I'm developing a project with Delphi 2010, at some point this project connects to internet and send some data to a php file via POST/IDHTTP, those parameters encrypted with aes and as you know there is no way to get source code of php files via browser. But when i use sniffer on my project sniffer software shows full path of php file and parameters. I was wondering is there any chance to hide path and parameters with IDHTTP. For example when i try on Skype sniffer only shows decimal characters on skype's transmission. Is it possible to do same or totally hide the traffic ?
Thanks in advance.
You can use HTTPS, it is supposed to be standard way to transmit HTTP traffic through SSL-protected channel. Example of code you can find for example here.
In addition to Andrei's answer, you can consider encrypting your traffic on-top of using HTTPS.
In other words,
1) Use HTTPS protocol.
2) Add your own layer of encryption to encrypt all data coming to and from your server.
In addition to HTTPs and encrypted data, you can also add security by using client certificates. See https://security.stackexchange.com/questions/3605/certificate-based-authentication-vs-username-and-password-authentication
The answers explain the advantages of using CBA, one of them is
certificate usage never involves revealing any secret data to the
peer, so an attacker impersonating the server cannot learn anything of
value that way
Related
I've searched for this a bit on Stack, but I cannot find a definitive answer for https, only for solutions that somehow include http or unencrypted parameters which are not present in my situation.
I have developed an iOS application that communicates with MySQL via Apache HTTPS POSTS and php.
Now, the server runs with a valid certificate, is only open for traffic on port 443 and all posts are done to https://thedomain.net/obscurefolder/obscurefile.php
If someone knew the correct parameters to post, anyone from anywhere in the world could mess up the database completely, so the question is: Is this method secure? Let it be known nobody has access to the source code and none of the iPads that run this software are jailbreaked or otherwise compromised.
Edit in response to answers:
There are several php files which alone only support one specific operation and depend on very strict input formatting and correct license key (retreived by SQL on every query). They do not respond to input at all unless it's 100% correct and has a proper license (e.g. password) included. There is no actual website, only php files that respond to POSTs, given the correct input, as mentioned above. The webserver has been scanned by a third party security company and contains no known vulnerabilities.
Encryption is necessary but not sufficient for security. There are many other considerations beyond encrypting the connection. With server-side certificates, you can confirm the identity of the server, but you can't (as you are discovering) confirm the identity of the clients (at least not without client-side certficates which are very difficult to protect by virtue of them being on the client).
It sounds like you need to take additional measures to prevent abuse such as:
Only supporting a sane, limited, well-defined set of operations on the database (not passing arbitrary SQL input to your database but instead having a clear, small list of URL handlers that perform specific, reasonable operations on the database).
Validating that the inputs to your handler are reasonable and within allowable parameters.
Authenticating client applications to the best you are able (e.g. with client IDs or other tokens) to restrict the capabilities on a per-client basis and detect anomalous usage patterns for a given client.
Authenticating users to ensure that only authorized users can make the appropriate modifications.
You should also probably get a security expert to review your code and/or hire someone to perform penetration testing on your website to see what vulnerabilities they can uncover.
Sending POST requests is not a secure way of communicating with a server. Inspite of no access to code or valid devices, it still leaves an open way to easily access database and manipulating with it once the link is discovered.
I would not suggest using POST. You can try / use other communication ways if you want to send / fetch data from the server. Encrypting the parameters can also be helpful here though it would increase the code a bit due to encryption-decryption logic.
Its good that your app goes through HTTPS. Make sure the app checks for the certificates during its communication phase.
You can also make use of tokens(Not device tokens) during transactions. This might be a bit complex, but offers more safety.
The solutions and ways here for this are broad. Every possible solution cannot be covered. You might want to try out a few yourself to get an idea. Though I Suggest going for some encryption-decryption on a basic level.
Hope this helps.
I'm trying to make a secure protocol between an iPhone app and an Arduino server. The goal is that the iPhone app makes a request to an Arduino server and the server only processes it if it has the proper credentials of one form or another. I'm not really sure how to approach this problem. Any suggestions are much appreciated!
