Book Review

Book review: Continuous Enterprise Development in Java

Adrian Citu

This is a very short review of the Continuous Enterprise Development in Java book.

The book can be easily split in two parts.

The first part of the book from chapter 1 to chapter 4 javaArguillian contains general information about the difficulty of testing the JEE applications, about the software development cycles, the types of testing and some more technical details about the testing frameworks (JUnit and TestNG), about build tools like Maven and (JBoss) Forge, about version control (only Git deserves a paragraph) and (finally) about the Arquillian which is presented as “an innovative and highly extensible testing platform for the JVM”.

A very nice introduction is done to the ShrinkWrap  which is an API to create programmatically deployable JEE archives (jars, wars, ears).

An entire chapter (Chapter 3) is dedicated to write and deploy some business code and the associated Arquillian tests. Almost all the tools used in this chapter are JBoss or RedHat tools; Forge for the build of the application, JBoss Application Server to deploy the application, JBoss Developper Studio to deploy on the (Red Hat) OpenShift cloud service.

The second part of the book from chapter 4 to chapter 12 contains the implementation of the http://geekseek.continuousdev.org/app/root/show application, which is the JEE application. Every chapter is treating one aspect of the application: chapter 5  treats the persistence layer, chapter 6 the integration with NoSql data bases, chapter 7 the services layer, chapter 8 the REST services, chapter 9 the security, chapter 10 the user interface and chapter 11 the deployment on live.

Every chapter follow the same pattern, it starts with an introduction to the technology that will be used within the chapter, then the use cases and the business requirements are presented then it follows the implementation of the requirements and lastly the testing of the implementation using Arquillian.

I will conclude my ticket with a few points about what i like and what i don’t like about this book.

What i like about this book:

  • The author clearly masters the different JEE components; the technology introduction paragraphs of each chapter of the second part of the book are very clear and easy to understand.
  • The author knows the Arquillian framework inside out; all the examples are well explained and the introduction to ShrinkWrap is very well done.
  • Some of the chapters contains very valuable external references, like PicketLink for the security or Richardson Maturity Model for REST.

What i do not like about this book:

  • Too much marketing of the RedHat/JBoss products; I would have preferred to have more vendor agnostic examples of use for the Arquillian framework.
  • The subtitle of the book is “Testable Solutions with Arquillian” so it suppose to focus more on the testing part of the applications. Unfortunately, for me the book is not focusing on testing the applications but rather tries to  present how to continuously develop (JEE) applications and integration testing is only one part of this.
  • Nothing is said about the integration of Arquillian with other Java (non JEE) projects/frameworks like Spring and Guice and how Arquillian could ease (if it it can) the testing of the applications using these frameworks.

Book review: Basics of Web Hacking (Tools and Techniques to Attack the Web)

Adrian Citu

This is a review of The Basics of Web Hacking: Tools and Techniques to Attack the Web.

Chapter 1: The basics of Web Hacking

basicsOfWebHacking

The chapter starts with a quick introduction to some fundamental notions of web development like web applications, web servers, http protocol and a quick presentation of 2 penetration testing methodologies: The Open-Source Security Testing MethodologyManual (OSSTM) and Penetration Testing Execution Standard (PTES).

Then the author explains how the book is structured; the book will present attack vectors  around three type of targets: web server, web application and the web user and for every  type of target the same steps will be followed:

  1. Reconnaissance
  2. Scanning
  3. Exploitation
  4. Fix

The last part of the chapter is dedicated to the creation of the testing environment. As testing environment the author uses the BackTrack 5 distribution on which Damn Vulnerable Web Application (DVWA)  is installed.
The installation procedure is slightly outdated, for a newer version you can check this blog entry.

Chapter 2: Web Server Hacking

This chapter is dedicated to the hacking of the first type of target: the web server; the chapter is constructed arround the 3 steps (actually 4, but the Fix step have a dedicated chapter) that should be follow in order to sucesfully attack a web server.

The reconnaissance step is made firsly manually using commands like host and  analysis of the robots.txt file. Once some basic data about the web server is gathered, the automatic step of the reconnaissance is fulfilled using the Nmap port scanner. The authors explains how the Nmap can be updated (in case your BackTrack distribution do not have the version 6 or later) and some basic scan commands are performed (some of the flags used by the nmap command like -O, -sV, -p are explained in detail).

