what we know so far about our input for this phase:

six integers separated by spaces
each integer should be less than or equal to 6
no integer should be the same as any other integer

Now that we have a better idea of what our input should look like, let’s use the test string 1 2 3 4 5 6 and head on down towards the call at to see if we can find out more.

Here is the conditional statement by itself. First, the contents of %esi + 8 get moved into %edx. Subsequently, %esi itself gets moved into %eax. Then, %eax gets compared to %edx. If the value of %edx (which is %esi + 0x8) is less than the value at %eax (which is %esi) then the bomb explodes.

So, what are these values we’re comparing anyway? Let’s take a look:

When we take a look at the contents of %esi and %esi + 0x8, we get a couple of structures called and . Each node has three elements. The second element here obviously corresponds to the node number itself: 1 for , 2 for , etc. The third element of the node looks like a pointer. As we check out the contents of %esi + 0x8, and then ((%esi + 0x8) + 0x8), and so on, we see that these pointers are decreasing 0x8 at a time. Given that the first column of values seem to be arbitrary, this is starting to look like a common data structure: a (singly) linked list. Column one is the value of the node, column two is the node’s position in the list, and column threee is the pointer to the next node in the list.

So now we know, when we compare %edx and %eax at , what we’re actually doing is comparing the value of the current linked list node to the value of the next node in the list. If the next node’s value isn’t lower than the present node’s value, the bomb explodes. In other words, we need to put the nodes in order from largest value to smallest value. How do we do this? With our input.

Here’s a table of the values for reference:

And here they are in order from largest to smallest:

So there you go. That’s the answer right there.

Phase 6 complete! We did it!

Wrap Up

I hope you had fun working through the six levels of the bomb lab with me. I certainly enjoyed it. There’s nothing like quite like some crunchy reverse engineering goodness to get your brain in gear again. For the record, I do know there is a secret phase. While I solved it correctly for my class, I am not going to go through the steps here. If you reallllly need a tutorial, you can find one pretty easily with the search engine of your choice.

Thanks for reading, and I hope you found this tutorial helpful.

Binary Bomb Lab :: Phase 5

Zach Alexander — Sat, 10 Jan 2015 01:40:00 GMT

A note to the reader: For explanation on how to set up the lab environment see the "Introduction" section of the post.

If you're looking for a specific phase:

Ok, let’s get right to it and dig into the code:

So, what have we got here? First things first, we can see from the call to at and subsequent jump equal statement our string should be six characters long.

Next, as we scan through each operation, we see that a register is being incremented at , followed by a jump-less-than statement right afterwards that takes us back up to . Remember this structure from Phase 2? A loop is occurring. And, as you can see at structure, the loop iterates 6 times. Given that our string is 6 characters long, it makes sense to assume that the function is iterating over each character in the loop and presumably doing something to them.

Finally, we can see down at the bottom of the function that is being called after the contents of %eax and the fixed address 0x804980b have been pushed onto the stack. This looks just like phase 1. The code is comparing the string (presumably our input) stored in %eax to a fixed string stored at 0x804980b.

So, what do we know about phase 5 so far?

our input has to be a string of 6 characters
the function accepts this 6 character string and loops over each character in it
the result of the loop is compared to a fixed string, and if they’re equal, the bomb doesn’t explode

As a next step, let’s input the test string “abcdef” and take a look at what the loop does to it. Then, we can take a look at the fixed value we’re supposed to match and go from there:

Woah. “srveaw” is pretty far off from “abcdef”. On the bright side, at least now we know that our string should come out of the loop as “giants”. Given this info, it looks as though the loop is implementing a cypher. From here, we have two ways to solve this phase, a dumb way and a smart way. The dumb way is to simply input all characters from a-z into the cypher and create a mapping table. From this mapping table, we can figure out the un-cyphered version of “giants”. This works just fine, and I invite you to try it.

The smart way of solving this phase is by actually figuring out the cypher. Once we understand how it works, we can reverse engineer “giants” into its pre-cypher form without having to waste time doing trial and error.

