A customer reported that there is an attempt by a hacker to access my webservice.
The hacker tried to send a PHP script to my webservice by HTTP POST and got a response 200.
My IIS webservice is protected by AES encryption (ROAESEncryptionEnvelope).
Should I be worried?
Also,
Is it possible that a PHP script is executed by my webservice?
The logging implies that the webservice accepted this script (according to the SA).
I forgot to mention that only the binary channel is used.
I think you can answer this question by yourself.
Open the Message Envelopes sample (C:\Users\Public\Documents\RemObjects Samples\RemObjects SDK for Delphi\Message Envelopes).
Update the TMessageEnvelopes_ClientMainForm unit as follows:
add uROBinaryMemoryStream to the uses section
add the ROChannel.OnReceiveStream event:
procedure TMessageEnvelopes_ClientMainForm.ROChannelReceiveStream(aStream: TStream);
var
  a: TROBinaryMemoryStream;
begin
  // Copy the raw stream received from the server into a binary memory
  // stream so its bytes can be dumped to the log in readable form.
  a := TROBinaryMemoryStream.Create;
  try
    a.CopyFrom(aStream, 0); // Count = 0 copies the whole source stream
    Log(a.ToReadableString);
  finally
    a.Free;
  end;
end;
launch both projects
[optionally] remove all envelopes from the client project
press Run Test Once with the envelope enabled on the server side and with it disabled:
I ran the example; my conclusion:
yes, you can send stuff to the webservice, but it's not processed on the server if you do not have the right security (AES etc.).
The only thing I do not understand is that, according to the SA, there was a response 200.
Message Envelopes are designed for protecting outgoing streams only.
If you want to process encrypted requests only, you can use the ROMessage.OnBeforeProcessIncomingEnvelopes event:
procedure TMessageEnvelopes_ServerMainForm.ROMessageBeforeProcessIncomingEnvelopes(aStream: TStream);
var
  a: TEnvelopeSignature;
  savedPos: Int64;
begin
  // Peek at the start of the incoming stream: an enveloped request begins
  // with the envelope signature. Anything else (including a stream too
  // short to hold the signature) is rejected before the message is processed.
  savedPos := aStream.Position;
  if aStream.Size >= Length(EnvelopeSignature) then begin
    aStream.Read(a, Length(EnvelopeSignature));
    if not CompareMem(@EnvelopeSignature, @a, Length(EnvelopeSignature)) then
      raise Exception.Create('Encrypted request is required');
  end
  else
    raise Exception.Create('Encrypted request is required');
  // Restore the position so the envelope processing reads from the start.
  aStream.Position := savedPos;
end;
Please retest this example again with envelopes included and excluded on the client side.
A typical URL is http://host:port/path .
You can change the port (8099 by default) and/or the path (bin by default).
It is also possible to work without a hardcoded path.
In this case, you need to implement OnCustomResponseEvent.
Each envelope will add the following preamble to messages as they are enveloped:
5 ASCII characters ROENV as a marker.
A 1-byte binary length, followed by the UTF-8-encoded envelope name (maximum of 255 characters). The length byte indicates the number of bytes, not UTF-8 characters.
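To make the preamble layout concrete, here is an added example (not RemObjects code and not from the thread) that builds and parses that preamble and applies the same gate the server-side event above implements: reject any incoming stream that is not wrapped in the expected envelope. The envelope name "AES" and the sample payloads are constructed for the example.

```python
import struct

ENVELOPE_MARKER = b"ROENV"  # the 5 ASCII marker characters from the description


def build_preamble(name: str) -> bytes:
    """Marker + 1-byte length + UTF-8 name, as the envelope writes it."""
    encoded = name.encode("utf-8")
    if len(encoded) > 255:
        raise ValueError("envelope name longer than 255 UTF-8 bytes")
    # The length byte counts UTF-8 bytes, not characters.
    return ENVELOPE_MARKER + struct.pack("B", len(encoded)) + encoded


def parse_envelope_preamble(data: bytes):
    """Return (envelope_name, payload_offset) or raise ValueError.

    A stream without the marker is a plain, non-enveloped request; a stream
    whose name field is cut short is treated as malformed rather than passed on.
    """
    if len(data) < len(ENVELOPE_MARKER) + 1:
        raise ValueError("stream too short to carry an envelope preamble")
    if data[: len(ENVELOPE_MARKER)] != ENVELOPE_MARKER:
        raise ValueError("no envelope marker: plain (unencrypted) request")
    name_len = data[len(ENVELOPE_MARKER)]
    start = len(ENVELOPE_MARKER) + 1
    end = start + name_len
    if len(data) < end:
        raise ValueError("truncated envelope name")
    return data[start:end].decode("utf-8"), end


def require_envelope(data: bytes, expected_name: str) -> int:
    """Server-side gate: the request must carry the expected envelope.

    Returns the offset at which the enveloped payload begins.
    """
    name, offset = parse_envelope_preamble(data)
    if name != expected_name:
        raise ValueError(f"unexpected envelope {name!r}, expected {expected_name!r}")
    return offset


# Constructed samples: an enveloped request and a plain one that must be refused.
ENVELOPED_REQUEST = build_preamble("AES") + b"<ciphertext bytes>"
PLAIN_REQUEST = b"<?php /* plain, unencrypted request */ ?>"
```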