Friday 30 August 2013

Distributed Application Frameworks

Primary purpose: "Distributed and asynchronous processing using the Publish/Subscribe communication model".

NServiceBus:
MassTransit:
Queues:
  • MSMQ
  • Amazon Queue
  • SQL Server Queue
Saga:
  • A long-running process, usually used to handle the life cycle of a certain parent message


Wednesday 14 August 2013

Oracle

Oracle Data Access Components (ODAC) for Oracle Client: 
http://www.oracle.com/technetwork/database/windows/downloads/index-101290.html

Installing the above will enable you to connect to an Oracle Server from your PC. It installs the Oracle Client together with all the required data access components.

Friday 2 August 2013

Security Threats of Internet Applications

Cross-Site Scripting (XSS)

An attacker injects client-side script into a web application so that when users request certain pages, they also receive the attacker's content along with the page. This is a significant security risk for application servers.

It can lead to stolen cookies and manipulated pages. A stolen session cookie means the attacker can log on to the target website as you!

Example:

  • The attacker sends the user an email containing a link to the vulnerable site, on which the user has an account.
  • Once the link is clicked, the malicious script is returned from the vulnerable site and executed in the user's browser.
  • The script sends the user's session cookie to the attacker.
  • The attacker can access the user's account on the site and do whatever he/she desires!

https://en.wikipedia.org/wiki/Cross-site_scripting

How to prevent it?

  • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • Set all cookies as HttpOnly
  • https://www.owasp.org/index.php/XSS
  • DOM-based XSS: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
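The two defences named in the list above, output encoding per the OWASP cheat sheet and an HttpOnly session cookie, as an added example in Node.js that is not part of the original post. The function names, the comment-rendering template and the sample inputs are assumptions made for the example:

```javascript
// Added example (not from the original post): context-aware output encoding
// plus an HttpOnly session cookie, i.e. the two defences the list above names.
// Function names and the comment-rendering template are assumptions.

// Encode untrusted data for HTML element content (OWASP rule #1):
// & < > " ' / can no longer open a tag, close one, or end a quoted string.
function encodeForHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Encode untrusted data for a quoted HTML attribute value (OWASP rule #2):
// every non-alphanumeric code point becomes &#xHH;, so nothing can break
// out of the attribute or introduce an on* event handler.
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu,
    (ch) => '&#x' + ch.codePointAt(0).toString(16).toUpperCase() + ';');
}

// Server-side template for a stored comment: each untrusted value is encoded
// for the exact context it lands in (attribute value vs. element body).
function renderComment(author, body) {
  return '<div class="comment" data-author="' + encodeForHtmlAttribute(author) + '">'
       + '<p>' + encodeForHtml(body) + '</p></div>';
}

// Build the Set-Cookie header for the session id. HttpOnly keeps the cookie
// out of document.cookie, so even a script that does run cannot read it;
// Secure and SameSite limit where the browser will send it.
function sessionCookieHeader(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(value)) throw new Error('cookie value must be a token');
  return name + '=' + value + '; Path=/; Secure; HttpOnly; SameSite=Lax';
}

// Constructed sample inputs (made up for this example) that model what a
// stored-XSS payload looks like once it sits in the database.
const SAMPLE_BODY = 'Nice post! <script>alert(document.cookie)</script>';
const SAMPLE_AUTHOR = 'mallory" onmouseover="alert(1)';

console.log(renderComment(SAMPLE_AUTHOR, SAMPLE_BODY));
console.log(sessionCookieHeader('ASP.NET_SessionId', 'abc123'));
```

The rendered comment contains `&lt;script&gt;` rather than a script element, and the author value cannot close the `data-author` attribute because the quote became `&#x22;`. Encoding is chosen per context: the body encoder would not be enough inside an attribute, which is why the attribute encoder is stricter.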

Open Redirection Attacks

1. An attacker sends a malicious email to website users (or simply puts a malicious link online) asking them to log on via the genuine Dashboard logon page below, with a ReturnUrl that redirects to the forged page:
2. https://www.MIS.com/Dashboard/LogOn?ReturnUrl=https%3A%2F%2Fwww.MIIS.com/Dashboard
3. The user logs in, but Dashboard redirects them to the external forged site.
4. Note that the malicious site's name has an extra "i", so users won't notice it, and the page looks exactly like the genuine Dashboard site (that's super easy to create; just "save page as"!).
5. The forged page shows an error message asking the user to log in again. The user might think they mistyped their password.
6. Our username/password get saved by the forged site.
7. Then it redirects us back to the genuine Dashboard site as normal.
8. The end result is that the attacker has stolen the user's credentials silently, without the user even noticing.
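The fix for the logon page is to accept a ReturnUrl only when it stays on the site. Below is an added example in Node.js, not code from the original post or from the Dashboard application; the site origin, the fallback landing path and the function names are assumptions made for the example:

```javascript
// Added example (not from the original post): validating the ReturnUrl of a
// logon page so it can only redirect within the site, which defeats the
// MIS.com -> MIIS.com trick described above. The site origin and the fallback
// path are assumptions for the example, not the real Dashboard's values.

const SITE_ORIGIN = 'https://www.mis.com';

// True only for a same-site relative path such as "/Dashboard/Reports?id=7".
function isLocalUrl(url) {
  if (typeof url !== 'string' || url.length === 0) return false;
  // Must start with a single "/": "//host" and "/\host" are scheme-relative
  // URLs, and absolute URLs ("https://...") do not start with "/" at all.
  if (url[0] !== '/') return false;
  if (url.length > 1 && (url[1] === '/' || url[1] === '\\')) return false;
  // Control characters (tabs, newlines) are stripped by the URL parser and
  // could hide a second "/", so refuse them outright.
  if (/[\u0000-\u001F\u007F]/.test(url)) return false;
  // Defence in depth: resolve against our origin the way a browser would and
  // confirm the result still points at us.
  let resolved;
  try { resolved = new URL(url, SITE_ORIGIN); } catch (e) { return false; }
  return resolved.origin === new URL(SITE_ORIGIN).origin;
}

// The LogOn action decodes ReturnUrl once (as the framework's query parsing
// would) and falls back to a fixed landing page whenever it is not local.
function safeRedirectTarget(rawReturnUrl, fallback = '/Dashboard') {
  const raw = rawReturnUrl == null ? '' : String(rawReturnUrl);
  let decoded;
  try { decoded = decodeURIComponent(raw); } catch (e) { return fallback; }
  return isLocalUrl(decoded) ? decoded : fallback;
}

// Constructed samples: the forged link from the steps above and a genuine one.
const FORGED_RETURN_URL = 'https%3A%2F%2Fwww.MIIS.com/Dashboard';
const GENUINE_RETURN_URL = '/Dashboard/Reports?id=7';

console.log(safeRedirectTarget(FORGED_RETURN_URL));   // "/Dashboard"
console.log(safeRedirectTarget(GENUINE_RETURN_URL));  // "/Dashboard/Reports?id=7"
```

With this check in place the link in step 2 still shows the genuine logon page, but after a successful login the user lands on `/Dashboard` instead of the forged site, so the redirect the attack depends on never happens. Rejecting rather than "fixing" a bad ReturnUrl keeps the rule simple enough to reason about.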


Other Security Concerns:

  • XSS Attacks (Cross Site Scripting)
    • XSS Phishing
    • XSS Stored Attacks
    • XSS Reflected Attacks
  • CSRF Attacks (Cross Site Request Forgery)
  • XST Attacks (Cross Site Tracing)
  • Cross-Server Attacks
  • Concurrency
  • SQL Injection; perhaps not relevant to us
  • SSL
  • Unvalidated input controls

Security Firms:

  • https://www.qualys.com/
  • https://www.gdssecurity.com/
  • https://www.checkmarx.com/
  • http://www.pentest.co.uk/
Standards: