Forem: Dmitry Sorokin

Bypass IP Restrictions with Burp Suite.

Dmitry Sorokin — Fri, 21 Apr 2023 14:55:14 +0000

Some web applications implement IP-based protection rules that restrict users from accessing particular pages of an application like an admin page if their IP addresses are not in the allowed list. These rules are used as an access control mechanism.

It relies on having a proxy between the client and the server for forwarding requests. The proxy forwards the client’s IP to the server; if it is allowed or whitelisted, the server will respond with the requested page; otherwise, it will block the request.

The proxy does that by adding an X-Forwarded-For header that contains the client’s IP address to the request before sending it to the application. Then, the application checks the X-Forwarded-For header to determine whether the IP address of the client is in the allowed list.

📌 The X-Forwarded header accepts two directives a client IP and proxy IP. It is possible to include multiple proxy IPs to send the requests; the traffic will bounce through the IPs successively before reaching the server.

📎 Syntax: X-Forwarded-For: ,,,

The attackers can take advantage of this and test the restriction rules by spoofing a different IP that they know is allowed by the application, like localhost address 127.0.0.1. Tricking the application into thinking the requests come from a trusted source, even though the original requests are coming from a different blocked IP.

Since it is a pain to modify requests manually in attempts to bypass these WAF restriction rules, Burp can help automatically insert the required headers into each request sent to the application.🌋

There are 2 methods to achieve our goal through Burp Suite, either through the match and replace rules, which actually what I use all the time before discovering the Bypass WAF extension.

I was unaware of the extension before working on the Control machine on HTB, and I came across it when researching for better ways to automate forwarding requests.

Even though I liked using the extension, I am going to include both methods for reference 😃 .

Let’s begin !!

Method #1: Match/Replace Rules

1- Navigate to the Proxy tab and click on Options. Scroll down to the Match and Replace section and click Add.

2- Specify the details needed for the matched Rule. We start first with specifying the Type of Rule; in our case, it is a Request Header since we want Burp to insert the modified header into all client requests.

Next, in the Match field, leave it blank to match all requests.

In the Replace field, we will enter the **X-Forwarded-For **header with the IP address we want to send requests from.

📍 Adding a comment is optional but helpful if you are using multiple rules at the time.

When done, click Ok to save the rule.

3- Check the Enabled box to enable the new Rule.

Now, we have the Rule configured, let’s test it out. Turn Foxy Proxy On or add the proxy setting to the browser, and refresh the page.

If we intercept the request with Proxy, we see Burp added the X-forwarded header in all the sent requests.

Method #2: Bypass WAF Extension

The extension can be installed and configured to send X-forwarded headers automatically each time you navigate to the application.

1- Go to the Extender tab and click on the Burp BApp Store. Scroll down to the right pane and click on the **Install **Button.

When the extension is installed, it will be added in the Extensions tab, and a new tab will be added in Burp Suite Tabs.

💡 You can remove an extension by going to the Extensions Tab and click on Remove.

2- Next, we need to add a session handling rule to make Burp perform the required actions when making the HTTP requests.

Go to Project options and click on Sessions, then click Add.

Insert the name of the Rule in the Rule Description and the action needed in Rule Actions. In our case, we want to Invoke Burp Extension that will allow us to use the Bypass WAF extension.

4- In the Scope tab, check the Proxy box to enable it.

For the URL scope, we can either choose to Include all URLs or Use a Targeted scope “User suite scope [defined in Target tab].

5- Next, we configure the extension, click on the Bypass WAF, add the IP address in the Header field and click on Set Configuration to enable the bypass configuration.

6- Refresh the page, and test the extension.

Great!! The extension works. The downside is when intercepting the requests, I don’t see the X-Forwarded-For headers are added like with the Match & Replace rule.

With a bit of research, I found that I can install the Flow extension to monitor the requests I send to the proxy and see how the Bypass WAF injects the x-forwarded header.

7- Go back to the BApp Store and install Flow.

In the extension tab, make sure the Flow extension is added under the Bypass WAF extension. (🔔 order matters when monitoring requests).

8- Now refresh the page and go to the Flow tab. We can see the headers Bypass WAF injects to the requests we send to the server.

That’s all for today, Thanks reading.

Sincerely,
Dmitry Sorokin,
403 Gone
REChain, Inc
Katya AI, Systems
Katya, Inc
Katya Systems, LLC
REChain Network Solutions

Love, technology and the new Internet. Created on the basis of Flutter.

