How to save ZAProxy Options? - zap

I am using ZAProxy 2.7.0 on RHEL7 with a smart card that holds a client certificate for the site I am trying to access through ZAProxy. Using the smart card requires setting some PKCS#11 values under Tools/Options/Certificate, especially selecting a driver, entering the PIN code, and setting it Active.
Unfortunately, these values do not persist between ZAProxy runs. I have seen that other options do persist, but not these. I would also like to use ZAProxy in headless mode; in that case I cannot even set these options (at least I haven't found a way).
Any ideas?

It's getting closer: you can now do this for PKCS#12 certs using a weekly build or the next release. It adds that functionality to both the CLI and the web API: https://github.com/zaproxy/zap-core-help/pull/227/files
If smart card support is important to you I'd suggest opening a feature request: https://github.com/zaproxy/zaproxy/issues/new?labels=enhancement&template=Feature_request.md

Keycloak with Angular + TypeScript for iOS/Android

I have an Angular (2) + TypeScript application using Keycloak as the authentication/authorization provider, and I would like to integrate Keycloak with NativeScript to make the existing web application cater to iOS/Android users.
I could see that Keycloak supports iOS/Android as listed here: http://www.keycloak.org/docs/2.5/securing_apps_guide/topics/overview/supported-platforms.html?408DD571-0042-4EBB-BC37-1F2966A56651=123451
Is there any NativeScript-based plugin to integrate with Keycloak (I could not find anything here: http://plugins.nativescript.org/)? Pointers to a possible solution would be of great help.
Version:
tns --version
2.5.0
Looks like the answer is no. But I started playing around, and to create a plugin we have basically two strategies:
Extend a pure OAuth client for NativeScript. There is this plugin: http://plugins.nativescript.org/plugin/nativescript-oauth
Port keycloak.js to NativeScript.
I like the second approach because there are more features built into Keycloak, so my first try was to edit the original code and remove the use of window and other APIs that are not present in the browser. I quickly found out that the keycloak.js code is a mess (at least to me), and I'm having a bad time understanding how to edit its 1258 lines. Because of that, I started a complete rewrite, highly inspired by the original. I'm actually reading the code and trying to port the project piece by piece, reorganizing it for testing, and abstracting the use of browser APIs so it can be ported to both web and NativeScript.
You can check the code here: https://github.com/atende/keycloak-js-universal but it is not close to ready.
The problem is, I have no time to do it :-), but it will get done eventually, because I need it too.
It is important to mention that I created an abstraction for Angular 2 that works using keycloak.js for security, and porting keycloak.js is strategic to make that library work for Angular 2 NativeScript, which is my motivation to do it. You can check the project here: https://github.com/atende/angular-spa
Any contributions are welcome ;-)

Prevent authorization popup when using SMJobBless

We are developing an application with a Helper Tool, which is installed into the system using SMJobBless. This works as expected, but there is a caveat.
We do frequent automatic deployments, sometimes more than one per week. Every time the Helper Tool version changes, we re-register it, causing a password prompt. These two factors would quickly become irritating to our users.
Is there a way to have the password prompt appear only once, during the initial Helper Tool installation? Could subsequent updates happen without a prompt? Perhaps there is a way to leverage the existing Helper Tool to install a newer version of itself?
Short answer: No. SMJobBless() always prompts for admin credentials. There's no way to stop it from prompting. If you call this API, it'll prompt (or fail).
Longer answer on workarounds:
If your helper tool is running with admin/root privileges, it could theoretically replace itself with a new version. Think very carefully before doing this. Getting this right and maintaining security is very difficult, and the fact that even the major OSes have had vulnerabilities in installer functionality is a strong indicator that the risks of going this route may outweigh the benefits.
If you must proceed, read up on:
Race Conditions, Secure File Operations, and Time of Check vs Time of Use
Apple's Security APIs, particularly SecRequirementCreateWithString and SecCodeCheckValidity.
macOS Code Signing In Depth and the Code Signing Requirement Language
You would have to ensure that your helper tool cannot be tricked into replacing itself with (or executing) malicious code, or you will have opened your software up to being a trivial root exploit vector.
Also note: Regardless of what Apple currently does to verify helper tools installed by SMJobBless, it is conceivable that they could tighten the requirements in the future and refuse to run helper tools that have been modified since they were installed via SMJobBless. The safest method (in multiple respects) is to just call SMJobBless whenever you need to install/update the helper.
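The self-replacement path the answer warns about, written out as an added example that is not code from the original answer or from Apple: a privileged helper that is handed an untrusted path to a candidate binary, copies it into a root-owned directory no unprivileged user can write, validates the copy (not the caller's file) against a pinned code signing requirement, and installs it with a single atomic rename. The helper identifier com.example.helper, the team identifier ABCDE12345, the staging file name and the assumption that /Library/PrivilegedHelperTools is root:wheel 0755 are placeholders for illustration; the Security framework calls (SecStaticCodeCreateWithPath, SecRequirementCreateWithString, SecStaticCodeCheckValidity) are the real APIs the answer points to.

```objc
#include <Security/Security.h>
#include <CoreFoundation/CoreFoundation.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdbool.h>

/* Assumed paths. SMJobBless installs helpers into /Library/PrivilegedHelperTools,
 * which is owned by root:wheel with mode 0755, so only root can create, rename
 * or replace files there. The staged copy lives in that same directory. */
#define HELPER_PATH "/Library/PrivilegedHelperTools/com.example.helper"
#define STAGED_PATH "/Library/PrivilegedHelperTools/com.example.helper.new"

/* Assumed requirement: same identifier as this helper, Apple-rooted chain, and a
 * leaf certificate belonging to team ABCDE12345. Pinning to the team matters;
 * "anchor apple generic" alone accepts any Developer ID-signed binary. */
static CFStringRef const kHelperRequirement = CFSTR(
    "identifier \"com.example.helper\" and anchor apple generic and "
    "certificate leaf[subject.OU] = \"ABCDE12345\"");

/* Step 1: copy the untrusted candidate into root-owned space. The source path
 * came from the unprivileged app, so refuse symlinks and anything that is not
 * a regular file. Every later step operates only on the copy, which no
 * unprivileged process can swap out from under us. */
static bool stage_candidate(const char *untrusted_src) {
    int in = open(untrusted_src, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0) return false;
    struct stat st;
    if (fstat(in, &st) != 0 || !S_ISREG(st.st_mode)) { close(in); return false; }

    (void)unlink(STAGED_PATH);                       /* drop any stale attempt */
    int out = open(STAGED_PATH, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0755);
    if (out < 0) { close(in); return false; }

    char buf[65536];
    ssize_t n;
    bool ok = true;
    while (ok && (n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { ok = false; break; }
            off += w;
        }
    }
    if (n < 0) ok = false;
    if (ok && fchown(out, 0, 0) != 0) ok = false;   /* match what SMJobBless installs */
    if (ok && fsync(out) != 0) ok = false;
    close(in);
    close(out);
    if (!ok) (void)unlink(STAGED_PATH);
    return ok;
}

/* Step 2: validate the staged copy against the pinned requirement. Static
 * validation checks the signature, the code directory hashes over the file,
 * the identifier and the certificate chain. A failure here is the expected
 * outcome for anything an attacker dropped at the caller's path. */
static bool staged_copy_is_trusted(void) {
    bool trusted = false;
    CFURLRef url = CFURLCreateFromFileSystemRepresentation(
        kCFAllocatorDefault, (const UInt8 *)STAGED_PATH, strlen(STAGED_PATH), false);
    SecStaticCodeRef code = NULL;
    SecRequirementRef req = NULL;
    if (url &&
        SecStaticCodeCreateWithPath(url, kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString(kHelperRequirement, kSecCSDefaultFlags, &req) == errSecSuccess &&
        SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess) {
        trusted = true;
    }
    if (req) CFRelease(req);
    if (code) CFRelease(code);
    if (url) CFRelease(url);
    return trusted;
}

/* Step 3: one rename(2). It is atomic on the same volume: HELPER_PATH is never
 * missing or half-written, the running helper keeps its old inode until it
 * exits, and launchd starts the new binary on the next launch of the job. */
static bool install_staged(void) {
    return rename(STAGED_PATH, HELPER_PATH) == 0;
}

/* Entry point the helper would call for an update request that arrived over
 * its XPC connection (client verification is not shown here). */
bool self_update_from(const char *untrusted_src) {
    if (!stage_candidate(untrusted_src)) return false;
    if (!staged_copy_is_trusted()) { (void)unlink(STAGED_PATH); return false; }
    return install_staged();
}
```

The ordering is the whole point: the signature check runs on a file only root can modify, after the copy, so there is no window in which the bytes that were checked differ from the bytes that get installed. Checking the caller-supplied path first and copying afterwards would reintroduce exactly the time-of-check/time-of-use race the answer lists. The update request itself should reach the helper over XPC from a client the helper has verified with SecCodeCheckValidity against the client's own requirement; otherwise any local process can ask root to install "its" update.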

View API data with chrome DevTools

I am working on a site that uses the PayPal API. This new site will replace the old site at my job. As of right now, I need to check what data the old site sent to the PayPal API. Is there a way to check what data is being sent to and from a different site or API? It is data that is not typed in by the user, but data that already exists in the database that is being sent to the API.
Any help or advice would be great.
Thank you!
It "depends". On the Windows platform you could use:
Fiddler, or
Microsoft Message Analyzer
to inspect traffic in and out (on the client system where either tool is installed). I'm sure other platforms have similar tools.
Chrome DevTools (or any other browser's developer tools) will help with browser-based traffic.
IMHO, depending on how "old" the existing system is, it may be worth looking at the API again to see if any newer features are worth the effort since you're updating things... and it seems to me that getting paid/payment systems/ops would be something high on the priority list :)
Hth...

Recording scripts - "page not found" because of single protocol?

I have found a strange issue which I do not completely understand. When I run LoadRunner with just a single protocol, the browser (when recording starts) is launched but says "page not found" (as if the proxy was not set).
How come? The protocols specify what traffic will be captured, but I assumed it just does not record the ones not specified. So why can the browser not find the page in single-protocol mode when it can in multiple-protocol mode?
I've found that the single protocol mode (I assume web here) is somewhat erratic and does not work all the time. The workaround is to use the multiple protocol mode, but select only Web (HTTP/HTML). This works much better.
The actual reasons for why this is the case are unknown, but at least give it a try!
As for other issues:
Check that your PROXY settings are correct when you invoke IE for recording. Your issue sounds a little like a proxy issue, but please post more details if none of the above works.
Over 90% of recording issues can be traced to environment items: specifically, do you have the right match between your version of LR and the version/manufacturer of your browser, are you signed in with the proper credentials, and do you have any conflicting software packages loaded, such as antivirus, which could be impacting the recording mechanism?
Where to start?
Make sure you are signed in with Administrative credentials
Disable any antivirus running locally
Validate your browser manufacturer and version with the requirements for your version of LoadRunner

Is there a good way to wrap an existing Python based web application to require a login?

I'm in the process of installing an open-source Python based web application to an internal server here at work. The existing code is open - it doesn't require a login to view it - but one of the requirements is that users have to be approved before they can see anything.
Is there a good way (using Apache configuration files for example, but any method would be great) to wrap the application so that any access requires a login? I would like to avoid modifying the open-source code (a maintenance nightmare every time a new release comes out).
Any thoughts or suggestions?
Apache supports Authentication, Authorization and Access Control.
It is a detailed process, and summarising it here would not do it justice. I refer you to the link provided,
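One way to meet the requirement without touching the application, given here as an added example rather than configuration from the original answer: put the app behind Apache and gate every path with Basic authentication plus a group check, so "approval" becomes adding a user to a group file and revocation is removing them. It assumes the app listens only on 127.0.0.1:8000, that mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic, mod_authn_file, mod_authz_groupfile and mod_headers are loaded, and that the host name, certificate paths and credential file paths shown are placeholders.

```apache
# Added example: front an unmodified Python web app with Apache authentication.
# Assumptions: the app is bound to 127.0.0.1:8000 so Apache is the only way in,
# and the modules named in the lead-in are loaded.
<VirtualHost *:443>
    ServerName app.internal.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.internal.example.crt
    SSLCertificateKeyFile /etc/ssl/private/app.internal.example.key

    # Every path, including static assets and any JSON endpoints the app's own
    # front end calls, sits behind the same gate.
    <Location "/">
        AuthType Basic
        AuthName "Internal application"
        AuthBasicProvider file
        # Created with:  htpasswd -c -B /etc/apache2/app.htpasswd alice
        # (-B selects bcrypt; the default MD5-based scheme is weak)
        AuthUserFile  /etc/apache2/app.htpasswd
        # Approval step: a valid password alone is not enough, the account must
        # also appear in the "approved" group. One line per group in this file,
        # e.g.  approved: alice bob
        AuthGroupFile /etc/apache2/app.groups
        Require group approved
    </Location>

    ProxyPreserveHost On
    ProxyPass        "/" "http://127.0.0.1:8000/"
    ProxyPassReverse "/" "http://127.0.0.1:8000/"

    # Let the app know who authenticated, without trusting anything the client
    # sent: "set" replaces any X-Remote-User header the browser supplied with
    # the value Apache's own auth phase established.
    RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"
</VirtualHost>

# Basic credentials are only base64-encoded, so never accept them over plain
# HTTP; send everything to the TLS virtual host instead.
<VirtualHost *:80>
    ServerName app.internal.example
    Redirect permanent "/" "https://app.internal.example/"
</VirtualHost>
```

Two caveats a practitioner will want: the TLS virtual host and the port 80 redirect are part of the control rather than decoration, because Basic auth puts the password on the wire in every request; and the gate only holds if Apache is the sole route to the application, which is why the app must listen on loopback (or a firewalled port) rather than 0.0.0.0. New releases of the open-source code drop in underneath this configuration unchanged.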