Wednesday, August 15, 2018

OWASP (Open Web Application Security Project) Replay attack


OWASP (Open Web Application Security Project) is a non-profit focused on improving the security of software. It publishes the "OWASP Top 10", a list of the most critical security risks in web applications, with companion Top 10 lists for mobile and IoT applications.

Everyone who develops a web, mobile or IoT project MUST know about OWASP, and you may be wondering why I am writing this post now.

I lead an initiative to migrate the payment provider for our existing B2B and B2C portfolios. The integration flow is:

  • The application uses a back-end service to authenticate with the payment provider and then requests authorization for the dollar amount.
  • The payment provider authorizes and redirects to an externally hosted page where the customer enters credit card details.
  • After the payment, the third-party provider redirects to an application page with the payment status.
  • Based on the payment status, the application decides the next steps.


Since the payment provider redirects back to an application URL, there is a potential for a replay attack: an attacker can capture that redirect URL, with its payment status, and reuse it in another transaction.

To mitigate the risk, we used a token-based approach: a signed token is sent to the payment provider during the authorization process. After the payment, the provider sends the token back with the redirect URL, and the confirmation page invalidates it, so the same token cannot be used in another session.
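The following is an added example of the single-use token scheme described above; it is not code from the original post or from any payment provider. It assumes an in-memory store standing in for the database or cache a real back end would use, an HMAC key loaded from configuration, and placeholder order ids and amounts; the class and method names are hypothetical. The token carries a random nonce, the order id, the amount and an expiry, all covered by the signature, so a captured redirect can neither be replayed nor moved to a different order.

```python
"""Single-use signed tokens for the hosted-payment-page redirect.

Added example, not code from the original post. The ReplayProtectedTokens
class, its in-memory store (a stand-in for the database or cache a real
back end would use) and the key used in __main__ are all assumptions; the
order ids and amounts are constructed.
"""
import hashlib
import hmac
import secrets
import time


class ReplayProtectedTokens:
    """Issue a token at authorization time; accept it exactly once on the confirmation page."""

    def __init__(self, key, ttl_seconds=900):
        self._key = key             # HMAC key; load from a secret store in production
        self._ttl = ttl_seconds     # how long the hosted-page round trip may take
        self._pending = {}          # nonce -> [order_id, amount_cents, expires_at, used]

    def issue(self, order_id, amount_cents, now=None):
        """Create a token bound to this order and amount and remember it as pending."""
        now = int(time.time() if now is None else now)
        nonce = secrets.token_urlsafe(16)          # base64url, never contains '.'
        expires_at = now + self._ttl
        body = f"{nonce}.{order_id}.{amount_cents}.{expires_at}"
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        self._pending[nonce] = [order_id, amount_cents, expires_at, False]
        return f"{body}.{sig}"

    def redeem(self, token, order_id, amount_cents, now=None):
        """Return (accepted, reason). A given token is accepted at most once."""
        now = int(time.time() if now is None else now)
        try:
            body, sig = token.rsplit(".", 1)
            nonce, rest = body.split(".", 1)
            tok_order, tok_amount, tok_exp = rest.rsplit(".", 2)   # order id may contain '.'
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):      # constant-time comparison
            return False, "bad signature"
        if now > int(tok_exp):
            return False, "expired"
        record = self._pending.get(nonce)
        if record is None:
            return False, "unknown token"
        if record[3]:
            return False, "replayed"
        if (tok_order != order_id or int(tok_amount) != amount_cents
                or record[0] != order_id or record[1] != amount_cents):
            return False, "order/amount mismatch"
        record[3] = True    # consume the token before acting on the payment status
        return True, "ok"


if __name__ == "__main__":
    store = ReplayProtectedTokens(b"constructed-demo-key")
    token = store.issue("ORD-1", 1999)
    print(store.redeem(token, "ORD-1", 1999))   # accepted once
    print(store.redeem(token, "ORD-1", 1999))   # rejected as a replay
```

The token proves that the redirect belongs to a live transaction for this order and amount; the payment status itself should still be confirmed with the provider over the back-end channel rather than taken from the URL parameters.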

Friday, June 8, 2018

Change audio input and volume on Windows 10

Original post: https://www.hanselman.com/blog/AutomaticallyChangeYourAudioInputOutputAndVolumePerApplicationInWindows10.aspx


I use multiple headsets, and I find it very hard to manage them when I jump into conference calls.

The two utilities mentioned by Scott will be a life saver :)

Audio Switcher: A simple app that runs in the notification area and helps you switch the default audio input and output devices. There is no download available; you have to clone the repository and build it yourself. Once the build is complete, find the executable in the bin folder and run AudioSwitcher.exe.

https://github.com/davkean/audio-switcher

EarTrumpet: https://www.microsoft.com/en-us/p/eartrumpet/9nblggh516xp?activetab=pivot%3aoverviewtab

Monday, March 19, 2018

Converting an OData Specification to OpenAPI


Last week I was working on on-boarding a few SAP OData APIs to our API Management gateway. The APIM tool used by my organization accepts a JSON or YAML specification file to on-board an API.

So I reached out to the OpenAPI team, and they informed me that OData support will soon be part of OpenAPI; meanwhile, the tools and process below can be used to convert an OData specification to an OpenAPI specification.


  • OData to OpenAPI conversion tools are available at https://github.com/oasis-tcs/odata-openapi/tree/master/tools
  • Download or clone the tools folder.
  • Create a folder named "examples" at the same level as the "tools" folder. This folder is used to keep the OData EDMX (metadata) files.
  • If you have Node installed, install the following npm packages (for a Windows machine):
      npm install -g node-gyp
      npm install --global --production windows-build-tools
  • Once the above packages are installed, open a command window in the tools folder and run npm install -g. This installs the converter and its dependencies from the package.json located in the tools folder.
  • Once the packages are installed, convert OData to OpenAPI by running odata2openapi -drp <MyMetadata.xml> (the file MUST be inside the examples folder; -d, -r and -p are the diagram, references and pretty-print options listed below).
  • By default the tool converts to the OpenAPI 3.0 specification. To convert to the 2.0 (Swagger) specification, use the -o option from the list below:

Options:
--basePath              base path (default: /service-root)
-d, --diagram           include YUML diagram
-h, --help              show this info
--host                  host (default: localhost)
-o, --openapi-version   3.0.0 or 2.0 (default: 3.0.0)
-p, --pretty            pretty-print JSON result
-r, --references        include references to other files
--scheme                scheme (default: http)
-u, --swagger-ui        URL of Swagger UI for cross-service references
  • Once the file is converted, I used the Swagger editor to modify a few values and finally on-boarded it to APIM.
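The converter's defaults shown above (scheme http, host localhost, basePath /service-root) are fine for a local test but not for a gateway, and the generated document carries no security scheme. The script below is an added example of the "modify a few values" step done in code rather than by hand; it is not part of the original post or of the oasis-tcs tools. The two sample documents are constructed stand-ins for the converter's OpenAPI 3.0.0 and Swagger 2.0 output, and the host, base path and X-Api-Key header name are assumptions to be replaced with whatever your gateway expects.

```python
"""Post-process odata2openapi output before on-boarding it to an API gateway.

Added example, not code from the original post or from the oasis-tcs
odata-openapi tools. SAMPLE_V3 and SAMPLE_V2 are constructed minimal versions
of what the converter emits with default options; the host, base path and
X-Api-Key header name are assumptions.
"""
import copy
import json

# Constructed: shape of the converter's default output for both target versions.
SAMPLE_V3 = {
    "openapi": "3.0.0",
    "info": {"title": "Products", "version": "1.0"},
    "servers": [{"url": "http://localhost/service-root"}],
    "paths": {"/Products": {"get": {"responses": {"200": {"description": "OK"}}}}},
}
SAMPLE_V2 = {
    "swagger": "2.0",
    "info": {"title": "Products", "version": "1.0"},
    "host": "localhost",
    "schemes": ["http"],
    "basePath": "/service-root",
    "paths": {"/Products": {"get": {"responses": {"200": {"description": "OK"}}}}},
}


def plaintext_urls(spec):
    """Return every plain-http server URL still present in the document."""
    if "servers" in spec:                                      # OpenAPI 3.x
        urls = [server.get("url", "") for server in spec["servers"]]
    else:                                                      # Swagger 2.0
        urls = [f"{scheme}://{spec.get('host', '')}{spec.get('basePath', '')}"
                for scheme in spec.get("schemes", [])]
    return [url for url in urls if url.startswith("http://")]


def harden(spec, host, base_path, api_key_header="X-Api-Key"):
    """Return a copy that points at https://host/base_path and requires an API key."""
    out = copy.deepcopy(spec)
    scheme_def = {"type": "apiKey", "in": "header", "name": api_key_header}
    if str(out.get("openapi", "")).startswith("3."):
        out["servers"] = [{"url": f"https://{host}{base_path}"}]
        out.setdefault("components", {}).setdefault("securitySchemes", {})["gatewayKey"] = scheme_def
    elif out.get("swagger") == "2.0":
        out["host"] = host
        out["schemes"] = ["https"]
        out["basePath"] = base_path
        out.setdefault("securityDefinitions", {})["gatewayKey"] = scheme_def
    else:
        raise ValueError("not an OpenAPI 3.0 or Swagger 2.0 document")
    out["security"] = [{"gatewayKey": []}]   # top-level requirement applies to every operation
    return out


def harden_file(src_path, dst_path, host, base_path):
    """Read the converter's JSON output, harden it, and write the result."""
    with open(src_path) as src:
        spec = json.load(src)
    with open(dst_path, "w") as dst:
        json.dump(harden(spec, host, base_path), dst, indent=2)


if __name__ == "__main__":
    for sample in (SAMPLE_V3, SAMPLE_V2):
        fixed = harden(sample, "api.example.com", "/sap/products")
        print(plaintext_urls(sample), "->", plaintext_urls(fixed))
```

Run plaintext_urls on the final document as a last check before upload: an empty list means nothing in the spec still advertises an http:// endpoint.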


Monday, February 26, 2018

HttpClient for ASP.NET Core 2.0

The following articles explain the issues with creating and disposing HttpClient instances per request:

https://aspnetmonsters.com/2016/08/2016-08-27-httpclientwrong/

http://www.nimaara.com/2016/11/01/beware-of-the-net-httpclient/

As per the ASP.NET Core 2.1 roadmap, a built-in HttpClient factory service will be available. Until that framework version is available, I'm using the implementation of HttpClient below:

https://gist.github.com/ajopjo/796ddf8d2f44dd3dbf6268da179cb239

If you find any issues with the implementation, please let me know.

Thursday, February 22, 2018

Integrating Serilog to ASP.NET Core

If you are not using the Serilog configuration package (Serilog.Settings.Configuration) and want to set up Serilog from an app-specific configuration section, use:

using System;
using Serilog;
using Serilog.Core;
using Serilog.Events;

webHostBuilder.ConfigureLogging((hostingContext, logging) =>
            {
                // "LogSettings" is my custom configuration section; LogConfiguration
                // is the POCO it binds to (Sink, Url and LogLevel properties).
                var logSettings = new LogConfiguration();
                hostingContext.Configuration.GetSection("LogSettings").Bind(logSettings);

                // Build the level switch before the logger so it actually controls the
                // minimum level; default to Debug when LogLevel is missing or not numeric.
                var levelSwitch = new LoggingLevelSwitch(LogEventLevel.Debug);
                if (int.TryParse(logSettings.LogLevel, out var level))
                {
                    levelSwitch.MinimumLevel = (LogEventLevel)level;
                }

                var loggerConfiguration = new LoggerConfiguration()
                                              .MinimumLevel.ControlledBy(levelSwitch)
                                              .MinimumLevel.Override("Microsoft", LogEventLevel.Information)
                                              .Enrich.FromLogContext();

                // Sink selection: "rollingFile" writes to a local file, anything else goes to Seq.
                Log.Logger = string.Equals(logSettings.Sink, "rollingFile", StringComparison.OrdinalIgnoreCase)
                    ? loggerConfiguration.WriteTo.RollingFile(logSettings.Url).CreateLogger()
                    : loggerConfiguration.WriteTo.Seq(logSettings.Url).CreateLogger();

                logging.AddSerilog(dispose: true);
            });

Autofac dependency injection per request based on a header parameter, ASP.NET Core 2.0

   // IMyService and MyCountryService are placeholder names for the interface and one
   // of its per-country implementations; Constants.CountryHeader is the header key.
   // IHttpContextAccessor must be registered (services.AddHttpContextAccessor()).
   builder.Register(c =>
            {
                var httpContext = c.Resolve<IHttpContextAccessor>().HttpContext
                    ?? throw new InvalidOperationException("Resolved outside of an HTTP request.");

                // The header value is client-controlled: only names registered in the module
                // below can be resolved; anything else throws ComponentNotRegisteredException.
                string dependencyName = httpContext.Request.Headers[Constants.CountryHeader];
                if (string.IsNullOrEmpty(dependencyName))
                {
                    throw new InvalidOperationException($"Missing {Constants.CountryHeader} header.");
                }

                return c.ResolveNamed<IMyService>(dependencyName);
            }).InstancePerLifetimeScope();

and in the module
   protected override void Load(ContainerBuilder builder)
        {
            // One named registration per supported header value.
            builder.RegisterType<MyCountryService>().Named<IMyService>("Name of dependency");
        }

Monday, December 11, 2017

API Dev Ex Journey

When I had a chat with the business I'm working with, they told me they often see a lot of fraudulent transactions originating from one of their eCommerce B2C web sites. Most of the fraudulent transactions exhibit a pattern: either the billing address or the shipping address is invalid. The eCommerce site doesn't implement address validation for billing or shipping addresses. If that validation existed, a user could not navigate to the payment page without correcting the address issues. So I looked at some of the address validation services. What I did as a developer is relevant for anyone seeking an API :)

1.     Searchability/Discoverability of an API

As the first step, a developer goes to a search engine and hunts for the API they are interested in. So if we offer commercial APIs, it's very important to make sure that they are ranked properly by the search engines and bubble up when a user searches for API-related keywords.

2.     API documentation

After the API hunt, I found that a lot of companies (UPS, USPS, Experian, SmartyStreets) offer an address validation service. The criteria I used to weigh the API offerings from the different companies were:
1.     How easily and quickly I can comprehend the APIs.
2.     Simplicity of the API methods, requests and responses. For SmartyStreets, most of the request and response objects are self-explanatory; I didn't even go through their API documentation :) I think the APIs talk directly to the developer.
3.     Try it yourself. After reading about the APIs, the immediate step a developer takes is to see the APIs in action. Some API providers offer a "try it now" link that allows a user to test the APIs without logging in or even requesting an API key.
Being able to try out an API without logging in or providing 100 steps of information is another key aspect of DX.

3.     Integration

Another criterion I considered is how easily I can integrate the APIs into my application. For this, I look for SDKs available from the API provider. Most companies provide SDKs that support various programming languages. Another aspect I considered is how often the APIs are versioned and how often the companies publish their SDKs.

Other aspects, like cost of usage (fixed vs. pay per use), support, etc., were also considered. However, I wanted to share the above three core aspects. Please share your thoughts.