Unfortunately there are no truly secure communication options available on Arduino. The basic problem is that SSL libraries have not been ported to this platform, partly owing to the fact that the 8-bit processors the platform is built around are not very powerful. Having said that there are some things you can do, but you'll have to do them yourself:
Basic access authentication is a very insecure method of controlling access to HTTP pages so it isn't recommended. Digest access authentication, on the other hand, employs one-way cryptographic encoding (hashing). It only requires MD5 library, which, is actually available for Arduino. What you'll need to do is modify the source code for the Web Server class to support digest access authentication: AFAIK it does not support it out of the box.
If this seems to difficult, you could implement something fairly basic (and not very secure, but better than nothing) yourself. It might look like this:
The first GET request comes in from a client
The server responds with "not authorized" response, embedding in the response a token which is related to (perhaps a hash of) the requesting IP address. You could make the original timeframe part of the hash as well, and give such tokens a limited lifetime.
If the next request from the same IP address includes a hash based on some secret code + the token sent, the next request is honored.
Now this will not protect you from IP address spoofing, and many other things I probably haven't thought of. However, it will give you a modicum of security (and a tiny bit of security through obscurity, if you believe in this sort of a thing). You could ask for (slightly) more elaborate schemes on superuser
You might be able to just use authenticated messages built on shared secrets. The message will contain [at minimum] a message type, message body, timestamp, and message digest. You create the digest by HMACing the other stuff with a shared secret. (Type HMAC Arduino into Google for libaries and code.) The message is sent over TCP or UDP (i prefer it). The Arduino computes digest of message, checks it, validates data, and then acts on message.
One thing I like to do is implement port-knocking or something at the network layer in front of the application server. This prevents unwanted traffic from reaching the custom (and possibly vulnerable) command server. This can be done stealthily (see Silent Knock) or obviously. The network protections can also be implemented by a dedicated device that does the heavily lifting and disqualifies much rogue traffic before it reaches the Arduino.
I'm working on a Firefox add-on. At one point in the add-on, it needs to contact my server, give it a URL, then the server will process the URL (it's not a quick or easy process) and send back a link to the resulting file (on Amazon S3). However, since Firefox add-ons are mostly open-source by nature, how can I protect that one call to the server from being discovered by malicious people and then abused? (I only want users of my add-on to be able to make that call to the server...)
I was thinking about using some sort of key or something, but since Firefox add-ons are all open-source that wouldn't really work. I also thought about writing a binary component, but I have almost no experience in C++ (but maybe for something simple like this I could learn) - but then how could I protect calls to the binary component? Also, how could I protect from network sniffers and such? Would it be possible to somehow include encryption of some sort in that binary component so network sniffers cannot detect what is being sent to the server? (I found this question: Client-Server security and authentication but it was a bit over my head.)
When you distribute an extension you are basically giving people the car keys, so it's hard to stop them from taking the car for a joyride. The most secure solution is the one you suggested: use a binary component and authenticate the connection with username/password or PKI certificates. If you use HTTPS then the connection will be encrypted. This isn't totally secure (the binary component could be reverse-engineered by a determined hacker) but it will certain deter casual attacks. Note, however, that implementing, building and maintaining a binary component is significantly harder than the JavaScript equivalent.
An alternative would be to put the user through a one-time registration process when they install the extension. This could even happen in the background, and the user would get some credentials (e.g. a PKI key pair) at the end that they would use for subsequent communication with the server. If you're worried about people overusing the server, then presumably doing so via the extension wouldn't be great either. This way you can track the usage of each user (via the extension or not) and limit it as necessary.
In the end I don't think that there is much you can do. You could have a binary library in your add-on and call it via js-ctypes (it is easier to implement and maintain than a binary XPCOM component). But nothing will stop people from taking your extension and changing its JavaScript logic in any way that they like. You can make it harder by using some logic like this:
Client to server: "Extension version 1.2.3 wants to make a request."
