Attack

A customer reported that there was an attempt by a hacker to access my webservice.
The hacker tried to send a PHP script to my webservice by HTTP POST and got a response 200.
My IIS webservice is protected by AES encryption ROAESEncryptionEnvelope.

Should I be worried?

Also,
Is it possible that a PHP script is executed by my webservice?

The logging implies that the webservice accepted this script (according to the SA).

I forgot to mention that only the binary channel is used.

Hi,

I think you can answer this question yourself.
Open the Message Envelopes sample (C:\Users\Public\Documents\RemObjects Samples\RemObjects SDK for Delphi\Message Envelopes).

Update the TMessageEnvelopes_ClientMainForm unit as follows:

  • add uROBinaryMemoryStream to uses section
  • add the ROChannel.OnReceiveStream event:
procedure TMessageEnvelopes_ClientMainForm.ROChannelReceiveStream(aStream: TStream);
var
  a: TROBinaryMemoryStream;
begin
  // copy the raw incoming stream into a memory stream so it can be dumped to the log
  a := TROBinaryMemoryStream.Create;
  try
    a.CopyFrom(aStream, 0);   // Count = 0 copies the whole source stream
    Log(a.ToReadableString);  // shows the ROENV / RO107 header and the bytes that follow
  finally
    a.Free;
  end;
end;
  • launch both projects
  • [optionally] remove all envelopes from client project
  • press Run Test Once with the envelope enabled on the server side and with it disabled.

Note:

  • ROENV - header for protected stream
  • RO107 - header for unprotected stream

Thanks,

I ran the example; my conclusion:
yes, you can send stuff to the webservice, but it is not processed on the server if you do not have the right security (AES etc.).

The only thing I do not understand is that, according to the SA, there was a response 200.

Hi,

Message Envelopes are designed for protecting outgoing streams only.

If you want to process only encrypted requests, you can use the ROMessage.OnBeforeProcessIncomingEnvelopes event:

procedure TMessageEnvelopes_ServerMainForm.ROMessageBeforeProcessIncomingEnvelopes(aStream: TStream);
var
  a: TEnvelopeSignature;
  pos: Int64;
begin
  // peek at the first bytes: a protected request starts with the ROENV envelope signature
  pos := aStream.Position;
  try
    // a stream too short to carry the signature cannot be an enveloped request either
    if aStream.Size - pos < Length(EnvelopeSignature) then
      raise Exception.Create('Encrypted request is required');
    aStream.ReadBuffer(a, Length(EnvelopeSignature));  // ReadBuffer raises on a short read
    if not CompareMem(@EnvelopeSignature, @a, Length(EnvelopeSignature)) then
      raise Exception.Create('Encrypted request is required');
  finally
    aStream.Position := pos;  // rewind so the SDK processes the stream from where it started
  end;
end;

Please retest this example with envelopes included and excluded on the client side.

Thanks again, I am starting to understand what is going on.

Is the URL hidden when the client sends an AES call?

A typical URL is http://host:port/path .
You can change the port (8099 by default) and/or the path (bin by default).
It is also possible to work without a hardcoded path.
In this case, you need to implement OnCustomResponseEvent.

See more at Using OnCustomResponseEvent in a ROSDK Server.

In this event you can check the incoming stream and, depending on some condition, allow or disallow processing it.

For example, you can have the condition: the envelope marker should be the same as the path.
You read the envelope marker from the stream and compare it with the path.

From Message Envelopes: Wire Specification, you know:

Each envelope will add the following preamble to messages as they are enveloped:

  • 5 ASCII characters ROENV as a marker.
  • The envelope marker, as a 1-byte binary length, followed by the UTF-8-encoded envelope name (maximum of 255 characters). The length byte indicates the number of bytes, not UTF-8 characters.

So you can easily implement this check.
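As an added illustration (not code from this thread or from the RemObjects SDK), here is a small Python parser for the preamble described above. It recognises the ROENV marker with its length byte and UTF-8 envelope name, treats a stream beginning with RO107 as unprotected (the thread names RO107 as the header of an unprotected stream; that it occupies the first five bytes is an assumption here), and applies the two server-side policies discussed in the thread: reject anything that is not enveloped, and optionally require the envelope marker to equal the request path. Truncated or malformed preambles are rejected rather than passed through. All sample streams are constructed for the example.

```python
"""Classify the preamble of an incoming RemObjects SDK message stream.

Added example; the constants reflect the thread's wire description, the
sample streams below are constructed and not real captured traffic.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ENVELOPE_SIGNATURE = b"ROENV"  # 5 ASCII bytes marking an enveloped (protected) stream
BINARY_SIGNATURE = b"RO107"    # header the thread reports for an unprotected binary stream
                               # (assumption: it sits in the first 5 bytes)


@dataclass(frozen=True)
class Preamble:
    kind: str                     # "protected", "unprotected" or "unknown"
    envelope_name: Optional[str]  # envelope marker for protected streams
    payload_offset: int           # where the message body starts (0 if unknown)


def parse_preamble(stream: bytes) -> Preamble:
    """Parse ROENV + 1-byte length + UTF-8 name; anything malformed is 'unknown'."""
    if stream.startswith(ENVELOPE_SIGNATURE):
        sig_len = len(ENVELOPE_SIGNATURE)
        if len(stream) < sig_len + 1:
            return Preamble("unknown", None, 0)  # no length byte present
        name_len = stream[sig_len]               # counts bytes, not characters
        name_bytes = stream[sig_len + 1:sig_len + 1 + name_len]
        if len(name_bytes) != name_len:
            return Preamble("unknown", None, 0)  # name truncated
        try:
            name = name_bytes.decode("utf-8")
        except UnicodeDecodeError:
            return Preamble("unknown", None, 0)  # not valid UTF-8
        return Preamble("protected", name, sig_len + 1 + name_len)
    if stream.startswith(BINARY_SIGNATURE):
        return Preamble("unprotected", None, len(BINARY_SIGNATURE))
    return Preamble("unknown", None, 0)


def accept_request(stream: bytes, expected_marker: Optional[str] = None) -> bool:
    """Server policy from the thread: only enveloped requests are processed.

    With expected_marker set, the envelope name must also equal it, which is
    the 'marker equals path' rule suggested for OnCustomResponseEvent.
    """
    preamble = parse_preamble(stream)
    if preamble.kind != "protected":
        return False
    return expected_marker is None or preamble.envelope_name == expected_marker


def build_preamble(envelope_name: str) -> bytes:
    """Produce the preamble a client-side envelope would prepend (for test data)."""
    name = envelope_name.encode("utf-8")
    if len(name) > 255:
        raise ValueError("envelope name exceeds 255 UTF-8 bytes")
    return ENVELOPE_SIGNATURE + bytes([len(name)]) + name


# Constructed samples: an enveloped request, a plain binary request, and the
# kind of junk a scanner might POST to the endpoint.
PROTECTED_SAMPLE = build_preamble("AES") + b"\x00\x01\x02"
PLAIN_SAMPLE = BINARY_SIGNATURE + b"\x00\x01"
PHP_SAMPLE = b"<?php echo 'probe'; ?>"


if __name__ == "__main__":
    for label, sample in (("protected", PROTECTED_SAMPLE),
                          ("plain", PLAIN_SAMPLE),
                          ("php", PHP_SAMPLE)):
        print(label, parse_preamble(sample), "accept:", accept_request(sample, "AES"))
```

Run as a script it prints the classification of each sample; the point to notice is that the PHP probe from the original question is "unknown" and is never accepted, so rejecting it at this stage (before any deserialisation) is the cheap, early check the thread recommends, while the HTTP layer may still answer 200 unless the event raises.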