Computers, Programming, Technology, Music, Literature

OWASP ZAP: Global Exclude URL (Beta) – bug and fix

leave a comment »

As you proxy your browser traffic through OWASP ZAP, chances are that you are annoyed by noise.  That is by default browsers these days make a lot of requests to update version, update cache, addons update and what not. It get’s really difficult to focus on the website at hand when you have other sites cluttering your Sites and History tab.

The Global Exclude URL functionality was supposed to work and it did work partially.

There was a minor bug and that was fixed.  A screen recording of the bug and the bug fix url below:

Global Exclude URL (beta) – after close and reopen does not pick up added regex for excluding URLs #3275

 

 

Written by gmaran23

March 22, 2017 at 2:08 am

OWASP ZAP Development – Fixing the Can’t find bundle for base name lang.Messages error

leave a comment »

 

I have been generating the API files for OWASP ZAP DOT NET API since the inception. There is the core zaproxy project that has the DotNetAPIGenerator.java class. And there is the extensions project, including the beta and alpha.

image

Now, when I tried to generate the ‘non-optional’, i.e., the core API files for .Net, everything would work fine, the API files would be generated as below.

 

image

OWASP ZAP is internationalized, so the source code comes with a bunch of resource bundles with supporting language files.

When you try to generate the API files for the extensions project, you get this wonderful error message.

Exception in thread "main" java.util.MissingResourceException: Can’t find bundle for base name lang.Messages, locale en at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1564) at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1387) at java.util.ResourceBundle.getBundle(ResourceBundle.java:890) at org.zaproxy.zap.extension.api.AbstractAPIGenerator.(AbstractAPIGenerator.java:68) at org.zaproxy.zap.extension.api.JavaAPIGenerator.(JavaAPIGenerator.java:81) at org.zaproxy.zap.extension.ApiGenerator.main(ApiGenerator.java:73)

 

image

I have fixed this error message before when I was trying to generate the api files back in 2015. Running in debug mode and stepping through pointed out that the zaproxy core project had the resource files under a directory that was not available to the extensions project.

This error was gruesome.

In the end all I had to do was copy the contents of the workspaceowaspzap\zaproxy\src\lang directory to workspaceowaspzap\zap-extensions\bin\lang

That’s it. Do the same thing for the alpha, and beta extensions’ bin directory too.

 

image

Cheers. Try the OWASP ZAP DOT NET API available at nuget.org.

Written by gmaran23

March 22, 2017 at 1:46 am

Fixing VMWare Player Cannot write to local file Cancelling the file copy operation

leave a comment »

 

 

PROBLEM: When copying files from VMWare player to the host (Windows host in this case), you get “Cannot write to local file”.

SOLUTION: Make space. Clear temp and %temp% directories, on your operating system drive.

 

I was trying to copy 5 GB of files from my VMWare player guest OS Kali Linux to my Windows Host. VMWare player displays Copying file “part2.rar” from virtual machine and exits with “Cannot write to local file. Cancelling the file copy operation.”.

 

image

image

This knowledge base from vmware hints disabling tempfs in linux operating systems.  https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2056353 

I looked at the temp and %temp%  windows directories and dicovered the below temp location  where VMWarePlayer copies the files from the VM Guest, and from there it copies to the destination directory in the host OS.

image

My Operating System drive C: was full, and I had to clear the temp directories and free up some space to do 5 GB copy operation from WMWare Player Guest Kali Linux to Windows Host.

Written by gmaran23

March 3, 2017 at 6:30 pm

Getting hackazon up and running on Wamp on Nov 2016

leave a comment »

Following the steps described here will most likely help in fixing the error messages and issues below:

 

 

Of all the vulnerable applications from the OWASP’s vulnerable web applications directory, Hackazon is up to date with the latest technology stack and customizable vulnerabilities. It’s is a great choice to learn and teach ethically hacking today’s web applications. As of today, although the project on GitHub reports an update nine months ago, the application still uses recent web technologies to that we can learn hacking like it is 2016. This article helps you set up hackazon on a windows machine.

