Posts

Showing posts from 2020

Understanding OAuth2

What is OAuth2?
OAuth 2.0 is an open authorization protocol that lets client applications access a resource owner's resources on HTTP services such as Facebook, GitHub, etc. It allows resources stored on one site to be shared with another site without handing over the user's credentials; tokens are used instead of the username and password.

Why Use OAuth 2.0?
You can use OAuth 2.0 to read a user's data from another application. It supplies the authorization workflow for web applications, desktop applications, and mobile devices. A server-side web app uses the authorization code grant and does not handle the user's credentials itself.

Features of OAuth 2.0
OAuth 2.0 is a simple protocol that allows access to the user's resources without sharing passwords. It provides user-agent flows for running client applications written in a scripting language such as JavaScript; typically, the user agent is a browser. It accesses data using tokens instead of the user's credentials and stores data in online...

Email Sending through O365 using OAuth Protocol

Microsoft Office 365 EWS servers have been extended to support authorization via the industry-standard OAuth 2.0 protocol. With OAuth, the user authenticates through Microsoft's web sign-in instead of typing a username and password directly into the application.

Microsoft / Office 365 OAuth + EWS
We can use the OAuth authentication service provided by Azure Active Directory to let our application connect over IMAP, POP or SMTP to Exchange Online in Office 365. To use OAuth in our application we need to register the application in Azure Active Directory and complete a few further steps to get an access token back. The steps are below.

To use Microsoft/Office 365 OAuth in your application, you must first create an application at https://portal.azure.com. Sign into the Azure portal using either a work or school account or a personal Microsoft account. If your account gives you access to more than one tenant, select your account in the top ...

What is Pen Testing or Ethical Hacking?

PEN TEST or ETHICAL HACKING?
Pentesting, also known as penetration testing or ethical hacking, is a security assessment: an analysis and a progression of simulated attacks on an application (web, mobile, or API). The objective is to penetrate the application's security defenses by looking for vulnerabilities. These are usually weaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. The output of a pentest is a list of vulnerabilities, the risks they pose to the application or network, and a concluding report with an executive summary of the testing along with information on its methodology and recommendations for remediation. The vulnerabilities found during a penetration test can be used to fine-tune your security policies, patch your applications or networks, identify common weaknesses across applications, and in general strengthen your entire security posture. Hacking often refers to the unauthorized intrusion into a n...

Cross-Site-Scripting(XSS)

XSS
It is one of the most common application-layer web attacks. XSS vulnerabilities target scripts embedded in a page that are executed on the client side. The concept of XSS is to manipulate the client-side scripts of a web application so that they execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page that is executed every time the page is loaded, or whenever an associated event is performed.

XSS can be classified into 3 types:
1. Stored XSS (Persistent XSS)
2. Reflected XSS
3. DOM Based XSS

Stored XSS
The most damaging type of XSS is Stored XSS. An attacker uses stored XSS to inject malicious content, most often JavaScript code, into the target application through the request payload. If there is no input validation, this malicious code is permanently stored in the DB, so when a victim opens the affected web page in a browser, the browser processes and executes the XSS attack.

Reflected XSS
This is the most common type of XSS. In this case, the attacker's payload has...

Test Case

What is Test Case?
In software engineering, a test case is a specification of the inputs, execution conditions, testing procedure, and expected results that define a single test to be executed to achieve a particular

Different types of Test Cases

Functionality Test Cases
Functionality test cases are used to discover whether an application's interface works with the rest of the system and its users. The tests identify the success or failure of functions that the software is expected to perform. These cases are a type of black-box testing that uses the specifications or user stories of the software under test as its base. This allows the tests to be performed without needing access to the workings or internal structures of the software being tested. The QA team usually writes functionality test cases because the task falls within normal QA processes. They can be written and run as soon as development makes a first function available for testing. To help steer development, they can...

Cross-Site Scripting (XSS) front-end security details for Ruby on Rails developers

Cross-Site Scripting is a security hole that allows attackers to inject and execute JavaScript on your website.

The cause of the problems: Data changes context
XSS is a very specific problem, but it is caused by a general issue that affects all computer systems and programming languages: applications process data using different programming languages and formats (for example Ruby, JavaScript, SQL; plain text, HTML, JSON, CSV). Data moves from one context into another because languages and formats are nested or chained. Data that has a specific meaning in one context gets a different meaning when put into another context. In one context the data is just plain text; in another, it may be interpreted as code.

Untrusted content
Web applications deal with untrusted content all the time. This is data that isn't created by the service provider, developers or trusted parties. It may contain errors, it may be incomplete, it may not comply with syntactical rules....

Utility trees and quality attributes in Architecture

There are two types of requirements for software projects: functional and non-functional requirements. Functional requirements are the requirements for what the solution must do (usually expressed as use cases or stories). The functional requirements describe what the users (or systems) that interact with the system do with it (fill in an order, update customer details, authorize a loan etc.). Non-functional requirements are attributes the system is expected to have or manifest. These usually include requirements in areas such as performance, security, availability etc. A better name for non-functional requirements is "Quality Attributes". Below are some formal definitions from IEEE standard 1061, "Standard for a Software Quality Metrics Methodology", for quality attributes and related terms.

Quality attribute: A characteristic of software, or a generic term applying to quality factors, quality subfactors, or metric values.
Quality factor: A manageme...

ATAM in software architecture

The Architecture Tradeoff Analysis Method (ATAM) is a method for evaluating software architectures relative to quality attribute goals. ATAM evaluations expose architectural risks that potentially inhibit the achievement of an organization's business goals. The ATAM gets its name because it not only reveals how well an architecture satisfies particular quality goals, but also provides insight into how those quality goals interact with each other, that is, how they trade off against one another.

ATAM Process
Business drivers and the software architecture are elicited from project decision makers. These are refined into scenarios and the architectural decisions made in support of each one. Analysis of the scenarios and decisions results in the identification of risks, non-risks, sensitivity points, and tradeoff points in the architecture. Risks are synthesized into a set of risk themes, showing how each one threatens a business driver. The ATAM consists of nine steps: Present the ATAM. T...

Performance Recommendations with ASPStateDB

Never use the same ASPState database for two different web applications or sites. The stored procedure TempResetTimeout is called on every request, and this can be madness on a high-volume site with many pageviews per visit. The DeleteExpiredSessions stored procedure kills performance under load. Its DELETE statement was found to be the main culprit; looking at it, it is a single delete against the session table:

CREATE PROCEDURE DeleteExpiredSessions
AS
    DECLARE @now DATETIME
    SET @now = GETUTCDATE()

    DELETE ASPState..ASPStateTempSessions
    WHERE Expires < @now

    RETURN 0
GO

However, the problem is that as session size grows, each delete takes longer, and as the number of sessions grows, this simple DELETE ends up causing substantial blocking. It was at the head of nearly every blocking chain. This proc is run every  minutes. There is no need for this pro...