irigsoft (Author) Posted May 24, 2022
HTTP request smuggling vulnerabilities. If someone can help to set/control request headers, this is why it is important: https://portswigger.net/web-security/request-smuggling
I created some control to restrict the body of the POST request message and added control of "Chunked" encoding. If anyone can test it and help make the code better, I would be happy to test.
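As an added example (not code from this thread or from uniGUI), here is the kind of framing check the post above is asking for, written in JavaScript so it can be run stand-alone. It inspects a raw request head and returns every reason the message should be rejected before a body is read: Content-Length and Transfer-Encoding both present, duplicate or non-numeric Content-Length, a Content-Length above a configured limit, or a Transfer-Encoding value other than the exact token `chunked`. The sample request heads and the `app.example` host are constructed for the example; the 1 MiB default limit is an assumption.

```javascript
// Added example, not from the forum thread: reject HTTP request heads whose
// body framing is ambiguous (the condition request smuggling relies on).
// A front end that refuses these messages cannot be desynchronised from the
// server behind it.

// Parse the header lines of a request head into an ordered list.
function parseHead(rawHead) {
  const lines = rawHead.split(/\r?\n/);
  const headers = [];
  for (const line of lines.slice(1)) {
    if (line === '') break; // blank line ends the head
    const idx = line.indexOf(':');
    if (idx < 0) continue;  // not a "Name: value" line
    headers.push({
      name: line.slice(0, idx).trim().toLowerCase(),
      value: line.slice(idx + 1).trim(),
    });
  }
  return { requestLine: lines[0], headers };
}

// Return a list of problems; an empty list means the framing is unambiguous.
// maxBodyBytes (1 MiB by default, an assumed limit) caps the declared body size.
function smugglingProblems(rawHead, maxBodyBytes = 1024 * 1024) {
  const { headers } = parseHead(rawHead);
  const problems = [];
  const cl = headers.filter(h => h.name === 'content-length');
  const te = headers.filter(h => h.name === 'transfer-encoding');

  if (cl.length > 0 && te.length > 0) {
    problems.push('both Content-Length and Transfer-Encoding present (CL.TE / TE.CL ambiguity)');
  }
  if (cl.length > 1) {
    problems.push('multiple Content-Length headers');
  }
  for (const h of cl) {
    if (!/^\d+$/.test(h.value)) {
      problems.push(`non-numeric Content-Length "${h.value}"`);
    } else if (Number(h.value) > maxBodyBytes) {
      problems.push(`Content-Length ${h.value} exceeds limit of ${maxBodyBytes}`);
    }
  }
  for (const h of te) {
    // Only the exact token "chunked" is accepted; anything else is parsed
    // differently by different servers, which is exactly the disagreement to avoid.
    if (h.value !== 'chunked') {
      problems.push(`unusual Transfer-Encoding value "${h.value}"`);
    }
  }
  return problems;
}

// Constructed sample request heads (not captured traffic).
const SAMPLE_REQUESTS = {
  plain:    'POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 11\r\n\r\n',
  chunked:  'POST /login HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n',
  clAndTe:  'POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 11\r\nTransfer-Encoding: chunked\r\n\r\n',
  doubleCl: 'POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 11\r\nContent-Length: 4\r\n\r\n',
  oddTe:    'POST /login HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: xchunked\r\n\r\n',
  tooBig:   'POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 99999999\r\n\r\n',
};

// Run every sample through the check; returns { sampleName: [problems...] }.
function checkSamples(maxBodyBytes) {
  const out = {};
  for (const [name, head] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = smugglingProblems(head, maxBodyBytes);
  }
  return out;
}

console.log(checkSamples());
```

Only `plain` and `chunked` come back with an empty problem list; each of the other samples is flagged for exactly one reason. In a uniGUI application the same decisions would be taken in the server module's HTTP command handler before the body is read, responding with an error instead of forwarding the request.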
irigsoft (Author) Posted June 28, 2022
Hello all, I am adding this topic (SOLVED) in case someone can help or is searching for a solution:
irigsoft (Author) Posted July 14, 2022
Hello all, is there a way to protect from DOM-based XSS vulnerabilities? More info here:
https://brightsec.com/blog/dom-based-xss/
https://portswigger.net/web-security/cross-site-scripting/dom-based
https://owasp.org/www-community/attacks/DOM_Based_XSS
irigsoft (Author) Posted July 14, 2022
"It is recommended to perform a validation and sanitisation of input data, both on the client side and on the server side, taking the restriction of special characters (</>"-#?), as well as the length of the data, taking into account the nature of the application and the type of data entered (names, emails, numerical values, ...)"
"You're free to utilize any prevention techniques for DOM XSS that you can use for standard XSS attacks. There's only one thing you need to pay attention to. For DOM XSS attacks you need to review and sanitize the client-side code instead of the server-side code."
http://www.webappsec.org/projects/articles/071105.shtml
"To generalize, traditional methods of:
1. HTML encoding output data at the server side
2. Removing/encoding offending input data at the server side
Do not work well against DOM Based XSS."
Effective defenses
1. Avoiding client side document rewriting, redirection, or other sensitive actions, using client side data. Most of these effects can be achieved by using dynamic pages (server side).
2. Analyzing and hardening the client side (Javascript) code. Reference to DOM objects that may be influenced by the user (attacker) should be inspected, including (but not limited to):
document.URL
document.URLUnencoded
document.location (and many of its properties)
document.referrer
window.location (and many of its properties)
3. https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
4. https://crashtest-security.com/cross-site-scripting-xss/
In JavaScript, you need to define an extra function for this task.
You may use:

function escapeHtml(text) {
  // map each significant character to its HTML entity
  var map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;'
  };
  return text.replace(/[&<>"']/g, function(m) { return map[m]; });
}

OR https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html

function escapeHTML(str) {
  str = str + "";        // coerce non-strings
  var out = "";
  for (var i = 0; i < str.length; i++) {
    if (str[i] === '<') { out += '&lt;'; }
    else if (str[i] === '>') { out += '&gt;'; }
    else if (str[i] === "'") { out += '&#39;'; }
    else if (str[i] === '"') { out += '&quot;'; }
    else { out += str[i]; }
  }
  return out;
}
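As an added example that is not part of the post above, the following JavaScript shows an escaper for the five significant HTML characters together with a self-check that proves an escaper actually neutralises them. The check matters here because a version of this function whose entity strings have been decoded back to the bare characters (the shape the snippets above had after being pasted into the forum) is a silent no-op. The probe string, `brokenEscapeHtml` and `renderUntrusted` are constructed for this example.

```javascript
// Added example, not from the forum post: HTML escaping for DOM sinks plus a
// self-check that detects an escaper which maps characters to themselves.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Correct escaper: every significant character becomes an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Constructed to mirror the garbled snippet: identity mapping, so a no-op.
function brokenEscapeHtml(text) {
  const map = { '&': '&', '<': '<', '>': '>', '"': '"', "'": "'" };
  return String(text).replace(/[&<>"']/g, ch => map[ch]);
}

// Reverse only the entities escapeHtml emits (single pass, so "&amp;lt;" -> "&lt;").
function unescapeHtml(s) {
  const back = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => back[name]);
}

// True only if no significant character survives, every '&' in the output
// starts one of our entities, and the result decodes back to the input.
function escaperIsEffective(escapeFn) {
  const probe = `<b title="x">Tom & Jerry's</b>`; // constructed probe
  const out = escapeFn(probe);
  if (/[<>"']/.test(out)) return false;
  if (!/^([^&]|&amp;|&lt;|&gt;|&quot;|&#39;)*$/.test(out)) return false;
  return unescapeHtml(out) === probe;
}

// Preferred DOM sink: textContent never parses HTML, so no escaping is needed.
// Takes any object with a textContent property (a real element in a browser).
function renderUntrusted(element, value) {
  element.textContent = String(value);
  return element;
}

console.log(escapeHtml(`<b title="x">Tom & Jerry's</b>`));
console.log('working escaper effective:', escaperIsEffective(escapeHtml));
console.log('garbled escaper effective:', escaperIsEffective(brokenEscapeHtml));
```

Run once after pasting any escaper into a project: `escaperIsEffective` returns `true` for the working function and `false` for the identity-mapped one. Where the value is only displayed, assigning `textContent` (or Ext's `Ext.util.Format.htmlEncode` in an ExtJS/uniGUI client) avoids the sink problem altogether.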
irigsoft (Author) Posted July 15, 2022
Hello, here is a topic on how to replace special symbols on the client side (against DOM-based XSS).
irigsoft (Author) Posted July 15, 2022
Clear-Site-Data is a good security header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
Experts:
"This header is useful, for example, during a logout process, to ensure that all content stored on the client side is deleted."
"This is a privacy and security enhancing feature. A sensitive website can trigger local data deletion after the user signs out. A website dealing with a persistent XSS attack can use this to 'reset' itself to a clean state."
Tokay Posted July 15, 2022
I've added custom headers and am testing now. For now all works well:

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
  AResponseInfo: TIdHTTPResponseInfo; var Handled: boolean);
begin
  AResponseInfo.CustomHeaders.AddValue('strict-transport-security', 'max-age=31536000; includeSubDomains; preload');
  AResponseInfo.CustomHeaders.AddValue('X-Frame-Options', 'DENY');
  AResponseInfo.CustomHeaders.AddValue('X-Xss-Protection', '1;mode=block');
  AResponseInfo.CustomHeaders.AddValue('X-Content-Type-Options', 'nosniff');
  AResponseInfo.CustomHeaders.AddValue('Referrer-Policy', 'strict-origin');
end;
irigsoft (Author) Posted July 15, 2022
36 minutes ago, Tokay said:
I've added custom headers and am testing now. For now all works well:

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
  AResponseInfo: TIdHTTPResponseInfo; var Handled: boolean);
begin
  AResponseInfo.CustomHeaders.AddValue('strict-transport-security', 'max-age=31536000; includeSubDomains; preload');
  AResponseInfo.CustomHeaders.AddValue('X-Frame-Options', 'DENY');
  AResponseInfo.CustomHeaders.AddValue('X-Xss-Protection', '1;mode=block');
  AResponseInfo.CustomHeaders.AddValue('X-Content-Type-Options', 'nosniff');
  AResponseInfo.CustomHeaders.AddValue('Referrer-Policy', 'strict-origin');
end;

Thank you. To allow all my users to load custom headers from a file, I have created this in TUniServerModule.UniGUIServerModuleHTTPCommand:

var
  RespInfoCustomHeaders: TStringList; // created once with the server module, freed with it
  I: Integer;
...
  RespInfoCustomHeaders.LoadFromFile('PathToMyFilewithCustomHeaders'); // this creates a big amount of RAM
  if Assigned(AResponseInfo.CustomHeaders) then
  begin
    RespInfoCustomHeaders.NameValueSeparator := ':';
    RespInfoCustomHeaders.StrictDelimiter := True;
    // reload custom headers
    UniServerModule.Lock;
    try
      if FileExists(ExtractFileDir(Application.ExeName) + '\PathToYourLocation') then
        RespInfoCustomHeaders.LoadFromFile(ExtractFileDir(Application.ExeName) + '\PathToYourLocation');
      for I := RespInfoCustomHeaders.Count - 1 downto 0 do
      begin
        try
          // if the line is not commented out, add it to CustomHeaders
          if (Copy(RespInfoCustomHeaders.Names[I], 1, 2) <> '--') and
             (Copy(RespInfoCustomHeaders.Names[I], 1, 2) <> '//') then
          begin
            if AResponseInfo.CustomHeaders.IndexOfName(RespInfoCustomHeaders.Names[I]) < 0 then
              AResponseInfo.CustomHeaders.AddValue(RespInfoCustomHeaders.Names[I],
                RespInfoCustomHeaders.ValueFromIndex[I])
            else
              AResponseInfo.CustomHeaders.Values[RespInfoCustomHeaders.Names[I]] :=
                RespInfoCustomHeaders.ValueFromIndex[I];
          end;
        except
          on E: Exception do
          begin
            // a bad line must not break the response; ignore it
          end;
        end;
      end;
    finally
      UniServerModule.Unlock; // always release the lock, even if loading fails
    end;
  end;

Of course, like you, I add custom headers to use as "default" when there are none set by the user.
andyhill Posted July 16, 2022
Could I see what you use inside your CustomHeaders file?
irigsoft (Author) Posted July 17, 2022
On 7/16/2022 at 11:33 PM, andyhill said:
Could I see what you use inside your CustomHeaders file?

Yes, but it's not much, because I'm giving this option to the user. All the default headers are in my application's UniGUIServerModuleHTTPCommand (but I show them here too). Here it is:

--https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Keep-Alive: timeout=1, max=10
Feature-Policy: microphone 'none'; geolocation 'none'; camera 'none';
--thanks to @bbm for correcting me on the new settings for this header
Permissions-Policy: microphone=(), geolocation=(), camera=()
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
//protect from clickjacking attack
X-Frame-Options: DENY
//protect from XSS (JavaScript) injection - https://geekflare.com/http-header-implementation/#anchor-x-content-type-options
--the HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
X-XSS-Protection: 1; mode=block
--https://geekflare.com/http-header-implementation/
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
--Cross-Origin-Embedder-Policy: Alternatively, the document can use the variant: Cross-Origin-Embedder-Policy: credentialless instead of require-corp. It allows loading the resource, despite the missing CORP header, at the cost of requesting it without credentials like Cookies.
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin
Referrer-Policy: strict-origin-when-cross-origin
--it works only on https
Clear-Site-Data: "cache"
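As an added example (not code from the thread or from uniGUI), this JavaScript reproduces the header-file scheme from the two posts above so it can be exercised outside Delphi: lines beginning with `--` or `//` are comments, every other line is `Name: value`, and entries from the file replace same-named defaults with a case-insensitive name match (the behaviour the TStringList lookup in the earlier Delphi post gives). It also lists which of the resulting headers browsers only honour over HTTPS, which is the caveat attached to Clear-Site-Data above. The default set and the sample file content are constructed for this example, modelled on the list in the post.

```javascript
// Added example, not from the forum thread: parse a custom-headers file,
// merge it over built-in defaults, and flag headers that need HTTPS.

// Constructed defaults (a subset of the headers discussed in the thread).
const DEFAULT_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin',
};

// Constructed sample of the user's custom-headers file.
const SAMPLE_HEADER_FILE = [
  '--comment lines are skipped',
  '//this one too',
  'Permissions-Policy: microphone=(), geolocation=(), camera=()',
  'referrer-policy: strict-origin-when-cross-origin',   // overrides a default, different case
  'Cross-Origin-Opener-Policy: same-origin',
  'Clear-Site-Data: "cache"',
  'not a header line',                                   // ignored, like the try/except in the Delphi code
].join('\n');

// Parse "Name: value" lines, skipping comments and lines without a separator.
function parseHeaderFile(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('--') || line.startsWith('//')) continue;
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    entries.push({ name: line.slice(0, idx).trim(), value: line.slice(idx + 1).trim() });
  }
  return entries;
}

// Start from the defaults; file entries replace same-named headers (case-insensitive),
// keeping the default's original spelling of the name when one exists.
function buildResponseHeaders(defaults, fileText) {
  const byKey = new Map(); // lowercase name -> { name, value }
  for (const [name, value] of Object.entries(defaults)) {
    byKey.set(name.toLowerCase(), { name, value });
  }
  for (const e of parseHeaderFile(fileText)) {
    const key = e.name.toLowerCase();
    const existing = byKey.get(key);
    byKey.set(key, { name: existing ? existing.name : e.name, value: e.value });
  }
  return Object.fromEntries([...byKey.values()].map(h => [h.name, h.value]));
}

// Headers that browsers ignore on plain http: HSTS and Clear-Site-Data
// both require a secure context.
const SECURE_CONTEXT_ONLY = new Set(['strict-transport-security', 'clear-site-data']);

function headersNeedingHttps(headers) {
  return Object.keys(headers).filter(n => SECURE_CONTEXT_ONLY.has(n.toLowerCase()));
}

const merged = buildResponseHeaders(DEFAULT_HEADERS, SAMPLE_HEADER_FILE);
console.log(merged);
console.log('only effective over https:', headersNeedingHttps(merged));
```

With the sample file, `Referrer-Policy` ends up as `strict-origin-when-cross-origin` (the file wins over the default), the three new headers are appended, the comment and junk lines are dropped, and `Strict-Transport-Security` and `Clear-Site-Data` are reported as HTTPS-only, so a deployment that still serves plain http knows those two lines are doing nothing.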
irigsoft (Author) Posted July 17, 2022
The result is: when using
Cross-Origin-Opener-Policy: same-origin
but there is no problem if you use
Cross-Origin-Opener-Policy: credentialless
andyhill Posted July 17, 2022
Thanks
irigsoft (Author) Posted July 18, 2022
9 hours ago, andyhill said:
Thanks

If you change something, please share.
irigsoft (Author) Posted July 23, 2022
Hi, I found that protection against clickjacking attacks is not enough with the header alone:
'X-Frame-Options', 'DENY'
I will try to make FrameBusting based on this: https://seclab.stanford.edu/websec/framebusting/framebust.pdf
irigsoft (Author) Posted July 23, 2022
@Sherzod how do I apply this code, based on this: https://seclab.stanford.edu/websec/framebusting/framebust.pdf

<style> body { display: none; } </style>
<script>
  if (self == top) {
    document.getElementsByTagName("body")[0].style.display = 'block';
  } else {
    top.location = self.location;
  }
</script>

I tried to add the script in MainForm.Script but I only get "please wait" when the page loads.
Explanation of the code's usage:
"This code works as follows: When the page is loaded, the style sheet hides all content on the page. If JavaScript is disabled, the page will remain blank. Similarly, if the page is framed, it will either remain blank or it will attempt to frame bust. If the frame busting code is blocked, say by hooking the unload event or doing a 204 flushing attack, the page will remain blank. The script only reveals the document's contents if the page is not running in a frame. Note that users who have JavaScript disabled, via browser setting or NoScript, will not be able to use the site. Designers might want to have a fallback mechanism if such is the case"
Sherzod Posted July 23, 2022
Hello @irigsoft
Well, try without tags (<style>, <script>) using CustomCSS, CustomFiles for example.
Sherzod Posted July 23, 2022
Just now, Sherzod said:
CustomFiles

Or using MainForm.Script (also without tag <script>)
irigsoft (Author) Posted July 23, 2022
1 hour ago, Sherzod said:
Or using MainForm.Script (also without tag <script>)

Thanks, but of course I tried it without the script tag, and the result is as I wrote above: it just shows "loading..." on screen.
Sherzod Posted July 23, 2022
1 hour ago, irigsoft said:
’ bl o c k ’

'block'
Sherzod Posted July 23, 2022
1 hour ago, irigsoft said:
”body ”

"body"
irigsoft (Author) Posted July 23, 2022
2 minutes ago, Sherzod said:
"body"

This is the code I use in MainForm.Script:

//framebust
if (self == top) {
  document.getElementsByTagName("body")[0].style.display = 'block';
} else {
  top.location = self.location;
};
Sherzod Posted July 23, 2022
9 minutes ago, irigsoft said:
if (self == top) {
  document.getElementsByTagName("body")[0].style.display = 'block';
} else {
  top.location = self.location;
};

Ext.onReady(function() {
  if (self == top) {
    document.getElementsByTagName("body")[0].style.display = 'block';
  } else {
    top.location = self.location;
  }
});

?
irigsoft (Author) Posted July 23, 2022
@Sherzod, if I use this code:

//framebust
if (self == top) {
  //document.getElementsByTagName("body")[0].style.display = 'block';
  alert(document.getElementsByTagName("body")[0]);
} else {
  top.location = self.location;
};

it shows the message "undefined".
irigsoft (Author) Posted July 23, 2022
2 minutes ago, Sherzod said:
Ext.onReady(function() {
  if (self == top) {
    document.getElementsByTagName("body")[0].style.display = 'block';
  } else {
    top.location = self.location;
  }
});
?

Is it possible to use it for protection from the clickjacking attack from the link above in the OnReady event? Or do I use it in MainForm.Script?
Sherzod Posted July 23, 2022
MainForm.Script:

Ext.onReady(function() {
  if (self == top) {
    document.getElementsByTagName("body")[0].style.display = 'block';
  } else {
    top.location = self.location;
  }
});