 

Things to be downloaded before we get started:

1. Hackazon User guide

Download from https://community.rapid7.com/docs/DOC-3452

Direct Download Link https://community.rapid7.com/servlet/JiveServlet/downloadBody/3452-102-3-8267/Hackazon_User%27s_Guide.pdf

 

Alternative like to the Original Hackazon user guide (in case the link above goes dead) – https://renouncedthoughts.files.wordpress.com/2017/02/hackazon_users_guide.pdf

 

2. Wamp server

http://www.wampserver.com/en/

 

Here’s the story

I had a Wamp installed on Nov 2014 and I tried using the same Wamp server for hackazon deployment. After following the instructions on the user guide, and going to a browser, hitting http://hackazon.lc the install page came up, and after you put the credentials for the MySQL user hackazon, and hit the Next Step button, the page would load the same page over and over again. So basically I was stuck at the first step of the wizard where you supply the administrator credentials. [Bug #5 filed at “Installation – unclickable buttons "next step" ” https://github.com/rapid7/hackazon/issues/5]

I tried everything in the Hackazon User Guide (here after referred to as the user guide) on a Kali linux machine, set up went smooth, just as described in the User Guide and the site was up and running in no time. It was happiness to see the second step of the installation page where you provide the MySQL database credentials.

Though I cant technically confirm if the older version of Wamp was the cause of bug # 5. My guess was may be to reinstall the Wamp to a recent version on a window machine and try the same steps as the user guide. And it indeed, helped me get over the bug # 5.

For Windows, the User Guide describes installation on Wamp 2.some version. However the current stable version available for release is Wamp 3.0.6 at the time of this writing. So something in MySQL changed, some things in Apache changed and hopefully this post will help you fill the gaps between the Hackazon User guide and the recent changes to the Wamp.

 

1. Download Wamp server

http://www.wampserver.com/en/

clip_image002

Please ensure your computer has the recent version of VC++ Runtime. If you want to install the VC++ runtime to the recent version, either have it done via Windows Update, or download it from the Microsoft website as recommended by the Wamp servers download page (as in the screenshot above). It is so important for Wamp to function properly that they have even updated their installation agreements during the installation wizard to reflect the installation and update of VC++ runtime. I had to download VC++ runtime for Visual Studio 2015 here at https://www.microsoft.com/en-in/download/details.aspx?id=48145.

Ok. Install Wamp. Pretty straight forward installation, go with the defaults.

This is the current Wamp installation on my computer right now.

clip_image004

2. Download Hackazon source code

https://github.com/rapid7/hackazon

Head over to the hackazon source code download page at github and download a zip of the hackazon source code.

clip_image006

Have them zip file contents extracted to c:\home\hackazon

clip_image008

3. Rename db.sample.php to dp.php

Head over to C:\home\hackazon\assets\config and rename the file db.sample.php to db.php

clip_image010

4. Create hackazon db and username in MySQL console

Open ‘MySQL console’ from the Wamp server system tray.

clip_image012

Press Enter on the ‘Enter password’ prompt if you did not create a MySQL root account password, which is the default during installation. Or if you had created a password for your MySQL installation, authenticate.

clip_image014

Enter the below query to create a database named hackazon.

create database hackazon;

 

Enter the below query to create a user named ‘hackazon’ and give it a password. In the screenshot below and in the query below, admin123!  is the password, feel free to choose your favorite.

The password you provide here is important as you would need it on the first step of the Hackazon Installation wizard.

