a4apphack

In this post, we talk about using various third party Chart APIs to display a trend graph on any SharePoint site (or a blog). These graphs delivers a quick summary of the vulnerabilities identified during various security assessments. This can be embedded in a Security SharePoint portal or a dashboard which will be accessed by clients/higher management.

For applications that are assessed at the end of every release cycle (version change), from this graph, one can visualize the trend of vulnerability detection. Here severity scale – Critical, High, Medium & Low (Info) is also displayed in the graph.

We will have a look at 2 charting APIs to achieve this – Google Charts and Highcharts

Using Google Charts

By using Google Charts API, we try to embed the following chart on our SharePoint site. Once the code is embedded, user can hover over the data points to get its value and other information.

There are various obvious reasons for choosing a chart API over a static image inserted into the site.

1. Its easy to update. Just need to change the values in the embed code.
2. Less cluttered. As you can see, values of the data points are not displayed in the chart. If anyone needs to know the value, he/she just has to hover over any column.
3. This can later be programmed to update itself from the data available in any SharePoint list.

Read the rest of this entry »

This post explains about rooting a Tmobile G2/HTC Vision and then installing Cyanogenmod 7 (Gingerbread) while retaining the apps and data that were in use with stock ROM. Entire process from rooting till installation of Cyanogenmod should not take more than half an hour.

Read the rest of this entry »

It is the revolution of web browsers; they rule internet now. Browsers have evolved so much from what we had seen during the days of IE6. Now Firefox, Chrome, Opera, IE are on war to prove who is the best. They try different ways to win the heart of users; Firefox took a great leap by introducing the ‘panaroma’ feature – focus on multitasking, chrome gets appreciation for its fluid design – focus on simplicity & ease of use, Opera and IE has browser stability on priority – focus on robustness.

During this evolution, some browsers tries to standout from others by introducing a new feature which had never been available in any of their counterparts. But the other browsers instead wait for the users comments on the new feature implemented, if appreciated, they implement the same feature in theirs, may be in a better way. The browser who introduced that feature first might even loose its credit in due course. User is forced to switch from their  favorite browser for a ‘single feature’ they found useful in the ‘other’ browser. Once they completely switch and get used to the new browser, the old one brings out the same feature plus few bonus features. This cycle never ends. Firefox introduced tabs and extensions when IE did not have in them, people were attracted to it and finally switched to firefox. Then the light weight chrome came with Tab tearing, web apps, new tab page with speed dial and many other features, made few users to make chrome as their default browser. Firefox then inherited few of chromes’ features, syncing and expose like tab candy/panaroma effects. We don’t have to switch browsers just for UI features, and if at all we do, it should be seamless.

This article tries to identify best features in each of the browser and the features we expect to be part any modern browser. Here, we try to baseline few ideas, those ideas which takes browser design to the next level.

Browser Main Screen (Mockup)

MOCKUP - Main Screen - Click over image to zoom

Read the rest of this entry »

Google has launched Secure Google search hosted on SSL lately . This post talks on how to enable this Secure Google search to the browser search bar/search suggestions in Firefox, Chrome and IE browsers.

Updated: Added Screenshots for IE

1. Firefox

Go to the Mozilla Addons Page and add Google SSL Search Plugin

Select ‘Start using it right away in the dialog box that displays – Add “Google SSL” to the list of engines available in the search bar?

2. Chrome

Right Click on Chrome Omnibar(Address bar) and Select ‘Edit Search Engines’.

In the Edit Search Engines Dialog box add https://www.google.com/search?q=%s in the URL field and click on Make Default Button.

Dont forget to check the Chrome Extensions List for Security Testers, here (Internal Post)

3. Internet Explorer

• Access the Add Search Providers page

• In the Create Your Own enter https://www.google.com/search?q=TEST in the URL field

Click on the Install Button to see the following screen. Check the ‘Make this my default search provider’

Now the Search box in IE will display Google.

via Google Blog and TechDows

Gruyere is a vulnerable application which can be used to learn and understand web vulnerabilities. Detailed documentation is provided on the type of the vulnerabilities present in the application and ways to exploits it.

Update: Jarlsberg is now Gruyere

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you’ll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you’ll learn the following:

• How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
• How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

Documentation Here

Read the rest of this entry »

Skipfish is an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Installation on Ubuntu/BackTrack (via Redspin)

Use the following commands in the terminal windows to install and run Skipfish. Replace OUTPUT_FOLDER and TARGETSITE with the domain name and the target’s URL respectively. Also change the wget URL to the URL of the latest version of Skipfish download available.

wget http://skipfish.googlecode.com/files/skipfish-1.29b.tgz
tar zxvf skipfish-1.01b.tgz
sudo apt-get install libidn11-dev
cd skipfish
make
cp dictionaries/default.wl skipfish.wl
./skipfish -o OUTPUT_FOLDER http://www.TARGETSITE.com

Trial Run

Installed SkipFish and ran on the target site, specs below.

Guest OS : BackTrack4 VM

Host OS : Windows Vista

RAM : 512MB

Application Size : Medium ( < 1000 Unique Pages )

Internet Speed : 1 MBPS

Skipfish Verbose

Skipfish displays the scan run statistics continuously during the run. Once the scan run is complete, we get to see the scan summary (shown in the below screenshot).

Skipfish Console (Click to Enlarge)

Read the rest of this entry »

Chrome is becoming popular among the developers due to its extended support for the upcoming web technologies. If these features of chrome can help the developers to dissect & analyse the newest web applications, so can it for security analysts. Firefox has become so popular among the security guys due to the availability of addons like WebDeveloper/Firebug which can aid them during their security assessments.

The extension Pendule is an attempt to reproduce the features of WebDeveloper Addon for firefox. Currently it doesn’t support all the features of WebDeveloper but expected to incorporate soon.

Pendule - Chrome Extension

Features

1. Form Manipulations

2. View Javascripts

3. Show Image Paths Inline

Download Pendule:

Translate any page on the fly in a single click by using a simple bookmarklet. Entire page is translated without a need of reload and it happens in real time. The best part is that ‘Automatic Language Detection’ is enabled by default, so all you have to do is to click on Translate button in the ‘Google Translate’ bar displayed after opening the bookmarklet.

Click on the Translate and notice that the translation progress is displayed

Real Time Translation - In Progress

Read the rest of this entry »

Google Gears provides enhanced interactive functionality for websites designed to use it: drag-and-drop, client-side database storage, and the ability to view and work with specially prepared websites when offline (not connected to the Internet).

Now-a-days most of the feature rich sites interact with the Gears installed in the PC and makes our browsing experience better. But what if we frequently switch our PCs and use portable version of Firefox! what if we dont have admin privileges in the PC we are currently working with? Gears Portable Addon can save our day.

Read the rest of this entry »

Greased LightMonkey is a GreaseMonkey script which helps us to enhance our image browsing experience. This works in all the websites which links to any image. This script will help you to view the full size of the image thumbnail links in the same page without having to navigate to any other browser tab or window .

This script comes with additional controls like slideshow, navigation, zoom options.

Keyboard shortcuts are available too…

Note: GreaseMonkey needs to be installed in your firefox so as to make this script work. Install it from here

Tip:

1. Close the lightbox containing the image by just clicking outside the image area.
2. This script can be easily enabled or disabled by right clicking GreaseMonkey Icon in the status bar and check/uncheck Greased Lightbox from the menu.

Install Greased LightMonkey :

After installation, go to the below links and click on the image thumbnails to popup the lightbox.
http://www.mozilla.org/projects/calendar/sunbird/screenshot.html
http://images.google.co.in/images?&q=31nst31n