Normally, installing a Python module and its dependencies is done via pip. If HTTPS is blocked in private networks, things might get tricky and you get the following message.
InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail.
To bypass this, you can issue the below command to trust pypi.python.org (note that --trusted-host makes pip skip certificate validation for that host, so use it only on a network you control)
$ pip install --trusted-host pypi.python.org Flask
To make sure that the needed module is installed, check it with
$ pip freeze
Git uses “Transfer-Encoding” in POST requests and some proxy servers do not support this encoding by default. When large files are pushed, the git client requires a higher http.postBuffer setting.
Increase the buffer size to see if the issue is related to it.
$ git config --global http.postBuffer 134217728
You get this message when the system is behind a firewall and the security certificates are blocked.
There are two ways to overcome this message and to enable a git pull or git clone.
i) Issue the below command from git bash
$ git config --global http.sslVerify false
ii) Add an http block to the “gitconfig” file to skip SSL verification
[http]
    sslVerify = false
WebScarab is a testing tool used for analysing application data that is passed between browsers and servers. It can be used to review and modify data at either end by intercepting HTTP and HTTPS traffic. This tool can also be used as a bandwidth simulator (slow/fast network), for session id analysis, spidering URLs, parameter analysis and many other testing schemes.
WebScarab is developed as an open source tool by The Open Web Application Security Project (OWASP) and can be downloaded from the OWASP website.
Points to consider before choosing the SSL certificate
i) Strength of the encryption offered by the certificates
ii) Browser compatibility or recognition of the certificates. A well known brand is recognized by most of the browsers in the market
iii) Whether the certificate offers backward compatibility across browsers offering
iv) Whether the Certification Authority (CA) is a Trusted Root or whether it uses Chained Root Certificates.
v) Which web server will be used for SSL installation. Chained root certificates may be a little complicated on some web servers.
vi) Nature of the application that will be served over SSL, depending on the volume of the transactions and the value of each transaction
vii) Warranty offered by the certificate (if that matters, which it most certainly does when it comes to e-commerce products)
Have you ever come across a situation where you need to pass data from HTTPS to HTTP controlled web pages? If you have, you will have noticed that the header values, especially the REFERER value, become empty. The reason is that browsers consider it unsafe to leak data from a security controlled HTTPS page to a non-secure site serving HTTP content.
This is one of the key points to remember if you are involved in integrating applications.
Solution(s) to the above scenario
i) Transfer data between HTTPS pages instead
ii) Pass GET data as query string values
iii) Programmatically handle the session across the two sites behind the scenes, either by storing a cookie or through database controllers
Some of the tools that come in handy for checking the header values are FireBug, Live HTTP Headers and the HTTP Watch plugin.
In order to install SSL certificates on your Apache server, you need to generate a key pair and a CSR (certificate signing request) as the first step. The following points will guide you in the creation of the CSR file.
Once you finish generating the CSR file, you need to paste the content of the CSR file on to the SSL certificate request page in order for the certificate authority to start its verification process.
Command line prompts in a Linux box
Find where openssl is installed and navigate to that directory
$ whereis openssl
Mostly it will be at /usr/bin/. If it is in a different path, then navigate to that directory
$ cd /usr/bin
It is often advisable not to disclose more information than is necessary when web requests are made to the Apache server.
By default, Apache displays the version of the server, the modules loaded in the server and the version of PHP if PHP is configured with Apache.
In the httpd.conf file, set the following directives.
By default, ServerSignature is set to Off and ServerTokens is set to Full in most Linux distros.
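As an added example (not part of the original post), these are the two httpd.conf directives that limit what Apache discloses: ServerTokens Prod reduces the Server header to just “Apache”, and ServerSignature Off drops the version footer from server-generated pages such as error documents.

```apache
# Added example, not from the original post: restrict what the Server header
# and server-generated pages reveal about the installation.
ServerTokens Prod
ServerSignature Off
```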
Session Fixation is a method by which an intruder creates a session id which gets carried along when a user arrives via that path and continues his/her activity on a website.
For e.g. an intruder may create a link to a site called samplesite.com as <a href="http://samplesite.com/cart.php?PHPSESSID=Ax23mDud">Sample Site</a>
When a user clicks on this link the session id gets carried on to the site ‘samplesite.com’. The intruder waits for the user to start a transaction on the site and then takes over vital details by intruding on the user’s activity on samplesite.com.
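As an added example (not code from the original post), the two server-side defences against the scenario above, shown with a constructed in-memory session store: never adopt a session id the server did not issue, and rotate the id at login so an id known before authentication is worthless afterwards. The SessionStore class, fixation_attempt and the planted id Ax23mDud are assumptions for illustration.

```python
import secrets
import time


class SessionStore:
    """Constructed in-memory session table: server-issued id -> attributes.
    Assumption (not from the original post): the server keeps its own table of
    issued ids and refuses to adopt any id it did not issue ("strict mode")."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # 256 bits from the OS CSPRNG; an intruder cannot guess or pre-choose it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def resolve(self, client_sid):
        """Return a server-issued id for this request. An unknown id, such as
        PHPSESSID=Ax23mDud planted in a link, is discarded and a fresh id issued."""
        if client_sid in self._sessions:
            return client_sid
        return self.new_session()

    def login(self, client_sid, username):
        """Authenticate and rotate the id: whatever id was in play before login
        (planted or merely observed) stops resolving to the logged-in session."""
        old_sid = self.resolve(client_sid)
        data = self._sessions.pop(old_sid)
        data["user"] = username
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        """Who is logged in under this id, or None if the id is unknown."""
        return self._sessions.get(sid, {}).get("user")


def fixation_attempt(store, planted_sid="Ax23mDud"):
    """Replay the post's scenario: the victim follows a link carrying a planted
    id and logs in; the intruder then presents the planted id themselves.
    Returns (victim's real session id, what the intruder sees)."""
    victim_sid = store.login(planted_sid, "alice")
    intruder_view = store.user_for(planted_sid)
    return victim_sid, intruder_view
```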