I am not sure of what it is called, but what happens is that my POST method request can be captured by a tool like (burp suite) and change the POST to GET.
Afterwards the process would still continue, but now it shows the parameters and its value in the URL.
How do I defend against this kind of attack?
The website is on ASP.NET C#.
Burp suite is a "man in the middle" (MITM) proxy with injection/manipulation capability. If your site is on http (not https), then yes: you are completely at the mercy of every intermediary that the traffic passes through. Change your site immediately to use https with a valid certificate.
For this to work on https, you need to deliberately break your machine, by installing a dodgy root certificate authority that will issue fake certificates for the sites it wants to MITM. This only passes your browser's security system because you broke your machine.
An attack that depends on the client already having been compromised is not an interesting attack from a server perspective. All you can reasonably do is protect intact clients. By using https and disabling http (non-TLS). You can do things like reject GET if you're expecting POST - but this doesn't change that the GET will have happened. But note:
the MITM proxy can already read the POST variables without needing to change them to GET: it is in complete control of the data
other intermediaries between the MITM proxy and your server cannot read the data regardless of whether it is GET or POST, as long as it is https (which is why you need to disable http, not just enable https)
the only thing you're changing with GET vs POST here is what appears in your own server logs... and it doesn't matter how you respond to the request at that point: it has already been logged, even if you return 404 or 500 or whatever
Related
I'm creating a crawler which uses several IP Proxies. Whenever I tried to crawl the website without proxy, I'm able to get the html source, but when I tried to enable the ip proxy, it always fail and throws an exceptions (The remote server returned an error: (403) Forbidden.)
Upon looking at the fiddler, it seems the website stores cookies upon visit. But if the proxy is enabled, it fails at get response part.
I don't understand why the cookies was not set using a proxy? Is it the proxy server settings for cookies that cause it? or I can do something about it while still enabling proxy?
I'm using C# by the way, but the question doesn't seems language dependent.
Another thing to consider is that you set a cookie from the ip address of the non proxied machine (which worked), then when you sent another request with the same cookie from another ip address which might have gotten you blocked.
Some network level software looks at stuff like this which might have flagged you as a malicious crawler or annonymous tor browser.
Recently, We developed an application that we want it's users to pay for a monthly subscription in order to use it. So the first thing that came to our minds how to implement a secure way for our application to check for the User validity and those ideas came up
Using WebClient to enter to our website and Login using the user
provided credentials : However, this might be vulnerable to MITM
attack.
Using the first approach but using SSL certificate (to make sure
that we are connecting to our server and not the attackers') :
However, Fiddler can easily do a MITM attack and decrypt the SSL
communication, which will result in the same vulnerability as the
first approach.
Due to the internet's lack of documentation of what we need, we had to ask here for someone to explain how could we make sure that:
Our application only connects to our server and not any fake hosted
server (by the attacker).
The communication is secure. Not altered or edited some how in order to
grand unfair access to our application. (by sending a fake response
to the app or editing the original response before the application receives it).
Note: we totally understand that the attacker may just deobfuscate the application and do whatever he want to it. So we are planning to get a goodobfuscatorin order to at least make it harder for the attacker to do so.
You can use SSL Certificate Pinning.
Set the ServerCertificateValidationCallback to only accept your certificate's public key, or one of its signers. (this means you can never change certificates)
This will completely prevent SSL MITM (which works by using a different certificate and making the computer trust it).
Of course, it doesn't prevent attackers from cracking open your app and bypassing the check altogether, especially if you store local state.
I'm building out a simple C# application that integrates with a SOAP web service. I add the service reference to the appropriate WSDL and everything works out fine so far.
Occasionally, the server's firewall will respond with a 503 error before the request gets a chance to hit the web service. That 503 error also contains some HTML with an ID number (which changes each time) that I want to capture.
If I catch the exception, it doesn't give me the full message - just the re-formatted basic exception that says the server is too busy.
