How Do You Use Burp (the Burp Suite tools)?

Problem scenario
You want to test out Burp to verify your website is secure. What do you do?

Solution
1. We use the desktop GUI of Linux for this solution. Deploy Kali Linux (e.g., in Azure).

2. Run these commands on it if you are not connected to the GUI Desktop:

sudo apt -y update
sudo apt -y install xrdp
sudo service xrdp start

3.

How Do You Find which IAM Roles Your EC2 User Account Has?

Problem scenario
You want to see what IAM permissions a given Linux user on an EC2 instance has. You tried going to the AWS web console, but you were unable to find the user (e.g., ec2-user or ubuntu). How do you determine which roles the user is a member of?

Solution
From the OS, run this command:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access

What Are Some Ways to Prevent MITM Attacks or Other Session Exploitative Attacks with a Web Page That Uses JavaScript?

Problem scenario
You know that sessions of a JavaScript web application can be exploited in today’s world. This category of vulnerability stems from imperfections in authentication and is listed as the #2 biggest web application security risk as of June 2020 (according to OWASP). What are some techniques to stop such attacks from happening when designing a website that uses JavaScript?

Possible Solution #1
Ensure cookie information is passed using connections that leverage HTTPS (as paraphrased from page 23 of Node.js Security by Liran Tal).

How Do You Install and Configure OWASP ZAP?

Problem scenario
You want to install OWASP ZAP (aka Open Web Application Security Project’s Zed Attack Proxy). You want to test it out. How do you do this on Linux?

Solution
Note: It is advisable to only install ZAP on OSes that have JREs that have up-to-date patches with regular maintenance. If you need assistance installing the JRE, see this posting.

What is a Hacker?

Question
You have seen the word “hacker” appear in different contexts. You have seen it used to describe a cybercriminal. Moreover, some companies proudly claim that they employ no hackers and hire only trained software developers. In some articles the term hacker has a positive connotation. What is a hacker?

Answer
“Hacking tends to be a misunderstood topic, and the media likes to sensationalize,

What Are Some Ways to Prevent XSS Attacks with a Web Page That Uses JavaScript?

Problem scenario
You know that cross-site scripting (aka XSS) attacks are a big concern in today’s world. OWASP places XSS security risks as the seventh biggest web application risk as of June 2020. What are some techniques to stop such attacks from happening when designing a website that uses JavaScript?

Possible Solution #1
Have the HTML and JavaScript validate input and escape output consistently throughout the code.

How Do You Use a NACL in AWS?

Problem scenario
You have a VPC. You want a NACL to protect your VPC from hackers and other networks. What do you do?

Solution
Network ACLs are created by default when you create a VPC. They can be configured the same way Security Groups are configured in the AWS Console. Go to the VPC Dashboard -> Security -> Network ACLs. Click on the relevant Network ACL.

How Do You Troubleshoot Ansible Errors about SELinux?

Problem scenario
You have Python 3 installed, but you do not have pip3 installed. One of the following also applies to your situation:

Problem scenario #1
You run an Ansible playbook. You receive the error message “Aborting, target uses selinux but python bindings (libselinux-python) aren’t installed.”

Problem scenario #2
You run an Ansible playbook.

How Do You Get libselinux-python to Work with Python 3?

Problem scenario
You have Python 2 and Python 3 installed. When you run Python 3 programs, you get an error message about selinux. The message is consistent with libselinux-python not being installed.

When you enter the Python interpreter for Python 2, you can run this command without errors: import selinux

But when you enter the Python interpreter for Python 3 (e.g., python3), you get errors when you run this command: import selinux

Security of the server is not critical,

How Do You Troubleshoot the Adaware Antivirus Problem of “Definitions could not be updated”?

Problem scenario
You are using Adaware Antivirus. You try to download the latest definitions, but you get this error message: “Definitions could not be updated Something prevented the definitions from updating. Please try again at a later time.”

How do you update Adaware Antivirus?

Solution
Try a different internet connection. Some public WiFi spots may block certain ports. VPN tunnels may not help solve the problem.