Email notification service-email Bombing-example

Now a days every app has a module for notifying users through email. The same email module/service when written less carefully can lead to serious misuse by the attacker. Attacker can spam the inbox of any user when the app is vulnerable to this issue. Below is the example of vulnerable webapps test with explanation.

Suppose the reset password functionality is vulnerable to email bombing.

url – https://example.com/lost-password

Open it and you see a form to notify you by email. try putting email and send. Monitor and capture the request.

For now i take below headers:

POST /lost-password HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://example.com/lost-password
Cookie: lang=en; xyz
Connection: keep-alive
Upgrade-Insecure-Requests: 1

POST data
action=send
email=test@test.com

Looking at the header and body , we can see that their is no way for the web server to track user or to validate the genuine request. So we can replay the same request with different POST data using any client.

Continue reading

New and enhanced feature in JDK family [covered jdk 1.5 to 1.8]

What’s new in JDK 1.5 over 1.4 !

1. Generics {Compile}
2. Annotations {suppress ,override, deprecated….}
3. Enumerations
4. Variable arguments{void test(String…)}
5. Changes in concurrency utilities.Now includes high-level concurrency APIs.{ java.util.concurrent}
6. Autoboxing and Unboxing
7. Static imports {less keystrokes/time and the same outcomes.}
8. forEach loop {Beautify the existing for loop usage while iterating over collections}

Continue reading

Form submission using LifeRay MVC

Came around a task to raise Jira tickets and view existing Jira tickets using Liferay Framework. Started with creating two POC.

First POC is Portlet with Task submission that goes directly into schema on MYSql using Liferay MVC.

Covered:
Liferay Portlet Form
Liferay MVC Data Layer with MYSql

Project structure screenshot at the bottom.
Lets Create a new Portlet named IssueLiferayMVC.
Follow link to create one. Creating a new Portlet

 

Lets create jsp form containing inputs related to a task/Bug. Make the entries by replacing view.jsp with raise_issue.jsp

Continue reading

Switching from HSQL to MySQL or any other DB in Liferay

Lets Switch from existing HSQL to MySQL.

Simplest way of switching database is to use a property file named portal-ext.properties.Way to override the existing features can be written into this file.

Go to Liferay tomcat directory->WEB-INF->classes. Their you find the file portal-ext.properties.
In case you don’t find it,create a new file named portal-ext.properties.
Add the below database configuration parameters to run LFRay on MySQL.

Continue reading