Ganymed SSH-2: Java based SSH-2 Protocol Implementation
The Ganymed SSH-2 library allows one to connect to SSH servers from within Java programs. It supports SSH sessions (remote command execution and shell access), local and remote port forwarding, local stream forwarding, X11 forwarding, SCP and SFTP. There are no dependencies on any JCE provider, as all crypto functionality is included.
Ganymed SSH-2 for Java is the de-facto standard for open source based SSH communication in Java software. The library is used in many industrial products but also in open source software, e.g., in the widely used SVN plugin for Eclipse and in Cyberduck (a popular SFTP client for the Mac).
Originally, Ganymed SSH-2 for Java was developed by Dr. Christian Plattner for the Ganymed replication project at ETH Zurich, Switzerland, back in 2005. In the meantime, its clearly structured code has been ported by different people to other languages as well. Confusingly, there are also Java branches with slightly different names. However, Ganymed SSH-2 for Java is the original implementation with a stable interface that is backwards compatible to the first implementation written in 2005 (!). ·
Darik's Boot and Nuke ("DBAN") is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction. ·
Apache Shiro is a powerful and easy-to-use security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications. ·
Want to beat the hackers at their own game?
* Learn how hackers find security vulnerabilities!
* Learn how hackers exploit web applications!
* Learn how to stop them!
This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:
* How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
* How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.
To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.). ·
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography.
Our mission: To provide the most robust and comprehensive application security framework available while also being very easy to understand and extremely simple to use. ·
The scip VulDB is a free vulnerability database in German. Our experts document the latest vulnerabilities daily and make the data available. This allows our penetration testers as well as customers and partners to benefit from the catalogued vulnerabilities. ·
verinice is an ISMS tool for managing information security. The software is released under the GPLv3 license as open-source software, available as a free download.
verinice supports the Windows, Linux and MacOS operating systems and has licensed the BSI's IT-Grundschutz catalogues. ·
In many Java EE applications declarative security is required where user and group information is stored in a database. To support this, an application server must support a security realm based on a JDBC datasource.
Glassfish V2 application server also supports a configuration like this through the JDBCRealm. Unfortunately, this JDBCRealm is restrictive in various ways:
* It assumes a data model where groups are modeled as value objects in the sense of Eric Evans' terminology in Domain Driven Design. Specifically, if a group should have more properties apart from its name, then these have to be modeled in a separate database structure keyed on the group name.
* A very specific data model is assumed. Two tables are used: one holding the encoded password for every user, and another holding pairs of user names and group names that define which groups a user belongs to.
* It is static in that it assumes that a user will always be a part of the same groups over time. After retrieving the groups for the first time, it caches them indefinitely. This makes the JDBCRealm of glassfish unsuitable for dynamic applications where users can join or leave groups.
As is clear, the JDBCRealm of glassfish either fits your purpose and you are done, or it doesn't and you have to either work around it in your application or create a separate more flexible JDBC security realm yourself. Since I had a stable application that I wasn't intending on modifying, I decided to do the latter.
The FlexibleJdbcRealm is a JDBC security realm which is similar to the approach used in JBoss application server. Instead of depending on a fixed database structure with only limited configuration, it is configured with two queries instead:
* One query for determining the (encoded) password of the user based on the user name.
* One query for determining the groups the user belongs to based on the user name.
In other words, instead of assuming a certain type of data model, configuring some column and table names, and constructing the two JDBC queries for passwords and groups itself as JDBCRealm does, the FlexibleJdbcRealm is configured directly with the two queries. As a result, FlexibleJdbcRealm is more general than JDBCRealm, since it can handle any data model that JDBCRealm can.
In particular, in the application that triggered this, I had a datamodel that did not fit the one assumed by JDBCRealm. In my design I am using surrogate keys and have three tables:
* a Users table with primary key, user name, encoded password, and other user attributes
* a groups table with primary key, group name, and other group attributes
* a user_groups table with a mapping of users to groups (based on primary key)
This data model can easily be handled using FlexibleJdbcRealm, but would have required a redesign of the application had I used JDBCRealm. ·
As you can probably deduce from its name, the purpose of this project is to provide an OAuth implementation for Spring Security. Support is provided for both OAuth provider developers and OAuth consumer developers. ·
Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms. ·
Spring Remoting with Security and SSL
September 30th, 2008 by Mattias Hellborg Arthursson — Security, Spring
One of my favorite features of the Spring Framework is the Spring Remoting part, which enables you to expose any bean in a Spring Application Context as a remote service over HTTP. It's fast, it's easy, and it's really, really simple. ·
In order to solve web application vulnerabilities we have created HDIV (HTTP Data Integrity Validator) open source project.
We can briefly define HDIV as a Java Web Application Security Framework. HDIV extends web applications’ behaviour by adding Security functionalities, maintaining the API and the framework specification. This implies that we can use HDIV in applications developed in Struts 1.x, Struts 2.x, Spring MVC and JSTL in a transparent way to the programmer and without adding any complexity to the application development. It is possible to use HDIV in applications that don’t use Struts 1.x, Struts 2.x, Spring MVC or JSTL, but in this case it is necessary to modify the application (JSP pages).
