Portfolio

Web Development Portfolio

A good website is the fastest and most cost effective solution to getting more customers, getting your voice heard, or getting known.

I offer exceedingly high quality web development for exceedingly low cost, please review my Skill Set and my Services to determine what I can do for you, then contact me

• BuyDirectLed.com

  A Complex E-Commerce site that automatically handles issues like payment and commission.

• AngerCentral.com

  A foul-mouthed social networking site dedicated to posting about what is making users angry at the moment. Described as the "Anti-Twitter"

  Fully dynamic, database driven site, with user systems, high end security, and a slew of complicated blogging systems, all custom made.

  Anger Central

• Sir Ghettophones

  Client wanted a band site based on Word Press, with a dark purple and black elegant theme. Client also had a background image that was desired, and the background had to stretch to any computer monitor size, opting a creative solution that was cross browser compatible and fully dynamic.

  I opted for an XHTML 1.0 strict document type for this project because strict standards compliance was critical to the user base.

  Sir Ghettophones

• This Grant For You, inc.

  The client need a sleek, professional website for his grant writing service. Since the rapid deployment of this website, his business has grown by an order of magnitude.

  This Grant For You, inc.

• Williams and Sons Electric, CO.

  Client requested a simple online business card to divert traffic to his company. With use of proper Search Engine Optimization (SEO) and promotion, his site has grown in users steadily, with large numbers of new users every month, increasing his sales conversions.

  I opted for HTML 4.01 strict document type on this project because low cost and fast development was paramount to the project.

  Williams and Sons Electric, CO.

Security Portfolio

Security Skills

Information security is my top priority, I believe that before a site goes live, it must have be held to the highest standard of security imaginable.

I have extensive experience in web security, primarily in the areas of:

• XSS (Cross-Site scripting)
• CSRF (Cross-Site Request Forgery)
• SQL Injection
• Buffer Overflows
• Remote File Inclusion
• Local File inclusion
• Read Exploits
• Browser Exploits
• AJAX Worms
• Data Exposition
• XSSRF (Cross-Site Scripting Request Forgery)
• Database Security
• And essentially any other web application security issue

Below I have listed some of the more significant exploits I have identified.

NOTE: Information on exploits I have located is ONLY released after the exploit has been corrected.

• StumbleUpon Exploit
  
• cPanel CSRF and XSS
  cPanel is an exceedingly popular server management tool.
  By utilizing a CSRF exploit, I was able to gain root access on any server running this software, via several methods.
  One, I could create a cron job to change the server's administrative or root password, or I could upload a PHP bash shell to the server, running under the account of the server daemon.
• Opencart: SQL Inection and XSS in the search feature
  (confirmed by security community)
  SQL Injection and XSS hols in the search engine feature allowing server side SQL execution and client side JavaScript execution respectivley. Potential database exposition and manipulation, identity theft Cookie and account stealing, Redirects, Phishing, Page defacing, stealing passwords, identity theft.
  
  
• Internet Explorer 6: FSO Object Remote Control
  (Confirmed by Internet Explorer Security Team)
  I discovered ActiveX FSO object (File Systen ObjectO) to write any batch, vbscript, or JScript file to the root folder (C:\), then execute it, allowing client side execution of malicious scripts. Permitting any sort of tampering with a client computer. Enormous Risk.
  Now, IE has FSO disabled by default, and better prompting as to risk when deactivated.
  
  Any vulnerable IE browser (IE 6) could visit a malicious page, and have malware installed, or even have a hard drive wiped by this exploit.
  
  
• Internet Explorer 6, FF1, etc. XSS: Function Corruption
  (confirmed by security community)
  I was able to access local functions, causing a potentially serious security issue on several client websites, bypassing the best XSS filters avalible at the time. Three major sites found vulnerable were Xanga.com, MySpace.com, and HackThisSite.org forums. They have since been fixed.
  
  The hole in the major sites has been averted, and my XSS Filter protects against this exploit.
  
  
• Attribute injection
  (confirmed by security community)
  A form of injection where attributes are injected instead of the "javascript:" hander or the SCRIPT tag.
  It closes the current attribute (as in "href" in a link or "value" in a textbox) and adds first a style attribute to make the object 100% height, 100% width, and a higher z-index than the rest of the page, then adds an onmouseover attribute to trigger JavaScript when the mouse is moved anywhere on the page.
  The injection looks like [code]
  " style="position:absolute; top:0; left:0; display:block; height:100%; width:100%" onmouseover="alert('hacked');
  [/code]
  As with all XSS exploits, some websites are still vulnerable.
  
  
• Non-Printable ASCII characters injected into the "Javascript:" hander. Or even functions and tags in some places.
  
  (confirmed by security community)
  Any ASCII Character, between dec00-dec16 can be injected into the "Javascript:" handler, usually via a GET variable to break up an injection and bypass a filter. Safari and Chrome are most vulnerable, but IE and Opera are also vulnerable to an extent.
  The injection looks like
  [code]
  somesite.com/search.php?query=<somecode someattribute= "ja%04v%13as%00cri%11pt:alert('hacked')">
  [/code]
  OR <scri%00pt>alert('hacked')</scri%00pt>
  The nullbyte, line break, carriage return and tabs have always been used in this injection, but I took it several steps further.
  As with all XSS exploits, some websites are still vulnerable.
  
  
• Alexandria Library System
  Multiple critical XSS exploits. Unconfirmed, as the company never responded to my multiple contact attempts, complete with proof of concept demonstrations. However, the proof of concept hacks were confirmed by multiple browser and version testing.
  
  
• Google Image Search
  (confirmed by Google Security Department)
  Redirect and ability to make it appear that a specific image is located in a website that does not actually host the image.
  Leaves the door open for SE attacks and loss of user trust.
  The Google Security Department told me that this was a known exploit, but not publically avalible (ie. in the general hacker community)
  
  
• MySpace
  (confirmed by secruity community)
  Multiple XSS injections (including function corruption) and HTML decfacement injections.
  
  
• Xanga
  (confirmed by secruity community)
  Attribute Injection XSS
  Active Content filtering bypass, by use of <script a=">" src=".."></script> hack and setTimeout("evi" + "lfunction(" + "something)", 0);
  
  
• Google Blogger
  (unconfirmed)
  XSS in post system, simple "javascript:" handler injection into a link. Fixed less than two weeks after discovery. Proof of concept hacks returned true.
  
  
• Misc. E-Commerce Shopping Carts
  (various states of confirmation)
  I can not release the name nor details of the exploits, as they have not returned my contact attempts, and the time has not yet expired for partial release.
  Most of the exploits were XSS and SQL injection however.
  
  

Search Engine Optimization

Businesses need to be found, and internet search engines like Google, Yahoo, AltaVista, Bing, AOL, and many others are the way to get your business found.

Experienced professional talent is a necessity for getting high search engine rankings.

I have proven ability to improve, start, or build search engine ranks via a wide variety of techniques, designed with the customer and conversion rates in mind.

Remember, there are far too many "blackhat SEOs" out there, that will try and trick Google and Yahoo into high rankings, but these invariably result in having your site banished from all of the major search engines.

When you need real Search Engine Optimization, hire a real professional.

I have a long history of significantly improving search engine rankings on everything from electrical contracting to real estate.

I can not guarantee top Google rankings, as no real SEO professional can, but I can guarantee to improve your ranking for target keywords, and have a high probability of reaching that coveted number one position.