Currently I am facing a security issue related to Website Sniper Corporation
to turn of Server Signature due to which my Server Technology is visible.
Related
Webpagetest offer a hosted service, but they dont support the countries I need to test.
I was going to setup WPT on a VPS linux server in the target country, but I cant find any installation instructions for the "client", only the server. There are some tutorials which use a local PC as a client, but this is not an option for us.
The question is can a linux server be both the server and client (so no other SW is needed) to test a page?
Found the answer here:
https://github.com/WPO-Foundation/wptagent/blob/master/docs/install.md
It DOES support linux as agent (as well as server).
I'm looking after a bit of server hardening for PCI DSS and can remove the headers from IIS no problem for standard sites but my compliance scanner is reporting (correctly) that port 8172 for MS Web deployment of packages is announcing the IIS/10 server header and that's a PCI compliance fail.
I've tried manually adding a URL Rewrite rule in C:\Windows\System32\inetsrv\config\administrator.config but that hasn't worked.
There don't appear to be any settings for controlling the WMSvc, Management Service whatever you want to call it.
Just asking in case anyone else has found the magic setting.
I know I could disable webdeploy between uses, firewall it or even not use it but I'm sure there must be an answer given how trivial it is!
Thanks
I am trying to get HTTPS/SSL to work with linux devices running on an internal network at customers.
I am developing a website that needs to communicate with a linux device running as our customers to give access to physical devices like printer and scanners. This worked fine until Chrome updated their security which means that we cannot use the application cache anymore unless we are running HTTPS. This forces us to communicate with the linux device via HTTPS also, but we only have self signed certificates for the devices and these are rejected in the browser.
I have been trying to figure out a way of getting this to work without having to manually install certificates on the customer devices. One of the ideas of our product is that it can be used on all devices without installation.
So far I have had no luck in figuring out a way to get around the security in the browser, or setting up certificates in a way where the browser doesn't reject them.
Our website is running Angular and I have tried using the Request package where it should be possible to disable rejection of invalid SSL certificates but no luck.
I have considered using websockets but as the initial handshake will be done using a HTTPS request I expect this won't work either as the handshake cannot be done without the browser failing over the certificate.
I have also been in contact with GlobalSign that just confirmed everything I have read so far, that this can only be solved by installing a chain of trust on the devices that need to access the linux devices over the internal network.
So what I am looking for is any alternative way of communicating with the linux device that will work while the website is running HTTPS. Or some way of getting valid certificates for the linux device that won't be rejected by the browser.
How do the other devices see this website? By a pubic hostname? By private non-FQDN host? If the other devices see the website as any valid FQDN hostname, then you can issue a free LetsEncrypt SSL for that host, and use internally (once issued).
I am trying to implement linking of the desktop app to the mobile counterpart for my project. The assumption is that the mobile app is secure and the desktop app simply needs to link the session to mobile for convenience.
In my research I came across the QRLjacking exploit. It is a social engineering exploit that isn’t much different from getting users to reveal their passwords.
The interesting thing is that Signal app does not appear to be vulnerable to QRLjacking exploit, despite the fact that they too link the desktop to mobile via QR code.
I am trying to figure out what is the secret sauce the Signal applies. Luckily, the code is here: https://github.com/signalapp/Signal-Desktop
Based on my analysis, here is what I think they do:
The user registers mobile device. The device sends signed pre-keys
to the Signal server
The user can chat with other Signal users using the end to end encrypted protocol, but what is more interesting to me is how they prevent QR vulnerability when linking to desktop.
User installs the desktop app. First thing to note is that it is a JavaScript app packaged using electron. This makes it difficult to use in social engineering techniques. The installation package can be signed and verified to be trusted.
Upon installation, the desktop app generates the pre-keys and sends them to the server.
The desktop uses its own public key to check with the server if it is linked to mobile. If not, proceed to step 6.
Send the public key to the server under a UUID key. The server stores it. The UUID is used for QR code.
The user lifts up his mobile device and scans the QR code with the signal app.
The mobile app uses the QR code to download the desktop app's public key.
The mobile app sends an encrypted confirmation message to the desktop app, which the desktop app verifies using it's private key.
The desktop app app asks the user to name this desktop app, typically this is the name of the host it is running on. The desktop app sends this message to the mobile (encrypted, of course).
On the mobile, the linked device now shows up. At any time the user can remove the linked device, which becomes immediately known to the desktop.
I do not believe the server is used to retain messages at all. I think the desktop synchronizes with mobile on-demand.
In summary, the QRLjacking exploit is mitigated by Signal in the following manner:
The app is not browser-based and is instead installed. The installation package can be signed and verified with a certificate.
The desktop app can also securely store keys locally, not on the server. That makes it difficult to pursue a social engineering attack since that would require physically taking over the machine the desktop app is running on.
Is my analysis correct?
Am developing a firewall application that is suppose to restrict website/protocols/webs directories system wide that i choose
for example
restrict login.domain.com, but not domain.com
restrict domain.com/passport not domain.com
restrict .tld types e.g .org
pls give me some ideas?
[edit]
Am developing on the windows plat form , from win 2000 to win7, using any vb language vb6 upwards also i want to be able to block any protocol http ftp etc.
You probably want to investigate developing a SOCKS proxy, this is capable of filtering all protocols. Other avenues you could pursue include developing a Winsock LSP or writing your own routing software (like ISA Server).
You'll be hard pressed to do it in Visual Basic 6 or VB .NET however.