Dmitry Sorokin — Sat, 11 Feb 2023 08:44:00 +0000

We have always wanted to do something unusual, something that can turn this world upside down, change it for the better. My team and I have created a product based on the foundations of privacy, branding, and user experience! And behind the creation of this product is my personal story of unrequited love. If you are interested in reading about the latter, you can go to Medium.com We recently posted the source code of the project on on GitHub on my behalf with detailed README.md , who are interested, welcome!

The client application for desktop and mobile devices is written in Dart using the Flutter framework. In this article I would like to talk about the framework itself as a whole.

So, best practices for app development with Flutter

1. Keeping the build function clean.

For the build function to work effectively, it is necessary to ensure its maximum "purity", i.e. the absence of unnecessary elements of the program code. This is because there are certain external factors that can trigger a new Widget build, below are some examples:

_- navigation in the application;

resizing of the screen, usually due to showing/hiding the keyboard or changing the screen orientation;
the parent widget has recreated its child widget;
Inherited Widget depends on changing values (Class. of(context) pattern)._

An example of incorrect code looks like this:

@override
Widget build(BuildContext context) {
  return FutureBuilder(
    future: httpCall(),
    builder: (context, snapshot) {
      // create some layout here
    },
  );
}

An example of correct code should look like this:

class Example extends StatefulWidget {
  @override
  _ExampleState createState() => _ExampleState();
}
class _ExampleState extends State<Example> {
  Future<int> future;

  @override
  void initState() {
    future = repository.httpCall();
    super.initState();
  }

  @override
  Widget build(BuildContext context) {
    return FutureBuilder(
      future: future,
      builder: (context, snapshot) {
        // create some layout here
      },
    );
  }
}

2. Understanding the principles of Flutter's constrains concept.

There is one widely accepted rule of thumb regarding Flutter layouts that every Flutter app developer should follow: Constraints decrease, dimensions increase, and the parent determines the position. Let's look at this issue in more detail.

A widget has its own constraints, which are determined by its parent widget. A constraint is a set of four pairs of values: the minimum and maximum width, and the minimum and maximum height.

The widget then goes through its own list of child elements. The widget sets its child elements in turn with constraints (which can be different for each element), and then asks each such element for information about the desired size.

Next, the widget places its child elements one after the other (horizontally on the x-axis and vertically on the y-axis). The widget then passes its own size information to its parent element (within the original constraints).

In Flutter, all widgets define themselves based on the constraints of their parent element or the constraints of their box.
** However, there are a number of limitations here.

For example, if you have a child widget inside a parent widget and you want to set its size. A widget cannot have any size on its own. The size of a widget must be within the limits set by its parent element.

3. Rational use of operators to reduce the number of executed lines.

Use the Cascades operator
_

If you need to perform a sequence of operations for the same object, then you should choose the Cascades(...) operator.

//Do
var path = Path()
..lineTo(0, size.height)
..lineTo(size.width, size.height)
..lineTo(size.width, 0)
..close();  

//Do not
var path = Path();
path.lineTo(0, size.height);
path.lineTo(size.width, size.height);
path.lineTo(size.width, 0);
path.close();

Use Spread Collections
_

You can use spread collections when existing elements are already stored in another collection. The spread collection syntax allows for simpler code.

//Do
var y = [4,5,6];
var x = [1,2,...y];

//Do not
var y = [4,5,6];
var x = [1,2];
x.addAll(y);

Use the Null safe (??) and Null aware (?.) operators
_

Always use the ?? (if null) and ?. (null aware) instead of checking for an undefined value (null).

//Do    
v = a ?? b; 
//Do not
v = a == null ? b : a;

//Do
v = a?.b; 
//Do not
v = a == null ? null : a.b;

Avoid using the as operator, use the is operator instead.
_

Generally, the as cast operator throws an exception if the cast is not possible. In such cases, the is operator can be used.

//Do
if (item is Animal)
item.name = 'Lion';

//Do not
(item as Animal).name = 'Lion';

4. Use the Streams feature only when necessary.

Although the Streams feature is quite powerful and efficient, it places a heavy burden on hardware resources.

Incorrect implementation can lead to increased consumption of memory and processor resources. But it's not only that. If you forget to stop the execution of the Streams function, this will leak memory.

Therefore, in such cases, another tool that consumes less memory resources, such as ChangeNotifier, can be used for a reactive user interface. For more advanced features, we can choose the Bloc library, which makes efficient use of hardware resources and offers a set of simple tools for creating a reactive user interface.