The scanning step is fulfilled using the Nessus tool. For Nessus, the authors explains how to install the free version, configure, run a basic scan and interpret the results. The Nikto open-source scanning tool is also very briefly presented.

The exploitation step is fulfilled using the (well known) Metasploit framework. The author starts by introducing some basic terminology like vulnerability, exploit and payload and then he presents the use of Metasploit framework in  7 easy commands: search, use, show payloads, set payload, show options, exploit. In order to explain the Metasploit commands, the author uses a hunting game analogy; for example the search command is like reviewing all possible animals that you could target, the use command is like deciding what kind of animal to hunt, the show payload is like reviewing all possible gun types, etc…

Chapter 3: Web Application Recon and Scanning

The chapter is dedicated to the web application reconnaissance and scanning. The recon part have as goal to build a map of the target web site using a web proxy. A web proxy is a application that stands between the client browser and the web application and intercepts the . The recon part can be done using automated spidering (the application starts from a page and automatically finds and requests links, submits forms, and performs any allowed action) and a manual spidering (the human operator browse through the web site). The recon is handled using the Burp Suite.

The scanning part have as goal to discover vulnerabilities. A web proxy is capable to find vulnerabilities that are detectable by inspecting the clients requests and server responses like input-based vulnerabilities targeting the server side of the application (SQL injection, OS command injection and path traversal) or input-based vulnerabilities that target the client side (XSS). The scanning part is handled using the OWASP Zed Attack Proxy (ZAP) and the author also presents briefly the Burp Scanner which is only available in the pro version of Burp Suite.      

Chapter 4: Web Exploitation with Injection

This chapter is mainly dedicated to the SQL injection vulnerabilities and Operating System Command vulnerabilities. For the SQL injection the author explains in great detail what is the SQL and how this class of  vulnerabilities can affect the target web application. To find and expose this kind of vulnerabilities the author uses the Burp Proxy, Burp Repeater and the sqlmap tool (which is a SQL injection command line tool).

The second part of the chapter is dedicated to the Operating System Command vulnerabilities.  These types of vulnerabilities are  covered in less detail compared to the SQL injection. In order to demonstrate these types of vulnerabilities the DVWA application is used but no tools that are capable to find (or to help the user to find) this kind of vulnerabilities are presented. One interesting detail for this chapter is this page containing one-liner reverse shells.

Chapter 5: Web Exploitation with Broken Authentication and Path Traversal

The author tries to broke the (web application) authentication using 2 methods: a brute force attack and an attack on the cookies generated by the web application.

For the brute force attack, a normal authentication attemp is initially intercepted  using Burp Intercept in order to find the parameters (username name and password) used for the authentication. Once this parameters have been found, the Burp Intruder product is configured to execute (repetitively) the authentication with different usernames and passwords; these usernames and passwords (called payloads) are read from external files.  The attack on the cookies it’ around the randomness of the session identifiers and the test it’s done using the Burp Sequencer product.

The last part of the chapter is dedicated to the path traversal attacks. The theorethical  part of this kind of attacks is very good covered but (as for the OS command vulnerabilities) no tool that can discover this kind of vulnerbilities is presented.

Chapter 6: Web User Hacking

This chapter is a (very) light introduction to the Cross-Site Scripting (XSS) vulnerabilities, Cross-Site Request Forgery (CSRF) vulnerabilities and to the social engineering vulnerabilities.

The good part about this chapter is that the author gives very good explanations about how this kind of attacks are triggered by the bad guys: it gives very good explanation about the difference between the XSS and CSRF vulnerabilities, it explains what is the different between a reflected and a stored XSS attack, it also gives good (web sites) references  http://XSSed.org , OWASP XSS Filter Evasion Cheat Sheet , http://www.social- engineer.org/).

On the less good part, the author do not explains how the attacker can exploit the info gathered from an XSS attack (he just says that the attacker can retrieve the user cookie using a Java script call like document.cookie).

Chapter 7: Fixes

This chapter is about how to fix the vulnerabilities presented in the previous chapters. The chapter is articulated around the same 3 possible targets: web serverweb application and the web user.

