Opened 3 years ago

Closed 3 years ago

#1763 closed enhancement (fixed)

I2P console security enhancement

Reported by: anonymous maybe Owned by: zzz
Priority: minor Milestone: 0.9.25
Component: apps/console Version: 0.9.24
Keywords: Cc:
Parent Tickets:

Description

There are several enhancements that should be implemented inside http://127.0.0.1:7657

I will mention the problems, the solutions, and references to read further.

1- X-Frame-Options header is not included in the HTTP response to protect against 'clickjacking' attacks

  • Solution

Most modern web browsers support the X-Frame-Options HTTP header. Ensure it is set on all web pages returned by the site. If you expect the page to be framed only by pages on your server (e.g. it is part of a FRAMESET) then you will want to use SAMEORIGIN; otherwise, if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers.

  • reference

https://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

https://www.owasp.org/index.php/Clickjacking

2- Turn off AUTOCOMPLETE for password fields inside:

http://127.0.0.1:7657/configclients

(Advanced Client Interface Configuration - Authorization)

and

http://127.0.0.1:7657/configui

(Router Console Password)

Solution and reference mentioned here: http://trac.i2p2.i2p/ticket/1762

3- Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server

  • more info

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=http://www.example.com/XSS

The X-XSS-Protection HTTP response header is currently supported by Internet Explorer, Chrome and Safari (WebKit).
NOTE that this alert is only raised if the response body could potentially contain an XSS payload
(with a text-based content type, with a non-zero length).

  • solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

  • reference

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

4- Private IP Disclosure. A private IP such as 10.x.x.x or 172.x.x.x or 192.168.x.x shouldn't be found in the HTTP response body. The information might be helpful for further attacks targeting internal systems.

  • IP found:

192.168.1.1

  • solution

Remove the private IP address from the HTTP response body. For comments, use JSP/ASP comments instead of HTML/JavaScript comments, which can be seen by client browsers.

  • Reference

https://tools.ietf.org/html/rfc1918

3- X-Content-Type-Options Header Missing

  • description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

  • further info

This issue still applies to error-type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern about browsers sniffing pages away from their actual content type.
At the "High" threshold this scanner will not alert on client or server error responses.

  • solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

  • reference

https://www.owasp.org/index.php/List_of_useful_HTTP_headers


Change History (6)

comment:1 Changed 3 years ago by zzz

  • Priority changed from major to minor

We do provide the headers for 1) and 3). Are you even testing? If they are missing on a particular page, please give the url.
2) Would be a pain for users that want it. They can disable autocomplete in their browser if they like.
4) That should only happen if you are local anyway. I don't see the problem here.
5) (labeled as another 3) is the only item worth looking into.

comment:2 Changed 3 years ago by anonymous maybe

We do provide the headers for 1) and 3). Are you even testing? If they are missing on a particular page, please give the url.

(1 and 3) X-Frame-Options header is not set and Web Browser XSS Protection is not enabled. URLs are:

2) Would be a pain for users that want it. They can disable autocomplete in their browser if they like.

Yeah, but the reason I suggested this is, in a theoretical/imaginary way:

Since I2P is a unidirectional connection, for a connection to happen it's like me, then X, then Y, etc., then the website, so let us put it this way:

ME-X-Y-Z-destination (website)-G-K-ME

If we assume that Y or any point is an attacking point which is used as a password collector on the moving traffic, then he will collect as many emails and passwords as possible. So that's why I suggested turning off this feature, even if the user is going to suffer typing things; but this is the old-days style of typing passwords, now there are KeePassX and similar tools which can save your 40-character password and you can copy/paste it with one click.

(But remember this is all theoretical, I don't have evidence. Though that doesn't mean it might not happen, and the only way, if you want to make sure whether this can happen or not, is someone who has expertise in I2P traffic and exploitation at the same time in order to do this attack.)

4) That should only happen if you are local anyway. I don't see the problem here.

Read the reference link: https://tools.ietf.org/html/rfc1918

5) (labeled as another 3) is the only item worth looking into.

Fixing it now, hehe, sorry, my mistake.

(Update: or it seems that I can't edit/fix the ticket.)

Last edited 3 years ago by anonymous maybe

comment:3 Changed 3 years ago by zzz

1) and 3) :

frame options and XSS are for html pages. 1 and 3-5 below do not apply. 2 is for the user to set up:

http://127.0.0.1:7657/ is a 302 redirect, not an html page
http://127.0.0.1:7658/ is the user's eepsite, to be set up as the user wishes, we can't predict what headers and options would be appropriate
http://127.0.0.1:7657/js/ajax.js is javascript, not html
http://127.0.0.1:7657/themes/console/classic/ieshim.css is css, not html
http://127.0.0.1:7657/themes/console/light/console.css is css, not html

2) None of your response addresses that it should be the user's decision in his browser setup

4) If you're insisting this is a problem, please provide URLs where this happens. It seems like you're just copy and pasting stuff spit out from some analysis tool. Anybody can do that. If you can't provide a little context, the actual URLs, and some solid justification then what's the point. The console is for administration. The person accessing it knows what the IP is and listing IPs on there, even RFC 1918 IPs, is not a security issue. Please understand what the console is for. Copy/paste of some general-purpose analyzer isn't always helpful.
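The applicability rule zzz states here (frame and XSS-filter headers matter only for rendered HTML, while nosniff belongs on every response, error pages included) and the reporter's item 4 check are easy to encode so that scanner output is triaged before it is filed. This is an added example, not I2P code: the sample responses are constructed from the URLs in this thread, and the header normalisation and the HTML content-type list are assumptions.

```python
import re

# Added example (not I2P's code). Header names are normalised to lower case;
# HTML_TYPES is an assumed list of content types a browser renders as a document.
HTML_TYPES = ("text/html", "application/xhtml+xml")

# RFC 1918 ranges proper: 10/8, 172.16/12, 192.168/16
# (narrower than the ticket's "172.x.x.x").
_RFC1918 = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b")

def find_private_ips(body):
    """RFC 1918 addresses in a response body (informational on a local admin console)."""
    return sorted(set(_RFC1918.findall(body)))

def triage_headers(status, headers, body):
    """Return only the header findings that actually apply to one response."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    findings = []
    # Frame and XSS-filter headers only matter for an HTML document a browser
    # will render: redirects, CSS and JavaScript produce no finding here.
    if 200 <= status < 300 and ctype in HTML_TYPES and len(body) > 0:
        if "x-frame-options" not in h:
            findings.append("missing X-Frame-Options")
        if not h.get("x-xss-protection", "").strip().startswith("1"):
            findings.append("X-XSS-Protection not enabled")
    # Anti-MIME-sniffing applies to every response, 4xx/5xx pages included.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings

# Constructed sample responses modelled on the URLs discussed in the ticket.
SAMPLES = {
    "http://127.0.0.1:7657/": (302, {"Location": "/home", "Content-Length": "0"}, ""),
    "http://127.0.0.1:7657/themes/console/light/console.css":
        (200, {"Content-Type": "text/css"}, "body { color: #000; }"),
    "http://127.0.0.1:7657/configclients":
        (200, {"Content-Type": "text/html; charset=UTF-8",
               "X-Frame-Options": "SAMEORIGIN",
               "X-XSS-Protection": "1; mode=block"},
         "<html><!-- bind 192.168.1.1 --><body>config</body></html>"),
}

def triage_all(samples=SAMPLES):
    """Map each sampled URL to the findings that survive the applicability rule."""
    return {url: triage_headers(s, hd, b) for url, (s, hd, b) in samples.items()}
```

Run against the samples, only the nosniff finding survives on all three URLs, which matches the one item the thread agreed to fix.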

comment:4 Changed 3 years ago by anonymous maybe

Yeah, I do agree with you, because even if all the reports were correct they are still considered minor.

4- URLs

http://127.0.0.1:7657/configclients

http://127.0.0.1:7657/confignet

And the URLs for number 5, I don't think you are going to need them because they are almost everywhere.

comment:5 Changed 3 years ago by zzz

  • Milestone changed from undecided to 0.9.26
  • Owner set to zzz
  • Status changed from new to accepted

nosniff background: https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx

https://htaccess.wordpress.com/2009/09/22/x-content-type-options-nosniff-header/

There's a lot of places to add the header, and will need testing in several browsers.

comment:6 Changed 3 years ago by zzz

  • Milestone changed from 0.9.26 to 0.9.25
  • Resolution set to fixed
  • Status changed from accepted to closed

In 9a1afcdb60287670ec54d464eca359d05b26a39f to be 0.9.24-9
