
Can we apply some protection against different attacks


irigsoft


I'm interested in security mechanisms, and how we can implement protection against some major attacks.

1. DDoS

2. SQL injection

3. HTML injection

4. JavaScript injection

I'm not a security expert, but we need to know about that.

Is there documentation or a hidden forum about this where we can read or comment?


Thanks,

The question is:

What are the best security practices when using UniGUI?

There are many security risks on the web and it is useful to know which ones the UNIGUI team has taken care of by default and which ones we will have to take care of.

I read a lot of information and topics in the forum, but I do not know how and what I should defend.

Is there documentation for this?


4 hours ago, Sherzod said:

You should always use parameterized queries...

I use this + blacklisted SQL commands, to ignore manipulations.

But how do I encrypt and transfer data between client and server?

Simple examples of DDoS attacks:

1. Smurf Attacks

2. UDP Attacks

3. SYN Flood Attack

 

How do I protect against a SYN Flood Attack, or don't I need that, for example?

 


In the ServerModule:

AntiFloodPerIP prevents multiple accesses from the same IP, similar to DDoS attacks or a SYN Flood Attack.

WhipeIPList defines a list of IPs that can connect to your system.

 

Protection against DDoS attacks must be implemented at the network layer, before traffic reaches your server; it does not depend on UniGUI.

Whenever you capture something to execute SQL queries without parameterization, replace the content of the string by removing the single-quote character ('); this avoids SQL injection.

 

Smurf Attacks -  I only know they are blue rs
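A parameterized query in Delphi, as an added example (not code from this thread or from UniGUI's own sources), for the two points above: Sherzod's "always use parameterized queries" and the suggestion of stripping single quotes. It uses FireDAC with an in-memory SQLite table constructed for the demonstration; the table, names and the helper names CountUsersNamed and UnsafeSqlForComparison are made up. Once the value is bound as a parameter, quote stripping is neither needed nor wanted: a legitimate name containing a quote is searched for correctly instead of being mangled, while concatenation produces a broken statement.

```pascal
program ParamQueryDemo;
{$APPTYPE CONSOLE}
uses
  System.SysUtils,
  FireDAC.Comp.Client, FireDAC.Stan.Def, FireDAC.DApt, FireDAC.Phys.SQLite;

// Counts users with exactly this name. The SQL text is constant; the value is
// bound as a parameter, so the database never parses user input as SQL.
function CountUsersNamed(Conn: TFDConnection; const Name: string): Integer;
var
  Q: TFDQuery;
begin
  Q := TFDQuery.Create(nil);
  try
    Q.Connection := Conn;
    Q.SQL.Text := 'SELECT COUNT(*) AS n FROM users WHERE name = :name';
    Q.ParamByName('name').AsString := Name;   // bound, never concatenated
    Q.Open;
    Result := Q.FieldByName('n').AsInteger;
  finally
    Q.Free;
  end;
end;

// The pattern to avoid: building the statement from the input itself.
// Removing quotes from Name patches one case but also corrupts real data
// (O'Brien becomes OBrien) and does nothing for unquoted numeric contexts
// such as "WHERE id = " + Input.
function UnsafeSqlForComparison(const Name: string): string;
begin
  Result := 'SELECT COUNT(*) AS n FROM users WHERE name = ''' + Name + '''';
end;

var
  Conn: TFDConnection;
begin
  Conn := TFDConnection.Create(nil);
  try
    // constructed sample data: an in-memory SQLite database with two rows
    Conn.DriverName := 'SQLite';
    Conn.Params.Database := ':memory:';
    Conn.Open;
    Conn.ExecSQL('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    Conn.ExecSQL('INSERT INTO users (name) VALUES (''alice'')');
    Conn.ExecSQL('INSERT INTO users (name) VALUES (''O''''Brien'')');

    // exact match on a plain name
    Writeln('alice   : ', CountUsersNamed(Conn, 'alice'));
    // the quote inside the value is just data for the bound parameter
    Writeln('O''Brien : ', CountUsersNamed(Conn, 'O''Brien'));
    // what concatenation would have sent: a statement the quote has broken
    Writeln('concatenated text: ', UnsafeSqlForComparison('O''Brien'));
  finally
    Conn.Free;
  end;
end.
```

The same ParamByName pattern applies to TUniDBEdit/TUniEdit values handed to any FireDAC, dbExpress or ADO query: keep the SQL text fixed in code and hand every client-supplied value over as a parameter.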


"in servermodule

AntiFloodPerIP  prevents multiple access from the same ip, similar to ddos attacks or SYN Flood Attack

WhipeIPList define a list of ips that can connect to your system"

 

Thanks, that's exactly what I would like to read from some documentation.

 

"prevents multiple access from the same ip", but if I have a client working from an office with 10 computers (behind external IP 65.000.45....),

then will only one connection be executed, or all 10 computers?
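To illustrate the NAT question above (ten office machines behind one public address), here is a small per-IP flood counter as an added example. It is not UniGUI's AntiFloodPerIP implementation, whose internals the thread does not describe; TIpFloodGuard, the limit, the window and the addresses are all constructed for the demonstration. Any limit keyed on the source IP sees all ten machines as one client, because they share that address, so the usual remedy is an allow-list for known office addresses, which is what the example's Allow method models.

```pascal
program AntiFloodDemo;
{$APPTYPE CONSOLE}
uses
  System.SysUtils, System.Generics.Collections;

type
  // Hypothetical fixed-window counter: at most FLimit requests per source IP
  // within FWindow, except for allow-listed addresses.
  TIpFloodGuard = class
  private
    FLimit: Integer;
    FWindow: TDateTime;                          // window length as a day fraction
    FAllowList: TList<string>;                   // never throttled
    FCounts: TDictionary<string, Integer>;       // requests seen in the current window
    FWindowStart: TDictionary<string, TDateTime>;
  public
    constructor Create(ALimit, AWindowSeconds: Integer);
    destructor Destroy; override;
    procedure Allow(const Ip: string);
    function Accept(const Ip: string; At: TDateTime): Boolean;
  end;

constructor TIpFloodGuard.Create(ALimit, AWindowSeconds: Integer);
begin
  inherited Create;
  FLimit := ALimit;
  FWindow := AWindowSeconds / SecsPerDay;
  FAllowList := TList<string>.Create;
  FCounts := TDictionary<string, Integer>.Create;
  FWindowStart := TDictionary<string, TDateTime>.Create;
end;

destructor TIpFloodGuard.Destroy;
begin
  FAllowList.Free;
  FCounts.Free;
  FWindowStart.Free;
  inherited;
end;

procedure TIpFloodGuard.Allow(const Ip: string);
begin
  FAllowList.Add(Ip);
end;

// True when the request may proceed, False when this IP exceeded its budget.
function TIpFloodGuard.Accept(const Ip: string; At: TDateTime): Boolean;
var
  Start: TDateTime;
  Count: Integer;
begin
  if FAllowList.Contains(Ip) then
    Exit(True);
  // open a fresh window on first sight or once the old one has elapsed
  if (not FWindowStart.TryGetValue(Ip, Start)) or (At - Start >= FWindow) then
  begin
    FWindowStart.AddOrSetValue(Ip, At);
    FCounts.AddOrSetValue(Ip, 0);
  end;
  Count := FCounts[Ip] + 1;
  FCounts[Ip] := Count;
  Result := Count <= FLimit;
end;

var
  Guard: TIpFloodGuard;
  T0: TDateTime;
  I: Integer;
begin
  // constructed policy: 5 requests per 10 seconds per source address
  Guard := TIpFloodGuard.Create(5, 10);
  try
    T0 := EncodeDate(2024, 1, 1);
    // Ten office PCs behind one NAT address all arrive as 203.0.113.10, so they
    // share a single budget; from the sixth request in the window on, Accept is False.
    for I := 1 to 10 do
      Writeln('203.0.113.10 request ', I, ': ', Guard.Accept('203.0.113.10', T0 + I / SecsPerDay));
    // A different address has its own budget.
    Writeln('198.51.100.7 request 1: ', Guard.Accept('198.51.100.7', T0 + 11 / SecsPerDay));
    // Allow-listing the office address exempts all ten machines behind it.
    Guard.Allow('203.0.113.10');
    Writeln('203.0.113.10 after allow-list: ', Guard.Accept('203.0.113.10', T0 + 12 / SecsPerDay));
  finally
    Guard.Free;
  end;
end.
```

The trade-off is the one the question hints at: a per-IP limit tuned for single users will throttle a whole office, and an allow-list wide enough for the office also exempts anything else that egresses through that address, so the limit for allow-listed addresses should be raised rather than removed in production.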


21 minutes ago, Sherzod said:

V 1.00.00

[UNG-2175] - Client side JS hacking is possible when control's parent is disabled or invisible.

this is possible right now:

after loading the URL of your site, try sending this code from the address bar:   javascript:alert ('Hacked');

I read this article and it works: https://www.softwaretestinghelp.com/javascript-injection-tutorial/

so JavaScript injection is possible even in a simple form, like this: javascript:void(document.cookie="username=otherUser");


32 minutes ago, irigsoft said:

after loading the URL of your site, try sending this code from the address bar:   javascript:alert ('Hacked');

For example open google.com, same thing.

 

33 minutes ago, irigsoft said:

so JavaScript injection is possible even in a simple form, like this: javascript:void(document.cookie="username=otherUser");

You shouldn't use simple cookie names...


12 minutes ago, Sherzod said:

For example open google.com, same thing.

 

You shouldn't use simple cookie names...

I do not currently use cookies, if I have to use them they will be encrypted, but I am afraid that injecting javascript may disrupt functionality or steal some identification or payment information.

How can I catch JavaScript code sent from the client and check and manipulate it to ignore the injection, with something like UniGUIServerModuleHTTPCommand, UniGUIMainModuleHandleRequest, UniFormAjaxEvent or similar?


8 hours ago, andyhill said:

Thanks for above.

What would be the syntax (AResponseInfo.CustomHeaders.AddValue) for HSTS (HTTP Strict Transport Security) ?

I'm not sure, Sherzod will say if it's right, but I think so:

AResponseInfo.CustomHeaders.AddValue ('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');

 

I made my Customheader file to load all the necessary Headers in TUniServerModule.UniGUIServerModuleHTTPCommand, but it is good if we can load from the server at startup as we do for UniServerModule.CustomCSS.

 

All security options make sense if you use a StandAlone server or Service.

 


I was looking in the ServerModule to see where to add AResponseInfo.CustomHeaders ?

Please advise how to add in server module - thanks

 

I tried this below, is this how it is done ? If so is it ONCE Only -OR- Every time the Event is Fired ?

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
begin

  if AddRespHdrFlag = True then begin
    AddRespHdrFlag:= False;
    // directives of this header are separated by ';', not ','
    AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');
  end;

...


8 hours ago, andyhill said:

I was looking in the ServerModule to see where to add AResponseInfo.CustomHeaders ?

Please advise how to add in server module - thanks

 

I tried this below, is this how it is done ? If so is it ONCE Only -OR- Every time the Event is Fired ?

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
begin

  if AddRespHdrFlag = True then begin
    AddRespHdrFlag:= False;
    AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');
  end;

...

Hi,

I don't know in which function / procedure in the server module I can put this command.

I use information from this topic: 

 

and apply for 'X-XSS-Protection'.

Yes , "Every time the Event is Fired" !

I prefer to load it once in UniGUIServerModuleCreate, but there is no such thing.

Maybe it is possible to load from a file in UniGUIServerModuleCreate into a local variable, and after that load the data from this variable in UniGUIServerModuleHTTPCommand.


OK, so I implemented the following based on this discussion thread.

  if AddRespXxssHdrFlag = True then begin
    // Help prevent reflected cross-site scripting attacks
    // If a potential XSS Reflection attack is detected, the browser will prevent rendering of the page
    // (directives are separated by ';')
    AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');
  end;
  if AddRespHstsHdrFlag = True then begin
    // The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header,
    // the browser records this information (max-age=31536000 seconds, i.e. one year), so that future attempts to load the site using HTTP will automatically use HTTPS instead
    AResponseInfo.CustomHeaders.AddValue('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
  end;
 

Using Chrome

Testing Hsts on http://127.0.0.1 no SSL worked just fine 

Testing Hsts on http://192.168.x.x no SSL Certificate worked just fine ???

So it appears End User must use https FIRST before Hsts works ??? How do we make Browser go from HTTP to HTTPS without a ReDirect Script ? 


15 hours ago, andyhill said:

OK, so I implemented the following based on this discussion thread.

  if AddRespXxssHdrFlag = True then begin
    // Help prevent reflected cross-site scripting attacks
    // If a potential XSS Reflection attack is detected, the browser will prevent rendering of the page
    // (directives are separated by ';')
    AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');
  end;
  if AddRespHstsHdrFlag = True then begin
    // The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header,
    // the browser records this information (max-age=31536000 seconds, i.e. one year), so that future attempts to load the site using HTTP will automatically use HTTPS instead
    AResponseInfo.CustomHeaders.AddValue('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
  end;
 

Using Chrome

Testing Hsts on http://127.0.0.1 no SSL worked just fine 

Testing Hsts on http://192.168.x.x no SSL Certificate worked just fine ???

So it appears End User must use https FIRST before Hsts works ??? How do we make Browser go from HTTP to HTTPS without a ReDirect Script ? 

forum with problem: https://superuser.com/questions/1107285/hsts-not-working-with-chrome

@andyhill I think that's the solution of the problem: "For others who are seeing a similar issue - it may be because your browser has not yet accessed the site over HTTPS. Try accessing it over HTTPS and then again over HTTP. If HSTS is correctly implemented, then that last request should fail. MDN explains it nicely:"

or this: "The problem was that i had no CA in chrome trusted store. Added exception manually. It looks like for such a scenario chrome does not honor HSTS headers. Once added CA to the trusted store everything is working fine - i also see my domain in chrome://net-internals/#hsts. Thanks ! "

Please try it and write back the result.

 

"How do we make Browser go from HTTP to HTTPS without a ReDirect Script ", maybe this will help :

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

"Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header."

 

https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/

google docs: https://www.chromium.org/hsts


@andyhill, will this help: https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections

or this: https://en.wikipedia.org/wiki/URL_redirection

 

Can you try this (I don't know if it will work):

Add a custom meta in UniGUIServerModuleCreate; this will redirect to https:

  // from here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections

  //check up this: https://www.w3.org/QA/Tips/reback

    CustomMeta.Add ('<meta http-equiv="Refresh" content="0; URL=https://YOURSECURITILOCATION.COM/">');

 

and add this in UniGUIServerModuleHTTPCommand; this will redirect to https and block if https is not available:

   //from here: https://en.wikipedia.org/wiki/URL_redirection

   AResponseInfo.CustomHeaders.AddValue('Refresh', '0; url=https://YOURSECURITILOCATION.COM/');

    AResponseInfo.CustomHeaders.AddValue ('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');


Yes, redirection works in UniGUIServerModuleHTTPCommand:

var
  newURL_SSL: String;

change http:// to https:// (but I am not sure where to get the URL from, maybe from here: TUniGUISession(AResponseInfo.Session).URLPAth)

  newURL_SSL := StringReplace(TUniGUISession(AResponseInfo.Session).URLPAth, 'http://', 'https://', [rfIgnoreCase]);

  if Pos('https://', TUniGUISession(AResponseInfo.Session).URLPAth) = 0 then begin
    AResponseInfo.ResponseNo := 308;
    AResponseInfo.ResponseText := 'Permanently redirected';
    //AResponseInfo.Location := newURL_SSL;
    AResponseInfo.Redirect(newURL_SSL);
  end;

 


Thank you. I now have the following code based on the advice given.

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
var
  newURL_SSL: String;
begin

  if AddRespXxssHdrFlag = True then begin
    // Help prevent reflected cross-site scripting attacks
    // If a potential XSS Reflection attack is detected, the browser will prevent rendering of the page
    // (directives are separated by ';')
    AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');
  end;

  if UseSslFlag = True then begin
    // rfIgnoreCase already matches 'HTTP://'; the rest of the URL is not lower-cased, since paths can be case-sensitive
    newURL_SSL:= StringReplace(TUniGUISession(AResponseInfo.Session).URLPAth, 'http://', 'https://', [rfIgnoreCase]);
    if (Pos('https://', LowerCase(TUniGUISession(AResponseInfo.Session).URLPAth)) = 0) then begin
      AResponseInfo.ResponseNo:= 308;
      AResponseInfo.ResponseText:= 'Permanently Redirected';
      // Note: Indy's Redirect() sets the status code itself (302 Found) and writes the header;
      // to really answer with 308, set Location and leave ResponseNo at 308 (and mark Handled) instead of calling Redirect
      AResponseInfo.Redirect(newURL_SSL);
    end;
  end;

  if AddRespHstsHdrFlag = True then begin
    // The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header,
    // the browser records this information (max-age=31536000 seconds, i.e. one year), so that future attempts to load the site using HTTP will automatically use HTTPS instead
    AResponseInfo.CustomHeaders.AddValue('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
  end;

...
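The header and redirect logic from the ServerModule code in this thread, pulled into two plain functions that can be run and checked outside UniGUI. This is an added example, not the thread's or UniGUI's own code; HttpsRedirectTarget and SecurityHeaders are hypothetical helper names and the host names are made up. It follows the MDN note quoted earlier: the HSTS header is only emitted on TLS responses, because browsers ignore it on plain HTTP, and the http-to-https redirect (the 308 branch in the ServerModule) is what moves a first-time http visitor onto a connection where the header counts. Already-https and scheme-less URLs produce no redirect target, which keeps the handler from redirecting in a loop.

```pascal
program SecurityHeadersDemo;
{$APPTYPE CONSOLE}
uses
  System.SysUtils, System.StrUtils, System.Classes;

// Returns the https:// form of a request URL, or '' when no redirect is due.
// Only an explicit http:// scheme is rewritten; already-https or scheme-less
// input yields '' so the caller never redirects to the page it is already on.
function HttpsRedirectTarget(const Url: string): string;
begin
  Result := '';
  if StartsText('http://', Url) then
    Result := 'https://' + Copy(Url, Length('http://') + 1, MaxInt);
end;

// Fills Headers with "Name:Value" lines to add to the response.
// X-XSS-Protection separates its directives with ';'. Strict-Transport-Security
// is added only when the response itself goes out over TLS; on a plain HTTP
// response the browser discards it anyway.
procedure SecurityHeaders(Headers: TStrings; OverTls: Boolean);
begin
  Headers.Clear;
  Headers.NameValueSeparator := ':';
  Headers.Values['X-XSS-Protection'] := '1; mode=block';
  if OverTls then
    Headers.Values['Strict-Transport-Security'] :=
      'max-age=31536000; includeSubDomains; preload';  // 31536000 s = one year
end;

var
  H: TStringList;
  I: Integer;
begin
  // constructed request URLs
  Writeln('http request  : [', HttpsRedirectTarget('http://app.example.test/login?x=1'), ']');  // rewritten to https
  Writeln('https request : [', HttpsRedirectTarget('https://app.example.test/'), ']');          // empty: already secure
  Writeln('no scheme     : [', HttpsRedirectTarget('/login'), ']');                             // empty: nothing to decide on

  H := TStringList.Create;
  try
    Writeln('headers on a TLS response:');
    SecurityHeaders(H, True);
    // in UniGUIServerModuleHTTPCommand this loop becomes
    //   AResponseInfo.CustomHeaders.AddValue(H.Names[I], H.ValueFromIndex[I]);
    for I := 0 to H.Count - 1 do
      Writeln('  ', H.Names[I], ': ', H.ValueFromIndex[I]);

    Writeln('headers on a plain HTTP response:');
    SecurityHeaders(H, False);
    for I := 0 to H.Count - 1 do
      Writeln('  ', H.Names[I], ': ', H.ValueFromIndex[I]);
  finally
    H.Free;
  end;
end.
```

One caveat for deployments: if the UniGUI application sits behind a TLS-terminating proxy or load balancer, the session URL may read http:// on every request, so a check on the URL alone would redirect forever; in that setup the decision has to come from the proxy's forwarded-protocol header (conventionally X-Forwarded-Proto) instead, and only from a proxy you trust to set it.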

 