If the Streams feature is not used, its data will be effectively deleted. The thing is, if you just remove the variable, it won't be enough to make sure it's not being used. It may continue to run in the background.

You need to call Sink.close() to stop the corresponding StreamController to make sure the memory resources can be freed later with the GC's cleanup function.

To do this, you need to use the StatefulWidget.dispose method:

abstract class MyBloc {
  Sink foo;
  Sink bar;
}

class MyWiget extends StatefulWidget {
  @override
  _MyWigetState createState() => _MyWigetState();
}

class _MyWigetState extends State<MyWiget> {
  MyBloc bloc;

  @override
  void dispose() {
    bloc.bar.close();
    bloc.foo.close();
    super.dispose();
  }

  @override
  Widget build(BuildContext context) {
    // ...
  }
}

5. Writing tests for checking critical functions.

You can't insure yourself against manual testing errors, but having an automated test suite can save you a significant amount of time and effort. Since the Flutter SDK is designed for a large number of platforms, testing each feature after each change will be time-consuming and requires a lot of repetitive work.

Checking the entire program code as a whole guarantees the best results, but its implementation is not always possible due to limited time and funds. However, it is necessary to have tests at least to verify the basic critical functions of the application.

Tests to test individual units and widgets will be optimal solutions to use from the very beginning, and their execution will not be as difficult as compared to integration tests.

Summing up, I would like to note that over the years of work we have formed a strong and stable community that is growing and developing to this day.
Hundreds of thousands of users daily monitor our activities around the world and constantly offer their help, everyone contributes to the development and improvement of our products! It's great!

Sincerely,
Yours, Dmitry Sorokin
403 Gone,
REChain, Inc
Katya AI, Systems
Katya, Inc
Katya Systems, LLC
REChain Network Solutions

Reactions without limits, Topics in groups, Collectible public domain aliases. 📡

Dmitry Sorokin — Tue, 08 Nov 2022 12:22:25 +0000

Thanks to the new REChain 🪐 Open Platform, any user can create their own animated sets. In the current update, all custom emoji become available as reactions and status emoji.
The updated reaction selection menu can be expanded to make it easier to view many new emoji. The reactions you use most often are automatically moved to the top of the list.

Starting today, you can divide large group discussions into topics, acquire collectible public aliases for profiles and channels, as well, as blockchain matrix spaces 🌎 through secure transactions in our distributed decentralized blockchain matrix network called Katya ® 👽 AI 🧠 REChain 🪐 Blockchain Node Network!

Topics in groups

REChain 🪐 groups, channels & public 'n private matrix spaces can reach incredible sizes - each of them can consist of hundreds of thousands of users. To make it easier to follow the flow of information in conversations, admins of groups of 200 or more members can now organize discussions by topic. Unlimited groups and direct chats have been available for everyone for more than a year!

The new feature allows you to create separate spaces 🐾 according within the main group for certain discussions. For each such a topic, you can separately set up new message notifications and quickly view the media files that were published in it in the general section. Members can chat on anything using a full arsenal of familiar tools, including polls, pinned messages, and autobots 🎓!

Minor visual improvements

Swiping left to reply to a message is now accompanied by a new animation. Clicking on a Katya ® 👽 AI 🧠 REChain 🪐 Blockchain Node Network domain aliases in a user's profile popup opens a new menu to select the type of call in the REChain 🪐. And in those rare moments when our platform does not have time to immediately load the chat, outlines of text blocks with a new pulsating animation appear in place of messages.

New interactive emojis and reactions

4 new interactive emoji 😴👨‍💻🤓👀 will help inform your interlocutors that you are busy studying, sleeping or looking around suspiciously, which are accompanied by full-screen animation in personal chats - and can be used as reactions to messages. In addition, in honor of Halloween, 3 thematic reactions are available to all users in any chats. 👻🎃😭 - real horror!

Sincerely,
Yours,
Dmitry Sorokin,
403 Gone
REChain, Inc
Katya AI, Systems
Katya, Inc
Katya Systems, LLC
REChain Network Solutions

How to solve the ‘WhatsApp at work’ problem

Dmitry Sorokin — Sun, 28 Aug 2022 07:20:38 +0000

Workplace use of WhatsApp is an expensive habit - so expensive it’s costing five US investment banks a total of $1B in fines from the SEC 🤯!

