XSS scan testing for any website



Use case:

How to produce an online Website Vulnerability Scanner report (XSS scan)

Solution:

  1. Go to this URL: https://pentest-tools.com/home
  2. Enter the website URL https://www.test.com/ under Tools --> Web Application Scanning --> XSS scan.
  3. Click Scan; the tool generates a report covering the various scan parameters.

This tool focuses on the areas below:

Summary

Overall risk level: Info
Risk ratings: High: 0, Medium: 0, Low: 0, Info: 2

Scan information:
Start time: 2019-04-01 04:07:56
Finish time: 2019-04-01 04:09:30
Scan duration: 1 min, 34 sec
Tests performed: 2/2
Scan status: Finished

Findings

 Light spider results: 0 dynamic URLs of total 24 URLs crawled

 No Cross-Site Scripting vulnerabilities found.


Scan coverage information

List of tests performed (2/2)
  •  Spidering target
  •  Scanning for XSS vulnerabilities

BitBucket and SourceTree - CICD tools

Use case: Sourcetree as a Git GUI tool

Solution: Use the Sourcetree GUI tool for Git/Mercurial local and remote repository management.

Step 1: Create a Git repository

Step 2: Copy your repository and add files

Step 3: Pull changes from your repository

Step 4: Use Sourcetree branches to merge an update


https://www.sourcetreeapp.com/?utm_source=internal&utm_medium=link&utm_campaign=clone_repo_win


Online Security Scan tool for any website



Use case:

How to produce an online Website Vulnerability Scanner report (web server scan)

Solution:

  1. Go to this URL: https://pentest-tools.com/home
  2. Enter the website URL https://www.test.com/ under the Web Server Scan tab.
  3. Click Scan; the tool generates a report covering the various scan parameters.

This tool focuses on the areas below:

Testing areas (as listed in the tool's Light scan / Full scan comparison table):
  • Website fingerprinting
  • Version-based vulnerability detection
  • Common configuration issues
  • SQL injection
  • Cross-Site Scripting
  • Remote command execution
  • Discover sensitive files


Summary of sample scan report

Overall risk level: Medium
Risk ratings: High: 0, Medium: 1, Low: 3, Info: 6

Scan information:
Start time: 2019-03-29 08:03:21
Finish time: 2019-03-29 08:03:28
Scan duration: 7 sec
Tests performed: 10/10
Scan status: Finished







Scan coverage information

List of tests performed (10/10)
  1.  Fingerprinting the server software and technology...
  2.  Checking for vulnerabilities of server-side software...
  3.  Analyzing the security of HTTP cookies...
  4.  Analyzing HTTP security headers...
  5.  Checking for secure communication...
  6.  Checking robots.txt file...
  7.  Checking client access policies...
  8.  Checking for directory listing (quick scan)...
  9.  Checking for password auto-complete (quick scan)...
  10. Checking for clear-text submission of passwords (quick scan)...

Server software and technology found

Software / Version        Category
Apache                    Web Servers
Adobe Experience Manager  CMS
ZURB Foundation           Web Frameworks
Google Maps               Maps
Google Tag Manager        Tag Managers
jQuery                    JavaScript Frameworks

Insecure HTTP cookies

Cookie Name   Flags missing
AWSELB        Secure, HttpOnly

Details

Risk description:
Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. Thus, the risk exists that an attacker will intercept the clear-text communication between the browser and the server and steal the user's cookie. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.

Lack of the HttpOnly flag permits the browser to access the cookie from client-side scripts (e.g. JavaScript, VBScript, etc.). This can be exploited by an attacker in conjunction with a Cross-Site Scripting (XSS) attack in order to steal the affected cookie. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.

Recommendation:
We recommend reconfiguring the web server in order to set the Secure and HttpOnly flags on all sensitive cookies.

More information about this issue:
https://blog.dareboost.com/en/2016/12/secure-cookies-secure-httponly-flags/
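The cookie check the scanner runs in test 3 ("Analyzing the security of HTTP cookies") can be reproduced locally against a server's Set-Cookie headers. The script below is an added example, not the pentest-tools.com code: it parses each Set-Cookie value, reports which of the Secure and HttpOnly flags are missing (the same table as the AWSELB finding above), and shows the corrected header the recommendation asks for. The sample headers are constructed, not captured from the scanned site.

```python
# Flags the report expects on sensitive cookies (see the AWSELB finding above).
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header_value: str) -> tuple[str, set[str]]:
    """Split a Set-Cookie value such as 'AWSELB=abc; Path=/; Secure' into
    (cookie name, set of lower-cased attribute names).
    Attribute names are case-insensitive per RFC 6265, hence the lower()."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()          # value may itself contain '='
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(header_value: str) -> list[str]:
    """Return the required flags that are absent from this Set-Cookie value."""
    _, attrs = parse_set_cookie(header_value)
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit_cookies(set_cookie_headers: list[str]) -> dict[str, list[str]]:
    """Map cookie name -> missing flags, mirroring the report's
    'Cookie Name / Flags missing' table. Fully flagged cookies are omitted."""
    report = {}
    for header in set_cookie_headers:
        name, _ = parse_set_cookie(header)
        missing = missing_flags(header)
        if missing:
            report[name] = missing
    return report


def harden(header_value: str) -> str:
    """Append whatever flags are missing, giving the Set-Cookie header the
    recommendation calls for. Already-correct headers are returned unchanged."""
    fixed = header_value.rstrip("; ")
    for flag in missing_flags(header_value):
        fixed += f"; {flag}"
    return fixed


# Constructed sample Set-Cookie headers (not from the scanned site).
SAMPLE_HEADERS = [
    "AWSELB=0123ABCDEF; Path=/; Max-Age=60",               # missing both flags
    "session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",  # already hardened
    "prefs=dark; Path=/; Secure",                           # missing HttpOnly
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
    print("Hardened:", harden(SAMPLE_HEADERS[0]))
```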


4. That's all!

How to find the technology stack used by any website

Use case:

How to identify the tools and technology stack used by an unknown site.

Solution:

  1. Go to this URL: https://pentest-tools.com/home
  2. Enter the website URL https://www.test.com/ under the Web Server Scan tab.
  3. In the report, look for the "Server software and technology found" section.

Example for one of the sites analysed:

Server software and technology found

Software / Version        Category
Apache                    Web Servers
Adobe Experience Manager  CMS
ZURB Foundation           Web Frameworks
Google Maps               Maps
Google Tag Manager        Tag Managers
jQuery                    JavaScript Frameworks
4. That's all!

Troubleshooting Oak indexes in AEM

Oak queries and Indexing in AEM with embedded Solr configurations

RDBMS documentStore setup in AEM 6.4

Supported Databases

For more information on the level of Relational Database support in AEM, please see the Technical Requirements page.

Configuration Steps

The repository is created by configuring the DocumentNodeStoreService OSGi service. It has been extended to support relational database persistence in addition to MongoDB.
In order for it to work, a data source needs to be configured with AEM. This is done via the org.apache.sling.datasource.DataSourceFactory.config file. The JDBC drivers for the respective database need to be provided separately as OSGi bundles inside the local configuration.
For steps on creating OSGi bundles for JDBC drivers, please see this documentation on the Apache Sling website.
Once the bundles are in place, follow the below steps in order to configure AEM with RDB persistence:
  1. Make sure the database daemon is started and that you have an active database for use with AEM.  
  2. Copy the AEM 6.3 jar into the installation directory.
  3. Create a folder called crx-quickstart\install in the installation directory.
  4. Configure the document node store by creating a configuration file with the following name in the crx-quickstart\install directory:
    • org.apache.jackrabbit.oak.plugins.document.DocumentNodeStoreService.config
  5. Configure the data source and the JDBC parameters by creating another configuration file with the following name in the crx-quickstart\install folder:
    • org.apache.sling.datasource.DataSourceFactory-oak.config
    Note:
    For detailed information on the data source configuration for each supported database, see Data Source Configuration Options.
  6. Next, prepare the JDBC OSGi bundles to be used with AEM:
    1. In the crx-quickstart/install folder, create a folder named 9.
    2. Place the JDBC jar in the new folder.
  7. Finally, start AEM with the crx3 and crx3rdb runmodes:
     java -jar quickstart.jar -r crx3,crx3rdb

Data Source Configuration Options

The org.apache.sling.datasource.DataSourceFactory-oak.config OSGi configuration is used to configure the parameters needed for communication between AEM and the database persistence layer.
The following configuration options are available:
  • datasource.name: The data source name. The default is oak.
  • url: The URL string of the database that needs to be used with JDBC. Each database type has its own URL string format. For more info, see URL String Formats below.
  • driverClassName: The JDBC driver class name. This will differ depending on the database you want to use and subsequently, the driver that is needed to connect to it. Below are the class names for all the databases supported by AEM:
    • org.postgresql.Driver for PostgreSQL;
    • com.ibm.db2.jcc.DB2Driver for DB2;
    • oracle.jdbc.OracleDriver for Oracle;
    • com.mysql.jdbc.Driver for MySQL and MariaDB (experimental);
    • com.microsoft.sqlserver.jdbc.SQLServerDriver for Microsoft SQL Server (experimental).
  • username: The username the database runs under.
  • password: The database password.

URL String Formats

A different URL string format is used in the data source configuration depending on the database type that needs to be used. Below is a list of formats for the databases that AEM currently supports:
  • jdbc:postgresql:databasename for PostgreSQL;
  • jdbc:db2://localhost:port/databasename for DB2;
  • jdbc:oracle:thin:localhost:port:SID for Oracle;
  • jdbc:mysql://localhost:3306/databasename for MySQL and MariaDB (experimental);
  • jdbc:sqlserver://localhost:1453;databaseName=name for Microsoft SQL Server (experimental).
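The two configuration files from steps 4 and 5 of the procedure, filled in with the PostgreSQL driver class and URL format listed above. This is an added illustration, not taken from this page or from Adobe's documentation: the database name, username and password are placeholders, and the documentStoreType key in the first file is not shown on this page (it is the setting that selects the RDB store instead of MongoDB; confirm it against the AEM documentation for your version).

```properties
# crx-quickstart/install/org.apache.jackrabbit.oak.plugins.document.DocumentNodeStoreService.config
# Selects relational (RDB) persistence rather than MongoDB (key not shown on this page; verify).
documentStoreType="RDB"

# crx-quickstart/install/org.apache.sling.datasource.DataSourceFactory-oak.config
# datasource.name keeps the default "oak" named in the options above.
datasource.name="oak"
# PostgreSQL URL format from the list above; "aem" is a placeholder database name.
url="jdbc:postgresql:aem"
driverClassName="org.postgresql.Driver"
# Placeholder credentials. The password sits here in clear text, so restrict the
# file's permissions to the account that runs AEM before starting it.
username="aem_user"
password="CHANGE_ME"
```

The PostgreSQL JDBC jar then goes into crx-quickstart/install/9 (step 6) before AEM is started with the crx3,crx3rdb runmodes.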

Known Limitations

While concurrent use of multiple AEM instances with a single database is supported by RDBMS persistence, concurrent installations are not.
To work around this, run the installation with a single member first, and add the other members only after the first has finished installing.