A customer reported that there is a attempt by hacker to access my webservice.
The hacker tried to send a php script to my webservice by http post and got a response 200
My IIS webservice is protected by AES encryption ROAESEncryptionEnvelope.

Should I be worried?

Is it possible that a php script is executed by my webservice?

The logging implies that the webservice accepted this script (according by the SA)

I forget to mention that only the binary channel is used.


I think, you can answer to this q by yourself.
Open the Message Envelopes sample (C:\Users\Public\Documents\RemObjects Samples\RemObjects SDK for Delphi\Message Envelopes).

update the TMessageEnvelopes_ClientMainForm unit as:

  • add uROBinaryMemoryStream to uses section
  • add the ROChannel.OnReceiveStream event:
procedure TMessageEnvelopes_ClientMainForm.ROChannelReceiveStream(aStream: TStream);
  a: TROBinaryMemoryStream;
  a := TROBinaryMemoryStream.Create;
  • launch both projects
  • [optionally] remove all envelopes from client project
  • press Run Test Once with enabled envelope on server-side and with disabled:


  • ROENV - header for protected stream
  • RO107 - header for unprotected stream


I run the example, my conclusion:
yes, you can send stuff to the webservice but it’s not processed on the server if you do not have the right security AES etc.

The only thing I do not understand that according to the SA there was a response 200.


Message Envelopes are designed for protecting outgoing streams only.

if you want to process encrypted requests only, you can use ROMessage.OnBeforeProcessIncomingEnvelopes event:

procedure TMessageEnvelopes_ServerMainForm.ROMessageBeforeProcessIncomingEnvelopes(aStream: TStream);
  a: TEnvelopeSignature;
  pos: Int64;
  pos := aStream.Position;
  if aStream.Size > Length(EnvelopeSignature) then begin
    if not CompareMem(@EnvelopeSignature, @a,Length(EnvelopeSignature)) then raise Exception.Create('Encrypted request is required');
  aStream.Position := pos;

pls retest this example again with included and excluded envelopes on client-side

Thanks again, I am starting to understand what is going on.

Is the url hidden when the client sends a AES call?

Typical url is http://host:port/path .
You can change port (8099 by default) and/or path (bin by default).
also is possible to work w/o hardcoded path.
in this case, you need to implement OnCustomResponseEvent.

see more at Using OnCustomResponseEvent in a ROSDK Server.

in this event you can check incoming stream and depending on some conditional, allow/disallow to process it.

for example, you can have conditional: envelope marker should be the same as path.
you read from stream envelope marker and compare with path.

from Message Envelopes: Wire Specification, you know:

Each envelope will add the following preamble to messages as they are enveloped:

  • 5 ASCII characters ROENV as a marker.
  • The envelope marker, as 1-byte binary length, followed by the UTF-8-encoded envelope name (maximum of 255 characters). The length bytes indicates the number of bytes, not UTF-8 characters.

so you can easily to implement this checking.