Thursday, April 10, 2014

How to see, edit and tamper all http, https requests, responses made from an android mobile or tablet device?

No comments:
In previous posts we saw an introduction to web proxy debugging and decrypting secure SSL requests.

Yet still, have you ever wondered how your mobile/tablet communicates with websites? , How information is being sent & received in my Facebook, Gmail app that you installed in your smartphone?

Well, I did, and here is what I found. We can view, capture and play with data sent from any smartphone over the network.
Install & open Charles. Go to Help Local IP address. Note down your IP address.

Now let’s move on to try capturing what all that is being sent from your android/windows/ IPhone device.
(Make sure both your device and PC are connected in the same network)
Go to android settings WiFi → long press your connected network → modify Network 

At the bottom, Check “show advanced options” → set proxy as “manual”. Proxy hostname is your IP address that you noted as seen when we started. (192.168.1.6 for me) Proxy port is Charles’s port “8888” by default. (Proxy menu → Proxy Settings →Port).
Let’s get to test if that is correct.
Now we have set all your android traffic to go through your PC and Charles read it clean and nice for you.
I am opening browser from my mobile and doing a Google search.
 Then I am going to Charles and … BINGO! Yes, I can view what I searched in my mobile, right here in my PC. Ok, can we edit and interpret the information being transferred?
Let’s do a similar thing to what we did in our previous post,
Go to any website, say “m.dictionary.com” & here is how it looks,

Note how the response is the HTML page of “m.dictionary.com”. Now enable breakpoints for this website in Charles, and reload the website in your device.

The request gets paused before being sent to the web-server. Let’s just let the request go, by clicking “Execute”.
Now Charles brings up the response sent by the server, which is to be sent to your smartphone.
But before that I am going to edit the Response with my own HTML content and then click execute.

Check out what gets displayed in my phone, for the website “m.dictionary.com”.
That’s the direction of things you can do with proxy debugging.
Android developers can use this method to see all your data traffic, whether requests are going good and responses are received OK.
If you encounter secured HTTPS/SSL data, please refer this post to decrypt them in Charles.

Yet, sometimes, new android versions may feel a bit insecure and just don’t believe this proxy drama.
If you’re not able to see encrypted data, go to this URL http://charlesproxy.com/charles.crt from your device browser and install the certificate.
Be sure to remove the certificate after using (settings → security → ! sign -> select Charles certificate & remove).

Try out to see what all information your phone sends and receives.
If you are using other’s device, inform them & respect their privacy. (All personal data including passwords & auth codes are viewable)
Please be noted this tutorial is for only educational purpose and be responsible. Have a great day :)
Read More

Tuesday, April 8, 2014

How to see, edit and tamper HTTPS encrypted SSL data sent from any browser or system?

No comments:
In the last post, we saw how to view & edit HTTP traffic using Charles.

Now that we’re cool enough to crack open any requests from our PC, not all websites are that dumb to just work on HTTP. Most sites we encounter, may follow a secure connectionHTTPS or SSL certified.
It’s still easier to dismantle, read & edit HTTPS too!

Just open Charles and go to Proxy (in menu bar) → Proxy SettingsSSL Tab
Check “Enable SSL proxying
In the Locations box, you can add websites (using SSL), that you want Charles to unmask for you.
Add the site address (host) & port used. For example, I have added “www.google.co.in” and 443 as port. (443 is port for https protocol).
Note: If this is hectic, you can catch all requests by using wildcards *, * as shown.

Open browser and check the website (which uses SSL).
Let me do a Google search.
Instantly, we can see all the encrypted data sent from our PC.

Feel free to enable breakpoints; edit requests, responses (as seen for HTTP before) and play around encrypted data, like a piece of cake, hereupon.
Check out how our request looks before and after enabling SSL decrypting.
   
Please be noted this tutorial is for only educational purpose and be responsible. Have a good day with Charles.
Read More

Monday, April 7, 2014

How to edit requests and responses, hack, test and tamper with data to websites from browser using Charles web debugging proxy?

No comments:
Though browsers are very comfortable, ever wondered what’s going on underneath it?
What is it sending and receiving when we visit a webpage?
Can I change it manually? What happens if I try to comment 100 times the same thing?
Wanna hack that Facebook game, or play around with request, response or headers?

Get introduced to Charles - Web debugging proxy Application.