GRANT ALL ON hackazon.* TO hackazon@’localhost’ IDENTIFIED BY ’admin123!’;

clip_image016

After this step, if you are curious, only if you are, head over to phpMyAdmin (from the Wamp Server system tray), login with your root server credentials, to see a database named hackazon, and a user named hackazon. Or just imagine, if the above two queries worked fine, a user name and a database named hackazon would have been created.

clip_image018

Do a restart by selecting Restart All Services from the Wamp server system tray menu.

clip_image020



5. Configuring or Verifying Apache’s default port

Open apache’s httpd.conf file. From Wamp Server System tray  -  Apache  – httpd.conf

clip_image022

Search for the word Listen, and ensure Apache listens on port 80. I tried changing it from the default settings and tried to configure Apache to run on 7070 port, and hackazon kept giving me 400 Invalid Referrer error message, I couldn’t find out why. So I reversed back to the default settings.

Tip: Let’s try to configure Apache on the default port 80.

If you have Skype or IIS, running on port 80, change them, at least for now to give hackazon a preference to run on apache’s port 80.

clip_image024

Also, search for ServerName and verify if Server localhost also says port 80. I honestly do not know what this for, read the description and figure out. For now, all we are trying to do is configure apache to run on port 80.

clip_image026

6. Configuring the hackazon website set up

Open apache’s httpd-vhosts.conf file. From Wamp Server System tray  – Apache  – httpd-vhosts.conf

clip_image028

Copy paste the below contents of the httpd-vhosts.conf file in to your httpd-vhosts.conf file.

# Virtual Hosts
#

<VirtualHost *:80>
ServerName localhost
DocumentRoot c:/wamp64/www
<Directory "c:/wamp64/www/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
Allow from all
</Directory>
</VirtualHost>

#

<VirtualHost *:80>
ServerName hackazon.lc
DocumentRoot "c:/home/hackazon/web"
<Directory "c:/home/hackazon/web/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
Allow from all
</Directory>
</VirtualHost>

 

clip_image030

Save the file. The vhost settings provided above is good enough to even access http://hackazon.lc from another machine on the LAN.

7. Edit Windows hosts file to bind hackazon.lc to loopback address

C:\Windows\System32\drivers\etc open hosts file with administrative privileges and add the below entries

 

127.0.0.1 hackazon.lc
::1 hackazon.lc

8. Restart DNS service from wamp server tools (right click wamp server from system tray)

clip_image032

After Restarting DNS, Restart All Services from wamp server from system tray.

This is all is required to start hackazon installation wizard. For the first time you hit http://hackazon.lc, you will automatically be redirected to the installation wizard.

9. Final tinkering

If you just go with this set up and continue with the Installation Wizard, on step 4 – the final step of the installation wizard will give you an error message as below:


Error 42S02: SQLSTATE[42S02]: Base table or view not found: 1146 Table ‘hackazon.tbl_product_options_values’ doesn’t exist”.


There is also a bug filed for it. [Bug #9 Database problem https://github.com/rapid7/hackazon/issues/9]

clip_image036

After digging and digging and executing the contents of the db.sql file at C:\home\hackazon\database manually at phpMyAdmin Sql console, it occurred that the default value given for the timestamp data type is not supported by MySQL anymore or you would need to turn off date zero validation for the query execution.

clip_image038

To fix, add the below line at the very top of the db.sql file in C:\home\hackazon\database and save the file.

SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='ALLOW_INVALID_DATES';

 

Now, for one last time, Restart All Services from the Wamp server system tray.

10. Navigating through the Hackazon installation wizard

Open a browser and hit http://hackazon.lc

1.

You will be redirected to http://hackazon.lc/install

Provide the admin123! password, that is the one we typed in the MySQL console. Hit Next Step.

clip_image040

2.

Provide the same password under the Password field, and hit Next Step

admin123!

clip_image042

3.

Leave the defaults, hit Next Step

4.

Leave the defaults, hit Install

In a couple of seconds, you should be automatically redirected to http://hackazon.lc

clip_image044

Basically, that’s it. The hackazon user guide has more information on how to use the vulnerabilities configuration and other things that are specific to the hackazon application itself.

10.1

Just to do a walk through, hit http://hackazon.lc/admin, provide user name as admin and password as the password we entered in the MySql console admin123!