I tried the message inspectors suggestion from this post:
Intercept SOAP messages from and to a web service at the client
...and it gives me the outbound request, but it never hits the AfterReceiveReply call, so the response isn't captured.
I've also tried subscribing to all of the channel's major events (Faulted, Opening, Opened, UnknownMessageReceived, etc), and I've tried inspecting the channel when I catch the exception, but nothing seems to work.
Any thoughts or suggestions?
Why not just run fiddler on the machine your soap client is running on and intercept and inspect the traffic that way?
Turn on WCF Tracing. In particular, Message Logging.
It seems like disabling SOAPProcessing in the .config file may be a step in this direction, but I was unable to figure out how to enable this setting via code (and I cannot use a .config file in my final application because this is a plugin and the parent app's .config file is dynamically generated each launch).
I was able to work around this somewhat. In my situation, I had separate dev and production servers. The 503s errors were happening mostly on the production server (likely due to the firewall being sensitive about a different hostname in the API requests), so I ended up with a solution that duplicated the API requests and sent them over to the production server.
(This was okay, because the production server was not configured with anything that would be affected by any API requests that made it through the firewall. The requests would just be considered invalid.)
I did this by using message inspectors to generate the last outgoing request. Then for each outgoing request, I generated a new WebBrowser control, set the proper headers (SOAPAction and all that), re-injected the security credentials (the message inspector stripped them out at runtime), and then posted the request to the production server with that WebBrowser control. The WebBrowser instance's DocumentCompleted event let me dump the result and search for the ticket ID when appropriate.
Not exactly glamorous, but it works well.
I have a client application that is communicating with an ASP.NET web service using cookie-based authentication. (the clients call a login method which sets a persistent cookie that is then re-used across requests within the logon session).
This has been working fine for some time, but I have started getting error reports from a few machines used by a new client that seem to indicate that the cookie has not been successfully roundtripped. (Login requests are all successful, but all subsequent requests fail with a 302-redirect to the logon resource)
I am using a CookieContainer which I manually attach to each HttpWebRequest I am using to ensure that the cookies are preserved across every request.
Is it possible that there is some "security" software on these machines that is intercepting/blocking the cookie transmission? (I am using SSL). If so, is there anything that can be done to tell what is getting in the way?
It's highly unlike that security software can even see inside your packet if you're using SSL. SSL data should be encrypted even before they get into packet form; generally they are encrypted even before using the send() to the socket. Unless you have some awesome security software that has broken SSL encryption and can look inside the packet, this shouldn't be possible.
Are the same machines failing every time? Or are some machines failing randomly at times, and others failing at other times? If it's the latter, maybe there's something going on on the server, not the clients.
We have an HttpHandler that deals directly with binary posts over HTTP from custom client software. The client software occasionally sends data which results in IIS 7 responding with a 400 - Bad Request. Since the "400 Bad Request" is special in that HTTP.SYS transparently handles it in kernel mode without notifying user mode of anything, no errors are raised to be handled in ASP.NET. Is it possible to catch this http 400 in ASP.NET, so that I can write specific data to the Response stream in these scenarios? A redirect to another page isn't an option as it needs to be in the current Request/Response.
If you know what is causing the 400, then you may be able to customise the behaviour of http.sys via the registry to deal with it:
http://support.microsoft.com/kb/820129
However, you should be aware that there are potential security and performance ramifications of doing this.
Another option would be to use a filtering proxy before IIS, thereby capturing the request before it goes any further.
I would instead ask them to fix the custom client software. Give them a report showing the failed requests. If you are able to, run a sniffer such as Wireshark and send them the packets if they do not believe the problem is with their software.
If your custom client causes IIS to trigger HTTP 400, it's probably flawed and is not submitting valid HTTP requests according to the standard. If you can alter the client, it would be the right thing to do. Otherwise, what you're working with is not HTTP, and IIS is designed to handle HTTP requests. Therefore, you should run a custom server for your own protocol (which is a non-standard HTTP like thing).
It's not advised to use IIS/ASP.NET to handle such a request as it might cause some weird unexpected things to happen.