
irigsoft

uniGUI Subscriber
  • Posts

    1368
  • Joined

  • Last visited

  • Days Won

    22

Everything posted by irigsoft

  1. I am sorry, but changing controls with the Enter key from the Android keyboard is maybe done by JavaScript (on the client side), and this does not fire onKeyEvent on the server (it is not going to). Here @Sherzod may be able to help.
  2. Really, this key does: go to the next control. To check whether the Enter key works, try to connect a standard keyboard and get the keypress event.
  3. Hello, sorry, but this button has changed its meaning. It is now used as Tab, not Enter. So try to check whether Tab is activated when you press the button. This impressed me when I wanted to switch from TUniEdit to another component with onkeypress event handling!
  4. Struggling with some (R.U.D.Y.) attacks, trying to control slow uploads; if anyone can help, please advise:
  5. Hi, you can try to use HTML in the SQL script. I use it in my desktop app, like this (H1, H2, H3 are set in the CSS file):
      SELECT ('<H2>' + Products."PrdName" + '</H2>' + '<ul>' + Groups."gName" + '</ul>'
          + CASE
              WHEN CONVERT (varchar (250), STUFF ((SELECT CHAR (10) + '|||' + REPLACE ([PName], '-', '') + CHAR (10) + [PValue] FROM OtherTable1 WHERE OtherTable1."ID" = Products."ID" FOR XML Path ('')), 1, 1, '')) <> ''
              THEN '<h3>' + REPLACE (CONVERT (varchar (250), STUFF ((SELECT CHAR (10) + '|||' + REPLACE ([PName], '-', '') + CHAR (10) + [PValue] FROM OtherTable1 WHERE OtherTable1."ID" = Products."ID" FOR XML Path ('')), 1, 1, '')), '|||', '</br>') + '</h3>'
              ELSE ''
            END
          + '<ul><ul><h3 align="right">Price: ' + CAST (ROUND (Products."Price", 2) as varchar (20)) + ', ' + lower (Products."V") + '</h3></ul></ul>'
          .............
      ) as Opisanie
      FROM TableName WHERE ....
      CSS file:
      html,body,h1,h2,h3,h4,h5,h6 { font-family: "Segoe Script", cursive, sans-serif; line-height: 1.2; }
  6. Hi, when a user opens a session and tries to upload files, is it possible to control the upload time and minimum packet size (some kind of check whether the connection is slow) when the Content-Length header specifies an extremely large amount of data and the file (form data) is transmitted one byte at a time? I am trying to protect my app from this: R-U-Dead-Yet attack https://www.imperva.com/learn/ddos/rudy-r-u-dead-yet/
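The check post 6 asks about, as an added example: this is not code from the thread or from uniGUI, and the policy object, class and limit values are assumptions made here for illustration. A server-side upload monitor rejects an absurd Content-Length up front, then watches the body as it arrives and aborts when the average throughput stays below a floor after a grace period, when no bytes arrive for too long, or when the upload outlives a hard cap. The two traffic patterns at the bottom are constructed: a normal upload in 64 KiB chunks and an R-U-Dead-Yet style upload sending one byte every ten seconds.

```javascript
'use strict';

// Hypothetical per-upload policy (assumed values, not a uniGUI setting).
const DEFAULT_POLICY = {
  maxContentLength: 50 * 1024 * 1024, // refuse an absurd declared size before reading the body
  graceMs: 5000,                      // do not judge throughput during the first 5 s
  minBytesPerSec: 4096,               // average rate below this after the grace period => abort
  idleTimeoutMs: 15000,               // no bytes at all for this long => abort
  maxDurationMs: 10 * 60 * 1000,      // hard cap on the total upload time
};

class UploadMonitor {
  constructor(contentLength, startMs, policy = {}) {
    this.policy = { ...DEFAULT_POLICY, ...policy };
    this.contentLength = contentLength;
    this.startMs = startMs;
    this.lastDataMs = startMs;
    this.received = 0;
    this.verdict = null;
    if (!Number.isInteger(contentLength) || contentLength <= 0) {
      this.verdict = 'reject:bad-content-length';
    } else if (contentLength > this.policy.maxContentLength) {
      this.verdict = 'reject:content-length-too-large';
    }
  }

  // Call once per received chunk, and also from a timer with bytes = 0 so an
  // idle connection is still evaluated. Returns 'continue', 'complete' or a
  // final 'abort:...' / 'reject:...' verdict that sticks once set.
  observe(nowMs, bytes) {
    if (this.verdict) return this.verdict;
    const p = this.policy;
    const elapsed = nowMs - this.startMs;
    if (bytes > 0) {
      this.received += bytes;
      this.lastDataMs = nowMs;
      if (this.received > this.contentLength) return (this.verdict = 'abort:exceeds-declared-length');
      if (this.received === this.contentLength) return (this.verdict = 'complete');
    }
    if (elapsed > p.maxDurationMs) return (this.verdict = 'abort:max-duration');
    if (nowMs - this.lastDataMs > p.idleTimeoutMs) return (this.verdict = 'abort:idle');
    if (elapsed > p.graceMs) {
      const bytesPerSec = this.received / (elapsed / 1000);
      if (bytesPerSec < p.minBytesPerSec) return (this.verdict = 'abort:too-slow');
    }
    return 'continue';
  }
}

// Replay a constructed event list [[offsetMs, bytes], ...] against a fresh monitor.
function replayUpload(contentLength, events, policy) {
  const mon = new UploadMonitor(contentLength, 0, policy);
  let verdict = mon.verdict || 'continue';
  for (const [t, bytes] of events) {
    verdict = mon.observe(t, bytes);
    if (verdict !== 'continue') break;
  }
  return { verdict, received: mon.received };
}

// Constructed traffic (not captured data): a 1 MiB upload in 64 KiB chunks every 100 ms ...
const NORMAL_EVENTS = Array.from({ length: 16 }, (_, i) => [100 * (i + 1), 65536]);
// ... and a RUDY-style upload: large Content-Length, one byte every 10 s.
const RUDY_EVENTS = Array.from({ length: 20 }, (_, i) => [10000 * (i + 1), 1]);

function demo() {
  return {
    normal: replayUpload(16 * 65536, NORMAL_EVENTS),   // finishes: 'complete'
    rudy: replayUpload(1000000, RUDY_EVENTS),           // 'abort:too-slow' at the first byte after the grace period
    oversized: replayUpload(10 ** 12, RUDY_EVENTS),     // 'reject:content-length-too-large' before any byte is read
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The grace period matters: a mobile client on a poor link legitimately starts slowly, so the rate floor is only applied once enough time has passed to average over, and the idle timeout catches the case where the attacker stops sending entirely.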
  7. I read many topics on the web and they all say: client-side JavaScript is not secure. I don't know why, but I take it into account when I add some code to be executed on the client side.
1. https://iteo.com/blog/post/security-for-single-page-applications/
These are the most common security issues faced by this type of application:
- Data exposure via API
- Cross-site scripting (XSS) attacks
- Cross-site request forgery (CSRF)
- Session tracking and authentication
2. https://jscrambler.com/blog/the-most-effective-way-to-protect-client-side-javascript-applications
The Risks of JavaScript
1. Debugging and Tampering
"Just like anyone can use the debugging tool for legitimate purposes, an attacker can use this feature to change JavaScript at runtime. The attacker can hit a breakpoint, change the DOM, and enter arbitrary JavaScript in the console." As OWASP puts it: "An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application's data and resources. This can provide the attacker with a direct method of subverting the intended use of the software for personal or monetary gain."
2. Data Exfiltration and Other Client-Side Attacks
"Likely, you won't notice this change, and your website will be distributing malware." "Like any double-edged sword, you must wield this with responsibility. To protect JavaScript code, you must take into account what happens at runtime, both because attackers can target your exposed source code and because they can inject malicious JavaScript code through your third-party scripts."
https://jscrambler.com/blog/javascript-obfuscation-the-definitive-guide
"JavaScript is an interpreted language, so client-side JavaScript requires an interpreter in the browser to read it, interpret it, and run it. This also means that anyone can use a browser debugger to easily go through the JS code and read or modify it at will."
https://www.spiceworks.com/tech/devops/articles/what-is-single-page-application/
5. Security issues
SPAs are more prone to getting hacked through cross-site scripting attacks. They allow consumers to download the entire application, exposing it to more opportunities for finding vulnerabilities through reverse engineering. To fix this, developers should ensure that all web application security-related client-side logic, such as authentication and input validation, is doubled on the server for verification. Additionally, developers should provide restricted role-based access.
  8. Yes, this is a possible solution and is good practice. "If the file is signed then it is not malicious!" - but that is not always true. Digitally signed files tell you who the owner of the certificate is, but there is also certificate theft; even if signed, it does not make the file safe.
"Here in Brazil we have e-card (hard solution) to validate biz and digital signatures in docs (gov, secure transactions, banks etc) much alike a "smart" debit card" - Our government has that too, but that's because they want to know who owns the file and for security reasons (I think).
In theory, we apply the principle: the user is malicious, and we look for as many rules as possible to make it difficult for him to attack the server. Because the most dangerous thing in an attack with an infected file is the infection of the server. When a server is infected, the consequences are not just for the server owner, but also for the users. I recently read an article about a mobile phone company vulnerability that went undetected for some years. This has certainly given malicious individuals the opportunity for more attacks or data theft. Ultimately, the goal is to keep the server from getting infected.
To your questions:
1- You allow the user to upload to your server with authentication provided by you - Yes, only an authorized user can upload files; I even add user details in the upload process, which are verified by the server
2- You use https - Yes, not self-signed
3- You can save in a non-public folder with no access from the browser - Yes, an outer directory, protected with OS user rights.
4- You can modify rights to such a file - not yet, but in the future I will (I am working on it)
5- You can save in raw format without decoding or absolutely removing the association to an app. - Yes, I save the file with a changed name and no extension. The raw format is a good idea, thanks
6- Only who uploads can download it - No, only users authorized in the app can download or open files. For example:
1. I give rights to clients to upload advertisement files, and this ad will be played for other users (such as a video or image in an iFrame)
2. I give rights to clients to upload their own image/video/other files (like YouTube), and they will play for other users
3. I grant rights to an internal user of the company to upload video files from security cameras; then only camera owners can download the recordings from each day
All this can be done from a mobile device (problem with smart cards) or a PC
7- All uploads to your server you have antivirus and such - Yes, I have an antivirus app and an anti-malware app. But getting information that files are dangerous is not enough if no one is watching (like at 03:00 in the morning) and the files are on the server.
Consider this:
a- If not sharing to third parties... issue is? - 1. the server is at risk, all work can stop. 2. I share it, so the risk is that malicious files go to clients' PCs and make them a botnet.
b- if not allowing downloads and any kind of access... issue is? - risky files may attack clients, a Trojan horse or worm
c- Any options the burden of processing and things going wrong is at the client side (delays, corruptions etc etc). - I prefer it to be done on the server side, and on the client side only hash the files and HMAC them. On the server side, when they upload files, they first go to the temporary directory (with changed names), but they are not encrypted, and this creates a risk for the server, so I'm looking for a way to secure (obfuscate/encrypt) files beforehand.
  9. Thanks, this is a possible solution for some attacks. But even with a VPN, the client (attacker) can upload a malicious file. I know this is generally true of all software regardless of the server type. I don't want to create problems for the team or others; let's concentrate on coding other things.
How to generate on the client (or better, on the server):
1. Change file names - I have this feature in the attached example
2. Generation of hashes of files - I have this feature in the attached example
3. How to upload a file with HMAC - https://www.jscape.com/blog/what-is-hmac-and-how-does-it-secure-file-transfers https://medium.com/@rosyparmar/google-cloud-storage-use-hmac-to-authenticate-requests-to-cloud-storage-aa8ed859be33 https://crypto.stackexchange.com/questions/86136/prove-that-you-have-the-data-when-hash-is-public
Let's make it work if possible. Thanks
  10. I know that creating an archive of the files (by the client) is one possible solution and is simpler than others, but:
1. The first rule of security: every user is bad!
2. Any JavaScript code from the customer can be compromised - for this reason I wrote about obfuscating the JavaScript code (and use it for some of my files) https://stackoverflow.com/questions/28352160/javascript-client-side-security https://softwareengineering.stackexchange.com/questions/200790/how-easy-is-it-to-hack-javascript-in-a-browser Since it is not clear to me how the uniGUI core works with the JavaScript code, I suppose some of the code added by me may be manipulated by the client (attacker). So less code on the part of the client means fewer options for attack.
3. Uploaded archive files can be a "zip bomb" - https://www.microsoft.com/en-us/windows/learning-center/what-is-a-zip-bomb https://en.wikipedia.org/wiki/Zip_bomb
4. Archives may contain risky files. Assuming that the attacker has captured the file and replaced it with his own, this means that we are directly at risk due to the confidence placed in the type: an archive file. Good security practices avoid uploading archive files. How to check whether an archive is protected with my password without extracting it? Some antivirus products cannot scan the content of archive files, and this adds additional risk.
I think encrypted files give me the solution, or at least I think the bad code will not be executed directly (but this has two sides: how to use an encrypted file, and what happens when the file is decrypted - same as with archiving). For this reason, given that the protection (encryption) must happen on the client, file encryption is not strictly necessary and applicable. The practice I have observed on some systems that allow you to upload XML files (which also carries a risk) is that an HMAC is used to secure them. If it is possible at least to apply that, it may be useful to the audience
  11. I have to change the name and encrypt Files.Stream when multi-upload executes, but the file is already on the server when I do that, because they are in the Windows temp directory, under a different name.
  12. Thanks, but I don't want to use archiving, because there is a risk of a bigger attack
  13. Yes, the code works, but when using multi-upload, after I select a list of files and show an alert with the replaced symbols, the list in the component is empty.
  14. Thanks, all of that is already in my action plan, but on the list are: 1. Check file names for disallowed symbols on the client side 2. Generate the file hash on the client side 3. Encrypt the file, if possible.
  15. Hello, maybe this will help you: using XMLHttpRequest or
  16. Hi, I'm trying to override (as you suggested, in MainForm.Script):
      Ext.form.field.File.override({
          onFileChange: function() {
              this.lastValue = null; // force change event to get fired even if the user selects a file with the same name
              Ext.form.field.File.superclass.setValue.call(this, this.fileInputEl.dom.value.replace(/C:\\fakepath\\/g, ''));
              var fi = this.fileInputEl.dom.files;
              for (var i = 0; i < fi.length; i++) {
                  var file = fi[i];
                  alert('Type: ' + file.type);
              } // for
          } // end - onFileChange
      }); // end - Ext.form.field.File.override
      I am using uniFileUpload, but this way the list with the selected files is not populated and none of the files are uploaded.
  17. Hello and Merry Christmas to all. Yes, I prefer it to be "simpler", but I work with companies, and their security engineers say: "Hey, if you allow the user to upload and download files, then you need to protect them!" Yes, I know there are many issues with OS provisioning, and just one piece of software that takes care of that is not enough, but if I want to sell my software to these companies, then I have to work according to what they want; I don't have another choice. There are many other things in my action plan that I have done for my clients, but I try to add more of the security best practices recommended by those more experienced than me:
https://www.opswat.com/blog/file-upload-protection-best-practices
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
https://uploadcare.com/blog/secure-file-upload/
https://learn.microsoft.com/en-us/iis/get-started/planning-for-security/secure-content-in-iis-through-file-system-acls
https://doc.sitecore.com/xp/en/developers/82/sitecore-experience-platform/secure-the-file-upload-functionality.html
https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API/Non-cryptographic_uses_of_subtle_crypto
  18. I've been working on this and hit a problem. My script:
1. Limit uniFileUpload.Filter to only a list of allowed file extensions
2. Rename the uploaded file and replace all special characters in the name
3. Create a hash of the file
4. Encrypt the file
5. Upload the encrypted file to the server
How to do point 1 for extensions like jpg, jpeg, xml, txt, csv, xls? However, in the code created for point 2 to replace characters in MainForm.Script, the file list is not populated with the replaced (or original) file names, and of course I get an error when trying to upload. I am trying to replace the characters in this filename: IMG_[20]23{}1205_%09#21@30+.jpg FileUpload - Multiple.zip
  19. I see there is data in ARequestInfo.RawHTTPCommand that could be useful, but if I could ask (if you have control) that &hash=filehash be added as well, so that on the server side the programmer has the option to set a hashing method such as: SHA1, SHA128, SHA256, SHA512, HMAC
  20. I'm trying to implement some of the Web API capabilities to encrypt files on the client side, and so far I've been able to get the hash of the file; I'm trying to use the Web API to encrypt files myself. I'll share if I can. Here I write some suggestions only as a possibility to apply standard techniques integrated into uniGUI. If some of them cannot be implemented by the team, then another possibility will be sought for their implementation, naturally with your assistance. I believe that good web server security is possible by applying multiple pieces of software with different functionality to it, but some of the security options are better integrated into the application itself.
  21. Hi, is it possible to add more app security options when uploading files, such as:
1. Generating a hash for the file and sending it to the server before uploading. Checks whether the uploaded file has been modified during the transfer
2. Checking file formats and extensions: "Make sure you check the file extension of uploaded files against a white-list of permitted file types. Do this on the server-side, since client-side checks can be circumvented."
3. Checking the Content-Type header: "Files uploaded from a browser will be accompanied by a Content-Type header. Make sure the supplied type belongs to a white-listed list of permitted file types. (Be aware that simple scripts or proxies can spoof the file type, though, so this protection, while useful, is not enough to dissuade a sophisticated attacker.)"
4. Limiting the minimum file size: "To protect the stability of your service, you want to keep control over who and when can upload files to your website. Two-step verification can be useful here, as well as limiting the size of the file: both very large and very small files can be used for a DoS attack, so don't forget to establish a minimum file size limit as well."
5. File encryption: blocks direct execution of the file on the server side
6. Sanitize filenames: "Overlong filenames could be abused to exploit buffer overflow vulnerabilities. Similarly, files with special characters in the name can cause weird behaviour, depending on how they are treated by your software. It is good practice to ensure file names are sanitized before being written to disk."
7. Using signed URLs to simplify data uploads: "The signature allows a specific action to be executed on cloud-resource URL for a specific timeframe. For example, a resource can be uploaded by performing a one-time POST to a signed URL with a signature that enables this POST for 30 seconds. The action is further bounded by the permissions of the credentials used to sign the URL. For example, a URL signed by read-only credentials cannot be used to upload data."
There are many ways to attack the server when uploading files. SSL between client and server does not provide 100% attack protection, and security engineers ask us to add additional protections when uploading a file to better protect the server.
  22. But you should keep in mind that counting sessions is not the same as counting connected users. I'm sure you know this, but using WebSockets probably won't solve your throttling problem. Let's say you set a limit of 10 simultaneous sessions; the user opening a new session for work is usually accompanied by the creation of a shadow session (I don't know exactly when it appears). Observing this behavior of the application, I chose the method described above.
  23. Hi, if I can help with any idea: I'm using per-user limits. Each user can log into the application only once, on one device and in one browser tab. If a user logs in on one device and then logs in with the same user on another device, it will close all other sessions with that user. For this process I use some techniques that picuka also mentioned, such as:
1. Each user on login is recorded in a table on the server
2. When a user logs in, all records in the table with that user are deleted and then only one record is added (user, device ID, some other unique data about the user)
3. I have a timer in each session that closes it if the user is not active (checks every X ms whether the user + device ID (POS terminal ID) + other data is in the table)
4. I have added the srOnePerIP server limit per session
5. I have added a function that closes the user (logged-in user session) if there is no activity (checks every 15 minutes by displaying a message to the user and waits 30 seconds for an action (button press))
This way I limit not the sessions but the number of logged-in users that are kept in the server table. I do this because it is possible to have shadow sessions or a session that is not closed (closing a tab in the browser takes time; any session closed from the user side needs time to close, and as you know this may not reach the server because the connection between them is broken for some reason)!
  24. Hello, maybe this will help you: how to get data from an iframe using JavaScript https://www.google.com/search?q=how+to+get+data+from+iframe+using+javascript&sca_esv=593079107&ei=bIWFZYv1F7fWxc8P3NuKwAM&oq=parse+data+from+iframe&gs_lp=Egxnd3Mtd2l6LXNlcnAiFnBhcnNlIGRhdGEgZnJvbSBpZnJhbWUqAggAMgoQABhHGNYEGLADMgoQABhHGNYEGLADMgoQABhHGNYEGLADMgoQABhHGNYEGLADMgoQABhHGNYEGLADMgoQABhHGNYEGLADMgoQABhHGNYEGLADMgoQABhHGNYEGLADSLEZUNQEWPsNcAJ4AZABAJgBgwGgAYMBqgEDMC4xuAEDyAEA-AEBwgIFECEYoAHiAwQYACBBiAYBkAYI&sclient=gws-wiz-serp
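The "one logged-in user, one device" scheme from post 23, points 1, 2, 3 and 5, as an added example. This is not code from the thread or from uniGUI: the in-memory registry stands in for the server table the post describes, the class and method names are assumptions, and the srOnePerIP setting (point 4) is a server option left out here because it is enforced by the server, not by the application table. Time is passed in explicitly so the idle rule can be exercised without waiting; the session IDs, users and device IDs below are constructed.

```javascript
'use strict';

// Hypothetical stand-in for the "logged-in users" table from the post. A real
// deployment keeps this in a shared store so every server process sees the same rows.
class LoginRegistry {
  constructor({ idleTimeoutMs = 15 * 60 * 1000 } = {}) {
    this.idleTimeoutMs = idleTimeoutMs;
    this.rows = new Map(); // sessionId -> { user, deviceId, lastSeenMs }
  }

  // Login: delete every existing row for this user, then insert exactly one.
  // Returns the session IDs that were evicted so the server can close them.
  login({ sessionId, user, deviceId, nowMs }) {
    const evicted = [];
    for (const [sid, row] of this.rows) {
      if (row.user === user) { this.rows.delete(sid); evicted.push(sid); }
    }
    this.rows.set(sessionId, { user, deviceId, lastSeenMs: nowMs });
    return { ok: true, evicted };
  }

  // Per-session timer tick: the session survives only while its own row is
  // still present with the same user + device ID, and the user was active
  // inside the idle window. Anything else tells the session to close itself.
  check({ sessionId, user, deviceId, nowMs }) {
    const row = this.rows.get(sessionId);
    if (!row || row.user !== user || row.deviceId !== deviceId) return 'close:replaced';
    if (nowMs - row.lastSeenMs > this.idleTimeoutMs) {
      this.rows.delete(sessionId);
      return 'close:idle';
    }
    return 'alive';
  }

  // Called on user activity (or when the user presses the "still here" button).
  touch(sessionId, nowMs) {
    const row = this.rows.get(sessionId);
    if (row) row.lastSeenMs = nowMs;
  }

  logout(sessionId) { this.rows.delete(sessionId); }

  // The number the post actually limits: distinct logged-in users, not sessions.
  activeUsers() { return new Set([...this.rows.values()].map(r => r.user)).size; }
}

// Constructed scenario: alice logs in twice from two POS terminals, bob once.
function demo() {
  const reg = new LoginRegistry({ idleTimeoutMs: 900000 }); // 15 minutes
  reg.login({ sessionId: 'S1', user: 'alice', deviceId: 'POS-01', nowMs: 0 });
  const second = reg.login({ sessionId: 'S2', user: 'alice', deviceId: 'POS-02', nowMs: 1000 });
  const s1 = reg.check({ sessionId: 'S1', user: 'alice', deviceId: 'POS-01', nowMs: 2000 }); // replaced by S2
  const s2 = reg.check({ sessionId: 'S2', user: 'alice', deviceId: 'POS-02', nowMs: 2000 }); // still alive
  reg.login({ sessionId: 'S3', user: 'bob', deviceId: 'POS-03', nowMs: 3000 });
  const s2Idle = reg.check({ sessionId: 'S2', user: 'alice', deviceId: 'POS-02', nowMs: 1000 + 900001 }); // past idle window
  return { evictedOnSecondLogin: second.evicted, s1, s2, s2Idle, activeUsers: reg.activeUsers() };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Because the decision is made by the per-session timer reading the table, a session whose browser tab vanished without a clean close is still removed: either a later login for the same user replaces its row, or the idle window expires.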