The security functionalities added to the web applications are these:
INTEGRITY: HDIV guarantees the integrity (no data modification) of all the data generated by the server which should not be modified by the client (links, hidden fields, combo values, radio buttons, destination pages, etc.). Thanks to this property, HDIV helps to eliminate most of the vulnerabilities based on parameter tampering.
EDITABLE DATA VALIDATION: HDIV eliminates to a large extent the risk arising from Cross-site scripting (XSS) and SQL Injection attacks by applying generic validations to the editable data (text and textarea).
CONFIDENTIALITY: HDIV guarantees the confidentiality of the non-editable data as well. Usually a lot of the data sent to the client contains key information for attackers, such as database record identifiers, column or table names, web directories, etc. All these values are hidden by HDIV to avoid malicious use of them. For example, a link of this type, http://www.host.com?data1=12&data2=24, is replaced by http://www.host.com?data1=0&data2=1, guaranteeing the confidentiality of the values representing database identifiers. It is also possible to hide the names of the parameters, turning the link into http://www.host.com?0=0&1=1.
ANTI-CROSS SITE REQUEST FORGERY (CSRF) TOKEN: A random string, called a token, is placed in each form and link of the HTML response, ensuring that this value will be submitted with the next request. This random string provides protection because the compromised site must not only know the URL of the target site and a valid request format for the target site, it must also know the random string, which changes for each visited page. ·
International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems, as well as better understanding and management of software weaknesses related to architecture and design. ·
JUG is a pure java UUID generator, that can be used either as a component in a bigger application, or as a standalone command line tool (a la 'uuidgen'). UUIDs are 128-bit Universally Unique IDentifiers (aka GUID, Globally Unique IDentifier used in Windows world).
JUG generates UUIDs according to the IETF UUID draft specification (further clarified in the UUID URN name space IETF draft), covering all 3 'official' types defined by the draft, and is fast, portable and Open Source (as well as Free Software).
You can use JUG in your application according to the license terms of the LGPL (Lesser General Public License) or, from version 2.0 on, the ASL. See the Download page for more details.
From version 1.0.0 on, native code (invoked via JNI) for accessing the Ethernet MAC address is included with the JUG distribution. Big thanks to Paul Blankenbaker and DJ Hagberg (amongst others) for their code contributions!
Note that using this functionality is optional: only time+location-based generation needs a MAC address, and even then one can simply pass the address from a configuration file.
Currently JNI-based Ethernet MAC address support is available on following platforms:
* Linux / x86
* Windows (98, ME, NT, 2K, XP?) / x86
* Solaris / Sparc
* Mac OS X
* FreeBSD / x86
Note: if anyone can recompile the Mac OS X JNI code on Open/NetBSD and check whether it works, that would be useful (the FreeBSD JNI code was compiled this way). ·
VELO is an Open Source Identity and Access Provisioning server.
* SPML V2 compliance. new!
* Role Based Access Control (RBAC)
* Consolidated Employee Identity Attributes repository
* Accounts Attribute Synchronization
* User and Access Reconciliations
* Integrated work-flow engine for complex business processes
* Self Service interfaces
* Support many resources
* Support Complete Account Operations
* Specific typed actions can be added easily
* Centralized Password Policy and Password Synchronization.
* Auditing & Compliance.
* Powerful scripting support for complex processes via Scripting expressions
* Supports more than 20 different scripting languages! new
* Remote services access via Web-Services.
* Extensible via Events.
* Advanced Report Designer & Web-based Reporting Manager.
* Pluggable Authentication Handlers.
* Jboss and Glassfish Support ·
Penrose is a java-based virtual directory server. Virtual directory enables federating (aggregating) identity data from multiple heterogeneous sources like directory, databases, flat files, and web services - real-time - and makes it available to identity consumers via LDAP. ·
* On Demand
o Can load keys when ssh is launched.
o Can load keys when the Apple Keychain is unlocked.
o Can unload keys on sleep (or after a period of sleep).
o Can unload keys when the screensaver kicks in.
o Can unload keys when the Apple Keychain is locked.
o Can lock the Apple Keychain when the screensaver kicks in.
o Can ask for confirmation when keys are accessed (useful for agent forwarding).
o Icon can be displayed in the statusbar, dock, or both.
o Apple Keychain
+ Can store SSH key passphrases in the Apple Keychain.
+ Can lock/unlock the Apple Keychain from a menu item.
o Global Environment
+ Can add the necessary variables to the global environment, so you can use SSHKeychain with Project Builder, etc.
o SSH Tools
+ Works seamlessly with the command-line tools (adding keys from the command line also updates the UI).
+ Can generate new keypairs from the UI.
+ Local ports can be forwarded over a ssh connection from the tunnel menu.
+ Tunnels can be launched when your keys are loaded.
+ The tunnel menu indicates the status of your tunnels.
+ Tunnels are automatically closed when the system goes to sleep.
+ Multiple ports can be forwarded over one ssh connection.
o Can handle agent requests through Agent Forwarding.
Shibboleth is standards-based, open source middleware software which provides Web Single SignOn (SSO) across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner. ·