Get it from here and install it.
Open the application & this is how it looks.


Note the two enabled buttons
1.    Record - Starts recording all requests and responses from your PC (only browser traffic)
2.    Breakpoint – Enables you to pause a request for viewing, editing before sending to the web server.

Now open a browser and goto your favourite website.
For beginners, I am opening dictionary.com and searching for the word “hello”
Now go to Charles and you should see something like this.

Select the website you want to see and you can see a lot of information on the right side.
Note the search string “hello” in there.
Play around with the tabs and you see things such as, what request is sent, what response is received, in how much time, etc


In the bottom also you can find a few tabs to see various formats of data. 


QueryString shows you the url parameters sent, Raw is the format in which the browser sends the actual data, Headers are meta data of your browser, OS etc.

Ok now that we can see a soup of data, how to edit them?
We have the breakpoint for that, if you're a programmer, you'd have heard your teacher say 'use breakpoints in debugging the code'. (
a web developer? you might have heard firebug). This is the same, but better.
 

Right click on the website name and select breakpoint.


Now interactions with this website are under your control!!
Let’s try searching again for “hello world” now.
Immediately when I click search, the Charles window pops open.
This is the middle step of my request before being sent to the website, now I change the request to “hello world welcome!!” as shown and clicking execute. Charles now displays the response from the website. Clicking execute again, the browser blindly displays the result for edited search.


Check out the resulting web page
The actual search was just “hello world” but we interrupted in between to change it to “hello wold welcome!!”
This is just a tip of ice-berg on the uses and applications of Charles. Actually a lot could be done. I use it mostly to test my websites. It’s popularly used for hacking Facebook games.

You can try options like Repeat, Copy URL, Block cookies etc.

Check out the features of Charles listed in charlesproxy.com,

Please be noted this tutorial is for only educational purpose and be responsible, while we'll back with more posts on this wonderful tool. In case you've any doubt, please leave comments.
Read More

Saturday, April 5, 2014

What is new in Java 7? New useful features

No comments:
Java 7 is everywhere now and your boss maybe thinking to migrate too. So if you are still coding old way, it's useful to sneak peek the features.

Java has been constantly growing so much bigger that I cannot fathom all that is added to it.
Let me sum up the ones I found useful in my daily use. Consider this an introduction to Java 7 and we’ll be rolling out more detailed posts on each topic eventually.


String in switch case:

Let me start with a favourite,
With java 7, we can use string in switch case!
switch(str){ //str of type String
  case "abc": //do something
  case "efg": //do other thing
}

Multiple Exception Handling:
No need to copy paste many catch expressions. We can bundle related exceptions in a single catch.
try{
get_A_Coffee (); //do someting;
}
catch(NotTastyException, NotHotEnoughException coffeExpObj){ //bundle similar exceptions
throwCoffeAndGetNew(coffeExpObj); //handle
}

Type Inference:
Lists can be put as such easily!
 Map<String, Integer> = new HashMap<String, Integer>();  //no need to write like this
 Map<String, Integer> = new HashMap<>();     //this will just do

Elvis Operator:
This is from groovy language. ( ?: looks like Elvis)
Instead of  x!=null? x: y, we can write as x ?: y
Ex:- Integer ival = (input from user); // may be null
int i = ival ?: -1; // no NullPointerException from unboxing

Module:
We hear something called Module in Java 7, module or a module definition by book is ‘a logical unit of set of files, resources and its dependencies that can be versioned, packaged and deployed in the module repository for re-use by some other application.’ Each module consists of a module meta-data that is self-describing. (Good for JAR versioning). Modules can be exported & imported between projects.

/* module meta-data */
module A @ 1.0 //this module class is of version 1.0
{
requires B @ 2.1; //this needs B of version 2.1
requires C @ 1.1; //this needs C of version 1.1
} /*meta-data end*/

module A;
package com.sample;
public class sample class{ 
public void sample()
{}
}

Note: If class or one of its members or constructors is declared module, it will be accessible from a type that belongs to the same module.
If you don’t get it chill, I didn’t either, at first. We’ll see more on this in following posts.
 
