Saturday, May 5, 2018

XSS Attacks

An XSS attack exploits a vulnerability in a website that the victim visits, in order to make that website deliver the attacker's malicious JavaScript to the victim's browser.

This JavaScript can:

1. Read cookies.
2. Modify the DOM.
3. Make XMLHttpRequest calls.

Doing these three things leads to problems like:

1. Cookie theft - dangerous if the attacker reads your session cookie and uses it to get at your information.
2. Key logging - add a key listener and read what the user is typing.
3. Phishing - insert fake login forms into the HTML.

So it is necessary to find the vulnerabilities in the server-side and client-side code so that an XSS attack cannot be made. This is done by securing input handling, which can be done in two ways:

1. Encoding - escapes the user input so that the browser interprets it only as data, not as code.
2. Validation - filters the user input so that the browser interprets it as code without malicious commands.
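The two defences above, written out as small Node.js functions. This is an added example and not code from the original post; the username rule, the greeting template and the sample payload are constructed for illustration.

```javascript
// Added example (not from the original post): the two defences the post
// names, written as small Node.js functions. The field rule and the sample
// payload are constructed for illustration.

// 1. Encoding: escape the characters HTML treats as markup so the browser
//    renders whatever the user typed as text, never as tags or attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. Validation: accept only what the field is supposed to contain. A
//    username has no legitimate reason to contain '<' or quotes, so an
//    allowlist of characters rejects a markup payload up front.
function isValidUsername(input) {
  return /^[A-Za-z0-9_]{3,20}$/.test(input);
}

// The vulnerable pattern (user data spliced straight into markup) beside
// the encoded version. Only the second one is safe to send to a browser.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// Constructed sample input: the textbook probe that would read document.cookie.
const samplePayload = '<script>alert(document.cookie)</script>';

// renderGreetingUnsafe(samplePayload) contains a live <script> tag;
// renderGreetingSafe(samplePayload) contains only &lt;script&gt; text.
```

Encoding is the defence to apply at output time in every template; validation is a second layer applied where the input enters, and it should never be the only one, because a field that legitimately accepts free text cannot be filtered into safety.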






Wednesday, May 2, 2018

GIT Checkin Project


git init                          # create a new repository in the current directory

git add .                         # stage every file in the working tree

git commit -m "commit comment"    # record the staged files as a commit

git push <remote> <branch>        # e.g. git push origin master

Secure and HttpOnly Cookie

Secure - the browser sends the cookie only over HTTPS, which saves you from eavesdropping on sites that run on both HTTPS and HTTP.

HttpOnly - JavaScript cannot read this cookie, so an XSS attack cannot steal it.
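Building a Set-Cookie header with both attributes, and auditing an existing header for them, in Node.js. This is an added example, not code from the original post; the cookie name and value are constructed.

```javascript
// Added example (not from the original post): emit a session cookie with
// Secure and HttpOnly set, and audit any Set-Cookie header for those flags.
// The cookie name and value are constructed samples.

function buildSessionCookie(name, value, opts = {}) {
  const { secure = true, httpOnly = true, path = '/' } = opts;
  // Cookie values may not contain ';', ',' or whitespace; reject rather than truncate.
  if (/[;,\s]/.test(value)) throw new Error('invalid cookie value');
  const parts = [name + '=' + value, 'Path=' + path];
  if (secure) parts.push('Secure');     // only sent over HTTPS
  if (httpOnly) parts.push('HttpOnly'); // hidden from document.cookie
  return parts.join('; ');
}

// Parse a Set-Cookie header and report which protective attributes are missing.
function auditSetCookie(header) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return {
    secure: attrs.includes('secure'),
    httpOnly: attrs.includes('httponly'),
    missing: ['Secure', 'HttpOnly'].filter((f) => !attrs.includes(f.toLowerCase())),
  };
}

// Constructed sample headers: one as a careless server might send it,
// one built by the helper above.
const weakHeader = 'sessionid=abc123; Path=/';
const strongHeader = buildSessionCookie('sessionid', 'abc123');

// In an http.Server handler: res.setHeader('Set-Cookie', strongHeader);
```

The audit function is the part to keep around: run it over the Set-Cookie headers your application actually emits, and any session cookie that comes back with a non-empty `missing` list is one that HTTP eavesdropping or an XSS payload could read.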

Friday, November 22, 2013

Debugging Javascript using Console Object

Some of you might have already used the Console object in JavaScript to log the values of a variable for debugging purposes.

var arr = ['1','2','3','4','5'];
console.log(arr);

There are some interesting methods in the Console API other than log. The details of the Console API can be found here: https://developers.google.com/chrome-developer-tools/docs/console-api

Note: The link above is for Console API supported by Chrome.

But some interesting ones I would like to mention here are:

1. console.profile(), which is used along with console.profileEnd();

function processPixels() {
  console.profile("Processing pixels");
  // later, after processing pixels
  console.profileEnd();
}

This is used to profile the time that a method is taking.

2. console.trace(); 

Prints a stack trace from the point where the method was called, including links to the specific lines in the JavaScript source.

3. console.table();

Prints a JavaScript array or object in tabular format.

It should be noted that the Console object is not available in all browsers, and although debugging JavaScript with the Console object is quite helpful, if you forget to remove your console statements they will give you errors in unsupported browsers.

It is also possible that you do not want to remove the console statements, so that you can always debug your application.

For this, a small piece of code that takes care of all the console.log statements can be added:

// If the browser has no console, define one whose log method does nothing.
if (typeof console === 'undefined') { var console = { log: function () {} }; }

It should be noted that the snippet above takes care of console.log statements only. If other console functions are used, they should be added to the console object in the same way the log function is added.
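A shim that goes beyond the snippet above: it fills in every console method the post mentions (and the other common ones) as a no-op, while leaving a real console untouched. This is an added example, not code from the original post; the list of method names is taken from the post and from Chrome's Console API.

```javascript
// Added example (not from the original post): a console shim that covers
// every method the post names, not only log, and leaves a real console intact.
const CONSOLE_METHODS = ['log', 'info', 'warn', 'error', 'debug', 'trace',
  'table', 'profile', 'profileEnd', 'time', 'timeEnd', 'group', 'groupEnd'];

// Returns a console-like object. When a real console is passed in, it is
// returned as-is with any missing methods stubbed; otherwise a fresh object
// with only no-op methods is built, so stray debug calls never throw.
function makeConsoleShim(existing) {
  const target = (existing && typeof existing === 'object') ? existing : {};
  for (const name of CONSOLE_METHODS) {
    if (typeof target[name] !== 'function') {
      target[name] = function () {}; // silent no-op in browsers lacking this method
    }
  }
  return target;
}

// In a browser this is the whole installation step:
//   window.console = makeConsoleShim(window.console);
// Browsers that already provide console keep their real methods; older ones
// get harmless stubs, so console.trace() or console.table() left in the code
// no longer causes a script error.
```

Because the shim only fills in methods that are absent, it is safe to include unconditionally at the top of every page rather than behind a typeof check.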

Friday, April 26, 2013

Bootstrap the Frontend Framework for Non Designers.

So you are a Web Developer having an exciting idea flourishing in your mind.

And you rush to your machine and start writing that awesome code that was never written before.

And now you are ready to show it to your friends with all excitement.

Your friends think the idea is fine but it doesn't look good, and then you get a number of suggestions.

There should be proper use of typography.
Your site should be responsive, to work on various devices.
You should use proper colors, fonts, paddings, margins.
You should have proper images...

And you get an endless list of advice, all telling you to go and find a designer. Someone who can wrap this brilliant idea of yours in a nice package and make it look like a pretty cool thing.

And believe me, you have to be lucky enough to find someone who can design that frontend for you. But if you are not that lucky, here is Bootstrap for you.

Bootstrap is a sleek, intuitive and powerful frontend framework from Twitter for faster and easier web development. You just need to concentrate on the development part and not so much on the looks.

You need not worry about how boxes arrange on top of each other, or why one piece of CSS works in one browser and doesn't work in another.

It gives you several features like

A 12-column responsive grid.
Several JavaScript components like tabs, navigation etc.
Standard Typography.
Reset CSS. etc.

For details on Bootstrap you can visit its website http://twitter.github.io/bootstrap/index.html

It has some examples which will get you started. All you need to take care of is applying the proper classes as described in the examples.

Saturday, March 23, 2013

Just One thing "JavaScript"

So I am a web developer, and like most of you I know a bit of Java and PHP on the server side, a bit of CSS, HTML, JavaScript and jQuery on the client side, and Oracle and MySQL on the database side. And this technology stack is never ending. Every now and then you will have to learn something new: some new framework may arrive, some new library, or another cool language.

Now, with this demanding and challenging market, how does the idea of learning just one thing sound?

What if all you have to learn and understand, more or less, is just one thing, and become a master of it?

What if that one thing is JavaScript? Yes, you heard me right.
"JavaScript" - the same language you have been validating your forms with for years.


So if I have to write server-side code I will write something in Node.js.
If I have to make a wonderful frontend I will use jQuery.
If my frontend JavaScript is becoming too messy I will use some frontend MVC framework like Backbone.js.
If I need to go mobile I will learn jQuery Mobile and PhoneGap.


Wait, wait, all that is fine, but what about the database? You cannot do your databases in JavaScript. That seems too much.

Ah well, I agree on that, but have you heard of MongoDB? Now that is a NoSQL database and it uses something called BSON to store the data. BSON is nothing new; it is just the binary form of JSON, the JavaScript Object Notation. So again your data is saved as a JavaScript object.

With so much focus of market leaders like Google, Amazon, Microsoft and Yahoo! on these technologies, and with the ever-growing demand for real-time applications, JavaScript looks to be the future of the web and is no longer a toy language for validating your forms. I have started my journey to learning JS; what are you waiting for?

Saturday, December 22, 2012

Creating Apps by Extending the LinkedIn API

In the last few days I have worked on two small applications that extend the power of the LinkedIn platform using the LinkedIn API.

LinkedIn has opened its platform through its REST API and JavaScript API. The platform allows you to:

Get profile details.
Get jobs.
Get details of companies.
Get groups.
Get connections.
Do a people search.

The idea of the first application was to find job openings by distance when a user enters his skills.

So if you enter "Java" in skills, you get the jobs list, starting from nearest to farthest.

The idea of the second application was to display profile information of the users of a company.

So if you enter first name, last name and company name then you can get the detailed profile of a person. If you already have a company intranet where you have the first name and last name of most of its users, you can directly see the profile details without the need to enter the basic information.

Though the steps to connect to the LinkedIn API and the documentation are available on the http://developer.linkedin.com/ site, I will write down the generic steps that I took for using the API.

The REST API allows you to access protected resources available with LinkedIn with the help of REST URLs. For example, if you want to search for a user with FirstName = "Sushil", LastName = "Bharwani", Company = "XYZ" then you will send a REST URL request like:

http://api.linkedin.com/v1/people-search?first-name=sushil&last-name=bharwani&company-name=xyz

But before hitting this URL and accessing the resources you have to authorize your app through OAuth (an open protocol that allows secure authorization in a simple and standard way from web, mobile and desktop applications).

There are several OAuth protocol implementations available on the market. I tried first using the PHP_OAuth.dll file but could not configure it, so I decided to move to a Java implementation and found the Scribe library for Java.

The sample application did not work fine in the beginning, since I had to apply some hacks for people search as suggested in some similar questions.

The suggestions were on extending the LinkedInAPI class to add the r_fullprofile and r_network fields to the authorization URL.

When I performed these changes and ran the code, it gave me an authorization URL. The URL was supposed to be pasted into a browser to get a token. When the token is typed in the desired location, an XML-based result is returned with the details asked for in the REST call.

So with a few small modifications I was able to query the LinkedIn platform using the REST API services that it provides.

In the job search application a similar call was made to the LinkedIn job search API, which returned me a list of locations with their lat/long information in JSON format. I used this info and combined it with the Google distance API to find the matching jobs by distance.
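The nearest-to-farthest ranking step of the job search application, as an added example that is not the author's application code. The author combined LinkedIn's job-search JSON with the Google distance API; this version computes great-circle (haversine) distance locally instead, so it runs offline. The JSON shape, the job records and the searcher's coordinates are constructed and only stand in for the real API response.

```javascript
// Added example (not the author's code): rank job openings by distance from
// the searcher. Haversine distance is swapped in for the Google distance API
// the post used; the data below is constructed and mimics a job-search response.
const EARTH_RADIUS_KM = 6371;

// Great-circle distance between two {lat, lon} points in decimal degrees.
function haversineKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Keep only the jobs that list the requested skill, attach the distance from
// the searcher to each, and sort nearest to farthest.
function rankJobsByDistance(jobs, origin, skill) {
  const wanted = skill.toLowerCase();
  return jobs
    .filter((j) => j.skills.some((s) => s.toLowerCase() === wanted))
    .map((j) => ({ ...j, distanceKm: haversineKm(origin, j.location) }))
    .sort((x, y) => x.distanceKm - y.distanceKm);
}

// Constructed sample data standing in for the parsed job-search JSON.
const sampleJobs = [
  { id: 1, title: 'Backend Engineer', skills: ['Java', 'SQL'], location: { lat: 12.97, lon: 77.59 } }, // Bengaluru
  { id: 2, title: 'Frontend Engineer', skills: ['JavaScript'], location: { lat: 19.08, lon: 72.88 } }, // Mumbai
  { id: 3, title: 'Java Developer', skills: ['Java'], location: { lat: 28.61, lon: 77.21 } },       // New Delhi
];
const searcher = { lat: 17.39, lon: 78.49 }; // Hyderabad, the constructed user location

// rankJobsByDistance(sampleJobs, searcher, 'Java') returns job 1 (about 500 km)
// before job 3 (about 1250 km) and drops job 2, which does not list Java.
```

Great-circle distance is enough for ordering results; if travel time along roads is what the user actually cares about, the sort key can be replaced with the value a routing or distance API returns while the filtering and ordering stay the same.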