Capstone Coding

OWASP 2013

Injection, Broken Authentication and Session Management, Cross-Site Scripting, Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery, Using Componests with Known Vulnerabilities, Unvalidated Redirects and Forwards

Open-closed Principle

Objects or entities should be open for extension, but closed for modification.

Step Into

Step Into - Causes the Debugger to execute the current line and continue until it reaches the next executable statement, which may be in the current procedure, a subprocedure, or a trigger. That statement becomes the current line, and is not executed until you continue.

Unit Test

s a software testing method by which individual units of source code, sets of one or more computer program modules together with associated control data, usage procedures, and operating procedures, are tested to determine whether they are fit for use. Unit tests are typically automated tests written and run by software developers to ensure that a section of an application (known as the "unit") meets its design and behaves as intended.[2] In procedural programming, a unit could be an entire module, but it is more commonly an individual function or procedure. In object-oriented programming, a unit is often an entire interface, such as a class, but could be an individual method.[3] By writing tests first for the smallest testable units, then the compound behaviors between those, one can build up comprehensive tests for complex applications.[2]

Conditionals operators

&& and || or ! not q ? a : b ternary e if condition q is true, a is evaluated, else b is evaluated

Basic Programming Constructs

1) Sequence-the order in which instructions occur and are processed 2) Selection-determines which path a program takes when it is running 3) Iteration-execution of a section of code when a program is running (count controlled or condition controlled)

Single Responsibility Principle

A class should have one and only one reason to change, meaning that a class should have only one job.

Interface segregation principle

A client should never be forced to implement an interface that it doesn't use or clients shouldn't be forced to depend on methods they do not use.

Complier

A compiler is a software program that transforms high-level source code that is written by a developer in a high-level programming language into a low level object code (binary code) in machine language, which can be understood by the processor. The process of converting high-level programming into machine language is known as compilation. The processor executes object code, which indicates when binary high and low signals are required in the arithmetic logic unit of the processor.

SS-Vulnerabilities

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. Lack of input validation on user input Lack of sufficient logging mechanism Fail-open error handling Not closing the database connection properly

SS-Broken Authentication and Session Management

A vulnerability that allows capture or bypass of authentication methods used to protect against unauthorized access. -use of username and password -23% of all applications are vulnerable -encrypted connections -predictable login credentials -session value does not timeout -session IDS are in the URL

Liskov substitution principle

All this is stating is that every subclass/derived class should be sustainable for their base/parent class.

Run-time Errors

An error that occurs during the execution of a program. In contrast, compile-time errors occur while a program is being compiled. Run-time errors indicate bugs in the program or problems that the designers had anticipated but could do nothing about. For example, running out of memory will often cause a run-time error. Note that run-time errors differ from bombs or crashes-in that you can often recover gracefully from a run-time error.

Client-Side

Client-server systems are today most frequently implemented by (and often identified with) the request-response model: a client sends a request to the server, which performs some action and sends a response back to the client, typically with a result or acknowledgement. Designating a computer as "server-class hardware" implies that it is specialized for running servers on it. This often implies that it is more powerful and reliable than standard personal computers, but alternatively, large computing clusters may be composed of many relatively simple, replaceable server components.

Deploy Java Web Application

Create a Java web application, build a war artifact, deploy your application inside a Tomcat server

SS-CSRF

Cross Site Request Forgery- makes it possible for an attacker to force a user to unwillingly perform attacks. Hidden automatic requests can be hidden in pages.

SS-XSS

Cross-Site Scripting-inject snippets of JS into your application without validation Reflected XXS-attacker sends victim a link to the target app thru email or social media, script embedded which executes when on site Stores XXS-plant a persistent script in the target website which will execute when anyone visits DOM based XXS-not http, injected after modifying DOM In victims browser then executes

Deploy .Net Web Application

Deploy your application to IIS on your development computer using the same process that you'll use later to deploy it to your production environment. You can configure Visual Studio to use IIS when you run a web project, but that wouldn't test your deployment process. This method validates your deployment process and that your application runs correctly under IIS. Deploy your application to a test environment similar to your production environment. The production environment for these tutorials is Web Apps in Azure App Service. The ideal test environment is an additional web app created in the Azure Service. Though it would be set up the same way as a production web app, you would only use it for testing.

