I have a fairly simple inline IPS set up that is using Snort as the detection system. I was wondering if it is possible with Snort to redirect a user that tries to view a URL that is on a disallowed list.
I'm subscribed to the Snort live-updated/most recent database and it is working and giving me alerts, but the only thing I have seen so far on the topic of redirections is to go:
Malicious attack -> Snort recognizes attack -> redirected to honeypot, and not:
User on LAN -> snort recognized disallowed site -> redirects to xyz page
You can use Snort's replace keyword in a rule to replace the disallowed URL with a URL of your choosing. The only qualifications when using the keyword is the new text must be the same length as the previous text.
You can also use the react keyword to respond with an html page of your choice, but that will block the connection too.
Related
In March of 2018 Facebook began requiring "Strict Mode" for redirect URIs. This means any redirect URI needs to be known in advance, and added to your app's profile (Valid OAuth Redirect URIs). The problem is when the redirect URI contains a dynamic parameter, like a state variable, guid, or user id, etc.
The answer I have found on many websites is that you can hold dynamic state in a "state" parameter. So if your allowed redirect uri is "www.example.com/signin" then this will also allow "www.example.com/signin?state=12344". However, this seems to be no longer allowed. The state parameter no longer seems to be ignored by this strict rule - it fails validation (there is a valid url checker on your facebook app settings page). To test this, I simply put "a.com" in the allow uri field, and "a.com?state=x" in the Redirect URI Validator, and it fails. Without the ?state-x it succeeds. What am I missing?
So I have two questions:
1) First, how to I find out what redirect url my app is actually sending to FB? I can't sniff my traffic since it's https (also required now by fb). I think I know what it is (https://www.example.com/signin-facebook?state=xxxxxx) but I can't be sure and there is no way to verify. The logic that calls FB is wrapped up in the MS Identity library.
2) Second, if it's the state parameter that is causing my login fails, is there any way to disable that in my ASP.NET Core app, or allow it in FB?
Just to clarify, here are two images showing that without the state parameter, the url is valid, but adding the state parameter makes it an invalid URL. Clearly the 'state' parameter is not being ignored by this strict rule checker, as many people have claimed. If I add the state param url to the list of allowed urls, it works but only with that exact state value, not with any different value.
The state parameter is dynamic to begin with (or at least it should be, because its original purpose is CSRF protection), so it is not taken into account when the URL is checked for a “strict” match to the one you have configured.
If you want to use
https://www.example.com/signin-facebook?state=xxxxxx
then configure
https://www.example.com/signin-facebook
as your Valid OAuth Redirect URI.
If you have other (static!) parameters besides the dynamic state, then those must be input into the field as well. You want to use
https://www.example.com/signin-facebook?action=foobar&state=xxxxxx
then the URL in your settings needs to be
https://www.example.com/signin-facebook?action=foobar
And since, as mentioned, the original purpose of this parameter is CSRF protection, it might still be a good idea to add a “random“ component to it, if the actual value you are trying to transport via it is “guessable”, or from a limited range of pre-defined values only.
In that case, I would probably go with an encoded JSON object as the parameter value -
state={"mystate":"foobar","random":8473628}
(Don’t forget to apply proper URL encoding, if your system doesn’t do that automatically.)
In golang, is there a way to pipe a variable to part of a web form?
For example, sending "123 Random St." to the Street address part of https://www.dominos.com/en/pages/order/#/locations/search/ and so on? I found pizza_party*, but the GUI used is no longer available, I have also found pizzadash**, but this uses a credit card where I want to use cash. I even found a list of golang ones, but the links that they use doesn't work anymore.***
Therefore, my goal is so: order a pizza in golang through the dominos website API!
NOTE: Please suggest a package or function with example!
NOTE: I do not want to make a web scraper/data getter.
NOTE: Your answer must work on at least one box of my linked website.
NOTE: I want to fill out links similar to the provided link from the linux command line.
