Open Source Vulnerability scanning tool to find JSON Injection issues - owasp

I have to do a vulnerability scan in our web application to find JSON Injection issues. I tried OWASP ZAP and Burp Suite but was not able to find the issues. Could anyone suggest a good open source vulnerability scanning tool where I can find JSON Injection issues?
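As an added illustration (not part of the original question and not code from ZAP, Burp or any other tool), the pattern a scanner has to detect: untrusted input interpolated into JSON text versus serialised with `json.dumps`, together with a round-trip check a unit test can run against any JSON builder. The two builders, the `structure_preserved` helper and the probe value are constructed for this example.

```python
import json


def build_unsafe(username: str, role: str) -> str:
    # Vulnerable pattern: untrusted input is pasted straight into JSON text,
    # so a quote in the input ends the string value and can add new members.
    return '{"role": "%s", "user": "%s"}' % (role, username)


def build_safe(username: str, role: str) -> str:
    # Hardened pattern: the serialiser escapes quotes and backslashes, so the
    # input can only ever be the value of the "user" member.
    return json.dumps({"role": role, "user": username})


def effective_role(document: str) -> str:
    # Parse the way a consuming service would. Python's json.loads keeps the
    # last occurrence of a duplicate key, which is what lets injected members win.
    return json.loads(document)["role"]


def parsed_user(document: str) -> str:
    return json.loads(document)["user"]


def structure_preserved(builder, username: str, role: str) -> bool:
    """Round-trip check: True only if the built document parses back to exactly
    the intended object. A quote-bearing probe exposes raw interpolation either
    as a parse error or as extra/overridden members."""
    try:
        parsed = json.loads(builder(username, role))
    except json.JSONDecodeError:
        return False  # the probe broke the document: input reaches the JSON text unescaped
    return parsed == {"role": role, "user": username}


# Constructed probe: a username that tries to append a second "role" member.
CRAFTED_NAME = 'alice", "role": "admin'


if __name__ == "__main__":
    print("unsafe builder ->", build_unsafe(CRAFTED_NAME, "user"))
    print("  effective role:", effective_role(build_unsafe(CRAFTED_NAME, "user")))
    print("safe builder   ->", build_safe(CRAFTED_NAME, "user"))
    print("  effective role:", effective_role(build_safe(CRAFTED_NAME, "user")))
    print("unsafe preserved:", structure_preserved(build_unsafe, CRAFTED_NAME, "user"))
    print("safe preserved:  ", structure_preserved(build_safe, CRAFTED_NAME, "user"))
```

The round-trip check is the part worth keeping: run it in the application's own test suite with a handful of quote- and backslash-bearing probes against every place that assembles JSON by hand, because a black-box scanner only sees the injection if the reflected document happens to be parsed somewhere visible.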

Related

Setting up workspace to build on Apache Atlas

I'm exploring options on open source data catalog tools which can provide metadata features like
Open source
Search and discovery
Lineage tracking
Tagging
I found Apache Atlas as a good candidate to start working on since it does not currently have connectors to Google Cloud Platform.
I've spent a lot of time on figuring out how the platform works but I need to understand how I can start writing connectors to support Google Cloud Platform. Is there any documentation to get started?
I went through the link https://atlas.apache.org/#/EclipseSetup, which talks about how to set up the environment to start in Eclipse, but I'm not aware of how to actually start building and testing the new code I'm thinking of writing.
I think there are a lot of components at play and I'm too much of a noob to get started on this.
TL;DR:
The detail I'm looking for is: once I write the code, how do I test that it will work after I package the application?

What is the need for and use of the Apache Felix Web Console bundle in Liferay 7.1?

I am new to Liferay and want to perform CRUD operations using Service Builder, so I want to understand the need for and use of the Apache Felix Web Console bundle in Liferay 7.1, so that I can use it to check the JSON/web service API.
I would say you are not looking at the right tool for the job.
The console enables you to interact with the OSGi framework. If you are looking to understand how Liferay uses the framework, a good place to start is not the console but the file system. The framework is embedded into the web app in order to provide the environment where bundles can live and provide services collectively.
Gogo is an auxiliary tool that enables interaction: you can query whether bundles are installed, check the dependencies that you missed, and see who is providing a certain service or exposing a package.
Most of the day-to-day information of this kind you can also find in the app manager and/or logs.
About testing your API, I assume you are looking to see whether it was installed, resolved and activated. The app manager can provide the first clue for this, but Gogo is an adequate tool as well; you will need to learn its commands and syntax. Do not worry, they are trivial; you can find a description on the Apache project's page and in Liferay's dev guide.
Now, if you are looking to test the API for correctness or availability, using Gogo will demand custom commands and lots of extra logic that other tools provide for you.

Bluemix: Can I scan a Java REST API using Application Security on Cloud?

I am planning to use Bluemix for REST API development using Java. I wanted to use Application Security on Cloud for scanning the application to eliminate security concerns.
Can I use it? Is there something more appropriate?
You can use the Static analysis feature of Application Security on Cloud to scan Java applications for security vulnerabilities. To accomplish this, a small utility needs to be downloaded to convert the application byte code files into an Intermediate Representation (IRX) of the code. This IRX file is uploaded to the server and scanned using trace analysis to find security vulnerabilities (the IRX file is encrypted to keep your data safe). IRX files can be generated using a small client command-line interface (CLI) that you need only download and extract to your local disk. In addition, you can run a small installer that adds static analysis plug-ins to Eclipse or Maven. Note that the Client Utility and cloud service versions must be compatible.
Take a look at Getting started with Application Security on Cloud for more information.

Unable to integrate CQ5.6.1 with Site Catalyst

I'm having difficulty in integrating AEM 5.6.1 with Site Catalyst. It allows me to connect in the configuration successfully, but does not work on the framework setup.
I've followed the standard procedure to connect AEM to SC and it accepts my login in the configuration, but fails on the framework setup with the browser message 'We were not able to login to SiteCatalyst. Please check your credentials and try again.'. Behind the scenes in the server log:
12.12.2014 14:10:06.967 *WARN* [0:0:0:0:0:0:0:1 [1418393406764] POST /libs/cq/analytics/sitecatalyst/service.json HTTP/1.1] com.day.cq.analytics.sitecatalyst.impl.SitecatalystHttpClientImpl Data center 'https://api3.omniture.com/admin/1.3/rest/' responded with errors {"error":{"code":500,"message":"Internal Server Error"}}
12.12.2014 14:10:06.967 *ERROR* [0:0:0:0:0:0:0:1 [1418393406764] POST /libs/cq/analytics/sitecatalyst/service.json HTTP/1.1] com.day.cq.analytics.sitecatalyst.impl.servlets.SitecatalystServlet Call to SiteCatalyst method 'Company.GetReportSuites' failed com.day.cq.analytics.sitecatalyst.SitecatalystException: not authenticated
I've tried accessing via the API Explorer and it works.
I've tried the troubleshooting guide without success.
I can log in to Site Catalyst, I'm an admin, I am in the web services access group.
I've tried using a clean install of CQ5.6.1 with geometrixx - it doesn't work either.
I've tried this from a server and from a localhost/dev machine with the same results. No proxy. I've even tried using the shared secret as the password but then it doesn't connect at all, and fails on the configuration screen.
What might cause this to fail?
If it doesn't work with a fresh install and Geometrixx, then it's probably an Adobe bug. That's typically the first thing support will ask you about.
I would also verify using Geometrixx Outdoors, or a more recent demo site, on your fresh install, just to ensure it's not an outdated ClientLib issue.
I know this isn't a direct answer to your question, but honestly, I would approach the integration differently. I've worked with the AEM-SC framework and it's buggy at best. It's very finicky, it doesn't REALLY work the way the documentation claims, and it requires that you're very specific about what Clientlibs are on the page.
Moving forward, I think using Adobe Dynamic Tag Manager is the better approach, for many reasons. My understanding is that it's Adobe's recommendation as well. I'd consider moving to that. In AEM 5.6.1, you'll have to customize your integration with DTM, but it's not very hard.
Solution: Add a property on the configuration node for SiteCatalyst (e.g. /etc/cloudservices/sitecatalyst/my-sc-configuration):
server=https://api.omniture.com/admin/1.2/rest/
It also seems to work with newer API versions such as https://api3.omniture.com/admin/1.3/rest/
It would appear that for 5.6.1 it ignores the OSGi configuration, at least for the configuration screens. With this extra property, the framework page loads without error and allows selection of the RSID.

Choosing the right build and deployment tools

I have a very large, mostly HTML/SSI site that I manage part-time and do weekly deployments on, in addition to being an enterprise Magento developer. The site in question has ~5000 static HTML files and requires a lot of upkeep to manage deployments.
In addition to that site, I manage numerous Magento installs. I currently manage them from SVN and do exports/checkouts from various production and qa branches/tags.
While this is manageable, I don't get some of the things that I know build tools provide. Some of those features would be:
Automatic Minification of CSS/JS
Revision History
Multi-server deployment
Runtime configuration
Stats of broken builds/build time/deployment frequency
Integration with Testing frameworks
The three tools I've been reviewing are
Apache Ant
phpUnderControl
Capistrano (at the insistence of a friend of mine who is a RoR dev)
I briefly looked at Hudson, and had a ton of problems trying to get it up and running.
My Questions:
What is the upside/downside of going to this type of strategy?
Any hidden pitfalls that you've experienced?
Which tool do you think would best fit for the deployment/management of the HTML site?
Does anyone have experience with deploying distributed Magento from a deployment/build management system?
Thanks in advance...
Update
Still no movement here, so I'm going to ask this:
Should I rather rebuild in HTML5 Boilerplate which has Ant build scripts out of the box? This would afford me the ability to use Ant, but the build scripts are already pre-made so I have a good starting point. Your thoughts and suggestions are welcome.
I've got one more tool for you to review: Jenkins (earlier: Hudson).
It's a great tool to run and control your builds. Furthermore, you can remote the console and get notifications via the Jabber protocol.