Tuesday, May 15, 2018

OAuth 2.0

In this blog I'm going to describe how to create a Resource Server API. Here is a brief idea of how it works:



How to implement Cross-Site Request Forgery protection in web applications via the Double Submit Cookie Pattern

In this blog I'm going to show you how to achieve CSRF attack protection using the double-submitted cookie pattern.

This is a brief idea of the method:


As you can see in the above diagram, in the double-submitted cookie pattern two cookies (one for the session and one for the CSRF token) are stored in the browser.
In our previous method we stored the CSRF token values on the server side (in a text file), but here we don't.

Let's start with the "index.php" page:


This one is similar to the previous one: you have to give the correct credentials to go to the next page (the username and password are in my previous blog).

If you enter the correct details you will be redirected to the "result.php" page.


and the code of "result.php" is here:





As you can see, two cookies are stored in the browser. These cookies have a 1 year expiration time and they are accessible from anywhere.

A JavaScript function is written to retrieve the CSRF value from the csrf cookie set in the browser. Then the DOM is modified with the value retrieved from the csrf cookie.

Once you update something it will redirect again to a page called "home.php".



The csrf cookie value and the HTML hidden field csrf value are sent to the checkToken function as parameters.

and here is "token.php":



This function returns true if the CSRF token values match.
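The whole pattern described above in one file, as an added example that is not the blog's own code (function names are hypothetical, PHP 7.3+ is assumed for the setcookie() options array, and `secure => true` assumes the site is served over HTTPS). Unlike the blog's one-year, site-wide cookie, this token cookie is session-scoped, Secure and SameSite=Strict, and the server-side check rejects missing or empty values before comparing:

```php
<?php
// Added example, not the blog's own code: the double-submit cookie pattern in
// one file (PHP 7.3+ for the setcookie() options array). Function names are
// hypothetical; the blog's own index.php/result.php/token.php differ.

function generateCsrfToken(): string {
    return bin2hex(random_bytes(32));   // 64 hex chars from the CSPRNG
}

// The blog's cookie lives one year and is readable from anywhere; this one is
// session-scoped, Secure and SameSite=Strict. It must NOT be HttpOnly,
// because the page script below has to read it into the form.
function issueCsrfCookie(string $token): void {
    setcookie('csrf', $token, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => false,
        'samesite' => 'Strict',
    ]);
}

// Server-side check: cookie value and hidden-field value must both be present
// and equal. hash_equals() compares in constant time; the emptiness check
// stops two missing values from matching each other.
function checkToken(?string $cookieValue, ?string $fieldValue): bool {
    if (($cookieValue ?? '') === '' || ($fieldValue ?? '') === '') {
        return false;
    }
    return hash_equals($cookieValue, $fieldValue);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {   // validate the submitted form
    $ok = checkToken($_COOKIE['csrf'] ?? null, $_POST['csrf'] ?? null);
    echo $ok ? 'Token is Valid' : 'Token is Invalid';
    exit;
}
issueCsrfCookie(generateCsrfToken());          // GET: issue token, render form
?>
<form method="post">
  <input type="hidden" name="csrf" id="csrf" value="">
  First name <input type="text" name="firstname"> <button>Update</button>
</form>
<script>
// Read the csrf cookie and copy it into the hidden field (the blog's
// result.php does this with its own script).
const m = document.cookie.match(/(?:^|;\s*)csrf=([^;]*)/);
if (m) document.getElementById('csrf').value = decodeURIComponent(m[1]);
</script>
```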

You can download this sample website from my github using the following link:

and this is just one simple method; you can try many ways to do the same thing.

Try different and make a Change..!! :) :)

Understanding "Synchronizer Token Patterns"

First we'll see what Cross-Site Request Forgery is.

"Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data since the attacker has no way to see the response to the forged request."

This blog describes a method that you can apply to protect your own website by generating Cross-Site Request Forgery tokens on the server side and validating them before responding to any client request.

Now we'll move on to a sample website to understand the method discussed above.

Here I have 5 .php files and one .txt file called "authKeys"; the other files are used to add some effects to my web page ;)


and here is my "index.php" page:


When a user logs into the website using his/her credentials (here my Username is "JANITHA" and my Password is "SSE"), a login session will be created and the session id will be used to map to the CSRF token that is generated along with the session creation.

Then, if he/she has entered the right credentials, the user will be redirected to another page which will ask for his/her first name and last name. And a token will be stored in "authKeys.txt" automatically.



Once the user enters the First Name and the Last Name, the CSRF token will be validated. If it is valid, the user will get a message saying "Token is Valid".
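The login-then-validate flow above in one file, as an added example that is not the blog's own code. The blog keeps its tokens in "authKeys.txt"; this version keeps the token in the PHP session created at login instead, regenerates the session id on login, and makes each token single-use (function names are hypothetical, the credentials are the ones from the post):

```php
<?php
// Added example, not the blog's own code: the synchronizer token pattern in
// one file. The blog keeps tokens in authKeys.txt; this version keeps the
// token in the PHP session that the login created. Function names are
// hypothetical; the credentials are the ones the post uses.
session_start();
const VALID_USER = 'JANITHA';
const VALID_PASS = 'SSE';

// After a successful login: regenerate the session id (so a session id fixed
// before login is not carried over) and mint a token bound to this session.
function startAuthenticatedSession(): string {
    session_regenerate_id(true);
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

// Compare the submitted hidden-field value with the stored one in constant
// time. The stored copy is discarded on use, so each form needs a new token.
function validateToken(?string $submitted): bool {
    $stored = $_SESSION['csrf_token'] ?? null;
    if ($stored === null || ($submitted ?? '') === '') {
        return false;
    }
    unset($_SESSION['csrf_token']);
    return hash_equals($stored, $submitted);
}

$step = $_POST['step'] ?? 'login';
if ($step === 'login' && isset($_POST['username'], $_POST['password'])) {
    if ($_POST['username'] === VALID_USER && $_POST['password'] === VALID_PASS) {
        $token = startAuthenticatedSession();
        // Second page: the token travels only in the hidden field.
        echo '<form method="post"><input type="hidden" name="step" value="names">'
           . '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($token) . '">'
           . 'First name <input name="first"> Last name <input name="last"> '
           . '<button>Submit</button></form>';
        exit;
    }
    echo 'Invalid credentials';
    exit;
}
if ($step === 'names') {
    echo validateToken($_POST['csrf_token'] ?? null) ? 'Token is Valid' : 'Token is Invalid';
    exit;
}
?>
<form method="post">
  <input type="hidden" name="step" value="login">
  Username <input name="username"> Password <input type="password" name="password"> <button>Log in</button>
</form>
```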


You can download this sample website from my github using the following link;
https://github.com/janitha1st/Sample-Synchronizer-Token-Patterns-

and this is just one simple method; you can try many ways to do the same thing.

Try different and make a Change..!! :) :)

Tuesday, October 24, 2017

Bitcoin

Bitcoin is a recent currency that was created by an anonymous person using the alias Satoshi Nakamoto in 2009. Transactions are made with no middlemen, meaning no banks are involved. There are no transaction fees and no need to give your real name. More merchants are beginning to accept them. You can buy web hosting services with them.

Why use Bitcoins?

Bitcoins can be used to buy goods anonymously. In addition, because bitcoins are not tied to any country or subject to regulation, international payments are easy and cheap. There are no credit card fees, so small businesses may like them. Some people just buy bitcoins as an investment, hoping that they'll go up in value.

Buying Bitcoins

Buy on an Exchange

Some marketplaces called "bitcoin exchanges" allow people to buy or sell bitcoins using different currencies. Mt. Gox is the largest bitcoin exchange.

Transfers

People can send bitcoins to each other using mobile apps or their computers. It's similar to sending cash digitally.

Mining

People compete to "mine" bitcoins by using computers to solve difficult math puzzles. This is how bitcoins are created. Currently, a winner is rewarded with 25 bitcoins roughly every 10 minutes.

How to own Bitcoins

Bitcoins are stored in a “digital wallet,” which exists either in the cloud or on a user’s computer. The wallet is a kind of virtual bank account that allows users to send or receive bitcoins, pay for goods or save their money. Unlike bank accounts, bitcoin wallets are not insured by the FDIC.

Secrecy

Though each bitcoin transaction is recorded in a public log, the names of buyers and sellers are never revealed, only their wallet IDs. While that keeps bitcoin users' transactions private, it also lets them buy or sell anything without it being easily traced back to them. That's why it has become the currency of choice for people buying drugs online or engaging in other illicit activities.

Future in question

No one knows what will become of bitcoin. It is mostly unregulated, but that could change. Governments are concerned about taxation and their lack of control over the currency.

Monday, October 23, 2017

AES & DES

Difference between DES and AES


DES (Data Encryption Standard) and AES (Advanced Encryption Standard) are both symmetric block ciphers. AES was introduced to overcome the drawbacks of DES. DES has a smaller key size, which makes it less secure; to overcome this, triple DES was introduced, but it turned out to be slower. Hence AES was later introduced by the National Institute of Standards and Technology. The basic difference between DES and AES is that in DES the plaintext block is divided into two halves before the main algorithm starts, whereas in AES the entire block is processed to obtain the ciphertext.

DES (Data Encryption Standard) - This is a symmetric key block cipher that was adopted by the National Institute of Standards and Technology in the year 1977. DES is based on the Feistel structure, where the plaintext is divided into two halves. DES takes a 64-bit plaintext and a 56-bit key as input to produce a 64-bit ciphertext.

AES (Advanced Encryption Standard) - This is also a symmetric key block cipher. AES was published in 2001 by the National Institute of Standards and Technology. AES was introduced to replace DES, as DES uses a very small cipher key and the algorithm was quite slow.


  • In DES the plaintext is 64 bits; in AES the plaintext can be 128, 192, or 256 bits.
  • DES has a smaller key size in comparison to AES; AES has a larger key size compared to DES.
  • In DES the data block is divided into two halves; in AES the entire data block is processed as a single matrix.
  • DES works on the Feistel cipher structure; AES works on the substitution and permutation principle.
  • DES has a smaller key, which is less secure; AES has a comparatively large secret key and is hence more secure.
  • DES is comparatively slower; AES is faster.
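To make the "two halves" point concrete, here is an added example (not from the blog) of a toy Feistel network over a 64-bit block: the round function F is made up and the 16 subkeys are constructed, so this is not DES itself, but it shows why splitting the block into halves gives a cipher that decrypts with the very same code run with the subkeys in reverse order, whether or not F is invertible:

```php
<?php
// Added example, not the blog's own code: a toy Feistel network showing the
// structural point above. A 64-bit block is split into 32-bit halves L and R
// and each round computes (L, R) -> (R, L xor F(R, K_i)). The round function
// F below is made up (it is NOT the DES f-function) and the subkeys are
// constructed; only the half-splitting structure is the point.

const MASK32 = 0xFFFFFFFF;

// Hypothetical round function: add the subkey, then rotate-and-xor twice.
// It does not need to be invertible; the Feistel structure is.
function roundF(int $r, int $k): int {
    $x = ($r + $k) & MASK32;
    $x = ($x ^ (($x << 13) | ($x >> 19))) & MASK32;
    $x = ($x + 0x9E3779B9) & MASK32;
    return ($x ^ (($x << 5) | ($x >> 27))) & MASK32;
}

// One round on the pair (L, R).
function feistelRound(int $l, int $r, int $k): array {
    return [$r, ($l ^ roundF($r, $k)) & MASK32];
}

// Run all rounds and undo the final swap, as DES does, so that the same
// function decrypts when it is given the subkeys in reverse order.
function feistel(int $block64, array $subkeys): int {
    $l = ($block64 >> 32) & MASK32;
    $r = $block64 & MASK32;
    foreach ($subkeys as $k) {
        [$l, $r] = feistelRound($l, $r, $k);
    }
    return ($r << 32) | $l;
}

function encrypt(int $b, array $ks): int { return feistel($b, $ks); }
function decrypt(int $b, array $ks): int { return feistel($b, array_reverse($ks)); }

// Constructed 16 round subkeys (DES derives its own from the 56-bit key).
$subkeys = [];
for ($i = 1; $i <= 16; $i++) {
    $subkeys[] = (0x0123ABCD * $i + 0x5555) & MASK32;
}
$plain  = 0x0123456789ABCDEF;
$cipher = encrypt($plain, $subkeys);
printf("plain  %016X\ncipher %016X\nround trip: %s\n", $plain, $cipher,
       decrypt($cipher, $subkeys) === $plain ? 'ok' : 'FAILED');
```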

Crack a Password protected ZIP file using KALI LINUX

First, copy the password-protected ZIP file into the KALI environment.
Then type the following commands:


In the above photo, "zipcracker" is the folder which includes the ZIP file I want to crack and a text file with a huge number of different words. Actually we are going to do a Dictionary Attack to find the password.

"crack.zip" is the file I want to crack, and "dictionary.text" is the word list.

Now you have the password :)

How to mount a Pen Drive in VirtualBox using commands


  • First, in VirtualBox, run the ISO image in which you want to use the pen drive.
  • Then plug the pen drive into your personal computer.
  • In that window, go to the "Devices" tab, then to the "USB" tab, and select your pen drive from the list.

Then, in the terminal, type the following commands as they are:


Here, "sdd1" is my pen drive's name. It changes every time you try to mount your pen drive.
Then make a directory inside the "media" directory called "usbstick".

Then type the following command:
*Make sure that your pen drive's format is "FAT32".


Now your pen drive has been mounted :)