*https://github.com/coryarcangel/Pizza-Party-0.1.b
**https://github.com/bhberson/pizzadash
***https://golanglibs.com/top?q=pizza
This is how you post any form values onto an online form. Provided you know the POST endpoint of the service.
func main():
resp, err := http.PostForm(targetPostUrlHere,
url.Values{"Service_Type": {"Delivery"},
"Address_Type_Select": {"House"},
"Street": {"123 E 24th St"},
"Address_Line_2": {"4D"},
"City": {"New York"},
"Region": {"NY"},
"Postal_Code": {"10027"}})
}
**Note: The field keys and values are guesstimates. You must inspect the actual key names expected in the form.
In your case, https://www.dominos.com/en/pages/order/ is an endpoint for the form page. Once the form is filled and submitted, the information is submitted using POST method akin to the code afore-mentioned to a dedicated CREATE endpoint (C in the CRUD), which normally can be found in the <form> html tag.
<form action="posttargetendpoint" method="POST">...</form>
Once the POST operation is successful, usually a web service would redirect you to another page. In your case, it is https://www.dominos.com/en/pages/order/#/section/Food/category/AllEntrees/
However, any good web service wouldn't expose the POST endpoint in the clear since it is the vulnerable point of attack. You're welcome to find out by inspect he Domino's page source and adjust the field values in the Go code accordingly.
Now to make a command line prompt to wrap around the PostForm code, I suggest you look into https://github.com/codegangsta/cli which is a very nice package for creating quick command line app.
I assume you mean pipe information originating from your backend to another site on behalf of a user?
The standard way of passing information between domains is via HTTP params, usually via a GET request, but this capability would need to be supported by established protocols the remote site. You can also use an iframe to embed the page of another site onto your page, however, you wouldn't be able to remotely interact, call JS code, or even query the page at all. Cross-domain security safeguards justifiably prohibit such capability, and generally speaking, interacting on behalf of the user via their browser is also restricted for security reasons.
However, if you're looking to emulate user behavior such as with a bot or web scraper from your own host or browser then that's a different story. There are tons of frameworks provide rich capability for interacting with a page. I'd recommend checking out Selenium, which acts as a virtual browser. There are also tons of libraries in Python for processing data from HTML and structured data. You might want to check out Beatiful Soup and Scrapy.
Hope this helps.
As part of a session security feature I am checking $ENV{REMOTE_ADDR} to make sure the users IP is the same during the whole stay on a website.
Some parts of the website show a waiting screen, if for example the rendering of a file takes some seconds, and I redirect the user to a result screen by the use of a meta tag <meta http-equiv="refresh" content="$time; URL=…">.
Unfortunately after this redirect the $ENV{REMOTE_ADDR} variable does not return the users IP but the one from the server.
Is there something I am missing to get this to work properly and/or are there alternatives I could use to redirect the user?
For various reasons htaccess or http-header redirects are not an option and I don't want to use JavaScript for this.
I am already using a 'click me' button to allow the user to manually skipping the wait.
You could try to alter between temporary/permanent type of redirect. Check in server logs, the the http code is 301 or 302?
I misread the accesslogs … it was actually a different script executed on the server, therefore having the servers IP, which caused all this.
My main javascript (and so all the static content) is included from https://static.anuary.com. The URL that user is browsing is https://dev.anuary.com/somepath/.
Where does the channel file need to be, dev.anuary.com or static.anuary.com? At the moment it is http://static.anuary.com/channel.html.
I am asking because I am still getting the error that says:
Unsafe JavaScript attempt to access frame with URL
https://www.facebook.com/dialog/oauth?access_token=[..]&api_key=[..]&app_id=[..]&client_id=[..]&display=popup&domain=dev.anuary.com&locale=en_US&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D6%23cb%3Df3ac7a0544%26origin%3Dhttp%253A%252F%252Fdev.anuary.com%252Ff373e908a8%26domain%3Ddev.anuary.com%26relation%3Dopener%26frame%3Df312def42c&response_type=token%2Csigned_request&scope=email%2Cuser_birthday%2Cuser_likes%2Cuser_interests%2Cpublish_stream&sdk=joey
from frame with URL
http://dev.anuary.com/658fe23c24564ac978c31d167549c4ce8b36686d65a78ad99bfb38765d46e232/.
Domains, protocols and ports must match.