This isn’t just a Wall Street problem - it's worldwide. Germany’s financial watchdog, BaFin, is investigating senior executive use of WhatsApp at Deutsche Bank. And in the UK, the Information Commissioner’s Office (ICO) has called for a review into the use of private correspondence channels by government officials – including private email, WhatsApp and other similar messaging apps used within government.
_
The problem arises because consumer messaging apps such as WhatsApp fail to support even basic workplace requirements. There’s a lack of transparency as work-related discussions within such apps remain between the participants only, leading to shadow IT issues which pose serious security, compliance and data management problems. _

This shouldn’t come as a surprise. As workers seek simplicity, the popularity of WhatsApp, Signal and Telegram in the workplace has boomed. In fact, a staggering 53% of frontline workers end up using unapproved consumer-grade messaging apps at work.

Companies have failed to put compliant messaging in place

Historically companies have ignored the issue. They rarely authorise the use of WhatsApp or other consumer messengers, but are just as unlikely to crackdown on usage or offer an alternative; which signals tacit acceptance. However, as $1B worth of fines demonstrates, regulators aren’t going to be as lenient.

The solution? An enterprise messaging solution that combines the usability of WhatsApp with the functionality modern businesses need. Below, we lay out the main questions businesses should be asking when acquiring an enterprise messaging solution to kick WhatsApp out of the workplace.

1) Is it as easy to use as WhatsApp?

❌ Problem: If enterprise messaging apps aren't as easy to use as WhatsApp, then people won't use them. Employees want a genuine messenger-style user experience, rather than a cut-down desktop version of a traditional enterprise collaboration tool, such as Microsoft Teams or Slack.

✅ Solution: Katya ® 👽 & REChain 🪐 offer a slick mobile-first experience with all the necessary functionalities; private and public rooms for instant messaging, voice and video calls, location and file sharing, and voice messages for effective async in an “always on the run” work environment. Meanwhile, office-based staff using it can benefit from the best-of-breed desktop collaboration experience.

2) Does it support a complex workforce?

❌ Problem: Today’s enterprises are a complex mix of legal entities, regions and departments. The likes of MS Teams and Slack can’t support such an ecosystem because connections with external partners or individuals are expensive; and generate additional admin burden for the IT function. That’s why WhatsApp ends up being a ‘workforce hack’ as people can quickly and easily create their own connections and groups - just like email.

✅ Solution: Katya ® 👽 & REChain 🪐 are flexible enough to operate across multiple organisations, both internal and external. Once set up, it’s easy for employees and partners to download, self-provision and connect. Chat rooms are simple to create and manage, so teams can be brought together for the smallest of projects and can be deprovisioned when the project is finalised.

3) Is it secure, and can the company manage its own data?

❌ Problem: Part of the popularity of WhatsApp and similar apps is their end-to-end encryption, which is absolutely essential for protecting sensitive information. Yet being consumer apps, there is no choice as to where messaging data is hosted - sensitive business data ends up controlled and managed by the app provider. There is no ability to self-host that data, migrate it elsewhere or manage it appropriately.

✅ Solution: Built for enterprise use, Katya ® 👽 & REChain 🪐 are end-to-end encrypted by default. They also provide a range of hosting options. It can be deployed on-premise, self-hosted in the cloud or as a fully managed service. Through a combination of end-to-end encryption and a choice of hosting options, an organisation can stay in complete control of its messaging and collaboration data - including how it is managed to satisfy compliance requirements.

4) Can employees reach clients?

❌ Problem: Most messaging apps are walled gardens - offering no interoperability with other platforms. Employees are left having to use whatever messaging app their client uses, despite obvious compliance implications.

✅ Solution: Katya ® 👽 & REChain 🪐 allow employees to stay in their enterprise’s own app, whilst messaging clients who use WhatsApp, Signal, Telegram or others. So even if clients stay in WhatsApp, the bank’s employees can continue to message them and bridge the conversation back into the company’s own system; ensuring an audit trail and improving customer service through integrated workflows. Oh, and avoiding those $200M fines!

Bridging currently decrypts messages from consumer messaging apps, so the bridge has to be hosted in a trusted environment; mostly likely self-hosted or through Katya ® 👽's or REChain 🪐’s own hosting solution. Future bridging services will preserve end-to-end encryption, but as an immediate fix to ensure compliance it’s a powerful option and doesn’t rely on getting the bank’s clients to change their habits.

The future is an enterprise-grade messaging and collaboration solution

Email is outdated, slow and insecure. Traditional collaboration apps are not popular with employees, lack security and require too much IT admin support to use across multiple companies. Meanwhile, consumer-grade messaging apps offer companies zero transparency or control over their employees work-related conversations.

