Configuring Apache Httpd Reverse Proxy for Internal Virtualbox VM
Trying is only good when accompanied by commonsense.
, Random thoughts.
5 Nov 2019
For small companies, some of their enterprise applications may reside on internal servers; but these applications may have to be made available to users over the public internet. An Apache HTTPD reverse proxy can be used to control access to such internal applications, improving security. This article describes how to set up an Apache HTTPD reverse proxy that will restrict access to an internal application running on a virtualbox virtual machine. The Apache HTTPD reverse proxy itself will be set up on a Ubuntu VM (virtual machine) in the same virtualbox host.
Developing an Nginx URL Whitelisting Module
Premature optimization is the root of all evil. ,
29 Oct 2019
One of the challenges of securing web applications and websites is preventing the accidental exposure of sensitive parts of an application or website, such as administrative interfaces. A common technique is to blacklist an application path and prevent access to resources starting with that path; other techniques include disabling unneeded administrative interfaces, or removing unwanted features. This article shows how to develop an Nginx module that allow access only to whitelisted URLs or web resources.
Replacing and Updating Html files using BeautifulSoup
Obey the principles without being bound by them. , Bruce Lee
12 Jan 2019
It is the new year again. For websites that consists mainly of static html pages that are built manually, a common task is to update the year and copyright information or some other common text/elements. This can be time consuming if the website has many pages. This article shows to automate such changes and modifications using BeautifulSoup, a python library for parsing html. It also shows how to use BeautifulSoup and Response to check for broken links in html files.
Blocking Sensitive Content using Nginx and Docker
I'm smart enough to know that I'm dumb. , Richard Feynman
21 June 2018
Web application firewalls (WAFs) are often deployed by security professionals to protect applications against malicious attacks. Some of these like the popular opensource Mod-Security, can inspect both the incoming requests and the outgoing responses to detect web attacks or information leakage. There are also cloud-based WAFs such as those by Cloudflare, Securi etc... that make it easy to protect a web application.
Not all web application firewalls offer outgoing response inspection. Some WAFs focused only on analyzing incoming requests to stop attacks before these reach the application. This article shows how to build a simple Nginx module that can inspect outgoing response body for sensitive data and block the response. The module uses PCRE regular expression library to inspect content and is based on a fork of Weibin Yao's nginx substitution filter.
Setting up a Test Lab using Google Cloud and strongSwan Ipsec VPN
Know thy self, know thy enemy. A thousand battles, a thousand victories. 知己知彼百战百胜。 , Sun Tzu （孙子）
3 June 2018
As cloud computing and infrastructure as code gain wider adoption, more and more companies are moving their IT infrastructure and applications into the cloud. This often requires a new model of operation, to take full advantage of what the cloud has to offer and to ensure the security of IT assets. IT and Security professionals have to keep up and learn the skills of operating in the cloud.
This article shows how to set up an isolated test lab environment on Google Cloud Platform and connecting it to a local network through strongSwan Ipsec VPN. A site to site VPN tunnel is configured such that local hosts can access specific services on the isolated test lab. The compute instances on the test lab though are denied access to the internet and to the local network, creating an isolated environment. A separate management subnet on Google Cloud is used to manage the test lab.
Learning SQL Injection using Vulnerable Mama Shop
We are just an advanced breed of monkeys on a minor planet of a very average star. But we can understand the Universe. That makes us something very special. , Stephen Hawking
12 May 2018
Injection attack is on the OWASP Top 10 list for many years and SQL Injection is a common injection technique used for attacking websites and web applications. Applications that do not cleanly separate user input from database commands are at risk of malicious input being executed as SQL commands. This often lead to an entire application being taken over, sensitive data being stolen, malicious malware being planted or a web defacement.
This article introduces a simple learning tool, Vulnerable Mama Shop (VMS), that can help security professionals, penetration testers, developers and IT professionals to learn about SQL Injection. By knowing how SQL injection works, defenders can better protect critical web assets. Vulnerable Mama Shop(VMS) is a docker application that runs Apache2 Httpd, Php and MariaDB. It is a simple online store that contains a SQL injection vulnerability. Its simplicity makes it easy to learn SQL injection.
Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris. , Larry Wall
3 Apr 2018
A web application faces different kinds of attacks and security threats. The application can be hijacked to spread malware, sensitive data can be stolen, the website can be defaced etc... Security professionals and developers have to defend against these and ensure the availability of the application, the confidentiality and integrity of its data.
