Can we apply some protection against different attacks

[irigsoft]

This is also a security vulnerability:

resolution is : "at the moment, you can try disabling jQuery.

UniServerModule -> Options -> soDontLoadJQueryLib = True"

 

[irigsoft]

Another theme for security problem: 

Is there a solution to this?

[irigsoft]

"How do you deal with the problem of plaintext?"

Replace uniEditValue's with custom javascript hash function on Client Side.

 

Project1.zip

 

and with md5 hash:

Project1.zip

[irigsoft]

If someone can test with security software please post result here if I was succeeded

 

[irigsoft]

this is with javascript md5 hash :

Project1.zip 1.65 MB · 2 downloads

Thank . It has been tested and solved.

[irigsoft]

New Security problem:

 

[irigsoft]

On 5/4/2021 at 9:01 AM, irigsoft said:

New Security problem:

 

there is solution:

 

[irigsoft]

Hello, I add here how to replace url on browser (from here:

)

 

procedure TMainForm.UniFormActivate(Sender: TObject);
var

EnableAutoLog : Boolean;
begin
 If (TRIM (TUniGUISession(UniSession).UniApplication.Parameters.Values ['login']) <> '')
 and (EnableAutoLog) then begin
    //replace URL
    UniSession.AddJS(
            // Current URL: UniSession.ARequest.Referer
            'const nextURL = ''' + StringReplace (UniSession.ARequest.Referer,'login='  + TUniGUISession(UniSession).UniApplication.Parameters.Values ['login'],'',[rfReplaceAll,rfIgnoreCase]) + ''';'
            + 'const nextTitle = ''' + UniServerModule.Title + ''';'
            + 'const nextState = { additionalInformation: ''Updated the URL with JS'' };'
            // This will create a new entry in the browser's history, without reloading
            + 'window.history.pushState(nextState, nextTitle, nextURL);'
            // This will replace the current entry in the browser's history, without reloading
            + 'window.history.replaceState(nextState, nextTitle, nextURL);'
            );

 end;

[irigsoft]

On 4/12/2021 at 7:42 PM, Stemon63 said:

Hi, 
Have you solved your problem?
I have the same trouble; sometimes files are showed, sometimes they are blocked with code 405.
Any hint?
Thanks!

Hello, did You find some solution of this problem ?

 

I make this on Server side:

 

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
  var Handled: Boolean);

var

 sSessionID      : String;

begin
sSessionID := ExtractSessionId(ARequestInfo.UnParsedParams);

if (ARequestInfo.URI <> '/')
and (ARequestInfo.Referer = '')
then begin
  //Enable only UniServerModule.TempFolder
  (POS (ARequestInfo.Host + '/' + StringReplace (UniServerModule.TempFolder,'\','/',[rfReplaceAll]) + sSessionID  + StringReplace (ARequestInfo.RemoteIP,'.','',[rfReplaceAll]) + SomeExtra + '/',ARequestInfo.Host + ARequestInfo.URI) <= 0)
  //or directory not exist
  OR (not DirectoryExists (ExtractFilePAth (Application.ExeName) + '\' + UniServerModule.TempFolder + sSessionID  + StringReplace (ARequestInfo.RemoteIP,'.','',[rfReplaceAll]) + SomeExtra + '\'))
  then begin
      AResponseInfo.ResponseNo:=405;
      AResponseInfo.ContentText := '<h1>Access denied</h1>';
      Handled := true;      
      AResponseInfo.CloseConnection:=true;
      AResponseInfo.CloseSession;      
  end;
end;

end;

 

So,

1. If no session is opened (open from link - direct download) - Access denied

2. If try to download from other session -  Access denied

3. If try to download from other User IP (man in the Middle attack, or sharing the link) -  Access denied

4. Every Session have own directory to download. The creation of a session directory must be provided with some additional data if they try to penetrate the session ID

 

[irigsoft]

@Stemon63, did You try my proposal to protecting files ?

[irigsoft]

Hello everyone,

There is a new security challenge here !

the plan:

There are standart technics to slow down attacker:

 1 - after some trys to login (brute force attack) - log IP in BlockIPLIst. Block IP of attacker

 2 - using reCaptcha - prevents bot's (some reCaptcha is useless !)

 3 - using strong passwords (more then 10 symbols) - slow down GPU calculations

 4 - using hash of passwords - slow down GPU calculations

 5 - disable user account - attacker must change user name

 6 - using same error message for different login errors. - prevent to catching user name

 7 - after every next try, slow down answer from server - this will slow down GPU calculations

 8 - enable OneIpPerUser - this will block many session  from one PC

 

I make some protection code based on the plan: 

3 - using strong passwords (more then 10 symbols)

4 - using hash of passwords

 

on the TUniServerModule.UniGUIServerModuleHTTPCommand

TRY
unIServerModule.Lock;
If FileExists (ExtractFilePath(StartPath) + 'root\BldIPList.config') then
  BlockedIPList.LoadFromFile (ExtractFilePath(StartPath) + 'root\BldIPList.config');   - reload IP list
FINALLY
  unIServerModule.UnLock;
END;

IF BlockedIPList.Count > 0 then begin
  if BlockedIPList.IndexOf (ARequestInfo.RemoteIP) > -1 then begin
    AResponseInfo.ContentText := '<h1>Access denied</h1>';            point 6
    Handled := True;
    AResponseInfo.CloseSession;
    GOTO ENDALL;
  end;
end;

 

on the login form BtnLogin.onClick

UniServerModule.Lock;
try
  If FileExists (ExtractFilePath(unIServerModule.StartPath) + 'root\BldIPList.config') then
    unIServerModule.BlockedIPList.LoadFromFile (ExtractFilePath(unIServerModule.StartPath) + 'root\BldIPList.config');
finally
  UniServerModule.UnLock;
end;