Dependency Inversion principle

Entities must depend on abstractions not on concretions. It states that the high level module must not depend on the low level module, but they should depend on abstractions.

OOP Encapsulation

Hiding unnecessary details from the user

SS-OWASP Top Ten 2017

Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities, Broken Access Control, Security Misconfiguration, Cross-Site Scripting, Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging and Monitoring

Javascript

JavaScript is the Programming Language for the Web. JavaScript can update and change both HTML and CSS. JavaScript can calculate, manipulate and validate data.

SS-SQL Injection

Public disclosures and breaches untrusted or manipulated requests, commands or queries to be executed by the web app. -SQL is the most common -Data is lost, stolen, or corrupted -unauthorized access -complete host system takeover

DP-Observer

This pattern is a one-to-many dependency between objects so that when one object changes state, all its dependents are notified. This is typically done by calling one of their methods. In case of many subjects and few observers, if each subject stores its observers separately, it'll increase the storage costs as some subjects will be storing the same observer multiple times.

OOP Inheritance

allows code re-usability when a class includes property of another class.

Server

a computer program or a device that provides functionality for other programs or devices, called "clients". This architecture is called the client-server model, and a single overall computation is distributed across multiple processes or devices. Servers can provide various functionalities, often called "services", such as sharing data or resources among multiple clients, or performing computation for a client. A single server can serve multiple clients, and a single client can use multiple servers. A client process may run on the same device or may connect over a network to a server on a different device.[1] Typical servers are database servers, file servers, mail servers, print servers, web servers, game servers, and application servers.[2]

IDE

a software application that provides comprehensive facilities to computer programmers for software development. An IDE normally consists of at least a source code editor, build automation tools and a debugger. Some IDEs, such as NetBeans and Eclipse, contain the necessary compiler, interpreter, or both; others, such as SharpDevelop and Lazarus, do not. The boundary between an IDE and other parts of the broader software development environment is not well-defined; sometimes a version control system or various tools to simplify the construction of a graphical user interface (GUI) are integrated. Many modern IDEs also have a class browser, an object browser, and a class hierarchy diagram for use in object-oriented software development.

DP-Strategy

allows grouping related algorithms under an abstraction, which allows switching out one algorithm or policy for another without modifying the client. Instead of directly implementing a single algorithm, the code receives runtime instructions specifying which of the group of algorithms to run.

OOP Class

collection of methods and variables. Blueprint which defines the data and the behavior of a type. Define class using a class keyword enclosed by a pair of curly braces: public class humanBeing { }

Debugging

computer code introduced to a computer program to test for errors or to help determine the cause of an error. It can be as simple as an echo command to print the value of a variable at certain points of a program. Modern integrated development environments sometimes render this unnecessary by allowing the placement of stop points at specific places in the program, and providing the ability to view the value of variables through the IDE rather than program output.

Syntax

computer language is the set of rules that defines the combinations of symbols that are considered to be a correctly structured document or fragment in that language. This applies both to programming languages, where the document represents source code, and to markup languages, where the document represents data. Computer language syntax is generally distinguished into three levels: Words - the lexical level, determining how characters form tokens; Phrases - the grammar level, narrowly speaking, determining how tokens form phrases; Context - determining what objects or variables names refer to, if types are valid, etc.

object-oriented programming

designing a program by discovering objects, their properties, and their relationships

Java

general-purpose computer programming language that is concurrent, class-based, object-oriented, and specifically designed to have as few implementation dependencies as possible. It is intended to let application developers "write once, run anywhere" (WORA), meaning that compiled Java code can run on all platforms that support Java without the need for recompilation.

