Useful Information on Application Security

1. Sql Injection Checking Library:
https://github.com/rkpunjal/sql-injection-safe

2. Checking Vulnerable libraries in application:

Add below plugin in pom.xml of you application. This will provide the list of libraries which are vulnerable. A file named dependency-check-report.html will be generated in target folder of you maven based app
 <plugin>
              <groupId>org.owasp</groupId>
              <artifactId>dependency-check-maven</artifactId>
              <version>5.2.4</version>
              <executions>
                  <execution>
                      <goals>
                          <goal>check</goal>
                      </goals>
                  </execution>
              </executions>
            </plugin>
More details can be found in below link:
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/

3. Security Guidelines Tutorial:

https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95

4. Code Review Checklist
https://github.com/softwaresecured/secure-code-review-checklist

5. Burp Extension:

https://github.com/snoopysecurity/awesome-burp-extensions

Http Client Code Auto Generation

Many a times we write http client code in various programming language by our own. Postman (a Chrome Browser extension), provides an way to auto-generate the HTTP client code. Below are the steps to proceed:

1. Open the Postman extension from Chrome
2. Hit the url you wnat to develop the client code
3. Provide other details in Authorization/Header tabs
4. Provide the Content in Body tab
5. Click on the Code link in Right Side.
6. You will be provided with list of options with Programming language like Java/Python etc.
7. Choose the option & your code is there.
8. You can now add the code in your application with the library used.

Happy Coding !
  

SQL Injection testing using SqlMap & Postman

SqlMap is very powerful tool for Automated Sql Injection testing for Web Application/API (SOAP/REST). This blog describes the procedure to get started with testing



SqlMap & Python Installation:

1.Download Python 2.7.16.
2.Goto https://www.python.org/downloads/release/python-2716/
3.Choose Windows x86-64 MSI installer option for Windows Installation
4.Add the folder where Python is installed in Path (Environment variable). e.g. If Python is installed in C:\Python27 then add this path in Path Variable in Windows
5.Download the .Zip version of SQLMap from http://sqlmap.org/
6.Extract in any folder in any Drive (e.g. D:\sqlmapproject)

Preparation of Test Data:
Here we are going to test Sql Injection in url http://testphp.vulnweb.com/listproducts.php?cat=1
1.Open Chrome Browser
2.Open Postman extension in Chrome. Install from Chrome Web Store if Postman is not installed
3.Hit the url mentioned above using GET request
4.Click on the Right Side of Postman in Link "Code"
5,Choose Http Option.
6.Copy the content & paste in a text file (e.g. attack.txt)

Sql Injection Testing:


1.Open Windows Command prompt
2.Navigate to the folder where SqlMap is extracted (D:\sqlmapproject)
3.Copy the attack.txt in D:\sqlmapproject
4.Run below command. adding --flush-session --fresh-queries will enable to execute the test cases freshly; else the old cached data will be shown in command prompt.
python sqlmap.py -r attack.txt --dbs --flush-session --fresh-queries
This will run all the sql injection test cases automatically & provide the output




Using the same way REST/SOAP API can be tested

Notes: In Windows 10, you might get an error Python not installed & need to install from Microsoft Store. In that case, declare the Python installation path at the top as below: