Wednesday, January 18, 2017

Web security: tools you can use to test your website


It is important for a web developer to know the kinds of attacks malicious people use to damage your web site.

You can easily visualize how these attacks have been used in some of the world's biggest data breaches.
Check the information breaches around the world: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


Some of the common ones are:

1. SQL injection. Here I will discuss error-based SQL injection. In this attack the attacker tries to modify the search query in the URL to provoke an error, and then modifies the query further to get output that you do not want to share on the web page.

The easier way is to use the automated tool "Havij". Please explore it to test your website.
Make sure to validate the data received as external input, e.g. if you are expecting a number, then it should be a number in the POST and GET request.
The other best way to stay away from SQL injection is to use bind variables (parameterized queries) in any query that takes its input from outside.
The next one is to allow the application access only to certain tables, following the "principle of least privilege". E.g., should your application's DB account be able to run database admin commands?
Last but important: a web application firewall and cryptographic storage.
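As an added example (not code from the original post), the following script shows the string-built query that error-based injection relies on, beside the two defenses the post names: checking the shape of the input and passing it as a bind variable. It assumes DBI and DBD::SQLite are installed; the products table, its rows and the three request inputs are constructed here.

```perl
#!/usr/bin/perl
# Added example, not code from the original post.
# Assumes DBI + DBD::SQLite; the table, rows and inputs below are constructed.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$dbh->do(q{INSERT INTO products VALUES (1, 'widget', 'internal-note-1')});
$dbh->do(q{INSERT INTO products VALUES (2, 'gadget', 'internal-note-2')});

# Vulnerable: the id taken from the URL is interpolated straight into the SQL,
# so a quote in the input produces the database error the post talks about,
# and a crafted value can pull back a column the page was never meant to show.
sub product_name_unsafe {
    my ($id) = @_;
    my $row = $dbh->selectrow_arrayref("SELECT name FROM products WHERE id = $id");
    return $row ? $row->[0] : undef;
}

# Defense 1: if a number is expected, accept only a number
# (\z rather than $ so a trailing newline is rejected too).
sub valid_id {
    my ($id) = @_;
    return defined $id && $id =~ /^[0-9]{1,9}\z/;
}

# Defense 2: the value travels as a bind variable, never as SQL text, so the
# database only ever treats it as data.
sub product_name_safe {
    my ($id) = @_;
    die "rejected: product id must be numeric\n" unless valid_id($id);
    my $row = $dbh->selectrow_arrayref('SELECT name FROM products WHERE id = ?',
                                       undef, $id);
    return $row ? $row->[0] : undef;
}

# Run one lookup and report either its result or the error it raised.
sub report {
    my ($label, $code) = @_;
    my $result = eval { $code->() };
    my $err = $@;
    chomp $err;
    print "  $label -> ", ($err ? "ERROR: $err" : $result // 'no row'), "\n";
}

# Constructed inputs: a normal request, a request with a stray quote, and a
# request that tries to read the secret column through the name column.
for my $input ('1', "1'", '0 UNION SELECT secret FROM products') {
    print "input: $input\n";
    report('unsafe query', sub { product_name_unsafe($input) });
    report('safe query  ', sub { product_name_safe($input) });
}
```

The unsafe function leaks an error message for the second input and a secret for the third; the safe function rejects both before any SQL is built, and even without the regex check the placeholder would have kept the tampered values from changing the query's structure.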



2. Insufficient Transport Layer Security: this means you are not using a secure layer (HTTPS rather than HTTP) while communicating with the web server over the internet. Most people get hacked when they use an open Wi-Fi network. Here, the attacker may monitor the information flowing in and out through the router. Some attackers even modify the DNS server settings so that requests for common sites go to their own hosted website with a replicated page.
Sometimes the attacker injects a keylogger JS script into the page. So how to prevent such attacks?
Make sure that your web application's login page opens in HTTPS and that the form posts over HTTPS. So apply TLS to encrypt by default (you need to pay some money to get the certificate) when you are expanding your application, especially for login page authentication.

Also use encrypted authentication cookies in your application; the firewall is the last line of defense.
Also check out the blog post on how to set up an SSL certificate:
https://ksylvest.com/posts/2014-05-06/setup-free-ish-ssl-tls-on-heroku-for-ruby-on-rails-or-any-other-framework
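As an added example (not the post's code or the linked blog's), here is a small PSGI application that applies the two points above: any request that did not arrive over TLS is redirected to the HTTPS URL, and the session cookie set after login carries the Secure and HttpOnly flags so it is never sent in clear text or exposed to injected scripts. The session token is HMAC-signed rather than encrypted, a stand-in for the "encrypted cookie" the post mentions; the secret, host name and the two requests are constructed, and the credential check itself is left out.

```perl
#!/usr/bin/perl
# Added example, not code from the original post. Runnable on its own
# (it drives the app with constructed requests) or via `plackup` if Plack is installed.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'PLACEHOLDER-replace-with-a-long-random-server-side-secret';

# Session token = user|timestamp|HMAC, so the cookie cannot be forged or edited.
sub make_session_token {
    my ($user) = @_;
    my $payload = join '|', $user, time();
    return $payload . '|' . hmac_sha256_hex($payload, $SECRET);
}

# Returns the user name if the token's MAC checks out, undef otherwise.
sub verify_session_token {
    my ($token) = @_;
    my ($user, $ts, $mac) = split /\|/, $token, 3;
    return undef unless defined $mac;
    return hmac_sha256_hex("$user|$ts", $SECRET) eq $mac ? $user : undef;
}

my $app = sub {
    my ($env) = @_;
    my $path = $env->{PATH_INFO} // '/';

    # 1. Nothing is served over plain HTTP; the client is sent to HTTPS.
    if ($env->{'psgi.url_scheme'} ne 'https') {
        my $target = "https://$env->{HTTP_HOST}$env->{REQUEST_URI}";
        return [301, ['Location' => $target, 'Content-Type' => 'text/plain'],
                ["redirecting to $target\n"]];
    }

    # 2. A successful login (credential check elided) sets a hardened cookie
    #    and tells the browser to keep using HTTPS for this host.
    if ($path eq '/login' && $env->{REQUEST_METHOD} eq 'POST') {
        my $token  = make_session_token('alice');
        my $cookie = "session=$token; Path=/; Secure; HttpOnly; SameSite=Strict";
        return [200, ['Set-Cookie' => $cookie,
                      'Strict-Transport-Security' => 'max-age=31536000',
                      'Content-Type' => 'text/plain'],
                ["logged in\n"]];
    }
    return [200, ['Content-Type' => 'text/plain'], ["hello over $env->{'psgi.url_scheme'}\n"]];
};

# Two constructed requests, one over http and one over https.
for my $scheme (qw(http https)) {
    my $res = $app->({ 'psgi.url_scheme' => $scheme, HTTP_HOST => 'example.test',
                       REQUEST_URI => '/login', PATH_INFO => '/login',
                       REQUEST_METHOD => 'POST' });
    print "$scheme -> status $res->[0]\n";
    my %h = @{ $res->[1] };
    print "  $_: $h{$_}\n" for grep { /^(Location|Set-Cookie|Strict-Transport-Security)$/ } keys %h;
}

$app;   # last value of the file, so `plackup` can serve it
```

In production the scheme check usually looks at the proxy's X-Forwarded-Proto header instead of psgi.url_scheme, and the MAC comparison should use a constant-time compare; both are left plain here to keep the two headers the post cares about in view.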



3. Insecure Password Storage
I hope every developer is aware of rainbow tables. Here the attacker has a pre-computed hash table that he uses to guess the password. The easiest way to prevent this is to use the bcrypt algorithm (avoid MD5) and save the password hash and the random salt used in two separate columns. You can add an additional layer of security by encrypting the output from bcrypt again using MD5.

e.g.
bcrypt algorithm -> random salt + password -> md5 -> save salt column and password column
In future I may share how to implement the above in Node.js.
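Until then, here is an added example in Perl (not the post's code) that hashes a password with bcrypt and a fresh 16-byte salt, stores the salt and the hash in two separate columns as the post describes, and verifies a login attempt. It assumes Crypt::Eksblowfish::Bcrypt is installed and uses /dev/urandom for the salt; the users table is a constructed in-memory hash. Note that bcrypt's output string already embeds the cost and salt, so the separate salt column is redundant but harmless, and the extra MD5 pass the post mentions is not applied here, since bcrypt on its own is the standard recommendation.

```perl
#!/usr/bin/perl
# Added example, not code from the original post.
# Assumes Crypt::Eksblowfish::Bcrypt; the "users table" below is constructed.
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

my $COST = 12;   # work factor (2**12 rounds); raise it as hardware gets faster

# 16 random bytes from the OS for a per-user salt.
sub random_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 16 or die "short read from urandom";
    close $fh;
    return $bytes;
}

# Returns (salt, hash). The hash is a 60-character string that carries the
# algorithm id, the cost and the base64 salt in front of the digest.
sub hash_password {
    my ($password) = @_;
    my $salt     = random_salt();
    my $settings = sprintf('$2a$%02d$%s', $COST, en_base64($salt));
    return ($salt, bcrypt($password, $settings));
}

# Re-running bcrypt with the stored hash as the settings string reuses the
# stored cost and salt; a matching password reproduces the identical string.
sub verify_password {
    my ($password, $stored_hash) = @_;
    return bcrypt($password, $stored_hash) eq $stored_hash;
}

# Constructed users table: two columns, salt and password hash.
my %users;
my ($salt, $hash) = hash_password('correct horse battery staple');
$users{alice} = { salt => en_base64($salt), password => $hash };

print "salt column:     $users{alice}{salt}\n";
print "password column: $users{alice}{password}\n";
print 'login with right password: ',
      (verify_password('correct horse battery staple', $users{alice}{password}) ? 'ok' : 'denied'), "\n";
print 'login with wrong password: ',
      (verify_password('wrong password', $users{alice}{password}) ? 'ok' : 'denied'), "\n";
```

Two practical points: bcrypt only looks at the first 72 bytes of the password, and the `eq` comparison is not constant-time, so a production login path would pre-hash very long inputs and compare with a constant-time routine.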

4. Cross Site Scripting (XSS)

5. Weak Account Management


Tuesday, July 26, 2016

Interview details for Perl/Unix developer @ Deutsche Bank

Recently I had an interview at Deutsche Bank for a Perl developer position.

I would like to share them; though most of the questions were pretty basic, a few added to my learning. :)


Friday, February 19, 2016

Perl problem from ZipRecruiter while submitting the application

Recently I had the chance to apply to ZipRecruiter (a USA-based startup).
During the application you are asked to solve a problem in Perl or Python.


Here is the description of the problem:



Though when I submitted the application, I did not think much and used the JSON module.
But I think it can be solved without a module too, as it is a reference to an array.



Tuesday, March 24, 2015

Perl and Selenium - a trail of YouTube history


Recently I wanted to get the complete list from the YouTube history page to find a video I had seen a long time back. Though YouTube saves and maintains your history, it does not provide an option to search it. The history button shows very few videos at a time.

So I decided to write my own script recipe to handle this scenario. Though I have known about Selenium for a long time, I had never tried its Perl API. Let's see if it can help me get my list.

Before reading this script recipe you need to check some info (video and SlideShare) to get the functionality and usage of the module (ingredient) we are going to use.

Friday, February 13, 2015

Simple usage of Time::HiRes for limiting the execution time of a child process

Hi All

Sometimes we need to control the execution time of a child subprogram. This can be achieved using Time::HiRes.



I have added the code snippet. Here I have set the main program (line 9) to sleep for 30 sec.
But I set up an alarm timeout of 3 sec (line 4), which triggers after 3 sec, and set a local $SIG{ALRM} handler to time out.
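The pattern described above, as an added example written for this post (it is not the post's own snippet): a sub that would run for 30 seconds is wrapped in an eval with a localised $SIG{ALRM} handler, and Time::HiRes::alarm cuts it off after 3 seconds. The timeout, the slow sub and the printed summary are constructed.

```perl
#!/usr/bin/perl
# Added example, not the post's snippet. Needs only core Time::HiRes.
use strict;
use warnings;
use Time::HiRes qw(alarm sleep time);   # fractional-second alarm/sleep/time

# Run $code with a deadline of $timeout seconds (fractions allowed).
# Returns (1, result) if it finished, or (0, reason) if the alarm fired.
sub run_with_timeout {
    my ($timeout, $code) = @_;
    my $result;
    my $finished = eval {
        # local: the handler exists only inside this eval, so the rest of
        # the program keeps whatever ALRM handling it had before.
        local $SIG{ALRM} = sub { die "timeout after ${timeout}s\n" };
        alarm($timeout);        # Time::HiRes alarm, e.g. 0.5 is valid
        $result = $code->();
        alarm(0);               # finished in time: disarm the alarm
        1;
    };
    alarm(0);                   # never leave an alarm armed on the error path
    return $finished ? (1, $result) : (0, $@);
}

# The "child sub program": it wants 30 seconds.
sub slow_child {
    sleep(30);
    return 'finished';
}

my $start = time();
my ($ok, $info) = run_with_timeout(3, \&slow_child);
chomp $info;
printf "ok=%d info=%s elapsed=%.1fs\n", $ok, $info, time() - $start;
```

If the child is a real forked process rather than a sub, the same handler is the place to `kill 'TERM', $pid` and then `waitpid` it, otherwise the timed-out child keeps running after the parent has moved on.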

Thursday, December 4, 2014

flock - all you need to know about file locking in Perl




Sometimes we need control over read and write operations on files. File locking comes to the rescue.

Though Perl provides many functions to control file locking, I found the flock function is the best.

PerlMonks has a great tutorial on flock, its operations and usage. Simple usage, and the operation numbers and their meaning:


  sub LOCK_SH { 1 } ## shared lock
  sub LOCK_EX { 2 } ## exclusive lock
  sub LOCK_NB { 4 } ## non-blocking
  sub LOCK_UN { 8 } ## unlock 
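As an added example (not from the post or the PerlMonks tutorial), here is a script that uses all four operations: an exclusive lock around a write, a shared lock around a read, and a non-blocking attempt that returns instead of waiting. It imports the constants from the core Fcntl module, which gives the same values as the four subs above, and works on a temporary file it creates itself.

```perl
#!/usr/bin/perl
# Added example, not code from the original post. Core modules only.
use strict;
use warnings;
use Fcntl qw(:flock);            # LOCK_SH LOCK_EX LOCK_NB LOCK_UN (1, 2, 4, 8)
use File::Temp qw(tempfile);

my ($tmp, $path) = tempfile(UNLINK => 1);   # constructed scratch file
close $tmp;

# Writer: exclusive lock, so no reader sees a half-written record and no
# second writer interleaves with this one.
sub append_record {
    my ($file, $line) = @_;
    open my $fh, '>>', $file or die "open $file: $!";
    flock($fh, LOCK_EX) or die "flock LOCK_EX: $!";
    print {$fh} "$line\n";
    flock($fh, LOCK_UN);         # release before close (close would too)
    close $fh;
}

# Reader: shared lock, so any number of readers can proceed together but all
# of them wait while a writer holds LOCK_EX.
sub read_records {
    my ($file) = @_;
    open my $fh, '<', $file or die "open $file: $!";
    flock($fh, LOCK_SH) or die "flock LOCK_SH: $!";
    my @lines = <$fh>;
    flock($fh, LOCK_UN);
    close $fh;
    chomp @lines;
    return @lines;
}

# Non-blocking: LOCK_EX | LOCK_NB fails at once if someone else holds the
# lock. Returns the open handle (which keeps the lock) or undef.
sub try_exclusive {
    my ($file) = @_;
    open my $fh, '>>', $file or die "open $file: $!";
    return $fh if flock($fh, LOCK_EX | LOCK_NB);
    close $fh;
    return undef;
}

append_record($path, 'first record');
append_record($path, 'second record');
print "read: $_\n" for read_records($path);

my $held = try_exclusive($path);
print "first non-blocking attempt: ", ($held ? 'acquired' : 'would block'), "\n";
# While $held is still open, a second open of the same file cannot get LOCK_EX.
my $second = try_exclusive($path);
print "second non-blocking attempt: ", ($second ? 'acquired' : 'would block, skipped'), "\n";
close $held if $held;
```

Two things the numbers alone do not tell you: flock is advisory, so a process that never calls flock can still write to the file, and the lock belongs to the open file description, which is why the second attempt above fails even though it is the same process.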





Sunday, August 10, 2014

All you need to know about Perl unit testing

Hi
I have been using Test::Simple, and I always wanted to know about Test::More.

In the talk below James has been able to easily capture all the important modules and the functions they offer, especially ok, is, and like.

Check out the video; 56 min worth spending :)
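To go with the talk, an added example (not from the post or the talk) showing the three functions on a small input-normalising routine. The function, the inputs and the test names are constructed; Test::More ships with core Perl, so the file runs with plain `perl` or under `prove`.

```perl
#!/usr/bin/perl
# Added example, not code from the original post.
use strict;
use warnings;
use Test::More tests => 6;   # declare the count so a test that dies early is noticed

# Function under test: normalise a user-supplied name before a lookup.
# Returns undef for missing or blank input rather than an empty string.
sub normalize_username {
    my ($name) = @_;
    return undef unless defined $name;
    $name =~ s/^\s+|\s+$//g;          # trim leading/trailing whitespace
    return undef unless length $name;
    return lc $name;
}

# ok: the only thing Test::Simple gives you, a plain true/false check.
ok(defined normalize_username('Alice'), 'a plain name yields a value');

# is: compares with eq and, on failure, prints both got and expected.
is(normalize_username('  Alice  '), 'alice',  'trimmed and lower-cased');
is(normalize_username(''),          undef,    'empty string becomes undef');
is(normalize_username(undef),       undef,    'undef input stays undef');
is(normalize_username("\tcarol\n"), 'carol',  'tabs and newlines trimmed');

# like: matches against a regex, handy when only the shape matters.
like(normalize_username('Bob@Example.COM'), qr/^[a-z0-9@.]+$/,
     'no upper-case letters survive normalising');
```

The difference from Test::Simple shows up only when something fails: `is` and `like` print the value they got and what they expected, while `ok` can only say "not ok".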