For the web server, the author proposes some strategies for server hardening: develop a repeatable hardening process, develop a process for deploying all new software updates and patches in a timely manner to the live systems, running scans and doing audits.

For the web application and the web user, the author proposes some sort of “to do” list for almost every kind of vulnerability (for example for the “Injection vulnerabilities” here is the list of things to do: Use parameterized queries, Escape malicious syntax, Make use of stored procedures, Remove unnecessary functionality on your database server, Encrypt sensitive dat).

Chapter 8: Next Steps

This small chapter contains some ideas in order to extend your knowledge regarding the security topics; what are the security grouse and events, what are the existing (security)certifications and some titles of security books.

(My) Conclusion

If you have no prior knowledge, this is very good introductory book in the web security topics; the writing style is clear and easy to follow.

Book review: Hacking – the art of exploitation, 2-end edition

Adrian Citu

This is a review of the Hacking – the art of exploitation, 2-end edition book.hck2ed

Chapter 0x100 Introduction

Very short chapter (2 pages and 1/2) in which the author gives his definition of a hacker; person that find unusual solutions to any kind of problems, not only technical problems. The author also expresses very clearly the goal of his book: “The intent of this book is to teach you the true spirit of hacking. We will look at various hacking techniques, from the past to the present, dissecting them to learn how and why they work”.

Chapter 0x200 Programming

The chapter is an introduction to C programming language and to assembler for Intel 8086 processors. The entry level is very low, it starts by explaining the use of pseudo-code and then very gradually introduces many of the structures of the C language: variables, variables scopes, control structures, structs, functions, pointers (don’t expect to have a complete introduction to C or to find advanced material).

The chapter contains a lot of code examples very clearly explained using the GDB debugger. Since all the examples are running under Linux, the last part of the chapter contains some basics about the programming on Linux operating system like file permissions, uid, guid, setuid.

Chapter 0x300 Exploitation

This chapter it builds on the knowledge learned in the previous one and it’s dedicated to the buffer overflow exploits. The most part of the chapter treats the stack-based buffer overflow in great detail using gradual complexity examples. Overflow vulnerabilities on other memory segments are also presented, overflows on the heap and on the BSS.

The last part of the chapter is about format string exploits. Some of the string vulnerabilities use specific GNU C compiler structures (.dtors and .ctors). In almost all the examples, the author uses the GDB to explain the details of the vulnerabilities and of the exploits.

One negative remark is that in some of the exploits the author use shell codes without explaining how these shell codes have been crafted (on the other side an entire chapter is devoted to shell codes).

Chapter 0x400 Networking

This chapter is dedicated to the network hacking(s) and can be split in 3 parts. The first part is rather theoretical, the ISO OSI model is presented and some of the layers (data-link layer, network layer and transport layer) are explained in more depth.

The second part of the chapter is more practical; different network protocols are presented like ARP, ICMP, IP, TCP; the author explains the structure of the packets/datagrams for the protocols and the communication workflow between the hosts. On the programming side, the author makes a very good introduction to sockets in the C language.

The third part of the chapter is devoted to the hacks and is build on the top of the first two parts. For the  package sniffing hacks the author introduces the libpcap library and for the package injection hacks the author uses the libnet library (ARP cache poisoning, SYN flooding, TCP RST hijacking). Other networking hacks are presented like different port scanning techniques, denial of service and the exploitation of a buffer overflow over the network.  In most of the hacks the authors it’s crafting his own tools but sometimes he uses tools like nemesis and nmap.

Chapter 0x500 Shellcode

This chapter is an introduction to the shellcode writing. In order to be injected in the target program the shelcode must be as compact as possible so the best suitable programing language for this task is the assembler language.

The chapter starts with an introduction to the assembler language for the Linux platform and continues with an example of a “hello word” shellcode. The goal of the “hello word” shellcode is to present different techniques to make the shellcode memory position-independent.

The rest of the chapter is dedicated to the shell-spawning(local) and port-binding (remote) shellcodes. In both cases the same presentation pattern is followed: the author starts with an example of the shellcode in C and then he translates and adapts (using GDB)  the shellcode in assembler language.

Chapter 0x600 Countermeasures

The chapter is about the countermeasures that an intruder should apply in order to cover his tracks and became as undetectable as possible but also the countermeasures that a victim should apply in order reduce or nullify the effect of an attack.