Server to client: "Take your chrome://... file, bytes M to N, what SHA1 checksum do you get for them?"
Client to server: "SHA1 checksum is ..., please process URL ... now."
But this is also everything but fail-proof, it merely makes abusing your service somewhat harder. Same goes for automatic registration - if your extension can register then an attacker can create an account as well.
I want to write an application in Delphi which filters requested URLs in the OS (not only web browsers) and if it matches - blocks it or changes the URL's content to blank. The problem is - I don't know where to start looking. Could you help me with some informations?
I think you're talking about a DNS service. usually, DNS services live outside, on your router, your ISP, or a 3rd-party like www.openDNS.org
But you could write your own, run it on your PC, and set your internet settings to use that as your DNS server.
I suspect that a lot of malware works like this....
Also, this sort of thing can be done with no programming at all - just edit your hosts file in C:\WINDOWS\system32\drivers\etc\hosts (it's a text file with no extension).
Anything in there should trump.
Also, before you start writing an application to do this, have a look at OpenDNS. If it's an app for personal use, you may find that you don't need it. If it's going to be a commercial offering, this is the bar for usability and usefulness that you need to meet or beat.
http://www.mail-archive.com/delphi-talk#elists.org/msg01558.html - text by Francois PIETTE quoted bellow(in case link will become unavailable):
"There are several way to achieve your goal. The two main I see are:
1) Write a LSP (Layered Service Provider)
2) Write a proxy server
The first is not possible with Delphi (At least I think so. If anyone know
how to write a LSP using Delphi, I would love to get the code).
The second - writing a proxy - is more or less easy with Delphi using ICS
components. See "usermade" link at ICS website (http://www.overbyte.be).
With this option, you have to configure IE to use the proxy: IE Menu / Tools
/ Internet options / Connections / Network parameters / Use a proxy and then
enter the IP address (127.0.0.1 if proxy run on the same computer) and port
number (pick anyone you like, for example 8080). Once IE is configured to
use a proxy, it will send all requests to the proxy. Then the proxy will
make the real request to the target server and return data back to IE. What
is important there is that you get all URL entered in IE or indirectly use
(clicking on links), and you can either really rely them to the target
server or forge and answer your self to say the page access is denied.
At ICS website, on the usermade page, you'll even find a HTTP proxy
component. If you need help with this component and/or the entire ICS,
please use ICS support mailing list (same server as this list). See
"support" link at ICS website for support details."
LE: it seems that this question is possible a duplicate
Using delphi to block websites
use GetExtendedTcpTable api locate if there are any connexions to the remote server you want to block on port 80 if there is a connection use SetTcpEntry to terminate that connexion is pretty simple
i am watching a video stream from a proprietary app and i want to know the URL it's connecting to. note that in this case, i know the URL that it connects to but am curious how i'd determine it using wireshark.
i have wireshark open and i let it scan for a few seconds. i looked at the results, and all i was able to determine was the url and port of the site that's providing the stream. there's a series of URL parameters that are important as well. is there a way with wireshark to see the whole url that the app is connecting to?
A full URL is the concatenation of 'host' and 'path' ('path' is URI in wireshark's jargon).
The concatenation of these strings usually does not pass on wire - you will not see it in wireshark - and it is not required by HTTP.
Therefore, you have to concatenate them on you own, either manually or using some software as the one proposed by the writer of the lua dissector.
Example:
GET /path HTTP/1.1
Host: www.amazon.com
thus, the full URL is: www.amazon.com/path
There is no such thing as a "whole" url. An application may connect to many servers during it's lifetime.There could be different servers for authentication, configuration, logging, data, etc.
Wireshark is a low-level monitoring tool. You can choose to watch the packets of a specific osi-layer and add filters to limit the output. But I don't think it can aggregate all the incoming connections of a specific application.
Please, check out following custom dissector written in Lua, that helps showing full URL in wireshark HTTP captures
Feel free to ask any questions regarding it, upvoting is preferred as well ;)