irigsoft (Author) Posted April 15, 2021
This is also a security vulnerability. The resolution is: "at the moment, you can try disabling jQuery. UniServerModule -> Options -> soDontLoadJQueryLib = True"
irigsoft (Author) Posted April 22, 2021
Another security problem: Is there a solution to this?
irigsoft (Author) Posted April 24, 2021
"How do you deal with the problem of plaintext?" Replace the uniEdit values with a custom JavaScript hash function on the client side. Project1.zip, and with MD5 hash: Project1.zip
irigsoft (Author) Posted April 30, 2021
If someone can test with security software, please post the result here, whether I succeeded.
irigsoft (Author) Posted May 1, 2021
This is with the JavaScript MD5 hash: Project1.zip
Thanks. It has been tested and solved.
irigsoft (Author) Posted May 4, 2021
New security problem:
irigsoft (Author) Posted May 5, 2021
On 5/4/2021 at 9:01 AM, irigsoft said: New security problem:
There is a solution:
irigsoft (Author) Posted July 15, 2021
Hello, I add here how to replace the URL in the browser (from here: )

procedure TMainForm.UniFormActivate(Sender: TObject);
var
  EnableAutoLog: Boolean;
begin
  // placeholder: stands for the application's own auto-login setting (never assigned in the original post)
  EnableAutoLog := True;
  if (Trim(TUniGUISession(UniSession).UniApplication.Parameters.Values['login']) <> '') and EnableAutoLog then
  begin
    // replace the URL; the current URL is UniSession.ARequest.Referer, inserted into the JS string literal as-is
    UniSession.AddJS(
      'const nextURL = ''' +
        StringReplace(UniSession.ARequest.Referer,
          'login=' + TUniGUISession(UniSession).UniApplication.Parameters.Values['login'],
          '', [rfReplaceAll, rfIgnoreCase]) + ''';' +
      'const nextTitle = ''' + UniServerModule.Title + ''';' +
      'const nextState = { additionalInformation: ''Updated the URL with JS'' };' +
      // this creates a new entry in the browser's history, without reloading
      'window.history.pushState(nextState, nextTitle, nextURL);' +
      // this replaces the current entry in the browser's history, without reloading
      'window.history.replaceState(nextState, nextTitle, nextURL);'
    );
  end;
end;
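The post above removes the login token from the URL with a string replace on the Referer. As an added example (not from the post or from uniGUI), the same clean-up done with the URL API, which handles repeated or encoded occurrences of the parameter, followed by the history.replaceState the post uses; the parameter name "login" and the injectable `win` object are assumptions for testing outside a browser.

```javascript
// Remove sensitive query parameters (e.g. an auto-login token) from a URL.
// Pure function: returns the cleaned URL and whether anything was removed.
function stripSensitiveParams(urlString, names) {
  const url = new URL(urlString);
  let changed = false;
  for (const name of names) {
    if (url.searchParams.has(name)) {
      url.searchParams.delete(name); // removes every occurrence of the parameter
      changed = true;
    }
  }
  return { href: url.href, changed };
}

// Rewrite the current history entry so the token is no longer in the address bar
// or in the back/forward history. `win` defaults to the browser window; a fake
// object with location/history/document can be passed for testing.
function applyToHistory(names, win) {
  const w = win || (typeof window !== 'undefined' ? window : null);
  if (!w || !w.history || typeof w.history.replaceState !== 'function') return null;
  const { href, changed } = stripSensitiveParams(w.location.href, names);
  if (!changed) return null;
  const title = w.document ? w.document.title : '';
  // replaceState (not pushState): no new entry that would still carry the token
  w.history.replaceState(w.history.state, title, href);
  return href;
}
```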
irigsoft (Author) Posted July 18, 2021
On 4/12/2021 at 7:42 PM, Stemon63 said: Hi, Have you solved your problem? I have the same trouble; sometimes files are shown, sometimes they are blocked with code 405. Any hint? Thanks!
Hello, did you find a solution to this problem? I do this on the server side:

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo;
  AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
var
  sSessionID: String;
begin
  // ExtractSessionId and SomeExtra are the poster's own helpers (not shown in the post):
  // the session id taken from the query string, and extra per-session data mixed into the folder name
  sSessionID := ExtractSessionId(ARequestInfo.UnParsedParams);
  if (ARequestInfo.URI <> '/') and (ARequestInfo.Referer = '') then
  begin
    // allow only UniServerModule.TempFolder of this session and client IP ...
    if (Pos(ARequestInfo.Host + '/' + StringReplace(UniServerModule.TempFolder, '\', '/', [rfReplaceAll]) +
            sSessionID + StringReplace(ARequestInfo.RemoteIP, '.', '', [rfReplaceAll]) + SomeExtra + '/',
            ARequestInfo.Host + ARequestInfo.URI) <= 0)
       // ... and deny if the session directory does not exist
       or (not DirectoryExists(ExtractFilePath(Application.ExeName) + '\' + UniServerModule.TempFolder +
            sSessionID + StringReplace(ARequestInfo.RemoteIP, '.', '', [rfReplaceAll]) + SomeExtra + '\')) then
    begin
      AResponseInfo.ResponseNo := 405;
      AResponseInfo.ContentText := '<h1>Access denied</h1>';
      Handled := True;
      AResponseInfo.CloseConnection := True;
      AResponseInfo.CloseSession;
    end;
  end;
end;

So:
1. If no session is opened (opened from a link, direct download): Access denied
2. If trying to download from another session: Access denied
3. If trying to download from another user IP (man-in-the-middle attack, or sharing the link): Access denied
4. Every session has its own download directory. The creation of a session directory must be provided with some additional data in case they try to penetrate the session ID.
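The four rules above, as an added example that is not the post's or uniGUI's code: the same decision written as a pure function over the request fields, so each case (direct link, other session, other IP, missing directory) can be checked in isolation. It is slightly stricter than the post's Pos() test (the URI must start with the session directory and may not contain ".." segments); `dirExists` is a hypothetical callback standing in for DirectoryExists().

```javascript
// Folder name = TempFolder + sessionId + IP digits + extra, as in the post; the
// extra part is the "additional data" that makes a guessed session id insufficient.
function sessionTempDir(tempFolder, sessionId, remoteIp, extra) {
  return tempFolder.replace(/\\/g, '/') + sessionId + remoteIp.replace(/\./g, '') + extra;
}

// req: { uri, referer, remoteIp, sessionId }
// cfg: { tempFolder, extra, dirExists(dir) -> boolean }
// Returns { status, reason }; 405 mirrors the post's "Access denied" response.
function checkDownload(req, cfg) {
  if (req.uri === '/' || req.referer !== '') {
    return { status: 200, reason: 'not a direct file request' };
  }
  // reject path traversal before comparing prefixes
  if (req.uri.split('/').includes('..')) {
    return { status: 405, reason: 'path traversal' };
  }
  const dir = sessionTempDir(cfg.tempFolder, req.sessionId, req.remoteIp, cfg.extra);
  // prefix match with trailing slash so "/temp/abc" cannot be satisfied by "/temp/abcd/x"
  if (!req.uri.startsWith('/' + dir + '/')) {
    return { status: 405, reason: 'outside this session and IP temp directory' };
  }
  if (!cfg.dirExists(dir)) {
    return { status: 405, reason: 'session directory does not exist' };
  }
  return { status: 200, reason: 'ok' };
}
```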
irigsoft (Author) Posted July 23, 2021
@Stemon63, did you try my proposal for protecting files?
irigsoft (Author) Posted August 23, 2021
Hello everyone, there is a new security challenge here! The plan:
There are standard techniques to slow down an attacker:
1 - after some tries to login (brute force attack), log the IP in BlockIPList. Block the IP of the attacker
2 - using reCaptcha prevents bots (some reCaptcha is useless!)
3 - using strong passwords (more than 10 symbols) slows down GPU calculations
4 - using a hash of the passwords slows down GPU calculations
5 - disable the user account; the attacker must change the user name
6 - using the same error message for different login errors prevents catching the user name
7 - after every next try, slow down the answer from the server; this will slow down GPU calculations
8 - enable OneIpPerUser; this will block many sessions from one PC
I made some protection code based on the plan:
3 - using strong passwords (more than 10 symbols)
4 - using a hash of the passwords

In TUniServerModule.UniGUIServerModuleHTTPCommand:

  // BlockedIPList (a TStringList) is the poster's own field on the server module
  try
    UniServerModule.Lock;
    // reload the IP list
    if FileExists(ExtractFilePath(StartPath) + 'root\BldIPList.config') then
      BlockedIPList.LoadFromFile(ExtractFilePath(StartPath) + 'root\BldIPList.config');
  finally
    UniServerModule.UnLock;
  end;
  if BlockedIPList.Count > 0 then
  begin
    if BlockedIPList.IndexOf(ARequestInfo.RemoteIP) > -1 then
    begin
      AResponseInfo.ContentText := '<h1>Access denied</h1>'; // point 6
      Handled := True;
      AResponseInfo.CloseSession;
      Exit; // the original jumps to an ENDALL label at the end of the handler
    end;
  end;

On the login form, BtnLogin.OnClick:

  UniServerModule.Lock;
  try
    if FileExists(ExtractFilePath(UniServerModule.StartPath) + 'root\BldIPList.config') then
      UniServerModule.BlockedIPList.LoadFromFile(ExtractFilePath(UniServerModule.StartPath) + 'root\BldIPList.config');
  finally
    UniServerModule.UnLock;
  end;
  // block the IP (point 1); BruteForceTrys is the poster's own failed-login counter on the main module
  if UniMainModule.BruteForceTrys > 5 then
  begin
    // block the IP address
    try
      UniServerModule.Lock;
      UniServerModule.BlockedIPList.Add(UniSession.RemoteIP);
      UniServerModule.BlockedIPList.SaveToFile(ExtractFilePath(UniServerModule.StartPath) + 'root\BldIPList.config');
    finally
      UniServerModule.UnLock;
    end;
    Sleep(100);
    UniSession.Terminate('<h1>Access denied</h1>'); // point 6
    Exit;
  end;

In UniGUIMainModuleCreate, reload the blocked IPs:

  try
    UniServerModule.Lock;
    if FileExists(ExtractFilePath(UniServerModule.StartPath) + 'root\BldIPList.config') then
      UniServerModule.BlockedIPList.LoadFromFile(ExtractFilePath(UniServerModule.StartPath) + 'root\BldIPList.config');
  finally
    UniServerModule.UnLock;
  end;

I added some extras, such as a log of IPs which made 2 or more login errors (suspicious IP addresses).
7 - after every next try, slow down the answer from the server: add some timers to make the next login attempt wait!
8 - enable OneIpPerUser: ServerLimits.SessionRestrict := srOnePerPC; or ServerLimits.SessionRestrict := srOnePerIP;
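The plan above (points 1, 6 and 7, plus the "suspicious IP" log) as an added example that is not the forum's code: an in-memory login guard that counts failed logins per IP, blocks the IP after the post's threshold of 5, lengthens the delay of every further answer, and returns one generic message for every refusal. The post persists its list in root\BldIPList.config; here the block list is a Map so the logic runs stand-alone, and the injectable `now` clock and the 15-minute block expiry are assumptions.

```javascript
const GENERIC_ERROR = 'Access denied'; // point 6: one message for every refusal

class LoginGuard {
  constructor({ maxFailures = 5, baseDelayMs = 100, blockMs = 15 * 60 * 1000, now = () => Date.now() } = {}) {
    this.maxFailures = maxFailures;
    this.baseDelayMs = baseDelayMs;
    this.blockMs = blockMs;
    this.now = now;                // injectable clock (assumption, for testing)
    this.failures = new Map();     // ip -> failed attempt count (the post's BruteForceTrys)
    this.blocked = new Map();      // ip -> time the block expires (the post's BlockedIPList)
  }

  // Call before checking credentials; returns { allowed, delayMs, message }
  check(ip) {
    const until = this.blocked.get(ip);
    if (until !== undefined) {
      if (this.now() < until) return { allowed: false, delayMs: 0, message: GENERIC_ERROR };
      this.blocked.delete(ip);     // block expired
      this.failures.delete(ip);
    }
    const n = this.failures.get(ip) || 0;
    // point 7: every further attempt from this IP waits longer (linear back-off here)
    return { allowed: true, delayMs: n * this.baseDelayMs, message: null };
  }

  // Call after a failed login; point 1: block the IP once failures exceed maxFailures
  recordFailure(ip) {
    const n = (this.failures.get(ip) || 0) + 1;
    this.failures.set(ip, n);
    if (n > this.maxFailures) {
      this.blocked.set(ip, this.now() + this.blockMs);
      return { blocked: true, message: GENERIC_ERROR };
    }
    // same message whether the user name or the password was wrong
    return { blocked: false, message: GENERIC_ERROR };
  }

  recordSuccess(ip) { this.failures.delete(ip); }

  // the post logs IPs with 2 or more login errors as suspicious
  isSuspicious(ip) { return (this.failures.get(ip) || 0) >= 2; }
}
```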
irigsoft (Author) Posted November 4, 2021
Here is some info from penetration test results:
Abaksoft Posted November 9, 2021
A good article. https://www.acunetix.com/blog/articles/iis-security-best-practices/
irigsoft (Author) Posted November 9, 2021
50 minutes ago, Abaksoft said: A good article. https://www.acunetix.com/blog/articles/iis-security-best-practices/
Thank you.
irigsoft (Author) Posted January 12, 2022
Hello there, one more question about security, if someone can help:
irigsoft (Author) Posted January 14, 2022
How can we protect against a spoofing attack? https://www.keyfactor.com/blog/what-it-is-ip-spoofing-how-to-protect-against-it/
irigsoft (Author) Posted January 22, 2022
Can block some IoT scanners like Shodan, Censys, Shadowserver
irigsoft (Author) Posted January 22, 2022
On 4/12/2021 at 7:42 PM, Stemon63 said: Hi, Have you solved your problem? I have the same trouble; sometimes files are shown, sometimes they are blocked with code 405. Any hint? Thanks!
Hello, I think I found a solution to this. In procedure TUniServerModule.UniGUIServerModuleHTTPCommand( just add these headers:

  AResponseInfo.CustomHeaders.AddValue('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate'); // HTTP 1.1
  AResponseInfo.CustomHeaders.AddValue('Pragma', 'no-cache'); // HTTP 1.0
  AResponseInfo.CustomHeaders.AddValue('Expires', '0');

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
This may increase the data transfer between client and server (it will use more traffic).
Abaksoft Posted January 23, 2022
22 hours ago, irigsoft said: Hello, I think I found a solution to this. In procedure TUniServerModule.UniGUIServerModuleHTTPCommand( just add these headers:
  AResponseInfo.CustomHeaders.AddValue('Cache-Control', 'no-cache, no-store, must-revalidate'); // HTTP 1.1
  AResponseInfo.CustomHeaders.AddValue('Pragma', 'no-cache'); // HTTP 1.0
  AResponseInfo.CustomHeaders.AddValue('Expires', '0');
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
This may increase the data transfer between client and server (it will use more traffic).
Thank you so much IrigSoft. We are learning good things with you.
irigsoft (Author) Posted February 12, 2022
Has anyone already built protection against slow HTTP attacks?
https://www.cloudflare.com/learning/ddos/ddos-low-and-slow-attack/
https://blog.qualys.com/vulnerabilities-threat-research/2011/11/02/how-to-protect-against-slow-http-attacks
How to limit the connection timeout, the time the server waits for all headers of the request before terminating it, and the minimum number of bytes per second when sending a response to a request, to minimize the impact of slow HTTP attacks? Is it possible to control the common Keep-Alive header to control the above: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Keep-Alive
Here are some header size limits: https://stackoverflow.com/questions/686217/maximum-on-http-header-values#:~:text=No%2C HTTP does not define,headers size exceeds that limit.
@Sherzod, how to:
1. limit the size of request headers?
2. reject/drop connections with HTTP methods (verbs) not supported by the URL?
3. limit the header and message body to a minimal reasonable length; set tighter URL-specific limits as appropriate for every resource that accepts a message body.
4. set an absolute connection timeout? Is that what AjaxTimeout is for?
irigsoft (Author) Posted February 24, 2022
How to protect against a Landspeed violation?
Sherzod Posted February 24, 2022
9 hours ago, irigsoft said: How to protect against a Landspeed violation?
What is this for? And what do you want to do if this is detected? Well, I think based on IP first. And of course this is the main one. Secondly, if there are ready-made detection methods, use them. Otherwise, you need to come up with a detection method yourself. And they can be different, I guess...
irigsoft (Author) Posted February 24, 2022
21 minutes ago, Sherzod said: What is this for?
To prevent a hacked account. Thanks, I just want to know if it is integrated in uniGUI.
irigsoft (Author) Posted February 24, 2022
@Sherzod, can you tell me something about this:
On 2/12/2022 at 10:00 PM, irigsoft said:
1. limit the size of request headers?
2. reject/drop connections with HTTP methods (verbs) not supported by the URL?
3. limit the header and message body to a minimal reasonable length; set tighter URL-specific limits as appropriate for every resource that accepts a message body.
4. set an absolute connection timeout? Is that what AjaxTimeout is for?
Is it possible to limit the size of headers and body (on the client side)?
irigsoft (Author) Posted May 21, 2022
This is how to add the "Content-Security-Policy" header, from here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

<meta http-equiv="Content-Security-Policy" content="script-src 'none'; object-src 'none'">