I've been deep fried!

Keith Elder and Chris Woodruff were nice enough to have me on their excellent and very popular webcast Deep Fried Bytes last month, and the episode is up and ready! We discuss the security environment for web developers today, focused on the OWASP Top 10 and testing your web app.

I had a good time on the show, and it turned out really well, I think. Hope you'll take a listen!

http://deepfriedbytes.com/podcast/episode-83-helping-web-developers-get-more-secure-with-bill-sempf/ 

Windows 8 CP installation experience

Some of you may have read my dual boot setup post when Dev Preview (DP) came out. Now it is time to upgrade that rig to Consumer Preview (CP), and I thought I would give an update.

The bootable USB drive I used for DP got repurposed for CP, so the laptop got booted from that. I decided to format the partition that I had used to set up dev preview, and do a fresh install of Consumer Preview. The disk tools look unchanged (since Vista, actually) and that went painlessly. So far so good.

Interesting that the license key management has been installed, although it is freely available. The English key is DNJXJ-7XBW8-2378T-X22TX-BKG7J. Other than that the installation was the same as DP. The install took about 6 minutes on my Intel i7.

If you are using a bootable USB, note that Windows won't warn you before reboot. It will go right back into the setup routine when it is finished installing. You can just turn the machine off, unplug the USB drive, and turn the machine back on to continue installation.

The best news was that it honored my dual boot that DP set up!

 I was happy about that. There are backups, and honestly I pretty much live in Windows 8 now, but it is nice to know my Windows 7 partition is still there if I need it.

It should be noted that my display driver wasn't recognized. I downloaded the NVidia display driver from Acer's site and installed it. After a reboot, I was in business - awesomesauce.

Oh, and another thing: I installed Windows 8 CP on my Asus slate Wednesday with zero problems also. It isn't a dual boot though so I didn't think it was worth a blog post. This one is a little neater.

Hope everyone is enjoying Windows 8! Now go build some apps!!

How to login to Facebook from Windows 8 Metro using HTML 5

Facebook login with OAuth 2.0 is baked into WinRT. You can't actually use the samples on the Facebook Developer portal. So, from an application, try these steps:

  • Start with a Navigation template, or add an appbar to your app
  • Add a login button to your appbar. It should go in the default.html page in the root directory
<button id="loginButton" class="win-command" style="float: right;">
  <span class="win-commandicon win-large login"></span><span class="win-label">login</span>
</button>
  • In the related JS file, add an event handler for the button. This collects the required values for the OAuth call and then calls Windows.Security.Authentication.Web.WebAuthenticationBroker.authenticateAsync, where all the magic happens. The scope parameter in the querystring is how you get extended permissions.
function loginButtonClick() {
        var facebookURL = "https://www.facebook.com/dialog/oauth?client_id=";
        var callbackURL = "https://www.facebook.com/connect/login_success.html";
        var clientID = "12434567890987654321";
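        // Request all permissions in a single scope parameter; a second "scope" key would conflict with the first.
        facebookURL += clientID + "&scope=read_stream,publish_stream,publish_checkins,publish_actions,share_item&redirect_uri=" + encodeURIComponent(callbackURL) + "&display=popup&response_type=token";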

        var startURI = new Windows.Foundation.Uri(facebookURL);
        var endURI = new Windows.Foundation.Uri(callbackURL);

        try {

            Windows.Security.Authentication.Web.WebAuthenticationBroker.authenticateAsync(
								Windows.Security.Authentication.Web.WebAuthenticationOptions.default,
								startURI,
								endURI).then(callbackFacebookWebAuth, callbackFacebookWebAuthError);
        } catch (err) {
            console.log(err.message);
            return;
        }
    }
  • The promise has callbacks for completion and error. You can swallow the error, but on completion, make sure to keep the token.
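function callbackFacebookWebAuth(result) {
        // Only parse the response if the broker reports a successful sign-in.
        if (result.responseStatus !== Windows.Security.Authentication.Web.WebAuthenticationStatus.success) {
            return;
        }
        var url = result.responseData;
        var querystring = {};

        // With response_type=token the token comes back in the URL fragment,
        // so '#' has to be treated as a separator along with '?' and '&'.
        url.replace(
            new RegExp("([^?#=&]+)(=([^&]*))?", "g"),
            function ($0, $1, $2, $3) {
                querystring[$1] = $3;
            }
        );
        facebookToken = querystring["access_token"];
    }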
 
And that's about it. The token in facebookToken is what is used to call the open graph. For instance, to get my data, I could call the graph like this: 
 
facebookButton.addEventListener('click', function () {
	var buildUrl = "https://graph.facebook.com/billsempf/feed?access_token=" + PA.facebookToken;
	WinJS.xhr({ type: "GET", url: buildUrl }).then(parseProfileJson, promiseError);
    });
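
The callback handling described above, as an added example that is not part of the original post: a standalone parser for the redirect URI the broker hands back, which checks that the redirect landed on the expected callback, surfaces a denial instead of an undefined token, and reads the token from the fragment. It uses the standard URL and URLSearchParams classes, so it runs in Node or a current browser; the function name, the result shape and the sample redirects in the comments are assumptions made for illustration.

```javascript
// Added example: validate and parse the redirect returned for response_type=token.
// Constructed sample inputs (not captured traffic):
//   success: CALLBACK_URL + "#access_token=CONSTRUCTED_TOKEN&expires_in=5183"
//   denial:  CALLBACK_URL + "?error_reason=user_denied&error=access_denied"
var CALLBACK_URL = "https://www.facebook.com/connect/login_success.html";

function parseAuthRedirect(responseData, expectedCallback) {
    var got, want;
    try {
        got = new URL(responseData);
        want = new URL(expectedCallback);
    } catch (e) {
        // Empty or garbage response data, e.g. after a cancelled dialog.
        return { ok: false, error: "malformed_redirect" };
    }

    // Accept only a redirect that ends on the callback we asked for.
    if (got.origin !== want.origin || got.pathname !== want.pathname) {
        return { ok: false, error: "unexpected_redirect" };
    }

    var query = new URLSearchParams(got.search);
    var fragment = new URLSearchParams(got.hash.slice(1));

    // Assumption: an error may arrive in either the query string or the
    // fragment, so both are checked before looking for a token.
    var error = query.get("error") || fragment.get("error");
    if (error) {
        return { ok: false, error: error };
    }

    // The implicit flow puts the token in the fragment, never the query string.
    var token = fragment.get("access_token");
    if (!token) {
        return { ok: false, error: "missing_token" };
    }

    var expires = parseInt(fragment.get("expires_in"), 10);
    return {
        ok: true,
        accessToken: token,
        expiresIn: isNaN(expires) ? null : expires
    };
}
```
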

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