I don’t want to go through either solution all the way here, since the first one is a no-brainer and the second one is a little complicated. In order to solve the cypher, take a look at %esi and you’ll find an array of characters stored there, where each character has an index. Essentially what is happening is, each character from our string is ANDed with 0xf, and the result is used to get the character with the corresponding index from the array. If you solve the phase this way, you’ll actually notice that there is more than one correct solution.

Either way, eventually you’ll find that the pre-cyphered version of “giants” is actually “opekmq”.

On to the last phase!

Binary Bomb Lab :: Phase 4

Zach Alexander — Fri, 09 Jan 2015 01:33:00 GMT

A note to the reader: For explanation on how to set up the lab environment see the "Introduction" section of the post.

If you're looking for a specific phase:

Phase 4

In my opinion, this is where things start to get tricky. In this phase, it is not enough to simply understand the assembly. Some pattern-recognition will be required. As usual, let's start by taking a look at the code for this phase's function to see if we can find a vector through which to understand what's happening. I'm going to do so by running gdb with a test string and using disas:

On line , the function is pushing a fixed value stored at memory address 0x8049808 onto the stack right before a call to scanf is made. As we have learned from the past phases, fixed values are almost always important. Lo and behold, when we dump the contents of the memory address we get “%d”, which tells us that the answer to this phase should be a single integer

The second important feature of this code occurs on line . Our input value, which is stored in %eax, is getting input into this other function called . Right now is a black box, so we will need to dig into it using si to figure out what it is doing to our integer

The last thing we need to consider is that, after gets called and returns our potentially altered input back to %eax, %eax then gets compared to the hex value 37, which in decimal is 55. This means that, whatever our input is to begin with, it needs to be turned into 55 by .

So, now that we know what is generally happening in , let’s dig into to figure out what we need to input in order to generate 55.

Ok, before we do anything else, let’s recognize that this function is calling itself, which makes it recursive. All recursive functions have a “base case”, which terminates the loop, and then a series of instructions to follow in order to continue the loop if the base case is not met.

Let’s first identify our base case. It should occur early in the function as a conditional check. In , our base case occurs at . The function compares its input to 1. If the input is less than or equal to 1, it jumps down to , where the return value is set to one. Finally, it returns this value.

Now that we understand that the base case occurs when input=1, let’s identify what happens when the base case is not met. The first thing to note is that the function calls itself twice, once at and once at . The first time it calls itself, it feeds the new function call its input-1. Similarly, the second time it calls itself, it feeds the new function call its input-2. Once the two recursivelly called functions return, it sums their return values at and returns the result.

Here’s what the corresponding C code would look like:

int test(int n) {  
  if (n<2)
    return n;
  else
    return test(n-1) + test(n-2);
}

Now comes the part where we have to do some abstracted, big-picture thinking. We’ve got recursion, we’ve got a pattern, and we’ve got a function where F(x) = F(x-1) + F(x-2). What famous pattern fits these three parameters? The Fibbonaci sequence!

We should note that does not exactly return the Fibonacci number of the input. returns 1 if the input is 1 or less. For example, if our input is x=2, will return 1 for both x-1 = 1 and x-2 = 0.

So, now that we know all this stuff, how do we solve the stage? Remember that, in order to avoid the bomb blowing itself up, whatever gets spit out has to equal hex 37, which is 55 in decimal. Keeping in mind that func4(0) = func(1) = 1, func4(2) = 2, we will actually need to input the Fibonacci number for 55 with 1 subtracted from it. I find that taking a look at a table of the sequence makes this a little less confusing:

As we can see in the table above, the Fibonacci number for 55 is 10. So given our logic, 10-1= 9, so 9 should be the solution for the fourth phase.

Rock and roll.

Binary Bomb Lab :: Phase 3

Zach Alexander — Wed, 07 Jan 2015 14:33:00 GMT

A note to the reader: For explanation on how to set up the lab environment see the "Introduction" section of the post.

If you're looking for a specific phase:

By now you know the drill. Off to our objdump file!

Woah. There are a lot of conditionals here. Maybe you’re an IA32 warrior who can take one look at this code and immediately tell what is going on, but for the rest of us, an iterative approach might work better here.

The first interesting thing we see here is the call to scanf which occurs at memory address 8048bb7 in my objdump output file. There are two values that are pushed onto the stack right before scanf is called. After the call to scanf is made, the two pushed values are compared, and the bomb explodes if they’re not equal. Let’s use gdb to figure out what they are.

