USB token for Java Desktop Application

I would like to integrate the use of a USB token in a JavaFX application that my customers use on a computer I send them. This JavaFX application interacts with a Java/Spring back end (client-id/secret). I need this secure element for a few reasons, but mainly because I want to avoid the situation where a user would clone the application onto another computer and use two instances at the same time.

Is there a way to integrate the secure element without interfering with the current client/server communication? Basically I would rather not change anything in my Spring back end, and integrate this authentication method separately. I started my research and I am thinking of hosting a WebAuthn server and making my app communicate with it. What do you think about that way of doing it? Thanks a lot for your help!

Which has to handle a certificate: a website, a web server or a web application?

On the web, what is a certificate issued to: a website, a web server or a web application?

For example, when I run a web application on Nginx, an article shows how to configure Nginx to support HTTPS and certificates.

  • I was wondering whether a web application has to be implemented to support HTTPS and certificates? (I hope not, because that would make web application development simpler.)

  • A web server can host multiple websites, so I was also wondering whether the configuration of Nginx and the certificate are at the web server level or the website level?

Thanks.

Internal use of application

I’m developing an application over an intranet and it is used only by internal employees. There wouldn’t be any external parties involved here and no external communication would be used by the application.

Question: Does it need secure software design in this case? If so, will it be enough to follow the OWASP guidelines?

SQLMAP with single URL application

I have a local application which will be accessible only after login. It’s a single-URL application: the URL of the application won’t change; it just uses ‘XMLHttpRequest’ to refresh the content of the screen based on the action and other parameters.

The database used is shown below:

[root@localhost ~]# mysql -q
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Server version: 5.5.64-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

One of the ‘XMLHttpRequest’ calls has a SQL injection issue, and the ‘sorters’ field is the one affected: for example, if we add (‘) in the ‘ASC’ field then the page shows a 500 error. To reproduce it, I am using Burp Suite Community Edition to intercept the request and feed it to SQLMAP using a file.

SQLMAP is not able to inject the SQL in this API call; what am I doing wrong here?

Request details

Name: http://10.20.100.200/test/api/?aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q&action=management&which=overview&_dc=1580104578032&sort=account_name&dir=ASC&sorters=%5B%7B%22field%22%3A%22account_name%22%2C%22direction%22%3A%22ASC%22%7D%5D&start=0&limit=18
Protocol: HTTP
Method: GET
Result: 200
Content type: application/json
Received: 1.29 KB
Time: 677.42 ms
Initiator: XMLHttpRequest

Request headers:

Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: Keep-Alive
Cookie: client_time=1580129655.074; check=1; aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q; bid=4memnc2vdi7pj7i56q5sopu5gbspba99; cid=daSGjWTD0bQ8ZLCNRG4tA1090ddBYYPatzexNHrf4qy4FwB4CcvymjISadYw9Quh
Host: 10.20.100.200
Referer: http://10.20.100.200/test/
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
X-Requested-With: XMLHttpRequest
Connection: close

request.txt to feed SQLMAP (an asterisk (*) is placed at ASC in the sorters field):

GET /api/?aid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q&action=management&which=overview&_dc=1580104578032&sort=account_name&dir=ASC&sorters=%5B%7B%22field%22%3A%22account_name%22%2C%22direction%22%3A%22ASC*%22%7D%5D&start=0&limit=18 HTTP/1.1
Accept: */*
X-Requested-With: XMLHttpRequest
Referer: http://10.20.100.200/test/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 10.20.100.200
Cookie: client_time=1580129655.074; check=1; uid=E5xr3iOOg8sI1o4Zl1URZ4ytFlAdVTy9AMEiVjC6HhMBVwCkQgee160WtRYidV8Q; sid=4memnc2vdi7pj7i56q5sopu5gbspba99; vid=daSGjWTD0bQ8ZLCNRG4tA1090ddBYYPatzexNHrf4qy4FwB4CcvymjISadYw9Quh

SQLMAP command for SQL injection:

sqlmap.py -r C:\Users\Documents\request.txt --dbs --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,percentage,randomcase,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes 

SQLMAP output:

[00:34:56] [WARNING] URI parameter '#1*' does not appear to be dynamic
[00:34:57] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[00:34:58] [INFO] testing for SQL injection on URI parameter '#1*'
[00:34:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:35:06] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[00:35:06] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[00:35:08] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[00:35:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[00:35:13] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[00:35:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[00:35:16] [INFO] testing 'MySQL inline queries'
[00:35:17] [INFO] testing 'PostgreSQL inline queries'
[00:35:18] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[00:35:18] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[00:35:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[00:35:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[00:35:33] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[00:35:39] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[00:35:46] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[00:35:52] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[00:37:07] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:37:20] [WARNING] URI parameter '#1*' does not seem to be injectable
[00:37:20] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests
[00:37:20] [WARNING] HTTP error codes detected during run: 403 (Forbidden) - 1 times, 400 (Bad Request) - 578 times, 414 (Request-URI Too Long) - 235 times

Am I doing anything wrong here, and why is SQLMAP not able to inject the SQL vulnerabilities? I have tried with the --level 3 --risk 3 options as well, but to no avail.

