I am concerned that the data that is being sent from our remote database to the java based client software is not being sent securely as it is using http tunneling with RMI rather than https.
The problem is I need to prove the vunerability to my boss before he takes it up with the IT company.
How can I send and receive data to an RMI cgi serverlet to test this theory?
I have used wireshark to see the packets and I can see the url that the data is POSTed to but have no idea of an easy way to replicate the RMI protocol (without writing a whole Java app).
I believe that you can create special method with simple signature like
String foo(String);
Now try to call this method with your mechanism and user wireshark to catch packets. I think that if the data is not encrypted you will be able to see the parameter and return value in clear text.
Related
Is it possible to read datastream sent from C++ server program to C++ client over socket connection in java? I have details like port number and server IP.
Or do I need decompile the whole C++ client into Assembly and then somehow translate it into java to do that?
I'm really not sure what kind of data it's transforming, though.. Somebody told me to code HTTP server and run it on my Router but I'm not really sure if that would work?
Here’s the diagrammatic way to look at it.
Server generates data.
it puts it in a packet.
it encrypts the packet.
and sends it over the wire.
It gets to a user’s Computer (= client). (I should be in the control now on..)
(If I could somehow read data at this part?)
The client reads the encrypted packet.
(If I could somehow read data at this part?) (The later, the better :D)
The client decrypts the packet.
(If I could somehow read data at this part?) (The later, the better :D)
The client does something.
As said, the client is .exe file and it's coded using C++. And I don't have source code of it.
All you have to do is define well your application protocol. This is, the format of your data stream. As long as you are using the same format in both ends, it doesn't really matter what language or program you are using. Imagine your browser and the web server. They are both using the same application protocol (HTTP) but they are completely different programs. Even more, there exists different web servers and different browsers.
Then, all you need to do is use the java sockets to listen to some specific port, and use your c++ sockets to write to the specific port. Just make sure you know how the information is "organized".
As we now, a .jar file, we can open it and see the code and classes with any decompiler. Now suppose the following situation:
I developed a Client-Server application under JAVA, in both Client and Server, i used AES-256 for encrypting the data sent over internet. So, i give the "Client" to my friend. Now.. The question is... can he hack my Server knowing how are the packets received in the Client, treated, and sent back? I mean... encrypting the data when you have a revealed code, it's.. in vain, doesn't it?
The question is... what can i do to have the best security possible in the Server? does encryption work in this case ?
Thanks !!!
Don't use encryption just to hide how your client-server protocol works. If you want your server to be secure, make it secure even when the client is in full control of what goes on.
As you've mentioned, it's easy to control the client: not just via decompilation, but also by running the client in a debugger (which can modify the contents of any object, modify control flow, etc.).
My points, then, are:
It's important to identify where the potential attack vectors are in your server, and address those. For example, if you want to be able to send a cookie to a client, which you want them to send back unaltered, you don't need encryption for that; just use HMAC.
If you actually really want to encrypt traffic between client and server, don't use straight AES (especially because it sounds like you're using a fixed key, which is insecure). You want to use a protocol designed for wire encryption, like TLS (SSL). Yes, really use TLS (including acquiring a certificate from a certificate authority); don't take shortcuts.
The nice thing about TLS is that there are no shared secrets (such as keys) that you have to embed into your jar. So there is nothing you have to worry about hiding.
If by him hacking your server you mean him meaning figuring out the protocol and contents of the packet that goes in, and then sending funky packets to make your server do unexpected things at unexpected times, the solution seems to be not as much encryption but strong validation. That is, your server should expect only a limited set of values in the incoming packets at each step of your protocol, and if some of the incoming packets do not conform to this/attempt to do something unexpected, they should be discarded.
Your encryption is not going to allow you to hide the protocol/API/etc. that the client and server use to communicate with each other. By encrypting the data flowing between the client and server, you are preventing someone that is observing this traffic as it passes across the wire (presumably the internet) from snooping on the data.
One issue to keep in mind is that AES requires a password that is know by both the client and the server. If your password is hardcoded in the jar, then anyone that has the jar can snoop on any traffic between your server and anyone's client that connects to it. So, you need a secure way for the client and server to agree on the password to use for a given connection.
I suggest using an SSL-based technology for encrypting the data going on the wire (e.g., maybe you can simply use HTTPS as your protocol). Or perhaps use public key encryption.
It is hard to make a specific recommendation, given the lack of information about the communication pattern between client and server.
I'm building an android application which uses a PHP web service (I am building this also).
My question is, how do I prevent unauthorised users using my webservice? For example, could someone get the address of my web service and use it outside of my app (e.g. sending post variables to my service)?
Another related question is how do I prevent spam requests on my webservice? Would it be a case of logging the IP address and limiting the amount of calls?
You can use an HTTPS connection between the Android device and your webservice API endpoint.
Limit you webservice so that it accept only HTTPS connections. You can easily do this using Apache (perhaps using the SSLRequireSSL directive) or directly in your PHP connection handler.
