Email: info@zenconix.com

Project without planning and framework…



Visit Site:

Overview

This article is all about use framework, get its benefits, and minimize work of the developer.

Currently I am working on one project. Project is in the banking domain. For banking domain, the first thing that one need to focus on the security and functionality rather than the design (UX). But in our case, due to some management decisions and less communication in between client and manager.

The most important thing in software development life cycle is communication. If communication is poor then project may take a long to complete. Anyways our main topic is to whether to use framework or not and when?

Using any framework for project is not mandatory but it is very useful when we want to develop any project in given span of the time or we can say that, in little span of time.

There can be lots of benefits of using framework, one can get it from google. But the question is how development is get faster when one use framework.

We will see this by taking one example.

Let us consider the scenario that, we are working on some project. Let’s named it as “WebAuth”.

WebAuth is simple project which just have very good GUI and will be used to provide authentication to user. First we will see that what are the problem we will face if we not use any framework. It’s plane and simple project created with basic technologies like HTML, CSS, JavaScript and AJAX.

So the project structure we can imagine, will be something like this.

WebAuth

-HTML

-CSS

-JavaScript

-Common files

Here HTML folder will contain all HTML files, CSS will hold all CSS and same for JavaScript and AJAX will be in JavaScript folder. Some common files which we required will be in folder named Common.

The project will work fine, but lots of efforts will be required if not managed this files properly. Because, CSS which will be using for the project, need to give reference path in all the HTML files. Which need to handle properly. This is not the case if project is in ASP.NET or PHP or any server side language. Because in case of asp.net we can have masterPage.master directly. This is not the case here because we don’t have any concept like master page.

One more important and common thing is that, generally software developer is not aware of the design. So one does inline CSS. Which is very much harmful.

If we follow this approach to develop a project, lots of management and properly structured data we have to put in the HTML file. One more thing, if the project which you are developing is banking or any e-commerce like project then you also have to take care of security in the project. Lots of headache here. So ultimately project tends to failure. And here framework comes in to the picture.  If we have proper framework ready to use then we just have put the content of the HTML files and use it accordingly. Let’s build our project with some framework. Let’s take Durandal framework. Which is pure JavaScript framework and gives you properly managed structure for project.

Modified folder structure will be something like this

-app

-Views

Will contain all the html pages.

-ViewModel

Will contain all the JS files.

-CSS

-lib

-bootstrap

-durandal

-font-awesome

-jquery

-Knockout

-require

-Index.html
This is proper folder structure for out project.

As we are using durandal, it is framework for single page application. So one more point to our site has been added that, our site is single page application site.

There will be CSS for only one page, index.html because all the pages in app/views will be run in the special div of index.html called “applicaitonHost”. So no need to apply css for all page. It will get applied automatically. (NOTE: all the pages in app/view will start from

tag and end at

tag only.

Now the thing what we have to consider are only XSS and XST. Which can be viewed at the my previous articles.

Conclusion-Proper framework gives you proper structured project. Less headache of css and managing files. So it is very good to use framework.

Features

Specifications

Preview

Cross Site Tracing and its Prevention (XST)



Visit Site:

Overview

Cross Site Tracing

XST

Summery

Cross Site Tracing (XST) enables an attacker to steal the victim’s session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim’s browser communicates to destination system’s web server. The attacker first gets a malicious script to run in the victim’s browser that induces the browser to initiate an HTTP TRACE request to the web server. If the destination web server allows HTTP TRACE requests, it will proceed to return a response to the victim’s web browser that contains the original HTTP request in its body. The function of HTTP TRACE, as defined by the HTTP specification, is to echo the request that the web server receives from the client back to the client. Since the HTTP header of the original request had the victim’s session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the attackers’ malicious site. XST becomes relevant when direct access to the session cookie via the “document.cookie” object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST.