Testing 2 Factor Authentication with Selenium
He who knows others is wise. He who knows himself is enlightened. 知人者智，自知者明。 , Lao Tzu （老子）
12 Jan 2018
An earlier article
shows how to build a 2 Factor authentication mechanism using Google Authenticator Mobile App. This article shows how to automate testing of the 2 factor authentication mechanism using Selenium WebDriver and Junit. Selenium is a browser automation tool offering an API to control and automate browser actions. It can be used with Junit to create automated test cases and test suites for web applications.
Implementing 2 Factor Authentication for Web Security
Self-education is, I firmly believe, the only kind of education there is. , Isaac Asimov
8 Jan 2018
The login and authentication mechanism of a web application plays a key role in securing user data. Modern web-based applications increasingly rely on multi-factor authentication. Two of the following methods are generally used: what a user knows (password), what a user has (physical token generation device), or who a user is (biometric). This article shows how to build a two factor authentication login for a Google App Engine Java application. The application uses password and a time-based token from Google Authenticator, a mobile application that runs on a smartphone.
Writing an Nginx Response Body Filter Module
By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is bitterest. , Confucius (孔子)
15 Dec 2017
Nginx is a popular opensource web/proxy server that is known for its performance and used by many websites. It supports 3rd party modules that can provide additional functionalities and customizations. This article shows how to write and develop a simple filter module that inserts a text string after the html <head> tag in a HTTP response body
Farmer Wolf Cabbage Sheep River Crossing Puzzle
An expert is a person who has made all the mistakes that can be made in a very narrow field , Niels Bohr
29 May 2017
Farmer, wolf, cabbage, sheep is a famous river crossing puzzle. The puzzle goes like this, a farmer wants to move a wolf, cabbage and sheep across a river. The farmer has only a small boat that can sit himself and one passenger. The wolf will eat the sheep if the farmer is not around. The sheep will eat the cabbage if the farmer is not around. How can the farmer ferry all of them across the river ?
The puzzle can be treated as a graph search problem and be solved using either breadth first search or depth first search. This article shows how to build a simple java application that solves this.
Building a UDP Token Bucket Rate Limit Server
If I have seen further than others, it is by standing upon the shoulders of giants. , Isaac Newton
20 Apr 2017
An earlier article,
Creating a Finite State Php Rate Limiter, shows how to build a php rate limiter using mariadb database. This article describes the implementation of a UDP server that serves out tokens for individual IPv4 addresses based on Token Bucket algorithm
; offering better performance than the previous rate limiter. The buckets are stored in memory, enabling faster access compared to the mariadb solution. Web applications and scripts can query the udp server for tokens to throttle and rate limit requests based on client IP addresses.
Exploring Buffer Overflow and Stack Smashing
To know that we know what we know, and to know that we do not know what we do not know, that is true knowledge. , Nicolaus Copernicus
3 Apr 2017
A lot has been written about buffer overflow vulnerabilities and many software developers and IT professionals will at least have some basic concepts about this issue. However, most people including IT security professionals may not necessary have direct practice with this age old vulnerability. It is the hackers and malicious attackers who will be using such techniques after all. To be effective defenders and fend off cyber attacks, it is increasingly important for IT professionals to learn about such offensive methods and techniques.
This article explores classical buffer overflow and stack smashing. Showing how it is actually done using the exploit exercises provided by the protostar live cd.
Web Application Security Headers
Absence of evidence is not evidence of absence. , Carl Sagan
5 March 2017
Web application security requires much efforts. It involves the entire application life cycle. From design to development, testing and deployment, and the final decommissioning. One common way to improve web application security is through the use of web security headers. If you are running a web server like Nginx, Apache httpd etc..., setting up proper HTTP security headers is not difficult and can help to improve security for users who are using modern and up to date browsers that support such headers.
Creating a Finite State Php Rate Limiter
My name is Sherlock Holmes. It is my business to know what other people don't know. , Arthur Conan Doyle
3rd March 2017
Security at the application layer is increasingly important in our digital world where web and mobile applications are pervasive, offering attackers prime targets to hack. Resource and rate limiting techniques are often used in networking and operating systems to prioritize and control the usage of shared resources. Such techniques can also be applied in application security, making it harder for brute force attacks, for attackers to probe an application for vulnerabilities and reducing spams from automated bots. This article shows how to create a simple finite state Php rate limiter using Mariadb database as the storage.