Navigate to Vulnerability Config, and choose account from the drop down. Or simply hit the url – http://hackazon.lc/admin/vulnerability?context=account

clip_image046

to see an error page as below:

clip_image048

To fix, click Wamp Server system tray icon  -  PHP   -   php.ini

clip_image050

Go to the very end of the php.ini file and comment out the zend_extension line by adding a semi colon ; in the front.

Save the file. Restart All Services.

clip_image052

10.2

If you want to access http://hackazon.lc from another computer (let’s say ‘X’) on the same Local Area Network (LAN), Open drivers/etc/hosts file on computer X and add the ip address of the hackazon.lc to point to hackazon.lc.

For every computer on the LAN, modify their windows hosts file to point hackazon.lc to the Wamp servers ip address.

That’s how I set up hackazon and got it working. Do you have similar experiences?

Written by gmaran23

February 21, 2017 at 11:40 pm

Creating a virtual machine in Schuberg Phillis Cosmic Client / Apache Cloudstack for the first time

leave a comment »

 

Let’s say you want to create a virtual machine with Apache Cloudstack or an IAAS provider like SchubergPhilis that has a Apache Cloud Stack based client called Cosmic Client. Follow the instructions below:

I am not going to explain in words, but the pictures below, point you to places you need to click and edit. If any of the settings below don’t work, chances are that you might have chosen an incorrect VPC, Tier, offering, feel free to reach our to your cloud provider for assistance.

 

1. Let’s start by adding a VPC, that is a Virtual Private Cloud.

image

2. Give it a Name, Choose a Zone, Super CIDR (the subnet range within the Virtual Private Cloud), and a VPC offering as advised by your cloud provider.

image

 

3. Once the VPC is created, click on Create network to Add new tier.
Give it a Name, Choose a network offering, provide the gateway address, a subnet mask.

image

 

4. Once the Tier is created, Click on the Virtual Machines, to add a new VM.

image

5. Next screen, click on Add Instance

image

6. Select a zone. Choose either ISO or Template. Choose ISO, if you would like to use an ISO image as bootable media and install the Operating System yourself. Choose Template, if you would like to choose from preinstalled Operating System VM templates.

We are going to choose ISO for this example.

image

7. Choose an ISO image.

image

8. Choose the amount of RAM, CPU from the available offerings.

image

9. Choose the required HDD size.

image

10.

image

11. Give an IP address for this machine

image

12.

image

13. Give a hostname and hit Launch VM

image

14. Once the VM is created, Click the View Console icon to access the running VM

image

15. Your VM is ready, you can start installing and perform the required work.

image

 

In case you get any Network Errors during the creation of VPC, or Tiers, ask your IAAS Cloud provider for assistance.

Written by gmaran23

February 21, 2017 at 4:37 pm

Troubleshooting Remote VPN and Internet access at the same time

leave a comment »

 

 

Issue: When connected to Remote Access VPN, internet cannot be reached because of IP routing conflicts

Solution: Enable Split Tunneling for the VPN connection, and add routing for the IP addresses on the device

 

On a Windows 10, When Remote VPN is connected, internet disconnects. Let’s say, 192.168.20.123 is an IP address on the VPN. In the screenshot below, when internet is connected, google.com pings, however 192.168.20.123 doesn’t ping. Expected behavior because we are not connected to VPN yet.

 

image

When Remote VPN connectivity is established, the internet goes off, and the VPN machine starts pinging.

image

So, that’s the issue.

Solution

Step 1:

Disconnect the VPN.

Open Windows Powershell, and type in the command to enable Split Tunneling for the VPN connection.

Set-VpnConnection  -Name “TheVPNConnectionName” –SplitTunneling $True –PassThru

 

image

If VPN connectivity is attempted now, after the Split Tunneling change, notice the internet works, however VPN machine cannot be reached.

image

 

Step 2:

Add a persistent route for the destination.

