ONE$ && ZER0$

What is RMI?  RMI stands for Remote Method Invocation. It is an application programming interface (API) that allows an object running on one Java Virtual  Machine (JVM) to invoke methods on an object running on another Java Virtual Machine (JVM), client server architecture is a good example where RMI is used. Basically, RMI provides for communication between programs written in the Java programming language. Architecture  In an RMI application there are two programs, a server side program and a client side program. Inside the server side program, a remote object is created and reference of that object is made available for clients. The client side program requests the remote object from the server to invoke its methods.  (A diagram to represent RMI architecture) Stub & Skeleton? Stub is a representation the remote object in the client and its acts as a gateway for the client program. Skeleton is the object that in the server-side. stub communicates with

What is HTTPS?.. if you don't have any idea about what is HTTPS, refer my previous blog post about HTTPS . If you have an idea about HTTPS and SSL/TLS handshake, you are good to go 😊  Creating a digital  certificate We can create a digital certificate using "Java KeyStore (JKS)". This is a repository of security certificates. We can generate a keystore file using keytool command. in order to work with keytool, you must have "JAVA" installed in your computer.  keytool is a key and certificate management utility that allows users to administrate their own public/private key pairs, and the keystore file we are going to generate bellow will also be our local tomcat server's server certificate.   Options  When creating a "keystore", we need to provide some options and values to it. -genkey/-genkeypair -alias  -keyalg  -keystore  -keysize -validity -sigalg -storepass -keypass -dname  -genkey/-genkeypair -genkey

What is HTTPS? HTTPS stands for "Hypertext Transfer Protocol Secure" . This is an extension of Hypertext Transfer Protocol (HTTP) for secure communication over a computer network. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or Secure Socket Layer (SSL) . Here servers and clients are still using HTTP to communicate with each other, but over a secure SSL connection that encrypts and decrypts the client-server requests and responses.  SSL ensures that all the requests and responses are directed to the legitimate destination and from a legitimate source, and also it ensures that only a legitimate server or a client can view the content of a request/response. Eavesdroppers will monitor the traffic, but they will not be able to read the content in the traffic since its encrypted. How SSL Works?  A Secure Socket Layer connection between client and server initiate with a "handshake". The goal is to satisfy the cli

I previously explained what is CSRF  and how we can mitigate a CSRF attack using Synchronizer token pattern technique. In this blog post I'm going to talk about another CSRF mitigation technique called "Double Submit Cookies Pattern"  😉 What is Double Submit Cookies Pattern? This is a technique, that sends a random seed or a "token" as we call it, in both a cookie and as a request parameter, with the server verifying if the cookie value and the request value match. Why DSCP? Now its obvious that a third party entity cannot perform a CSRF attack without the CSRF token, and in here attacker or the third party entity cannot get the token because its in a cookie, and third party web pages cannot retrieve cookies from another web page that has a different domain. For example, assume that the genuine web page is banker.com, and the attacker's web page is attacker.com, when a user logged in to the banker.com, and accidentally redirect to attacker

AJAX, short for Asynchronous Javascript And XML is a set of web development techniques that allows web pages to be updated asynchronously by exchanging data with a web server behind the scenes. This is simply a modification of a web page, without reloading it. In modern implementations, developers commonly utilize JSON instead of XML due to the advantage of JSON being native to javascript. AJAX is not a programming language, but a combination of browser build in XMLHttpRequest object, Javascript and HTML.  So in this word AJAX, as i previously mentioned, it means " Asynchronous Javascript And XML". In here, Asynchronous means, in the background or not requiring a page refresh. You all know what's "Javascript" means 😅. XML is a data format that very similar to JSON.  So, as i mentioned earlier, modern development is using JSON rather than XML when it comes to AJAXs. So I guess we can call this as AJAJ - Asynchronous Javascript And Jason,  because

In the previous blog post about cross site request forgery AKA CSRF , I discussed about the basics about CSRF, what it does and some mitigation techniques. Among those techniques, in this blog post I’m going to talk about the Synchronizer Token Pattern and its flow when exchanging CSRF token. What is Synchronizer Token Pattern? This is a technique where a unique secure string value, also known as a CSRF token, will embedded by the web application in all HTML forms and verified on the server side in each state changing requests. The token may be generated by any method that ensure uniqueness, unpredictability and security so that any attacker would not be able to place the correct token along with the request. Why STP? A third party attacker cannot perform a CSRF attack, because cross domain AJAX calls are not possible. This means, the victim is in banker.com, and attacker.com cannot request the CSRF token  from the server via an ajax, because the domain doesn'

What is this? ❓ Cross-Site-Request-Forgery in simple terms CSRF is an attack type that forces users to execute unwanted actions on a web application (typically a web page) in which they are currently authenticated. CSRF attacks specifically target state changing operations. An attacker can trick legitimate users of a legitimate web application into executing actions of the attacker’s choosing. A successful CSRF attack can perform state changing requests like transferring funds, changing statuses and so forth. A CSRF attack inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf. For most sites, the web browser request any credentials associated with the site, such as the user’s session cookie and all. Therefore, if a user currently authenticated to a site, the site cannot identify the difference between the legitimate requests sent by the victim and forged requests sent by the victim. (Attacker's request) For