Web Application Fortification with ModSecurity over IIS : HTTrack Website Copier

Excessive recursion is the number one problem plaguing modern web applications and API’s. I always use the analogy of the bank where the client continues to go to the teller and try credentials in order to have his card authenticated. One of the elements I like to utilise is the module that Mads did in 2007!

 http://madskristensen.net/post/Block-DoS-attacks-easily-in-ASPNET

What 2007!, yes 2007! works wonders for customers who refuse to add Modsecurity or SNORT IDS or to have any appliances. Then whether on classic webforms / mvc / API’s we integrate this module and I can tweak it to allow only enough traffic that can mimic a human user.

ModSecurity over IIS is excellent when dealing with excessive recursion. I have seen it stop the OWASP ZAP Zed Attack Proxy in its tracks, stop Brutus from cycling its usual credential attacks, SQLMap from trying to pull databases from vulnerable SQLi sites. One element where it allowed the traffic to go through was with the HTTrack Website Copier.

What is the HTTrack Website Copier. From their site:

HTTrack is a free (GPL, libre/free software) and easy-to-use offline browser utility.

It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site’s relative link-structure. Simply open a page of the “mirrored” website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.

I first utilised this when our product Manager was going to a remote part of Africa where the internet was to be scarce. I downloaded the utility and presto I had a nice offline rendition of the site.

Then it dawned on my, isn’t this a nice reconnaissance tool for sites that perhaps do not have alot of forensics and could allow us to download alot of elements and then we can do some analysis offline.

Evidently not all can be pulled and observing something live is better but we dont register hits on things that are local.

Notice that ModSecurity and IIS allow me to fire excessive recursions against the site. I had to add custom rules in order to halt the attack. 

Most likely no one is testing against it!

Happy defending!

 

Swashbuckle and the Swagger UI : Curious Case of the Invalid Data Types

Swashbuckle is a nice Nuget Package that allows for easy integration with Swagger and is qualified as  one of the defacto REST API discovery tools. This along side ASP.Net’s Web Api HELP page which can showcase a service quite nicely.

One of the falicies that I have come to observe in the swashbuckle rendition is that when you generate a sample from the REST API in what is call the Swagger UI at times you have a mismatch on the data types. Now Swagger can generate a document which is JSON with the /document/v1 payload and this is not affected as you will see in the example. However, to bypass the data type issue I had to add my own rendition of the index.html for the Swagger.UI and augment some Javascript. 

Here is the issue at hand with a tutorial on how to replicate and a nice discovery on how differnt data types are rendered.

First and foremost , we set the stage.

From Visual Studio create a new Web Application.

Select Web Api and follow the screenshot for other indicators.

The following is generated.

 

Add a class with various data types. Types that are not common through all platforms should be utilised. Nullables of double and decimal come to mind.

Add the NuGet Package for Swashbuckle

Oversee the changes

Notice the addition of this file. We can add a maptype<> in here to tell swashbuckle what to do with a double and how to convert it but it has no effect on the Swagger.UI part. Only the JSON from /documents/v1 as an example.

Fire up the service and oversee what you get with the default tooling.

Select the API which returns your class

Notice the json the douvles have a (.) DOT and so do the decimal types.

{
  "datetimeVal": "2017-05-10T15:08:06.1547306-04:00",
  "stringVal": "sample string 2",
  "integerVal": 3,
  "nullIntVal": 1,
  "doubleVal": 4.1,
  "nullDoubleVal": 1.1,
  "decimalVal": 5.0,
  "nullDecimalVal": 1.0
}

Now fire up swagger with /swagger

 

 

 Observe what is generated, notice no (.) DOT

Copy and Paste that into a classic client generator.

Also do a Java implementation as well, same issue

The docs/v1 is ok however!

The data types are format double and type number which is what we want. 

 

This said careful when generating client classes as this will have casting repercussions. 

Happy Coding!