
Can we apply some protection against different attacks


irigsoft


4 minutes ago, andyhill said:

I use Chrome, are you sure you cleared ALL images ?

Yes, now in Microsoft Edge: domain is opened, file is blocked.

Now the same in Google Chrome: domain is opened, file is blocked.

No cache clearing.

One tab for domain, other with link to file.


Now the file is opened again with Google Chrome.


[ANDY-S]:REJECTED - 26/03/2021 09:00:15.779 - IP: 45.146.165.157, URI: /vendor/phpunit/phpunit/src/util/php/eval-stdin.php, DOCUMENT: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
[ANDY-S]:REJECTED - 26/03/2021 09:00:20.908 - IP: 45.146.165.157, URI: /api/jsonws/invoke, DOCUMENT: /api/jsonws/invoke
[ANDY-S]:REJECTED - 26/03/2021 09:00:27.902 - IP: 45.146.165.157, URI: /wp-content/plugins/wp-file-manager/readme.txt, DOCUMENT: /wp-content/plugins/wp-file-manager/readme.txt
[ANDY-S]:REJECTED - 26/03/2021 09:00:32.869 - IP: 45.146.165.157, URI: /_ignition/execute-solution, DOCUMENT: /_ignition/execute-solution
[ANDY-S]:REJECTED - 26/03/2021 09:12:25.602 - IP: 47.114.114.56, URI: /_ignition/execute-solution, DOCUMENT: /_ignition/execute-solution
[ANDY-S]:REJECTED - 26/03/2021 09:12:26.191 - IP: 47.114.114.56, URI: /vendor/phpunit/phpunit/src/util/php/eval-stdin.php, DOCUMENT: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
[ANDY-S]:REJECTED - 26/03/2021 09:12:56.778 - IP: 47.114.114.56, URI: /manager/html, DOCUMENT: /manager/html
[ANDY-S]:REJECTED - 26/03/2021 09:12:58.238 - IP: 183.191.30.218, URI: http://110.242.68.4/, DOCUMENT: /
[ANDY-S]:REJECTED - 26/03/2021 09:17:15.270 - IP: 213.214.86.89, URI: /images/axfiteeditorial.pdf, DOCUMENT: /images/AxfiteEditorial.pdf
[ANDY-S]:REJECTED - 26/03/2021 09:17:19.874 - IP: 213.214.86.89, URI: /images/axfiteeditorial.pdf, DOCUMENT: /images/AxfiteEditorial.pdf


I can't understand how it works.

One time the file is opened from the URL without opening the domain.

Another time the domain is opened, and error 405 occurs from the link to the file.

Another link opens the file with no problems.

Before every try I clear the browser's cache.


I am leaving now for today but look again at

https://axfite.com.au

Go to last Left Menu Icon (Online Shop).

We present only 3 unique products, they choose a Product, they select a Default Country (used to pre-calc freight which can be overridden if required at checkout), they choose Checkout (user has to login to PayPal where we retrieve their registered, validated Address [a must as it relates to taxes]).

Then the order is placed, PayPal confirms payment - then in your case you would provide the download link.

Be careful, this is a live PayPal system, do not proceed with payment unless you want to purchase the items. 


I thought it would be of interest to UniGUI Programmers to share my 24hr Attack List for my Stand-Alone-Server here in Australia.

What is of interest is the Russian Federation probing (check out the rogue IPs).

Attackers seem to now have some basic understanding how UniGUI and Sencha work (check out the "ext-7.0.0..." probing). 

125 x  45.155.205.211 CYPRUS
276 x    106.12.54.16 CHINA
295 x     3.141.21.92 AMAZON (Why ?)
452 x  39.109.114.137 HONG KONG
550 x 192.162.101.235 RUSSIA

Attacks-24hr.txt


12 hours ago, andyhill said:

Attackers seem to now have some basic understanding how UniGUI and Sencha work

Hello,

Thanks for sharing.

How do you know that UniGUI was blocking all requests?

Do you have some info in the log file, like "/script" was blocked or something else, to be sure how it worked under attack?


My code above blocks unwanted direct file access to any SubDirectory from outside Users (does not allow it to proceed) and adds these stats to the log file ([ANDY-S]:REJECTED) - of course my app can access these SubDirectories.

The Attacks-24hr.txt file is an analysis of my app's log file, from where I can review and decide to manually add any rogue IP to the BlockIPList.

I put this info up because I was shocked to see so many attacks and I thought programmers should know.

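An added example (Python, not andyhill's Delphi/UniGUI code) that reads the [ANDY-S]:REJECTED lines he posted earlier in the thread and produces the kind of per-IP count list his Attacks-24hr.txt contains. The sample log is the ten lines from his post; the probe table, the function names and the ten-hit threshold are assumptions. Not every rejected request is hostile: the two requests for /images/AxfiteEditorial.pdf look like a browser fetching a real file directly, the same direct-access case irigsoft reports, so the block candidates are taken from known exploit paths rather than from raw counts alone.

```python
# Added example, not code from the thread: analyse "[ANDY-S]:REJECTED" log lines
# into a per-IP hit list (the shape of Attacks-24hr.txt) plus block candidates.
import re
from collections import Counter
from datetime import datetime, timedelta

# The ten lines posted by andyhill (the server lower-cases URI, keeps DOCUMENT as requested).
SAMPLE_LOG = """\
[ANDY-S]:REJECTED - 26/03/2021 09:00:15.779 - IP: 45.146.165.157, URI: /vendor/phpunit/phpunit/src/util/php/eval-stdin.php, DOCUMENT: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
[ANDY-S]:REJECTED - 26/03/2021 09:00:20.908 - IP: 45.146.165.157, URI: /api/jsonws/invoke, DOCUMENT: /api/jsonws/invoke
[ANDY-S]:REJECTED - 26/03/2021 09:00:27.902 - IP: 45.146.165.157, URI: /wp-content/plugins/wp-file-manager/readme.txt, DOCUMENT: /wp-content/plugins/wp-file-manager/readme.txt
[ANDY-S]:REJECTED - 26/03/2021 09:00:32.869 - IP: 45.146.165.157, URI: /_ignition/execute-solution, DOCUMENT: /_ignition/execute-solution
[ANDY-S]:REJECTED - 26/03/2021 09:12:25.602 - IP: 47.114.114.56, URI: /_ignition/execute-solution, DOCUMENT: /_ignition/execute-solution
[ANDY-S]:REJECTED - 26/03/2021 09:12:26.191 - IP: 47.114.114.56, URI: /vendor/phpunit/phpunit/src/util/php/eval-stdin.php, DOCUMENT: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
[ANDY-S]:REJECTED - 26/03/2021 09:12:56.778 - IP: 47.114.114.56, URI: /manager/html, DOCUMENT: /manager/html
[ANDY-S]:REJECTED - 26/03/2021 09:12:58.238 - IP: 183.191.30.218, URI: http://110.242.68.4/, DOCUMENT: /
[ANDY-S]:REJECTED - 26/03/2021 09:17:15.270 - IP: 213.214.86.89, URI: /images/axfiteeditorial.pdf, DOCUMENT: /images/AxfiteEditorial.pdf
[ANDY-S]:REJECTED - 26/03/2021 09:17:19.874 - IP: 213.214.86.89, URI: /images/axfiteeditorial.pdf, DOCUMENT: /images/AxfiteEditorial.pdf
"""

LINE_RE = re.compile(
    r"^\[ANDY-S\]:REJECTED - (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
    r" - IP: (?P<ip>[^,]+), URI: (?P<uri>[^,]+), DOCUMENT: (?P<doc>.+)$"
)

# Paths that mass scanners request on every host they find (assumed table; a hit
# on any of them is a strong signal on its own, independent of request volume).
KNOWN_PROBES = {
    "/vendor/phpunit/phpunit/src/util/php/eval-stdin.php": "PHPUnit eval-stdin",
    "/_ignition/execute-solution": "Laravel Ignition",
    "/wp-content/plugins/wp-file-manager/": "WordPress wp-file-manager",
    "/api/jsonws/invoke": "Liferay JSONWS",
    "/manager/html": "Tomcat manager",
}


def parse_line(line):
    """One REJECTED line -> dict with ts (datetime), ip, uri, doc; None if not a match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%m/%Y %H:%M:%S.%f")
    return rec


def classify(uri):
    """Label a rejected URI. 'unclassified' means unknown, not harmless."""
    low = uri.lower()
    if low.startswith(("http://", "https://")):
        # Absolute-form request for another host: the client is testing for an open proxy.
        return "absolute-URI request (open-proxy probe)"
    for prefix, label in KNOWN_PROBES.items():
        if low.startswith(prefix):
            return label
    return "unclassified"


def analyse(log_text, window_hours=24, heavy_hitter=10):
    """Hits per IP inside the last `window_hours` of the log, probe labels per IP,
    and block candidates (known probe, or at least `heavy_hitter` rejections)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    if not records:
        return {"hits": Counter(), "probes": {}, "candidates": []}
    newest = max(r["ts"] for r in records)
    recent = [r for r in records if newest - r["ts"] <= timedelta(hours=window_hours)]
    hits = Counter(r["ip"] for r in recent)
    probes = {}
    for r in recent:
        label = classify(r["uri"])
        if label != "unclassified":
            probes.setdefault(r["ip"], set()).add(label)
    # Everything else is reviewed by hand: a repeated request for an existing
    # file (AxfiteEditorial.pdf here) may be a browser following a normal link.
    candidates = sorted(ip for ip in hits if ip in probes or hits[ip] >= heavy_hitter)
    return {"hits": hits, "probes": probes, "candidates": candidates}


def format_report(result):
    """Same shape as Attacks-24hr.txt: count x IP, busiest first (no GeoIP lookup offline)."""
    lines = []
    for ip, n in result["hits"].most_common():
        tags = ", ".join(sorted(result["probes"].get(ip, ()))) or "-"
        lines.append(f"{n:>4} x {ip:>15}  {tags}")
    return "\n".join(lines)


if __name__ == "__main__":
    res = analyse(SAMPLE_LOG)
    print(format_report(res))
    print("block candidates:", res["candidates"])
```

Run against a real log file, the same function gives a daily review list; the country column in Attacks-24hr.txt needs a GeoIP lookup that this offline example leaves out.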

7 hours ago, andyhill said:

I put this info up because I was shocked to see so many attacks and I thought programmers should know.

I completely agree, and the file is very useful for anyone who wants to test their application for attacks.

Of course, it is best to leave this in the hands of professionals in this field, but we can test some problems.
It even impresses me that a specific version of UniGUI has been tested; is there already a breakthrough in this version and in the next ones?
Since so far I have not been able to find a correct way to block JavaScript injections, I decided to ask if you have found one, and do you have any idea what information could be extracted through it?


Does anyone know how to apply this:

The following JavaScript security best practices can reduce this risk.

Avoid eval(): Don’t utilize this command in code, since it simply executes passed argument if it is a JavaScript expression. This means if the hacker succeeds in manipulating input value, he or she will be able to run any script she wants. Instead, opt for alternative options that are more secure.

Set secure cookies: To ensure SSL/HTTPS is in use, set your cookies as “secure,” which limits the use of your application’s cookies to only secure web pages.

Set API access keys: Assign individual tokens for each end user. If these tokens don’t match up, access can be denied or revoked.

Use safe methods of DOM manipulation: Methods such as innerHTML are powerful and potentially dangerous, as they don’t limit or escape/encode the values that are passed to them. Using a method like innerText instead provides inherent escaping of potentially hazardous content. This is particularly useful in preventing DOM-based XSS attacks.

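An added example, not code from the thread or from UniGUI, showing the server-side counterparts of three items in the list above: encoding user text before it is placed into markup (the innerHTML/innerText point), refusing to execute user-supplied text (the eval point), and setting the Secure, HttpOnly and SameSite attributes on the session cookie. It is in Python, like the other examples on this page; in the browser the same two ideas are textContent instead of innerHTML and JSON.parse instead of eval. All function names are hypothetical.

```python
# Added example, not from the original thread: vulnerable form beside hardened form
# for three of the best practices quoted above.
import ast
import html
from http.cookies import SimpleCookie


def render_comment_unsafe(user_text):
    """innerHTML-style: user text is inserted as markup, so tags and handlers survive."""
    return f"<p class='comment'>{user_text}</p>"


def render_comment(user_text):
    """innerText-style: encode &, <, >, " and ' so the text can only be text."""
    return f"<p class='comment'>{html.escape(user_text, quote=True)}</p>"


def parse_user_value_unsafe(text, sink):
    """eval() analogue: the string is executed, not just parsed. `sink` is a
    constructed stand-in for anything reachable from the evaluated code."""
    return eval(text, {"__builtins__": {}, "sink": sink})


def parse_user_value(text):
    """Accepts only literals (numbers, strings, lists, dicts, ...); calls and
    operators raise ValueError instead of running."""
    return ast.literal_eval(text)


def session_cookie(name, value):
    """Set-Cookie header value: HTTPS-only, not readable by script, not sent cross-site."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True      # only sent over HTTPS
    jar[name]["httponly"] = True    # not visible to document.cookie
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def demo():
    """Run all three contrasts on constructed attacker input and collect the outcomes."""
    results = {}
    payload = "<img src=x onerror=alert(1)>"           # constructed XSS probe
    results["unsafe_html"] = render_comment_unsafe(payload)
    results["safe_html"] = render_comment(payload)

    sink = []
    code = "sink.append('attacker code ran') or 42"    # constructed eval payload
    results["eval_result"] = parse_user_value_unsafe(code, sink)
    results["eval_side_effect"] = sink                 # eval ran the append
    try:
        parse_user_value(code)
        results["literal_eval"] = "accepted"
    except ValueError:
        results["literal_eval"] = "rejected"           # literal_eval refuses calls

    results["cookie"] = session_cookie("sid", "3f9c2a")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the side-by-side is that the unsafe variants do not fail on bad input; they succeed, which is why the check cannot be left to the caller.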

On 3/25/2021 at 11:33 PM, irigsoft said:

If I click on the link, no problem opening the file in Google Chrome.

If I copy the link and paste it into a new tab in Chrome, I get error 405.

Hi, 
Have you solved your problem?
I have the same trouble; sometimes files are shown, sometimes they are blocked with code 405.
Any hint?
Thanks!


14 hours ago, Stemon63 said:

Hi, 
Have you solved your problem?
I have the same trouble; sometimes files are shown, sometimes they are blocked with code 405.
Any hint?
Thanks!

Hello, I failed. I didn't really look for it, I just wrote it down for me as a problem.

I think the problem exists when you click the URL link. No problem opening/downloading a file even without login. I get error 405 when I put the URL directly in the address bar.

This is a big problem for me, but I will use a unique user session ID to activate direct file access.
When the user tries to access the file, I will first check if a user session is open and only then will I allow the download.

In reality, if the user does not have an open session, access will be blocked, similar to blocking the directory from the code above.
At the moment I have made it so that in case of an attempt to open a directory other than TEMP, the communication is terminated with "Access denied". This will also be the case for accessing the files:
1. Check if there is an open session - we block access via direct URL click.
2. If there is an open session and it is active, then I check if there is an attempt to download the file from the directory for the specific user.

When the user logs in, a special directory is created in Temp just for him, and all the files that he will have access to will be in it.

3. These files live for some minutes after being created in this directory.

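An added example (Python, not irigsoft's Delphi/UniGUI code) of the three steps described above: refuse when there is no active session, refuse when the requested path resolves outside that session's private directory, and refuse files older than a few minutes. SessionStore, publish_file and handle_download_request are hypothetical names, TEMP_ROOT stands in for the app's TEMP directory, and the idle and file lifetimes are assumed values. The containment check is done on resolved paths, so "../" and absolute paths are caught, and every refusal returns the same "Access denied" so a caller cannot learn which files exist elsewhere.

```python
# Added example, not the thread's code: session-gated download from a per-user
# temporary directory with path containment and a short file lifetime.
import os
import secrets
import tempfile
import time
from pathlib import Path

TEMP_ROOT = Path(tempfile.mkdtemp(prefix="app-temp-"))  # stand-in for the app's TEMP dir
SESSION_IDLE_SECONDS = 20 * 60   # assumed: a session is "active" if used within 20 minutes
FILE_TTL_SECONDS = 5 * 60        # assumed: "live some minutes" = 5 minutes after creation


class SessionStore:
    """Session id -> user, private directory, last activity time."""

    def __init__(self):
        self._sessions = {}

    def open(self, user):
        # The directory name is a random token, not the user name, so it cannot be guessed.
        sid = secrets.token_urlsafe(32)
        user_dir = TEMP_ROOT / secrets.token_hex(16)
        user_dir.mkdir(mode=0o700)
        self._sessions[sid] = {"user": user, "dir": user_dir, "last_seen": time.time()}
        return sid

    def active(self, sid):
        """Step 1: is there an open session that is still active? Touches it if so."""
        sess = self._sessions.get(sid)
        if sess is None or time.time() - sess["last_seen"] > SESSION_IDLE_SECONDS:
            return None
        sess["last_seen"] = time.time()
        return sess

    def close(self, sid):
        """Logout: drop the session and everything in its directory."""
        sess = self._sessions.pop(sid, None)
        if sess:
            for f in sess["dir"].iterdir():
                f.unlink()
            sess["dir"].rmdir()


def publish_file(store, sid, name, data, age_seconds=0):
    """Server side: place a file in the session's private directory.
    age_seconds back-dates the mtime so expiry can be exercised offline."""
    sess = store.active(sid)
    if sess is None:
        raise PermissionError("no active session")
    path = sess["dir"] / name
    path.write_bytes(data)
    if age_seconds:
        past = time.time() - age_seconds
        os.utime(path, (past, past))
    return path


def authorize_download(store, sid, requested):
    """Steps 1-3: active session, file inside that session's directory, not expired.
    Raises PermissionError with the internal reason; callers never forward it."""
    sess = store.active(sid)
    if sess is None:
        raise PermissionError("no active session")            # direct URL without login
    base = sess["dir"].resolve()
    target = (base / requested).resolve()                     # normalises '..', symlinks, absolute paths
    if base not in target.parents:
        raise PermissionError("outside the user's directory")  # traversal attempt
    if not target.is_file():
        raise PermissionError("no such file")
    if time.time() - target.stat().st_mtime > FILE_TTL_SECONDS:
        raise PermissionError("file expired")                 # step 3
    return target


def handle_download_request(store, sid, requested):
    """Request handler: (status, body). Every refusal is the same 403 'Access denied'."""
    try:
        return 200, authorize_download(store, sid, requested).read_bytes()
    except PermissionError:
        return 403, "Access denied"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.open("alice")
    publish_file(store, sid, "report.pdf", b"%PDF-1.4 ...")
    print(handle_download_request(store, sid, "report.pdf"))
    print(handle_download_request(store, sid, "../../etc/passwd"))
    print(handle_download_request(store, "not-a-session", "report.pdf"))
```

The session id used here is the server-side session, not the URL; a link that carries the id in the query string would be just as shareable as the direct file URL the thread is trying to close off.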

15 hours ago, irigsoft said:

Hello, I failed. I didn't really look for it, I just wrote it down for me as a problem.


Hi, can you share your example code for this, so I can try whether it works for my scenario?
Thanks in advance.   
