
Can we apply some protection against different attacks


irigsoft


HTTP request smuggling vulnerabilities

If someone can help to set/control request headers:

Why it is important: https://portswigger.net/web-security/request-smuggling

I created some control to restrict the body of the POST request message and added control of "Chunked" encoding.

If anyone can test it and help make the code better, I would be happy to test.

"It is recommended to perform a validation and sanitisation of input data, both on the client side and on the server side, taking the restriction of special characters (</>"-#?), as well as the length of the data, taking into account the nature of the application and the type of data entered (names, emails, numerical values, ...)"

"You’re free to utilize any prevention techniques for DOM XSS that you can use for standard XSS attacks. There’s only one thing you need to pay attention to. For DOM XSS attacks you need to review and sanitize the client-side code instead of the server-side code."

http://www.webappsec.org/projects/articles/071105.shtml

"To generalize, traditional methods of:
  1. HTML encoding output data at the server side
  2. Removing/encoding offending input data at the server side
Do not work well against DOM Based XSS."

Effective defenses

1. Avoiding client side document rewriting, redirection, or other sensitive actions, using client side data. Most of these effects can be achieved by using dynamic pages (server side).

2. Analyzing and hardening the client side (JavaScript) code. Reference to DOM objects that may be influenced by the user (attacker) should be inspected, including (but not limited to):

document.URL
document.URLUnencoded
document.location (and many of its properties)
document.referrer
window.location (and many of its properties)

3. https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html

4. https://crashtest-security.com/cross-site-scripting-xss/

In JavaScript, you need to define an extra function for this task. You may use:

// Replace the five HTML-significant characters with their entity equivalents
function escapeHtml(text) {
  var map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#039;'
  };

  return text.replace(/[&<>"']/g, function(m) { return map[m]; });
}

OR

https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html

function escapeHTML(str) {
     str = str + "";          // coerce non-string input to a string
     var out = "";
     for(var i=0; i<str.length; i++) {
         if(str[i] === '<') {
             out += '&lt;';
         } else if(str[i] === '>') {
             out += '&gt;';
         } else if(str[i] === "'") {
             out += '&#39;';
         } else if(str[i] === '"') {
             out += '&quot;';
         } else {
             out += str[i];
         }
     }
     return out;
}
// Note: unlike the escapeHtml function above, this version does not escape '&'.
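The defences listed in this post (do not redirect or rewrite the document from client-side data; inspect every use of document.location, window.location and friends; put untrusted text into the page as text) applied in JavaScript, as an added example that is not code from the original post or from any of the linked articles. The function names nextParam, safeRedirectTarget and renderText are my own, and the plain object passed in place of a DOM element is a stand-in so the snippet runs outside a browser.

```javascript
// Added example (not from the original post): taking a value from one of the
// DOM sources listed above (location.search / location.hash) and passing it
// to a sink only after validation. Function names are my own; the plain
// object used in place of a DOM element is a stand-in so this runs offline.

// Extract "next" from a query string such as "?a=1&next=%2Fx". Returns null
// when absent. (URLSearchParams does the same job in the browser.)
function nextParam(search) {
  const m = /[?&]next=([^&]*)/.exec(search || '');
  return m ? m[1] : null;
}

// Decide whether a user-supplied redirect target may be assigned to
// window.location. Only root-relative, same-origin paths are accepted;
// anything that could change scheme or host (absolute URLs, "//host",
// "/\host", scheme-prefixed values) falls back to a known-safe path.
function safeRedirectTarget(candidate, fallback = '/') {
  if (typeof candidate !== 'string') return fallback;
  let value;
  try {
    value = decodeURIComponent(candidate.trim());
  } catch (e) {
    return fallback;            // malformed percent-encoding
  }
  // Must start with exactly one "/" (not "//" or "/\", which browsers
  // treat as protocol-relative) ...
  if (!/^\/(?![\/\\])/.test(value)) return fallback;
  // ... and must not carry control characters.
  if (/[\u0000-\u001f\u007f]/.test(value)) return fallback;
  return value;
}

// Put untrusted text into the page as text, not markup. textContent never
// invokes the HTML parser, so there is no escaping step to forget.
function renderText(el, untrusted) {
  el.textContent = String(untrusted);
  return el;
}

// Usage with constructed inputs (in a browser: location.search and a real element).
const constructedSearch = '?next=%2F%2Fevil.example%2Fphish';   // constructed
const where = safeRedirectTarget(nextParam(constructedSearch));   // '/'
const banner = renderText({}, 'Continue to <b>' + where + '</b>');
console.log(where, banner.textContent);
```

The redirect check is deliberately an allow-list (one leading slash, nothing that browsers would reinterpret as a host or scheme) rather than a block-list of bad prefixes; decoding happens first so that `%2F%2F` cannot slip past as "not starting with //".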

Clear-Site-Data

good security header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data

experts: "This header is useful, for example, during a logout process, to ensure that all content stored on the client side is deleted."

"This is a privacy and security enhancing feature. A sensitive website can trigger local data deletion after the user signs out. A website dealing with a persistent XSS attack can use this to ‘reset’ itself to a clean state."

I've added custom headers and do testing now. For now all works good:

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
 AResponseInfo: TIdHTTPResponseInfo; var Handled: boolean);
begin
 AResponseInfo.CustomHeaders.AddValue('strict-transport-security', 'max-age=31536000; includeSubDomains; preload');
 AResponseInfo.CustomHeaders.AddValue('X-Frame-Options', 'DENY');
 AResponseInfo.CustomHeaders.AddValue('X-Xss-Protection', '1;mode=block');
 AResponseInfo.CustomHeaders.AddValue('X-Content-Type-Options', 'nosniff');
 AResponseInfo.CustomHeaders.AddValue('Referrer-Policy', 'strict-origin');
end;

36 minutes ago, Tokay said:

I've added custom headers and do testing now. For now all works good:

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
 AResponseInfo: TIdHTTPResponseInfo; var Handled: boolean);
begin
 AResponseInfo.CustomHeaders.AddValue('strict-transport-security', 'max-age=31536000; includeSubDomains; preload');
 AResponseInfo.CustomHeaders.AddValue('X-Frame-Options', 'DENY');
 AResponseInfo.CustomHeaders.AddValue('X-Xss-Protection', '1;mode=block');
 AResponseInfo.CustomHeaders.AddValue('X-Content-Type-Options', 'nosniff');
 AResponseInfo.CustomHeaders.AddValue('Referrer-Policy', 'strict-origin');
end;

Thank You.

To allow all my users to load custom headers from a file, I have created this in TUniServerModule.UniGUIServerModuleHTTPCommand:

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
  AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
var
  RespInfoCustomHeaders: TStringList;
  HeadersFile: string;
  I: Integer;
begin
  // Reading the file on every request used a big amount of RAM,
  // so the list is created per request and freed in the finally block.
  if Assigned(AResponseInfo.CustomHeaders) then
  begin
    RespInfoCustomHeaders := TStringList.Create;
    try
      RespInfoCustomHeaders.NameValueSeparator := ':';
      RespInfoCustomHeaders.StrictDelimiter := True;
      // reload custom headers
      HeadersFile := ExtractFileDir(Application.ExeName) + '\PathToYourLocation';
      UniServerModule.Lock;
      try
        if FileExists(HeadersFile) then
          RespInfoCustomHeaders.LoadFromFile(HeadersFile);

        for I := RespInfoCustomHeaders.Count - 1 downto 0 do
        begin
          try
            // if the line is not commented out, add it to CustomHeaders
            if (Copy(RespInfoCustomHeaders.Names[I], 1, 2) <> '--')
              and (Copy(RespInfoCustomHeaders.Names[I], 1, 2) <> '//') then
            begin
              if AResponseInfo.CustomHeaders.IndexOfName(RespInfoCustomHeaders.Names[I]) < 0 then
                AResponseInfo.CustomHeaders.AddValue(RespInfoCustomHeaders.Names[I],
                  RespInfoCustomHeaders.ValueFromIndex[I])
              else
                AResponseInfo.CustomHeaders.Values[RespInfoCustomHeaders.Names[I]] :=
                  RespInfoCustomHeaders.ValueFromIndex[I];
            end;
          except
            on E: Exception do
            begin
              { a malformed line is skipped }
            end;
          end;
        end;
      finally
        UniServerModule.Unlock;
      end;
    finally
      RespInfoCustomHeaders.Free;
    end;
  end;
end;

Of course, like you, I add custom headers as the "default" when there are none set by the user.

On 7/16/2022 at 11:33 PM, andyhill said:

Could I see what you use inside your CustomHeaders File ?

Yes, but it's not much because I'm giving this option to a user.

All the default headers are in my application UniGUIServerModuleHTTPCommand (but I show them here too)

Here it is:

--https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Keep-Alive: timeout=1, max=10
Feature-Policy: microphone 'none'; geolocation 'none'; camera 'none';

--thanks to @bbm for correcting me on the new settings for this header
Permissions-Policy: microphone=(), geolocation=(), camera=()

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
//protect from ClickJacking attack
X-Frame-Options: DENY
//protect from XSS (Javascript) injection - https://geekflare.com/http-header-implementation/#anchor-x-content-type-options

--the HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
X-XSS-Protection: 1; mode=block
--https://geekflare.com/http-header-implementation/
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
--Cross-Origin-Embedder-Policy: Alternatively, the document can use the variant: Cross-Origin-Embedder-Policy: credentialless instead of require-corp. It allows loading the resource, despite the missing CORP header, at the cost of requesting it without credentials like Cookies.
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin
Referrer-Policy: strict-origin-when-cross-origin
--it works only on https

Clear-Site-Data: "cache"
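A parser for the header file format shown in the last two posts (one "Name: Value" per line, lines starting with "--" or "//" are comments, the file overriding defaults set in code), as an added example that is not part of the original posts or of UniGUI. It adds the checks a server should run before copying file contents into a response: header names must be valid tokens, values must not contain control characters (a CR or LF in a value would end the header and start another), and duplicates are reported instead of silently merged. Comment lines are recognised by their prefix rather than by the text before the colon, so comments without a colon are also ignored. The function names, the DEFAULT_HEADERS object and the HEADER_FILE sample are all constructed for this illustration.

```javascript
// Added example (not part of the original post or of UniGUI): parsing the
// custom-header file format shown above and validating it before the values
// are copied into a response. Format: one "Name: Value" per line; lines that
// start with "--" or "//" are comments. All names, helpers and the sample
// file below are constructed for this illustration.

// RFC 7230 "token": the only characters allowed in a header field name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Control characters other than TAB; a CR or LF here would let a value
// terminate the header and start a new one (header injection).
const CTL = /[\u0000-\u0008\u000a-\u001f\u007f]/;

// Parse the file text. Returns the accepted headers keyed by lower-cased
// name (HTTP header names are case-insensitive) and a list of rejected
// lines with the reason, so misconfigurations get logged rather than hidden.
function parseHeaderFile(text) {
  const headers = new Map();
  const rejected = [];
  const lines = text.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i].replace(/\r$/, '').trim();
    if (line === '' || line.startsWith('--') || line.startsWith('//')) continue;
    const colon = line.indexOf(':');
    if (colon < 0) { rejected.push({ line: i + 1, reason: 'no ":" separator' }); continue; }
    const name = line.slice(0, colon).trim();
    const value = line.slice(colon + 1).trim();
    if (!TOKEN.test(name)) { rejected.push({ line: i + 1, reason: 'invalid header name' }); continue; }
    if (CTL.test(value)) { rejected.push({ line: i + 1, reason: 'control character in value' }); continue; }
    const key = name.toLowerCase();
    // First occurrence wins, which is also what the reverse loop in the
    // Delphi code above ends up doing for duplicates within the file.
    if (headers.has(key)) { rejected.push({ line: i + 1, reason: 'duplicate header name' }); continue; }
    headers.set(key, { name, value });
  }
  return { headers, rejected };
}

// Merge: defaults set in code are used only when the file does not set the
// same header (case-insensitively); otherwise the file's value wins.
function buildResponseHeaders(defaults, fileText) {
  const { headers, rejected } = parseHeaderFile(fileText);
  const merged = new Map();
  for (const [name, value] of Object.entries(defaults)) merged.set(name.toLowerCase(), { name, value });
  for (const [key, h] of headers) merged.set(key, h);
  const out = {};
  for (const { name, value } of merged.values()) out[name] = value;
  return { headers: out, rejected };
}

// Flag headers from the list above that current browsers no longer honour.
function adviseHeaders(headers) {
  const notes = [];
  for (const name of Object.keys(headers)) {
    const key = name.toLowerCase();
    if (key === 'x-xss-protection') notes.push(name + ': deprecated in current browsers; prefer Content-Security-Policy');
    if (key === 'feature-policy') notes.push(name + ': superseded by Permissions-Policy');
  }
  return notes;
}

const DEFAULT_HEADERS = {              // constructed defaults set in code
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'strict-origin',
};

const HEADER_FILE = [                  // constructed sample file
  '--comment line, ignored',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload',
  '//another comment',
  'X-Frame-Options: DENY',
  'Referrer-Policy: strict-origin-when-cross-origin',
  'Referrer-Policy: no-referrer',                 // duplicate: first occurrence kept
  'X-Evil: ok\rSet-Cookie: injected=1',           // lone CR in value: rejected
  'Bad Name: value',                              // space in name: rejected
  'X-XSS-Protection: 1; mode=block',
].join('\n');

const demo = buildResponseHeaders(DEFAULT_HEADERS, HEADER_FILE);
console.log(demo.headers);
console.log('rejected:', demo.rejected);
console.log('advice:', adviseHeaders(demo.headers));
```

Rejected lines are returned rather than swallowed, which is the one behavioural difference from the empty `except` block in the Delphi version: an operator editing the file gets told which line was dropped and why.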

@Sherzod how to apply this code, based on this: https://seclab.stanford.edu/websec/framebusting/framebust.pdf

<style>
body { display: none; }
</style>

<script>
if (self == top) {
  document.getElementsByTagName("body")[0].style.display = 'block';
} else {
  top.location = self.location;
}
</script>

I tried to add the script in MainForm.Script but I get only "please wait" when the page loads.

Explanation of code usage:

"This code works as follows: When the page is loaded, the style sheet hides all content on the page. If JavaScript is disabled, the page will remain blank. Similarly, if the page is framed, it will either remain blank or it will attempt to frame bust. If the frame busting code is blocked, say by hooking the unload event or doing a 204 flushing attack, the page will remain blank. The script only reveals the document’s contents if the page is not running in a frame. Note that users who have JavaScript disabled, via browser setting or NoScript, will not be able to use the site. Designers might want to have a fallback mechanism if such is the case"

9 minutes ago, irigsoft said:

if (self == top) {
document.getElementsByTagName ("body")[0].style.display = 'block';
} else {
top.location = self.location;
};

Ext.onReady(function() {
    if (self == top) {
        document.getElementsByTagName("body")[0].style.display = 'block';
    } else {
        top.location = self.location;
    }
});

?

2 minutes ago, Sherzod said:
Ext.onReady(function() {
    if (self == top) {
        document.getElementsByTagName("body")[0].style.display = 'block';
    } else {
        top.location = self.location;
    }
});

?

Is it possible to use it for protection from the clickjacking attack from the link above in the OnReady event?

Or do I use it in MainForm.Script?
