To help staff and students quickly find useful code snippets in VB.NET, Python or pseudocode (for GCSE Computer Science with OCR, AQA, Edexcel or Eduqas) I’ve been putting together this website.
It aims to be a pseudocode, Python, VB.NET quick reference guide so you can quickly find definitions of key terms, a simple explanation of how key programming concepts work alongside code snippets that you can adapt and re-use as you learn.
VB.NET and Python are both programming languages designed to be understood and followed by computers. Pseudocode is not a programming language: it’s written to be understood by humans so that they can turn it into any programming language.
In the UK, each exam board has published a document saying how they’ll use pseudocode to describe algorithms in their exams. The whole idea of syntax (a set of rules) for pseudocode is silly – it’s not designed to be a programming language that is run by a computer. With this in mind, all exam boards state that you don’t have to follow the syntax for ‘their’ version of pseudocode when you write out your own algorithms, but you should be able to understand their version of pseudocode when reading an algorithm in an exam.
The idea is to give a really quick at-a-glance guide to explain some of the key concepts of programming that you need for GCSE Computer Science, alongside code snippets in Python and / or VB.NET as well as pseudocode for whichever exam board your school is using.
This searchable reference guide is designed for teachers and students preparing either for a Non-Examined-Assessment (NEA) or revising for a theory exam.
Students are not allowed to access the Internet and are not allowed to have access to code snippets matched to pseudocode like this during their actual NEA sessions. This resource is designed for students to access for support outside of those NEA sessions.
Create.withcode.uk is designed to allow anyone to write, run, debug and share python code that runs in your browser. It’s designed primarily for use in schools to allow teachers to quickly share code with students that they can adapt, debug and use.
Here’s an example python program that asks you for your name then says hello. Press Ctrl + Enter (or click on the green plus at the bottom of the code screen) to run the code.
When you save some python code on create.withcode.uk (press Ctrl+S or click on the share button) you get an option to copy and paste some HTML code that can be embedded into any website. e.g.:
With the ransomware attack on the NHS dominating the news headlines this week, here’s – at last – some good news related to cyber security.
Back in February I launched a Bug Bounty competition to encourage school students to responsibly disclose any bugs, vulnerabilities or problems with the site rather than maliciously exploit them.
I’m not able to afford the hefty cash prizes offered by some tech firms when people disclose a bug, but I do always send out some freebies to reward anyone who finds and reports a problem with the site, along with a certificate, as a mark of respect which can hopefully help kickstart a future career in information security.
Today, a talented young student from Fulford School has submitted a bug report identifying an XSS vulnerability in create.withcode.uk. This responsible disclosure has led to the bug being fixed without any damage done. Thank you!
For those that are interested, I thought I’d write up what an XSS attack is, what damage it can do, how it works and how you can prevent it from causing any damage on your website.
What is XSS?
XSS stands for Cross Site Scripting.
Scripting means running code.
What are the dangers?
Read personal information stored in site cookies (such as name, username or site preferences)
Steal your authentication token (to allow someone else to login as you)
Hijack your user account (e.g. to post a message as you on that site)
Redirect you to another website (e.g. to display adverts)
Alter the functionality of the site (e.g. to add / remove / change site features)
Use your computer to take part in a DoS or DDoS attack (overwhelming a web server with so much traffic that it becomes unusable)
create.withcode.uk is deliberately designed not to store any personal data or have user accounts, so none of the above was a serious concern, but it’s never good to leave a vulnerability open once it’s been discovered.
How does XSS work?
Any website that allows the user to type in data is potentially vulnerable. That means any website that has a text box for user input, or that accepts any input from a file, cookie, URL parameter or similar, could potentially be compromised by an XSS attack.
For example, a webpage that asks someone for their name and then says a personalised hello could be attacked if someone enters their name as <script>alert("do something nasty here");</script>
How can you prevent XSS attacks?
The trick to preventing XSS is to filter out any <script> tags (or other similarly dangerous tags) by filtering all user input, either to blacklist anything that looks suspicious or to whitelist only the type of data that you know you can trust.
Blacklist: A list of data that you want to prevent
Whitelist: A list of data that you want to allow
The most common way to do this is using a RegEx (Regular Expression) on anything that you display in the browser that you don’t fully trust. A RegEx lets you search for patterns in text so that you can remove them or replace them with whatever you choose.
A good web designer shouldn’t trust any data that comes from an external source (another server / user) and so should assume that any way of entering data might be a possible source of malicious code, and filter it appropriately.
You can experiment with the algorithm I’ve used to filter out any XSS attacks here. If you can find an XSS attack vector that gets through the filter, please let me know and claim your own bug bounty!
XSS attack vector: text, html or user input deliberately designed to execute code on a web page
Example XSS attack
The student who detected the vulnerability in create.withcode.uk realised that whilst most user input was correctly filtered, error messages were not properly filtered and so were a potential avenue for an XSS attack. He demonstrated how this could be used to:
Change all of the toolbar images at the bottom of the site
Embed a game into the site
Change the text in the editor
Redirect the user to a random python script
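To show the two filtering approaches described above side by side, and why the error-message path matters, here is an added Python example (not the site’s own filter code). It uses the post’s own `<script>alert(...)</script>` example as constructed input, compares a blacklist RegEx that strips script tags with HTML-escaping (which treats every HTML-significant character as plain text, the more robust defence), and routes both the greeting and a hypothetical error message through the same escaping so neither is left unfiltered:

```python
import html
import re

# Constructed sample input: the payload used as the example in the post above.
MALICIOUS_NAME = '<script>alert("do something nasty here");</script>'

# Blacklist approach: a RegEx that removes <script> and </script> tags
# (case-insensitive, so <SCRIPT> is caught too). Anything it does not
# recognise as dangerous is passed through unchanged, which is the weakness
# of any blacklist: it only blocks what its author thought of.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)

def blacklist_filter(untrusted: str) -> str:
    """Strip script tags from untrusted text; everything else is kept."""
    return SCRIPT_TAG.sub("", untrusted)

# Whitelist-style approach: instead of hunting for bad tags, encode every
# character with a meaning in HTML (<, >, &, quotes) so the browser shows
# the string as literal text and never interprets it as markup or script.
def escape_for_html(untrusted: str) -> str:
    return html.escape(untrusted, quote=True)

def render_greeting(name: str) -> str:
    """Personalised hello page: the name comes from the user, so escape it."""
    return f"<p>Hello, {escape_for_html(name)}!</p>"

def render_error(message: str) -> str:
    """Hypothetical error-message output. Error text can echo user input too,
    so it goes through exactly the same escaping as every other output path;
    leaving it out is the kind of gap the bug report above found."""
    return f'<p class="error">{escape_for_html(message)}</p>'
```

Compare `blacklist_filter(MALICIOUS_NAME)`, which returns the bare `alert(...)` text, with `render_greeting(MALICIOUS_NAME)`, which returns `&lt;script&gt;...` that a browser displays harmlessly as text.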
This vulnerability has not caused any data on the site to be compromised (create.withcode.uk doesn’t store any user details) but it has now been fixed thanks to the responsible disclosure. I’ll send out a small reward tomorrow to the student in question and hope that they continue to develop and use their skill to do the right thing both legally and morally!
We certainly need more people willing and able to find and help fix vulnerabilities in computer software.
The wrong thing to do would have been to maliciously exploit the vulnerability to cause damage. The right thing to do was to share the discovery sensibly so that it can be fixed. This is exactly what the student in question did. Well done 🙂