irigsoft Posted March 14, 2021 (Author)

7 hours ago, andyhill said:

Here is my latest implementation:-

procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
var
  Referer, RedirectURL, FormattedDateTime: String;
begin
  // FORCE https Hack
  if UniServerModule.UseSslFlag = True then
  begin
    if UniSession.ARequest.URI = '/HandleEvent' then
    begin
      Referer := LowerCase(UniSession.ARequest.Referer);
      if LeftStr(Referer, 5) = 'http:' then
      begin
        if ( (UniServerModule.AllRefererSslFlag = True)              // ReDirect ALL http
          or (Pos(UniServerModule.DomainName, Referer) > 0)         // ReDirect DomainName http
          //or (Pos(UniServerModule.BindToIpStr, Referer) > 0)       // ReDirect Bound IP http (Testing)
           ) then
        begin
          Handled := True;
          // Analytics
          Inc(UniServerModule.ReDirectCounter);
          // Audit
          DateTimeToString(FormattedDateTime, 'dd/mm/yyyy hh:nn:ss.z', Now());
          UniServerModule.Logger.AddLog('ANDY-M', UniSession.RemoteIP + ' - ' + FormattedDateTime + ' - ' +
            UniSession.SessionId + ' - ReDirect "' + Referer + '" ' +
            '(' + IntToStr(UniServerModule.ReDirectCounter) + ')');
          // http --> https (only the first occurrence of the scheme is rewritten)
          RedirectURL := StringReplace(Referer, 'http://', 'https://', [rfIgnoreCase]);
          // Prevent ReCycling
          UniSession.AResponse.ResponseNo := 308;
          UniSession.AResponse.ResponseText := 'Redirected';
          // Add Delete Current Thread Here
          // ReDirect
          UniSession.UrlRedirect(RedirectURL);
        end; // Process
      end; // 'http:'
    end; // '/HandleEvent'
  end; // UseSslFlag
end;

Happy for feed back.

Does it work for you? Just for information.
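Editor's added example (not code from the thread or from uniGUI): the same http-to-https redirect expressed as two small Python functions so the decision can be tested in isolation. It differs from the posted Delphi in two deliberate ways a practitioner would want: it decides from the scheme the request actually arrived on rather than from the Referer header (which the client chooses), and it only ever redirects to a host on a server-side allow-list, so the server cannot be used to bounce visitors to some other site. It also returns a Strict-Transport-Security header on https responses so that browsers stop issuing plain-http requests for the domain at all. The host names, the one-year HSTS lifetime and the 308 status are assumptions for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# One year, the commonly recommended minimum for HSTS (assumption for this example).
HSTS_MAX_AGE = 31536000


def to_https(url: str) -> str:
    """Rewrite only the scheme of an absolute URL; host, port, path and query stay intact."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


def force_https(scheme: str, host: str, path: str, query: str,
                allowed_hosts: frozenset, hsts_max_age: int = HSTS_MAX_AGE):
    """Decide what to do with one request.

    scheme is the scheme the request really arrived on (the TLS socket, or a
    proxy-supplied X-Forwarded-Proto if and only if you trust that proxy).
    Returns (status, headers):
      308 + Location   for plain-http requests to one of our own hosts,
      200 + HSTS header for https requests,
      400              for a Host header we do not serve (no open redirect).
    """
    hostname = host.split(":", 1)[0].lower()
    if hostname not in allowed_hosts:
        return 400, {}
    if scheme.lower() == "http":
        # Build the target from the validated Host, keeping port, path and query.
        target = urlunsplit(("https", host, path, query, ""))
        return 308, {"Location": target}
    return 200, {"Strict-Transport-Security": f"max-age={hsts_max_age}; includeSubDomains"}


if __name__ == "__main__":
    hosts = frozenset({"example.test"})
    print(force_https("http", "example.test:8077", "/HandleEvent", "a=1", hosts))
    print(force_https("https", "example.test", "/", "", hosts))
    print(force_https("http", "evil.test", "/", "", hosts))
```

A 308 (rather than 302) keeps the method and body, which matters for the POSTs that `/HandleEvent` receives; once a browser has seen the HSTS header it rewrites the scheme locally and the redirect path is no longer exercised.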
andyhill Posted March 14, 2021

Yes, the only thing I am unsure about is the "Kill Current Thread" after redirect? Does the ReDirect create a new thread, or does it continue to use the current thread?
irigsoft Posted March 14, 2021 (Author)

49 minutes ago, andyhill said:

Yes, the only thing I am unsure about is the "Kill Current Thread" after redirect? Does the ReDirect create a new thread, or does it continue to use the current thread?

No need to kill the thread; the session is closed after the redirect. I use TerminateafterSec (20), but someone in the forum wrote that the session is closed when redirected and its attributes cannot be used. From the topic in the forum: "Oops my bad! yes redirect would destroy the previous session so my answer is wrong."

When testing after redirection, I always get a message: "Session terminated" (I catch session destroy). Maybe this will help:
andyhill Posted March 14, 2021

Thanks
andyhill Posted March 15, 2021

Using my MainModule FORCE HTTPS custom code for my domain, I put out a challenge (now closed) for security IT engineers to see if they could bypass the secure protocol using all sorts of tools at their disposal (both commercial and from the DarkWeb), e.g. ManInTheMiddle, StripSSL, SQLMap, ZAP. I am happy to report our crypt-everything approach came through with flying colors.

Farshad, could you consider my solution, improve it if necessary and build it into UniGUI as an option?

For those interested in viewing http/https vulnerabilities check this out:-
irigsoft Posted March 22, 2021 (Author)

I will add this one to the list of security problems as well. If anybody knows a solution, please help.
irigsoft Posted March 22, 2021 (Author)

Maybe the solution is this:

URL: https://youdmain.com:8077/files/user1file.pdf

This blocks URLs that try to get files from other directories. If you try to open something like https://youdmain.com:8077/systemdir1/user1file.pdf, you will get error 405.

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
  AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
begin
  // check if this is a new session (no referer means the request did not come from our page)
  if (ARequestInfo.URI <> '/') and (ARequestInfo.Referer = '') then
  begin
    // block if trying to access different directories from "/files/"
    if (Pos(ARequestInfo.Host + '/files/', ARequestInfo.Host + ARequestInfo.URI) = 0) then
    begin
      Handled := True;
      AResponseInfo.ResponseNo := 405;
      //AResponseInfo.ContentText := '<h1>Access denied</h1>';
      // save log
      SaveHTMLLog('NONE ACCEPTABLE COMMAND' + #9 +
        'IP: ' + ARequestInfo.RemoteIP + #9 +
        'URI: ' + ARequestInfo.URI + #9 +
        'COMMAND: ' + ARequestInfo.Command + #9 +
        'RAW COMMAND: ' + ARequestInfo.RawHTTPCommand + #9 +
        ARequestInfo.RawHeaders.Text + #9 +
        ARequestInfo.Document);
      AResponseInfo.CloseConnection := True;
      AResponseInfo.CloseSession;
      Exit;
    end;
  end;
end;

Just add this check for User1's sessionId:

1. Create a directory for user1: /files/sessionID when User1's session starts.
2. Generate the PDF files of User1 and save them in /files/sessionID.
3. In the function, add a check by sessionID like this:

  if (Pos(ARequestInfo.Host + '/files/' + UniSession.SessionId + '/', ARequestInfo.Host + ARequestInfo.URI) = 0) then .....

When User2 tries to get files of User1, the function will check the sessionID and block User2 from getting User1's files.

This is helpful if we have this simple example: a stand-alone application. My app allows users to watch video files. All of these videos are paid. A user pays and gets their own session. I have 3 users, and user1 has paid for Video1, user2 has paid for Video2 and user3 has paid for Video3.

If everyone can download video1 (2 or 3) from one directory (\files) by URL, that means that all users can download all these 3 video files without paying, if user1 sends the URL to user2 and user3?
andyhill Posted March 25, 2021

Based on StandAlone Server, this is my solution to discard the Robots.txt file and in addition forbid outside access to any sub-directories:-

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
  AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
...
  //////////////////////////////////////////////////////////////////////////////
  // Check if trying to access sub-directories from the outside (not within unigui)
  if ( (ARequestInfo.URI <> '/') and (ARequestInfo.Referer = '') ) then
  begin
    MyHost := LowerCase(ARequestInfo.Host);
    MyURI := LowerCase(ARequestInfo.URI);
    // more than one '/' in host+URI means the path points into a sub-directory
    if CountOccurences(MyHost + MyURI, '/') > 1 then
    begin
      // Save log
      DateTimeToString(FormattedDateTime, 'dd/mm/yyyy hh:nn:ss.z', Now());
      Logger.AddLog('ANDY-S', 'REJECTED - ' + FormattedDateTime + ' - ' +
        'IP: ' + ARequestInfo.RemoteIP + ', ' +
        'URI: ' + MyURI + ', ' +
        'DOCUMENT: ' + ARequestInfo.Document);
      // Reject
      Handled := True;
      AResponseInfo.ResponseNo := 405;
      AResponseInfo.CloseConnection := True;
      AResponseInfo.CloseSession;
    end; // Occurences
  end;
irigsoft Posted March 25, 2021 (Author)

Thanks for sharing. Do you have a solution for this: how to prevent User2 and User3 from loading Video1 if they know the URL of the file?

My app allows users to watch video files. All of these videos are paid. A user pays and gets their own session. I have 3 users, and user1 has paid for Video1, user2 has paid for Video2 and user3 has paid for Video3. If everyone can download video1 (2 or 3) from one directory (\files) by URL, that means that all users can download all these 3 video files without paying, if user1 sends the URL to user2 and user3?
andyhill Posted March 25, 2021

Based on my testing so far:-

My code above will KILL any session trying to use a starting URL involving sub-directories (I deliberately left root open for static html files placed there for Google Crawler etc.).

eg. https://axfite.com.au
Menu: select "Fifth Left Large Icon"
URI: click "IMAGO Editorial"
Works as intended.

Now make sure you clear your browser, Chrome: More Tools, "Clear Browsing Data - cached images and files" [Clear Data]. Then try and go direct to that URI from the starting URL https://axfite.com.au/images/AxfiteEditorial.pdf

We throw a 405 Method Not Allowed. Remember browser caching can circumvent a round trip to the server, so for testing purposes you must clear your browser.

This is in my log:-

[ANDY-S]:REJECTED - 26/03/2021 07:13:08.84 - IP: 192.168.15.91, URI: /images/axfiteeditorial.pdf, DOCUMENT: /images/AxfiteEditorial.pdf

Therefore to offer a paying service one would make sure your user has a unique login before presenting any download options.

Happy for comments, suggestions or improvements ...
irigsoft Posted March 25, 2021 (Author)

15 minutes ago, andyhill said:

Remember browser caching can circumvent a round trip to the server, so for testing purposes you must clear your browser.

In my application the cache is disabled, but I know about that (clearing the cache). I am not sure this will work, but:

1. You can block session creation in TUniServerModule.UniGUIServerModuleHTTPCommand.
2. The problem is that the SessionID cannot be obtained before creation of the session.
3. Point 2 leads to a real problem: you can't check if the user is the same one who created or paid for a file before a session is open, but opening the session will send the file from the URL to user2 or user3 or others without it being paid.

How to block point 3?

1. I can delete the file/directory after User1's session expires, the browser is closed or the user logs out, but if User1's PC is infected with JavaScript injection, that can make it possible (I am not sure) for everyone to get the URL or sessionID, or some cookies.
2. If User1 is still active and just sends User2 a link with the URL to the file, then User2 will download it without paying, am I right?
andyhill Posted March 25, 2021

There is a slight English translation issue for me in your posting (sorry I only speak English). I think you are saying this: a validated user pays and watches a video (which is now on his PC [cache or no cache, it is there as a "temp file" etc.]). How does one prevent this user from locating that downloaded video on his PC and sending it to another person? I do not believe you can prevent the inevitable. Interesting challenge ...
irigsoft Posted March 25, 2021 (Author)

6 minutes ago, andyhill said:

There is a slight English translation issue for me in your posting (sorry I only speak English). I think you are saying this: a validated user pays and watches a video (which is now on his PC [cache or no cache, it is there as a "temp file" etc.]). How does one prevent this user from locating that downloaded video on his PC and sending it to another person? I do not believe you can prevent the inevitable. Interesting challenge ...

I am sorry for my English. The problem is this: you want to get a video file, for that you click a button that shows a frame to pay (with card or otherwise), and after that, in that short session, I send you a link to the file, something like this: www.mydomain/temp/Yourfile.mp4

The session timeout is 3 minutes, and then the file will be gone, but for those 3 minutes everybody can download this file via this link.
irigsoft Posted March 25, 2021 (Author)

If I did something even more stupid, I would clear the temp folder every 5 days, and for those 5 days everybody would see and get all the temporary files in this directory. Without some user control, I will lose money or give away all sensitive data.
andyhill Posted March 25, 2021

So you do not want them to login?
andyhill Posted March 25, 2021

Also, you cannot delete temp files on the user's PC, you do not have access.
irigsoft Posted March 25, 2021 (Author)

Yes, I made an entry form. But just try: yourdomain / rootfolder / somefile.pdf and see. In my StandAlone application, I receive this file without being required to authorize. Maybe I'm wrong about something, but I'm not using the standard login form, I'm using my own.
irigsoft Posted March 25, 2021 (Author)

10 minutes ago, andyhill said:

Also, you cannot delete temp files on the user's PC, you do not have access.

I don't want to delete the files, they pay for them.
irigsoft Posted March 25, 2021 (Author)

The problem comes from this: I made a REST API application server, and users can download files. The user just sends some parameters, the application checks them, and if everything is OK with the login then the application just sends the link to the file.
andyhill Posted March 25, 2021

If you do not use "yourdomain / rootfolder / somefile.pdf" but instead "yourdomain / subdirectory / somefile.pdf", then you can control access via my code above: it will prevent direct access, and then via login you can optionally present them with the URI.
irigsoft Posted March 25, 2021 (Author)

4 minutes ago, andyhill said:

If you do not use "yourdomain / rootfolder / somefile.pdf" but instead "yourdomain / subdirectory / somefile.pdf", then you can control access via my code above: it will prevent direct access, and then via login you can optionally present them with the URI.

Yes, my full path to files is: www.mydomain/root/temp/myfile.pdf, or even deeper: www.mydomain/root/temp/usersessionid/datetime/myfile.pdf, and the user gets this link, so through the link everyone will get my files. I don't know how to protect them.

Like you and others, they suggest I move the file directory; Farshad suggests I use a specific function in uniGUI, but if the user can access this file through a link like www.youdomain / directory / file.pdf, it will always be possible for anyone who knows the link to get this file.
andyhill Posted March 25, 2021

So did you try my code? Did you test the concept on https://axfite.com.au ?
irigsoft Posted March 25, 2021 (Author)

2 minutes ago, andyhill said:

So did you try my code? Did you test the concept on https://axfite.com.au ?

No, I am sorry.
irigsoft Posted March 25, 2021 (Author)

I tested it, the result is this (no errors, no logins):
andyhill Posted March 25, 2021

Via https://axfite.com.au yes? If so, now clear the browser cache and try https://axfite.com.au/images/AxfiteEditorial.pdf