Thursday, 16 May 2019

Top 10 Web Application Security Risks

Injection

Injection flaws, such as SQL injection, LDAP injection, and CRLF injection, occur when untrusted data is sent to an interpreter as part of a command or query, so that the attacker's input is executed as code rather than treated as data.

* Application security testing can easily detect injection flaws. Developers should use parameterized queries when coding to prevent injection flaws.

Broken Authentication and Session Management

Incorrectly configured user and session authentication could allow attackers to compromise passwords, keys, or session tokens, or take control of users’ accounts to assume their identities.

* Multi-factor authentication, such as FIDO or a dedicated authenticator app, reduces the risk of compromised accounts.

Sensitive Data Exposure

Applications and APIs that don’t properly protect sensitive data such as financial data, usernames and passwords, or health information, could enable attackers to access such information to commit fraud or steal identities.

* Encryption of data at rest and in transit can help you comply with data protection regulations.

XML External Entity

Poorly configured XML processors evaluate external entity references within XML documents. Attackers can use external entities for attacks including remote code execution, and to disclose internal files and SMB file shares.

Broken Access Control

Improperly configured or missing restrictions on authenticated users allow them to access unauthorized functionality or data, such as accessing other users’ accounts, viewing sensitive documents, and modifying data and access rights.

Security Misconfiguration

This risk refers to improper implementation of controls intended to keep application data safe, such as misconfiguration of security headers, error messages containing sensitive information (information leakage), and not patching or upgrading systems, frameworks, and components.

Cross-Site Scripting

Cross-site scripting (XSS) flaws give attackers the capability to inject client-side scripts into the application, for example, to redirect users to malicious websites.

Insecure Deserialization

Insecure deserialization flaws can enable an attacker to execute code in the application remotely, tamper with or delete serialized (written to disk) objects, conduct injection attacks, and elevate privileges.

Using Components with Known Vulnerabilities

Developers frequently don’t know which open source and third-party components are in their applications, making it difficult to update components when new vulnerabilities are discovered. Attackers can exploit an insecure component to take over the server or steal sensitive data.

Insufficient Logging and Monitoring

The time to detect a breach is frequently measured in weeks or months. Insufficient logging and ineffective integration with security incident response systems allow attackers to pivot to other systems and maintain persistent threats.

Sunday, 6 January 2019

Getting Available Server Disk Space (Total Size / Free Space) SQL Query

-- Requires VIEW SERVER STATE on the instance (sys.dm_os_volume_stats is a server-level DMF).
-- sys.master_files lists every database file; CROSS APPLY resolves each file to its volume,
-- and DISTINCT collapses the many files per volume into one row.
SELECT DISTINCT
    vs.volume_mount_point,
    vs.total_bytes / 1048576            AS Size_in_MB,
    vs.total_bytes / 1048576 / 1024     AS Size_in_GB,
    vs.available_bytes / 1048576        AS Free_in_MB,
    vs.available_bytes / 1048576 / 1024 AS Free_in_GB,
    (vs.available_bytes / 1048576 * 1.0) / (vs.total_bytes / 1048576 * 1.0) * 100 AS FreePercentage
FROM sys.master_files AS f
CROSS APPLY sys.dm_os_volume_stats(f.database_id, f.file_id) AS vs
ORDER BY vs.volume_mount_point;


Saturday, 28 July 2018

Find Largest Element of an Array using Function in Python

# Find Largest Element of an Array using Function

# Python function to find the maximum
# in arr[] of size n
def largest(arr, n):

    # Initialize the maximum with the first element
    max_value = arr[0]

    # Traverse array elements from the second
    # and compare every element with the
    # current maximum
    for i in range(1, n):
        if arr[i] > max_value:
            max_value = arr[i]
    return max_value


# Driver code
arr = [0] * 100

n = int(input(" Enter total number of elements (1 to 100): "))

for i in range(n):
    # Convert to int: comparing the raw input strings would order "9" above "10"
    arr[i] = int(input(" Enter Number for index {0} ".format(i)))

Ans = largest(arr, n)
print("Largest in given array is", Ans)


   


Thursday, 26 July 2018

Swap two variables without using third variable in Python

# Swap two variables without using a third variable in Python

a = float(input(" Please Enter the First Number: "))
b = float(input(" Please Enter the second number: "))

print('First Number {0} Second Number {1} '.format(a, b))

# Arithmetic swap: after these three steps a holds the old b and b the old a.
# With floats of very different magnitude the sum can lose precision;
# the idiomatic Python form is simply  a, b = b, a
a = a + b
b = a - b
a = a - b

print('After Swap First Number {0} Second Number {1}'.format(a, b))



Wednesday, 25 July 2018

Two Number Sum in Python

# Simple Python program to Add Two Numbers

number1 = input(" Please Enter the First Number: ")
number2 = input(" Please Enter the second number: ")

# Using the arithmetic + operator to add two numbers
# (convert the input strings first, otherwise + would concatenate them;
#  'total' is used rather than 'sum' so the built-in is not shadowed)
total = float(number1) + float(number2)
print('The sum of {0} and {1} is {2}'.format(number1, number2, total))



Thursday, 12 April 2018

Track your Facebook login attempt


Facebook provides a feature which allows you to see all active sessions from different devices and apps, together with when each was last accessed, from where, and from which device type. In most cases that is enough information to spot any suspicious activity.

This also comes in handy if you logged in to your friend's computer or on some public laptop, but forgot to log out.

To check whether someone is logged into your Facebook account without your permission:

Go to your Settings page.
Under Security and Login you'll see the link "Where You're Logged In."

There you will find all your active Facebook logins from desktop or mobile, with the location, browser and device for each. If something seems fishy, you can "end activity" for an individual device or for all of them. After that, the device or app can no longer access your account without your password.

Also keep in mind that the location shown in the report may not be accurate: it is derived from the IP address, so it sometimes shows the gateway location of your internet provider, which may be somewhere else entirely. Check the browser and device information for the session to confirm whether it was really an unauthorized login.

Wednesday, 4 April 2018

Convert AM/PM time to 24 hours format C#

Converting a C# "hh:mm tt" (12-hour) time to 24-hour format


using System;
using System.Globalization;

var cultureSource = new CultureInfo("en-US", false);   // input uses the 12-hour "hh:mm tt" pattern
var cultureDest = new CultureInfo("de-DE", false);     // de-DE short time pattern is 24-hour "HH:mm"
var source = "03:00 PM";

var dt = DateTime.Parse(source, cultureSource);        // parse with the culture that matches the input
Response.Write(dt.ToString("t", cultureDest));          // "t" = short time pattern of cultureDest, e.g. 15:00

Upload valid file in C#

    protected bool CheckFileExtandLength(HttpPostedFile HtmlDocFile)     {         try         {             Dictionary<string, byte[]...