Review of “The Basics of Web Hacking Tools and Techniques to Attack the Web” by Josh Pauli; O’Reilly Media


Josh Pauli, in this book, tries to touch on the basics of web hacking: concepts, tools, methodologies and all. The author does the subject great justice, providing enough pointers to start with and then delve as deep as one's interest takes them.

It identifies the different layers at which hacking can be done (for example the network layer, application layer etc.), provides insight into the tools (Burp, Zed Attack Proxy, Nmap, Nessus etc.) which can be used at each layer, both free as well as paid ones, discusses the ways an application vulnerability can be attacked, offers good analogies to understand the issues better, and has many hands-on examples to try out each one of them. In fact, analogies make the stuff much easier to understand!
If you are a developer and have not thought about security issues before, it will be an eye-opener! Oh no, can this be hacked? Tools to monitor HTTP traffic (browser extensions as well as PC tools), types of XSS attacks, how a user's trust and a server's trust can be fooled: many more concepts have been nicely touched upon. For advanced knowledge, the author has given an impressive list of books at the end.

One drawback (or maybe not, it's really subjective) is that most of the context is for Linux, so users working primarily with Windows will have to map all the Linux stuff to its Windows parallel.

For users who are already well versed with the tools, methodology and types of attacks, this might be a refresher, but in the end it does justice to its title: BASICS.

A must have for everyone who wants to understand the basics, what a PEN test really means, and wants to "break" and fix their application before the penetration test team does it! Have fun hacking your own website ;)

Failing unit tests with mockito


I posted a question here

Mockito will report an exception in the calling class and fail the test, but it will not print the trace. Check for these things:

  1. toString: can it result in a NullPointerException? Do not print the field values blindly; have a null check there.
  2. equals: while mocking, we may not initialize the ID. For example, if the ID is DB generated, then it is NOT
    part of the constructor and one can easily forget to assign it.
  3. Check for exceptions which can occur in the calling module; maybe the problem is as simple as the trace not being printed!

Mock annotation returning null for mocked object


Using Mockito, I had written

@Mock
private SomeService someService;

This was returning NULL and my test cases were failing. What was the missing element? A one liner:

@RunWith(MockitoJUnitRunner.class)
public class SomeClass {
    @Mock
    private SomeService someService;
}

which is needed for the @Mock annotation to work!
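As an added illustration, not code from the original posts, here is a hypothetical JUnit 4 test that ties the two points above together: the runner is what makes @Mock fields non-null, and the entity's toString/equals are written null-safe so an unassigned DB-generated id cannot throw a NullPointerException from inside the test and leave you with a failure and no trace. Account, AccountService and the "alice" data are made up for the example; MockitoJUnitRunner is shown under its Mockito 2+ package (org.mockito.junit), while Mockito 1.x has it in org.mockito.runners.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.mockito.Mockito.when;

import java.util.Objects;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner; // Mockito 1.x: org.mockito.runners.MockitoJUnitRunner

// Hypothetical entity: the id is DB generated, so it is not part of the
// constructor and a freshly built instance has id == null.
class Account {
    private Long id;       // assigned by the database; null in unit tests
    private String owner;

    Account(String owner) { this.owner = owner; }

    Long getId() { return id; }
    void setId(Long id) { this.id = id; }
    String getOwner() { return owner; }

    // Null-safe: Objects.toString substitutes a marker instead of throwing on a null id.
    @Override public String toString() {
        return "Account{id=" + Objects.toString(id, "<unsaved>") + ", owner=" + owner + "}";
    }

    // Null-safe equals/hashCode: Objects.equals and Objects.hash tolerate null fields,
    // whereas id.equals(other.id) would NPE for an unsaved instance.
    @Override public boolean equals(Object o) {
        if (this == o) return true;
        if (!(o instanceof Account)) return false;
        Account other = (Account) o;
        return Objects.equals(id, other.id) && Objects.equals(owner, other.owner);
    }
    @Override public int hashCode() { return Objects.hash(id, owner); }
}

// Hypothetical collaborator that the test mocks.
interface AccountService {
    Account find(String owner);
}

@RunWith(MockitoJUnitRunner.class)   // without this runner the @Mock field stays null
public class AccountServiceTest {
    @Mock
    private AccountService accountService;

    @Test
    public void mockIsInitialisedByRunner() {
        assertNotNull(accountService);
    }

    @Test
    public void unsavedAccountsPrintAndCompareSafely() {
        Account expected = new Account("alice");      // id deliberately left null
        when(accountService.find("alice")).thenReturn(new Account("alice"));

        Account actual = accountService.find("alice");
        assertEquals(expected, actual);               // safe even though both ids are null
        assertEquals("Account{id=<unsaved>, owner=alice}", actual.toString());
    }
}
```

If you remove the @RunWith line, the first test fails with the NULL mock the post describes; if you replace the Objects.* calls with plain id.equals(...) or id.toString(), the second test fails inside assertEquals's message building, which is exactly the kind of hidden NullPointerException the first post is about.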

Remote debugging eclipse with tomcat


It's extremely basic, but I always miss a step or so and end up searching on Google. So I thought I would just jot it down, more so for myself!

  • In bin/catalina.bat add the following

    set JPDA_OPTS=-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n
  • For starting Tomcat, do not use startup.bat; instead navigate to the bin folder from the command prompt and use the following command to start Tomcat
    "catalina.bat jpda start"
  • If Tomcat starts listening successfully, it should print a message like

    "Listening for transport dt_socket at address: 8000"
  • Next, in Eclipse,

    1. select the project and click on Debug -> Debug Configurations. Under "Remote Java Application", create a new configuration, and then enter

      Host -> localhost

      Port -> 8000 (same as given in address for JPDA_OPTS)
    2. All set. Eclipse should be able to connect to Tomcat and debug points should be enabled in the webapp

Why web sockets fail on http while succeed over https


I was in a mess and this is the blog which gave me the clue out of it.
I had created two simple examples of a websocket implementation using the yet-to-be-released Spring 4 support for websockets.
I tested it from home and all was well and good (no issues).
The next day I tried to demo it to my team, and the HTTP version failed, but to my surprise the HTTPS version was still good and saved my day!
I realized that I had not done my homework properly; rather, impressed by the simplicity of Spring, I had rushed the implementation. While searching for the issue I stumbled on the above article: it turns out that the "automatic proxy" on the office network was the culprit. Here is the story

  1. We have an "automatic proxy" at the workplace, meaning no explicit IP or script in the proxy tab of the browser settings; once on the network, transparent proxies are used.
  2. For HTTP: since the browser was not aware of any explicit proxy, it addressed the WebSocket server directly, and while the request passed through the transparent proxy the required headers were removed. WebSocket is an HTTP upgrade (negotiated via certain headers; the above article has all the details). Since the headers were removed, the end server could not make sense of it and treated it as a simple HTTP request.
  3. For HTTPS: again the browser was not aware of the proxy, but since the data was encrypted the proxy did not tamper with the headers and the request went through to the actual server. Since the headers were still there, all went fine!
  4. The Spring WebSocket client (SockJS) was smart enough to switch to WSS when I used HTTPS, which I did not realize at the first shot. Lesson learned: test stuff behind proxies and firewalls even if it is an internal demo :)

In an actual scenario, in any corporate deployment, it's going to be HTTPS, so it seems that WebSocket has a very good story there!
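To make the failure mode above concrete, here is an added example (not code from the post, Spring or SockJS) that builds the WebSocket upgrade request and classifies a raw server response: a 101 carrying matching Upgrade/Connection headers and the correct Sec-WebSocket-Accept means the upgrade survived the path, while a plain 200 is the symptom of a proxy having stripped the upgrade headers before the origin saw them. The two responses in main() are constructed for the example; the key/accept pair is the sample from RFC 6455.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class WebSocketHandshakeCheck {
    // GUID fixed by RFC 6455 for computing Sec-WebSocket-Accept
    private static final String WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";

    // The client upgrade request; Upgrade/Connection/Sec-WebSocket-* are the headers a
    // transparent proxy that does not understand WebSocket may drop.
    public static String buildRequest(String host, String path, String key) {
        return "GET " + path + " HTTP/1.1\r\n"
             + "Host: " + host + "\r\n"
             + "Upgrade: websocket\r\n"
             + "Connection: Upgrade\r\n"
             + "Sec-WebSocket-Key: " + key + "\r\n"
             + "Sec-WebSocket-Version: 13\r\n\r\n";
    }

    // Sec-WebSocket-Accept = base64(SHA-1(key + GUID)); proves the origin saw our key
    public static String expectedAccept(String key) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            byte[] digest = sha1.digest((key + WS_GUID).getBytes(StandardCharsets.US_ASCII));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is mandatory in every JRE", e);
        }
    }

    // Classify the raw status line + headers the client received
    public static String classify(String key, String rawResponse) {
        String[] lines = rawResponse.split("\r\n");
        String statusLine = lines[0];
        Map<String, String> headers = new HashMap<>();
        for (int i = 1; i < lines.length && !lines[i].isEmpty(); i++) {
            int colon = lines[i].indexOf(':');
            if (colon > 0) {
                headers.put(lines[i].substring(0, colon).trim().toLowerCase(Locale.ROOT),
                            lines[i].substring(colon + 1).trim());
            }
        }
        if (!statusLine.startsWith("HTTP/1.1 101")) {
            return "NOT_UPGRADED (" + statusLine + "): server answered as plain HTTP, upgrade headers probably stripped in transit";
        }
        String connection = headers.get("connection");
        if (!"websocket".equalsIgnoreCase(headers.get("upgrade"))
                || connection == null || !connection.toLowerCase(Locale.ROOT).contains("upgrade")) {
            return "NOT_UPGRADED: 101 without Upgrade/Connection headers";
        }
        if (!expectedAccept(key).equals(headers.get("sec-websocket-accept"))) {
            return "BAD_ACCEPT: response does not match our key; something other than the origin answered";
        }
        return "UPGRADED";
    }

    public static void main(String[] args) {
        String key = "dGhlIHNhbXBsZSBub25jZQ=="; // sample key from RFC 6455, section 1.3
        System.out.print(buildRequest("ws.example.test", "/push", key));

        // Constructed: what the origin returns when the upgrade headers reach it intact
        String good = "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
                    + "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n";
        // Constructed: what the author saw over HTTP, the origin treating it as an ordinary GET
        String stripped = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>";

        System.out.println(classify(key, good));
        System.out.println(classify(key, stripped));
    }
}
```

Sending buildRequest() over a plain socket to port 80 and over an SSL socket to port 443 from inside the office network, then feeding each reply to classify(), would have distinguished "proxy stripped the headers" from "my code is wrong" in minutes instead of a failed demo.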

Spring data -yet another abstraction -quickly getting started


We started with JDBC, then ORM, which abstracted the underlying relational DB. Then came JPA, which abstracted the underlying ORM. Now Spring Data.

But given the kind of versatility we see today in data storage (relational, distributed, NoSQL and others), to me Spring Data seems to serve the purpose.

It abstracts CRUD for "different" types of data such as relational and NoSQL, and just by coding to the appropriate interface, CRUD operations can be achieved. For getting started, use this link for configuring the entity manager and transaction manager, basically the setup stuff.

Write a DAO interface; here the magic goes: the extended interface decides the type of data, relational, NoSQL etc.

import org.springframework.data.repository.CrudRepository;

// The ID type parameter must match the entity's @Id field type, which is Long in TestData
public interface TestDao extends CrudRepository<TestData, Long> {
}

And then for CRUD operations use this interface:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

@Service
public class TestService {
    @Autowired
    TestDao testDao;

    public boolean saveTestData(TestData testData) {
        if (testData != null) {
            testDao.save(testData); // the original called save(user); user is not defined here
            return true;
        }
        return false;
    }
}
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name = "testtable")
public class TestData {

    @Id
    @GeneratedValue
    private Long id; // DB generated, so not part of any constructor

    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }
}

I found it simple, yet flexible and powerful, considering the fact that although projects start with SQL, NoSQL is definitely on their road map down the line; this abstraction will ensure the least throwaway code!

Is amazon micro instance of any worth?


I was attracted by the per-hour pricing of Amazon cloud hosting; to see how things work out, I decided to give it a try.

The Good Part
The entry level is the "micro instance", free of cost for 750 hrs a month. I quickly calculated 24×30=720, hmm, and it works. It says it is good for small traffic. Perfect! I just had a couple of visitors per HOUR! Nothing can be less than that ;)

Background of my app: it's an enterprise app, CPU intensive and high on DB queries. I wanted to demo it to a couple of clients, so I was just looking around for some cheap option and stumbled upon the "Free" option.

And The Bad Part
My excitement did not last long. I noticed a behavior where for a couple of 'seconds' things would work as fast as if locally deployed, but after just a couple of minutes of continuous usage things would come to a grinding halt :(

I would have smelled something fishy on my side if I could reproduce this behavior locally, but I have been running this app in the LAB environment for a couple of days without any issue.

I spent a couple of hours searching for the root cause and stumbled upon this. Thank god, it saved me a hell of a lot of effort! Visit this blog; it nicely describes how "stolen CPU" (steal time) is the culprit!

So is the micro instance worth anything? Only if you want to get a first-hand feel of deployments in the cloud and a pat on the back that "hooo, my app is running in the 'cloud'", nothing more, nothing less!

For starters and less traffic, use their small instance, which as of today comes at $0.080 per hour in the Singapore zone. As explained in the blog, at least it will provide consistent behavior.

HAProxy up and running in a couple of minutes


I tried HAProxy for my webapp (hosted on Tomcat); the reason for using HAProxy is that it also supports WebSockets, and my current project uses websockets for server push.
As a first step, I tested it with a bare-bones web application. Wow, it's just so easy; without any hiccups it was up and working in ~30 minutes. I used a Linux box as no distribution for Windows is available (one can use Cygwin); see my previous post on the same.

  1. Download HAProxy; I used version haproxy-1.4.24.
  2. Untar it: tar -xvf haproxy-1.4.24.tar.gz
  3. Build HAProxy with the command "make TARGET=linux26". This is for CentOS 5.8, Linux kernel 2.6; the 26 in "TARGET=linux26" indicates the Linux kernel version, if it's 2.4 use "TARGET=linux24". As a side note, to know the kernel use uname -a on your Linux box.
  4. Copy haproxy to /usr/sbin: "cp haproxy /usr/sbin/haproxy"
  5. Create a config file, say /etc/haproxy_chandan.cfg.
  6. As mentioned on the HAProxy site, this is the bare minimum configuration needed; add it to the config file:
    global
        daemon
        maxconn 256
    
    defaults
        mode http
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms
    
    frontend http-in
        bind *:80
        default_backend websockets_support
    
    backend websockets_support
        server ws1 a.b.c.d:8888 maxconn 32
        server ws2 a.b.c.d:8080 maxconn 32
    
    listen admin
        bind *:8080
        stats enable
    
  7. Start HAProxy: /usr/sbin/haproxy -f /etc/haproxy_chandan.cfg
  8. As configured, requests will be handled on port 80 while the admin console for HAProxy is on port 8080

Access your app from http://ipofmachinewherehaproxyisinstalled:80
Access haproxy admin console from http://ipofmachinewherehaproxyisinstalled:8080/haproxy?stats

That's all. Moving on to configure it for WebSockets and see if it needs additional configuration tweaks or changes; will post.

Load balancer for Web Sockets


I am working on an implementation which requires using websockets with failover to Comet. WebSocket is an upgrade protocol to HTTP, and once established the connection remains open between server and client. Typical HTTP load balancers will not work, so what is the solution?
I did some research on load balancers with specific support for WebSockets; it turns out that HAProxy is the most reliable and widely used open source option. Another option is Nginx, which has a community version as well as a paid model, but the community version lacks active support.

Apache has also released its module for websockets, but reviews are not as good as HAProxy's. A good comparison and discussion around these three is available in this post.

The "greatest limitation" of HAProxy: it does not have a build for Windows.
It can be worked out for testing with Cygwin on Windows, but for any production deployment it has to be a Linux machine.

Never put static files in the WEB-INF folder, and never be over-confident about your analysis ;)


It may be weird, but when you code in a hurry to get it over with ASAP, it invites even more delay and trouble. I spent almost 2 hrs trying to access static files placed in a folder inside the WEB-INF folder, forgetting that they will never be accessible from a browser, because that's exactly why the WEB-INF folder exists: to restrict public access!

So my intent was good: I had a JSP which has an embedded SWF file. Everything was in the root folder parallel to WEB-INF. Then I thought, let's restrict access to the SWF via direct URL (the SWF has some login code as well), so I created a folder "view" inside WEB-INF and moved all my files there. Hmm..

  1. After execution of the business logic, I forwarded the request to the JSP.
  2. The JSP was rendered but the SWF was not loaded.
  3. I tried a redirect by putting the folders outside WEB-INF (for a redirect it has to be outside WEB-INF!) and it worked!!!
  4. Oh my, I concluded it's an issue with the forward, completely ignoring the fact that it's about the static file location.
  5. After 2-3 hrs, yeah, 2-3 hrs, I used Firebug. I do not know why I did not use it at the beginning; maybe I was trying to be over smart and highly confident about my analysis of the cause!
  6. Firebug revealed that all files need to be at a place accessible by the browser, which is outside WEB-INF.

More than any technical learning: do not be overconfident about your analysis ;)
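The original goal, keeping the SWF out of reach of direct URLs while still letting logged-in users load it, can be met without moving it back outside WEB-INF: leave the file under WEB-INF (where the container refuses to serve it) and have a servlet stream it only after a session check. A forward works because it runs inside the container, while the browser's request for the embedded SWF is a separate direct URL, which is why the JSP rendered but the SWF did not. The following is an added example, not the post's code; ProtectedFileServlet, the /WEB-INF/protected/ location, the /protected/* mapping and the "user" session attribute set at login are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical gatekeeper: the JSP embeds <context>/protected/player.swf, the real file sits
// in /WEB-INF/protected/player.swf, which the container never serves directly.
@WebServlet("/protected/*")
public class ProtectedFileServlet extends HttpServlet {
    private static final String BASE = "/WEB-INF/protected/";

    // Allow only a single flat file name with an expected extension: no "/", no "..",
    // so the path info cannot be used to reach other resources under WEB-INF.
    static boolean isSafeName(String name) {
        return name != null && name.matches("[A-Za-z0-9_-]+\\.(swf|js|css|png)");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Login check first: "user" is assumed to be set in the session by the login code
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String path = req.getPathInfo();                     // e.g. "/player.swf"
        String name = (path == null) ? null : path.substring(1);
        if (!isSafeName(name)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND); // do not reveal what else exists
            return;
        }

        // Read from inside the web application, not from the file system
        InputStream in = getServletContext().getResourceAsStream(BASE + name);
        if (in == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try {
            String mime = getServletContext().getMimeType(name);
            resp.setContentType(mime != null ? mime : "application/octet-stream");
            resp.setHeader("Cache-Control", "private, no-store"); // keep it out of shared caches
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            out.flush();
        } finally {
            in.close();
        }
    }
}
```

In the JSP the embed becomes `<%= request.getContextPath() %>/protected/player.swf`; an anonymous request to that URL gets 401 instead of the file, and a crafted name such as `../view/page.jsp` is rejected by isSafeName() before any lookup happens.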
