Blog

New Relic's Overeager Browser Agent Injection

Published: March 9, 2018

NOTE: This post is based on the New Relic PHP Agent as of Version 7.6.0.201

Recently I received a report from a client which read something like this…

Checkout is blocked on our website. Customers cannot place orders. Help!

I navigated to the website in question, added a product to my shopping cart and, upon clicking the “checkout” button, was directed to a screen where I was prompted to select my “complimentary sample product”.

There, I selected a random “sample product” at which point a “loading” overlay appeared on the screen. I waited a few seconds and soon realized the overlay wasn’t going to disappear. I was effectively “blocked” from getting to checkout…

Digging in, I found that the issue was caused by unencoded injection of the New Relic Browser Agent JavaScript into a JSON AJAX response, leading to a JavaScript parse error which prevented the overlay from disappearing and the success message from showing up.

Here I’ll provide more details on the issue and my findings…

Images cannot be crawled because of robots.txt restriction: A Google Merchant Center Fallacy

Published: March 7, 2018

Recently at Something Digital I’ve been working with a client who’s been having a lot of trouble setting up Google Shopping ads.

After creating a product feed and submitting it to Google Merchant Center, nearly half the products were listed as “Disapproved”. Drilling into these products in the Google Merchant Center product details, we saw the following error.

Images cannot be crawled because of robots.txt restriction

This struck me as strange as, upon a quick check of the site’s robots.txt file, I saw nothing that would prevent Googlebot from crawling the images in question.

We were ultimately able to resolve the issue, which, as suspected, had nothing to do with the robots.txt file. Here I’ll document my findings…

Add the Current Date to a Filename from the Command Line

Published: February 14, 2018

Something I do very often is add the current date to a filename from the command line.

Historically, I’ve always done something like this…

$ mv foo.txt 2018_02_14_18_07_foo.txt

It always felt dirty though…why should I manually type out the current date when I’m sitting in front of a computer which is equally if not more capable of doing that exact thing?

While I long put off researching this, today, I finally turned to Google in hopes of finding a more sane approach.

How Magento Generates Form Keys

Published: February 12, 2018

As a follow-up to my recent article “How Magento Generates Admin Secret URL Keys”, I’ve decided to take a look at yet another mechanism Magento uses to protect against CSRF attacks…form keys. In this post we’ll dig into Magento’s core code to understand how exactly they are generated in both Magento 1 and Magento 2.

How Magento Generates Admin Secret URL Keys

Published: February 11, 2018

Recently, while looking into a vulnerability for the Magento Bug Bounty, I needed to generate the secret key for an admin URL. While I’d long known that Magento adds these keys for security purposes (specifically to protect against CSRF attacks), I never understood how exactly these keys are generated. In this post, I’ll document my findings.

Checking SSL / TLS Version Support of a Remote Host from the Command Line

Published: February 1, 2018

A few days back I received an alert from New Relic that a site was down.

I checked the New Relic UI for more details and saw the following…

New Relic Error

“fatal alert: protocol_version” :open_mouth:

I did a little bit of research and arrived at the New Relic forums where I found a question titled “Availability report - connection error (Received fatal alert: protocol_version)”. There I found the following answer…

The legacy Availability Monitor in APM only supports TLS 1.0 which is why it began throwing errors once you disabled older TLS protocols.

https://discuss.newrelic.com/t/availability-report-connection-error-received-fatal-alert-protocol-version/52483/5

My next course of action was to check whether or not the site in question supported TLS 1.0. In this post, let’s review our options for checking SSL / TLS version support from the command line.