Running pytest in Jenkins

In this blog I will show how to run pytest in Jenkins. For the basic Jenkins setup for Python scripts, refer to my previous post (below). pytest is a library, so it has to be installed on the Jenkins node first; I have added a requirements.txt file to the repository, and it is installed with the command “pip3 install -r requirements.txt”.

I have created a freestyle project which pulls the source code from Git and runs the tests. My git repo.

Under the Build section, select Execute Windows batch command. For the first build add “pip3 install -r requirements.txt”, so that the libraries get installed. After a successful run, replace that command with the following three lines (one command per line):

SET PATH=%PATH%;%Python_path%
dir
pytest -v -s

“dir” just lists the checked-out workspace so you can see in the console output what is being tested; “pytest -v -s” runs the tests verbosely without capturing their output. A safer habit than removing the install step is to keep it in every build and pin exact versions in requirements.txt: a fresh node or a silently upgraded dependency will then fail loudly instead of producing a build that passes for the wrong reasons.

Save the project and click on Build Now.
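The two batch commands above (install, then test) can also be wrapped in a small runner script that Jenkins calls with “python run_tests.py” after the SET PATH line. The script below is an added example, not part of the original post or my repository; it assumes a requirements.txt at the repository root and pytest-discoverable tests. It refuses to build unless every requirement is pinned with == and carries a --hash, installs with pip’s --require-hashes mode so a tampered package is rejected, and returns pytest’s exit code so Jenkins marks the build failed. Using sys.executable -m pip also removes the need to fiddle with PATH. The sample requirement texts are constructed for the demonstration (the hash is a placeholder).

```python
"""run_tests.py: a Jenkins build step that installs pinned dependencies and runs pytest.

Assumed layout: requirements.txt at the repo root, tests discoverable by pytest.
Jenkins marks the build failed when this script exits non-zero.
"""
import os
import re
import subprocess
import sys

# A pinned requirement looks like "name==1.2.3" (extras such as name[extra]==1.2.3 allowed).
PIN_RE = re.compile(r"^[A-Za-z0-9_.\-\[\]]+==\S+")

# Constructed sample requirement files used to show what the check accepts and rejects.
PINNED_OK = "pytest==7.4.0 \\\n    --hash=sha256:" + "0" * 64 + "\n"  # placeholder hash
PINNED_BAD = "requests\npytest==7.4.0\n"  # unpinned line, then a pinned line with no hash


def _logical_lines(text):
    """Join pip's backslash continuation lines so each requirement is one string."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield " ".join(buf).strip()
        buf = []
    if buf:
        yield " ".join(buf).strip()


def check_requirements_pinned(text):
    """Return a list of problems; an empty list means every requirement is pinned and hashed."""
    problems = []
    for line in _logical_lines(text):
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # comments and pip options (-r, -e, ...) are not checked here
        if not PIN_RE.match(line):
            problems.append("not pinned with ==: " + line)
        elif "--hash=" not in line:
            problems.append("no --hash= given: " + line)
    return problems


def pip_install_command(req_file):
    """Install into the interpreter running this script; no PATH juggling needed."""
    return [sys.executable, "-m", "pip", "install", "--require-hashes", "-r", req_file]


def pytest_command(junit_path):
    """Run pytest with a JUnit XML report that the Jenkins JUnit plugin can publish."""
    return [sys.executable, "-m", "pytest", "-v", "--junitxml", junit_path]


def main(req_file="requirements.txt", junit_path="reports/junit.xml"):
    with open(req_file, encoding="utf-8") as f:
        problems = check_requirements_pinned(f.read())
    if problems:
        print("refusing to build, requirements.txt is not fully pinned:")
        print("\n".join("  " + p for p in problems))
        return 2
    os.makedirs(os.path.dirname(junit_path) or ".", exist_ok=True)
    for cmd in (pip_install_command(req_file), pytest_command(junit_path)):
        print("+", " ".join(cmd))
        rc = subprocess.call(cmd)
        if rc != 0:
            return rc  # pytest returns 1 on test failures and 5 when no tests were collected
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Generate the hashes once with “pip hash” (or pip-compile --generate-hashes) and commit them with the pins; from then on the build only accepts exactly those artifacts.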

Running Python scripts in Jenkins

In this post I will show how to run Python scripts in Jenkins. For demo purposes I have installed Python and Jenkins on my local system.

Make sure you have installed the latest versions of Jenkins and Python on your system (local or cloud). I assume that you have already set up Jenkins.

Now navigate to Global Tool Configuration, which is under Manage Jenkins. Scroll down to the Python section and click Add Python.

Give the path of the Python installation there and save it.

Now go to the Jenkins dashboard and create a new job. Select Freestyle project.

Under Source Code Management select Git and add your repository URL. My repo

Under the Build section select Execute Windows batch command and add the command below to put Python on the PATH: “SET PATH=%PATH%;%Python_path%”.

Python_path is a variable I have set under Global properties > Environment variables (Manage Jenkins > Configure System). Change it to your own path.

Then add the command that runs the file, i.e. “python Trial.py”. Save it and click Build Now.

The project will get executed and you can check the console output.

Hope this information has helped you.

What is this Agent Smith? Is it related to The Matrix?

Recently a new piece of Android malware has been found, known as Agent Smith. It disguises itself as popular apps such as WhatsApp, Hotstar, JioTV, Flipkart and Opera Mini.

The infections have occurred mainly in India, Pakistan and other Asian countries; nearly 25 million Android devices have been affected.

Agent Smith relies on permissions that users blindly approve. The infected app renames itself to something that looks more “authentic”, like Google Updater or Google Themes, or something else with Google in the name.

It then injects its code into other popular apps installed on the phone, such as WhatsApp and Flipkart. That injected code is used to serve extra ads to the user, which is how the malware’s authors make money.

Now the question is how to detect it. In practice you cannot easily detect it from the device itself, but you can take precautions: install apps only from the Google Play Store, look at the permissions an app asks for, and check the permissions again when updating an app.

I know lots of users install apps from third-party sources. If you do, upload the APK to VirusTotal and scan it before installing: it is checked by 60-odd antivirus engines, and the results give you an idea of whether the app is safe.

For more details visit this link

A critical flaw in Zoom video conferencing:

If you are using Zoom video conferencing then you need to read this.

Why is Zoom used?

Zoom is a popular cloud-based meeting platform offering video, audio and screen sharing, and it is free.

Recently a flaw has been found that exposes your webcam: a malicious web page can force your machine into a meeting with the camera switched on. Because the local web server Zoom installs stays behind, this still works even after you uninstall Zoom from your device.

For more details and Zoom’s response to this issue, click on the link.

Are Android apps safe?

Many Android apps collect your data, such as messages, calls, location, media, etc. There is a setting where you can block these permissions per app. But is that sufficient?

Recently some applications were caught collecting this information even though you had denied them the permission.

Researchers have reported these apps and the bugs to Google. The bugs will be fixed once Android Q is rolled out. So until you receive the update from Google, turn off every app permission that the application does not actually need.

For more details visit this link

How to connect and deploy an application from a Docker container to an EC2 instance

In this article I will show how to build an Angular project in a Docker container (localhost) and deploy it to an Amazon EC2 instance.

I have made a video and uploaded it on YouTube. This is the written version of that walkthrough.

First, I took a base Ubuntu image in Docker, installed Angular, Node.js, the JDK and Jenkins, committed a new image and pushed it to my repository. After that I started a container from it with this command:

docker run -it -d -p 8095:8080 -p 81:80 -p 50000:50000 image_id

To get a shell inside the container:

docker exec -it container_id /bin/bash

Inside the container you are logged in as root. Run “service jenkins start”; you will get a message that Jenkins started with some PID. On macOS the Jenkins URL is localhost plus the port you mapped when you started the container; I mapped port 8095, so my URL is “localhost:8095”. On Windows (Docker Toolbox) the Jenkins URL is 192.168.99.100:port, because the Docker VM sits behind NAT.

Now create an EC2 instance running Ubuntu (any version; I am using 18.04) and log in to it. By default you will be the ubuntu user. Run “sudo apt-get update” to refresh the package lists, then install Apache on the instance:

“sudo apt-get install apache2 -y”

Once it is installed, run “sudo service apache2 start” to start the Apache service.

Now go back to your Docker container and switch to the jenkins user. (I created it with the “useradd jenkins” command and set a password with “passwd jenkins”.) To switch to it:

“su - jenkins”

Now run “ssh-keygen” and hit Enter until you get the message that the key has been created. The key pair is stored under the jenkins user’s home directory in .ssh/ (ssh-keygen prints the full path). View the public key with “cat ~/.ssh/id_rsa.pub” and copy it. Only the .pub file ever leaves the container; the private key stays there. Go to the EC2 instance, where you are logged in as ubuntu, and run “ls -la”; you will find the .ssh folder in your home directory. In that folder there is a file called authorized_keys: open it with “vi ~/.ssh/authorized_keys” and paste the public key you copied from the container (the file must stay mode 600, otherwise sshd ignores it). Once done, go back to your Docker container and run “ssh ubuntu@public-ip-address”. If everything works you will be welcomed as the ubuntu user inside the EC2 instance; run “exit” to close the SSH connection. Note that the instance’s security group must allow port 22 from the machine running the container, and it is best to allow only that address rather than 0.0.0.0/0.

Now go to your Jenkins URL and create a new job. Under Source Code Management select Git and add the repository; under the Build section select “Execute shell” and add these commands:

npm install
ng build
cd dist
tar -czvf new-name.tar.gz *
scp new-name.tar.gz ubuntu@public-ip-address:folder

Apply and save it, then click Build. The build is successful when the archive shows up in the target folder on the instance. Apache’s default document root on Ubuntu is /var/www/html, so extract the archive there for the app to be served.
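The tar-and-scp step above can be made a bit more robust, and safer, by pinning the instance’s SSH host key so the copy fails instead of silently trusting a new key. The script below is an added example for that build step, not code from the original post; it assumes “ng build” has already produced dist/, that the jenkins user’s key pair is in ~/.ssh/id_rsa, that the instance’s host key has been collected once with ssh-keyscan (and checked against the EC2 console’s system log) into ~/.ssh/known_hosts, and that the instance address is passed through an EC2_HOST environment variable set in the Jenkins job. The demo_tarball function builds a constructed dist/ tree in a temporary directory to show what ends up in the archive.

```python
"""deploy.py: package the Angular build output and copy it to the EC2 instance."""
import os
import subprocess
import sys
import tarfile
import tempfile

KEY_FILE = os.path.expanduser("~/.ssh/id_rsa")          # assumed: jenkins user's private key
KNOWN_HOSTS = os.path.expanduser("~/.ssh/known_hosts")  # assumed: pinned EC2 host key lives here


def make_tarball(dist_dir, out_path):
    """Archive the contents of dist/, leaving out VCS metadata and source maps."""
    with tarfile.open(out_path, "w:gz") as tar:
        for name in sorted(os.listdir(dist_dir)):
            if name == ".git" or name.endswith(".map"):
                continue  # never ship repository data or source maps to the web root
            tar.add(os.path.join(dist_dir, name), arcname=name)
    return out_path


def list_tarball(path):
    with tarfile.open(path, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers())


def scp_command(archive, host, user="ubuntu", remote_dir="/home/ubuntu/deploy"):
    """scp with the host key pinned: a man-in-the-middle presenting another key
    makes the command fail instead of prompting (BatchMode disables prompts)."""
    return ["scp", "-i", KEY_FILE,
            "-o", "StrictHostKeyChecking=yes",
            "-o", "UserKnownHostsFile=" + KNOWN_HOSTS,
            "-o", "BatchMode=yes",
            archive, f"{user}@{host}:{remote_dir}/"]


def demo_tarball():
    """Constructed dist/ tree in a temp directory; returns the archive's member names."""
    with tempfile.TemporaryDirectory() as tmp:
        dist = os.path.join(tmp, "dist")
        os.makedirs(os.path.join(dist, ".git"))
        for name, body in (("index.html", "<html></html>"),
                           ("main.js", "console.log(1)"),
                           ("main.js.map", "{}")):
            with open(os.path.join(dist, name), "w", encoding="utf-8") as f:
                f.write(body)
        return list_tarball(make_tarball(dist, os.path.join(tmp, "app.tar.gz")))


def main(dist_dir="dist"):
    host = os.environ["EC2_HOST"]  # assumed Jenkins environment variable
    archive = make_tarball(dist_dir, "app.tar.gz")
    cmd = scp_command(archive, host)
    print("+", " ".join(cmd))
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main())
```

In the job, replace the tar and scp lines with “python3 deploy.py”; npm install and ng build stay as they are.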


How to spot a scammer online

In this article I will show how to spot a scammer in the digital world (Quikr, Telegram). You must have read in the news about people losing their money on Quikr and Telegram.

First, what is a scam?

A scam is an attempt to defraud a person or group by gaining their confidence, so a person who does this is known as a scammer. I had heard that there were scammers on Quikr, and found one easily.

Here I have uploaded a chat with one of the scammers who was on Quikr. I live in Bengaluru, India, so I filtered the search to ads within Bengaluru. I was attracted by an ad where the seller was offering an iPhone X for 30K (INR). Now, who would sell an iPhone for such a low amount? Remember, scammers always sell high-budget products at a low price so that people will buy the product from them.

Screenshots:

Here the seller is from another country, but the ad says the seller is in Bengaluru. He is in a hurry, so I bargained down to 26K, which he accepted. Then he says that he will ship the product to me and that I need to pay half the amount in advance and the rest after the product is delivered. Then the seller calls me through a WhatsApp call, speaking in a Nigerian accent, and asks how fast I can pay the money. He sends his account details, which are from SBI (State Bank of India), and the number he is calling from is an international number. Now, how come a foreigner has an SBI account in India? Here you can see how scammers scam people in the name of a product. If I had gone ahead with the payment, he would have blocked me once I paid.

Moral of the story: always confirm whether the seller is actually in the same city, and chat with them, asking them to send more pictures of the device, the accessories and the invoice. If they insist on sending the product by courier and want payment in advance, they are scammers.

What is carding?

Carding is a term describing the trafficking of credit card, bank account and other personal information online, as well as related fraud services.

Many of these carders are on Telegram and Instagram, where they say they can get you any product for less. Many people fall for it and end up paying; once the carders get your money they simply block you. Since they accept payment through Paytm, PayPal, BTC or other e-wallets, it is very hard to trace them. Mark my words: never deal with carders or scammers, you will end up losing your money.

Note: this is for research purposes only. Never deal with scammers or carders.

Difference between Android and iOS:

1. Architecture:

iOS:

1. The iOS architecture has four layers: Cocoa Touch, Media, Core Services and Core OS.

Core OS:

This layer contains the low-level features on which the higher-level features are built. Though we may not use these services directly, they are used by the frameworks our applications are built on. We reach for this layer directly when we need to implement security features (the Security framework and Keychain live here) or communicate with an external hardware accessory.

Core Services layer:

This layer contains the basic system services for apps. Core Foundation and Foundation are its key frameworks, defining the basic types that all apps use; it also holds the technologies behind features like location, iCloud, social media and networking.

Media Layer:

This layer contains the graphics, audio, and video technologies you use to implement multimedia experiences in your apps. The technologies in this layer make it easy for you to build apps that look and sound great.

Cocoa Touch:

Cocoa Touch mainly contains the UI frameworks, historically implemented in Objective-C, an object-oriented language that compiles to native code yet has a truly dynamic runtime, which makes it uniquely flexible. Because Objective-C is a superset of C, it is easy to mix C and even C++ into your Cocoa Touch applications.

Android:

In Android there are mainly four layers: the Linux kernel, libraries and the Android runtime, the application framework, and applications.

Linux Kernel:

Android is built on a modified Linux kernel. This layer provides device drivers, memory management, process management and networking. Apps never program against this layer directly.

Libraries & Android runtime:

This layer contains native libraries. They are all written in C/C++ internally, but you’ll be calling them through Java interfaces. In this layer, you can find the Surface Manager (for compositing windows), 2D and 3D graphics, Media codecs (MPEG-4, H.264, MP3, etc.), the SQL database (SQLite), and a native web browser engine (WebKit).

Next is the Android runtime, originally the Dalvik virtual machine (replaced by ART from Android 5.0). Dalvik runs .dex files, which are converted at compile time from standard .class and .jar files. Dex files are more compact and efficient than class files, an important consideration for the memory-limited, battery-powered devices Android targets. The core Java libraries are also part of the runtime; they are written in Java, as is everything above this layer.

Application framework:

Parts of this toolkit are provided by Google and parts are extensions or services that you write. The most important component of the framework is the Activity Manager, which manages the lifecycle of applications and the common “back stack” for user navigation.

Application:

This is the top layer. Most of our code will live here, alongside built-in applications such as the Phone and Web Browser.

2. Security:

Studies have found that a far higher percentage of mobile malware targets Android than iOS, the software that runs Apple’s devices. That is down both to Android’s huge global popularity and to its open approach (sideloading and third-party app stores). Apple, in contrast, tightly controls which apps are available on its App Store, vetting every app to keep malware out.

Many threats to Android could be largely eliminated if all users upgraded their handsets to the latest version of the OS. The fragmentation of Android devices across old versions plays into the hands of malware creators, so it’s vital to keep your own devices up to date.

Apple has no similar problem, as each release of iOS quickly filters through to users. Indeed, iOS updates are big events that prompt mass upgrades, and that means significant security scares are rare enough to be big news when they occur. There are of course downsides to Apple’s tight grip over everything that occurs on its platform, but there’s no doubt it makes for a more secure environment for casual users.

The majority of smartphone users are on Android, so attackers target it first; Android phones are attacked more often because they are the bigger target and more often run outdated versions, not because the platform is inherently weaker. You might also have read articles about Google and Facebook collecting data; on Apple phones the exposure is smaller, though not zero.


OWASP top 10

OWASP stands for the Open Web Application Security Project. It aims to raise awareness about application security by identifying some of the most critical risks facing organizations.

The newly released list (OWASP Top 10 2017) is:

  1. Injection.
  2. Broken Authentication.
  3. Sensitive Data Exposure.
  6. XML External Entities (XXE).
  5. Broken Access Control.
  6. Security Misconfiguration.
  7. Cross-site Scripting (XSS).
  8. Insecure Deserialization.
  9. Using Components With Known Vulnerabilities.
  10. Insufficient Logging and Monitoring.

Injection:

Injection flaws, such as SQL, NoSQL, OS command and LDAP injection, occur when untrusted or unvalidated data is sent to an interpreter as part of a command or query.

Ex: SQL injection is the best-known attack in this class.

Mitigation:

1. Use a safe API, which avoids the use of the interpreter entirely or provides a parameterized interface (prepared statements).

2. Use whitelist (positive) server-side input validation. This is not a complete defense on its own, as many applications require special characters, for example in text areas or in APIs for mobile applications.

3. Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
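The three mitigations above, side by side with the flaw, as an added example that is not part of the original post. It uses Python’s sqlite3 module against a constructed in-memory table: find_user_vulnerable builds the query by string formatting, so a tautology payload returns every row; find_user_safe passes the value as a bound parameter and caps the result with LIMIT 1; valid_username is a whitelist check for the one field where a strict character set is acceptable. The payload string and the table rows are constructed for the demonstration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # whitelist for this particular field
PAYLOAD = "' OR '1'='1"  # classic tautology payload, constructed for the demo


def make_db():
    """In-memory users table with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany("INSERT INTO users(name, email) VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con


def find_user_vulnerable(con, name):
    """Query built by string interpolation: the interpreter sees the payload as SQL.
    With PAYLOAD the statement becomes  WHERE name = '' OR '1'='1'  and matches everyone."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def find_user_safe(con, name):
    """Parameterized query: the driver sends the value separately from the SQL text,
    so the payload is compared as a literal string and matches nothing. LIMIT 1 caps
    the damage should some other query on the page still be injectable."""
    return con.execute(
        "SELECT name, email FROM users WHERE name = ? LIMIT 1", (name,)
    ).fetchall()


def valid_username(name):
    """Positive validation for a field that legitimately never needs quotes or spaces."""
    return bool(USERNAME_RE.match(name))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))
    print("safe:      ", find_user_safe(db, PAYLOAD))
```

Note that sqlite3.execute refuses to run more than one statement, so a stacked “'; DROP TABLE users; --” payload fails here even in the vulnerable function; on MySQL or SQL Server drivers that allow multiple statements it would not.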

Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

Mitigation:

1. Implement multi-factor authentication to prevent automated credential stuffing, brute force and stolen-credential reuse attacks.

2. Do not ship or deploy with any default credentials, particularly for admin users.

3. Implement weak-password checks, such as testing new or changed passwords against a list of the most common (worst) passwords.
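An added example (not from the original post) of mitigations 1 and 3 in code, using only the Python standard library: a weak-password check against a common-password list, salted PBKDF2 hashing with a constant-time comparison, and a failed-login throttle that locks an account after repeated failures. The WORST_PASSWORDS set is a constructed excerpt; in production load a real list such as the SecLists “10k most common”. Multi-factor authentication itself is out of scope here; the throttle is the brute-force control this snippet demonstrates.

```python
import hashlib
import hmac
import os
import time

# Constructed excerpt of a common-password list (use a real list in production).
WORST_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein", "iloveyou", "admin"}
PBKDF2_ROUNDS = 100_000


def password_problems(password, username=""):
    """Return the reasons a new password is unacceptable; empty list means OK."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in WORST_PASSWORDS:
        problems.append("in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password, salt=None):
    """16-byte random salt followed by the PBKDF2-HMAC-SHA256 digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(stored, password):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Hash used for unknown users so that "no such user" costs the same time as a wrong password.
DUMMY_HASH = hash_password("dummy-password-for-timing-only")


class LoginThrottle:
    """Lock an account after max_failures failed attempts within a sliding window."""

    def __init__(self, max_failures=5, window=300):
        self.max_failures, self.window = max_failures, window
        self.failures = {}  # username -> timestamps of recent failures

    def locked(self, username, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.failures.get(username, []) if now - t < self.window]
        self.failures[username] = recent
        return len(recent) >= self.max_failures

    def record_failure(self, username, now=None):
        now = time.time() if now is None else now
        self.failures.setdefault(username, []).append(now)


def login(store, throttle, username, password, now=None):
    """True only for a correct password on an unlocked, existing account."""
    if throttle.locked(username, now):
        return False
    stored = store.get(username) or DUMMY_HASH
    ok = verify_password(stored, password) and username in store
    if not ok:
        throttle.record_failure(username, now)
    return ok
```

The `now` parameter exists so the window logic can be tested deterministically; in the application leave it at the default.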

Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data such as financial, healthcare and PII data. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and it requires special precautions when exchanged with the browser.

Mitigation:

1. Classify data processed, stored or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.

2. Apply controls as per the classification.

3. Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.

4. Make sure to encrypt all sensitive data at rest.

5. Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.

XML External Entities

Many older or poorly configured XML processors evaluate external entity references inside XML documents. External entities can be used to disclose internal files via the file URI handler, reach internal file shares, perform internal port scanning, execute code remotely and mount denial-of-service attacks.

Mitigation:

1. Implement positive (“whitelisting”) server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.

2. Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.

3. Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system.
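The most direct XXE mitigation, which OWASP also lists, is to disable DTD and external-entity processing in every parser. The added example below (not from the original post) does that fail-closed for Python’s xml.etree parser: because entities can only be declared inside a DOCTYPE, refusing any document that carries a DOCTYPE or ENTITY declaration removes external entities, parameter entities and entity-expansion DoS in one check, much like defusedxml’s forbid_dtd option; a size cap guards the rest. The XXE probe and the clean order document are constructed samples.

```python
import xml.etree.ElementTree as ET

MAX_XML_BYTES = 1 << 20  # 1 MiB cap: cheap guard against oversized or expansion-style inputs


class UnsafeXML(ValueError):
    pass


# Constructed XXE probe: on a parser that expands entities this would read /etc/passwd.
XXE_SAMPLE = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              b'<foo>&xxe;</foo>')
CLEAN_SAMPLE = b"<order><id>7</id><qty>2</qty></order>"


def parse_untrusted_xml(data):
    """Reject DTDs before the bytes reach the parser, then parse normally."""
    if len(data) > MAX_XML_BYTES:
        raise UnsafeXML("document too large")
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise UnsafeXML("DTD / entity declarations are not allowed")
    return ET.fromstring(data)


def order_from_xml(data):
    """Schema-like positive validation on top: only the elements we expect, as ints."""
    root = parse_untrusted_xml(data)
    if root.tag != "order":
        raise UnsafeXML("unexpected root element")
    return {"id": int(root.findtext("id")), "qty": int(root.findtext("qty"))}


def is_rejected(data):
    """Helper for the demonstration: True when the document is refused."""
    try:
        parse_untrusted_xml(data)
        return False
    except UnsafeXML:
        return True
```

The substring check can reject a document that merely mentions “<!DOCTYPE” inside a comment; that false positive is the safe direction, and legitimate API payloads should not contain DTDs anyway.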

Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers exploit these flaws to reach unauthorized functionality and/or data: accessing other users’ accounts, viewing sensitive files, modifying other users’ data, changing access rights, etc.

Mitigation:

1. With the exception of public resources, deny by default.

2. Implement access control mechanisms once and re-use them throughout the application, including minimizing CORS usage.

3. Access control models should enforce record ownership, rather than accepting that the user can create, read, update or delete any record.

4. Unique application business limit requirements should be enforced by domain models.

5. Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots.

6. Log access control failures, alert admins when appropriate (e.g. repeated failures).
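Mitigations 1, 2, 3 and 6 above in one small piece of code, as an added example that is not part of the original post: a single AccessController that denies by default, enforces record ownership, logs every denial and records an alert after repeated failures from the same user, plus a handler that consults it. The users and records are constructed data; the alert list stands in for whatever paging or SIEM hook a real system would call.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")


@dataclass
class User:
    id: int
    role: str = "user"


@dataclass
class Record:
    id: int
    owner_id: int
    body: str = ""


class AccessController:
    """Deny-by-default checks, written once and reused by every handler."""

    def __init__(self, alert_after=3):
        self.alert_after = alert_after
        self.denials = {}  # user id -> number of denied requests
        self.alerts = []   # user ids flagged for repeated failures

    def check(self, user, action, record):
        allowed = False
        if user.role == "admin":
            allowed = True
        elif action in ("read", "update", "delete") and record.owner_id == user.id:
            allowed = True  # record ownership, not merely "any logged-in user"
        if not allowed:
            self._deny(user, action, record)
        return True

    def _deny(self, user, action, record):
        n = self.denials.get(user.id, 0) + 1
        self.denials[user.id] = n
        log.warning("denied user=%s action=%s record=%s", user.id, action, record.id)
        if n == self.alert_after:
            self.alerts.append(user.id)  # alerting hook for repeated failures
        raise PermissionError(f"user {user.id} may not {action} record {record.id}")


# Constructed data store: alice (id 10) owns record 1, bob (id 20) owns record 2.
RECORDS = {1: Record(1, owner_id=10, body="alice's note"),
           2: Record(2, owner_id=20, body="bob's note")}


def get_record(ac, user, record_id):
    """Handler: the record id from the request is never treated as proof of access (IDOR)."""
    record = RECORDS.get(record_id)
    if record is None:
        # Same error as a forbidden record, so ids cannot be enumerated.
        raise PermissionError(f"user {user.id} may not read record {record_id}")
    ac.check(user, "read", record)
    return record.body


def try_read(ac, user, record_id):
    """Helper for the demonstration: the body, or None when access is denied."""
    try:
        return get_record(ac, user, record_id)
    except PermissionError:
        return None
```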

Security Misconfiguration

It is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

Mitigation:

1. A minimal platform without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.

2. An automated process to verify the effectiveness of the configurations and settings in all environments.

3. A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment.

Cross-site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites or redirect the user to malicious sites.

Mitigation:

1. Use frameworks that automatically escape XSS by design, such as the latest Ruby on Rails or React. Learn the limitations of each framework’s XSS protection and handle the use cases it does not cover.

2. Escape untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS or URL); this resolves reflected and stored XSS vulnerabilities.
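Mitigation 2 says “based on the context”, and the added example below (not from the original post) shows why one escaping function is not enough: the same string needs HTML escaping in the body and in a quoted attribute, JSON encoding with angle brackets escaped inside a script block (so a value containing “</script>” cannot close the block), and a scheme check before it is used as a link target. Only Python’s html, json and urllib modules are used; the payload strings are constructed probes.

```python
import html
import json
from urllib.parse import urlsplit

PAYLOAD = '"><script>alert(document.cookie)</script>'  # constructed reflected-XSS probe


def render_comment_vulnerable(text):
    return f'<p class="comment">{text}</p>'  # raw interpolation into the HTML body


def render_comment(text):
    """HTML body context: escape < > & and quotes."""
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


def render_title_attr(text):
    """Attribute context: always quote the attribute and escape the quote characters."""
    return f'<span title="{html.escape(text, quote=True)}">...</span>'


def render_js_config(value):
    """JavaScript context: JSON-encode, then escape < > & so no string value can
    contain a literal '</script>' that would terminate the block early."""
    js = json.dumps(value)
    js = js.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return f"<script>var cfg = {js};</script>"


def safe_href(url):
    """URL context: allow only http(s) links, then attribute-escape. 'javascript:'
    and 'data:' URLs are replaced with a harmless '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)
```

Escaping is applied at output time, in the template, not when the data is stored: the same comment may be rendered into several contexts, and each one needs its own encoding.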

Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

Mitigation:

1. Monitor deserialization and alert if a user deserializes constantly.

2. Implementing integrity checks such as digital signatures on any serialized objects to prevent hostile object creation or data tampering.
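Mitigation 2 in code, as an added example that is not part of the original post: serialized state (a session or a “remember me” cookie, say) is kept as plain JSON, which carries data but no code, and is signed with an HMAC over the exact bytes that will later be parsed. Deserialization verifies the tag before anything is parsed; pickle is never used, because unpickling attacker-controlled bytes executes code. forge_payload shows the tampering attempt the signature defeats. The key is a constructed demo value.

```python
import base64
import binascii
import hashlib
import hmac
import json

KEY = b"constructed-demo-key; real keys come from a secret store"


class BadToken(ValueError):
    pass


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def serialize(obj, key=KEY):
    """JSON payload plus HMAC-SHA256 tag, both URL-safe base64: '<payload>.<tag>'."""
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def deserialize(token, key=KEY):
    """Verify first, parse second: untrusted bytes never reach json.loads unverified."""
    try:
        p64, t64 = token.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, binascii.Error):
        raise BadToken("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise BadToken("signature mismatch")
    return json.loads(payload)


def forge_payload(token, new_obj):
    """What an attacker tries: swap the payload but keep the old tag."""
    _, t64 = token.split(".")
    payload = json.dumps(new_obj, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + t64


def load_or_none(token, key=KEY):
    """Helper for the demonstration: the object, or None if the token is rejected."""
    try:
        return deserialize(token, key)
    except BadToken:
        return None
```

The signature proves integrity, not secrecy: anyone can base64-decode the payload, so keep secrets out of it or encrypt it as well.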

Using Components With Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.

Mitigation:

1. Remove unused dependencies, unnecessary features, components, files, and documentation.

2. Only obtain components from official sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component.

Insufficient Logging and Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.

Mitigation:

1. Ensure that logs are generated in a format that can be easily consumed by a centralized log management solution.

2. Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
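Both mitigations above in one added example (not from the original post): an append-only audit log written as JSON Lines, which any central log collector can ingest, where every entry commits to the hash of the previous one. Editing, reordering or deleting an entry in the middle then fails verification; truncation at the tail is caught when the current head hash is compared against a copy kept somewhere the application cannot write. The events appended in the test are constructed.

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # "previous hash" of the first entry


def hash_entry(entry):
    """SHA-256 over the canonical JSON of the entry without its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Hash-chained, append-only audit trail. There is deliberately no delete method."""

    def __init__(self):
        self.entries = []
        self.head = GENESIS  # copy this value off-host after each append

    def append(self, event):
        entry = {**event, "ts": time.time(), "prev": self.head}
        entry["hash"] = hash_entry(entry)
        self.entries.append(entry)
        self.head = entry["hash"]
        return entry

    def to_jsonl(self):
        """One JSON object per line: the format central log tooling consumes."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def verify_chain(entries, expected_head=None):
    """True when every entry links to its predecessor and its hash matches; with an
    expected_head from trusted storage, also when nothing was removed from the tail."""
    prev = GENESIS
    for e in entries:
        if e.get("prev") != prev or hash_entry(e) != e.get("hash"):
            return False
        prev = e["hash"]
    return expected_head is None or prev == expected_head
```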

For more details, visit the official website 

What happens when you sleep

Recently you must have read or heard about Google collecting your data even when you are not using their apps. You will be amazed at how data can be collected without your knowledge. In this blog I show how data is collected, using a minimal lab setup.

Lab Setup:
1. I installed a free proxy server (JanaServer) on my laptop and started it.
Link to download the software here.
Note: if the link is not working, Google “JanaServer download” and get it from the vendor’s website.

2. Go to the IP address section.

3. After clicking IP address you will be directed to a new page. Enter your laptop’s/system’s IP address there. To find it, open a command prompt and run ipconfig; the IPv4 address shown is your IP address.

4. After setting the IP address go to the Ports section. Enable the port functions you want and then click Submit.

5. The proxy server setup is now done. To check the port number used by each function, scroll down.

6. On your mobile:

a. Go to Settings -> Wi-Fi -> On -> select your Wi-Fi network and long-press its name.

b. It will give you options such as Forget network and Modify network.

c. Select Modify network -> Proxy -> Manual, and enter your laptop’s IP address (192.168.225.62 in my case) and the port number (3128) from the server’s settings. Here 3128 is the HTTP proxy port.

d. Now save the settings.

e. Open google.com or any other website to check whether the proxy is working.

f. Change the proxy port to some random value and refresh the page. If it says a problem occurred, your proxy setup is working fine (the phone’s traffic really is going through the proxy).

g. Change the proxy port back to the previous one.

7. After the proxy setup, I browsed on the phone from 6.10 PM to 6.13 PM.
8. Then I kept the phone idle from 6.14 PM to 6.21 PM.
9. After a while I went to the proxy server’s log file, which is created under the name “proxy.log”.

10. Going through the log file, I could see how much data was being sent by the apps installed on my phone while it sat idle.

I have attached the “proxy.log” file; you can check it here: Proxy_log.
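Reading a proxy log by hand gets tedious, so here is an added example (not from the original post, and not JanaServer’s own format) that does step 10 programmatically: it parses constructed log lines in a generic “date time client method target status” layout, keeps only the requests from the idle window and counts them per host. Adjust parse_line to the column layout of whatever proxy you use. One caveat the log itself makes visible: for HTTPS the proxy only sees a CONNECT to host:port, not the URL or the payload. Seeing inside that traffic needs a TLS-intercepting proxy with its CA certificate installed on the phone, and apps that pin their certificates will refuse to connect through it.

```python
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed lines in a generic layout: date time client method target status.
# Real proxy logs (JanaServer, Squid, ...) differ; adapt parse_line accordingly.
SAMPLE_LOG = """\
2019-07-20 18:11:02 192.168.225.40 GET http://www.google.com/search?q=proxy 200
2019-07-20 18:12:47 192.168.225.40 CONNECT en.wikipedia.org:443 200
2019-07-20 18:15:09 192.168.225.40 CONNECT analytics.example.com:443 200
2019-07-20 18:16:33 192.168.225.40 POST http://ads.example.net/collect 200
2019-07-20 18:18:50 192.168.225.40 CONNECT analytics.example.com:443 200
2019-07-20 18:20:12 192.168.225.40 CONNECT api.weather.example.com:443 200
"""
IDLE_START, IDLE_END = "18:14:00", "18:21:59"  # the window in which the phone was untouched


def parse_line(line):
    """One log line -> dict, or None for blank/comment/differently shaped lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, tm, client, method, target, status = parts
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]  # HTTPS: only host:port is visible to the proxy
    else:
        host = urlsplit(target).hostname or target  # plain HTTP: the full URL is visible
    return {"when": datetime.strptime(date + " " + tm, "%Y-%m-%d %H:%M:%S"),
            "client": client, "method": method, "host": host, "status": status}


def entries_in_window(text, start, end):
    """Requests whose time of day falls within [start, end] (HH:MM:SS strings)."""
    out = []
    for line in text.splitlines():
        e = parse_line(line)
        if e and start <= e["when"].strftime("%H:%M:%S") <= end:
            out.append(e)
    return out


def hosts_by_count(entries):
    """(host, count) pairs, busiest first: the servers the idle phone talked to."""
    return Counter(e["host"] for e in entries).most_common()


if __name__ == "__main__":
    for host, n in hosts_by_count(entries_in_window(SAMPLE_LOG, IDLE_START, IDLE_END)):
        print(f"{n:3d}  {host}")
```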

Mitigation :

Turn off Wi-Fi and mobile data on your phone or tablet when you are not using it, so that your data is not sent to the servers of the applications you have installed. On Android you can also restrict background data per app, which stops the chatter without taking the whole device offline.

Now you know how much data is being collected even after you have closed the application.