The chapter is organized around the exploits of a very simple web server. The exploits proposed are increasingly complex and stealthier; from the “classical” port-biding shellcode that can be easily detected to more advanced camouflage techniques like forking the shellcode in order to keep the target program running, spoofing the logged IP address of the attacker or reusing an already open socket for the shellcode communication.

In the last part of the chapter some defensive countermeasures are presented like non-executable stack and randomized stack space. For each of this hardening countermeasures some partial workarounds are explained.

Chapter 0x700 Cryptology

The last chapter treats the cryptology, an subject very hard to explain to a neophyte. The first part of the chapter contains information about the algorithmic complexity, the symmetric and asymmetric encryption algorithms; the author brilliantly demystifies the operation of the RSA algorithm.

On the hacking side the author presents some attacks linked to the cryptography like the man-in-the-middle attack of an SSL connection (using the mitm-ssh tool  and THC Fuzzy Fingerprint) and cracking of passwords generated by Linux crypt function (using dictionary attacks, brute-force attacks and rainbow tables attacks).

The last part of the chapter is quite outdated in present day (the book was edited in 2008) and is dedicated to the wireless 802.11 b encryption and to the weaknesses of the WEP.

Chapter 0x800 Conclusion

As for the introduction chapter, this chapter is very short and as in the first chapter the authors repeats that the hacking it’s state of mind and the hackers are people with innovative spirits.

(My) Conclusion

The book it’s a very good introduction to different technical topics of IT security. Even if the author tried to make the text easy for non-technical peoples (the chapter about programming starts with an explanation about pseudo-codes) some programming experience is required (ideally C/C++) in order to get the best of this book.

Book review: Foundations of Security (Part 3 Introduction to Cryptography)

Adrian Citu

Chapter 12:  Symmetric Key Cryptography

The chapter starts with an introduction to cryptography that consists in explaining some notations and terminology. Then the block ciphers are explained and the following algorithms are introduced:

The second part of the chapter introduce the stream cyphers and as examples the One Time Pad and RC4.

Chapter 13: Asymmetric Key Cryptography

This chapter explains how the asymmetric key cryptography algorithms are working and briefly explains the RSA and Elliptic Curve Cryptography (ECC) algorithms; it also highlights one of the most important problem of the asymmetric key algorithms which is the public key creation and exchange.

Chapter 14: Key Management and Exchange

Key management refers to the process by which keys are generated, stored, agreed upon and revoked. The chapter is structured on 3 parts:

  • Key generation (how should new keys be created). For the key generation the authors focus on securely generating random numbers by using the C rand() function, using the Random APIs (CryptGenKey library or java.security API) or random device files.
  • Key Storage (how should keys be securely stored so that they cannot be easily stolen). The authors propose some solutions and starts from non secure storage “platforms” (as storing the keys into the compiled code or to a disk) until more secure “platforms” as external devices like smart cards, Hardware Security Modules (HSM).
  • Key agreement and exchange (how should to or more parties decide on a session key used to protect the confidentiality of their conversation). The authors present two ways that can be used to initiate a conversation:
    • generate a cryptographically random conversation key and  encrypt it with a public key
    • use Diffie-Hellman key exchange protocol

Chapter 15: MACs and Signature

This chapter presents Message Authentication Codes (MACs) and digital signatures. A MAC is  sequence of bits that can be attached to a message to verify where is originated and that is has not been tampered with. For MACs construction the authors present the following algorithms CBC-MAC and HMAC.

Chapter 16: Exercises for Part 3

As usually this chapter contains some questions and problems in order to test the comprehension of the notions discussed in the chapters 12-15.

(My) Conclusion

For me the book fulfill his goal: to present in a (rather) clear and concise way the fundamental notions about the security but what I disliked to this book is the writing style which I find it rather difficult to follow sometimes.

Book review: AspectJ in action – Second edition (Part 1 Understanding AOP and AspectJ)

Adrian Citu

Introduction and … conclusion

Since I’m a fan of AOP and especially of AspectJ, I participated to the MEAP (Manning Early Access Program) of the AspectJ in action – Second edition book. The review that I will done will be of the MEAP edition, so maybe the final version will be slightly different. So, my conclusion about this book is that it is the bible of AspectJ; it gives a very clear introduction to AOP and a tremendous view of the AspectJ functionalities.

