B4J Question [ABMaterial] Security in ABMaterial

MichalK73

MichalK73

Well-Known Member
Licensed User
Longtime User
Hello.
Recently, the client has reported strange entries in the LOG of his server which I wrote for him in ABMaterial. Exactly on the site is the DEMO version secured with a password to enter

B4X: 
page.InputBox ("demo", "The demo version is disabled", "Log", "Cancel", True, ABM.INPUTBOX_QUESTIONTYPE_PASSWORD, ABM.INPUT_PASSWORD, "", "", "", "Error", False, ABM .MSGBOX_POS_CENTER_CENTER, "")

I have added options that in the logs I have an entry for what people type. Strangely enough, there are some poor people who analyze the page code. They see some exotic ABMaterial framework and they wonder what it is. Password entries in logs are most often: abmclose, abmcancel, abmoverlay. Of course, there is no further transition without a proper password.
I am asking a question that I did not ask myself about the security level of ABMaterial. Has anybody met with any ABMaterial safety situations? I suspect that with time, everyone will collide with it and it would be good to be better prepared in time. All comments are welcome about security at ABMaterial.
 
Sort by date Sort by votes
Erel

Erel

B4X founder
Staff member
Licensed User
Longtime User
Upvote 0
alwaysbusy

alwaysbusy

Expert
Licensed User
Longtime User
@MichalK73 Are you talking about the log one the server or the log in the browsers console? If it is on the server then that should be ok. If someone from the outside can read these logs, then you have a serious security problem with your server. If you use B4JS in ABM, then you have to be extra careful not to use it with passwords because B4JS runs on the browser side and can easily be manipulated. Note that ABM is just a GUI layer. All 'intelligence' is server side and all general protection (like using encrypted passwords in your database) are up to you.
 
Upvote 0
MichalK73

MichalK73

Well-Known Member
Licensed User
Longtime User
alwaysbusy said:
Are you talking about the log one the server or the log in the browsers console?
Click to expand...
No.
In the database I have a log table to which I write important information. abmclose, abmcancel, abmoverlay are passwords entered by anonymous users in the window "page.InputBox". There are many of them. The value entered is sent backend on the server side. Hence my question. Will ABMaterial be immune to such an attack? I suspect that they are looking for some methods of circumvention in ABMaterial.
 
Upvote 0
alwaysbusy

alwaysbusy

Expert
Licensed User
Longtime User
Ah, now I think I get it :) Some passwords are literally 'abmclose', 'abmcancel' etc, no?

If so, no, it will not have any security risk and ABM should withstand it.

I think one thing you may check is if in 'demo' mode, some components are just hidden (using the .Visibility property). It is fairly simple to just 'unhide' such components. But this is not an ABM specific issue, this is possible with any html webapp.

So, only add important components AFTER the user has logged in.

I'm only mentioning this because I recently went to a webapp (not written in ABM) where this was the case and just by hiding the loginbox and showing the rest of the page, I 'hacked' their app :D
 
Upvote 0
MichalK73

MichalK73

Well-Known Member
Licensed User
Longtime User
B4X: 
Private Sub WebSocket_Connected (WebSocket1 As WebSocket)

...
...
...
    If session.GetAttribute2("IsAuthorized", "") = "" Then
        If Main.config.Get("demo") = "1" Then
            page.InputBox("demo","The demo version is disabled","Loguj","Anuluj",True,ABM.INPUTBOX_QUESTIONTYPE_PASSWORD,ABM.INPUT_PASSWORD,"","","","Błąd",False,ABM.MSGBOX_POS_CENTER_CENTER,"")
        End If
        Return
    End If
    ABM.UpdateFromCache(Me, ABMShared.CachedPages, ABMPageId, ws)
    If page.ComesFromPageCache Then
...
...
...
End Sub

B4X: 
Sub Page_InputboxResult(returnName As String, result As String)
    
    If returnName = "demo" Then
        If result = Main.config.get("demo_pass") Then
            ws.Session.SetAttribute("IsAuthorized", "true")
            ABMShared.writeLog("demo ok", result,ws.UpgradeRequest.RemoteAddress)
            ABMShared.NavigateToPage(ws, "", "../demo/index.html" )
        Else
            ABMShared.writeLog("demo fake", result,ws.UpgradeRequest.RemoteAddress)
            ABMShared.NavigateToPage(ws, "", "../welcome/index.html" )
        End If
    Else
        ABMShared.NavigateToPage(ws, "", "../welcome/index.html" )
    End If
    
    
End Sub


So the query for entry is at the "WebSocket_Connected" level. Only after fulfilling the password condition, the contents of the page in "ConnectPage ()" are loaded.
So is it ok?
 
Upvote 0
You must log in or register to reply here.

Similar Threads

JackKirk
  • Question
B4J Question ABMaterial - can not get "add to home screen" to work with my icon
Replies
6
Views
2K
JackKirk
JackKirk
MichalK73
  • Article
B4J Tutorial [ABMaterial] Several ABMaterial servers on one IP
Replies
10
Views
5K
MichalK73
MichalK73
Harris
  • Question
B4J Question [Solved] [ABMaterial] - using https (secure)
4 5 6
Replies
107
Views
12K
alwaysbusy
alwaysbusy
G
  • Question
B4J Question [ABMaterial] ModalSheet Scrollbar issue
Replies
3
Views
3K
Gustavo Retana
G
Harris
  • Article
B4J Tutorial [ABMaterial] For Dummies (beginner lessons)
2
Replies
22
Views
32K
Harris
Harris
Top