Night Hour

Reading under a cool night sky ... a quiet night of contemplation ...

Learning SQL Injection using Vulnerable Mama Shop


We are just an advanced breed of monkeys on a minor planet of a very average star. But we can understand the Universe. That makes us something very special. - Stephen Hawking

12 May 2018


Injection attacks have been on the OWASP Top 10 list for many years, and SQL injection is a common injection technique used for attacking websites and web applications. Applications that do not cleanly separate user input from database commands are at risk of malicious input being executed as SQL commands. This often leads to an entire application being taken over, sensitive data being stolen, malware being planted, or a web defacement.

This article introduces a simple learning tool, Vulnerable Mama Shop (VMS), that can help security professionals, penetration testers, developers and IT professionals learn about SQL injection. By knowing how SQL injection works, defenders can better protect critical web assets. Vulnerable Mama Shop (VMS) is a Docker application that runs Apache2 httpd, PHP and MariaDB. It is a simple online store that contains a SQL injection vulnerability. Its simplicity makes it easy to learn SQL injection.


Detecting Web Defacements using Javascript and Google App Engine


Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris. - Larry Wall

3 Apr 2018


A web application faces different kinds of attacks and security threats. The application can be hijacked to spread malware, sensitive data can be stolen, the website can be defaced, and so on. Security professionals and developers have to defend against these and ensure the availability of the application and the confidentiality and integrity of its data.

This article shows how to implement a simple monitoring application using client-side JavaScript and a Java JSP/Servlet application running on Google App Engine. The application can detect unauthorized changes to static web content, e.g. web defacements, and alert the website administrator. Many websites already use client-side JavaScript for analytics and performance monitoring. The same techniques can be used to monitor web content as well, to detect tampering or website defacement.


Testing 2 Factor Authentication with Selenium


He who knows others is wise. He who knows himself is enlightened. (知人者智，自知者明。) - Lao Tzu (老子)

12 Jan 2018


An earlier article shows how to build a 2 factor authentication mechanism using the Google Authenticator mobile app. This article shows how to automate testing of the 2 factor authentication mechanism using Selenium WebDriver and JUnit. Selenium is a browser automation tool offering an API to control and automate browser actions. It can be used with JUnit to create automated test cases and test suites for web applications.


Implementing 2 Factor Authentication for Web Security


Self-education is, I firmly believe, the only kind of education there is. - Isaac Asimov

8 Jan 2018


The login and authentication mechanism of a web application plays a key role in securing user data. Modern web-based applications increasingly rely on multi-factor authentication. Two of the following methods are generally used: what a user knows (password), what a user has (physical token generation device), or who a user is (biometric). This article shows how to build a two factor authentication login for a Google App Engine Java application. The application uses a password and a time-based token from Google Authenticator, a mobile application that runs on a smartphone.


Writing an Nginx Response Body Filter Module


By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is bitterest. - Confucius (孔子)

15 Dec 2017


Nginx is a popular open-source web and proxy server that is known for its performance and used by many websites. It supports third-party modules that can provide additional functionality and customization. This article shows how to write and develop a simple filter module that inserts a text string after the <head> element in an HTTP response body.


Farmer Wolf Cabbage Sheep River Crossing Puzzle


An expert is a person who has made all the mistakes that can be made in a very narrow field. - Niels Bohr

29 May 2017


Farmer, wolf, cabbage, sheep is a famous river crossing puzzle. The puzzle goes like this: a farmer wants to move a wolf, a cabbage and a sheep across a river. The farmer has only a small boat that can carry himself and one passenger. The wolf will eat the sheep if the farmer is not around. The sheep will eat the cabbage if the farmer is not around. How can the farmer ferry all of them across the river?

The puzzle can be treated as a graph search problem and solved using either breadth first search or depth first search. This article shows how to build a simple Java application that solves it.


Building a UDP Token Bucket Rate Limit Server


If I have seen further than others, it is by standing upon the shoulders of giants. - Isaac Newton

20 Apr 2017


An earlier article, Creating a Finite State Php Rate Limiter, shows how to build a PHP rate limiter backed by a MariaDB database. This article describes the implementation of a UDP server that serves out tokens for individual IPv4 addresses based on the token bucket algorithm, offering better performance than the previous rate limiter. The buckets are stored in memory, enabling faster access compared to the MariaDB solution. Web applications and scripts can query the UDP server for tokens to throttle and rate limit requests based on client IP addresses.


Exploring Buffer Overflow and Stack Smashing


To know that we know what we know, and to know that we do not know what we do not know, that is true knowledge. - Nicolaus Copernicus

3 Apr 2017


A lot has been written about buffer overflow vulnerabilities, and many software developers and IT professionals will at least have some basic understanding of the issue. However, most people, including IT security professionals, may not necessarily have direct practice with this age-old vulnerability. It is the hackers and malicious attackers who will be using such techniques, after all. To be effective defenders and fend off cyber attacks, it is increasingly important for IT professionals to learn about such offensive methods and techniques.

This article explores classical buffer overflow and stack smashing, showing how it is actually done using the exploit exercises provided by the Protostar live CD.


Web Application Security Headers


Absence of evidence is not evidence of absence. - Carl Sagan

5 Mar 2017


Web application security requires much effort. It involves the entire application life cycle, from design through development, testing and deployment to final decommissioning. One common way to improve web application security is through the use of web security headers. If you are running a web server like Nginx or Apache httpd, setting up proper HTTP security headers is not difficult and can help improve security for users of modern, up-to-date browsers that support such headers.


Creating a Finite State Php Rate Limiter


My name is Sherlock Holmes. It is my business to know what other people don't know. - Arthur Conan Doyle

3 Mar 2017


Security at the application layer is increasingly important in our digital world, where web and mobile applications are pervasive. Resource and rate limiting techniques are often used in networking and operating systems to prioritize and control the usage of shared resources. Such techniques can also be applied in application security, making brute force attacks harder, making it harder for attackers to probe an application for vulnerabilities, and reducing spam from automated bots. This article shows how to create a simple finite state PHP rate limiter using a MariaDB database as the storage.