//block IP

if uniMainModule.BruteForceTrys > 5 then begin     - point 1
  // block IP addres

try
    UniServerModule.Lock;
    UniServerModule.BlockedIPList.Add (UniSession.RemoteIP);
    UniServerModule.BlockedIPList.SaveToFile (ExtractFilePath(UniServerModule.StartPath) + 'root\BldIPList.config');
finally
   UniServerModule.UnLock;
end;

    sleep (100);

    UniSession.Terminate ('<h1>Access denied</h1>');    - point 6

    exit;
end;

UniGUIMainModuleCreate

 

reload blocked Ip

try
  UniServerModule.Lock;
  If FileExists (ExtractFilePath(unIServerModule.StartPath) + 'root\BldIPList.config') then
    unIServerModule.BlockedIPList.LoadFromFile (ExtractFilePath(unIServerModule.StartPath) + 'root\BldIPList.config');

finally
   UniServerModule.UnLock;
end;

 

I added some extras, such as log for IP, which made 2 or more login errors (suspicious IP addresses)

 

7 - after every next try, slow down answer from server - add some timers to make to wait next login attemp !

 8 - enable OneIpPerUser -   ServerLimits.SessionRestrict := srOnePerPC;   ServerLimits.SessionRestrict := srOnePerIP;

[irigsoft]

here is some info from penetration test result's:

 

[Abaksoft]

A good article.

https://www.acunetix.com/blog/articles/iis-security-best-practices/

[irigsoft]

50 minutes ago, Abaksoft said:

A good article.

https://www.acunetix.com/blog/articles/iis-security-best-practices/

Thank You.

[irigsoft]

Hello there,

one more question by security , If someone can help:

 

[irigsoft]

How we can protect from Spoofing attack? 

https://www.keyfactor.com/blog/what-it-is-ip-spoofing-how-to-protect-against-it/

[irigsoft]

Can block some IoT scanners like Shodan, Censys, Shadowserver

 

[irigsoft]

On 4/12/2021 at 7:42 PM, Stemon63 said:

Hi, 
Have you solved your problem?
I have the same trouble; sometimes files are showed, sometimes they are blocked with code 405.
Any hint?
Thanks!

Hello, I think I found solution of this.

on procedure TUniServerModule.UniGUIServerModuleHTTPCommand(

just add this headers:

  AResponseInfo.CustomHeaders.AddValue('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate'); //HTTP 1.1
  AResponseInfo.CustomHeaders.AddValue('Pragma','no-cache');////HTTP 1.0
  AResponseInfo.CustomHeaders.AddValue('Expires', '0');

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

this maybe will extend data transfer between Client and Server (will use more traffic)

[Abaksoft]

22 hours ago, irigsoft said:

Hello, I think I found solution of this.

on procedure TUniServerModule.UniGUIServerModuleHTTPCommand(

just add this headers:

  AResponseInfo.CustomHeaders.AddValue('Cache-Control', 'no-cache, no-store, must-revalidate'); //HTTP 1.1
  AResponseInfo.CustomHeaders.AddValue('Pragma','no-cache');////HTTP 1.0
  AResponseInfo.CustomHeaders.AddValue('Expires', '0');

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

this maybe will extend data transfer between Client and Server (will use more traffic)

Thank you so much IrigSoft.

We are learning good things with you.

[irigsoft]

Has anyone already built protection against Slow http attacks?

https://www.cloudflare.com/learning/ddos/ddos-low-and-slow-attack/

https://blog.qualys.com/vulnerabilities-threat-research/2011/11/02/how-to-protect-against-slow-http-attacks

 

How to limit the connection timeout, the time the server waits for all headers of the request before terminating it, and the minimum number of bytes per second when sending a response to a request to minimize the impact and slow HTTP attacks ?

Is it possible to control the common Keep-Alive header to control the above:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Keep-Alive

 

here are some Headers size limits:

https://stackoverflow.com/questions/686217/maximum-on-http-header-values#:~:text=No%2C HTTP does not define,headers size exceeds that limit.

@Sherzod how to

1. limit size of request Headers ?

2. Reject / drop connections with HTTP methods (verbs) not supported by the URL ?
3. Limit the header and message body to a minimal reasonable length. Set tighter URL-specific limits as appropriate for every resource that accepts a message body.
4. Set an absolute connection timeout ? - that's what AjaxTimeout is for ?

 

[irigsoft]

How to protect against Landspeed violation ?

 

[Sherzod]

9 hours ago, irigsoft said:

How to protect against Landspeed violation ?

What is this for? And what do you want to do if this is detected?
Well I think based on IP first. And that of course this is the main one.
Secondly, if there are ready-made detection methods, use them. Otherwise, you need to come up with a detection method yourself. And they can be different I guess...

[irigsoft]

21 minutes ago, Sherzod said:

What is this for?

To prevent from hacked account.

Thanks, I just want to know if is integrated in unigui.

[irigsoft]

@Sherzod, can You tell me something for this:

On 2/12/2022 at 10:00 PM, irigsoft said:

1. limit size of request Headers ?

2. Reject / drop connections with HTTP methods (verbs) not supported by the URL ?
3. Limit the header and message body to a minimal reasonable length. Set tighter URL-specific limits as appropriate for every resource that accepts a message body.
4. Set an absolute connection timeout ? - that's what AjaxTimeout is for ?

Is it possible to limit size of Headers and body (on client side) ?

[irigsoft]

this is how to add header "Content-Security-Policy" from here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

<meta http-equiv="Content-Security-Policy" content="script-src 'none'; object-src 'none'">