The only logical solution is an enterprise-grade messaging and collaboration platform. That's a combination of the best of WhatsApp (an easy to use messaging app with end-to-end encryption), the enterprise functionality of MS Teams or Slack and the interoperability of email to support easy communication between people at different companies. This is exactly what Katya ® 👽 & REChain 🪐 provide!

The (quite literal) $1B question is: will employees adopt Katya ® 👽 & REChain 🪐 or stay in WhatsApp? And the answer to that is, they can do either!

From our experience of working with large enterprises, the two most effective approaches to migrating WhatsApp usage into a compliant framework are:
_
1. Migrate employees to Katya ® 👽 & REChain 🪐, which they quickly warm to, and from where they can still message their clients whichever messaging app those clients might be using.
2. Let employees stay in whatever app they prefer, and have those conversations from their work number bridged to the company’s Katya ® 👽 & REChain 🪐 deployment as that ensures compliance!_

Either way, using Katya ® 👽 & REChain 🪐 means messaging app conversations are transparent to the company, compliant and can be automatically integrated with other enterprise systems.

Sincerely,
Dmitry Sorokin,
403 Gone
REChain, Inc
Katya AI, Systems
Katya, Inc
Katya Systems, LLC
REChain Network Solutions

Opportunities for CyberSec teams

Dmitry Sorokin — Sun, 24 Jul 2022 14:03:50 +0000

Imagine being called into the CIO's boardroom and asked, "Why is your team using a collaboration tool that doesn't even have end-to-end encryption?"

Where would you go with this?

Possible answers: 🤔😂

“The team is familiar with Slack. I wouldn't want it to be replaced.
"Microsoft Teams is free."
“The faucets are always dripping in the plumber’s house, and cobbler’s kids are notorious for running around barefoot.”

While there's a lot of truth to "you'll never get fired for buying /* insert a big brand */", there's a lot more truth to "you'll definitely get fired for not following the basic precautions that make hacking much more difficult."

Conventional solutions de facto do not meet the standard

While it doesn't make sense, most cybersecurity teams use a combination of Slack and Signal.

Slack is not even encrypted with end-to-end encryption - everything will remain in plain sight for anyone who gets inside. And while Signal has E2EE, it doesn't have enterprise functionality (given that Signal was never intended to be an enterprise application). On top of that, both systems are centralized, which creates single points of failure and vulnerabilities, and makes them a huge target for attacks.

Battle for replacement

The difficulty, especially in large organizations, is convincing others to upgrade to something that actually serves the purpose.

That's why we've created a _checklist _that we hope will give you all the content you need to appease the various layers of bureaucracy and help you navigate your internal processes to make the right choice.

This guide asks a few simple questions to engage colleagues, including:

🗣 Does your collaboration platform provide a fundamental layer of security so you know who you're talking to?

If it's not end-to-end encryption and cross-signed device verification, then it's definitely not an option. Both are essential to building a truly secure messaging platform. Working side by side, they secure your conversations and, in turn, give you the confidence that you're talking to the right person.

🔒 Are you in full control of your data?

If you're using a traditional, centralized SaaS platform, then it's unlikely. An on-premise solution or hosting service with independent persistence is the only way to guarantee true ownership of the data. Not only does this make your information more secure, but if it's based on an open standard, it also gives you the freedom to choose between local or various other hosting services.

🤝 Can you easily communicate with your external network of cybersecurity experts?

If you're looking at "walled gardens" like Slack and Signal, the answer is no. Think about how you can send an email to anyone, no matter what email client they might be using. This is what the Katya ® 👽 AI 🧠 REChain 🪐 Blockchain Node Network standard provides - the interoperability you associate with email, but with the security of end-to-end encryption.

💪 Is your platform resilient to various kinds of adversity?

Centralized systems are prone to global outages, so not for Slack, MS Teams, or Signal. A decentralized fabric infrastructure that provides data independence and autonomy also creates a much more resilient network.

We know, just like you, that real-time communication is critical to cybersecurity, and the confidentiality of the discussion requires end-to-end encryption and full ownership of the data. Slack and Microsoft Teams provide neither.

Cybersecurity teams need to be among the first to take advantage of the new era of encrypted enterprise-grade collaboration and messaging.

You need to provide end-to-end encryption by default and an open network to connect easily and securely inside and outside your organization, ensuring full ownership of your data and conversations, whether such a network is deployed on-premise or entirely hosted and managed externally.

Sincerely,
Dmitry Sorokin,
403 Gone
REChain, Inc
Katya AI, Systems
Katya, Inc
Katya Systems, LLC
REChain Network Solutions