Filter X-Forwarded-For Apache

The XFF HTTP field can be used to obtain the remote IP when a http server is located behind a reverse proxy. If the remote proxy does not clean the XFF field you can’t trust it. The worst is that this field can be used for injecting code in your website.

I’ve been a such issue in a security plugging logging and not filtering the remote IP field. As this one came from XFF, it was possible to inject javascript into the database remotely and execute that JS when displaying the dashboard of the “security” pluggin.

One of the option to solve this is to clean the XFF field (or reject the request when the XFF is not clean). This can be done with a simple configuration in the http config file (or htaccess)

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-For} !^$
RewriteCond %{HTTP:X-Forwarded-For} !^[0123456789.\ ,]{7,36}$
RewriteRule ^ - [L,R=404]

Here, empty XFF and XFF container anything else than numbers and some other char, lower than 7 char and higher the 36 chars will be rejected with a 404 as Last operation.

Is Sigfox really (in)secured ?

A recent publication analyzed the Sigfox protocol security, This is the most advanced work I’ve seen on this so it is interesting to go to some details about it. The author is Loïc Ferreira working for Orange Labs, Applied Cryptography Group at Caen,France. This report has been shared with Sigfox by the Author on August 2020.

In this post, I’ll not challenge any of the outcomes from Loïc as it is a serious researcher. What I want to do is to highlight this with the ability for someone to use this to make a successful attack against a device and in what conditions.

I love to say, in the security domain, that sometime, IoT attacks are like explaining how to destroy earth and humanity by changing the course of the moon to make that one crashing on its target: Theoretically it is possible, technically we could find ways to make is possible for an extraordinary cost. Practically speaking, the one doing it will also kills itself, so there is no big gain to expect.

So, let’s take a look to the different breaches reported on the publication…

Continue reading

Stop telling me Sigfox is clear payload, for real you’re just lazy ;)

The usual attack on Sigfox network is related to the “security”. Behind this large concept, for real, the only point is related to the use of clear payload over the air. As a consequence some are extending this to the possible replay after 2048 frames so regarding a standard use of Sigfox is will be about 6 month later…

That said, for real, all of this is just ignorance from these pseudo “security” experts and developer laziness. Don’t beat me for saying that, I’m part of the lazy developer, the only difference is I’m not complaining and I’m aware the solution is in my own hands.

Because, for real, the payload encryption exists as documented in the post I’ve published on May 2017 and detailed on the Feb 2017 technical security paper published by Sigfox or like in this document.

So saying the Sigfox is not proposing payload encryption is wrong and this option is also fixing any 6 months later message replay. It’s like saying WiFi is  not secured because you can create an open-network.

So now, let’s see why encryption is not the default option, why a network encryption standard is not the best option and then see how to stop to be a lazy developer and make encryption working.

Continue reading

ncrack – multi protocol password brute force attack by nmap

Ncrack is a new brute force tool made by nmap, it’s actually a alpha version but the product is really interesting to verify your password policies compliance and security. It support ftp, telnet, ssh, rdp … protocols.

Easy to use in command line, I only tested it with rdp, unfortunately with no success even knowing the password to be found. I assume it’s just an alpha bug. In my point of view the multi protocol implementation makes it an interesting tool for audit automation.


Faille WPS – nouvel outil : Reaver

Un nouvel outil permettant l’attaque de résaux wifi protégés par WPS est sorti. Son petit nom est reaver. Il permet de tester différentes clefs sous la forme d’une attaque de type brute force. La methode employé permet de résoudre cette attaque en un maximum de 11.000 tests, ce qui est très peu.

Continue reading

Installation de NeXpose et problème de langue

Quelques soucis pour installer NeXpose sous Windows et Linux… Le principal problème est que l’installeur ne fonctionne que si la langue du système est anglaise, du coup avant de lancer l’install sous Linux, tapez la commande suivante: export LANG=en_us.UTF-8
Ensuite sous Linux il faut absolument appeler la commande d’install avec ./NeXposeSetup-Linux64.bin et non sh ./NexposeSetup… Donc préalablement il faudra faire un chmod a+x ./NeXposeSetup-Linux64.bin
Enfin, pour ma part j’ai du préciser le chemin pour la jvm : ./NeXposeSetup-Linux64.bin -is:tempdir /home/xxxxx -is:javahome /usr/lib64/jvm/jre/

Bon courage !

Ref de l’erreur initiale:
This application requires a Java Run Time Environment (JRE)to run. Searching for one on your computer was not successful. Please use the command line switch -is:javahome to specify a valid JRE. For more help use the option is:help