
How to Encrypt Files when uploading with uniFileUpload or uniFileUploadButton from Client to Server?


irigsoft


2 minutes ago, Sherzod said:

Yes I see, perhaps "simply replacing" the array of files will not work.

I have to change the name and encrypt Files.stream when the multi-upload executes, but the file is already on the server when I do that, because the files are in the Windows temp directory, with a different name.


1 hour ago, Sherzod said:

Why do you think so?

I know that creating an archive of the files (on the client) is one possible solution and is simpler than others, but:

1. The first rule of security: every user is bad!

2. Any JavaScript code on the customer side can be compromised; for this reason I wrote about obfuscating the JavaScript code (and I use it for some of my files).

https://stackoverflow.com/questions/28352160/javascript-client-side-security

https://softwareengineering.stackexchange.com/questions/200790/how-easy-is-it-to-hack-javascript-in-a-browser

Since it is not clear to me how the uniGUI core works with the JavaScript code, I suppose some of the code added by me may be manipulated by the client (attacker). So the less code on the client's part, the fewer options for attack.

3. Uploaded archive files can be a "zip bomb":

https://www.microsoft.com/en-us/windows/learning-center/what-is-a-zip-bomb

https://en.wikipedia.org/wiki/Zip_bomb

 

4. Archives may contain risky files. Assuming the attacker has captured the file and replaced it with his own, this means we are directly at risk because of the trust placed in the file type. Good security practice avoids uploading archive files.

How do you check that an archive uses my password without extracting it?

Some antivirus programs cannot scan the content of archive files, and this adds additional risk.

 

I think encrypted files give me the solution; at least I think the bad code will not be executed directly (but this has two sides: how to use an encrypted file, and what happens when the file is decrypted, the same as with archiving).

For this reason, given that the provision (encryption) must be done by the client, file encryption is not strictly necessary or applicable.
The practice I have observed on some systems that allow uploading XML files (which also carries a risk) is that an HMAC is used to secure them.
If it is at least possible to apply this, it may be useful to the audience.



3 hours ago, Sherzod said:

In that case, then you better have at least a VPN...

Thanks, this is a possible solution for some attacks.

But even with a VPN, a client (attacker) can upload a malicious file. I know this is generally true of all software regardless of the server type.

I don't want to create problems for the team or others, let's concentrate on coding other things.

How to generate on the client (or better, on the server):
1. Change file names: I have a feature for this in the attached example.

2. Generate hashes of the files: I have a feature for this in the attached example.

3. How to upload a file with HMAC: https://www.jscape.com/blog/what-is-hmac-and-how-does-it-secure-file-transfers

https://medium.com/@rosyparmar/google-cloud-storage-use-hmac-to-authenticate-requests-to-cloud-storage-aa8ed859be33

https://crypto.stackexchange.com/questions/86136/prove-that-you-have-the-data-when-hash-is-public

Let's make it work if possible.
Thanks


I honestly want to learn about this.
1- You allow the user to upload to your server with authentication provided by you
2- You use https
3- You can save in a non-public folder with no access from the browser
4- You can modify rights to such a file
5- You can save in raw format without decoding, or completely removing the association to an app
6- Only who uploads can download it
7- All uploads to your server go through antivirus and such


Consider this:
a- If not sharing with third parties... what is the issue?
b- If now allowing downloads and any kind of access... what is the issue?
c- With any option, the burden of processing and of things going wrong is on the client side (delays, corruption, etc.).

Then...

I really want to know because I recently made an app for AWS and am currently working with the new Mega.nz API, and we are all very pleased with their level of security. The problem is never the upload but the storage and access. Since it is all contained... I really doubt that any of the security issues your links refer to could bring down one of those services; I had to learn in depth about it.

And I cannot see how a "reverse" JavaScript code injection would work with uniGUI, except done by whoever made the server/ISAPI itself!

So, again, I really want to know.


On the problem: with the IT team at that company where I made the "secure upload app" for their server, we could do a pre-validation using the file hash and an API to a security service. Later, they abandoned it because it was utterly unnecessary (costs were an issue), since whoever uploads has the responsibility and is the only user that could have access to the file. But we use all the rules above.

By the way, I saw your code with the Magic Number (or magic bytes) check and made some upgrades and add-ons because I got in depth with it.
I will post here for all users later.

Happy New Year!


8- You can use certificates (hard or soft). Here in Brazil we have the e-card (hard solution) to validate business and digital signatures in documents (government, secure transactions, banks, etc.), much like a "smart" debit card. But this is not a cheap solution. We can only send a transaction file with that authentication. The majority use the "soft" solution only. Widely used here. Big companies issue this to their top-level staff, also.

Add to that list...


9 hours ago, Fred Montier said:

8- You can use certificates (hard or soft). Here in Brazil we have the e-card (hard solution) to validate business and digital signatures in documents (government, secure transactions, banks, etc.), much like a "smart" debit card. But this is not a cheap solution. We can only send a transaction file with that authentication. The majority use the "soft" solution only. Widely used here. Big companies issue this to their top-level staff, also.

Add to that list...

Yes, this is a possible solution and is good practice.

If the file is signed then it is not malicious! But that is not always true.

With digitally signed files you know who the owner of the certificate is, but there is also certificate theft; even if signed, it does not make the file safe.

"Here in Brazil we have e-card (hard solution) to validate biz and digital signatures in docs (gov, secure transactions, banks etc) much alike a "smart" debit card" - Our government too, but that's because they want to know who owns the file and for security reasons (I think).

In theory, we apply the principle: the user is malicious and we look for as many rules as possible to make it difficult for him to attack the server. Because the most dangerous thing in an attack with an infected file is the infection of the server.
When a server is infected, the consequences are not just for the server owner, but also for the users.
I recently read an article about a mobile phone company vulnerability that went undetected for some years. This has certainly given malicious individuals the opportunity for more attacks or data theft.
Ultimately, the goal is to keep the server from getting infected.

To your questions:

1- You allow the user to upload to your server with authentication provided by you - Yes, only an authorized user can upload files; I even add user details to the upload process, which the server verifies.
2- You use https - Yes, not self-signed.
3- You can save in a non-public folder with no access from the browser - Yes, an outside directory, protected with OS user rights.
4- You can modify rights to such a file - Not yet, but I will in the future (I am working on it).
5- You can save in raw format without decoding, or completely removing the association to an app - Yes, I save the file with a changed name and no extension. The raw format is a good idea, thanks.
6- Only who uploads can download it - No, only users authorized in the app can download or open files. For example:
   1. I give clients rights to upload advertisement files, and the ad is played to other users (such as a video or image in an iFrame).
   2. I give clients rights to upload their own image/video/other files (like YouTube) and they play for other users.
   3. I grant an internal user of the company rights to upload video files from security cameras; then only the camera owners can download each day's recordings.
All this can be done from a mobile device (a problem with smart cards) or a PC.


7- All uploads to your server go through antivirus and such - Yes, I have an antivirus app and an anti-malware app. But getting the information that files are dangerous is not enough if no one is watching (like at 03:00 in the morning) and the files are on the server.

Consider this:
a- If not sharing with third parties... what is the issue? -
   1. The server is at risk; all work can stop.
   2. I share it, so the risk is that malicious files go to the clients' PCs and make them a botnet.
b- If now allowing downloads and any kind of access... what is the issue? - Risky files may attack clients, a Trojan horse or worm.
c- With any option, the burden of processing and of things going wrong is on the client side (delays, corruption, etc.) - I prefer it to be done on the server side, and on the client side only hash the files and compute an HMAC for them.

On the server side, when users upload files, they first go to the temporary directory (with changed names), but they are not encrypted, and this creates a risk for the server, so I'm looking for a way to secure (obfuscate/encrypt) the files beforehand.

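The three client-side steps listed earlier (rename, hash, HMAC) and the server-side answers above, as an added example that is not from this thread or from uniGUI, written in Python rather than Delphi: the server recomputes the HMAC with the key it issued to the session, decides the file type from magic bytes instead of the client's extension, and stores the file under a random name with no extension outside the web root. The session key, the accepted signatures and the quarantine directory name are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from pathlib import Path

# Constructed per-session key: the server hands it to the authenticated user
# and recomputes the tag itself, so nothing the client claims is trusted.
UPLOAD_KEY = b"constructed-per-session-key"
# Accepted file signatures (magic bytes). Only the leading bytes of the content
# decide the type; the client-supplied file name and extension are ignored.
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
ZIP_SIGNATURE = b"PK\x03\x04"  # archives are refused outright (zip bomb risk)


def file_tag(data: bytes, key: bytes = UPLOAD_KEY) -> str:
    """HMAC-SHA256 over the whole file; the client sends this beside the upload."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sniff_type(data: bytes):
    """Name of the accepted type according to the magic bytes, or None."""
    if data.startswith(ZIP_SIGNATURE):
        return None
    for name, signature in ALLOWED_SIGNATURES.items():
        if data.startswith(signature):
            return name
    return None


def validate_upload(data: bytes, client_tag: str, key: bytes = UPLOAD_KEY):
    """Return (True, type) when the upload may be stored, else (False, reason)."""
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(file_tag(data, key), client_tag):
        return False, "bad-hmac"
    kind = sniff_type(data)
    if kind is None:
        return False, "type-not-allowed"
    return True, kind


def store_upload(data: bytes, quarantine_dir: str):
    """Write under a random name with no extension; returns (name, size)."""
    folder = Path(quarantine_dir)  # must lie outside the web root
    folder.mkdir(parents=True, exist_ok=True)
    dest = folder / secrets.token_hex(16)
    dest.write_bytes(data)
    os.chmod(dest, 0o600)  # owner read/write only, no execute bit
    return dest.name, len(data)
```

The HMAC only proves the upload came from the holder of the session key and arrived intact; it says nothing about whether the content is safe, which is why the magic-byte check and the isolated storage follow it.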

12 hours ago, Fred Montier said:

And I cannot see how a "reverse" JavaScript code injection would work with uniGUI, except done by whoever made the server/ISAPI itself!

I read many topics on the web and they all say: client-side JavaScript is not secure. I don't know why, but I take it into account when I add some code to be executed on the client side.

1. https://iteo.com/blog/post/security-for-single-page-applications/

These are the most common security issues faced by this type of application:
 - Data exposure via API
 - Cross-site scripting (XSS) attacks
 - Cross-site request forgery (CSRF)
 - Session Tracking and Authentication


2. https://jscrambler.com/blog/the-most-effective-way-to-protect-client-side-javascript-applications

The Risks of JavaScript

1. Debugging and Tampering
    "Just like anyone can use the debugging tool for legitimate purposes, an attacker can use this feature to change JavaScript at runtime. The attacker can hit a breakpoint, change the DOM, and enter arbitrary JavaScript in the console."
As OWASP puts it:
"An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application’s data and resources. This can provide the attacker with a direct method of subverting the intended use of the software for personal or monetary gain."

2. Data Exfiltration and Other Client-Side Attacks
    "Likely, you won’t notice this change, and your website will be distributing malware."

"Like any double-edged sword, you must wield this with responsibility. To protect JavaScript code, you must take into account what happens at runtime, both because attackers can target your exposed source code and because they can inject malicious JavaScript code through your third-party scripts."

https://jscrambler.com/blog/javascript-obfuscation-the-definitive-guide

"JavaScript is an interpreted language, so client-side JavaScript requires an interpreter in the browser to read it, interpret it, and run it. This also means that anyone can use a browser debugger to easily go through the JS code and read or modify it at will."


https://www.spiceworks.com/tech/devops/articles/what-is-single-page-application/
5. Security issues
SPAs are more prone to getting hacked through cross-site scripting attacks. They allow consumers to download the entire application, exposing it to more opportunities for finding vulnerabilities through reverse engineering. To fix this, developers should ensure that all web application security-related client-side logic, such as authentication and input validation, is doubled on the server for verification. Additionally, developers should provide restricted role-based access.


Hi.

I add here a solution that may be useful for someone:

https://www.experts-exchange.com/questions/26933022/How-to-lock-out-a-file-or-path-from-within-a-Delphi-app.html

question:

How to lock out a file or path from within a Delphi app?


proposal:

Try this: rename the folder you want to test
from:
New Folder1
to:
New Folder1.{ED7BA470-8E54-465E-825C-99712043E01C}

So, when your Delphi program runs, it renames it back to New Folder1.

Rename file code (Delphi, using RenameFile from System.SysUtils):
lock folder:
RenameFile('New Folder1', 'New Folder1.{ED7BA470-8E54-465E-825C-99712043E01C}');
and back, unlock folder:
RenameFile('New Folder1.{ED7BA470-8E54-465E-825C-99712043E01C}', 'New Folder1');


explanation:

{ED7BA470-8E54-465E-825C-99712043E01C} is one of several special names that Windows systems recognize and treat in different ways. For instance, the Control Panel 'folder' has a special icon and there are some things you are not allowed to do with the folder or its contents. I think this particular folder identification was introduced in Win7. Many writers have named it the "God" folder.

more info:

https://en.wikipedia.org/wiki/Windows_Master_Control_Panel_shortcut

https://answers.microsoft.com/en-us/insider/forum/all/god-mode-other-windows-10-tips-tricks/9e81e023-9179-4b59-9937-f1e9aab537b4