If the system with which the victim is interacting is susceptible to XSS, an attacker can exploit that weakness directly to get his or her malicious script to issue an HTTP TRACE request to the destination system’s web server. In the absence of an XSS weakness on the site with which the victim is interacting, an attacker can get the script to come from the site that he controls and get it to execute in the victim’s browser (if he can trick the victim’s into visiting his malicious website or clicking on the link that he supplies). However, in that case, due to the same origin policy protection mechanism in the browser, the attackers’ malicious script cannot directly issue an HTTP TRACE request to the destination system’s web server because the malicious script did not originate at that domain. An attacker will then need to find a way to exploit another weakness that would enable him or her to get around the same origin policy protection.

A Cross-Site Tracing (XST) attack involves the use of Cross-site Scripting (XSS) and the TRACE or TRACK HTTP methods. According to RFC 2616, “TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information.”, the TRACK method works in the same way but is specific to Microsoft’s IIS web server. XST could be used as a method to steal user’s cookies via Cross-site Scripting (XSS) even if the cookie has the “HttpOnly” flag set and/or expose the user’s Authorization header. The TRACE method, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate users’ credentials.

How attacker can attack ?

A cross-site tracing attack combines a cross-site scripting (XSS) vulnerability – where an attacker injects malicious code into a link — and the HTTP TRACE method — hence the XST name. Most Web developers are familiar with the HTTP methods GET and POST, which send requests to and access information from a Web server, but there are several other less well-known methods, including TRACE.

HTTP TRACE asks a Web server to echo the contents of the request back to the client. The complete request, including HTTP headers, which can include sensitive information such as cookies or authentication data, is returned in the entity-body of a TRACE response. The request is primarily used by developers for testing and debugging HTTP applications and is available by default in most Web server software. One way to carry out an XST attack is to create a webpage which includes some JavaScript that contains the TRACE request. The JavaScript can then exploit any cross-domain vulnerability in a visitor’s browser to collect the cached credentials of any website, including those utilizing SSL.

Another more common method takes the JavaScript snippet containing the TRACE request and injects it into the vulnerable Web application. The JavaScript will be able to send the victim’s request headers, including cookie data tagged as “httpOnly” to the attacker. “httpOnly” is an extra parameter added to cookies, which hides cookies from scripts and is supported in most browsers; the TRACE method, however, can be used to bypass this protection. It is easy for an attacker, or system administrator, to test if a Web server supports the TRACE method

How to stop a cross site tracing vulnerability exploit ?

To prevent this type of attack, it’s essential that the PUT, DELETE, CONNECT and TRACE methods are disabled on your Web server as they all pose a potential security risk.

If an application needs one or more of these methods, such as REST Web Services (which may require PUT or DELETE), it is important to check that their usage is properly limited to trusted users and safe conditions. To disable HTTP TRACE support on an Apache Server, set TraceEnable Off. If you are running IIS and a Windows Server, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet your site’s requirements and security policy.

Referances

https://www.owasp.org/index.php/Cross_Site_Tracing
http://capec.mitre.org/data/definitions/107.html
http://www.computerweekly.com/tip/How-to-prevent-a-cross-site-tracing-vulnerability-exploit

Features

Specifications

Preview

Single Page Application (SPA)



Visit Site:

Overview

I am creating new project in sharePoint 2013 and client requirement was a single page application. Then I started searching for requirement of SPA.

It should satisfy following conditions:

1) Proper navigation and history maintenance.

2) Notification after complete operation.

And main is

3) Data Binding

So for develop this we can have 2 approaches first is that use separate javascript libraries for specific function or you can also use some existing javascript functions

we can use knockout.js for data binding operation

sammy.js for navigation and history maintenance

toastr.js for notification purpose

But this all things also can be done with some framework available

We can use 2 great framework for SPA

1) Anguler JS– can get more information here http://angularjs.org/

2) Durandal JS – http://durandaljs.com/

here the differance is that angular Js uses only jquery and if jquery fails to load then it uses its one JqLite file for all operation while Durandal Js uses 3 top library knockout.js for data binding, require.js for loading js file and jquery for UI rendering

durandal and angular

Its good framework. you will get more information for this here http://www.johnpapa.net/spa/

Features

Specifications

Preview