How to resolve the Format String Error alert in OWASP ZAP for a web application (ASP.NET C#)?

I have a web application with a login page. In the login page, I’ve set maxlength for the username input and the password input, which looks like the code below.

@Html.TextBoxFor(m => m.Username, new { @maxlength="30"}) 

When I run OWASP ZAP, it gives me an alert with the following description.

A Format String error occurs when the submitted data of an input string is evaluated as a command by the application.

Potential Format String Error. The script closed the connection on a /%s

But when I remove @maxlength="30", the alert goes away.

I’ve been trying to find the remediation for this alert, but I’ve read that Format String vulnerabilities don’t really exist in C#: Do format string vulnerabilities exist in C# or Java?

Is it just a “potential” error and nothing to worry about because it’s in C#? Or, if this is something that needs to be taken care of, what can be done to resolve this alert from OWASP ZAP? (I believe removing @maxlength is not a solution.)

Does a DDOS attack on an application using CDN have to first bring down all the involved CDN servers to affect the application’s availability?

CDNs are said to absorb and mitigate Denial of Service and DDOS attacks. Consider an application that uses a CDN provider to deliver its content. So if an attacker tries to bring down such an application using DOS or DDOS, the flood of requests made during such an attack will go to the CDN servers. Will such a DDOS attack have to completely bring down all the CDN servers serving this application’s content before impairing the origin server completely?

.NET application protection technique against cracking

I’m trying to protect my software against cracking. Protection against cracking is crucial before listing the product on market.

Info about the software:

  • Built using .NET C# (Framework 4.5.2)
  • WinForms
  • 32 bit

I have made several protection layers:

  • Obfuscation, renaming, anti-debugging
  • Encrypted communications between software and API server (RSA), public key hard-coded
  • The client will generate temporary AES keys and encrypt them with the server public key, then send them to the server. The server will decrypt the data with its RSA private key and respond with new AES keys encrypted with the ones provided by the client in the first request. Then any communication from client to server will be signed by the server RSA public key and encrypted by the AES keys provided by the server.

  • Verify library integrity by requesting the library checksums from the API and comparing them.

And the most important part is that the application will once request “custom data” from the API server and store it in memory, to be used by internal software functions. When a function in the application is called it will use the “custom data” as input, so there’s no way for the software to operate correctly without having the “custom data”.

The API server provides the “custom data” after verifying software activation code and machine unique ID.

The question is:

  • With all of these layers, can the software be cracked?
  • Can the custom data layer be bypassed?
  • If a cracker bypasses the protection layers up to the “custom data” part, is it possible to clone the software together with the “custom data”, meaning the software can operate without needing to request the custom data from the API?

What I mean by custom data is making the software hybrid: it always needs data from the API to function.

I am counting on the “custom data” protection layer.

Please let me hear your recommendations. Thanks a lot.

Required a simple guide for secure messaging application

For my personal research I have to create a messaging app, but security is the only important part of the application: security from MITM (man in the middle attack), at the device end, and at the server level. (Note: this will not be end-to-end encryption, as I want to back up messages on the server for cross-device access, like Telegram.)

Right now I have created the following model:

  1. The server creates an RSA key pair the first time at installation, keeps the private key in a file on the server, and broadcasts the public key to its clients (A, B).
  2. A and B also create an RSA key pair at first login, store the private key at the device level and send the public key to the server.
  3. Now A wants to send a message to B; A will do the following steps:

    create a random salt_key;
    encrypt the message with this salt_key (AES);
    encrypt the salt_key with the server’s public key (RSA);
    send the RSA-encrypted key and the AES-encrypted message to the server;
    now the server can decrypt the salt_key with its RSA private key and then the message;
    now the server will do the same as A did, but with B’s public key;
    and B will decrypt the salt_key with its private key, then decrypt the message.

Is this a secure way, or is there another way to secure my messaging app?

Thanks,

jaikey

OpenID Connect with Authorization Code Flow and PKCE – How should we get a new access token in a SPA application?

As answered in this question, Single Page Applications shouldn’t be given a refresh token with the OIDC Authorization Code Flow.

Can you indicate some way of getting a new access token when it expires (without interrupting the SPA UX state, i.e. no redirects…)?

If the use of refresh tokens were the only solution, what are the ways we can minimize the risk of leakage? E.g., is storing it in the browser’s session storage safe enough? Do IdPs provide some form of refresh_token expiration, etc.?

Prevent an application from making any network access on macOS

I want to run an application on macOS, but prevent it from making any type of network access, or any type of internet access.

I have seen the following possibilities:

  • Use the built-in firewall. Unfortunately, this blocks only inbound connections, not outbound.

  • I have seen Little Snitch. However, it feels uncomfortable from a security standpoint to install closed-source software on my system that has such deep access to everything I do.

Ideally, I would like to do that myself. Is it possible to restrict an app’s access to network resources on macOS? Maybe start it in a sandbox mode somehow?

Thanks!