Chapter 1:  Discovering AOP

The chapter explain what is AOP and how it can be integrated into the today IT systems. Then the author presents the basic ingredients of an AOP language(join point, pointcut, advice and aspect) and how an AOP language can help to improve the modularity of a complex system.

Chapter 2:  Introducing AspectJ

The chapter is a very gentle introduction to the AspectJ5 framework containing the classic “Hello world” application.For every basic block of an AOP language enumerated in the first chapter, the equivalent AspectJ5 structure is presented using some simple examples. Beside the traditional AspectJ syntax, the new syntax using the annotations is presented (this new language syntax is called @AspectJ) and a paragraph is dedicated to the integration of AspectJ with the Spring framework.

Chapter 3:  Understanding the Join Point Model

This chapter takes us in the heart of the AspectJ framework by presenting the join point model. The joint points are the parts of a Java class (and or) object that can be intercepted by the framework. The joint points exposed by AspectJ are: methods, constructors, field access (read and write access), exception processing, static initialization of classes and objects and AspectJ advices. For every joint point type the author gives very detailed explanations with many examples . For some join point types, a small comparison is made with the Spring AOP framework.

Chapter 4:  Modifying Behavior with Dynamic Crosscutting

The goal of the dynamic crosscutting is to modify the execution behavior of the program. The construct that is offered by AspectJ for dynamic crosscutting is the advice.
This chapter deeply explains the notion of advice. An advice is a structure that contains the code to be executed when a join point is intercepted. The reflection support in AspectJ also is present.The reflection support is represented by a small number of interfaces that provides access to the join point’s static and dynamic information.

Chapter 5:  Modifying Structure with Static Crosscutting

The goal of static crosscutting is to modify the static structure of the Java elements (classes, interfaces). AspectJ offers the following features:

  • Member introduction. Introduction of new fields(final and non-final) and methods to any Java class. There is no need to have the source codes of the modified classes for using member introduction.
  • Type hierarchy modifications. With AspectJ you can modify the inheritance hierarchy of existing classes to declare a superclass and interfaces of an existing class. Of course the AspectJ cannot break the rules of the Java language; cannot declare multiple inheritance or cannot declare a class being the parent of an interface.
  • Compile-time errors and warnings. This is similar to the #error and #warning preprocessor directives from the C/C++ world. A typical use of this feature will be to enforce rules, such as prohibiting calls to certain unsupported methods or issuing a warning about such calls.
  • Softening checked exception. Exception softening allows treating checked exceptions thrown by specified pointcuts as unchecked ones and thus eliminated the need to deal wit it. Well, for me this constructs is a real danger and it should never be used. Even the author, raise a warning about overusing this feature because it can lead to masking off some checked exceptions that should be handle in the normal way.

Chapter 6:  Aspect: Putting it all together

As the name of the chapter it said, all the previous elements (joinpoints and advices) are put together into a same structure that is called “aspect”. The aspects have some similarities with the Java classes:

  • can be abstract
  • have data and members
  • have access specification
  • implement or extend other types
  • be nested inside other types

The main differences with aspects and Java classes:

  • aspects cannot be explicitly created (the AspectJ framework controls the aspect initialization)
  • aspects can inherit only from abstract aspects and not concrete aspects
  • aspects can have access to the private members of the classes (using the access specifier “privileged”)

So, as it was already said, the user cannot directly instantiate the aspects but it can instruct the framework how and when to instantiate the aspects. AspectJ offers 4 kinds of aspect associations:

  • singleton (default). A single instance of an aspect is created for the entire application.
  • per object. A new aspect instance will be created when executing a join point of a matching object for the first time.
  • per control-flow. A new instance will be associated with each control flow associated with a join point
  • per type Similar as the per object association with the difference that the aspect will be associated to the class instead of objects.

The last part of the chapter explains the aspects precedence or how to control the order on which advices sharing the same joint point are executed. For aspect precedence, the AspectJ framework introduced the “precedence” keyword.

