Installing the Burp SSL certificate in your browser
One of the functions of SSL is to authenticate the identity of web servers. To intercept traffic between your browser and a web server, Burp has to break the SSL connection. This causes a security warning in your browser, because it detects that it is not communicating directly with the authentic web server. The warning looks different in IE, Mozilla Firefox, Chrome and Safari, but the cause is the same.

To allow HTTPS websites to load properly, Burp uses its own certificate authority (CA). It generates an SSL certificate for each host you visit and signs it with its CA certificate. To prevent the security warnings, install Burp's CA certificate as a trusted root in your browser; the browser will then trust the SSL connections it makes to Burp and the per-host certificates are accepted without alerts. Because the browser will from then on trust anything signed by this CA, install it only in the browser or profile you use for testing. Installing the certificate is simple, but the details depend on your browser.

IE – First launch IE as Administrator. Then, using Burp as your proxy, visit any HTTPS URL and click "Continue to this website (not recommended)". Click on 'Certificate Error' and 'View Certificates'. Go to 'Certification Path', select 'PortSwigger CA' and click 'View Certificate'. This displays the Certificate screen. Click 'Install Certificate' and in the wizard click 'Next'. Select "Place all certificates in the following store", browse and select "Trusted Root Certification Authorities". Click 'Next' and then 'Finish'. Confirm the action and restart IE. You will now be able to visit any HTTPS URL without warnings.

Mozilla Firefox – Using Burp as your proxy, visit any HTTPS URL. Click 'I Understand the Risks' and 'Add Exception'. View the certificate, and from the 'Details' tab select 'PortSwigger CA', 'Export' the certificate, save it somewhere and close all pop-ups. Go to 'Options'. From the pop-up select 'Advanced' –> 'Encryption' –> 'View Certificates'. Click 'Import', select the certificate you saved and tick the check box 'Trust this CA to identify websites'. Click 'OK' on all pop-ups to close them. You should now be able to visit any HTTPS URL without warning messages.

Chrome – Chrome uses the certificate trust store of your host computer. Normally, if you install the Burp certificate using your computer's default browser, Chrome will use it too. Otherwise, using Burp as your proxy, visit any HTTPS URL, click 'Proceed anyway', click the broken lock icon and view the certificate information. This links you to the relevant settings on your host computer, where you select the 'PortSwigger CA' certificate.

Safari – Visit any HTTPS URL using Burp as your proxy. Click 'Show Certificate' and select the 'PortSwigger CA' certificate. Click on 'Trust' and select the option 'Always Trust'. Click 'Continue' and enter your password if asked to update the settings. You will now be able to visit any HTTPS URL without warning messages.

Have questions? Contact the technology experts at InApp to learn more.
Find the MIME type of a file based on the file signature
Sometimes we need to store images in a database instead of as physical files. For this purpose, SQL Server provides a data type called image. For simplicity, the file extension is stored along with the image content; the extension helps to identify the MIME type when loading the content from the database. If the file extension is incorrect or missing, we cannot download the document as a known type. The solution to this problem is MIME type detection using Urlmon.dll, which derives an appropriate MIME type from the binary data itself. Urlmon.dll exports a function called FindMimeFromData.

```csharp
using System;
using System.Runtime.InteropServices;

internal static class NativeMethods
{
    // P/Invoke declaration for urlmon.dll's FindMimeFromData (Windows only).
    [DllImport("urlmon.dll", CharSet = CharSet.Unicode, ExactSpelling = true, SetLastError = false)]
    public static extern int FindMimeFromData(
        IntPtr pBC,
        [MarshalAs(UnmanagedType.LPWStr)] string pwzUrl,
        [MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.I1, SizeParamIndex = 3)] byte[] pBuffer,
        int cbSize,
        [MarshalAs(UnmanagedType.LPWStr)] string pwzMimeProposed,
        int dwMimeFlags,
        out IntPtr ppwzMimeOut,
        int dwReserved);
}

public static class UrlmonMimeDetector
{
    public static string GetMimeType(byte[] content)
    {
        // Hand at most the first 4096 bytes to urlmon.
        int maxContent = Math.Min(content.Length, 4096);
        byte[] buf = new byte[maxContent];
        Array.Copy(content, buf, maxContent);

        IntPtr mimeout;
        int result = NativeMethods.FindMimeFromData(IntPtr.Zero, null, buf, maxContent, null, 0, out mimeout, 0);
        if (result != 0)
            throw Marshal.GetExceptionForHR(result);

        // The returned string is COM-allocated; the caller must free it.
        string mime = Marshal.PtrToStringUni(mimeout);
        Marshal.FreeCoTaskMem(mimeout);
        return mime;
    }
}
```

FindMimeFromData tests for the following MIME types: text/plain, text/html, text/xml, text/richtext, text/scriptlet, audio/x-aiff, audio/basic, audio/mid, audio/wav, image/gif, image/jpeg, image/pjpeg, image/png, image/x-png, image/tiff, image/bmp, image/x-xbitmap, image/x-jg, image/x-emf, image/x-wmf, video/avi, video/mpeg, application/octet-stream, application/postscript, application/base64, application/macbinhex40, application/pdf, application/xml, application/atom+xml, application/rss+xml, application/x-compressed, application/x-zip-compressed, application/x-gzip-compressed, application/java, application/x-msdownload.

FindMimeFromData does not detect Word or Excel files; it simply returns "application/octet-stream" for them. To determine the MIME type of a Word or Excel file, we have to compare the file content against a set of known byte sequences (file signatures).

```csharp
using System.Linq;

public static class SignatureMimeDetector
{
    private static readonly byte[] BMP = { 66, 77 };                                    // "BM"
    private static readonly byte[] MSO = { 208, 207, 17, 224, 161, 177, 26, 225 };       // OLE2 header; MSO includes doc, xls
    private static readonly byte[] XLS = { 77, 105, 99, 114, 111, 115, 111, 102, 116, 32, 69, 120, 99, 101, 108, 0 }; // "Microsoft Excel\0"
    private static readonly byte[] GIF = { 71, 73, 70, 56 };                            // "GIF8"
    private static readonly byte[] JPG = { 255, 216, 255 };
    private static readonly byte[] PDF = { 37, 80, 68, 70, 45, 49, 46 };                // "%PDF-1."
    private static readonly byte[] PNG = { 137, 80, 78, 71, 13, 10, 26, 10, 0, 0, 0, 13, 73, 72, 68, 82 };
    private static readonly byte[] TIFF = { 73, 73, 42, 0 };                            // "II*\0" (little-endian)

    public static string GetMimeType(byte[] content)
    {
        string mime = "application/octet-stream";
        if (content.Take(2).SequenceEqual(BMP)) mime = "image/bmp";
        else if (content.Take(8).SequenceEqual(MSO))
            // doc and xls share the OLE2 header; look for the Excel marker anywhere in the file.
            mime = IsOfType(content, XLS) ? "application/vnd.ms-excel" : "application/msword";
        else if (content.Take(4).SequenceEqual(GIF)) mime = "image/gif";
        else if (content.Take(3).SequenceEqual(JPG)) mime = "image/jpeg";
        else if (content.Take(7).SequenceEqual(PDF)) mime = "application/pdf";
        else if (content.Take(16).SequenceEqual(PNG)) mime = "image/png";
        else if (content.Take(4).SequenceEqual(TIFF)) mime = "image/tiff";
        return mime;
    }

    // Returns true when pattern occurs anywhere in contents. The original reset the
    // match index on a mismatch without re-testing the current byte, which could miss
    // a match that starts right after a partial one; this version re-tests every offset.
    private static bool IsOfType(byte[] contents, byte[] pattern)
    {
        for (int start = 0; start + pattern.Length <= contents.Length; start++)
        {
            int i = 0;
            while (i < pattern.Length && contents[start + i] == pattern[i]) i++;
            if (i == pattern.Length) return true;
        }
        return false;
    }
}
```
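As an added example (not the page's C# code), the same signature table in Python, together with a check that the extension stored beside the blob agrees with what the bytes say, since a wrong extension is exactly the failure the page describes. The big-endian TIFF entry, the "%PDF-" prefix (which also covers PDF 2.0) and the EXTENSION_TO_MIME map go beyond the page's table; the sample inputs are constructed.

```python
# Added example: table-driven magic-byte sniffing plus an extension consistency check.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    mime: str
    magic: bytes
    offset: int = 0      # where the magic bytes sit in the file


# Same byte values as the page's C# constants, written as byte strings.
# Earlier entries win, so more specific signatures come first.
SIGNATURES = (
    Signature("image/png", b"\x89PNG\r\n\x1a\n"),
    Signature("image/gif", b"GIF8"),
    Signature("image/jpeg", b"\xff\xd8\xff"),
    Signature("image/tiff", b"II*\x00"),      # little-endian TIFF (the page's entry)
    Signature("image/tiff", b"MM\x00*"),      # big-endian TIFF (added here)
    Signature("image/bmp", b"BM"),
    Signature("application/pdf", b"%PDF-"),   # page uses "%PDF-1."; this also matches PDF 2.0
)

# OLE2 compound-file header shared by legacy .doc and .xls (the page's MSO bytes).
OLE2_MAGIC = bytes([208, 207, 17, 224, 161, 177, 26, 225])
XLS_MARKER = b"Microsoft Excel\x00"          # the page's XLS bytes

# Assumed mapping from stored extension to the MIME type the sniffer reports.
EXTENSION_TO_MIME = {
    "png": "image/png", "gif": "image/gif", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "tif": "image/tiff", "tiff": "image/tiff", "bmp": "image/bmp",
    "pdf": "application/pdf", "doc": "application/msword", "xls": "application/vnd.ms-excel",
}


def sniff_mime(content: bytes) -> str:
    """Return a MIME type from the leading bytes, or application/octet-stream."""
    for sig in SIGNATURES:
        end = sig.offset + len(sig.magic)
        if content[sig.offset:end] == sig.magic:
            return sig.mime
    if content.startswith(OLE2_MAGIC):
        # Same heuristic as the page: search the whole blob for the Excel marker.
        # A .doc that merely contains this string would be reported as Excel.
        return "application/vnd.ms-excel" if XLS_MARKER in content else "application/msword"
    return "application/octet-stream"


def check_declared_extension(content: bytes, extension: str) -> tuple[str, bool]:
    """Return (sniffed MIME, whether the stored extension agrees with it).

    False means the extension cannot be trusted to choose the Content-Type
    when the blob is served back from the database.
    """
    sniffed = sniff_mime(content)
    declared = EXTENSION_TO_MIME.get(extension.lower().lstrip("."))
    return sniffed, declared == sniffed


if __name__ == "__main__":
    # Constructed sample: a PDF header stored with a .jpg extension.
    print(check_declared_extension(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n", "jpg"))
```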
Importance of Security Testing
Why Security Testing?

With the cyber world becoming more and more vulnerable to attacks, security is something that cannot be compromised. To develop secure applications, one really needs to use a security development lifecycle: security must be considered and tested throughout the project lifecycle of any application.

What are the processes involved in Security Testing?

The security testing process involves evaluating the extent of risk within the application under test and pointing out its security vulnerabilities using various techniques and tools. This makes it possible to ensure that no data theft, unauthorized access or other security compromise can take place through the application. Security testing involves vulnerability scanning, security scanning, penetration testing, security auditing and security review.

Vulnerability scanning is usually performed with an automated software tool that scans for basic known vulnerabilities, such as SARA.

Next in line is security scanning, where a manual assessment is done alongside the software scanning. Although tools help in building a robust application, every tool has its own bottlenecks. That is why, in addition to automated scanning, one is required to perform manual testing: going through system responses and examining log files, error messages, error codes and the like.

The other aspect is penetration testing (pen testing). A real-time simulation environment is used to perform it. It is a black-box, hacker's approach, performed the way an attacker would work, but in a controlled environment. It is performed internally within the organization without breaching any security terms.

Security auditing is for a specific control or compliance issue. Usually the compliance team or the risk evaluation team performs this assessment. Very frequent audits make the application less error-prone and less vulnerable.

Finally, security review is static testing, where the review is performed as per industry standards by reviewing documents and architecture diagrams and performing gap analysis. It is basically done as code review against the architecture diagrams and documents, which are very important.

Together, these processes in security testing ensure that the applications developed are not prone to any kind of security risk.
How to record HTTPS with JMeter | JMeter Recording
To record HTTPS traffic, one needs to configure both the browser proxy settings and the JMeter proxy server.

In the browser, make the following changes. Go to the Options tab in Firefox and click Advanced >> View Certificates >> Authorities. Look for the Apache Software Foundation "JMeter Proxy" certificate, select it, click the Edit button, tick all the boxes and click OK.

JMeter Recording – When recording HTTPS with JMeter, do the following in the JMeter proxy server:

1. In HTTP Request Defaults (Test Plan >> Thread Group >> HTTP Request Defaults):
   Server Name or IP [IP of the server]
   Port Number [port number of the server]
   Implementation [HttpClient4]
   Protocol [https]
   Path [/]

2. In the Recording Controller's HTTP Request:
   Server Name or IP [IP of the server]
   Port Number [port number of the server]
   Implementation [HttpClient4]
   Protocol [https]
   Path [/]
Backend as a Service (BaaS) in a Box
BaasBox is an open-source platform that provides a complete solution for managing the backend of web and mobile applications. Backend as a Service allows mobile app developers to set up and operate a cloud-based backend for their mobile and web apps. All the backend features are in a standalone server, as in a box, and the API facilitates storing and retrieving information on the server. This enables developers to focus on the front end of the application, with a feature-rich backend readily available. You can access the source code from the GitHub repo. The available functions in this service are the administration console, content management, user management, push notifications and DB management. This is best achieved using the web console, which facilitates managing and performing administrative tasks. Its intuitive dashboard is separated into several sections, each clearly depicting an array of utilities. The settings option lets one change the settings of the application, such as password recovery, images and push notifications, and modify their behaviour. Assets form an integral part of the BaasBox application. They are specific objects to store generic files, images or a blob of JSON, and form the building blocks of the application model. Using BaasBox one can design and develop apps on the fly. Being open source, it is community-driven and fully integrated with the cloud service. With all that you need in a box, it enables developers to deploy their projects with just a click!
The Usability Factor – WordPress vs Drupal
WordPress and Drupal are popular platforms used by individuals and businesses to create websites. The majority of bloggers and webmasters choose WordPress as it is simple and easy to use. WordPress has thousands of great features that are easily customized and user-friendly. Drupal provides plenty of features, but one needs to create the custom features oneself, which is confusing. WordPress encompasses a rich library of nearly 15000 plugins, whereas Drupal provides just over 8000, which is definitely a grade separator. WordPress plugins facilitate the easy modification, customization and enhancement of a WordPress website. WordPress is constantly releasing new plugins (like Google Publisher, Skype Mobile Switcher and Gallery Overview), thus adding to the huge repository of plugins. Considering the advantages WordPress offers, InApp is currently developing a Business Consulting website for a Middle East client using WordPress. The main reason is that a Classifieds plugin was readily available in WordPress and easily customizable as per the client requirements. Unlike WordPress, Drupal is harder to learn and requires a certain level of technical knowledge. Since WordPress is supported by a massive community, one can easily find answers to questions, whereas Drupal does not possess as large a user base or resource pool. A majority of blog owners and webmasters use WordPress because Google, Yahoo and Bing are best navigated with WordPress sites. Drupal is for the experienced user, whereas WordPress allows both beginners and advanced users plenty of easy-to-use options.
Elixir Programming Language – The Smart Programming Language
Lately, a lot of attention has been gathering around Elixir, one of the latest programming languages. What is Elixir? Elixir is a functional, concurrent language built on the Erlang VM with syntax close to the Ruby programming language. Apart from Ruby, Elixir is inspired by the syntax and concepts of various other languages such as Clojure, Haskell, Python and even Lisp. What makes Elixir smarter? Elixir's flexible syntax and macro support for metaprogramming allow one to devise elegant and concise constructs that seem as if they are an integral part of the language. Metaprogramming helps one remove structural duplication, a situation where two pieces of code share the same abstract pattern but differ in various details. Elixir works directly with the source code to do smart things. Tests rarely require more than the built-in assert to display meaningful errors. Single-line functions and multi-line blocks are equivalent in Elixir, which means one can write a macro that works just like a built-in in both cases. Elixir is implemented with the same tools that are available to its users, so one can write a macro that works the way the language itself does. With the ready-to-go built-in commands for unit tests, the hassle of learning and writing unit tests is eliminated in Elixir. Currently, InApp is engaged in custom software development using Elixir for a B2B auction company based out of Japan. It will be a challenge to master this cutting-edge technology, taking into consideration all the advantages it offers. The Elixir programming language was authored by borrowing useful features from other languages, thus making it easier to write complex applications. It is easier to write more performant code in Elixir simply because of the power available to the user at compile time.
Do’s & Don’ts of JMeter
What is JMeter? JMeter is an open-source Java application designed to load test functional behavior and measure performance. JMeter is an Apache project used by a large open-source community. Being a part of Apache, JMeter has comprehensive protocol coverage and scripting capabilities. What can you do with JMeter? JMeter is used to test performance on both static and dynamic resources such as static files, Java Servlets, CGI scripts, Java objects, databases, FTP servers and more. JMeter can be used to simulate a heavy load on a server, network or object to test its strength or to analyze overall performance under different load types. JMeter can run on any environment/platform such as Windows, Linux, Mac, etc. Its multithreading framework is highly extensible and can be used to perform automated and functional testing. When compared to other testing applications, 80% of what is required can be accomplished with a simple, intuitive GUI, and not much scripting is required to achieve that. Since JMeter is backed by such a large community, any use case that comes to mind probably has an answer within JMeter. With JMeter, one can build test scripts that are realistic and accurate. What are the JMeter Limitations? JMeter is not a browser, as it does not perform all the actions supported by browsers. To be more precise, it does not execute the JavaScript present in HTML pages, nor does it render the HTML page as a browser does. It has limited support for JavaScript, AJAX and complicated frameworks. Also, the total number of threads (virtual users) generated by the test plan should be less than 300 per engine. One of the major limitations is that everything goes through a single console. Under heavy load, the GUI consumes a lot of memory and the console server alone cannot sustain such a heavy load, which leads to out-of-memory errors and disconnections in the logs.
Test Automation with Selenium
Selenium 2 is the newest addition to the Selenium toolkit. This brand-new automation tool provides all sorts of test features, including a more cohesive and object-oriented API as well as an answer to the limitations of the old implementation. Selenium2Library is a popular Robot Framework test library. Selenium2Library runs tests in a real browser instance, works with most modern browsers and is used with both Python and Jython interpreters. Selenium is a set of different software tools, each with a different approach to supporting test automation. The entire suite of tools results in a rich set of testing functions specifically geared to the needs of testing web applications of all types. One of Selenium's key features is the support for executing one's tests on multiple browser platforms. Selenium is highly flexible, as there are many ways one can add functionality to both Selenium test scripts and Selenium's framework to customize test automation. Since Selenium is open source, the source code can always be downloaded and modified. The operations it performs are highly flexible, allowing many options for locating UI elements and comparing expected test results against actual application behavior. This is perhaps Selenium's greatest strength when compared with other automation tools.
Sharable Content Object Reference Model (SCORM)
What is the Sharable Content Object Reference Model (SCORM)? The Sharable Content Object Reference Model (SCORM) is a repository of technical standards and specifications for web-based e-learning. It is an XML-based framework used to define and access information about learning objects so they can be easily shared among different learning management systems (LMSs). SCORM was developed in response to a United States Department of Defense (DoD) initiative to promote standardization in e-learning. The DoD was frustrated by the problems it encountered when trying to share distance learning courses among the different learning management systems used within the Department, so in 1997 it formed the Advanced Distributed Learning (ADL) specification group to create a way to make learning content portable across various systems. ADL created the first version of SCORM, which originally stood for the Shareable Courseware Object Reference Model. It was designed to facilitate moving course content and related information (such as student records) from one platform to another, to make course content into modular objects that can be reused in other courses, and to enable any LMS to search others for usable course content. The current official version is 1.2. The SCORM specification does not cover all aspects of a learning enterprise; for example, it does not specify how tracking information is stored and what reports are generated, what pedagogical or training models should be used, or how learner information is compiled.