We need four things to add a permanent route:

  1. The destination IP address [Eg: 192.168.20.123]
  2. Subnet mask [Eg: 255.255.255.255]
  3. Destination gateway [Eg: 192.168.20.1]
  4. VPN network interface id (route print command, and identify the Interface ID of the VPN connection)

[Eg: In the example below, the Interface Number for the VPN connection is 69]

image

 

Open a command prompt with Elevated Privileges, and type in the below command to add a permanent route to the destination IP address. For more IP addresses, repeat the command by changing the destination IP address.

 

route add –p 192.168.20.123 MASK 255.255.255.255 192.168.20.1 IF 69

 

Now, internet connectivity works as expected. If there is a request for 192.168.20.123 IP address which is on the VPN, then the route would go through the VPN interface.

image

That’s it.

Written by gmaran23

February 21, 2017 at 3:32 pm

The love and trust affair

leave a comment »

 

December 1, 01.15 AM IST

I can’t express how much I love you these days
I wish it was it was only the sex, we had to haste
The moment I gave you a place in my heart
Every time we fought it ripped me to shrapnels apart

I don’t like anger, neither do you?
But I can’t control, the way I am, can you?
You don’t understand how much I love you
You have deep trust paranoia, sad but true

I threw away things that I ever cared for
You misunderstand me, you tell me to fuck off
Be careful next time what you say
Words that hurt, put me in ceaseless dismay

Hell, I can’t fucking count the number of stars
As my body, you left me with so many scars
You asked me to write a poem for you the times we met
Here I am, pouring down my feelings, I am now a whiskey’s pet

You think I am drunk, you think you can blame me
Well, I am slam dunk, you still can’t assume me
I am a man of duty, pride and honor
In love’s court, I plead not guilty your honor!

Past is past, and the past is done, can’t be undone
You can’t recover what’s been said and done
Either we live in the dark, worrying about shattered dreams
Or start a new life spark, with new joyful schemes

I sorry I can’t be like your father or him
I am me! It’s our ego, we both need to trim
At least I have the to courtesy to accept my mistakes
If you confide in me, I don’t have to say you manipulate

Where there is anger, there is intense love
Its fear you monger, allow me to exalt you above
Remember, you used to ask me, "Who am I to you?!"
You realize now, how desperately I am the one who needs you?!

No matter what happens, we are family, we never leave the house
We stick together through our bitterly woes, my spouse
They say two same poles repel each other
We two similar souls, I wonder, can we propel together?

I know, I should learn to treat you better
I am learning, trying hard, and I never regretted
Seems like true care and affection are hard to come by
I happen to think, in my mind they are naturally imbibed

I don’t boast, I am the best you will ever get
I wanna be your dawn to dusk from the sun rise to set
What about my dreams of having kids with you?
You wanna give up, Damn, I thought you thought so too.

Hey baby, don’t you worry, what are you afraid of?
When you have our love to be proud of?!
It’s our life, we gotta live for ourselves
But at first, You gotta start believing in thyself

If I lived for people that will say whatever they say?!
Fuck the society, every fucking dog has its fucking day
You suffer people bitch; you live well, people still bitch
Think, do we have to be their bitch, you bitch?

Baby, I cry when your face strikes my mind
Like it rains, when lightning strikes, so the sky whined
You probably got the same feelings like I do
I object, your claims that you love me more than I do

End of day, it boils down to whether you marry me or not
What will I do, if I don’t tie you the knot?
I gotta ask your parents, how they made you so hot
Especially in bed, when you bring all your naught

You weren’t brought up like me, I will do my best
But, when I am off the edge, you gotta learn to adjust
My mom, your mom, my father, your father
They don’t matter to me anymore as they are farther

I am tired of people around you bleeding you dry
When you run out of money, guess what? They sigh
All our dreams comes don’t come true like in a story book
In real life, you gotta little bit broaden your outlook

I get angry cause it’s about your wellbeing I care
Don’t you question my love and trust, don’t you dare!
I recon I have to be an even kinder man
Or what’s the difference between me and a garbage can?

