Friday, November 13, 2015

Security Testing with ZAP 2.4.2

Using ZAP 2.4.2 you can easily capture vulnerabilities in web applications. In this blog post my aim is to explain, step by step, how to do penetration testing with ZAP 2.4.2 to identify any vulnerabilities your site might hold.

Getting Started

Once you start ZAP you will see a Quick Start tab. Simply enter the URL of your web application and start the attack. ZAP will crawl through all the URLs that match the domain you have specified.


Once you start the attack ZAP will crawl through your web application and record all URLs from your domain. It will skip URLs that point to other domains. In the second step it will run different attack scenarios against the URLs it found and record the results.
As you can see, this quick start of entering the URL and running the attack is just a basic security check for your application. The spider only finds URLs that are linked from the initial page. To find more security vulnerabilities and do more thorough penetration testing you have to access more pages than the initial page.

For that you have to configure ZAP as a proxy, record whatever scenarios you want, visit whatever pages you want and build a ZAP test script as you wish.

Configure ZAP as Proxy

To do this you have to configure a proxy setting in your browser, and the same proxy port should be configured in ZAP. When you browse your web application from your browser, ZAP will listen and record the requests/traffic, and later on you can play back what was recorded as an attack.


How to Configure Your Browser to Use Proxy

Go to Firefox > Options > Network > Settings. Tick "Manual proxy configuration" and enter the proxy port (e.g. 8090). Tick "Use this proxy server for all protocols" and save.


How to Configure ZAP as Proxy

Open ZAP -> Tools -> Options -> Local Proxy. Configure the address and port on which ZAP will listen for requests.

Address: localhost
Port: 8090

Once you browse through the website ZAP will automatically record the traffic. In the Sites window you will find all websites and requests that ZAP recorded, broken down by domain.



Now you can click on Active Scan, selecting which site you need to attack. Once the attack is complete you can see the high, medium and low flags to identify the security vulnerabilities your site has.

Click on the ALERTS section to find out about the status of the alerts.


That's it. Hope this would be helpful.

Sunday, October 4, 2015

IDP initiated SAML2 SSO with WSO2 Identity Server

In an IdP-initiated use case, the identity provider is configured with specialized links that refer to the desired service providers. These links actually refer to the local IdP's Single Sign-On Service and pass parameters to the service identifying the remote SP. So instead of visiting the SP directly, the user accesses the IdP site and gets access to the remote SP.

Prerequisites

Steps

 

1. Enable IDP initiated SAML SSO for the Service Provider
2. Constructing the GET request for IDP initiated SSO
3. Constructing the GET request for IDP initiated SSO for Non Super Tenant Domain

Enable IDP initiated SAML SSO for the Service Provider 

To enable IdP initiated SAML SSO you need to tick the "Enable IdP Initiated SSO" check box in the SAML2 SSO issuer configuration (the SAML SSO Service Provider for travelocity.com, if you have followed SAML SSO with WSO2 Identity Server).



Constructing the GET request for IDP initiated SSO 

 

To construct the GET request you need to follow this pattern. You will be directly calling the IDP with the GET request.

https://{Hostname}:{Port}/samlsso?spEntityID={SAML2 SSO Issuer name given to the Service Provider created} 

If you are running Identity Server on localhost, port 9443, and your Service Provider issuer name is travelocity.com, the GET request will be as follows:

https://localhost:9443/samlsso?spEntityID=travelocity.com 

 

 Constructing the GET request for IDP initiated SSO for Non Super Tenant Domain 

If your SAML2 SSO issuer has been configured in a separate tenant other than super tenant, then you need to append the tenantDomain parameter as well.


Note that if, in travelocity.properties, you have changed the issuer specifically for the tenant domain by appending your tenant domain, you need to append it to the issuer in the GET request as well.

For example, if your tenant domain is ymc.com and you have changed the issuer in travelocity.properties to travelocity.com@ymc.com, you need to use that as the issuer in the GET request.

Example GET for tenant domain

https://localhost:9443/samlsso?spEntityID=travelocity.com@ymc.com&tenantDomain=ymc.com 

When you do the GET request, you will be directed to the IS login page.
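
The following is an added example, not part of the original post: it builds the IdP-initiated GET request for both the super tenant and tenant cases described above, and parses one back while checking the tenant-suffix rule from the travelocity.properties note. The /samlsso path, the spEntityID and tenantDomain parameters, travelocity.com and ymc.com come from the post; the function names are assumptions made here.

```python
"""Build and check the IdP-initiated SAML2 SSO GET request described above.

Added example, not from the original post.  The /samlsso path, the spEntityID
and tenantDomain parameters, the issuer travelocity.com and the tenant domain
ymc.com come from the post; the function names are assumptions made here.
"""
from urllib.parse import parse_qs, urlencode, urlsplit


def build_idp_initiated_url(hostname, port, issuer, tenant_domain=None,
                            tenant_qualified_issuer=False):
    """Return the GET URL a user follows for IdP-initiated SSO.

    tenant_domain is None for the super tenant (no tenantDomain parameter).
    tenant_qualified_issuer is True when travelocity.properties was changed to
    an issuer of the form issuer@tenant, so the same form must be sent here.
    """
    sp_entity_id = issuer
    if tenant_domain and tenant_qualified_issuer and "@" not in issuer:
        sp_entity_id = f"{issuer}@{tenant_domain}"
    params = {"spEntityID": sp_entity_id}
    if tenant_domain:
        params["tenantDomain"] = tenant_domain
    # '@' is legal unencoded in a query string; keep it readable as in the post.
    return f"https://{hostname}:{port}/samlsso?" + urlencode(params, safe="@")


def parse_idp_initiated_url(url):
    """Split an IdP-initiated SSO URL into (issuer, tenant_domain).

    tenant_domain is None for the super tenant.  Raises ValueError when the
    request does not follow the post's pattern: wrong endpoint, missing or
    repeated spEntityID, or a tenant-qualified issuer whose suffix disagrees
    with the tenantDomain parameter (the check itself is an assumption here).
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.path != "/samlsso":
        raise ValueError("request must target https://{host}:{port}/samlsso")
    query = parse_qs(parts.query, strict_parsing=True)
    if len(query.get("spEntityID", [])) != 1:
        raise ValueError("exactly one spEntityID parameter is required")
    issuer = query["spEntityID"][0]
    tenants = query.get("tenantDomain", [])
    if len(tenants) > 1:
        raise ValueError("tenantDomain given more than once")
    tenant_domain = tenants[0] if tenants else None
    if "@" in issuer:
        suffix = issuer.rsplit("@", 1)[1]
        if tenant_domain is None or suffix != tenant_domain:
            raise ValueError(
                f"issuer suffix {suffix!r} must match tenantDomain {tenant_domain!r}")
    return issuer, tenant_domain


if __name__ == "__main__":
    print(build_idp_initiated_url("localhost", 9443, "travelocity.com"))
    print(build_idp_initiated_url("localhost", 9443, "travelocity.com",
                                  "ymc.com", tenant_qualified_issuer=True))
```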


Saturday, July 11, 2015

How to Install a New Key Store into WSO2 Enterprise Store


You can create a new key store, get the public certificate signed, export the public certificate from the key store and import it into the trust store by following steps 1, 2 and 3 documented in the following blog - Hasini's Blog - Install a New Key store

After you have completed creating the new key store with the steps above, the next task is to configure WSO2 Enterprise Store to work with the new key store.

Change the Configuration Files

 

1. Change the carbon.xml in [Product_Home]/repository/conf


<KeyStore>
    <!-- Keystore file location -->
    <Location>${carbon.home}/repository/resources/security/mykeystore.jks</Location>
    <!-- Keystore type (JKS/PKCS12 etc.) -->
    <Type>JKS</Type>
    <!-- Keystore password -->
    <Password>mypkpassword</Password>
    <!-- Private Key alias -->
    <KeyAlias>mycert</KeyAlias>
    <!-- Private Key password -->
    <KeyPassword>mypkpassword</KeyPassword>
</KeyStore>

<RegistryKeyStore>
    <!-- Keystore file location -->
    <Location>${carbon.home}/repository/resources/security/mykeystore.jks</Location>
    <!-- Keystore type (JKS/PKCS12 etc.) -->
    <Type>JKS</Type>
    <!-- Keystore password -->
    <Password>mypkpassword</Password>
    <!-- Private Key alias -->
    <KeyAlias>mycert</KeyAlias>
    <!-- Private Key password -->
    <KeyPassword>mypkpassword</KeyPassword>
</RegistryKeyStore>

2. Change the catalina-server.xml in [Product_Home]/repository/conf/tomcat


This configuration resides under the Connector element for port 9443 (the HTTPS connector):

keystoreFile="${carbon.home}/repository/resources/security/mykeystore.jks"
keystorePass="mypkpassword"

3. Change the publisher.json in [Product_Home]/repository/deployment/server/jaggeryapps/publisher/config

You have to change this file in order to authenticate successfully to the Enterprise Store Publisher. If this configuration is not done you will not be able to log in to the Publisher. The identityAlias should be the alias you used when importing the PEM of your certificate into client-truststore.jks.

"authentication": {
    "activeMethod": "sso",
    "methods": {
        "sso": {
            "attributes": {
                "issuer": "publisher",
                "identityProviderURL": "%https.carbon.local.ip%/samlsso",
                "identityAlias": "mynewcert",
                "responseSigningEnabled": "true",
                "acs": "%https.host%/publisher/acs",
                "useTenantKey": false
            }
        }
    }
}

4. Change the store.json in [Product_Home]/repository/deployment/server/jaggeryapps/store/config


You have to change this file in order to authenticate successfully to the Enterprise Store Store. If this configuration is not done you will not be able to log in to the Store. The identityAlias should be the alias you used when importing the PEM of your certificate into client-truststore.jks.


"authentication": {
    "activeMethod": "sso",
    "methods": {
        "sso": {
            "attributes": {
                "issuer": "store",
                "identityProviderURL": "%https.carbon.local.ip%/samlsso",
                "identityAlias": "mynewcert",
                "responseSigningEnabled": "true",
                "acs": "%https.host%/store/acs",
                "useTenantKey": false
            }
        }
    }
},

That's it! Now the new key store is installed into WSO2 Enterprise Store. If configurations have changed, you can locate all the configuration files that reference keystores with the grep command as follows:

Open a command prompt and navigate to the <PRODUCT_HOME>/repository/conf/ directory where your product stores all configuration files.
 
Execute the following command: grep -nr ".jks" .

The configuration files and the keystore files referred to in each file will be listed. You can check what files you have not configured to point to the new key store.
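
As an added example (not part of the original post), the script below automates the grep check above: it lists every .jks reference under the conf directory and reports the ones that still point somewhere other than the new key store. The miniature conf tree it builds is constructed for the demonstration; mykeystore.jks and client-truststore.jks come from the post, while oldkeystore.jks is a made-up name for a stale reference.

```python
"""Find configuration files that still reference a key store other than the
new one, automating the grep -nr ".jks" check above.

Added example, not from the original post.  The conf layout and file contents
in make_sample_conf are constructed; mykeystore.jks and client-truststore.jks
come from the post, oldkeystore.jks is a made-up name for a stale reference.
"""
import os
import re
import tempfile
from typing import List, Tuple

# A path-like token ending in .jks, e.g. ${carbon.home}/.../mykeystore.jks
JKS_REF = re.compile(r"[\w./${}\\-]+\.jks")

Hit = Tuple[str, int, str]  # (file relative to conf dir, line number, .jks path)


def find_keystore_refs(conf_dir: str) -> List[Hit]:
    """Structured equivalent of `grep -nr ".jks" .` run inside conf_dir."""
    hits: List[Hit] = []
    for root, _dirs, files in os.walk(conf_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, conf_dir).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for match in JKS_REF.finditer(line):
                        hits.append((rel, lineno, match.group(0)))
    return hits


def stale_refs(conf_dir: str, new_keystore: str,
               trust_stores: Tuple[str, ...] = ("client-truststore.jks",)) -> List[Hit]:
    """Keep only references that name neither the new key store nor a trust
    store the post leaves in place (the new certificate is imported into it)."""
    return [hit for hit in find_keystore_refs(conf_dir)
            if os.path.basename(hit[2]) not in (new_keystore, *trust_stores)]


# Constructed sample files: carbon.xml already updated, catalina-server.xml not.
CARBON_XML = """<KeyStore>
    <Location>${carbon.home}/repository/resources/security/mykeystore.jks</Location>
</KeyStore>
<TrustStore>
    <Location>${carbon.home}/repository/resources/security/client-truststore.jks</Location>
</TrustStore>
"""
CATALINA_XML = 'keystoreFile="${carbon.home}/repository/resources/security/oldkeystore.jks"\n'


def make_sample_conf(base_dir: str) -> str:
    """Write a miniature [Product_Home]/repository/conf tree and return its path."""
    conf = os.path.join(base_dir, "repository", "conf")
    os.makedirs(os.path.join(conf, "tomcat"))
    with open(os.path.join(conf, "carbon.xml"), "w", encoding="utf-8") as fh:
        fh.write(CARBON_XML)
    with open(os.path.join(conf, "tomcat", "catalina-server.xml"), "w",
              encoding="utf-8") as fh:
        fh.write(CATALINA_XML)
    return conf


def demo() -> List[Hit]:
    """Build the constructed conf tree in a temp dir and report stale references."""
    with tempfile.TemporaryDirectory() as tmp:
        return stale_refs(make_sample_conf(tmp), "mykeystore.jks")


if __name__ == "__main__":
    for rel, lineno, ref in demo():
        print(f"{rel}:{lineno}: still points to {ref}")
```

Run it against a real installation by calling stale_refs("<PRODUCT_HOME>/repository/conf", "mykeystore.jks") instead of demo().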





How to Enable Email as Username for WSO2 Products (Email Authentication)


At present most people prefer to use their email as their username for any login, since it's easier to remember the email than several non-email usernames. In this post my aim is to cover how to enable email as username (email authentication) for WSO2 products.

To enable email as username / email authentication, the following steps should be followed:

1. Enable Email Authentication in carbon.xml


You have to go to [Product_Home]/repository/conf/carbon.xml and enable email authentication as follows:

<EnableEmailUserName>true</EnableEmailUserName>


2. Provide the correct regular expression to allow email addresses for the user store via user-mgt.xml


You can find user-mgt.xml in the [Product_Home]/repository/conf directory.

<Property name="UsernameJavaRegEx">[a-zA-Z0-9@._-|//]{3,30}$</Property>

3. Create the Admin user with an Email address in user-mgt.xml


<AdminUser>
    <UserName>admin@wso2.com</UserName>
    <Password>admin</Password>
</AdminUser>


Now you can log in as admin@wso2.com and create users using email as username.

The above few steps will enable email authentication. If you want to allow both email as username and normal authentication, you just have to add the following line to your user store configuration (JDBC user store / LDAP / Active Directory):

<Property name="UsernameWithEmailJavaScriptRegEx">[a-zA-Z0-9@._-|//]{3,30}$</Property>

That's it!! 


Saturday, June 27, 2015

How to Create an Asset Type and attach a Life Cycle to that Asset Type for WSO2 Enterprise Store


Creating an Asset Type

By default some asset types are added to WSO2 Enterprise Store (ES). If you want to add your own asset type, here are the steps you need to follow.

Steps :
1. Create an RXT definition for the asset type.
2. Add the RXT to ES, so that ES can work with that asset type.
3. Attach the created asset type with a life cycle.


Creating an RXT definition


Here the asset type I want to add is a mobile app, so I'll create an RXT definition for it called mobileapp.rxt.

Following is the mobileapp.rxt :


In the RXT definition you can define all the fields you want to see in the UI when adding an asset of that type, and you can make a field required or read-only, etc., from the RXT definition.

After creating the RXT definition next is to add the RXT to ES.

Add the RXT to ES

You just have to go to {ES_HOME}/repository/resources/rxts and add the created RXT definition to the directory specified.

After adding the RXT, restart the ES to see the asset type added as an asset type for the ES Publisher/Store/Admin console. When you log in to the ES as admin you will be able to see the created asset type Mobile App.

Attach the created asset type to a life cycle


As soon as you add an RXT and restart, your asset type will be assigned the default life cycle. The life cycle has the permissions defined for asset add/update/delete operations. If you want to add a customized life cycle, follow these steps.

You can see the life cycles already added at this path: [ES_HOME]\repository\deployment\server\jaggeryapps\publisher\extensions\lifecycles

So if you want to attach MobileAppLifeCycle to the asset type, follow these steps:

1. Create a mobileapp folder in the following location:
[ES_HOME]\repository\deployment\server\jaggeryapps\publisher\extensions\assets

2. Create an asset.js file and define the configure callback as follows:



Here I've attached the mobileapp asset type to MobileAppLifeCycle. After you save the file, restart the ES in order for the changes to take effect.



The default life cycle for all asset types is defined in [ES_HOME]\repository\deployment\server\jaggeryapps\publisher\extensions\assets\default\asset.js


Until you do the above configurations and change the asset life cycle for your created asset type, the default one will be assigned.

Saturday, June 20, 2015

How to Create an Axis2 Web Service with the Eclipse IDE

Apache defines Axis2 as a Web Service / SOAP / WSDL engine, the successor to the widely used Apache Axis SOAP stack. My aim is to describe how to create an Axis2 web service using the Eclipse IDE on Windows.


Prerequisites 


  • You should have Java installed, with PATH, JAVA_HOME and JRE_HOME set correctly
  • You should have Apache Tomcat and Axis2 downloaded and extracted
  • You should have the Eclipse Java EE IDE installed


Let's start the web service development


First let's add the Tomcat runtime environment to Eclipse. Go to Window->Preferences, then select Server on the left hand side. Under that you can see Runtime Environments; click Add. You will see an interface similar to Figure 1.


Figure 1

Select Apache Tomcat v7.0 and click Next. Then you will see an interface similar to Figure 2. Click on the Browse button and select the extracted Apache Tomcat 7 folder. Then click Finish.


Figure 2

Then you can see the added environment as in Figure 3.

Figure 3

Then you need to add the Axis2 path to the Eclipse preferences. Again go to Window->Preferences, click on Web Services and then select Axis2 Preferences. Click on the Browse button and select the extracted Axis2 folder path (Figure 4).

Figure 4

Step 1 : Create Dynamic web project

Click on File->New->Other and you will see an interface like Figure 5. Type Dynamic in the wizard input field and select Dynamic Web Project. Then click Next.

Figure 5

Then add a project name as you prefer. I'll use SampleWebService as the project name (Figure 6). Then change the Dynamic web module version to 2.5 and click on the Modify button under Configuration. Select Axis2 Web Services and click OK > Next > Finish.

Figure 6

Step 2: Create Web service class

Then we have to write the service class that has the method we want to expose as a service. In my example I'll write a simple method to multiply two numbers that are passed as parameters.

Figure 7

Right click on the project you created and select New->Other. Then type service in the wizard's input box as in Figure 8 and select Web Service to mark the class you created as a web service.

Figure 8

Then you will see an interface similar to Figure 9. Give a service name as you prefer and then click on Web Service runtime: Apache Axis.

Figure 9

Then change the Web Service runtime to Apache Axis2. Click Next, and in the next interface make sure to select the Generate a default services.xml file option.

Then click the Next button, and in the next interface click the Start Server button as shown in Figure 10. Then click the Finish button.

Figure 10

After you finish you can see a log similar to the following :

Figure 11

As shown in Figure 11 you can find the port your service runs on. In my example it runs on port 8080 (circled in Figure 11). Then you can access the web service you have just created by going to the following link.
http://localhost:8080/SampleWebService/services/listServices

Figure 12

Click on the service class name and you will be able to access the WSDL file.

Step 3 : Create Axis Archive file


Now we have already run the web service, but we haven't created the Axis Archive file from it. To create the Axis archive, go to the following path on the command line: YourProjectNamePath\WebContent\WEB-INF\services\ServiceYouCreated. Then enter the following command.

jar cvf FirstService.aar com META-INF

Then you will see that the FirstService.aar file has been created in your folder location.

Now let's deploy the Axis2.war file into Tomcat. Copy the Axis2.war file into the webapps folder of Apache Tomcat. Then go to the bin folder of the Apache Tomcat installation directory from the command prompt and run startup.bat. Please note that at this point you have to set JAVA_HOME and JRE_HOME correctly in the Environment Variables.

Then you'll be able to access http://localhost:8080/axis2/ and see an interface similar to Figure 13.

Figure 13

Then click on Administrator. Enter the user name and password (the default username is admin and the password is axis2). Click on Upload Service at the top left of the page and upload the .aar file that was created earlier.

Then go to the Available Services section and you will see your service as in Figure 14. You can click on the web service you created and access the WSDL link.


Figure 14

Step 4 : Create Web service Client


Then we have to create the client stub class which we can use to access the web service methods. Right click on the project, then New->Other, then select Web Service Client (Figure 15).

Figure 15

In the interface, under Service definition, give the WSDL path (for my project it's http://localhost:8080/SampleWebService/services/FirstService?wsdl ), then click on Web Service Runtime and select Axis2. Then click Next (Figure 16).

Figure 16

In the next interface you can provide a package name for the class that is going to be generated. Then click Finish.



Figure 17

Then create a Java project (File->New->Other > Java Project) and copy the client stub class into that project. Then write a sample test class to run the web service client.

package it.com.clientapp;

import java.rmi.RemoteException;

import org.apache.axis2.AxisFault;

import it.com.clientstub.FirstServiceStub;
import it.com.clientstub.FirstServiceStub.MultyTwoNumber;
import it.com.clientstub.FirstServiceStub.MultyTwoNumberResponse;

public class TestWebService {
    public static void main(String[] args) {
        try {
            // The generated stub defaults to the endpoint of the WSDL it was built from
            FirstServiceStub stub = new FirstServiceStub();

            // Request wrapper carrying the two numbers to multiply
            MultyTwoNumber num = new MultyTwoNumber();
            num.setNum1(10);
            num.setNum2(16.2);

            // Invoke the service and unwrap the result
            MultyTwoNumberResponse response = stub.multyTwoNumber(num);
            double returnVal = response.get_return();
            System.out.println("Client values are : " + 10 + " x " + 16.2);
            System.out.println("Server returns " + returnVal);
        } catch (AxisFault e) {
            // Axis2-specific fault, e.g. a SOAP fault returned by the service
            e.printStackTrace();
        } catch (RemoteException e) {
            // Transport-level failure reaching the service
            e.printStackTrace();
        }
    }
}

Then right click on the class and choose Run As -> Java Application. You will see this client application call the service method and print the returned output.



This is a simple two-number multiplication service implementation, and you can implement your own service logic with different kinds of parameters to the service.

Sunday, June 14, 2015

Configuring Single Sign-on with SAML 2.0 for WSO2 Enterprise Store

Basic Overview of SAML 2.0 SSO with IS 5.0.0


My aim is to explain a simple SAML 2.0 Single Sign-on (SSO) scenario with Identity Server 5.0.0 and Enterprise Store 2.0.0. The Enterprise Store consists of a Publisher web site and a Store web site. The scenario is to enable SSO to the Publisher and Store with Identity Server 5.0.0, where IS provides SAML2 Web Browser SSO, acting as the Identity Provider for these two Service Providers.





The diagram depicts the use case of the scenario described above, where we need to enable SSO to the ES Publisher and Store via the WSO2 Identity Server. In this use case both the ES Publisher and ES Store are the service providers and IS is the identity provider.

For SSO to work, both the Publisher and Store are registered as trusted service providers in the Identity Server. Both the Publisher and Store implement SAML 2.0 SSO and talk to the Identity Server via the assertion consumer URL defined in the publisher and store configuration files.


Step by Step approach of the visual Scenario 


1. The user tries to enter the Publisher and Store via the corresponding URLs.
2. SAML 2.0 SSO is configured for both the Publisher and Store as service providers in the Identity Server.
3. When the user hits the Publisher or Store URL, the user is directed to the IS login.
4. The user enters the login credentials (Note - here both IS and ES should point to one common user database/AD/LDAP etc.).
5. If the user exists, the login will be successful.

The Actual Configurations for SSO and How to Get it Working


Prerequisites :

Identity Server 5.0.0 (Download : http://wso2.com/products/identity-server/)
Enterprise Store (Download : http://wso2.com/products/enterprise-store/)

Configurations for both ES and IS to point to a common User database/store.


1. Create a MySQL database (e.g., 410_ustore) and run the <ES_HOME>/dbscripts/mysql.sql script on it to create the required tables.
2. Open the <ES_HOME>/repository/conf/datasources/master-datasources.xml file and add the datasource configuration for the database that you use for the shared user store and user management information. For example,


3. Open the <ES_HOME>/repository/conf/user-mgt.xml file and point to jdbc/ustore.
<Property name="dataSource">jdbc/ustore</Property>
Note - ES has the JDBC user store as the default user store, so in the same file the JDBCUserStoreManager will already be uncommented. Leave it as it is.

4. Open the <IS_HOME>/repository/conf/datasources/master-datasources.xml file and add the USTORE datasource that you added to ES above. Now both IS and ES point to the same database.

5. Open <IS_HOME>/repository/conf/user-mgt.xml and point to jdbc/ustore
<Property name="dataSource">jdbc/ustore</Property>
Note - IS has the LDAP user store as the default user store, so you have to comment out the LDAP configuration and uncomment the JDBC user store in the same file. Then both ES and IS will access one common user store.

6. Open <IS_HOME>/repository/conf/embedded-ldap.xml and disable the embedded ldap by setting  <Property name="enable">false</Property> within <EmbeddedLDAP> tags.


Now both ES and IS will be pointing to one common user store.


Now Let's Register the Publisher and Store as Service Providers in IS


1. Start the IS pack
2. Go to IS Management Console > Main > Service Providers > Add
3. Give a unique name for service provider and click Register
4. Click on Inbound Authentication Configuration > SAML2 Web SSO Configuration > Configure
5. Fill in the details as follows for the publisher


Note - The Assertion Consumer URL has my local machine's IP address. Configure it with your correct IP address. My ES is running on port 9444, for which I have set the offset to 1; this will be done in a later step.

6. Fill in the details as follows for the store


Now the Service Providers are successfully registered.

Now Let's Do the Configurations for ES to Enable SSO

Publisher Configurations

1. Open <ES_HOME>/repository/conf/carbon.xml and change the offset to 1
2. Open <ES_HOME>/repository/deployment/server/jaggeryapps/publisher/publisher.json and change the values as follows :
"sso": {
    "attributes": {
        "issuer": "publisher",
        "identityProviderURL": "https://10.100.7.57:9443/samlsso",
        "keyStorePassword": "wso2carbon",
        "identityAlias": "wso2carbon",
        "responseSigningEnabled": "true",
        "acs": "%https.host%/publisher/acs",
        "keyStoreName": "/repository/resources/security/wso2carbon.jks"
    }
}

Here the identityProviderURL points to the IS, and the issuer is given as publisher because when we added the service provider for the publisher we gave the issuer as publisher. Both must be the same.
3. Open <ES_HOME>/repository/deployment/server/jaggeryapps/store/store.json and change the values as follows :
"sso": {
    "attributes": {
        "issuer": "store",
        "identityProviderURL": "https://10.100.7.57:9443/samlsso",
        "keyStorePassword": "wso2carbon",
        "identityAlias": "wso2carbon",
        "responseSigningEnabled": "true",
        "acs": "%https.host%/store/acs",
        "keyStoreName": "/repository/resources/security/wso2carbon.jks"
    }
}

Here also the identityProviderURL points to the IS, and the issuer is given as store because when we added the service provider for the store we gave the issuer as store. Both must be the same.

Now We are Done with the Configurations!!

Start the ES pack and open a browser. Hit the Publisher URL; you should be directed to the IS login. Enter admin/admin as username/password and sign in. The same applies to the Store.

Following is the IS login page that you will be directed to :



Hope this post is helpful. Any feedback is welcome!
