Night Hour

Reading under a cool night sky ... a quiet, contemplative night ...

Building a Simple Android QR Code Reader


Adopt and change before any major trends of changes. - Jack Ma

3 June 2020


The COVID-19 pandemic has brought about many changes in our society. To fight the spread of COVID-19, Singapore requires the use of SafeEntry for registering entries to and exits from various places. The SafeEntry system encodes a venue-specific URL into a QR code; scanning it with a smartphone launches a browser to that URL for checking in and out.

This article shows how to create a simple Android application that scans a QR code containing a URL and launches a browser to open it. It uses the popular ZXing Android Embedded library to decode the QR code. Since a QR code can carry arbitrary text, the application should check that the decoded content is an http or https URL before handing it to the browser.


Configuring Apache Httpd Reverse Proxy for Internal Virtualbox VM


Trying is only good when accompanied by common sense. - Random thoughts

5 Nov 2019


For small companies, some enterprise applications may reside on internal servers, yet still have to be made available to users over the public internet. An Apache HTTPD reverse proxy can be placed in front of such an application to control which of its paths are reachable from outside, so that the internal server is never exposed directly. This article describes how to set up an Apache HTTPD reverse proxy that restricts access to an internal application running on a VirtualBox virtual machine. The reverse proxy itself runs on an Ubuntu VM on the same VirtualBox host.


Developing an Nginx URL Whitelisting Module


Premature optimization is the root of all evil. - Donald Knuth

29 Oct 2019


One of the challenges of securing web applications and websites is preventing the accidental exposure of sensitive parts of an application, such as administrative interfaces. A common technique is to blacklist an application path and deny access to resources under it; other techniques include disabling unneeded administrative interfaces or removing unwanted features. A blacklist has to anticipate every sensitive path, so anything it does not list is exposed by default. This article shows how to develop an Nginx module that takes the opposite approach and allows access only to whitelisted URLs or web resources, denying everything else.
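To make the difference between the two approaches concrete, here is a path whitelist check in Python. It is an example added for this listing, not code from the article's Nginx module (which is written in C against the Nginx API). The whitelist entries, the rule that an entry ending in "/" is a directory prefix, and the rejection of double-encoded, NUL and backslash characters are assumptions made for the example. The point it shows is that a whitelist is only as good as the normalization done before the comparison: "/static/../admin" and "/static/%2e%2e/admin" both start with an allowed prefix until the path is canonicalised.

```python
import posixpath
from urllib.parse import unquote

# Allowed resources. Constructed for this example; the module in the article
# reads its whitelist from the Nginx configuration instead. An entry ending in
# "/" (other than "/" itself) is a directory prefix, anything else is an exact
# resource. Matching is case-sensitive: /Admin and /admin are different files
# on a case-sensitive filesystem and must be listed separately if both exist.
WHITELIST = ("/", "/index.html", "/static/", "/api/public/")


def normalize_path(raw_uri):
    """Return the canonical path of a request URI, or None if it is malformed.

    The comparison must be made on the same form of the path that the
    application will eventually resolve, otherwise "/static/../admin" or
    "/static/%2e%2e/admin" slips past a check that only looks at the prefix.
    """
    # The query string and fragment are not part of the resource path.
    path = raw_uri.split("?", 1)[0].split("#", 1)[0]
    # Decode percent-encoding exactly once. A '%' that survives came from
    # double-encoding (e.g. %252e), which a backend might decode again, so
    # reject it rather than guess. NUL and backslash are rejected for the
    # same reason: some backends treat them as terminators or separators.
    path = unquote(path)
    if "%" in path or "\x00" in path or "\\" in path:
        return None
    trailing_slash = path.endswith("/")
    # Collapse a leading "//" (posixpath.normpath would preserve it) and make
    # the path absolute, then resolve ".", ".." and repeated slashes.
    # ".." segments that try to climb above "/" are dropped by normpath.
    path = "/" + path.lstrip("/")
    path = posixpath.normpath(path)
    # normpath strips a trailing slash; restore it, because "/static/" (a
    # directory prefix) and "/static" (a file) are different resources.
    if trailing_slash and path != "/":
        path += "/"
    return path


def is_allowed(raw_uri, whitelist=WHITELIST):
    """Default deny: True only if the canonical path matches a whitelist entry."""
    path = normalize_path(raw_uri)
    if path is None:
        return False
    for entry in whitelist:
        if entry != "/" and entry.endswith("/"):
            if path.startswith(entry):
                return True
        elif path == entry:
            return True
    return False


if __name__ == "__main__":
    for uri in ("/index.html", "/static/css/site.css?v=3", "/admin/",
                "/static/../admin/", "/static/%2e%2e/admin",
                "/static/%252e%252e/admin", "//admin", "/api/publicx"):
        print("%-32s %s" % (uri, "allow" if is_allowed(uri) else "deny"))
```

The check deliberately refuses anything it cannot canonicalise with confidence rather than trying to be clever about it; in a default-deny design a false "deny" costs a support ticket, a false "allow" exposes the administrative interface.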


Replacing and Updating HTML Files using BeautifulSoup


Obey the principles without being bound by them. - Bruce Lee

12 Jan 2019


It is the new year again. For websites that consist mainly of static HTML pages built by hand, a common task is to update the year in the copyright notice or some other text or element that is repeated on every page. This is time consuming if the website has many pages. This article shows how to automate such changes using BeautifulSoup, a Python library for parsing HTML. It also shows how to use BeautifulSoup together with the Requests library to check for broken links in HTML files.


Blocking Sensitive Content using Nginx and Docker


I'm smart enough to know that I'm dumb. - Richard Feynman

21 June 2018


Security professionals often deploy web application firewalls (WAFs) to protect applications against attacks. Some, like the popular open-source ModSecurity, can inspect both the incoming request and the outgoing response, and so can detect both web attacks and information leakage. There are also cloud-based WAFs, such as those from Cloudflare and Sucuri, that make it easy to protect a web application or website.

Not all web application firewalls inspect the outgoing response. Some WAFs focus solely on analyzing incoming requests, to stop an attack before it reaches the application. This article shows how to build a simple Nginx module that inspects the outgoing response body for sensitive data and blocks the response when it finds any. The module uses the PCRE regular expression library to inspect content and is based on a fork of Weibin Yao's nginx substitution filter.

The module can serve as an additional layer of defense against web attacks and complements a WAF that only analyzes incoming requests. In this article, the module is compiled into Nginx and packaged as a Docker image.
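The part of a response body filter that is easy to get wrong is that the body does not arrive in one piece: Nginx hands a filter module a chain of buffers, and a credit card number can be split across two of them. The following Python sketch, added here as an illustration and not taken from the article's C module, shows one way to scan a chunked body with regular expressions without missing a match that straddles a boundary. The three patterns, the sample bodies and the 64-byte overlap are constructed for the example; the article's module takes its PCRE patterns from the Nginx configuration.

```python
import re

# Patterns to block in an outgoing body. Constructed for this example; the
# article's module takes its PCRE patterns from the Nginx configuration.
SENSITIVE = (
    ("credit-card", re.compile(rb"\b\d{4}(?:[ -]?\d{4}){3}\b")),
    ("aws-access-key-id", re.compile(rb"AKIA[0-9A-Z]{16}")),
    ("sg-nric", re.compile(rb"\b[STFG]\d{7}[A-Z]\b")),
)


class BodyFilter:
    """Scan a response body that arrives in chunks, as it does in an Nginx
    body filter, and stop forwarding as soon as a pattern matches.

    The last OVERLAP bytes of every chunk are held back and prepended to the
    next one, so a match that straddles a chunk boundary is still seen whole.
    OVERLAP must be at least one byte less than the longest match any pattern
    can produce; a pattern that can match arbitrarily long text needs the
    whole body buffered instead.
    """
    OVERLAP = 64

    def __init__(self, patterns=SENSITIVE):
        self.patterns = patterns
        self.carry = b""
        self.blocked = None   # (pattern name, matched bytes) once a hit is found

    def feed(self, chunk, last=False):
        """Return the bytes that may be forwarded downstream for this chunk."""
        if self.blocked is not None:
            return b""
        data = self.carry + chunk
        for name, pattern in self.patterns:
            m = pattern.search(data)
            if m:
                self.blocked = (name, m.group())
                self.carry = b""
                return b""
        if last:
            self.carry = b""
            return data
        keep = min(self.OVERLAP, len(data))
        self.carry = data[-keep:]
        return data[:len(data) - keep]


def filter_body(chunks, patterns=SENSITIVE):
    """Run a whole body through the filter; return (forwarded bytes, blocked)."""
    flt = BodyFilter(patterns)
    out = []
    for i, chunk in enumerate(chunks):
        out.append(flt.feed(chunk, last=(i == len(chunks) - 1)))
    return b"".join(out), flt.blocked


if __name__ == "__main__":
    # Constructed response bodies; the first is split so that the card
    # number crosses the chunk boundary.
    leaked = [b"<html><body>Order 42 paid with card 4111 1111 ",
              b"1111 1111, expires 12/27</body></html>"]
    clean = [b"<html>", b"<body>Order 42 paid by cash</body>", b"</html>"]
    for body in (leaked, clean):
        forwarded, blocked = filter_body(body)
        print("blocked:", blocked, "forwarded:", forwarded)
```

Two consequences follow from the design. Holding back the overlap delays every chunk by up to 64 bytes, which is harmless; but anything already forwarded has left the server and cannot be retracted, so a filter that must suppress the entire response, as the article's does, has to buffer the body until it has been scanned in full before releasing any of it.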


Setting up a Test Lab using Google Cloud and strongSwan IPsec VPN


Know thyself, know thy enemy. A thousand battles, a thousand victories. 知己知彼百战百胜。 - Sun Tzu (孙子)

3 June 2018


As cloud computing and infrastructure as code gain wider adoption, more and more companies are moving their IT infrastructure and applications into the cloud. This often requires a new model of operation, both to take full advantage of what the cloud offers and to keep IT assets secure. IT and security professionals have to keep up and learn the skills of operating in the cloud.

This article shows how to set up an isolated test lab environment on Google Cloud Platform and connect it to a local network through a strongSwan IPsec VPN. A site-to-site VPN tunnel is configured so that local hosts can reach specific services in the test lab. The compute instances in the test lab are denied access to the internet and to the local network, which keeps the environment isolated. A separate management subnet on Google Cloud is used to manage the test lab.


Learning SQL Injection using Vulnerable Mama Shop


We are just an advanced breed of monkeys on a minor planet of a very average star. But we can understand the Universe. That makes us something very special. - Stephen Hawking

12 May 2018


Injection has been on the OWASP Top 10 list for many years, and SQL injection is a common injection technique used to attack websites and web applications. Applications that do not cleanly separate user input from database commands are at risk of malicious input being executed as SQL. This often leads to an entire application being taken over, sensitive data being stolen, malware being planted or the site being defaced.

This article introduces a simple learning tool, Vulnerable Mama Shop (VMS), that can help security professionals, penetration testers, developers and IT professionals learn about SQL injection. By knowing how SQL injection works, defenders can better protect critical web assets. VMS is a Docker application that runs Apache httpd, PHP and MariaDB. It is a simple online store that contains a SQL injection vulnerability; its simplicity makes it easy to learn SQL injection from.
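The mechanism behind the vulnerability fits in a few lines. The example below is added for this listing and is not VMS's own code or schema: it is a Python script against an in-memory SQLite database with a constructed products table and a constructed users table, and it puts the vulnerable product search beside the parameterised one so the two can be run with the same payloads. VMS itself uses PHP and MariaDB, but the failure mode is the same in any engine: once user input is pasted into the SQL text, the input can rewrite the query.

```python
import sqlite3

# Constructed schema and data for this example; not VMS's own database.
def make_shop():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
               "price REAL, hidden INTEGER)")
    db.executemany("INSERT INTO products (name, price, hidden) VALUES (?, ?, ?)",
                   [("Rice 5kg", 12.5, 0),
                    ("Cooking oil 2L", 6.8, 0),
                    ("Staff discount voucher", 0.0, 1)])
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT)")
    db.execute("INSERT INTO users (username, pwhash) VALUES ('admin', 'hash-of-admin-password')")
    return db


def search_vulnerable(db, term):
    """Product search as a vulnerable shop might write it: the user's term is
    pasted into the SQL text, so it can change the query's structure."""
    sql = ("SELECT name, price FROM products "
           "WHERE hidden = 0 AND name LIKE '%" + term + "%'")
    return db.execute(sql).fetchall()


def search_safe(db, term):
    """The same search with a bound parameter: the term is sent to the engine
    as data, separately from the SQL text, and can never become SQL itself."""
    sql = "SELECT name, price FROM products WHERE hidden = 0 AND name LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


# Two classic payloads. The first closes the string and comments out the rest
# of the WHERE clause, so the hidden row comes back; the second appends a
# UNION that reads a table the search was never meant to touch.
TAUTOLOGY = "' OR 1=1 --"
UNION = "' UNION SELECT username, pwhash FROM users --"


if __name__ == "__main__":
    db = make_shop()
    for term in ("rice", TAUTOLOGY, UNION):
        print(repr(term))
        print("  vulnerable:", search_vulnerable(db, term))
        print("  safe:      ", search_safe(db, term))
```

Note that the safe version does not escape anything: the wildcard characters are still added in Python, but the whole string travels to the engine as one parameter, so the quote in the payload is just a character to search for. Escaping quotes by hand is the fix that breaks the next time someone adds a numeric parameter; binding is the fix that holds.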


Detecting Web Defacements using JavaScript and Google App Engine


Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris. - Larry Wall

3 Apr 2018


A web application faces many kinds of attacks and security threats: it can be hijacked to spread malware, its sensitive data can be stolen, the website can be defaced, and so on. Security professionals and developers have to defend against these and ensure the availability of the application and the confidentiality and integrity of its data.

This article shows how to implement a simple monitoring application using client-side JavaScript and a Java JSP/Servlet application running on Google App Engine. The application detects unauthorized changes to static web content, such as web defacements, and alerts the website administrator. Many websites already use client-side JavaScript for analytics and performance monitoring, and the same technique can be used to monitor web content and detect tampering or defacement. It is a detection control rather than a preventive one: an attacker who can change the page can also remove the monitoring script, so the server side should also alert when the expected reports stop arriving.


Testing Two-Factor Authentication with Selenium


He who knows others is wise. He who knows himself is enlightened. 知人者智,自知者明。 - Lao Tzu (老子)

12 Jan 2018


An earlier article showed how to build a two-factor authentication mechanism using the Google Authenticator mobile app. This article shows how to automate testing of that mechanism using Selenium WebDriver and JUnit. Selenium is a browser automation tool that offers an API to control and automate browser actions. Combined with JUnit, it can be used to create automated test cases and test suites for web applications.


Implementing Two-Factor Authentication for Web Security


Self-education is, I firmly believe, the only kind of education there is. - Isaac Asimov

8 Jan 2018


The login and authentication mechanism of a web application plays a key role in securing user data. Modern web applications increasingly rely on multi-factor authentication, which combines two or more of the following: something the user knows (a password), something the user has (a token-generating device) and something the user is (a biometric). This article shows how to build a two-factor login for a Google App Engine Java application. The application uses a password together with a time-based one-time password (TOTP) from Google Authenticator, a mobile application that runs on a smartphone.


Writing an Nginx Response Body Filter Module


By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is bitterest. - Confucius (孔子)

15 Dec 2017


Nginx is a popular open-source web and proxy server known for its performance and used by many websites. It supports third-party modules that add functionality and customization. This article shows how to write a simple filter module that inserts a text string after the <head> element in an HTTP response body.


Farmer Wolf Cabbage Sheep River Crossing Puzzle


An expert is a person who has made all the mistakes that can be made in a very narrow field. - Niels Bohr

29 May 2017


Farmer, wolf, cabbage, sheep is a famous river crossing puzzle. It goes like this: a farmer wants to move a wolf, a cabbage and a sheep across a river. The farmer has only a small boat that can carry himself and one passenger. The wolf will eat the sheep if the farmer is not around, and the sheep will eat the cabbage if the farmer is not around. How can the farmer ferry all of them across the river?

The puzzle can be treated as a graph search problem and solved with either breadth-first search or depth-first search. This article shows how to build a simple Java application that solves it.
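The graph formulation is short enough to show in full. The Python below is an example added for this listing, not the article's Java program: each state is the set of items on the left bank plus the farmer's position, an edge is a legal crossing (one that leaves no predator alone with its prey), and breadth-first search from the start state finds a shortest plan. A small validator replays a plan so the solver's answer can be checked independently.

```python
from collections import deque

ITEMS = frozenset({"wolf", "sheep", "cabbage"})
# (predator, prey): the first eats the second when the farmer is away.
EATS = (("wolf", "sheep"), ("sheep", "cabbage"))

# A state is (items on the left bank, farmer on the left?). Everything starts
# on the left; the goal is an empty left bank with the farmer across as well.
START = (ITEMS, True)
GOAL = (frozenset(), False)


def is_safe(bank):
    """A bank left without the farmer is safe if no predator/prey pair is on it."""
    return not any(a in bank and b in bank for a, b in EATS)


def moves_from(state):
    """Yield (next_state, passenger) for every legal crossing from `state`.
    The farmer may cross alone (passenger None) or with one item from his bank."""
    left, farmer_left = state
    bank = left if farmer_left else ITEMS - left
    for passenger in [None] + sorted(bank):
        moved = frozenset([passenger]) if passenger else frozenset()
        new_left = left - moved if farmer_left else left | moved
        new_farmer_left = not farmer_left
        # The bank the farmer has just left is now unattended.
        unattended = new_left if not new_farmer_left else ITEMS - new_left
        if is_safe(unattended):
            yield (new_left, new_farmer_left), passenger


def solve():
    """Breadth-first search from START to GOAL. Returns the passenger of each
    crossing in order (None for an empty boat); BFS makes it a shortest plan."""
    parent = {START: None}
    queue = deque([START])
    while queue:
        state = queue.popleft()
        if state == GOAL:
            break
        for nxt, passenger in moves_from(state):
            if nxt not in parent:
                parent[nxt] = (state, passenger)
                queue.append(nxt)
    else:
        return None   # exhausted the graph without reaching the goal
    plan = []
    state = GOAL
    while parent[state] is not None:
        state, passenger = parent[state]
        plan.append(passenger)
    return plan[::-1]


def is_valid_plan(plan):
    """Replay a plan from START, checking every crossing, and confirm it ends at GOAL."""
    state = START
    for passenger in plan:
        legal = {p: s for s, p in moves_from(state)}
        if passenger not in legal:
            return False
        state = legal[passenger]
    return state == GOAL


if __name__ == "__main__":
    for i, passenger in enumerate(solve(), 1):
        who = "alone" if passenger is None else "with the " + passenger
        print("%d. farmer crosses %s" % (i, who))
```

The whole state space has only sixteen states, so depth-first search would also finish instantly; BFS is chosen because it guarantees the seven-crossing plan is the shortest, and the visited-set (`parent`) is what stops either search from cycling between the two banks forever.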


Building a UDP Token Bucket Rate Limit Server


If I have seen further than others, it is by standing upon the shoulders of giants. - Isaac Newton

20 Apr 2017


An earlier article, Creating a Finite State PHP Rate Limiter, showed how to build a PHP rate limiter backed by a MariaDB database. This article describes the implementation of a UDP server that hands out tokens for individual IPv4 addresses based on the token bucket algorithm, offering better performance than the previous rate limiter: the buckets are kept in memory, which is much faster to access than a MariaDB table. Web applications and scripts query the UDP server for tokens to throttle and rate limit requests by client IP address.
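The token bucket itself is a few lines of arithmetic; what an in-memory, per-IP limiter also has to solve is that every new source address costs memory, and a UDP service sees whatever source addresses an attacker cares to spoof. The Python below is an example added for this listing, not the article's server code: it implements lazily refilled buckets keyed by IPv4 address with an injectable clock (so the behaviour can be tested without sleeping), evicts idle buckets when the table is full, and wraps it in a hypothetical datagram handler whose wire format (ASCII dotted-quad in, "1" or "0" out) is invented for the example and is not the article's protocol.

```python
import ipaddress
import time


class TokenBucket:
    """A bucket holding at most `capacity` tokens, refilled continuously at
    `rate` tokens per second. Refill is computed lazily from the elapsed time
    on each request, so an idle bucket costs nothing between requests."""
    __slots__ = ("capacity", "rate", "tokens", "updated")

    def __init__(self, capacity, rate, now):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.updated = now

    def take(self, now, n=1):
        elapsed = max(0.0, now - self.updated)     # tolerate a clock that steps back
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False


class RateLimiter:
    """One bucket per IPv4 address, kept in memory. The clock is injectable so
    the behaviour can be tested without sleeping."""

    def __init__(self, capacity=10, rate=1.0, clock=time.monotonic, max_buckets=100000):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.max_buckets = max_buckets
        self.buckets = {}

    def allow(self, ip):
        now = self.clock()
        bucket = self.buckets.get(ip)
        if bucket is None:
            # Unbounded growth is the attack surface of an in-memory limiter:
            # a flood of spoofed source addresses would create a bucket each.
            # Buckets idle long enough to be full again carry no useful
            # state, so those are the ones to evict when the table is full.
            if len(self.buckets) >= self.max_buckets:
                self.evict_idle(now)
            bucket = self.buckets[ip] = TokenBucket(self.capacity, self.rate, now)
        return bucket.take(now)

    def evict_idle(self, now):
        full_after = self.capacity / self.rate
        idle = [ip for ip, b in self.buckets.items() if now - b.updated >= full_after]
        for ip in idle:
            del self.buckets[ip]

    def handle_datagram(self, payload):
        """Hypothetical wire format for a UDP front end (not the article's own
        protocol): the request is the client's dotted-quad IPv4 address in
        ASCII; the reply is b"1" if a token was granted, b"0" otherwise.
        Anything that is not a valid IPv4 address is refused without creating
        a bucket, so garbage cannot fill the table."""
        try:
            ip = str(ipaddress.IPv4Address(payload.decode("ascii").strip()))
        except ValueError:
            return b"0"
        return b"1" if self.allow(ip) else b"0"


if __name__ == "__main__":
    limiter = RateLimiter(capacity=5, rate=1.0)
    for i in range(7):
        print(i + 1, limiter.handle_datagram(b"203.0.113.7"))
```

Canonicalising the address through ipaddress.IPv4Address matters more than it looks: without it, "10.0.0.1" and "010.0.0.1" would get separate buckets and the limit could be multiplied by rewriting the same address. A production server would also put the datagram loop in a single thread or guard the bucket table with a lock, since the refill-then-take sequence is not atomic.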


Exploring Buffer Overflow and Stack Smashing


To know that we know what we know, and to know that we do not know what we do not know, that is true knowledge. - Nicolaus Copernicus

3 Apr 2017


A lot has been written about buffer overflow vulnerabilities, and most software developers and IT professionals have at least a basic idea of the issue. However, many people, IT security professionals included, have no direct hands-on experience with this age-old vulnerability; it is the attackers who actually use such techniques. To be effective defenders and fend off cyber attacks, it is increasingly important for IT professionals to learn about such offensive methods and techniques.

This article explores classical buffer overflow and stack smashing, showing how it is actually done using the exploit exercises provided by the Protostar live CD.


Web Application Security Headers


Absence of evidence is not evidence of absence. - Carl Sagan

5 March 2017


Web application security requires much effort and spans the entire application life cycle, from design through development, testing and deployment to final decommissioning. One common way to improve web application security is through HTTP security headers such as Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options and X-Frame-Options. If you are running a web server like Nginx or Apache httpd, setting proper security headers is not difficult and improves security for users whose browsers are modern and up to date enough to honour them. Older browsers ignore the headers, so they complement fixes in the application itself rather than replace them.
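Whether the headers are actually being sent, and with values that mean something, is easy to check from the outside. The Python below is an example added for this listing, not code from the article: it audits a dictionary of response headers against a small baseline and reports what is missing or weak. The baseline (a one-year HSTS max-age, nosniff, DENY or SAMEORIGIN framing, a CSP without 'unsafe-inline' in the script sources, a Referrer-Policy, and no version number in Server) is a set of common recommendations chosen for the example, not the article's list, and the two sample header sets are constructed.

```python
import re

# Baseline used by the audit. Constructed for this example from common
# recommendations; adjust to your own policy.
HSTS_MIN_AGE = 31536000          # one year
FRAME_OPTIONS_OK = {"DENY", "SAMEORIGIN"}


def parse_csp(csp):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers):
    """Check a response's headers against the baseline and return findings as
    (severity, header, message) tuples; an empty list means it passed.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security",
                         "missing; browsers will still follow http:// links to this host"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < HSTS_MIN_AGE:
            findings.append(("medium", "Strict-Transport-Security",
                             "max-age %d is below %d seconds" % (age, HSTS_MIN_AGE)))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options",
                         "should be 'nosniff' to stop MIME sniffing"))

    csp = h.get("content-security-policy")
    directives = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append(("high", "Content-Security-Policy",
                         "missing; nothing restricts where scripts may load from"))
    else:
        # script-src falls back to default-src when absent; 'unsafe-inline'
        # in the effective script sources lets injected inline scripts run.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append(("high", "Content-Security-Policy",
                             "effective script-src allows 'unsafe-inline'"))

    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in directives and xfo not in FRAME_OPTIONS_OK:
        findings.append(("medium", "X-Frame-Options",
                         "missing or invalid value %r and no CSP frame-ancestors; "
                         "page can be framed for clickjacking" % (xfo,)))

    if "referrer-policy" not in h:
        findings.append(("low", "Referrer-Policy",
                         "missing; full URLs leak in the Referer header"))

    server = h.get("server", "")
    if re.search(r"/\d", server):
        findings.append(("low", "Server", "reveals software version (%s)" % server))

    return findings


if __name__ == "__main__":
    # Constructed sample: the kind of headers a default install sends.
    sample = {"Server": "nginx/1.14.0", "Content-Type": "text/html",
              "X-Frame-Options": "ALLOWALL",
              "Strict-Transport-Security": "max-age=3600",
              "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
    for severity, header, message in audit_headers(sample):
        print("[%s] %s: %s" % (severity, header, message))
```

The function takes a plain dictionary so it can be fed from any HTTP client's response object, or from a captured response in a test suite, which is where such a check earns its keep: a deployment that drops a header during a server migration is caught before users are.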


Creating a Finite State PHP Rate Limiter


My name is Sherlock Holmes. It is my business to know what other people don't know. - Arthur Conan Doyle

3 March 2017


Security at the application layer is increasingly important in a digital world where web and mobile applications are pervasive. Resource and rate limiting techniques are often used in networking and operating systems to prioritize and control the use of shared resources. The same techniques can be applied in application security: they make brute-force attacks and vulnerability probing harder for attackers, and reduce spam from automated bots. This article shows how to create a simple finite state PHP rate limiter using a MariaDB database as the storage.
