Saturday, December 19, 2020

Secured Web Service testing with Burp Suite

After you have intercepted the request in Burp Suite, follow the steps below to send a request to a secured web service.

Sending Request to Repeater:

Right-click in the "Proxy" --> "Intercept" --> "Raw" tab.

Click on the option "Send to Repeater".

Go to the Repeater tab. The intercepted request is now shown there as well.

If the web service is a secured one, you will see the following details in the SOAP header:

1. Username

2. Password in Digest mode (a hash of nonce, created timestamp and password, not reversible encryption)

3. Nonce (must be unique in each request)

4. Created timestamp

For secured web service testing, you need to install WS-Security Extension from Burp Suite App store.

Steps for installation of WS-Security extension:

Go to "Extender" --> "BApp Store".

Navigate to "WS-Security" and install it.

Once installed, the extension appears as a new tab named "WS-Security".

Configuration of WS-Security:

Navigate to "WS-Security" tab

Enter the password in plain text in the "Password" text box.

Now click "Turn WS-Security on".

Configuration of Scope:

Go to "Target" --> "Scope".

Click on the "Add" button.

Provide the web service endpoint URL.

Configuring WS-Security details in request:

Now we need to configure the following three details in the "Extender" tab, so that the nonce, created timestamp and password digest are generated automatically by the WS-Security extension.

Replace the password value in SOAP request with #WS-SecurityPasswordDigest

Replace the value in nonce tag with #WS-SecurityNonce

Replace the value in created tag with #WS-SecurityCreated

The extension will then replace these placeholders at request time with values derived from the password configured in the "WS-Security" tab.

Click the "Send" button in the "Repeater" tab.

The response is shown on the right-hand side.
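The three placeholders above stand in for the fields of a WS-Security UsernameToken. The example below (added here; it is not part of the original post and not the extension's own code) shows what the extension does on the client side for each request, that is mint a fresh nonce and created timestamp, compute PasswordDigest = Base64(SHA-1(nonce + created + password)) as defined by the WSS UsernameToken Profile, and substitute the placeholders, and also the matching server-side check that a secured service should perform: recompute the digest, reject a stale Created value and reject a nonce that has already been seen. The username, password, SOAP envelope and the UsernameTokenVerifier class are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed demo credential; not from the post.
DEMO_PASSWORD = "s3cret-demo-password"


def password_digest(nonce_b64, created, password):
    """WSS UsernameToken PasswordDigest = Base64(SHA-1(nonce + created + password)).

    nonce_b64 is the wsse:Nonce value (base64); the raw decoded bytes go into the hash.
    created must be the exact wsu:Created string as it appears in the header.
    """
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def new_nonce():
    # 16 random bytes, base64-encoded, as the wsse:Nonce element carries it.
    return base64.b64encode(os.urandom(16)).decode("ascii")


def created_now():
    # UTC timestamp with millisecond precision, e.g. 2020-12-19T10:00:00.123Z
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


# Constructed SOAP request carrying the same placeholders the post tells you to insert.
SOAP_TEMPLATE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>demo-user</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">#WS-SecurityPasswordDigest</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">#WS-SecurityNonce</wsse:Nonce>
        <wsu:Created>#WS-SecurityCreated</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def fill_placeholders(template, password, nonce_b64=None, created=None):
    """Client side: mint nonce and created, compute the digest, substitute the placeholders."""
    nonce_b64 = nonce_b64 or new_nonce()
    created = created or created_now()
    digest = password_digest(nonce_b64, created, password)
    body = (template.replace("#WS-SecurityPasswordDigest", digest)
                    .replace("#WS-SecurityNonce", nonce_b64)
                    .replace("#WS-SecurityCreated", created))
    return body, nonce_b64, created


class UsernameTokenVerifier:
    """Server side (hypothetical helper): recompute the digest, reject stale Created and replayed nonces."""

    def __init__(self, password_lookup, max_skew=timedelta(minutes=5)):
        self._lookup = password_lookup          # username -> plaintext password, or None
        self._max_skew = max_skew
        self._seen_nonces = set()               # production code would bound this by max_skew

    def verify(self, username, digest, nonce_b64, created, now=None):
        password = self._lookup(username)
        if password is None:
            return False
        try:
            ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        now = now or datetime.now(timezone.utc)
        if abs(now - ts) > self._max_skew:      # stale or far-future Created
            return False
        if nonce_b64 in self._seen_nonces:      # replayed token
            return False
        expected = password_digest(nonce_b64, created, password)
        if not hmac.compare_digest(expected, digest):
            return False
        self._seen_nonces.add(nonce_b64)
        return True


if __name__ == "__main__":
    body, nonce, created = fill_placeholders(SOAP_TEMPLATE, DEMO_PASSWORD)
    print(body)
    verifier = UsernameTokenVerifier({"demo-user": DEMO_PASSWORD}.get)
    digest = password_digest(nonce, created, DEMO_PASSWORD)
    print("first use accepted:", verifier.verify("demo-user", digest, nonce, created))
    print("replay accepted:", verifier.verify("demo-user", digest, nonce, created))
```

The digest only proves knowledge of the password together with that particular nonce and timestamp, so a service that skips the freshness and nonce checks accepts any captured header again; the verifier above is the part worth keeping in mind when you see a PasswordDigest header in Repeater.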


Web Service Testing with Burp Suite & SOAP UI

Installation of Burp Suite:

Pre-requisite:

Java 8 should be already installed.

Goto below link:

https://portswigger.net/burp/releases?initialTab=community

If you are using Java 8, download the JAR for release version 2020.2; Java 8 is no longer supported by versions newer than this.

Start Burp Suite:

Open a Windows command prompt.

Navigate to the folder where the JAR is downloaded.

Run the below command

java -jar burpsuite_community_v2020.2.1.jar

Intercepting request:

Once Burp Suite is open, the first step is to turn on the interceptor.

Navigate to the "Proxy" --> "Options" tab.

By default the proxy listener runs on port 8080. This can be changed to any port you want.

Check that the status is "Running".

Now navigate to the "Proxy" --> "Intercept" tab.

Turn on the interceptor by clicking the toggle button so that it reads "Intercept is on".

SOAP UI Proxy Configuration:

Download SOAP UI from below link:

https://www.soapui.org/downloads/soapui/soapui-os-older-versions/

Start SOAP UI.

Go to "File" --> "Preferences".

Click on "Proxy Settings"

Select the "Manual" option and provide Host "127.0.0.1" and Port "8080" (the same as the Burp Suite interceptor port).

Any SOAP request sent from SOAP UI will now be intercepted by Burp Suite and shown under "Proxy" --> "Intercept" --> "Raw".


Wednesday, December 9, 2020

Concurrency In RxJava


RxJava achieves concurrency through Schedulers.

The most commonly used Schedulers are io and computation:

Schedulers.io : used for IO-bound tasks (e.g. a network call or a database call).

Schedulers.computation : used for CPU-bound tasks (e.g. sorting a large array in Java code).

The difference between a CPU-bound and an IO-bound task:

For an IO-bound task we can have more threads than the number of CPU cores on the machine, because the CPU is idle while the IO operation is in progress.

For a CPU-bound task, which is purely computational (e.g. sorting a Java ArrayList), we should avoid creating more threads than the number of CPU cores on the machine.


subscribeOn : runs the whole chain in a new thread (from start to end).

observeOn : threading is applied only to the downstream operations (those defined after the observeOn call).


Example:

In the example below, we take a String, transform it to uppercase, then print the value.


File Name: ObsSubsEx.java

import java.util.concurrent.TimeUnit;

import io.reactivex.Observable;
import io.reactivex.schedulers.Schedulers;

public class ObsSubsEx {

    public static void main(String[] args) throws InterruptedException {

        // subscribeOn before map: the whole chain runs on the computation scheduler.
        Observable.just("subscribeOn One").subscribeOn(Schedulers.computation()).map(ObsSubsEx::toUpper).subscribe(ObsSubsEx::printVal);

        TimeUnit.SECONDS.sleep(1);

        // subscribeOn after map: its position does not matter, the whole chain still moves.
        Observable.just("subscribeOn Two").map(ObsSubsEx::toUpper).subscribeOn(Schedulers.computation()).subscribe(ObsSubsEx::printVal);

        TimeUnit.SECONDS.sleep(1);

        // observeOn after map: only the subscriber (printVal) moves to the computation scheduler.
        Observable.just("observeOn").map(ObsSubsEx::toUpper).observeOn(Schedulers.computation()).subscribe(ObsSubsEx::printVal);

        TimeUnit.SECONDS.sleep(1);
    }

    // Transform step: logs the thread it runs on.
    private static String toUpper(String val) {
        System.out.println("Uppercase done on thread:" + Thread.currentThread().getName());
        return val.toUpperCase();
    }

    // Subscriber step: logs the thread it runs on.
    private static void printVal(String val) {
        System.out.println("Final value is:" + val + ":Thread:" + Thread.currentThread().getName());
    }
}


Let's see from the output log how the flow works:

Uppercase done on thread:RxComputationThreadPool-1
Final value is:SUBSCRIBEON ONE:Thread:RxComputationThreadPool-1

Uppercase done on thread:RxComputationThreadPool-2
Final value is:SUBSCRIBEON TWO:Thread:RxComputationThreadPool-2

Uppercase done on thread:main
Final value is:OBSERVEON:Thread:RxComputationThreadPool-3

Conclusion:

As we can see, in the case of subscribeOn, irrespective of where it is called, both methods toUpper and printVal run in a separate thread, i.e. threading applies to all operations (upstream as well as downstream).

Whereas in the case of observeOn, toUpper runs in the "main" thread and printVal runs in a separate thread, because we called observeOn after the transform, i.e. threading applies only to downstream operations.

Now if we call observeOn before the map:

Observable.just("observeOn Two").observeOn(Schedulers.computation()).map(ObsSubsEx::toUpper).subscribe(ObsSubsEx::printVal);

then both methods run in a separate thread:

Uppercase done on thread:RxComputationThreadPool-4
Final value is:OBSERVEON TWO:Thread:RxComputationThreadPool-4

Further Reading:


http://tomstechnicalblog.blogspot.com/2016/02/rxjava-understanding-observeon-and.html

https://www.aanandshekharroy.com/articles/2018-01/rxjava-flowables

https://proandroiddev.com/understanding-rxjava-subscribeon-and-observeon-744b0c6a41ea

https://dzone.com/articles/server-sent-events-with-rxjava-and-sseemitter

Code Link in Github:


Wednesday, August 19, 2020

Linux On Windows 10

Windows 10 update version 2004 comes with WSL 2 (Windows Subsystem for Linux, version 2). This feature enables you to use a Linux environment seamlessly from a Windows system.

Pre-requisites before installing WSL 2.

To check the Windows 10 version, follow the steps below:

  1. Open a command prompt or PowerShell window.
  2. Type winver.
  3. A pop-up will appear and show you the Windows update version. Check whether the version is 2004 or not.
  4. Update Windows if the version is below 2004.

WSL 2 also requires virtualization to be enabled.

To check whether virtualization is enabled, follow the steps below:

  1. Open Task Manager --> go to the Performance tab --> click on CPU.
  2. Check whether Virtualization is shown as enabled.

Now proceed to install WSL 2 as instructed in the link below:

https://www.youtube.com/watch?v=D7Em1wjMiak&t=179s

Monday, August 17, 2020

Medium Post Unlock

Medium locks posts if you are not a member. You can read up to 3 Medium posts per month for free.

To read Medium posts without being a member, the trick is to copy the URL and open it in an incognito tab in the Chrome browser.

Thursday, June 4, 2020

Useful Links



Useful Commands:
Run a Spring Boot application on a port specified at run time (here 8080) via the command-line arguments:

mvn spring-boot:run -Dspring-boot.run.arguments=--server.port=8080

Monday, June 1, 2020

Git Commands

Below is the set of commands that need to be executed to push code from the local system to a GitHub repository:

git config --global user.name "<Your Name>"

git config --global user.email <E-mail id>

Create a folder, e.g. Test

Navigate to the folder

git init

git remote add origin <github url>

git pull origin master

Make changes to the folder (Test)

git status

git add .

git commit -m "Test Comment"

git push origin master

On Windows a good alternative is TortoiseGit. It can be downloaded from the link below:

https://tortoisegit.org/

Friday, May 29, 2020

Changing the context name in Tomcat

Sometimes you want to give the application a context name different from the WAR file name when deploying in Tomcat.

Scenario:

WAR name: ABC.war
The default URL becomes: http://localhost:8080/ABC

You want to access it as: http://localhost:8080/XYZ

There are 2 options available to do this.

Option #1:
Here are the steps that can be followed:

1. Open <TOMCAT_HOME>/conf/server.xml
2. Go to the Host section and make the changes below
3. Change it to the following:

 <Host name="localhost"  appBase="webapps"
      unpackWARs="false" autoDeploy="false" deployOnStartup="false">

Please note that unpackWARs, deployOnStartup and autoDeploy should all be set to false, otherwise 2 folders will be generated, one named ABC and another XYZ.

4. Add the Context element under Host

 <Host name="localhost"  appBase="webapps"
      unpackWARs="false" autoDeploy="false" deployOnStartup="false">
   <Context path="/XYZ" docBase="ABC.war"/>
   <!-- other preexisting configuration -->
 </Host>
5. Start Tomcat via <TOMCAT_HOME>/bin/startup.bat (Windows) or <TOMCAT_HOME>/bin/startup.sh (Linux).

Option #2:
  1. Explode the ABC.war (unzip the WAR file).
  2. Place the exploded WAR in a folder outside the Tomcat directory (e.g. D:\mywebapps).
  3. The exploded WAR path will now be D:\mywebapps\ABC.
  4. Create an XML file named XYZ.xml (the name of the expected context) in <TOMCAT_HOME>/conf/Catalina/localhost.
  5. Add the line below to XYZ.xml:
  6. <Context path="/XYZ" docBase="D:/mywebapps/ABC"/>
  7. docBase refers to the path where the exploded WAR is placed.
  8. Start Tomcat via <TOMCAT_HOME>/bin/startup.bat (Windows) or <TOMCAT_HOME>/bin/startup.sh (Linux).


Wednesday, March 4, 2020

Thread Dump in Java

Steps to take a thread dump in Java on Windows

1. Download PSTools from the link below
https://docs.microsoft.com/en-us/sysinternals/downloads/pstools
2. Use the command below to take the thread dump (psexec -s runs jstack as the SYSTEM account so it can attach to a JVM running as a service):

psexec -s <Path_to_JDK_bin_folder>\jstack.exe -l <process_id> > <PATH_WITH_FILE_NAME_FOR_DUMP>

e.g.
psexec -s D:\jdk1.8.0_171\bin\jstack.exe -l 319732 >D:\dump.txt

3. Download IBM Thread Dump Analyzer (TDA) from the link below
https://public.dhe.ibm.com/software/websphere/appserv/support/tools/jca/jca465.jar

4. Double-click the jar to open it
5. Click on File --> Open Thread Dumps.
6. Choose the thread dump file
7. Click on Analysis --> Thread Status Analysis

Details on TDA can be found here 
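The "Thread Status Analysis" step above amounts to grouping the threads in the jstack output by state and, for the BLOCKED ones, finding which thread holds the monitor they are waiting for. The script below (added here; it is not from the post and not TDA's code) does that minimal analysis on a constructed sample of jstack -l output, so you can see what the tool is reporting before opening the real dump in it. The sample dump, thread names, class names and lock addresses are all made up for the demonstration.

```python
import re
from collections import Counter

# Constructed sample of "jstack -l" output: one thread blocked on a monitor that a
# RUNNABLE thread holds while doing socket IO, plus the idle main thread.
SAMPLE_DUMP = """\
2020-03-04 10:15:22
Full thread dump Java HotSpot(TM) 64-Bit Server VM (25.171-b11 mixed mode):

"http-nio-8080-exec-3" #31 daemon prio=5 os_prio=0 tid=0x00007f1a2c0a1000 nid=0x3f12 waiting for monitor entry [0x00007f1a0c5f3000]
   java.lang.Thread.State: BLOCKED (on object monitor)
\tat com.example.OrderService.update(OrderService.java:42)
\t- waiting to lock <0x00000000d5a1b2c8> (a com.example.OrderService)
\tat com.example.OrderController.post(OrderController.java:88)

"http-nio-8080-exec-1" #29 daemon prio=5 os_prio=0 tid=0x00007f1a2c09f000 nid=0x3f10 runnable [0x00007f1a0c7f5000]
   java.lang.Thread.State: RUNNABLE
\tat java.net.SocketInputStream.socketRead0(Native Method)
\tat com.example.OrderService.update(OrderService.java:45)
\t- locked <0x00000000d5a1b2c8> (a com.example.OrderService)

"main" #1 prio=5 os_prio=0 tid=0x00007f1a2c00b000 nid=0x3e9a waiting on condition [0x00007f1a33a0e000]
   java.lang.Thread.State: WAITING (parking)
\tat sun.misc.Unsafe.park(Native Method)
\t- parking to wait for  <0x00000000d5b00a60> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
"""

THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)"')
STATE_LINE = re.compile(r'^\s+java\.lang\.Thread\.State: (?P<state>[A-Z_]+)')
WAITING_LOCK = re.compile(r'- waiting to lock <(?P<addr>0x[0-9a-f]+)>')
HELD_LOCK = re.compile(r'- locked <(?P<addr>0x[0-9a-f]+)>')


def parse_dump(text):
    """Split a jstack dump into per-thread records: name, state, held/awaited monitors, frames."""
    threads = []
    current = None
    for line in text.splitlines():
        if line.startswith('"'):
            m = THREAD_HEADER.match(line)
            current = {"name": m.group("name"), "state": "UNKNOWN",
                       "waiting_for": None, "holds": [], "frames": []}
            threads.append(current)
        elif current is None:
            continue                                  # preamble before the first thread
        elif (m := STATE_LINE.match(line)):
            current["state"] = m.group("state")
        elif (m := WAITING_LOCK.search(line)):
            current["waiting_for"] = m.group("addr")
        elif (m := HELD_LOCK.search(line)):
            current["holds"].append(m.group("addr"))
        elif line.lstrip().startswith("at "):
            current["frames"].append(line.strip()[3:])
    return threads


def thread_status_summary(threads):
    """Count threads per java.lang.Thread.State, the headline number TDA shows."""
    return dict(Counter(t["state"] for t in threads))


def find_blockers(threads):
    """Map each BLOCKED thread to (monitor address, name of the thread holding it)."""
    holders = {addr: t["name"] for t in threads for addr in t["holds"]}
    return {t["name"]: (t["waiting_for"], holders.get(t["waiting_for"]))
            for t in threads if t["state"] == "BLOCKED" and t["waiting_for"]}


def top_frames(threads, state="BLOCKED"):
    """Which code location the threads in a given state are sitting at, most common first."""
    return Counter(t["frames"][0] for t in threads if t["state"] == state and t["frames"])


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    print("threads by state:", thread_status_summary(parsed))
    for name, (addr, holder) in find_blockers(parsed).items():
        print(f"{name} is waiting for {addr}, held by {holder}")
    print("blocked at:", top_frames(parsed).most_common(3))
```

On a real dump the interesting output is a large BLOCKED count whose holder is a single RUNNABLE thread stuck in native IO, as in the sample; that pattern points at a lock held across a slow call rather than at a CPU problem.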


Useful Production Profiling links

A few days ago I was looking for profiling to be done on a production environment. Earlier, I used JProfiler and JavaMelody for performance and issue debugging in production.

But of late I found that Alibaba has created a new profiling tool for production usage. The link below contains the details. Please check it out; it seems interesting.

https://medium.com/@Alibaba_Cloud/troubleshooting-production-issues-with-alibabas-arthas-68d8ec2824d7


Convert Java Project from Log4j 1 to Log4j2

Many times while working on old Java projects we find Log4j 1.x is used. But as the Log4j2 is the new one; hence to upgrade to Log4j2 we nee...