Monthly Archives: November 2013

Review of “The Basics of Web Hacking Tools and Techniques to Attack the Web” by Josh Pauli; O’Reilly Media

In this book Josh Pauli touches on the basics of web hacking: concepts, tools, methodologies and all. The author does the subject justice, providing enough pointers to start with and then letting readers delve as deep as their interest takes them.

It identifies the different layers at which hacking can be done (network layer, application layer and so on), gives insight into the tools that can be used at each layer (Burp, Zed Attack Proxy, Nmap, Nessus etc.), both free and paid, discusses the ways an application vulnerability can be attacked, offers good analogies to understand the issues better and gives many hands-on examples to try out each one of them. In fact the analogies make the material much easier to understand!

If you are a developer and have not thought about security issues before, it will be an eye-opener: oh no, can this be hacked? Tools to monitor HTTP traffic (browser extensions as well as PC tools), the types of XSS attack, how a user's trust and a server's trust can be fooled, and many more concepts have been nicely touched upon. For advanced knowledge, the author has given an impressive list of books at the end.

One drawback, or maybe not, it's really subjective, is that most of the context is for Linux, so users working primarily with Windows will have to map all the Linux material to its Windows parallel.

For users who are already well versed with the tools, methodology and types of attack this might be a refresher, but in the end it does justice to its title: BASICS.

A must-have for everyone who wants to understand the basics, what a pen test really means, and wants to "break" and fix their application before the penetration test team does it! Have fun hacking your own website 😉

Failing unit tests with Mockito

I posted a question here

Mockito will report an exception in the calling class and fail the test, but it will not print the trace. Check the following:

  1. toString: can it result in a NullPointerException? Do not print the field values blindly; have a null check there.
  2. equals: while mocking, we may not initialize the ID. For example, if the ID is DB-generated, then it is NOT part of the constructor and one can easily forget to assign it.
  3. Check for exceptions which can occur in the calling module; maybe the problem is as simple as the trace not being printed!

Mock annotation returning null for mocked object

I was using Mockito and had written

    @Mock
    private SomeService someService;

This was returning NULL and my test cases were failing. What was the missing element? A one-liner:

    @RunWith(MockitoJUnitRunner.class)   // the missing one-liner; calling MockitoAnnotations.initMocks(this) in a @Before method is the alternative
    public class SomeClass {

which is needed for the @Mock annotation to work!
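The following JUnit 4 test is an added example, not code from the original posts. It pulls both Mockito notes together: the class-level runner that initialises @Mock fields (without it the field stays null, as in the second post), and an entity whose toString and equals tolerate a DB-generated id that is still null while the object is only mocked or unsaved (the first post's checklist). Customer, CustomerRepository and CustomerService are hypothetical names; the import path of MockitoJUnitRunner is the Mockito 1.x one used when the post was written, and Mockito 2+ moves it to org.mockito.junit.

```java
// Added example (not from the original posts): JUnit 4 + Mockito 1.x test showing
// (1) the runner that makes @Mock fields non-null and
// (2) an entity whose toString()/equals() survive a null, DB-generated id.
import static org.junit.Assert.assertEquals;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;

import java.util.Objects;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner; // org.mockito.junit.MockitoJUnitRunner in Mockito 2+

// Hypothetical entity: the id is assigned by the database, so it is not a constructor argument
// and stays null for objects built in a test.
class Customer {
    private Long id;              // null until persisted
    private final String name;    // stable business key, used when no id exists yet

    Customer(String name) { this.name = name; }

    void setId(Long id) { this.id = id; }
    Long getId() { return id; }

    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (!(o instanceof Customer)) return false;
        Customer other = (Customer) o;
        // A naive "id.equals(other.id)" throws NullPointerException for unsaved objects;
        // fall back to the business key when either side has no id yet.
        if (id == null || other.id == null) return Objects.equals(name, other.name);
        return id.equals(other.id);
    }

    @Override
    public int hashCode() { return Objects.hash(name); }

    @Override
    public String toString() {
        // String concatenation renders a null id as "null"; calling id.longValue() here would throw.
        return "Customer{id=" + id + ", name=" + name + "}";
    }
}

// Hypothetical collaborator that the test mocks.
interface CustomerRepository {
    Customer findByName(String name);
}

// Hypothetical class under test: turns a missing row into an explicit exception.
class CustomerService {
    private final CustomerRepository repo;
    CustomerService(CustomerRepository repo) { this.repo = repo; }

    Customer lookup(String name) {
        Customer c = repo.findByName(name);
        if (c == null) throw new IllegalArgumentException("no such customer: " + name);
        return c;
    }
}

@RunWith(MockitoJUnitRunner.class)   // without this line the @Mock field below is null
public class CustomerServiceTest {

    @Mock
    private CustomerRepository repo;   // initialised by the runner before each test

    @Test
    public void lookupReturnsStubbedCustomer() {
        Customer unsaved = new Customer("alice");   // id deliberately left null
        when(repo.findByName("alice")).thenReturn(unsaved);

        Customer result = new CustomerService(repo).lookup("alice");

        assertEquals(unsaved, result);              // equals must cope with id == null
        assertEquals("Customer{id=null, name=alice}", result.toString());
        verify(repo).findByName("alice");
    }

    @Test(expected = IllegalArgumentException.class)
    public void lookupOfUnknownNameThrows() {
        // An unstubbed mock method returns null; the service reports that clearly
        // instead of letting a NullPointerException surface later in a caller.
        new CustomerService(repo).lookup("bob");
    }
}
```

If the runner cannot be used (for example the class already needs another runner), the equivalent is `MockitoAnnotations.initMocks(this)` in a `@Before` method; either way, a null @Mock field is the first thing to check when a stubbing call itself throws NullPointerException.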

Remote debugging Eclipse with Tomcat

It's extremely basic, but I always miss a step or so and end up searching on Google. So I thought I would just jot it down, more so for me!

  • In bin/catalina.bat add the following:

    set JPDA_OPTS=-agentlib:jdwp=transport=dt_socket,address=8000,server=y,suspend=n
  • To start Tomcat, do not use startup.bat; instead navigate to the bin folder from the command prompt and start Tomcat with the following command:

    catalina.bat jpda start
  • If Tomcat starts listening successfully, it should print a message like:

    Listening for transport dt_socket at address: 8000
  • Next, in Eclipse:

    1. Select the project and click Debug -> Debug Configurations. Under "Remote Java Application" create a new configuration, and then enter

      Host -> localhost

      Port -> 8000 (same as the address given in JPDA_OPTS)
    2. All set. Eclipse should be able to connect to Tomcat and breakpoints in the webapp should be hit.
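As an added example (not part of the original post), the small program below confirms from the same machine that the JDWP agent configured through JPDA_OPTS is actually accepting connections on localhost:8000 before you attach Eclipse. The JDWP transport opens with a fixed 14-byte ASCII handshake, "JDWP-Handshake", which the agent echoes back verbatim; any other reply means something else owns the port. The class name and the default port are assumptions; the port is the one from the JPDA_OPTS line above. One caveat worth knowing: on JDK 8 and earlier a bare `address=8000` binds every network interface, so on a machine reachable from others use `address=localhost:8000`; on JDK 9 and later a bare port already binds loopback only and `address=*:8000` is required to expose it. In either case the JPDA_OPTS line belongs in a developer's local startup script, not in a deployed one.

```java
// Added example (not from the original post): sanity check that the Tomcat JDWP agent
// started by "catalina.bat jpda start" is listening on localhost before attaching Eclipse.
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class JdwpListenerCheck {
    // The JDWP transport handshake: client sends these 14 bytes, agent echoes them back.
    private static final byte[] HANDSHAKE = "JDWP-Handshake".getBytes(StandardCharsets.US_ASCII);

    /** Returns true only if a JDWP agent completes the handshake on host:port. */
    static boolean isJdwpListening(String host, int port, int timeoutMillis) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMillis);
            s.setSoTimeout(timeoutMillis);

            OutputStream out = s.getOutputStream();
            out.write(HANDSHAKE);
            out.flush();

            InputStream in = s.getInputStream();
            byte[] reply = new byte[HANDSHAKE.length];
            int read = 0;
            while (read < reply.length) {
                int n = in.read(reply, read, reply.length - read);
                if (n < 0) return false;       // peer closed before finishing the handshake
                read += n;
            }
            return Arrays.equals(reply, HANDSHAKE);
        } catch (IOException e) {
            return false;                      // connection refused, timeout, reset, ...
        }
        // Closing the socket detaches; the agent (server=y) goes back to listening for Eclipse.
    }

    public static void main(String[] args) {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 8000;   // assumed default, matches JPDA_OPTS
        boolean up = isJdwpListening("localhost", port, 2000);
        System.out.println(up
            ? "JDWP agent is listening on localhost:" + port + "; attach Eclipse now"
            : "No JDWP agent on localhost:" + port + "; check JPDA_OPTS and the Tomcat console output");
    }
}
```

Run it only after Tomcat has printed "Listening for transport dt_socket at address: 8000"; if it reports no agent, the usual causes are that startup.bat was used instead of "catalina.bat jpda start", or that JPDA_OPTS was set in a file Tomcat does not read.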