Tuesday, January 29, 2013

Top 10 application security risks

Reference- http://www.security-audit.com/blog/owasp-top-10-2012/
 
Injection - Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
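The point of the definition above is that the interpreter cannot distinguish data from code once both are in the same string. The following added example (not from the original post) shows the same lookup written twice against an in-memory SQLite table with constructed rows: once by pasting the input into the SQL text, once with a bound parameter. The hostile input is a constructed sample.

```python
import sqlite3


def make_db():
    """Build an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """Untrusted input is spliced into the SQL text, so the database engine
    cannot tell where the value ends and the query grammar resumes."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """The value travels as a bound parameter; the engine never parses it
    as SQL, so quotes and keywords inside it are just characters."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed hostile input
    print(find_user_vulnerable(db, hostile))  # every row: the WHERE clause was rewritten
    print(find_user_safe(db, hostile))        # []: treated as a literal, non-existent name
```

The same rule carries over to OS and LDAP interpreters: pass arguments as separate values through an API that understands the target grammar rather than assembling a command string by hand.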



Cross Site Scripting / XSS - XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
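The "proper escaping" in the definition above depends on where the untrusted text lands in the page. This added example (not part of the original post) renders a user-supplied comment with and without output encoding, using Python's standard `html.escape`, and shows that the attribute context needs quotes encoded as well. The rendering functions and their markup are hypothetical.

```python
import html


def render_comment_unsafe(comment):
    """Untrusted text inserted verbatim into element content."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Element-content context: '&', '<' and '>' are enough to keep the
    browser from seeing a tag boundary inside the text."""
    return f'<p class="comment">{html.escape(comment, quote=False)}</p>'


def render_value_attribute_safe(value):
    """Attribute context: the text sits inside double quotes, so a quote
    character in the input would otherwise end the attribute. quote=True
    encodes both '"' and "'" on top of the three characters above."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed sample input
    print(render_comment_unsafe(sample))   # script element reaches the browser intact
    print(render_comment_safe(sample))     # rendered as visible text only
    print(render_value_attribute_safe('" autofocus onfocus="x'))
```

Escaping is applied at output time, per context; the same stored string may need HTML escaping in one template and JavaScript or URL encoding in another, and a template engine that does this automatically is preferable to calling `html.escape` by hand.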




Broken Authentication / Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.


Insecure Direct Object References: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Cross Site Request Forgery - A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
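Because the browser attaches the session cookie automatically, the cookie alone cannot prove that the user intended a request. The standard mitigation is a secret the browser does not send on its own: a per-session token embedded in the form and checked on every state-changing request. This added example (not from the original post) implements that check with the standard library; the `transfer_funds` handler and the dict used as a session store are hypothetical.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Mint an unguessable token, keep it server-side in the session and
    return it so the HTML form can embed it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    """True only if the form carried the token stored for this session."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # constant-time comparison, so partially correct guesses do not leak timing
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def transfer_funds(session, form):
    """Hypothetical state-changing handler. A forged cross-site request
    arrives with the session cookie but without the form token, and is
    rejected before any work is done."""
    if not verify_csrf(session, form.get("csrf_token")):
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    return {"status": 200, "transferred": float(form["amount"]), "from": session["user"]}


if __name__ == "__main__":
    session = {"user": "alice"}            # constructed session
    token = issue_csrf_token(session)
    print(transfer_funds(session, {"amount": "10"}))                       # 403
    print(transfer_funds(session, {"amount": "10", "csrf_token": token}))  # 200
```

Modern frameworks ship this mechanism built in, and the `SameSite` cookie attribute adds a second, browser-enforced layer; the token check remains the part the application itself is responsible for.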



Security Misconfiguration - Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

Insecure Cryptographic Storage- Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
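For authentication credentials in particular, "appropriate hashing" means a salted, deliberately slow password hash rather than a fast digest. This added example (not from the original post) stores and verifies passwords with PBKDF2-HMAC-SHA256 from the standard library and keeps the weak pattern alongside it for contrast. The iteration count is an assumption to be raised as far as the login latency budget allows, and the record format is hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: tune upward for your hardware


def hash_password(password, salt=None):
    """Per-user random salt plus an iterated KDF; the returned record is
    self-describing so the parameters can be raised later without a flag day."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the parameters stored in the record and compare in
    constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def weak_store(password):
    """The pattern the post warns about: an unsalted, fast digest. Equal
    passwords give equal values, and guesses can be tested at full speed."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery")   # constructed sample
    print(record)
    print(verify_password("correct horse battery", record))  # True
    print(verify_password("wrong guess", record))            # False
```

Where a dedicated library is available, bcrypt, scrypt or Argon2 are the usual choices; the structure (random salt, tunable cost, constant-time comparison) is the same.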
 


Failure to Restrict URL Access - Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
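The Insecure Direct Object References entry and the Failure to Restrict URL Access entry above describe the same missing ingredient: an authorization decision taken on every request against the object or page being touched, rather than only when deciding what to show. This added example (not from the original post) covers both with an invoice lookup keyed by a predictable integer and an admin path check. The data, users and paths are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"


# constructed sample data: invoice id -> record
INVOICES = {
    101: {"owner": "alice", "total": 40.0},
    102: {"owner": "bob", "total": 99.5},
}

# constructed: pages whose links are simply hidden from non-admin users
ADMIN_PATHS = {"/admin", "/admin/users"}


def get_invoice_unchecked(user, invoice_id):
    """Insecure direct object reference: being logged in is the only
    requirement, so any user can walk the id space."""
    return INVOICES[invoice_id]


def get_invoice(user, invoice_id):
    """Authorization decided per access, against the object's owner."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    if user.role != "admin" and invoice["owner"] != user.name:
        raise PermissionError(f"{user.name} may not read invoice {invoice_id}")
    return invoice


def handle_request(user, path):
    """Return an HTTP status for a page request. The role check runs on
    every request; hiding the menu entry is presentation, not access control."""
    if path in ADMIN_PATHS and user.role != "admin":
        return 403
    return 200


if __name__ == "__main__":
    bob = User("bob", "user")
    print(get_invoice_unchecked(bob, 101))  # alice's invoice, no question asked
    print(handle_request(bob, "/admin"))    # 403 even though bob never saw the link
```

A further hardening step for object references is to use indirect, per-session handles or unguessable ids, but that supplements the check above rather than replacing it.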
 

Insufficient Transport Layer Protection - Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
 

Unvalidated Redirects and Forwards - Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
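The "proper validation" for a redirect parameter is stricter than it looks, because URL parsing in browsers is forgiving: a protocol-relative `//host` path, a backslash, or credentials before an `@` can all turn a target that looks local into an off-site one. This added example (not from the original post) accepts only site-relative paths and an allowlist of the application's own hostnames; the hostname set is an assumption and the hostile inputs are constructed.

```python
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example.com"}  # assumption: this application's own hostnames


def safe_redirect_target(target, default="/"):
    """Return `target` only if it points back into this site, else `default`."""
    if not target or "\\" in target:
        # browsers treat a backslash like a slash, so "/\host" would leave the site
        return default
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # a site-relative path; "//host/..." parses with a netloc and is excluded here
        return target if target.startswith("/") and not target.startswith("//") else default
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        # hostname (not netloc) ignores any "user:pass@" prefix and port
        return target
    return default


if __name__ == "__main__":
    for candidate in ["/dashboard", "//evil.example/x", "javascript:alert(1)",
                      "https://www.example.com@evil.example/", "/\\evil.example"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

For forwards inside the application the same idea applies: map the untrusted value to a fixed set of internal destinations and refuse anything outside it.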


Wednesday, January 23, 2013

How to find Unknown Device Drivers In Windows

1- Using Unknown Device Identifier

Unknown Device Identifier enables you to identify the devices labeled with a yellow question mark as Unknown Devices in Device Manager, and reports a detailed summary of the manufacturer name, OEM name, device type, device model and even the exact name of the unknown devices. With the collected information, you can contact your hardware manufacturer for support or search the Internet for the corresponding driver with a single click. With this utility, you can immediately convert your unidentified unknown devices into identified known devices, find the proper driver on the Internet, and contact the hardware device manufacturer or vendor. Known devices recognized by Microsoft Windows will also be analyzed independently of the operating system.
Download Unknown Device Identifier from the following location:
http://www.zhangduo.com/udi.html

 2- Using Unknown Devices


Unknown Devices helps you find what those unknown devices in Device Manager really are.
By checking Device Manager for unknown devices and extracting information from it, this program attempts to figure out what the device is. You might not have to open your case or look up random numbers off of PCI cards to figure out what they are.
However, when I run this software on my Windows Vista machine, it doesn’t detect my operating system. I have updated the vendors database file and packed it with this software. The software can be downloaded from the following location:


Unknown Devices (462.2 KiB)

3- Manually Identifying The Unknown Devices

To manually identify the devices we have to find out the device instance ID, which has two parts of interest: the vendor ID and the device ID. Once we have the vendor ID and the device ID, we can easily find the drivers for our device.
To find the device instance ID go to Device Manager –> Right click the unknown device –> Properties –> Details.
Now from the drop down menu select Device Instance Path (Windows Vista)/ Device Instance ID (Windows XP)
It will give you a string value which contains the vendor ID and the Device ID. The string is like this:
HDAUDIO\FUNC_02&VEN_14F1&DEV_5045&SUBSYS_103C30D5&REV_1001\4&2675E3A&0&0002
Here VEN_14F1 is the Vendor ID and DEV_5045 is the Device ID. Note down both of them.
Once you have the Vendor ID and the device ID, you can go to the following websites and find out the vendor and device name and search for its drivers.
http://www.pcidatabase.com/
http://www.pcisig.com/membership/vid_search/
http://pciids.sourceforge.net/
You can also download PCI Utilities which displays the Vendors and devices in human readable format instead of the alphanumeric code characters.
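Pulling the two ids out of the instance path by eye works for one device; for a fleet inventory it is easier to parse them. The following added example (not from the original post) extracts the VEN_, DEV_, SUBSYS_ and REV_ fields from a Windows device instance path with a regular expression and resolves the vendor against a small constructed table, in place of the online databases linked above. The vendor table, the `describe` helper and the sample paths are assumptions; the hexadecimal format of the fields is the documented Windows one.

```python
import re

# The hardware-id part of a Windows device instance path carries
# KEY_HEXVALUE fields joined by '&'; VEN_ and DEV_ are the PCI-style ids.
FIELD_RE = re.compile(r"(VEN|DEV|SUBSYS|REV)_([0-9A-Fa-f]+)")

# constructed vendor table; real lookups go to the databases linked in the post
KNOWN_VENDORS = {"14F1": "Conexant Systems", "8086": "Intel Corporation"}


def parse_instance_path(path):
    """Return a dict with 'ven', 'dev' and, when present, 'subsys' and 'rev',
    plus the enumerator ('bus') that precedes the first backslash."""
    fields = {key.lower(): value.upper() for key, value in FIELD_RE.findall(path)}
    if "ven" not in fields or "dev" not in fields:
        raise ValueError(f"no VEN_/DEV_ pair in {path!r}")
    fields["bus"] = path.split("\\", 1)[0].split("&", 1)[0]
    return fields


def describe(path):
    """One-line human-readable summary for an inventory report."""
    f = parse_instance_path(path)
    vendor = KNOWN_VENDORS.get(f["ven"], "unknown vendor")
    return f"{f['bus']} device {f['ven']}:{f['dev']} ({vendor})"


if __name__ == "__main__":
    # the path from the post, as a Python string literal
    sample = "HDAUDIO\\FUNC_02&VEN_14F1&DEV_5045&SUBSYS_103C30D5&REV_1001\\4&2675E3A&0&0002"
    print(describe(sample))
```

USB devices use VID_/PID_ instead of VEN_/DEV_ and a separate id registry, so the regular expression above would need extending for them.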

Tuesday, January 22, 2013

Large WAR file cannot be deployed in Tomcat 7

Problem

When uploading a WAR file larger than 50 MB, the Tomcat 7 Manager application reports:
The server encountered an internal error () that prevented it from fulfilling this request.
Exception java.lang.IllegalStateException:
org.apache.tomcat.util.http.fileupload.FileUploadBase$SizeLimitExceededException:
the request was rejected because its size (XXX) exceeds the configured maximum (52428800)

Solution

  • Go to the web.xml of the manager application (for instance it could be under /tomcat7/webapps/manager/WEB-INF/web.xml).
  • Increase the max-file-size and max-request-size, which are set to 50 MB by default:
<multipart-config>
  <!-- 50MB max -->
  <max-file-size>52428800</max-file-size>
  <max-request-size>52428800</max-request-size>
  <file-size-threshold>0</file-size-threshold>
</multipart-config>


Resources

Mail List “The request was rejected because its size (102811565) exceeds the configured maximum (52428800)”

Saturday, January 19, 2013

My attempt for generosity- Donate blood, give life

I wanted to do blood donation two times this year. This is one of the bucket list items I put down when the year 2012 started. I called up the Stanford blood donation center on Friday (10/19/2012) and set up an appointment for Saturday morning.



Instead of going alone, I also made an appointment for one of my friends (without asking him). I sent him a message: You are coming with me! I was very excited and woke up early in the morning. Picked up my friend and reached the donation center on time.
When I went inside for screening, the lady asked me when I had last traveled outside of the US. I said in January, which was 10 months ago. She smiled and said I cannot donate because I have to be in the US for 1 year continuously.

I was a little disappointed. I wanted to do some generous work. I cannot donate in the year 2012 and my goal will remain incomplete :(

Anyway, I am hopeful that I will not travel outside of the US until January and would be able to donate in 2013.
==
OK, so fast forward to January 19, 2013. Here I am doing the donation. It feels good when your pending goal becomes complete, and even more so when you are doing a work of generosity!




Tuesday, January 15, 2013

Get BIOS information from Windows cmd

Windows TIP:
An easy way is to use the Windows command prompt to view the BIOS settings.

Check out the steps below:
Go to Start >> Run. Type cmd and press Enter to open the Command prompt.
Type the command wmic bios get /format:list to view the BIOS settings.

You can also save the results in an html file and see it in a browser

wmic bios get /format:list > test.html

===

If you just need to see the BIOS version from Windows, run "systeminfo".
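Reading `wmic bios get /format:list` by eye is fine for one machine; across many it is more useful to parse the KEY=VALUE lines into a record and compare the reported firmware version against an approved baseline. This added example (not from the original post) does that; the sample output is constructed to match the list format, the version values in it are placeholders, and `query_bios` simply runs the command from the post, so it only works on Windows.

```python
import subprocess
import sys

# constructed sample of what `wmic bios get /format:list` prints; the real
# output has the same KEY=VALUE lines, with blank lines before and after
SAMPLE_OUTPUT = """
BIOSVersion={"EXAMPLE - 1072009","1.4.2","Example Firmware Co. - 5000B"}
Manufacturer=Example Computer Co.
Name=1.4.2
ReleaseDate=20150805000000.000000+000
SMBIOSBIOSVersion=1.4.2
SerialNumber=SERIAL-PLACEHOLDER
Version=EXAMPLE - 1072009

"""


def parse_wmic_list(text):
    """Turn /format:list output into a dict, splitting on the first '='."""
    info = {}
    for line in text.splitlines():
        line = line.strip()  # wmic emits \r\r\n line endings when piped
        if "=" in line:
            key, _, value = line.partition("=")
            info[key] = value
    return info


def query_bios():
    """Run the command from the post and parse its output (Windows only)."""
    if not sys.platform.startswith("win"):
        raise OSError("wmic is only available on Windows")
    completed = subprocess.run(
        ["wmic", "bios", "get", "/format:list"],
        capture_output=True, text=True, check=True,
    )
    return parse_wmic_list(completed.stdout)


def firmware_is_approved(info, approved_versions):
    """Inventory check: is the reported SMBIOS BIOS version on the baseline?"""
    return info.get("SMBIOSBIOSVersion") in approved_versions


if __name__ == "__main__":
    bios = parse_wmic_list(SAMPLE_OUTPUT)
    print(bios["Manufacturer"], bios["SMBIOSBIOSVersion"])
    print(firmware_is_approved(bios, {"1.4.2"}))  # True for the constructed sample
```

On current Windows releases wmic is deprecated; `Get-CimInstance Win32_BIOS` in PowerShell returns the same properties, and the parsing step above becomes unnecessary because the values arrive as objects.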