Hazi’s Bachelor Thesis - STOP Layer 7 attacks now!


Comments

  • tentortentor Member, Host Rep

    @FlorinMarian said: May I have a screenshot, please?

  • FlorinMarianFlorinMarian Member, Host Rep

    @fatchan said:
    Thanks chatgpt

    At least this bot won't pass.
    I also tried to use ChatGPT to generate SVG images, it's stupid from this point of view.

  • FlorinMarianFlorinMarian Member, Host Rep

    @tentor said:

    @FlorinMarian said: May I have a screenshot, please?

    This is at least strange, because it won't even redirect you to HTTPS.
    Can you try to manually use https instead of http, please?

  • fatchanfatchan Member, Host Rep

    @FlorinMarian said: At least this bot won't pass.

    It won't pass with the correct answer?

    Thanked by 1adly
  • FlorinMarianFlorinMarian Member, Host Rep

    @fatchan said:

    @FlorinMarian said: At least this bot won't pass.

    It won't pass with the correct answer?

    Either I don't know enough English or ChatGPT didn't even recognize a helicopter.

    Thanked by 1Marx
  • tentortentor Member, Host Rep
    edited November 2023

    @FlorinMarian, HTTP redirect works fine but not HTTPS endpoint (:443 port seems to silently discard my connection)

    * SOCKS5 connect to hazi.ro:80 (remotely resolved)
    * SOCKS5 request granted.
    * Connected to 88.218.206.128 (88.218.206.128) port 1080
    > GET / HTTP/1.1
    > Host: hazi.ro
    > User-Agent: curl/8.4.0
    > Accept: */*
    >
    < HTTP/1.1 301 Moved Permanently
    < Server: openresty
    < Date: Thu, 16 Nov 2023 09:26:04 GMT
    < Content-Type: text/html
    < Content-Length: 166
    < Connection: keep-alive
    < Location: https://hazi.ro/
    <
    <html>
    <head><title>301 Moved Permanently</title></head>
    <body>
    <center><h1>301 Moved Permanently</h1></center>
    <hr><center>openresty</center>
    </body>
    </html>
    
    * SOCKS5 connect to hazi.ro:443 (remotely resolved)
    * Can't complete SOCKS5 connection to hazi.ro. (6)
    * Closing connection
    curl: (97) Can't complete SOCKS5 connection to hazi.ro. (6)
    
  • FlorinMarianFlorinMarian Member, Host Rep

    @tentor said:
    @FlorinMarian, HTTP redirect works fine but not HTTPS endpoint (:443 port seems to silently discard my connection)

    ```
    * SOCKS5 connect to hazi.ro:80 (remotely resolved)
    * SOCKS5 request granted.
    * Connected to 88.218.206.128 (88.218.206.128) port 1080
    > GET / HTTP/1.1
    > Host: hazi.ro
    > User-Agent: curl/8.4.0
    > Accept: */*
    >
    < HTTP/1.1 301 Moved Permanently
    < Server: openresty
    < Date: Thu, 16 Nov 2023 09:26:04 GMT
    < Content-Type: text/html
    < Content-Length: 166
    < Connection: keep-alive
    < Location: https://hazi.ro/
    <
    <html>
    <head><title>301 Moved Permanently</title></head>
    <body>
    <center><h1>301 Moved Permanently</h1></center>
    <hr><center>openresty</center>
    </body>
    </html>
    ```

    This may be due to your proxy connection + our integration.
    I'll investigate further but honestly I don't have too much to lose if proxied connections won't pass.

  • tentortentor Member, Host Rep

    @FlorinMarian said: if proxied connections won't pass

    Are you banning ASNs? https://check-host.net/check-report/13439b75keda

  • FlorinMarianFlorinMarian Member, Host Rep

    @tentor said:

    @FlorinMarian said: if proxied connections won't pass

    Are you banning ASNs? https://check-host.net/check-report/13439b75keda

    No, some routes are failing all the time according to check-host.net results.
    No idea which ISP in the path blocks some hosts during transit.

  • tentortentor Member, Host Rep
    edited November 2023

    Finally I figured out the reason:

    curl --resolve hazi.ro:443:\[2a0e:8f02:f04f::3\] -v https://hazi.ro
    * Added hazi.ro:443:[2a0e:8f02:f04f::3] to DNS cache
    * Hostname hazi.ro was found in DNS cache
    *   Trying 2a0e:8f02:f04f::3:443...
    

    Looks like firewall issue :) @yoursunny will be sad for you

    curl --resolve hazi.ro:80:\[2a0e:8f02:f04f::3\] -v http://hazi.ro
    * Added hazi.ro:80:[2a0e:8f02:f04f::3] to DNS cache
    * Hostname hazi.ro was found in DNS cache
    *   Trying 2a0e:8f02:f04f::3:80...
    * Connected to hazi.ro (2a0e:8f02:f04f::3) port 80 (#0)
    > GET / HTTP/1.1
    > Host: hazi.ro
    > User-Agent: curl/7.76.1
    > Accept: */*
    > 
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 301 Moved Permanently
    < Server: openresty
    < Date: Thu, 16 Nov 2023 09:37:28 GMT
    < Content-Type: text/html
    < Content-Length: 166
    < Connection: keep-alive
    < Location: https://hazi.ro/
    < 
    <html>
    <head><title>301 Moved Permanently</title></head>
    <body>
    <center><h1>301 Moved Permanently</h1></center>
    <hr><center>openresty</center>
    </body>
    </html>
    * Connection #0 to host hazi.ro left intact
    
  • FlorinMarianFlorinMarian Member, Host Rep

    @tentor said:
    Finally I figured out the reason:

    curl --resolve hazi.ro:443:\[2a0e:8f02:f04f::3\] -v https://hazi.ro
    * Added hazi.ro:443:[2a0e:8f02:f04f::3] to DNS cache
    * Hostname hazi.ro was found in DNS cache
    *   Trying 2a0e:8f02:f04f::3:443...
    

    Looks like firewall issue :) @yoursunny will be sad for you

    ```
    curl --resolve hazi.ro:80:[2a0e:8f02:f04f::3] -v http://hazi.ro
    * Added hazi.ro:80:[2a0e:8f02:f04f::3] to DNS cache
    * Hostname hazi.ro was found in DNS cache
    *   Trying 2a0e:8f02:f04f::3:80...
    * Connected to hazi.ro (2a0e:8f02:f04f::3) port 80 (#0)
    > GET / HTTP/1.1
    > Host: hazi.ro
    > User-Agent: curl/7.76.1
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 301 Moved Permanently
    < Server: openresty
    < Date: Thu, 16 Nov 2023 09:37:28 GMT
    < Content-Type: text/html
    < Content-Length: 166
    < Connection: keep-alive
    < Location: https://hazi.ro/
    <
    <html>
    <head><title>301 Moved Permanently</title></head>
    <body>
    <center><h1>301 Moved Permanently</h1></center>
    <hr><center>openresty</center>
    </body>
    </html>
    * Connection #0 to host hazi.ro left intact
    ```

    Fixed.
    My nginx config missed listen [::]:443 ssl;

    Thanks a lot! :smile:

  • tentortentor Member, Host Rep

    You know what? I already know how to automate bypass!

    Thanked by 1adly
  • FlorinMarianFlorinMarian Member, Host Rep

    @tentor said:
    You know what? I already know how to automate bypass!

    I specified from the very beginning that I know this vulnerability and I will address it by randomizing both the solution ids and the name of the image offered as a solution.

  • tentortentor Member, Host Rep
    edited November 2023

    @FlorinMarian said: I specified from the very beginning that I know this vulnerability and I will address it

    OK, but why have you pushed a vulnerable and easily exploitable protection to production?

  • FlorinMarianFlorinMarian Member, Host Rep

    @tentor said:

    @FlorinMarian said: I specified from the very beginning that I know this vulnerability and I will address it

    OK, but why have you pushed a vulnerable and easily exploitable protection to production?

    Because vulnerable code is better than nothing.
    Also, you guys will help me to do my best:)

  • tentortentor Member, Host Rep

    @FlorinMarian said: Because vulnerable code is better than nothing.

    Well I believe you should check out nginx testcookie and use SlowAES as a form of basic PoW. It does not require any action from the user and is heavy for the attacker to pass (for sure it could be automated, BUT you need an enormous amount of computational resources wasted on passing the challenge). Also we have integrated it with crowdsec to automatically ban attackers' IP addresses (temporarily for sure, 10 minutes is sufficient). For more effect, send abuse complaints (it may remove some infected devices from a proxy botnet). Things like Tor can ultimately be blocked and redirected to a .onion (it is computationally harder for an attacker to connect to a .onion than to a clearnet resource, both over Tor).

    When our website was targeted several times these measures helped us to successfully mitigate all attacks, and no customer has complained since their introduction several months ago.

    Thanked by 1FlorinMarian
  • FatGrizzlyFatGrizzly Member, Host Rep

    @FlorinMarian said:

    @FatGrizzly said:
    design is hella weird on mobile.

    I will be thankful if you can attach a screenshot.

    Thanked by 1FlorinMarian
  • FlorinMarianFlorinMarian Member, Host Rep

    Fixed both appearance & image name

  • tentortentor Member, Host Rep

    @FlorinMarian said:
    Fixed both appearance & image name

    Implement automatic IP address ban and wait for DDoS attempts, this is the only way to check how good this protection is >:)

  • FlorinMarianFlorinMarian Member, Host Rep

    @tentor said:

    @FlorinMarian said:
    Fixed both appearance & image name

    Implement automatic IP address ban and wait for DDoS attempts, this is the only way to check how good this protection is >:)

    That's enough for today.
    Regarding PoW DoS protection, I was thinking about something simpler than SlowAES, like a recursive fibonacci + a random operation.

  • tentortentor Member, Host Rep

    @FlorinMarian said: like a recursive fibonacci

    VERY easily precomputed on a beefy server once and reused as many times as needed
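
As an added illustration of tentor's two points above (a PoW in the spirit of nginx testcookie that needs no user action, and why a fixed function such as Fibonacci can be tabulated once and reused), here is example code that is not from this thread or from hazi.ro: it shows the Fibonacci challenge collapsing to a table lookup, beside a hash PoW whose server-issued random nonce is bound to the client, an expiry and the difficulty by an HMAC, so answers can be neither precomputed nor replayed. The server key, client id and difficulty values are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server secret for this example; a real deployment keeps a random key the client never sees.
SERVER_KEY = b"example-only-server-key"

def fib(n):
    """The 'work' proposed in the thread: compute F(n) iteratively."""
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a

def fib_table(max_n):
    """What an attacker does once on a beefy box: tabulate every answer, so each challenge is a lookup."""
    table, a, b = {}, 0, 1
    for n in range(max_n + 1):
        table[n], a, b = a, b, a + b
    return table

def issue_challenge(client_id, difficulty, ttl=600, now=None):
    """Server side: a fresh random nonce, bound to client, expiry and difficulty by an HMAC."""
    expires = int(now if now is not None else time.time()) + ttl
    nonce = secrets.token_hex(16)
    msg = f"{client_id}|{nonce}|{expires}|{difficulty}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return {"client_id": client_id, "nonce": nonce, "expires": expires, "difficulty": difficulty, "tag": tag}

def meets_target(nonce, counter, difficulty):
    """True when SHA-256(nonce:counter) starts with `difficulty` zero bits."""
    digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - difficulty) == 0

def solve(challenge):
    """Client side: brute-force the counter; work done for an earlier nonce is useless here."""
    counter = 0
    while not meets_target(challenge["nonce"], counter, challenge["difficulty"]):
        counter += 1
    return counter

def verify(challenge, counter, now=None):
    """Server side: one HMAC plus one hash rejects forged, expired or wrong answers."""
    now = now if now is not None else time.time()
    msg = f"{challenge['client_id']}|{challenge['nonce']}|{challenge['expires']}|{challenge['difficulty']}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, challenge["tag"]) or now > challenge["expires"]:
        return False
    return meets_target(challenge["nonce"], counter, challenge["difficulty"])
```

The attacker's cost is the expected 2^difficulty hashes per fresh nonce, while the server's check stays at one HMAC and one hash regardless of difficulty.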

  • FlorinMarianFlorinMarian Member, Host Rep

    Hey!
    February is fast approaching, when I will have to present my bachelor thesis, so..

    Bot protection was upgraded today and we increased the difficulty level with two important changes:
    1. There are no more plaintext ids for possible solutions
    2. The random IDs generated for the possible solutions are unique for each user, but here too there is dynamism, as the ID is only valid for 24 hours.

  • Will you be selling this technology?

  • FlorinMarianFlorinMarian Member, Host Rep

    @Wicked said:
    Will you be selling this technology?

    I will ask for the copyright when I hand over the project to the faculty, but not for the purpose of direct selling.

    I plan that in the future I will also offer webhosting and offer this level of security for free to my clients, but without direct access to the source code, of course, but in the form of a proxy, as was thought.

    Then, whether your question was ironic or not, maybe financially what this mess does is not worth much, but for me it means a lot since I've been dreaming about it for a year but never with the motivation to put into practice what I was thinking.

  • I've just spent the last hour trying to create something to solve your captcha. It's impressive how you always modify the JavaScript code and keep the challenge ID there.

    I managed to make something to solve POW captchas, but making something to solve your captcha made me kill myself. Good job.

    Thanked by 1FlorinMarian
  • davidedavide Member
    edited December 2023

    @sillycat

    Try 10 minutes with AutoHotKey :D
    I was Playing PokerStars with it a decade ago.

    It can recognize images, click, drag, and knock on Frorin's door at a late spooky hour. Layer 7 my dick.

    Thanked by 1host_c
  • tentortentor Member, Host Rep
    edited December 2023

    A bit of challenge misunderstanding UPD. Ah, I got it - correctSolution is a color image, not a monochrome one.

    However, there is still a vulnerability: images are not randomized and an attacker can create an array of SVG image pairs

  • @FlorinMarian said:

    @Wicked said:
    Will you be selling this technology?

    I will ask for the copyright when I hand over the project to the faculty, but not for the purpose of direct selling.

    I plan that in the future I will also offer webhosting and offer this level of security for free to my clients, but without direct access to the source code, of course, but in the form of a proxy, as was thought.

    Then, whether your question was ironic or not, maybe financially what this mess does is not worth much, but for me it means a lot since I've been dreaming about it for a year but never with the motivation to put into practice what I was thinking.

    business genius

  • FlorinMarianFlorinMarian Member, Host Rep

    @tentor said:
    @sillycat but it is pretty simply obfuscated, and after that I can see very well formatted source code.

    There are a few important lines:

    const correctSolution = ...
    xhttp.open("POST", "/", true);
    xhttp.setRequestHeader('wc1fJRsyQ0xxR2R2gpCWQWo5b1k', draggedBoxId);
    

    So, to bypass @FlorinMarian protection you need to:
    1. deobfuscate JS (currently very easy, I've seen only one obfuscation technique with decodeURIComponent(escape()), haven't checked from multiple IP addresses though),
    2. find img with src equal to variable correctSolution
    3. extract id of div html tag of found img
    4. do POST request
    5. capture cookie

    UPD. Ah, I got it - correctSolution is a color image, not a monochrome one.

    I could leave JS 100% clean without any impact.
    You will never know what id should be used in an automatic manner.
    To complicate this solution I just have to add a few more images and track how many tries you have. Like, if you have two fails => at the third you're banned for a few minutes. But it's not required (yet), even if something like this is simple to implement.
