Archive for the ‘Featured’ Category

Embedding Vulnerabilities Trend Graph in SharePoint or Blog

Posted by rajivvishwa On August - 2 - 2011

In this post, we talk about using various third-party chart APIs to display a trend graph on any SharePoint site (or a blog). These graphs deliver a quick summary of the vulnerabilities identified during various security assessments. The graph can be embedded in a security SharePoint portal or a dashboard that is accessed by clients or higher management.

For applications that are assessed at the end of every release cycle (version change), this graph lets one visualize the trend of vulnerability detection over time. The severity scale – Critical, High, Medium & Low (Info) – is also displayed in the graph.

We will have a look at two charting APIs to achieve this – Google Charts and Highcharts.

Using Google Charts

Using the Google Charts API, we embed the following chart on our SharePoint site. Once the code is embedded, users can hover over the data points to get their values and other information.

Google Chart

There are several obvious reasons for choosing a chart API over a static image inserted into the site.

  1. It's easy to update. You just need to change the values in the embed code.
  2. Less cluttered. As you can see, the values of the data points are not displayed in the chart. If anyone needs to know a value, he/she just has to hover over the column.
  3. It can later be programmed to update itself from the data available in any SharePoint list.

Read the rest of this entry »

This batch file decompiles an APK to its corresponding Java sources. People who are looking to do a code review of an Android app whose source code is not readily available can use this batch file. It runs various free tools available on the internet in sequence to obtain the Java source files.

This is not made to encourage piracy/plagiarism in any case.

How To

1. Extract the batch file and lib folder to C:\apk2java\ (or any folder that doesn't have a space in its path)

2. Backup the target app’s apk from phone to PC via ASTRO Browser (check this post for details)

3. Keep the target APK in the root folder where the batch file is present

Copy target apk to exec folder

4. Run ‘apk2java.bat target.apk’ in cmd

c:\apk2java>apk2java.bat target.apk

Execute Command

Process Complete

Read the rest of this entry »

List of Chrome Browser Extensions for Security Analysts

Posted by rajivvishwa On April - 16 - 2011

A list of Chrome browser extensions that can be useful while performing application security assessments. Some of the extensions were already discussed earlier in our blog. As a side note, a similar collection exists for Firefox users – check SecFox at the Mozilla Add-ons Collection site.

Note: The table below will be updated regularly. If you find any add-ons that are not listed but might be useful while conducting pentests, please mention them in the comments.

Read the rest of this entry »

This post explains rooting a T-Mobile G2/HTC Vision and then installing CyanogenMod 7 (Gingerbread) while retaining the apps and data that were in use with the stock ROM. The entire process, from rooting to the installation of CyanogenMod, should not take more than half an hour.

Read the rest of this entry »

Adblock Browser Addon Can Block Malware And Not Just Ads

Posted by rajivvishwa On September - 29 - 2010

AdBlock is one of the most popular browser extensions; it blocks the ads and annoying page elements that are usually displayed on web pages. It works by matching the patterns of unwanted elements in the page against the patterns in its filter database and removing the matches.

AdBlock can be made more effective by adding custom patterns for the elements to be filtered. This feature of AdBlock can be extended to block not only ads but also malicious content that is injected into seemingly genuine sites. This is done by adding the MalwareDomains subscription to our AdBlock preferences. MalwareDomains is a list of domains known to be used to propagate malware and spyware. AdBlock checks whether any cross-domain content is loaded from a site present in that list and, if so, blocks those elements.

Note: Subscribing to this list can increase the load time of sites – an increase in security at the cost of a slight reduction in performance.

Here, we illustrate the steps to add the MalwareDomains list to the AdBlock add-on for the Chrome and Firefox browsers.

I. Adding the MalwareDomains Subscription in Chrome

Download Adblock for Chrome here.

1. Access the AdBlock Options from the Chrome Extensions page and add the MalwareDomains URL (http://malwaredomains.lanik.us/malwaredomains_full.txt)

Chrome Add Subscription

2. The entered URL will now be displayed in the subscriptions list. Make sure that it's checked.

Chrome Display Added Subscription

Read the rest of this entry »

Conceptualizing Next Gen Browser Experience

Posted by rajivvishwa On August - 31 - 2010

It is the revolution of web browsers; they rule the internet now. Browsers have evolved a great deal from what we saw in the days of IE6. Now Firefox, Chrome, Opera and IE are at war to prove who is the best. They try different ways to win the hearts of users: Firefox took a great leap by introducing the 'Panorama' feature – a focus on multitasking; Chrome gets appreciation for its fluid design – a focus on simplicity and ease of use; Opera and IE have browser stability as a priority – a focus on robustness.

