Tuesday, December 28, 2010

Web service Threats

Web Service layer Threat Types: Disclosure Threats, Deception Threats, Disruption Threats, Usurpation Threats.




Service Level:
Vulnerability: The WSDL exposes the message exchange pattern, types, values, methods and parameters available to a service requester. An attacker can use this information to learn how the system is built and to craft attacks against the service.
Suggestion:
At the service level, authentication and authorization of service requesters can be used to protect the WSDL and related service metadata from disclosure threats.
Apply proper SOAP Fault / error handling while processing the security information of messages, so that a fault does not leak details (stack traces, internal host names, schema fragments) back to the requester.




Message Level:
Observation: message protection mechanisms are missing.
Vulnerability: The message can be read or modified by an attacker before it reaches its destination.
Suggestions: 
1. Follow the common message protection mechanisms.
2. Use signatures to verify message origin and integrity.
3. Encrypt messages.
4. Add timestamps to messages.
5. Add the necessary security tokens to messages.
6. Make sure a message expiry mechanism is in place, so that a captured message cannot be replayed later.
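The six message-level controls above fit into one small signed envelope. The following is an added example, not code from the original post: it uses an HMAC over a JSON body together with a timestamp and a nonce in place of WS-Security XML signatures and tokens, and it assumes a key shared out of band (the key value and the 300-second validity window are made-up example values).

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumed: requester and service share this key out of band. The value is a
# placeholder for the example, not a real secret.
SHARED_KEY = b"example-shared-key-replace-me"
MAX_AGE_SECONDS = 300  # how long a timestamped message stays valid (assumed policy)


def _canonical(body, timestamp, nonce):
    # The signature covers body, timestamp and nonce together, so none of them
    # can be altered without invalidating it. sort_keys gives a stable encoding.
    envelope = {"body": body, "ts": timestamp, "nonce": nonce}
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign_message(body, key=SHARED_KEY, now=None):
    """Attach a timestamp, a nonce (the security token) and an HMAC-SHA256 signature."""
    timestamp = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    sig = hmac.new(key, _canonical(body, timestamp, nonce), hashlib.sha256).hexdigest()
    return {"body": body, "ts": timestamp, "nonce": nonce, "sig": sig}


class ReplayCache:
    """Remembers nonces for as long as their message could still be accepted."""

    def __init__(self):
        self._seen = {}  # nonce -> timestamp it arrived with

    def remember(self, nonce, timestamp, now):
        # Evict nonces whose messages would now fail the expiry check anyway.
        for old_nonce, old_ts in list(self._seen.items()):
            if now - old_ts > MAX_AGE_SECONDS:
                del self._seen[old_nonce]
        if nonce in self._seen:
            return False
        self._seen[nonce] = timestamp
        return True


def verify_message(msg, cache, key=SHARED_KEY, now=None):
    """Return (accepted, reason): origin/integrity first, then expiry, then replay."""
    now = int(time.time() if now is None else now)
    try:
        body, ts, nonce, sig = msg["body"], int(msg["ts"]), msg["nonce"], msg["sig"]
        if not isinstance(nonce, str) or not isinstance(sig, str):
            raise TypeError("nonce and sig must be strings")
        expected = hmac.new(key, _canonical(body, ts, nonce), hashlib.sha256).hexdigest()
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # Reject stale messages and far-future timestamps (clock skew beyond the window).
    if abs(now - ts) > MAX_AGE_SECONDS:
        return False, "expired"
    if not cache.remember(nonce, ts, now):
        return False, "replayed"
    return True, "ok"


if __name__ == "__main__":
    cache = ReplayCache()
    msg = sign_message({"op": "transfer", "amount": 10})
    print(verify_message(msg, cache))           # (True, 'ok')
    print(verify_message(msg, cache))           # (False, 'replayed')
    msg["body"]["amount"] = 10000
    print(verify_message(msg, ReplayCache()))   # (False, 'bad signature')
```

The order of the checks matters: the signature is verified before the timestamp or nonce are trusted, otherwise an attacker could feed the replay cache with unsigned garbage.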


                                      


Web Service Solution:
Observation: test whether each of the following is possible against the deployed service:
1. Coercive Parsing
2. Parameter Tampering
3. Recursive Payloads
4. Oversize Payloads
5. Schema Poisoning
6. WSDL Scanning
7. Routing Detours
8. External Entity Attack
9. SQL Injection
10. Replay Attack

Vulnerability: if any one of these succeeds, the service is compromised.
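Several items in the list above (coercive parsing, recursive payloads, oversize payloads and external entity attacks) can be refused before a request ever reaches the real SOAP parser. The gatekeeper below is an added example, not code from the original post; it uses Python's standard xml.sax parser, the byte and depth limits are assumed policy values, and the sample payloads are constructed for the example.

```python
import io
import xml.sax
from xml.sax import handler

MAX_BYTES = 64 * 1024  # oversize-payload limit (assumed policy value)
MAX_DEPTH = 32         # recursive-payload limit (assumed policy value)


class RejectPayload(Exception):
    """Raised from a parser callback; parsing stops right there."""


class Gatekeeper(handler.ContentHandler):
    """Counts nesting depth and refuses any DTD. Also acts as the lexical handler."""

    def __init__(self, max_depth):
        super().__init__()
        self.max_depth = max_depth
        self.depth = 0
        self.max_seen = 0
        self.elements = 0

    def startElement(self, name, attrs):
        self.depth += 1
        self.elements += 1
        self.max_seen = max(self.max_seen, self.depth)
        if self.depth > self.max_depth:
            raise RejectPayload(f"nesting depth exceeds {self.max_depth}")

    def endElement(self, name):
        self.depth -= 1

    # Lexical-handler callbacks. A DOCTYPE is refused outright, which blocks
    # both entity expansion (billion laughs) and external entities (XXE)
    # before a single entity is declared.
    def startDTD(self, name, public_id, system_id):
        raise RejectPayload("DOCTYPE/DTD not allowed")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def check_payload(data, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Return (accepted, reason) for a raw request body given as bytes."""
    if len(data) > max_bytes:
        return False, f"payload larger than {max_bytes} bytes"
    gate = Gatekeeper(max_depth)
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)  # never fetch external entities
    parser.setContentHandler(gate)
    parser.setProperty(handler.property_lexical_handler, gate)
    try:
        parser.parse(io.BytesIO(data))
    except RejectPayload as exc:
        return False, str(exc)
    except xml.sax.SAXParseException as exc:
        return False, "not well-formed: " + exc.getMessage()
    return True, f"ok ({gate.elements} elements, max depth {gate.max_seen})"


# Constructed sample payloads for the checks above (not captured traffic).
CLEAN = b"<order><item sku='A1' qty='2'/></order>"
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;">]><lolz>&lol2;</lolz>')
XXE = b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
RECURSIVE = b"<a>" * 40 + b"</a>" * 40
OVERSIZE = b"<x>" + b"A" * MAX_BYTES + b"</x>"

if __name__ == "__main__":
    for label, payload in [("clean", CLEAN), ("billion laughs", BILLION_LAUGHS),
                           ("xxe", XXE), ("recursive", RECURSIVE), ("oversize", OVERSIZE)]:
        print(f"{label:15} -> {check_payload(payload)}")
```

The size check runs on the raw bytes before any parsing, and the DTD check fires on the first byte of the DOCTYPE, so neither an oversize nor an entity-expansion payload costs the server more than a rejected read. The service's own parser should still be configured with external entities disabled; this gate is a first line, not the only one.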

ADF myths

http://community.oraclepressbooks.com/downloads/S316856-adf-api-mistakes.pdf

Web security

Takeaway: Web-based application security is a major concern for all developers. Taking the time to secure your application development may involve nothing more than avoiding these common application security mistakes.




Some of the most common Web application security mistakes:
Blind trust of information retrieved from cookies and parameters passed in the URL
Unchecked input on screens
Pre-validation accounts
Unconstrained user navigation
Setting Web folder permissions incorrectly
Caching of sensitive information
Leaving Web server demos installed (like those loaded by default with IIS)
Forgetting to change default passwords on the database backend
Not loading security patches
Leaving Web administration ports enabled


A closer look at these common mistakes:


Trust but verify
"Trust but verify" was the motto of one of my favorite bosses. This is a motto that Web application designers and programmers would do well to adopt. While cookies and URL-borne parameters make life much easier for the developer, the data passed in should always be validated.


Many Web-based businesses learned this the hard way with the infamous "shopping cart vulnerability," which enabled cyber thieves to change prices of items placed in the shopping cart. The shopping cart was nothing more than a text-based cookie. Upon checkout, the server would total the prices for the items stored in the cookie. Imagine—the client had total control over the prices. Worse, the server had no means of validating the data. I'm sure a lot of businesses experienced sticker shock!


The best way to check for this is to clear all cookies, run the application, and look at the cookies written to the disk. I always look at cookie content to validate that sensitive information is not stored in cookies such as roles—or worse, userids and passwords.


Commands can equate to control
I was once asked to look at a system that passed program controls via parameters sent in the URL. As I looked at the source code, I noticed a common thread. System-level commands were embedded in the URL as follows: "action='do something.'"


During testing, I crafted a couple of customized URLs to see how the system handled them. Consequently, I was able to take control of the system via the commands I passed in that the system didn't anticipate: "action='cat xxx >> /etc/passwd.'"


The long and short is this: if you pass parameters via the URL bar, at least parse them for invalid and malicious content. Set constraints for your parameters so that if an unexpected value is passed in, your application handles it properly. This is also easy to test: modify the address in the URL bar and see how the application handles the data.


Check, please
I often find fields that do not perform data validation on input. This is a gold mine for buffer overflow and SQL injection attackers. During testing, I'll open notepad and create a 500+ character string, then cut and paste it into the password field. If the system doesn't limit the input string, many systems will hang or crash.


Then I'll test for validation rules by embedding a condition that always evaluates to true (e.g., "OR 'x'='x'") and append it into the password field. A lot of systems can be manipulated to allow unauthorized access because of the way the SQL statements have been constructed—appending an "OR TRUE" conditional fools the system into allowing unauthorized access. Here's a sample SQL statement, assembled by string concatenation, that could be manipulated (uid_entered and pwd_entered stand for the values typed on the screen):
select userid, passwd from USERS where userid = '<uid_entered>' and passwd = '<pwd_entered>'




Assume that the user entered admin into the userid field and ' OR 'x'='x into the password field. After substitution the statement reads: select userid, passwd from USERS where userid = 'admin' and passwd = '' OR 'x'='x'. Because AND binds tighter than OR, the WHERE clause is true for every row, so the query returns users regardless of the password. This is probably not what the designer was expecting.
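The two ways of building that login query, side by side, as an added example that is not part of the original article. It uses Python's standard sqlite3 module with a constructed in-memory user table; the passwords are stored in plaintext only to mirror the article's statement (a real system stores a password hash), and the 64-character input limit is an assumed policy that also covers the oversized-string test described above.

```python
import sqlite3

MAX_FIELD_LENGTH = 64  # assumed input limit; also refuses the 500+ character strings


def make_db():
    """Constructed in-memory user table for the example (not real credentials)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, passwd TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret-admin"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, userid, passwd):
    """The statement from the article, assembled by string concatenation."""
    sql = ("SELECT userid, passwd FROM users WHERE userid = '" + userid
           + "' AND passwd = '" + passwd + "'")
    return sorted(row[0] for row in db.execute(sql))


def login_parameterized(db, userid, passwd):
    """Same query with bound parameters: the database receives the statement and
    the values separately, so no input can change the statement's structure."""
    if len(userid) > MAX_FIELD_LENGTH or len(passwd) > MAX_FIELD_LENGTH:
        return []  # reject oversized input before it reaches the database
    sql = "SELECT userid, passwd FROM users WHERE userid = ? AND passwd = ?"
    return sorted(row[0] for row in db.execute(sql, (userid, passwd)))


if __name__ == "__main__":
    db = make_db()
    injected = "' OR 'x'='x"
    print(login_vulnerable(db, "admin", injected))        # ['admin', 'bob']: every row matches
    print(login_parameterized(db, "admin", injected))     # []: treated as a literal password
    print(login_parameterized(db, "admin", "s3cret-admin"))  # ['admin']
```

The vulnerable function returns both users for the injected password because the clause becomes userid = 'admin' AND passwd = '' OR 'x'='x'; the parameterized one compares the password column against the literal string ' OR 'x'='x and finds nothing.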


The keys are under the welcome mat
I am also amazed at how many times I see system accounts used to perform pre-validation logons to application databases. Many Web apps store user credentials (i.e., userids and passwords) in their own application database. Because you must log on to the database in order to validate the credentials, systems usually handle validation using what I call a "pre-validation logon account"; for example, the system logs in as "admin/admin" and validates that there is a user and password in the database matching what the user input on the screen.


Notably, every pre-validation logon account I've encountered has always been an "admin" type account with extensive privileges within the application. What makes this an even riskier practice is that in order for the Web application to have visibility to passwords for these accounts, they are usually either stored in a text file housed in the Webroot or embedded directly in the start page. Either way a malicious user can get to the password very easily. This practice is a lot like hiding house keys under the welcome mat, or a spare set of car keys on top of the visor. It's a big mistake that makes it easy to break into a Web-based application.


Going left
Another one of my favorite tests is to have one of the application administrators login legitimately, bookmark any administrative page (e.g., "add a new user page"), and log out. I test to make sure that the session expires upon logout by opening a browser and clicking on the bookmark. A surprisingly high number of times the application will automatically grant me administrator rights.


Another technique is looking for dead code that has been commented out, but not removed from the baseline. I'll login as a guest user—or any user with limited rights—and attempt to surf to dead code. Again, a lot of dead code is kept in baselines.


Quite often developers will build a startup page during development that is not intended for deployment—one that bypasses the login process and sets up a test environment. When it comes time to release the system, typically Web programmers comment out the original call, or rename the page but leave the test page out in the Webroot.


I also examine the code to determine if there are multiple login or startup screens and test to see which one allows me administrator access to the system without providing credentials. I'll also attempt to navigate outside the controls, especially if the developer put navigation guides. Usually, I can take a look at the browser history or cache to see where other users have navigated for guidance. Temporary Internet files provide a wealth of information if not cleared. If the application clearly wants me to go right, I test to ensure there are controls preventing me from going left.


May I, please
Generally developers aren't responsible for mis-set permissions—unless the application was built relying on them. For example, if a Web application requires a specific directory to be world-writable, or worse, readable, writable and executable by everyone, the application provides a perfect spot for hiding (and perhaps triggering) malicious logic.


Many applications have directories for storing temporary reports. I will usually try traipsing through folders on the Web server by modifying the URL to get a feel for permissions. If the application provides ad hoc query capability (there are typically world writeable folders for storing results), I'll attempt to post an executable file there and then call it from the browser to see if it executes.


If the application provides any upload capability, I'll check for execute permissions. Very rarely should anyone have execute permissions on Web folders. Nor should a user be able to run executables on the server. If I can shell outside the application (which I oftentimes can), any process spawned is generally owned by a privileged account, such as "oracle", "root", or "system", and has the rights of the owner. Potential problems arise if the application facilitates the uploading of data or fails to constrain access to the data once it is uploaded. Another common mistake is requiring weak permissions on upload directories.
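What a safe upload handler looks like, and a check for the weak directory permissions described above, as an added example that is not part of the original article. The filename rules and the allowed extensions are assumed policy values; the example writes into a temporary directory so it can be run anywhere.

```python
import os
import re
import stat
import tempfile

# Assumed policy: plain names only, no leading dot, a short allow-list of types.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
ALLOWED_EXTENSIONS = {".csv", ".pdf", ".txt"}


def store_upload(upload_dir, client_filename, data):
    """Write an uploaded file under upload_dir: never executable, never overwriting."""
    # Keep only the last path component; this discards ../ and absolute paths,
    # whichever kind of slash the client used.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not SAFE_NAME.match(name):
        raise ValueError(f"rejected filename: {client_filename!r}")
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected type: {client_filename!r}")
    dest = os.path.join(upload_dir, name)
    # O_EXCL refuses to clobber an existing file (nobody replaces a neighbour's
    # report); mode 0o640 gives no one execute rights on what was uploaded.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


def audit_upload_dir(path):
    """Findings for an existing directory: world-writable directory, executable files."""
    findings = []
    if os.stat(path).st_mode & stat.S_IWOTH:
        findings.append("directory is world-writable")
    for entry in os.scandir(path):
        mode = entry.stat().st_mode
        if entry.is_file() and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append(f"{entry.name} is executable")
    return sorted(findings)


def is_rejected(upload_dir, client_filename):
    """True if store_upload refuses the name (bad name, bad type, or already present)."""
    try:
        store_upload(upload_dir, client_filename, b"")
    except (ValueError, FileExistsError):
        return True
    return False


def run_checks():
    """Exercise the functions in a fresh temporary directory; results keyed by name."""
    d = tempfile.mkdtemp()
    results = {}
    stored = store_upload(d, "report.csv", b"a,b\n")
    results["stored_name"] = os.path.basename(stored)
    results["stored_executable"] = bool(os.stat(stored).st_mode & 0o111)
    results["rejected"] = [n for n in ("../../etc/passwd", "shell.php", ".htaccess",
                                       "a b.csv", "report.csv") if is_rejected(d, n)]
    results["audit_clean"] = audit_upload_dir(d)
    # Now introduce the two mistakes the article describes and audit again.
    os.chmod(d, 0o777)
    os.chmod(stored, 0o750)
    results["audit_weak"] = audit_upload_dir(d)
    return results


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Whether the Web server will actually execute a file in that directory is decided by the server configuration, not only by the file mode; keeping uploads outside the document root and serving them through a handler that sets a download disposition removes that question entirely.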


Avoid vulnerabilities
While this list isn't all inclusive, it contains the common mistakes I've seen developers make when building Web-based applications. There are a few excellent resources for developers and testers wanting more information about common vulnerabilities. I strongly suggest that all developers read the OWASP report for 2004. You should also read the SANS top 20 list. While it is not specifically addressing Web applications, it will give developers an idea of what to defend against. Armed with this knowledge, you should be able to avoid most of the common "gotchas."

Modern day - Project Life Cycle




People speak science
They implement tricks
&
The output is luck



4G

4G is the short name for fourth-generation wireless, the stage of broadband mobile communications that will supersede the third generation (3G).
Carriers that use orthogonal frequency-division multiplexing (OFDM) instead of time division multiple access (TDMA) or code division multiple access (CDMA) are increasingly marketing their services as being 4G, even when their data speeds are not as fast as the International Telecommunication Union (ITU) specifies. According to the ITU, a 4G network requires a mobile device to be able to exchange data at 100 Mbit/sec. A 3G network, on the other hand, may deliver as little as 384 kbit/sec.

From the consumer's point of view, 4G is a more a marketing term than a technical specification, but carriers feel justified in using the 4G label because it lets the consumer know that he can expect significantly faster data speeds.

Although carriers still differ about whether to build 4G data networks using Long Term Evolution (LTE) or Worldwide Interoperability for Microwave Access WiMAX, all carriers seem to agree that OFDM is one of the chief indicators that a service can be legitimately marketed as being 4G. OFDM is a type of digital modulation in which a signal is split into several narrowband channels at different frequencies. This is more efficient than TDMA, which divides channels into time slots and has multiple users take turns transmitting bursts or CDMA, which simultaneously transmits multiple signals on the same channel.

When fully implemented, 4G is expected to enable pervasive computing, in which simultaneous connections to multiple high-speed networks will provide seamless handoffs throughout a geographical area. Coverage enhancement technologies such as femtocell and picocell are being developed to address the needs of mobile users in homes, public buildings and offices, which will free up network resources for mobile users who are roaming or who are in more remote service areas.

Sunday, August 15, 2010

Memcached and Java

1. Start memcached, bound to the loopback interface only (memcached has no authentication of its own, so anyone who can reach the port can read and write every key):
$ memcached -d -m 512 -l 127.0.0.1 -p 11211


2. Check Memcache by Telnet  
$ telnet localhost 11211
Trying ::1...
Connected to localhost.
Escape character is '^]'.
get customer
END
set customer 0 3600 10  
complexity
STORED
get customer
VALUE customer 0 10
complexity
END


quit
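The telnet session above shows the memcached text protocol: one command per line, tokens separated by spaces, and a data block whose size is declared up front. The following is an added example, not the spymemcached client discussed below and not code from the original post; it encodes the same set/get exchange and decodes the reply, and it shows why a key built from user input must be validated: a key containing a space or a line break ends the command early, and whatever follows is parsed by the server as a new command. The server reply used in the example is constructed, not captured.

```python
import re

MAX_KEY_LENGTH = 250  # the text protocol's limit on key length

# Tokens are separated by spaces and commands end with \r\n, so a key holding
# either would terminate the command early and whatever follows is parsed as
# the next command (for instance a flush_all).
_BAD_KEY_BYTES = re.compile(rb"[\x00-\x20\x7f]")


class ProtocolError(ValueError):
    """Malformed command or server response."""


def validate_key(key):
    """Return the key as bytes, or raise if it could break the wire format."""
    if not isinstance(key, bytes):
        key = key.encode()
    if not key or len(key) > MAX_KEY_LENGTH or _BAD_KEY_BYTES.search(key):
        raise ProtocolError(f"invalid memcached key: {key!r}")
    return key


def build_set(key, value, flags=0, exptime=0):
    """Encode 'set <key> <flags> <exptime> <bytes>\\r\\n<data>\\r\\n'."""
    key = validate_key(key)
    if not isinstance(value, bytes):
        value = value.encode()
    return b"set %s %d %d %d\r\n%s\r\n" % (key, flags, exptime, len(value), value)


def build_get(key):
    """Encode 'get <key>\\r\\n'."""
    return b"get %s\r\n" % validate_key(key)


def parse_get_response(data):
    """Decode the reply to a get into {key: (flags, value)}; the reply ends with END."""
    items = {}
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ProtocolError("truncated response")
        line = data[pos:eol]
        pos = eol + 2
        if line == b"END":
            return items
        parts = line.split()
        if len(parts) != 4 or parts[0] != b"VALUE":
            raise ProtocolError(f"unexpected response line: {line!r}")
        try:
            flags, length = int(parts[2]), int(parts[3])
        except ValueError:
            raise ProtocolError(f"bad VALUE header: {line!r}")
        # The data block is exactly <length> bytes plus \r\n. It is read by
        # length, never by line, because a value may itself contain "\r\nEND\r\n".
        value = data[pos:pos + length]
        if len(value) != length or data[pos + length:pos + length + 2] != b"\r\n":
            raise ProtocolError("data block does not match its declared length")
        items[parts[1].decode()] = (flags, value)
        pos += length + 2


def rejects(func, *args):
    """True if the encoder/decoder refuses the input with a ProtocolError."""
    try:
        func(*args)
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    # The exchange from the telnet session above, byte for byte.
    print(build_set("customer", "complexity", 0, 3600))  # b'set customer 0 3600 10\r\ncomplexity\r\n'
    print(build_get("customer"))                         # b'get customer\r\n'
    reply = b"VALUE customer 0 10\r\ncomplexity\r\nEND\r\n"  # constructed server reply
    print(parse_get_response(reply))                     # {'customer': (0, b'complexity')}
    # A key assembled from user input that smuggles a second command is refused.
    print(rejects(build_get, "customer\r\nflush_all"))   # True
```

A good client library performs this key validation for you; the check matters when keys are assembled by hand (or by a thin wrapper) from request data. Validation of keys does nothing about the missing authentication, which is why the daemon is bound to 127.0.0.1 in step 1.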


Out of the various Java memcached clients, I prefer to use Dustin Sallings' spymemcached client.


The complete spymemcached Java API is documented in the project's Javadoc.




Sample code on how to create a connection:



import java.net.InetSocketAddress;
import net.spy.memcached.MemcachedClient;

MemcachedClient c = new MemcachedClient(
        new InetSocketAddress("hostname", portNum));

// Store a value (async) for one hour
c.set("someKey", 3600, someObject);
// Retrieve a value.
Object myObject = c.get("someKey");





                               OR





import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import net.spy.memcached.AddrUtil;
import net.spy.memcached.BinaryConnectionFactory;
import net.spy.memcached.MemcachedClient;

// Get a memcached client connected to several servers
// over the binary protocol
MemcachedClient c = new MemcachedClient(new BinaryConnectionFactory(),
        AddrUtil.getAddresses("server1:11211 server2:11211"));

// Try to get a value, for up to 5 seconds, and cancel if it
// doesn't return
Object myObj = null;
Future<Object> f = c.asyncGet("someKey");
try {
    myObj = f.get(5, TimeUnit.SECONDS);
    // throws InterruptedException, ExecutionException
    // or TimeoutException
} catch (Exception e) {
    // Since we don't need this, go ahead and cancel the operation.
    // This is not strictly necessary, but it'll save some work on
    // the server. It is okay to cancel it if running.
    f.cancel(true);
    // Do other timeout related stuff
}








Saturday, August 14, 2010

Memcached in Ubuntu Server 10.04

Memcached is a simple caching daemon that keeps objects in memory. Reading from memory is far faster than reading from disk, so a site that serves a cached database result from memcached responds much faster than one that re-runs the query. To use it from PHP you also need the PECL memcache extension, installed below.


First, install the apache2, memcached, php-pear, php5-dev and libmemcached-dev packages.


Install the following in the below order. 
sudo apt-get install memcached
sudo apt-get install php-pear
sudo apt-get install php5-dev
sudo apt-get install libmemcached-dev
sudo pecl install Memcache


and 
echo "extension=memcache.so" | sudo tee /etc/php5/apache2/conf.d/memcache.ini
(sudo echo "..." > file fails with "Permission denied": the redirection is performed by your unprivileged shell, not by sudo, so the file has to be written through tee.)


Add the following line anywhere, to your php.ini file.
memcache.hash_strategy="consistent"


Start an instance of the memcached daemon bound to the loopback address only (memcached has no authentication, so -l 127.0.0.1 is what keeps it off the network):
memcached -d -m 2048 -l 127.0.0.1 -p 11211


If you are only using a single server, and the site is a Drupal install using the memcache module, you only need to add this line to your site's settings.php file:
$conf['cache_inc'] = '/sites/all/modules/memcache/memcache.inc';


The final step is to restart apache and then switch your site back online.





The following command shows whether memcached is listening, and that it is bound to 127.0.0.1 only:
$ netstat -na | grep 11211




Install Apache2 in Ubuntu Server 10.04

Installation



The Apache2 web server is available in Ubuntu Linux. To install Apache2:
  • At a terminal prompt enter the following command:
    sudo apt-get install apache2

Enable FTP in Ubuntu


vsftpd is an FTP daemon available in Ubuntu. It is easy to install, set up, and maintain. Keep in mind that plain FTP sends usernames, passwords and file contents in cleartext: keep it on trusted networks or turn on vsftpd's TLS support (ssl_enable=YES in /etc/vsftpd.conf), and prefer SFTP over SSH where you can. To install vsftpd you can run the following command:
sudo apt-get install vsftpd
To restart the daemon
sudo /etc/init.d/vsftpd restart

Saturday, July 31, 2010

Resin with MySQL as DB

Type A:
You need to edit the configuration file for Resin - resin.conf; to tell Resin how to access your new MySql databases.


It would be under 
unix        : resin.home/conf
windows  : RESIN_HOME/conf


The configuration file by default defines a database whose JNDI name is jdbc/mysql and which is known by MySql as "test" .




You need to replicate Database part for each database to be created.  


For example, we might define the JNDI name for Application A as  "jdbc/A" . Similarly for Application B, we will have a JNDI entry with name "jdbc/B"


I have used mysql jdbc connector - in that case the driver name would look like "com.mysql.jdbc.Driver" and mysql connector jar will go into resin.home/lib or RESIN_HOME/lib.


Restart your Resin server. Because resin.conf now holds the database credentials, keep it readable only by the account Resin runs as.




Type B
Alongside web.xml under the WEB-INF folder of your application, create a resin-web.xml with the connection details. In this case the MySQL connector jar goes into the WEB-INF/lib folder of your application.







Friday, July 30, 2010

How to Install ZK on Resin

Resin

1. Download Resin from http://caucho.com/download/index.xtp and install it, if you haven't installed it yet.
2. Unzip zk-3.0.0.zip or zk-3.0.0.tar.gz
3. Copy dist/lib/*.jar to $RESIN_HOME/lib ($RESIN_HOME is where you installed Resin.)
4. Copy dist/lib/ext/*.jar to $RESIN_HOME/lib
5. Deploy demo/bin/zkdemo.war to Resin by copying it to $RESIN_HOME/webapps directly.
6. Start Resin.

Saturday, July 24, 2010

How to install MySQL 5.1 Server in Ubuntu 10.04 Server edition

To install MySQL, run the following command from a terminal prompt:

sudo apt-get install mysql-server
During the installation process you will be prompted to enter a password for the MySQL root user.

Once the installation is complete, the MySQL server should be started automatically. You can run the following command from a terminal prompt to check whether the MySQL server is running:

sudo netstat -tap | grep mysql
When you run this command, you should see the following line or something similar:

tcp        0      0 localhost.localdomain:mysql           *:* LISTEN -

If the server is not running correctly, you can type the following command to start it:
sudo /etc/init.d/mysql restart


Network Configuration :
You can edit the /etc/mysql/my.cnf file to configure the basic settings -- log file, port number, etc. For example, to configure MySQL to listen for connections from network hosts, change the bind-address directive to the server's IP address:

bind-address            = 192.168.0.5
Replace 192.168.0.5 with the appropriate address.


or 


Alternatively, comment out the whole bind-address line. MySQL then listens on every interface, which works without changes on a DHCP host, but it also exposes the server to the entire network; only do this behind a firewall that limits port 3306 to the hosts that need it.

After making a change to /etc/mysql/my.cnf the mysql daemon will need to be restarted:
sudo /etc/init.d/mysql restart
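A check that turns the netstat commands on this page (netstat -na | grep 11211 in the memcached post, sudo netstat -tap | grep mysql here) into a pass/fail answer: which local-only services are bound to something other than 127.0.0.1. This is an added example, not part of the original post; the netstat output it parses is constructed for the example, and the list of ports that should stay local is an assumed policy.

```python
import ipaddress

# Constructed sample of `netstat -na` output for the example, not a capture.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.5:22          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:11211           0.0.0.0:*
tcp6       0      0 :::3306                 :::*                    LISTEN
tcp        0      0 127.0.0.1:11211         127.0.0.1:51234         ESTABLISHED
"""

# Ports that should only ever be reachable from the box itself (assumed policy).
LOCAL_ONLY_PORTS = {11211: "memcached", 3306: "mysql"}


def _split_local(address):
    # rpartition handles IPv6 forms such as ":::3306" (host "::", port 3306).
    host, _, port = address.rpartition(":")
    return host, int(port)


def listeners(netstat_output):
    """Yield (proto, host, port) for every listening socket in netstat -na output."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, local = parts[0], parts[3]
        # TCP rows carry a State column and only LISTEN is a server socket.
        # UDP has no state, so every bound UDP socket counts as a listener.
        if proto.startswith("tcp") and (len(parts) < 6 or parts[5] != "LISTEN"):
            continue
        host, port = _split_local(local)
        yield proto, host, port


def exposed_services(netstat_output, local_only=LOCAL_ONLY_PORTS):
    """Return [(service, proto, host)] for local-only ports bound to a non-loopback address."""
    findings = []
    for proto, host, port in listeners(netstat_output):
        if port not in local_only:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # netstat -n prints numeric addresses; skip anything else
        # 0.0.0.0 and :: (all interfaces) as well as a real interface address are exposed.
        if not addr.is_loopback:
            findings.append((local_only[port], proto, host))
    return findings


if __name__ == "__main__":
    for finding in exposed_services(SAMPLE_NETSTAT):
        print("exposed:", *finding)
    # exposed: mysql tcp 0.0.0.0
    # exposed: memcached udp 0.0.0.0
    # exposed: mysql tcp6 ::
```

The UDP row is worth the separate handling: a memcached UDP listener reachable from the Internet is what made exposed instances usable as reflection/amplification sources, so a check that only looks at TCP LISTEN rows would miss the worse of the two exposures.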






User Configuration:
Log in to mysql server using
mysql -u root -p


GRANT ALL PRIVILEGES ON *.* TO 'myaccount'@'%' IDENTIFIED BY 'some_pass' WITH GRANT OPTION;


Run a GRANT like this for each MySQL user, and also with 'localhost' and the machine's own IP address in place of '%'. As written, though, this makes the account a superuser on every database from any host, with the right to hand those privileges on. For an application account, grant only the privileges it needs on its own database (for example SELECT, INSERT, UPDATE and DELETE on that schema rather than ALL PRIVILEGES ON *.*), name the application host instead of '%', and leave out WITH GRANT OPTION.


Now try to connect to MySQL server using clients like Toad, SQL Yog and you are in.









How to install .rpm files in Ubuntu 10.04

Install alien in Ubuntu

sudo apt-get install alien
This will install all the required packages. Now you can start converting your .rpm files to .deb packages.

Available Options for alien

Convert the package.rpm into a package.deb
sudo alien -d package-name.rpm

Convert the package.rpm into a package.deb, and install the generated package.
sudo alien -i package-name.rpm

If you want to keep alien from changing the version number, use the following command:
sudo alien -k rpm-package-file.rpm

Example
Suppose we have an AVG antivirus package avg71lms-r30-a0782.i386.rpm.

To convert .rpm to debian
sudo alien -k avg71lms-r30-a0782.i386.rpm

Now you should be having avg71lms-r30-a0782.i386.deb file

To install .deb file
sudo dpkg -i avg71lms-r30-a0782.i386.deb


Friday, July 23, 2010

VirtualBox 3.2.6 and Guest Additions
















It took me quite some time to get this up and running with:


Host OS : Windows 7 64 bit
Guest OS:  Ubuntu Server 10.04
Virtual Box Guest Additions for 64 bit

If you are experiencing the same, follow these simple steps:

1. Install VBox 3.2.6 on Window 7 
2. Install Ubuntu Server 10.04 
3. Start Virtual Server & Click Devices - > Shared folders and add a Host machine folder.
4. Click on Devices - > Install Guest Additions
5. On Terminal paste  
     sudo apt-get install build-essential linux-headers-`uname -r`
    Note: replace 'uname -r' with the actual value 
    e.g. sudo apt-get install build-essential linux-headers-2.6.32-21-server
6. Create mount points for the Shared drive and then run the following 
     sudo mount /dev/cdrom /mnt
    Note: Point to the actual cdrom  in your machine. 
7. Run 
     sudo bash /mnt/VBoxLinuxAdditions-amd64.run
   Note: you may get the following error, which means not all features were installed:



Installing the Window System drivers ...fail!
(Could not find the X.org or XFree86 Window System.)



This is fine. VirtualBox's Guest Additions installs some features that we don't need on a server. If you want these features, you'll have to install them by 

     sudo apt-get install xserver-xorg xserver-xorg-core
8. Reboot the guest OS and, as a last step, mount the host share onto the guest mount point:
    sudo mount -t vboxsf share mountpoint
    Note: the filesystem type is vboxsf; typing vboxfs gives "mount: unknown filesystem type 'vboxfs'".
    Replace share and mountpoint with your actual names.
9. Browse to your mount point to see the shared Folders/ Files.


10. To mount the share automatically at boot, run sudo vi /etc/fstab and append:
       'HostShareName /GuestMountPoint vboxsf defaults  0 0'


    Note: a wrong fstab entry can stop the system from booting, so check the new line with sudo mount -a before rebooting.



















   

Tuesday, July 20, 2010

Blogspot BUG :)

Guys, wake up and see this BUG.
I have already deleted the header and the entry... it is still displayed :)

Sunday, June 20, 2010

About Me


Phase I - To the world of computers
My first interaction with computers started while I was in 8th standard [1993]. I was one of the class toppers who was selected to be a member of the school computer club. We were more attracted to playing games than to work or any academic activity.
In 1997, I opted for Computer Science as my BSc major at the University of Kerala and passed out with First Class. But I never thought about the numerous possibilities of this little magic box.

Phase II - I was my own Guru/ Teacher/ Disciple in the world of Computers








Major decisions in my life have always been ignited by some invisible trigger. It always happened at the right time in the right spot.
That evening, while walking with one of my colleagues through the Kerala University campus, as we were passing a used-book reseller I picked up a textbook named 'Managing J2EE' by Addison-Wesley, which was then gifted to me by my friend. It cost a dollar in 1999. But I never took an interest in reading it then. This book, at a later point in time, changed my attitude towards the fascinating world of computers.

Due to financial difficulties, I was forced to quit further studies for a year. I slowly started to read this book and to learn things one by one. I was pushed into the world of web/app servers, multithreading, containers, connection pools, web programming, server-side programming etc.... I learned the life cycle of a Java-based application. As time passed by, I became very good at the theory, since I didn't have a computer to try all of this out on.
As each day passed by it was like: what next, what next to learn...
I took advantage of an unused British Library membership card from a friend of mine. I slowly started to read more and more books on Java-based web programming, data structures etc.... I started to teach others what this magic box is all about.

A year later I joined my Master's in Computer and completed it with First Class with High Distinction, which was all due to the inspiration I carried forward from reading that one-dollar textbook.

During the final term of my Master's, I went to Bangalore in search of a job, as all of my colleagues had gone off to do their own final projects.
I got into a UK-based call center dealing with broadband connectivity. In the fifth month of my job, I successfully completed my Master's project with cent percent.
The project was about developing an Apache-based web server.

Phase III - Learned to explore the Unlimited opportunities
Carried forward by an unlimited passion for Java, triggered by a MILLION-dollar-worth textbook, I was desperate to move back to the world of programming.
I have worked with various junior and senior colleagues, consultants, etc. I always tried to keep my solutions SIMPLER and was always keen to keep myself up to date with industry standards. This led me to open source.
With end-to-end domain knowledge of the Travel, Mortgage and Retail Supply Chain industries, I still feel that there is a lot more to come out of me, as my search for perfection continues.
Currently I am working at M.H. Alshaya. I got the opportunity to work in the following areas, in various roles such as Lead, Functional & Process reviewer, and Release & Support coordinator. Apart from this I got involved in the following areas:
I was lead designer for the first PCI DSS-supported payment gateway for a Retail application in Kuwait, along with Knet and Postilion systems.
I worked in the product review specialist group for iSERVE at Actuate.

To conclude on my specialties:
Personal: Fast Learner and a Good Analyst. Open to accept change and likes to do things in a smarter way. 


Tech: J2EE, Oracle and MySQL, Ajax-GWT, Actuate e.Report Designer, Birt 2.x, etc


Attitude: "My search for Perfection never Ends". 


Kiran Mithra.