Whole new I/O API:
The Java team has rolled out a whole new IO package, java.nio(new IO)
Tons of useful things for file and path handling under this.
Path is one such new class. (http://docs.oracle.com/javase/tutorial/essential/io/pathOps.html)
It’s like a Unix path for manipulation, finding file, properties etc
Path searchPath = Paths.get(“c:/sample”);
final Path findFile = Paths.get(“samplefile”);
//similar to FileSystems.getDefault().getPath("/samplefile");
FileVisitor visitor = new SimpleFileVisitor()
{
public FileVisitResult visitFile(Path file, BasicFileAttributes attrs)
{
if(file.getName().startsWith(findFile)
{
//do something
}}
};
Files.walkFileTree(searcPath, visitor);
Other features of nio are Buffers, Channels, Selectors, Character sets, asynchronous I/O, File Notifications, Directory Operations. know more

Garbage First!:
No more chaos with a fuzzy GC,
•    All new garbage collector, the “Garbage First Collector”.
•    Memory split into multiple regions as opposed to 2 regions in the last version.
•    Quite predictable and provides greater through-put for memory intensive applications.
•    Performs faster than the last parallel collectors.

There are more features like Fork and Join, Cache API (temporary, permanent), new Date and time API. Stay tuned to pro them too.

Read More

Saturday, October 12, 2013

Google app engine php tutorial in windows. Getting started hello worldexample. GAE development and deployment

No comments:



Google App Engine (GAE) is a platform as a service (PaaS) cloud computing platform for developing and hosting web applications. Recently Google has made Google App Engine PHP runtime support fully available to the general public, meaning you can run your PHP applications in the Google Cloud Infrastructure with various pricing plans.
I've never used App Engine before and thought of give it a try. I thought I might have to put a lot of workaround for setup and deployment of the project. But I am really impressed by its simplicity of creation and deployment of the project. Also they provide a simple GUI called Google App Engine Launcher for making the application management simpler.

Lets get started,

Creating the Application

1. Go to http://www.python.org/getit/releases/2.7.4/ and download the Python MSI installer for windows and install the application.


2. Then download the PHP SDK for App Engine from the link  http://googleappengine.googlecode.com/files/GoogleAppEngine-1.8.5.msi and install the application.
3. After Installing Python and App Engine PHP SDK, Open the Google App Engine Launcher application,

4. Go to menu bar and click  File -> Create New Application,

5. Fill up the Application Name, Parent Directory, Runtime (PHP), Port and Admin Port.

6. The application will be created and listed out in the GAE launcher.

7. Open the Parent Directory in Explorer, You can see the application folder got created.

8. The new empty application folder will have app.yaml file, main.php file and a favicon.ico file.

9. The app.yaml file will have the application configurations, and by default it is configured in a way that main.php will handle all the requests coming into the application. We'll see the configuration options later and run the application first.

10. Now open Google App Engine Launcher Click Run button given above (Control -> Run),


11. Now goto http://localhost:8080 or to whatever port you have given. You can see the "Hello World!" over there.

If the application is not starting goto Edit -> Preferences, and fill up the required details.

It is said that the default values will be used if it is not set. But for me, Unless I set it manually, The application was not running. Try with the above details. If it is still not running, Try adding the Deployment Server value with "C:Program FilesGooglegoogle_appenginedev_appserver.py" in the preference and try again.

The given demo is done in Windows 8 machine. But when I tried with Windows XP, I've got the error message "The procedure entry point InitializeSRWLock could not be located in the dynamic link library KERNEL32.dll" and I couldn't resolve it though.

Deploying application to Google App Engine
12. Go to https://appengine.google.com/ , Login with your Google account and Click create application.

13. Fill up the Application ID, Title and leave the other options to default and Click Create Application.

14. After creation, You can see a dashboard for the application. Lets not get complicated and start with deploying the application.

15. Now lets create an application to deploy to App Engine, Or you can use your old application itself. Make sure to change the "application:" in the app.yaml with the Application Identifier you've registered with Google App Engine.

16. Select the application and click the Deploy button ( Control -> Deploy )
Fill up your google account credentials and Click Ok.
17. The below window will be opened and the application will be deployed to the Google App Engine.
18. After the deployment is successful, Go to http://<your-app-id>.appspot.com, in the current scenario it is http://tinywall-app.appspot.com/

Bazinga!! Your PHP application is running in Google App Engine Cloud Infrastructure.

I'll explore what else we can do with PHP in Google App Engine and will blog in the upcoming posts.
Read More