DP-Factory Method

objects are created by calling a factory method instead of calling a constructor.

OOP: Polymorphism

redefine the way something words, by either changing how it is done or by changing the parts used to get it done. Done in two ways: overloading and overriding

Step-Over

refers to a set of commands that let you run procedures incrementally, suspending the process as each statement or block is executed so that you can evaluate the precise effect of each code segment. Used in conjunction with breakpoints, code-stepping commands let you fully control when the application runs uninterrupted and when it is suspended. Code-stepping options The following options are available: Step Into - Causes the Debugger to execute the current line and continue until it reaches the next executable statement, which may be in the current procedure, a subprocedure, or a trigger. That statement becomes the current line, and is not executed until you continue. Step Over - Causes the Debugger to execute the current line and continue until it reaches either a breakpoint, or the next executable statement in the same procedure. Thus, if the current line calls a subprocedure or causes a trigger to execute, the subprocedure or trigger is executed without interruption unless there is a breakpoint. In other words, the Debugger steps "over," not "into," the subprocedure or trigger. Step Return - Causes the Debugger to execute the current line and continue either until it reaches a breakpoint, or until the current procedure ends and returns control to the calling procedure. Resume - Causes the Debugger to execute the current line and continue without interruption until it reaches either a breakpoint or the end of the program. Suspend - Interrupts execution and gives control to the Debugger. Also, suspends an attached AVM. Terminate - Interrupts execution and ends the Debugger session. Disconnect - Disconnects the Debugger from the attached AVM.

OOP Abstraction

showcasing only the required things to the outside world while hiding the details. Focuses on what an object does. Used for managing large and complex programs

DP-State

state pattern encapsulates the various states a machine can be in, and allows an object to alter its behavior when its internal state changes. The machine or the context, as it is called in pattern-speak, can have actions taken on it that propel it into different states. Without the use of the pattern, the code becomes inflexible and littered with if-else conditionals.

Methods

statements gathered together to perform a specific task

Text Editor

type of computer program that edits plain text. Such programs are sometimes known as "notepad" software, following the naming of Microsoft Notepad.[1][2][3] Text editors are provided with operating systems and software development packages, and can be used to change files such as configuration files, documentation files and programming language source code.[4]

DP-Adapter

used to build objects. Sometimes, the objects we create can be complex, made up of several sub-objects or require an elaborate construction process. The exercise of creating complex types can be simplified by using the builder pattern. A composite or an aggregate object is what a builder generally builds.

DP-Builder

used to build objects. Sometimes, the objects we create can be complex, made up of several sub-objects or require an elaborate construction process. The exercise of creating complex types can be simplified by using the builder pattern. A composite or an aggregate object is what a builder generally builds.

DP-Singleton

used to limit creation of a class to only one object. This is beneficial when one (and only one) object is needed to coordinate actions across the system. constructor 'private' to the class we intend to define as a singleton. That way, only the members of the class can access the private constructor and no one else.

Design Patterns

used to represent some of the best practices adapted by experienced object-oriented software developers. A design pattern systematically names, motivates, and explains a general design that addresses a recurring design problem in object-oriented systems. It describes the problem, the solution, when to apply the solution, and its consequences. It also gives implementation hints and examples.

Variable

used to store information to be referenced and manipulated in a computer program. They also provide a way of labeling data with a descriptive name, so our programs can be understood more clearly by the reader and ourselves. It is helpful to think of variables as containers that hold information. Their sole purpose is to label and store data in memory. This data can then be used throughout your program.

Loops

while, for, do while used to perform a particular task repeatedly while loop is continuously executed if the Boolean condition becomes true, it can be considered as a repeating if statement. While loop first checks the body of the loop then it will be executed. Java for loop is a concise version of while loop, it provides the user to write the whole condition, i.e. initialization, condition and Increment/decrement in one line A do while statement is an exit controlled loop, i.e. it checks the condition after the execution of the loop. It means that the body of the loop is executed once if the condition is true or false.