While using an HTTPS transport stream, you can pass specific arguments when making an API call to your webservice to ensure the request has been sent from your application. Nobody will be able to know what specific data are transmitted and will not be able to reproduce an acceptable connection to your remote service.
Regarding your second question, you can indeed limit the number of requests for a given amount of time. Either in PHP or by using specific tools such as fail2ban.
PHP can receive data via POST or GET out of your site and even the internet browser. One of the methods used to do this is by curl.
To what are you referring to this question is known as Cross-site request forgery.
If you are able, you should implement the use of HTTPS in your app and this could solve many security problems.
In case you can not use HTTPS (whether it is expensive or any other problem):
You must verify the information received by POST or GET in your PHP, this language has much ability to solve these "problems"; Take a look at this part of the PHP official documentation.
Suppose you're building a login system:
Also you can add in the login page place a hidden element with secret unique code that can happend only once, save this secret code in session, so, the loging script look in session for this code, compare with what was posted to the script, should same to proceed.
And, if you want to get the IP address of your visitors:
function getRealIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from share internet
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //to check ip is pass from proxy
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR'];
}
return $ip;
}
Finally, read this.
EDIT
If you can't pay an HTTPS certificate, (as Halim Qarroum says) you can use:
Self signed SSL certificates,
which are free.
Of course this has its advantages and disadvantages
Here is the situation. There are server and client in network. They communicate like this:
Client sends request for some function.
Server sends to client function parameters.
Client trying to perform function and sends answer to server.
Server sends to client data which it should show.
But sometimes client can't perform function and sends error. I want to catch all packets from step 2, analyze them (I've already have tools for that), prevent some of them to reach client, process them with my program and form packet like in step 3. This must be done on client side. I have no access neither to server nor to client.
So, the question is: Is there libraries for changing, injecting and removing tcp/ip packet in c++ or java? The solution should be working in both Win and Linux systems.
Also, may be you have better ideas to expand client functionality?
Thanks for any help!
I tried to google how to change packets, but all I got were unanswered questions and sniffers=(
Edit: Actually, I don't really need injecting and removing packets, I can manage it with only changing packet data. Also, there is no multiple requests in the same packet, and a single request across multiple packets is not a problem.
You have to build a Proxy for your server. The client connects to the proxy, and the proxy itself connects to the server. It just routes all the packages between client and server.
BUT it is now able to intercept specific messages and to modify them. Imagine a filtering HTTP proxy, it works the same way.
I have personal experience with libpcap on linux and freeBSD, a kind of lowlevel library that helps to catch or inject packets. I did use it in an IPV6 network bridge project... But i know there is a windows port for it.
http://sourceforge.net/projects/libpcap/
You can let the library to:
catch packets using a filter
extract data from packet
you can process the data (modify them)
reinject it again using the same library
But you would have to work with internal data in a quite raw matter. Best documentation for this library are comments inside its header file, that is the most up to date info. Maybe there are some more comfortable highlevel libraries.
I'm trying to implement a Web Anonymizer (like ktunnel) in java, but I really could not get the idea, I need some information about how a web anonymizer works. I really do not need the source or a sample application, just the idea or a tutorial explaining the anonymizer idea.
Thanks.
A basic anonymizer just acts as an encrypted proxy, creating an encrypted "tunnel" between a proxy server and a client, where all traffic from the client goes through the proxy. This accomplishes 3 things:
The client cannot* be determined by looking at traffic between the proxy and endpoint. Hosts on the other end just see the proxy server.
The content of a client's traffic is hidden from monitoring, because the connection to the proxy is encrypted.
It is impossible* to determine the endpoint for traffic originating from the client, because all of it appears to go to the proxy only.
*In reality, a simple anonymizer doesn't provide full protection, because if you look at the amount of traffic between client and proxy, and the traffic between proxy and various sites, you can associate a specific client with their traffic. This is called traffic analysis.
Fancier anonymizers, such as Tor, provide protection against traffic analysis and a lot of other techniques to break anonymity, BUT that's really beyond the scope of the question.
From your point of view, all that matters is writing the proxy software. Your program should be able to create and manage encrypted connections to clients. This means it needs to be able to (securely) initiate an encrypted connection to a host, pass on connections to external hosts, and then pass traffic back and forth. Basically, it needs to act as a router.
There are protocols in place for how to accomplish this -- I suggest you read up on the SOCKS protocol, or Tor. Your best bet if this is a learning project is to write basic SOCKS proxy software. If this is for actual use, there should be libraries in Java that provide the necessary services.
EdiT:
Ktunnel is a less fancy proxy -- it uses a CGI script to redirect information from a URL back and forth. Basically, you enter an address, it fetches the page for that address, and sends it to you. Fairly simple, actually.
I don't know ktunnel, but for basic information about anonymity networks have a look at Tor at wikipedia.