In response to #dtbarne:
Well, that's the thing – I still don't know, because I've tried bowth ways and any in case it produces the same error:
Unsafe JavaScript attempt to access frame with URL
https://www.facebook.com/dialog/oauth?access_token=[..]&api_key=[..]&app_id=[..]&client_id=[..]&display=popup&domain=dev.anuary.com&locale=en_US&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D6%23cb%3Df1ee31b93%26origin%3Dhttp%253A%252F%252Fdev.anuary.com%252Ff9359b2f%26domain%3Ddev.anuary.com%26relation%3Dopener%26frame%3Df18e94f9c4&response_type=token%2Csigned_request&scope=email%2Cuser_birthday%2Cuser_likes%2Cuser_interests%2Cpublish_stream&sdk=joey
from frame with URL
http://dev.anuary.com/658fe23c24564ac978c31d167549c4ce8b36686d65a78ad99bfb38765d46e232/.
Domains, protocols and ports must match.
As you said yourself, this error is not fatal, and is meant is a warning to the user that something fishy might be happening.
Facebook also marked this issue as By Design in their bugs system: Bugs > Unsafe JavaScript attempt to access frame with URL....
Also, there are plenty of threads here on stack overflow about this, for example: Facebook Authentication - Unsafe JavaScript attempt to access frame with URL.
Now that we know that this "error message" is unavoidable, use the channel as you wish, as long as everything works for you.
You don't even need to use the channel, as it states in the documentation:
The channelUrl parameter is optional, but recommended. Providing a
channel file can help address three specific known issues. First,
pages that include code to communicate across frames may cause Social
Plugins to show up as blank without a channelUrl. Second, if no
channelUrl is provided and a page includes auto-playing audio or
video, the user may hear two streams of audio because the page has
been loaded a second time in the background for cross domain
communication. Third, a channel file will prevent inclusion of extra
hits in your server-side logs. If you do not specify a channelUrl, you
can remove page views containing fb_xd_bust or fb_xd_fragment
parameters from your logs to ensure proper counts.
But it also states that:
The channel file addresses some issues with cross domain communication
in certain browsers.
So it's up to you to decide.
I personally recommend to use the channel and to serve the file from your regular server and not from the static servers.
You should however set the output to have a long caching expiration date so that your server won't get a lot of requests for this file, as they mention in the JS SDK documentation page:
<?php
$cache_expire = 60*60*24*365;
header("Pragma: public");
header("Cache-Control: max-age=".$cache_expire);
header('Expires: ' . gmdate('D, d M Y H:i:s', time()+$cache_expire) . ' GMT');
?>
<script src="//connect.facebook.net/en_US/all.js"></script>
(php example, but can be done with any language).
Hope this answers clarifies things for you.
Sounds like you know the answer already. It has to be on dev.anuary.com. The purpose is to allow for communication between FB and the URL the user accessed.
The channel file should be places on the server / address the user visits, as the channel file is used to fix some cross-site javascript errors. If the user is always accessing your website using HTTPS, then you should reference the channel file using HTTPS as well as any other content.
The channel file itself should stay as <script src="//connect.[..], but make sure all your static content and JS Includes all have https in them.
I want to post some data to the server, and in response, I want to create a CSV file, with application/excel as the MIME Type (recently recognized as Internet Media Type), to force the browser to open the generated CSV file in Microsoft Excel. However, I also want to prevent user from re-submitting the same info (re-posting the form) by any accident as the result of refreshing the page.
With simple CRUD operations, I use Post/Redirect/Get pattern, so that any further refreshing will only send HTTP Get Request to the server, without any parameter, thus not changing server's state (Idempotence).
What is the recognized pattern for stopping user from re-submitting (re-posting) the same info to the server, when the response is not a page, but a file?
Any idea?
The Post/Redirect/Get pattern is an answer to a browsing event.
Here, there is no browsing action (the form submission only open a 3rd party app, i.e excel), and so any kind of browsing related pattern will be useless.
I suggest you use both a server side trace of the initial submission (with a unique token maybe), so you can prevent the file generation, and an easy to write client side script like <form onsubmit="this.onsubmit = function(){ return false ; }">
I can offer you one other solution.
Take hash (MD5/SHA256 ..) of your submitted data. The hash will be [fairly] unique.
Put it in list in a session with a time limit, say 5 minutes.
Even your user submit same data. Hash will be same and you can give error message to your user.
If different users can post same data, you can also hold user information in the list. And give error message according to user.