As usual, we will set a breakpoint at our phase, phase_3, and then run the bomb using answers.txt as an argument. After that, we can input a test string and when our breakpoint hits, we can use the gdb command x/s [memory-address] to print whatever string we find at that memory address:

From this we see that our test string is stored in register %eax, while the format being asked for follows the format %d %c %d. In case your C is rusty:

From this, we know that our input will have to be an int, followed by a char, followed by an int again. This is a good first step. Let’s update our test input to 1 a 2 and run our bomb through gdb again.

When we do this, you’ll notice that after passing the format check, the next call to gets passed over as well. We could dig into why 1 is correct as the first integer, but let’s take the freebie and use our time to continue on.

Once we arrive at the next test, we see that the value $0xd6 is being compared to the value stored at -0x4(%ebp).

As you should certainly know, d6 in hexidecimal is equal to 214 in decimal. When we check the value stored in -0x4(%ebp), it should be apparent that the program has jumped past our char input for now (its using a case statement for all of you A+ students), and is checking our second integer here. Since the jump statement to miss the next call requires equality, this means that our second integer must be 214.

Finally we come to our character. This one is just as simple as the last:

From the move statement on line <+240> its clear that our char is stored at -0x5(%ebp) and the value to compare against is coming from %bl. When we print out the value to be compared against, we get a hexidecimal value of 62, which in decimal is 98:

In other words, our character should be a lowercase ‘b’. Lo and behold, when we put our three answers together:

Looks like the bomb squad is in town!

Binary Bomb Lab :: Phase 2

Zach Alexander — Tue, 06 Jan 2015 14:48:00 GMT

A note to the reader: For explanation on how to set up the lab environment see the "Introduction" section of the post.

If you're looking for a specific phase:

Ok, now things get a lot more interesting a lot more quickly. Let’s get started the same way we did last time, by looking at our objdump file for clues:

The first thing to notice here is that is calling a function by the name of . If we really wanted to be pedantic, we could go take a look at this function, but for the sake of brevity in this already very long tutorial, I’m going to go ahead and tell you that it looks to make sure the stdin input has six integers in it, each separated by a space. So there’s our first big clue: our answer takes the format a b c d e f where a-f are integers.

Now that we know roughly what our input should look like, let’s fire up gdb and do a little reverse engineering to figure out which six integers we should be inputting.

Sidenote: Typing in every passphrase every time we run the bomb gets really annoying really quickly. The bomb is written in such a way that it accepts a text file as an input. You can add your passphrases to this text file, separating each by a newline, and pass it to the bomb binary as an argument to avoid typing everything out every time you run the program. That’s what I’ll be doing from now on. See the lab handout for more information.

Now that we’re stopped at our breakpoint, let’s run disas to take a look at the assembly code and see if we can’t figure out exactly what’s going on. The output will look something like this:

Assuming you know assembly language basics (if you don’t, stop now and study up), a few things should jump out at you right away. Before anything else happens, a number is getting compared to 1, and the bomb is going off this number isn’t also 1. This means that the first integer in our secret phrase is undoubtedly 1.

The second thing to note is that the function is looping over its input. After %eax is compared to (%esi, %ebx, 4) at <+54>, %ebx gets incremented and, as long as its less than 5, the function jumps back to above the comparison so that it can do it again. This means that our input integers will probably be a pattern of some sort, where <+46> is where the math that increments the pattern happens. Let’s use until to jump down to the comparison and see if we can’t suss out what our second input number should be:

Once we’ve arrived at the comparison statement, we can use the i r command to see the contents of our registers. %eax, which is the register to which our value is being compared, is equal to 2. Therefore, the second integer in our passphrase should be 2.

The simplest way to solve this level completely is by continuing to step through the code, seeing what %eax is equal to after each iteration. Next you’ll find 6, then 24, then 120 followed by 720. If you’re really smart, however, you’ll notice that the assembly code is actually implementing the following algorithm:

v[0] = 1  
v[i] = (i+i) * v[i-1]

Either way, the second passphrase ends up being 1 2 6 24 120 720.

On to the next challenge!