
Tuesday, May 27, 2008

Web site security – Ajax security

Fuelled by the increased interest in Web 2.0, AJAX (Asynchronous JavaScript Technology and XML) is attracting the attention of businesses all round the globe.

AJAX is meant to increase interactivity, speed, and usability. These technologies give the user a richer, friendlier experience, because web applications are designed to imitate 'traditional' desktop applications.

There is a general misconception that AJAX applications are more secure, because it is assumed that a user cannot reach the server-side script without the rendered user interface (the AJAX-based web page). XML HTTP Request based web applications obscure their server-side scripts, and this obscurity gives website developers and owners a false sense of security: obscurity is not security. Since XML HTTP requests use the same protocol as everything else on the web (HTTP), AJAX-based web applications are, technically speaking, exposed to the same attack methodologies as 'normal' applications.

Another weakness of AJAX lies in the process that formulates server requests. The AJAX engine uses JavaScript to capture the user's commands and transform them into function calls. These function calls are sent to the server as plain, visible text and may easily reveal database table fields such as valid product and user IDs, or even important variable names, valid data types or ranges, and any other parameters that an attacker could manipulate.

With this information, an attacker can use the AJAX functions without the intended interface by crafting specific HTTP requests directly to the server. In the case of cross-site scripting, maliciously injected scripts can leverage the functionality AJAX provides to act on behalf of the user, with the ultimate aim of redirecting the user's browsing session (e.g., phishing) or monitoring the user's traffic.
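The point above is that an XML HTTP request endpoint is just an HTTP endpoint, so every check the page's JavaScript appears to make must be repeated on the server. The following is an added example, not code from the original post: a minimal handler for an "order lookup" AJAX endpoint in two versions, one that trusts the rendered UI to have limited which IDs a user can ask for, and one that validates and authorises on the server. The data set, the session shape and the function names (ORDERS, parseOrderId, getOrderTrustingUi, getOrder, compareHandlers) are assumptions made for this example.

```javascript
// Added example, not code from the original post: a server-side handler for
// an AJAX endpoint, in a weak and a hardened form. ORDERS, the session shape
// and all function names are assumptions made for this example.

// Constructed sample data standing in for an orders table in a database.
const ORDERS = {
  "1001": { owner: "alice", total: 42.5 },
  "1002": { owner: "bob", total: 17.0 },
};

// Parse the raw query-string value the way the server must: never assume the
// front-end JavaScript only ever sends a well-formed numeric id.
function parseOrderId(raw) {
  if (typeof raw !== "string" || !/^[1-9][0-9]{0,8}$/.test(raw)) return null;
  return raw;
}

// Weak version: relies on the rendered page having offered the user only
// their own order ids, so it just looks the record up. A request built
// directly with any HTTP tool bypasses that assumption entirely.
function getOrderTrustingUi(session, query) {
  const order = ORDERS[query.id];
  return order ? { status: 200, body: order } : { status: 404, body: null };
}

// Hardened version: authenticates, validates the id, and enforces ownership
// server-side. Ownership failures return 404 rather than 403 so the endpoint
// does not confirm which ids exist to a caller who is guessing them.
function getOrder(session, query) {
  if (!session || typeof session.user !== "string") return { status: 401, body: null };
  const id = parseOrderId(query.id);
  if (id === null) return { status: 400, body: null };
  const order = ORDERS[id];
  if (!order || order.owner !== session.user) return { status: 404, body: null };
  return { status: 200, body: order };
}

// Replay the same requests against both handlers. Each entry models an HTTP
// request built without the page's UI, which is exactly what the AJAX
// endpoint cannot distinguish from a legitimate one.
function compareHandlers() {
  const requests = [
    { who: "alice", query: { id: "1001" } },  // own record
    { who: "alice", query: { id: "1002" } },  // somebody else's record
    { who: "alice", query: { id: "12abc" } }, // malformed id
    { who: null,    query: { id: "1001" } },  // no session at all
  ];
  return requests.map(({ who, query }) => {
    const session = who ? { user: who } : null;
    return {
      query: query.id,
      trusting: getOrderTrustingUi(session, query).status,
      hardened: getOrder(session, query).status,
    };
  });
}
```

Running `compareHandlers()` shows the difference in one table: the trusting handler answers 200 for another user's record and for an unauthenticated caller, while the hardened one answers 404 and 401 respectively and rejects the malformed id with 400. The server-side code is the only place where the checks are guaranteed to run.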

Solution

The only solution for effective and efficient security auditing is a vulnerability scanner that automates the crawling of websites to identify weaknesses. However, a scanner without an engine that parses and executes JavaScript cannot discover the requests that the AJAX code generates, so its crawl is inaccurate and gives website owners a false sense of security.

Sunday, May 25, 2008

Special Characters in Development

Name Code               Number Code     Glyph   Description

&lsquo;                 &#8216;         ‘       left single quote
&rsquo;                 &#8217;         ’       right single quote
&sbquo;                 &#8218;         ‚       single low-9 quote
&ldquo;                 &#8220;         “       left double quote
&rdquo;                 &#8221;         ”       right double quote
&bdquo;                 &#8222;         „       double low-9 quote
&dagger;                &#8224;         †       dagger
&Dagger;                &#8225;         ‡       double dagger
&permil;                &#8240;         ‰       per mill sign
&lsaquo;                &#8249;         ‹       single left-pointing angle quote
&rsaquo;                &#8250;         ›       single right-pointing angle quote
&spades;                &#9824;         ♠       black spade suit
&clubs;                 &#9827;         ♣       black club suit
&hearts;                &#9829;         ♥       black heart suit
&diams;                 &#9830;         ♦       black diamond suit
&oline;                 &#8254;         ‾       overline, = spacing overscore
&larr;                  &#8592;         ←       leftward arrow
&uarr;                  &#8593;         ↑       upward arrow
&rarr;                  &#8594;         →       rightward arrow
&darr;                  &#8595;         ↓       downward arrow
&trade;                 &#8482;         ™       trademark sign

                        &#00;-&#08;             unused
                        &#09;                   horizontal tab
                        &#10;                   line feed
                        &#11;-&#31;             unused
                        &#32;                   space
                        &#33;           !       exclamation mark
&quot;                  &#34;           "       double quotation mark
                        &#35;           #       number sign
                        &#36;           $       dollar sign
                        &#37;           %       percent sign
&amp;                   &#38;           &       ampersand
                        &#39;           '       apostrophe
                        &#40;           (       left parenthesis
                        &#41;           )       right parenthesis
                        &#42;           *       asterisk
                        &#43;           +       plus sign
                        &#44;           ,       comma
                        &#45;           -       hyphen
                        &#46;           .       period
                        &#47;           /       slash
                        &#48;-&#57;     0-9     digits 0-9
                        &#58;           :       colon
                        &#59;           ;       semicolon
&lt;                    &#60;           <       less-than sign
                        &#61;           =       equals sign
&gt;                    &#62;           >       greater-than sign
                        &#63;           ?       question mark
                        &#64;           @       at sign
                        &#65;-&#90;     A-Z     uppercase letters A-Z
                        &#91;           [       left square bracket
                        &#92;           \       backslash
                        &#93;           ]       right square bracket
                        &#94;           ^       caret
                        &#95;           _       horizontal bar (underscore)
                        &#96;           `       grave accent
                        &#97;-&#122;    a-z     lowercase letters a-z
                        &#123;          {       left curly brace
                        &#124;          |       vertical bar
                        &#125;          }       right curly brace
                        &#126;          ~       tilde
                        &#127;-&#149;           unused
&ndash;                 &#150;          –       en dash
&mdash;                 &#151;          —       em dash
                        &#152;-&#159;           unused
&nbsp;                  &#160;                  nonbreaking space
&iexcl;                 &#161;          ¡       inverted exclamation
&cent;                  &#162;          ¢       cent sign
&pound;                 &#163;          £       pound sterling
&curren;                &#164;          ¤       general currency sign
&yen;                   &#165;          ¥       yen sign
&brvbar; or &brkbar;    &#166;          ¦       broken vertical bar
&sect;                  &#167;          §       section sign
&uml; or &die;          &#168;          ¨       umlaut
&copy;                  &#169;          ©       copyright
&ordf;                  &#170;          ª       feminine ordinal
&laquo;                 &#171;          «       left angle quote
&not;                   &#172;          ¬       not sign
&shy;                   &#173;          ­       soft hyphen
&reg;                   &#174;          ®       registered trademark
&macr; or &hibar;       &#175;          ¯       macron accent
&deg;                   &#176;          °       degree sign
&plusmn;                &#177;          ±       plus or minus
&sup2;                  &#178;          ²       superscript two
&sup3;                  &#179;          ³       superscript three
&acute;                 &#180;          ´       acute accent
&micro;                 &#181;          µ       micro sign
&para;                  &#182;          ¶       paragraph sign
&middot;                &#183;          ·       middle dot
&cedil;                 &#184;          ¸       cedilla
&sup1;                  &#185;          ¹       superscript one
&ordm;                  &#186;          º       masculine ordinal
&raquo;                 &#187;          »       right angle quote
&frac14;                &#188;          ¼       one-fourth
&frac12;                &#189;          ½       one-half
&frac34;                &#190;          ¾       three-fourths
&iquest;                &#191;          ¿       inverted question mark
&Agrave;                &#192;          À       uppercase A, grave accent
&Aacute;                &#193;          Á       uppercase A, acute accent
&Acirc;                 &#194;          Â       uppercase A, circumflex accent
&Atilde;                &#195;          Ã       uppercase A, tilde
&Auml;                  &#196;          Ä       uppercase A, umlaut
&Aring;                 &#197;          Å       uppercase A, ring
&AElig;                 &#198;          Æ       uppercase AE
&Ccedil;                &#199;          Ç       uppercase C, cedilla
&Egrave;                &#200;          È       uppercase E, grave accent
&Eacute;                &#201;          É       uppercase E, acute accent
&Ecirc;                 &#202;          Ê       uppercase E, circumflex accent
&Euml;                  &#203;          Ë       uppercase E, umlaut
&Igrave;                &#204;          Ì       uppercase I, grave accent
&Iacute;                &#205;          Í       uppercase I, acute accent
&Icirc;                 &#206;          Î       uppercase I, circumflex accent
&Iuml;                  &#207;          Ï       uppercase I, umlaut
&ETH;                   &#208;          Ð       uppercase Eth, Icelandic
&Ntilde;                &#209;          Ñ       uppercase N, tilde
&Ograve;                &#210;          Ò       uppercase O, grave accent
&Oacute;                &#211;          Ó       uppercase O, acute accent
&Ocirc;                 &#212;          Ô       uppercase O, circumflex accent
&Otilde;                &#213;          Õ       uppercase O, tilde
&Ouml;                  &#214;          Ö       uppercase O, umlaut
&times;                 &#215;          ×       multiplication sign
&Oslash;                &#216;          Ø       uppercase O, slash
&Ugrave;                &#217;          Ù       uppercase U, grave accent
&Uacute;                &#218;          Ú       uppercase U, acute accent
&Ucirc;                 &#219;          Û       uppercase U, circumflex accent
&Uuml;                  &#220;          Ü       uppercase U, umlaut
&Yacute;                &#221;          Ý       uppercase Y, acute accent
&THORN;                 &#222;          Þ       uppercase THORN, Icelandic
&szlig;                 &#223;          ß       lowercase sharp s, German
&agrave;                &#224;          à       lowercase a, grave accent
&aacute;                &#225;          á       lowercase a, acute accent
&acirc;                 &#226;          â       lowercase a, circumflex accent
&atilde;                &#227;          ã       lowercase a, tilde
&auml;                  &#228;          ä       lowercase a, umlaut
&aring;                 &#229;          å       lowercase a, ring
&aelig;                 &#230;          æ       lowercase ae
&ccedil;                &#231;          ç       lowercase c, cedilla
&egrave;                &#232;          è       lowercase e, grave accent
&eacute;                &#233;          é       lowercase e, acute accent
&ecirc;                 &#234;          ê       lowercase e, circumflex accent
&euml;                  &#235;          ë       lowercase e, umlaut
&igrave;                &#236;          ì       lowercase i, grave accent
&iacute;                &#237;          í       lowercase i, acute accent
&icirc;                 &#238;          î       lowercase i, circumflex accent
&iuml;                  &#239;          ï       lowercase i, umlaut
&eth;                   &#240;          ð       lowercase eth, Icelandic
&ntilde;                &#241;          ñ       lowercase n, tilde
&ograve;                &#242;          ò       lowercase o, grave accent
&oacute;                &#243;          ó       lowercase o, acute accent
&ocirc;                 &#244;          ô       lowercase o, circumflex accent
&otilde;                &#245;          õ       lowercase o, tilde
&ouml;                  &#246;          ö       lowercase o, umlaut
&divide;                &#247;          ÷       division sign
&oslash;                &#248;          ø       lowercase o, slash
&ugrave;                &#249;          ù       lowercase u, grave accent
&uacute;                &#250;          ú       lowercase u, acute accent
&ucirc;                 &#251;          û       lowercase u, circumflex accent
&uuml;                  &#252;          ü       lowercase u, umlaut
&yacute;                &#253;          ý       lowercase y, acute accent
&thorn;                 &#254;          þ       lowercase thorn, Icelandic
&yuml;                  &#255;          ÿ       lowercase y, umlaut

Tuesday, May 20, 2008

// Replace every new line character in the notes string with a <br> tag.
// varNotes is assumed to hold the notes text already; redeclaring it with
// "var" on the same line would make the right-hand side read undefined.
// If the notes come from user input, escape them for HTML before this step,
// otherwise any markup they contain is inserted into the page as-is.
varNotes = varNotes.replace(
    // Replace out the new line character.
    new RegExp( "\\n", "g" ),

    // Put in … so we can see a visual representation of where
    // the new line characters were replaced out.
    "<br>"
);
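The character table in the post above and the newline-to-`<br>` snippet meet in the same place: text that is put into a page as HTML must have its special characters turned into the named or numeric codes from that table, and text received from a browser may arrive with those codes already in it. The following is an added example, not code from either post: a small HTML-entity encoder and a single-pass decoder built from entries in the table, followed by a version of the snippet that escapes the notes before inserting the line breaks. The function names (escapeHtml, decodeEntities, notesToHtml) and the NAMED subset are assumptions for this example.

```javascript
// Added example, not code from the original posts. Function names and the
// NAMED subset are assumptions made for this example.

// Named entities used by the decoder; the numbers are the Number Code column
// of the character table for the same names.
const NAMED = {
  amp: 38, lt: 60, gt: 62, quot: 34, nbsp: 160, copy: 169, reg: 174,
  lsquo: 8216, rsquo: 8217, ldquo: 8220, rdquo: 8221, trade: 8482,
};

// Characters that must be escaped before untrusted text is placed in element
// content or a quoted attribute. &#39; is used for the apostrophe because
// &apos; is not in the HTML 4 entity set shown in the table.
const ESCAPE = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE[ch]);
}

// Decode &name;, &#DDD; and &#xHH; references in one pass. Decoding once, on
// input, lets validation see the same characters the browser would; a second
// pass over the output would turn "&amp;lt;" into "<", which is the classic
// double-encoding mistake, so this function is deliberately single-pass.
function decodeEntities(text) {
  return String(text).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (match, body) => {
    let cp;
    if (body[0] === "#") {
      cp = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
    } else if (Object.prototype.hasOwnProperty.call(NAMED, body)) {
      // Own-property check only: "&constructor;" must not reach Object.prototype.
      cp = NAMED[body]; // case-sensitive, as &Auml; and &auml; differ in HTML
    }
    if (cp === undefined || Number.isNaN(cp) || cp > 0x10ffff) return match; // leave unknown refs alone
    return String.fromCodePoint(cp);
  });
}

// The blog snippet replaced "\n" with "<br>" on the raw string. If the notes
// came from a user, that would insert any markup they contain into the page.
// Escape first, then add the line breaks, so only the <br> tags are markup.
function notesToHtml(notes) {
  return escapeHtml(notes).replace(/\r?\n/g, "<br>");
}
```

`notesToHtml("Deliver to <b>Alice</b> & co\nby 5pm")` yields `Deliver to &lt;b&gt;Alice&lt;/b&gt; &amp; co<br>by 5pm`: the user's tags are rendered as literal text while the line break still becomes a `<br>`. Keep `decodeEntities` on the input side and `escapeHtml` on the output side; applying either twice is where encoding bugs come from.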

Saturday, May 10, 2008

SSL in WebLogic 7.0

WebLogic SSL Generation Process

STEP 1:

CertGen is a WebLogic-only utility and works only on a system where WebLogic is installed.

Set the CLASSPATH system environment variable to include \bea\weblogic700\server\lib\weblogic.jar.

Generate a private key and a certificate (public key) using CertGen.

Syntax:

java utils.CertGen password certfilename keyfilename [export] [hostname]

Password : the password given to the private key.

Certfilename : the file name for the certificate, also called the public key.

Keyfilename : the file name for the private key.

Export : use this option so that WebLogic accepts the key.

Hostname : by default the hostname is the system name.

E.g.:

java utils.CertGen satish123 weblogiccert weblogickey export www.credense.com

The files generated by the above example are:

Public keys (certificates):

weblogiccert.pem (PEM format)

weblogiccert.der (DER format)

Private keys:

weblogickey.pem (PEM format)

weblogickey.der (DER format)

STEP 2:

Then generate a JKS file (Java keystore) from the private key and certificate generated above.

If the JKS file name given already exists, ImportPrivateKey overwrites its contents and generates a new file, so choose the JKS file name carefully.

Syntax:

java utils.ImportPrivateKey keystore keystorepass alias keypass certfile keyfile

E.g.: java utils.ImportPrivateKey satish.jks satish123 weblogickey satish123 weblogiccert.der weblogickey.der

Keystore : name of the keystore (the JKS file name).

Keystorepass : password for the keystore.

Alias : the name to enter as Server Private Key Alias in the WebLogic console (see the figure below).

Keypass : password of the private key, as given when the key was generated.

Certfile : name of the certificate file.

Keyfile : name of the private key file.

STEP 3:

The step below is not necessary if the path is given in startWebLogic.cmd.

-Dweblogic.security.SSL.trustedCAKeyStore is the path and name of the Java keystore (JKS), and -Dweblogic.management.pkpassword is the password for that keystore.

If trustedCAKeyStore is not given, WebLogic uses the default keystore j2sdk1.4.2_10\jre\lib\security\cacerts, and if -Dweblogic.management.pkpassword is not given in startWebLogic.cmd the default password is "changeit".

rem Both options go on one line: a second "set JAVA_OPTIONS=" would overwrite the first.
set JAVA_OPTIONS=-Dweblogic.management.pkpassword=satish123 -Dweblogic.security.SSL.trustedCAKeyStore=D:\Satish\ssl\keys\satish.jks

Then import the public key (certificate) generated above into

j2sdk1.4.2_10\jre\lib\security\cacerts

STEP 4:

Configuration in the WebLogic 7.0 server

Go to https://localhost:7002/console

Now go to Servers → myserver → Connections → SSL

Set the default keystore:

Private Key Store Location: the JKS file generated for WebLogic.

Private Key Store Pass Phrase: the keystore password.

Server Private Key Alias: the alias name given when the WebLogic keys were generated.

Server Certificate File Name: the path and name of the certificate file.

Server Key File Name: the name of the private key file.

Server Private Key Pass Phrase: the private key password.

STEP 5:

Now restart the WebLogic server to enable SSL, and try it on the default SSL port, 7002.