During this evolution, some browsers try to stand out from the others by introducing a new feature that had never been available in any of their counterparts. The other browsers instead wait for the users' comments on the new feature; if it is appreciated, they implement the same feature in theirs, maybe in a better way. The browser that introduced the feature first might even lose the credit for it in due course. Users are forced to switch from their favorite browser for a 'single feature' they found useful in the 'other' browser. Once they have completely switched and got used to the new browser, the old one brings out the same feature plus a few bonus features. This cycle never ends. Firefox introduced tabs and extensions when IE did not have them; people were attracted to it and finally switched to Firefox. Then the lightweight Chrome came with tab tearing, web apps, a new-tab page with speed dial and many other features, which made a few users make Chrome their default browser. Firefox then inherited a few of Chrome's features, such as syncing, and added Exposé-like Tab Candy/Panorama effects. We should not have to switch browsers just for UI features, and if we do, it should be seamless.

This article tries to identify the best features in each browser and the features we expect to be part of any modern browser. Here, we try to baseline a few ideas, ideas that take browser design to the next level.

Browser Main Screen (Mockup)

Mockup – Main Screen

Read the rest of this entry »

13 Chrome Extensions for Security Testers

Posted by rajivvishwa On May - 17 - 2010

This post lists 13 Chrome extensions to aid security testers during web application pen testing.

1. WebDeveloper

Adds a toolbar button with various web developer tools. This is the official port of the Web Developer extension for Firefox. Internal post here.
WebDeveloper

2. Firebug Lite

Firebug Lite provides the rich visual representation we are used to seeing in Firebug when it comes to HTML elements, DOM elements and box model shading.
Firebug Lite

3. Pendule

This add-on is similar to WebDeveloper but not as powerful. Internal post here.
Pendule

Read the rest of this entry »

13 Portable Visual Disk Space Analyzers Compared

Posted by rajivvishwa On April - 22 - 2010

There are various hard disk space analyzers that give us a graphical representation of the files and folders that eat up our hard disk. These tools even provide options to visually navigate through the folders to view the space occupied by their subfolders. Here, we talk about a few popular disk analyzers that are portable and worth giving a shot.

A comparison of all of them is presented in a table at the end of this post.

Security Perspective: If you are an info sec guy, especially in forensics, you can use these tools to identify the presence of hidden large files or archives that might contain sensitive data. Most of the time, secret TrueCrypt container files are hidden inside OS folders to make them look genuine.

Note: Most of the apps mentioned here can be downloaded in a portable format. The others can be made portable using the method mentioned here.

Comparison Table – here.

Read the rest of this entry »

Running BackTrack Security Distro In VMWare

Posted by rajivvishwa On April - 12 - 2010

BackTrack is the most popular security distro used during pentests. While we can partition our hard disk, install this OS and dual boot it with our default OS, things can be made simpler by running a BackTrack VM within our default OS. Using a security distro in a VM gives us a few advantages, such as portability and the ability to quickly restore or duplicate instances as required.

Running Backtrack

The BackTrack 4 VM can be downloaded from the BackTrack site (link at the end of the post), and to run the VM we need the free VMware Player.

Install VMware Player and open the BT VM with it. We are good to go with the default configuration unless we have more RAM to spare (it's recommended to give the VM 512MB of RAM if you have around 2GB).

Adjust Backtrack VM RAM


Default Credentials

The BackTrack VM comes with the following default login credentials (which can be changed later, of course):

bt login:  root
Password:  toor
. . .
root@bt:~#  startx

Read the rest of this entry »

Add Syntax Highlighting to SharePoint Sites

Posted by rajivvishwa On April - 9 - 2010

This post details the steps to add a syntax highlighting feature to any SharePoint site where you have access to upload files to the server. This can help people who embed code snippets in a SharePoint site and share them with their team.

Syntax Highlight Screenshot

Step 1

Download and extract the SyntaxHighlighter scripts to your PC (check the download link at the bottom of the post). Now access the SharePoint site and create the folder structure shown in the screenshot below (i.e. create 'scripts', 'src' and 'styles' folders inside a 'syntax' folder in 'Shared Documents'). Then upload the syntax highlighter files to the appropriate folders.

Upload Scripts Folder Structure


Read the rest of this entry »
