
 SECURITY


  Generate certificate in Java -- Self signed certificate

This is the first post in this series, in which I will show you how to generate an SSL certificate in Java programmatically. Certificates are frequently used in SSL communication, which requires the server to authenticate itself to the client. This lets the client trust that the server is actually the one it claims to be. Certificates are really important on the Internet: all HTTPS communications on the Internet need the server side to present a certificate signed by a trusted CA. The basic flow of request generation is that we first use some tool to generate the certificate request, this certificate r...

56,699 21       JAVA CERTIFICATE X509


  Generate certificate with cRLDistributionPoints extension using OpenSSL

In an X509 certificate, the cRLDistributionPoints extension provides a mechanism for the certificate validator to retrieve a CRL (Certificate Revocation List), which can be used to verify whether the given certificate has been revoked. A cRLDistributionPoints extension can contain one or more DistributionPoints from which the CRL can be retrieved. Each DistributionPoint consists of three fields, each of which is optional: distributionPoint: it contains either a SEQUENCE of general names or a single value. One distributionPoint can contain one or more general names which show w...

32,470 0       EXTENSION OPENSSL CERTIFICATE X509 CRLDISTRIBUTIONPOINT


  Encrypting and decrypting PGP file or text on MacOS

When exchanging data among different parties, there is a frequent need to encrypt data or a file, send it to a partner, and ask the partner to use the corresponding key to decrypt it. A well-known way of exchanging data is to use asymmetric keys, where no secret key needs to be shared. One party simply uses the public key shared by the partner to encrypt the data, and the other party uses the private key to decrypt it. Today, we will introduce how to use PGP to encrypt and decrypt data on MacOS. Pretty Good Privacy (PGP) is an encryption system used for both sending encrypted ...

31,483 1       TUTORIAL ENCRYPTION DECRYPTION PGP GPG


  Generate certificate in Java -- Store certificate in KeyStore

In the previous post, we explained how to create a certificate chain in Java. After generating the chain, we need to store it somewhere so that it can be used later when we do the actual SSL communication, either in a key store or a trust store. This post will show you how to store the private key and its associated certificate chain in a keystore file. There are different types of keystore in Java; in this post, we will choose JKS to demonstrate how to store the certificate chain. When storing a private key entry into a keystore, we need to store its associated certificate chain as w...

30,494 10       JAVA CERTIFICATE CHAIN KEYSTORE


  SQL Injection through HTTP Headers

During a vulnerability assessment or penetration test, identifying the input vectors of the target application is a primary step. Sometimes, when dealing with web application testing, verification routines for discovering SQL injection flaws are restricted to the GET and POST variables as the only input vectors. What about other HTTP header parameters? Aren't they potential input vectors for SQL injection attacks? How can one test all these HTTP parameters, and which vulnerability scanners should be used in order to avoid leaving vulnerabilities undiscovered in parts of the appl...

20,538 0       SQL INJECTION CODE SECURITY HTTP HEADER


  Resolving SVN error "Error validating server certificate for..."

When using SVN to connect to a secure server, the server needs to send its certificate to the client for verification. In some cases, the certificate sent by the server is not a trusted certificate; the client may choose to trust the certificate if the server is known for certain to be the intended server. But users may get "Error validating server certificate for 'https://...'" the next time they try to connect to the same secure server, even if they specified "p" the first time they were prompted to accept the server certificate. Error validating server certificate for 'https://example.com': - The certifi...

20,223 2       SSL SVN SVN.SSL.SERVER


  The mystery of Duqu Framework solved

The Quest for Identification: In my previous blog post about the Duqu Framework, I described one of the biggest remaining mysteries about Duqu, the oddities of the C&C communications module, which appears to have been written in a different language than the rest of the Duqu code. As technical experts, we found this question very interesting and puzzling and we wanted to share it with the community. The feedback we received exceeded our wildest expectations. We got more than 200 comments and 60+ e-mail messages with suggestions about possible languages and frameworks that could have bee...

18,390 1       C++ DUQU CODE MYSTERY OO C


  8 very useful and free web security testing tools

As web applications become more pervasive, web security threats are becoming increasingly prominent. Attackers gain control of web servers by exploiting web server vulnerabilities and SQL injection vulnerabilities; they may then tamper with web content, steal important internal data, or, more seriously, inject malicious code into web pages to affect visitors of the site. Attention to web application security is gradually increasing. Here we recommend eight very useful and free web security testing tools. N-Stalker Free Version: N-Stalker Web Application Security Scanner 2012 Free Edition provides a...

18,150 0       WEBSITE ATTACK SECURITY WEB SECURITY