Wednesday, August 26, 2015

So Much Good Information - Python Web Penetration Testing Cookbook!

I just finished reading "Python Web Penetration Testing Cookbook" by Cameron Buchanan et al. (pick it up at Packt or Amazon)
Overall an excellent read! Easy-to-follow scripts presented from the point of view of a hacker (including subtle remarks toward those who use these techniques for ill-fated purposes). Cameron presents an idea, shows the Python script and the corresponding page source that the script works against, then describes the script's steps, and then goes on to describe additional related things about the script. You could say that each script builds upon the others, but that's not totally true: the author makes sure they are really cut-and-paste recipes. He gives you the recipe and often a way to include it in a bigger, more comprehensive script that builds upon each step as the book progresses. Being a cookbook, there are plenty of code examples for you to try out. This is not a book about theory but rather implementation, so all the fluff is cut out and it gets right to the point.

The book also focuses most of the direct web page vulnerability testing (2-3 chapters) on PHP as the web pages' source. It would have been nice to have a corresponding discussion of ASPX, JSP, etc. There is some discussion of technology other than PHP, and I get that the book would probably have doubled in size if more common page sources were discussed, but it is something to think about when reading: create the same page in ASPX or JSP and test whether there is a similar vulnerability.

Don't worry though, there are plenty of scripts related to SQL injection, header processing, encryption, encoding, payloads, shells, and even how to report your findings. These items are not necessarily exclusive to a single technology, so you are not pigeonholed into testing only a certain type of website/server.

This book is not about learning Python, so if you're new to it and you really want to understand how to manipulate each recipe, then I suggest searching for a beginner Python book. That being said, most average-level programmers can understand the scripts presented without needing to reach for a Python book/video.

Having been in the industry for over 15 years, I've seen a lot of off-the-shelf tools that tout the ability to do this same thing just by running a program. I think knowing what it actually does is key to really understanding your vulnerabilities, rather than trusting someone else's process; after all, attack vectors change all the time, and with this information you can easily change your scripts.

In conclusion, this book is perfect for a web application developer wanting to test her application, or an IT person ready to see just how vulnerable their application is, all with the ability to report the findings to those who need to know where to plug the holes. This is a book I will be referring to during and after each project I work on.

Friday, July 31, 2015

WOW! I'm Very Impressed! - Stencyl Essentials

Just finished reading Stencyl Essentials by Richard Sneyd (pick it up at Packt or Amazon). I was a bit wary about yet another game creation tool that touted no coding necessary in order to create high quality games for iOS, Android, desktop, etc. So, I read this book and I'm happy to say that I'm very glad I did. Richard Sneyd has done an impressive job at creating a very fast, yet simple to grasp introduction and implementation of a full 2D side-scroller game. In particular, he gives detail where detail is appropriate in order to help the user understand the "why", and then lays out the "how" in very easy to understand terms. The detail does not come in a lot of vast technical explanations about the underlying system, but rather very well placed analogies that, in my opinion, really helped me understand the tools; after all, I think that's the whole point of the book (it gives you a well founded explanation of the essential ingredients in order to create a high quality and fun to play game). I had no idea Stencyl was such a powerful tool.
I highly recommend this book to anyone, beginner to expert. Though an expert game developer probably would not opt to use Stencyl since they would surely have their own framework set up already, this book really does a great job of convincing me to use Stencyl for some of my 2D games, and I will be using it. Thanks Richard!

Tuesday, July 28, 2015

Mastering Cocos2d Game Development - Great For Creating Your First Game Dev Pipeline

I just read "Mastering Cocos2d Game Development" and I was pleasantly surprised. (Get it at Packt or Amazon)
I'm impressed by the historical information the book gives you about other tools that are used to support a cocos2d pipeline. The first few chapters do a great job of giving the reader all the info they need to quickly and efficiently get a game framework up and running and out into testers' hands for prototyping. The code examples are all for the most part clear and understandable for anyone familiar with Objective-C/C++, but someone new to the language should also be able to learn how to write code using the same examples as long as they are not completely new to programming. Each line of code is not always discussed, so if you are unfamiliar with Objective-C, it may be best to review the basics in another book/resource first. There are plenty of visual diagrams and references that help the reader understand what is being discussed; this is a great benefit. The author also takes special consideration that not everyone will be using the same workflow, so alternatives are given in these situations, which is a welcome benefit of this book.
I recommend this book for devs that want to get an app into the market fast, but the drawback is that the app being designed is not a 3D game or even a 2D side-scroller. Though the book does show examples of 3D games (Crossy Road, etc.) and does talk about elements of a 2D side-scroller, it really only covers 2D static playing fields (board game style) and does a good job of it. I must, however, add that the book adds polishing effects such as parallax scrolling for depth perception. This is all very cool and extremely helpful for creating a board game style app that helps the user feel like it's a bit 3-dimensional. All the setup and framework is still incredibly helpful even for 2D side-scrollers, but it's really teaching you a board game type of playing field.
In conclusion, if you need to learn how to create a board game style app for iOS, then I highly recommend it. If you are creating a side-scroller or 3D game, then this may be a good reference for setting up the basic framework and other tools that help create 2D graphics. But you will not finish this book with a working knowledge of how to create other style games.

Friday, June 5, 2015

The Unreal Engine and C++ - Two of the Most Powerful Tools in the Known Universe!

If you want to learn C++ to build a game, check out "Learning C++ by Creating Games with UE4". (Get it at Packt or Amazon)
This is a book that creates a simple to learn bridge between learning a complex language and applying that knowledge to creating a game in Unreal Engine 4, which can have a steep learning curve. Learning C++ by Creating Games with UE4 was like a breath of fresh air. I must admit, I'm not a beginner to C++, but I read it as if I was; and from that perspective, it's a tremendously helpful book. Even if you already know C++, but don't know Unreal Engine 4, you will know them both at the end of this book. But after all, the book's primary focus is to teach C++, and secondarily to teach you Unreal Engine 4. I love the way William Sherif uses analogies to describe principles of the C++ language, then applies that same principle to the UE4 environment.

After the initial chapters spent on the syntax of C++, William gets right into learning the ropes, but gives great encouragement along the way. In addition, his tips are timely and valuable, not just fluff. I feel like I'm a much better C++ programmer and can now script great games in the Unreal Engine 4 because I chose to read this book. I'm hoping to release my first Unreal Engine 4 game soon. Thanks William!

Tuesday, February 11, 2014

How to build openssl for iOS

I've been working on an app for iOS that requires a connection over https (SSL). This works great, but I've recently become aware of the all too daunting man-in-the-middle attack. This happens when the iOS app does not compare a hashed version of the expected SSL certificate against the certificate the server presents, and only checks that the certificate has been signed. This allows a sniffer to intercept your request and attach a proxy server to the iOS app's request, thus becoming the man in the middle of your communication with the server. They then have access to all the data you and the server send. Fortunately, there is a verification process for the certificate that requires the use of openssl for iOS. The problem is that openssl is not readily available for iOS... [enter stage "compile it yourself"]. It's not that difficult to compile openssl yourself. I followed this tutorial on the subject, but straight out of the box it didn't compile, so I had to make a few modifications. Those modifications are what I'm documenting. Here's what that tutorial has:
Openssl is a useful library written in C that implements TLS, SSL and a few useful cryptographic functions. It's not included by default on iOS, but with a little shell scripting you can build and embed it in an app pretty easily. Without further ado, here are all the steps on how to do it in your favorite Terminal: Embedding the library in an app works by dragging the two .a files into the project and setting the header search paths to point at the newly created header files.
Everything worked fine until line 15, where the files are compiled. The tar that was downloaded was not "openssl-1.0.1f" but rather "openssl-1.0.1e" (you can see that in line 6, but that's not what is downloaded). So I needed to open up that script and edit line 7 to be LIB_NAME="openssl-1.0.1e". This worked like a charm. It took about 10-15 minutes for the compile, but then I had the libssl.a and libcrypto.a files compiled! Yay! I then copied them into my "lib" directory within the Xcode project and then dropped them into the "Link Binaries With Libraries" section of "Build Phases" found in the project settings.
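As an added example (not code from the post or from the tutorial it follows), here is the check the post describes, the app comparing the certificate the server presents against a copy it carries, written against Apple's Security framework (SecTrust) rather than the OpenSSL build above. It assumes an NSURLConnection delegate and that the server's DER-encoded certificate is bundled in the app as "pinned-server.der" (a hypothetical file name); comparing the full DER bytes is equivalent to comparing their hashes.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedConnectionDelegate

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Not a TLS server-trust challenge (e.g. HTTP auth): let the system handle it.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }

    SecTrustRef serverTrust = space.serverTrust;

    // Step 1: the ordinary check only, i.e. "the certificate has been signed"
    // by a CA the device trusts. On its own this is the check the post
    // describes as insufficient, since a proxy can present its own CA-signed
    // certificate for the same host name.
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL chainTrusted = (SecTrustEvaluate(serverTrust, &result) == errSecSuccess) &&
                        (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    // Step 2: the pin. Compare the leaf certificate the server actually sent,
    // byte for byte, with the copy shipped inside the app bundle
    // ("pinned-server.der" is an assumed file name).
    BOOL pinMatched = NO;
    if (chainTrusted && SecTrustGetCertificateCount(serverTrust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(serverTrust, 0);
        NSData *presented = CFBridgingRelease(SecCertificateCopyData(leaf));
        NSString *path = [[NSBundle mainBundle] pathForResource:@"pinned-server" ofType:@"der"];
        NSData *pinned = (path != nil) ? [NSData dataWithContentsOfFile:path] : nil;
        pinMatched = (pinned != nil) && [presented isEqualToData:pinned];
    }

    if (pinMatched) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:serverTrust]
             forAuthenticationChallenge:challenge];
    } else {
        // Chain failed validation, or the certificate is not the one we pinned:
        // cancel so no request data is sent over this connection.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

When the pinned certificate is renewed on the server, the bundled copy must be updated in the same release, or every connection will be refused by the else branch.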

Tuesday, September 24, 2013

git-tf : Finally Got It Working with TFS

If you have a mixed computing environment (Windows and Mac) and you want to keep all your source in Team Foundation Server, then you'll most likely use Git-Tf to check in your git commits into TFS and pull from TFS into git.

Note: some of this post is copied directly from other sources to preserve clarity, but none of the other sources provided enough of the detail for a beginner to git-tf like me. So I decided to combine all the separate steps into a single walkthrough.

Here's what I had to do after scouring the net for partial solutions:

Assumptions:

  1. You already have TFS up and running and have created a blank project/folder for your iOS source to be committed into.
  2. You have already connected your iOS project to git locally (I am not paying for a private git repo, nor would I want to share this project publicly). All the git commands are working at the local repo on my Mac, except the very last one, "git push". I tell you about it, but I don't actually use it, since I'm not publishing my git repo to the world.

In order to check in your existing Xcode project code into TFS:
  1. On your Mac, download and extract Git-TF. I placed it in /users/{yourloginaccountname}/Git-Tf
  2. Create the .profile file:
    1. Open Terminal and type in "cd ~/" to make sure you are at your home directory.
    2. Create the .profile file with the following command: "touch .profile".
    3. Open the .profile file with the following command: "open .profile".
      1. The open command will use the default editor, but you could alternatively use nano to edit the file as well: "sudo nano .profile".
  3. Either way, you then need to make sure you have added the following text into the .profile file:
      • export JAVA_HOME=/Library/Java/Home
      • export PATH=$PATH:$JAVA_HOME/bin:/git_t
      • export PATH="/Applications/Xcode.app/Contents/Developer/usr/libexec/git-core/":$
      • export PATH="/Users/{yourloginaccountname}/Git-Tf/":$PATH
    1. You could just run the above commands one by one in the Terminal app as well, but I prefer that they are in the .profile file, which gets merged into $PATH when you start the computer.
      1. The above is the generic version that you can use. Notice that the only thing you need to change is {yourloginaccountname} in the last line, provided Java is installed in the /Library/Java/Home directory and /Users/{yourloginaccountname}/Git-Tf is really where you installed Git-Tf.
    2. Make sure the double quotes in the lines above (last two commands) are really straight double quotes and not curly double quotes, which translate to a different character and will not work!
  1. Save the file and close it.
    1. If you are using nano, press "Control-x", then press "y", then Enter, then press Enter again to save the file (look at the commands at the bottom of the terminal to see this).
  2. Now, still in Terminal, change the working directory to your Xcode project folder, wherever your project lives on disk, e.g.:
     cd "/users/{yourloginaccountname}/documents/xCode Projects/testproject1/"
  3. If you show all hidden folders and files, you will see the hidden .git folder; this is your project's Git repository folder. If this folder doesn't exist, you don't have Git set up with your project; read this post to find out how to create one.
  4. Run the commands:
    • For a team working with an existing Git repo, a developer sharing changes to TFS using Git-TF would use the following workflow.
      1. git tf configure http://myserver:8080/tfs/YourCollection $/Projects/Development/Mobile/iOS/iPhone/
         Configure the existing repo's relationship with TFS.
      2. git tf pull
         Fetch the latest changes from TFS and merge those changes with the local changes. Note that merging is important when working in a team configuration; see "Rebase vs. Merge" below.
      3. git commit -a -m "merge commit"
      4. git tf checkin
         Check in the merge commit as a single TFS changeset.
         • This step gave me some problems. During the checkin, TFS will create a temporary workspace before actually committing the files. git-tf will attempt to acquire a lock on the project directory; if it fails (because someone else has a file checked out), then follow these steps:
           1. Open Visual Studio 2010.
           2. Open the "Team Explorer" tab; you may need to add this tab if you don't have it added already.
           3. Click "Pending Changes" to open the pending changes view.
           4. Click on the drop-down list labeled "Actions" and choose "Manage Workspaces".
           5. Down at the bottom of "Manage Workspaces", click "Show remote workspaces".
           6. You should then see a workspace with a name like git-tf[some-big-number]. Select it, then delete it. This will not change your own workspace at all, but it will remove the locked workspace. Once you delete the remote workspace, you can then run the checkin again:
           7. git tf checkin
      5. git push
         Push the merge commit to the origin.
         • You only need to use the git push command if you are publishing to a free public git repo, or are paying the $7 monthly subscription for a private git repo and you are intending to share the repo with multiple developers.
  5. If you get prompted to install Java in step 5, do it. Then re-run the command.
  6. Now if (when) you get a Java security exception, you will have to install your TFS SSL certificate and register it with Java so Git-TF can talk to your TFS. You will only have to do this once.

    1. Download this InstallCert.jar: I put it inside the Git-TF folder, but it could go anywhere.
    2. In Terminal, cd to the folder where you downloaded the .jar file. Then run the command:
       java -jar InstallCert.jar https://yourtfswebaddress.com/tfs/gittfs
    3. This will create a file "jssecacerts". Put this file in /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib (your Java version may vary).
    4. Rerun the commands in step 5.
    5. Your code should now be in TFS.

How to pull down the code from TFS (if you don't have the project and want to get it for the first time):
  • The steps are nearly the same as above: after installing Git-TF and establishing the path variables, cd to your project directory and run the command:
    1. git tf clone http://myserver:8080/tfs/YourCollection $/Projects/Development/Mobile/iOS/iPhone/
       Changes are cloned down from TFS to git.


And just to be complete: Individual Developer with a New Repo
A typical workflow for an individual developer using the Git-TF tools is as follows.
  1. git tf clone http://myserver:8080/tfs/YourCollection $/Projects/Development/Mobile/iOS/iPhone/
     Changes are cloned down from TFS to git.
  2. Make changes to the files in the Git repo.
  3. git commit -a -m "commit one"
     (commit changes locally)
  4. Make more changes.
  5. git commit -a -m "commit two"
  6. git tf pull --rebase
     Fetch the latest changes from TFS and rebase master on top of the fetched changes. You should research the difference between rebase and merge; rebase has potential issues if you are working in a team environment.
  7. git tf checkin
     Check in the changes from "commit one" and "commit two" as a single TFS changeset.

Friday, June 14, 2013

SQL - Check Multiple Tables For Data (IF NOT EXISTS) in a Single IF Statement

Question: How do you check for existence (IF EXISTS or IF NOT EXISTS) of data across multiple tables in a single IF statement in SQL?

Answer:
IF NOT EXISTS (SELECT 1 FROM Table1) AND NOT EXISTS (SELECT 1 FROM Table2) AND NOT EXISTS (SELECT 1 FROM Table3)
BEGIN
    PRINT 'DATA DOES NOT EXIST'
END
ELSE
BEGIN
    PRINT 'DATA DOES EXIST'
END