It’s the love we need to cherish
Not the arguments that will let us perish
None of my words here are meant to piss you
You don’t trust me? hah! I still miss you

It’s surprising that I let another girl become my priority
Sometimes I feel I loaned myself some hypocrisy
Like I don’t follow what I preach
Then I realize, it’s my code, I breached

My love is pure like the orgasm we have, you know it
Thank you for loving me back, to you I owe it
I can’t hold on to my leash when you are naked
Our sexual hormones we unleash, we become sacred

We always fight about our possessiveness, and forgiveness
But now you starting to question my trust, my highness?
I am sitting here thinking about the taint spew on my trust
Labelling me to be stingy and causing unrest

You think its money after all to me that’s important
Let alone my compassion, let it lay dormant
You think I don’t trust you for the loan money
It’s funny, retrospect, is that all you understand me, my honey?

Who should you give money or not? Wishing well for you is my fault?!
When you finger it as my shortcoming and start an assault
My actions may be frenzy, do you fail to see my intentions?
I don’t give up, though I am fed up of these tensions!

The day we give up, our family dies
Worse than a corpse fed by maggot flies
It’s our relationship, we respect
If we are true, ain’t no room for suspect

There is nothing wrong in saving for oneself and being selfish
Though I don’t mean we become scavenger fetish
It’s time we start saving for our marriage
And correct the abortion and all the papaya miscarriage

You like a flower that is soft to even fondly touch
Am I a gardener, not qualified to owe you as such?
I don’t want you be my next failed episode
Hence I write you and dedicate my profound ode

Tit for tat, ain’t gonna make our bonding work
I bash, many times I know I too can be too curt
Will I ever get another partner like you miss?
I still beg you pardon I promise

I know I hurt you too, that’s why I said I am a hypocrite
I want to apologize too, and express my plight
I pretty much had to say what I had in mind
In time you will comprehend the true meaning of my rhyme

-rotandripe

 

Written by gmaran23

December 1, 2016 at 1:16 am

Posted in literature, love, poems, quotes, rage

Tagged with , , , ,

Test from writer

leave a comment »

test

Written by gmaran23

November 21, 2016 at 12:03 am

Posted in Uncategorized

that delicious lamb meat

leave a comment »

That roasted lamb’s a delicacy
It’s parents would have made it with love
Well, they made love, hence the meat

And that exotic sauce on ’em for your taste buds
The chef should have made it with love
Well, he made love, hence the sauce

-rotandripe

Written by gmaran23

October 6, 2016 at 5:56 pm

Powerful and contextual sentences for the Constellations activity

leave a comment »

 

During the Coaching Agile Teams training by Michael Hammond, and Michael Spayd, we explored ways of using the Tribes, Constellations, and Explorers activity at different situations. Today I tried the tribes and constellations activity with a team with the below questions to get started with, to get a sense of the team’s dynamics before I started coaching the team.

  • I feel good when someone tells me what to do
  • I feel comfortable when someone teaches me
  • I am afraid of failures, it hurts
  • I am afraid of failures, it hurts, but it brings the best out of me
  • I am committed to my team, not to my tasks
  • I do not like feedback from others
  • I sometimes encourage feedback from others
  • I voluntarity believe in asking feedback from others for my improvement
  • I do not like cofessing my mistakes to my team because it makes me feel insecure
  • I like confessing mistakes to my team because I am trying to elicit help
  • I like to create best customer experience and I do not know how to do it
  • I like to create best customer experience and I know exactly what needs to be done
  • I have feedback for some team members but I am afraid to tell them because they once did not receive the feedback well
  • I gave feedback for some team members but I do not know if they are working on it
  • Sometimes I do not know if we are transparent at all
  • Sometimes I do now know if we are transparent enough

Written by gmaran23

October 20, 2015 at 7:23 pm