Example : declare precedence : Aspect1, Aspect2; // Aspect1 have the precedence over the Aspect2

For the case of advices from the same aspect sharing the same joint point, the lexical order is applied (the advice declared first have the precedence over the second one, etc…).

Chapter 7:  Diving into the @AspectJ Syntax

The AspectJ 5 (the last version of AspectJ) introduced support for the Java5 language features. The introductions of annotations in Java5 permitted to the AspectJ team to offer an alternative syntax to the “classical” AspectJ syntax. The newly syntax called @AspectJ offer a choice to compiling source code with a plain Java compiler because all the crosscutting information is kept in annotations on Java elements:

  • aspects are normal Java classes annotated with @Aspect annotation.
  • advices are Java methods annotated with the following annotations @Around, @After, @AfterReturning, @AfterThrowing, @Before.
  • pointcuts are Java methods annotated with the @Pointcut annotation
  • modifications of type hierarchy is done by annotating Java fields with @DeclareParents annotation.
  • error and warning declarations are done annotating Java fields with @DeclareError and @DeclareWarning annotations.

Unfortunately, not all the AspectJ feature are available using the @AspectJ syntax:

  • the member introduction; a workaround for this limitation is to use modification of type hierarchy by declaring as parent an interface using the @DeclareParents annotation with the attribute “defaultImpl” containing a class that implements the interface.
  • softening exceptions.
  • privileged aspects.

Chapter 8:  AspectJ Weaving Models

The AspectJ framework offers two types of weaving:

  • build-time weaving; the classes and aspects are weaved during the build process using the ajc compiler. The ajc compiler can take as input source files, class files and jar files each of which may contains classes and aspects.
  • load-time weaving (LTW);the aspects are weave into the classes as the classes are loaded by the classloader. The LTW uses another Java5 feature which is Java Virtual Machine Tool Interface (JVMTI). JVMTI allows a JVMTI agent to imtercept the loading of a class. The load-time weaver is a JVMTI agent that use this functionality to weave the classes as the VM loads them. If the @AspectJ syntax is used then the LTW must be used. The load-time weaver needs some additional information to decide which aspects to weave; this information should be in a XML format into the file META-INF/aop.xml (alternatives to aop.xml are also META-INF/aop-ajc.xml or org/aspectj/aop.xml file).

Basically, the aop.xml file should contains the list of aspects to weave, the list of aspects to exclude from weaving, the list of the packages of the classes to be modified by the aspects and the list of packages of classes that should not be weaved.

Chapter 9:  Integration with Spring

This chapter presents more than the integration of AspectJ into Spring framework; the chapter presents the Spring AOP framework.

Prior to Spring 2.0 version the only Spring AOP offered “schema-style” AOP support that consists into writing crosscutting information in the XML form (for more details about “schema style” aop support please see this: http://static.springframework.org/spring/docs/1.2.x/reference/aop.html). The “schema style” support is suitable for projects that use version of Spring prior to Spring 2.0 or your project don’t use Java5.
Since Spring 2.0, the Spinng AOP is capable to understand the @AspectJ syntax.
The Spring AOP is a proxy-based framework, Spring creates proxy classes for each bean that matches the criterias specified in pointcuts. The proxy classes will intercept the calls to the original object. Under the hood, Spring uses dynamic proxies mechanism for intercepting calls to a method of an interface or it uses the CGLIB-proxies if the method to intercept is not part of an interface.

Some drawbacks of the Spring AOP linked to the proxy-based nature:

  • method execution-only join points;the proxies can intercept only methods.
  • cannot intercept/advise final methods; since Java prevents overriding final methods, the dynamically created proxies cannot advise final methods.
  • bean-only crosscutting; the  proxy creation requires that Spring bean factory create the objects that needs to be advised, so Spring AOP works only on Spring beans.

Due to the proxy-based mechanism it is not possible to use the full AspectJ power; the following pointcuts are not available: call(),
initialization(), preinitialization(), staticinitialization(), get(), set(), handler(), adviceexecution(), withincode(), cflow(), cflowbelow(),
if(), @this(), @withincode().

On the other side, Spring AOP (since version 2.5)introduce a new pointcut for selecting Spring beans. The pointcut is bean(<name-pattern>) and the name-pattern follows the AspectJ matching rules for a name pattern with ‘*’ being the only allowed wildcard.