Mime Sniffing, Data Sniffing, Content Sniffing, Drive-by Download Attack Protection


This topic contains 25 replies, has 4 voices, and was last updated by  Qtwix 11 months, 2 weeks ago.

Viewing 15 posts - 1 through 15 (of 26 total)
  • #21428

    AITpro Admin
    Keymaster

    What is a website Drive-by Download Attack?
    In simple layman’s terms a hacker or someone with malicious intentions or a malicious website will display a popup of some kind that is misleading and looks completely harmless.  Example:  A button that says “click to close” actually starts a download of malicious software/code to your computer.  Drive-by Downloads can also be hidden in Frames on a legitimate website that does not have malicious intentions.  Typically that website has been hacked and can infect your computer with malicious code.  By adding this code below you can protect your website and your website visitors against Drive-by Download attacks.

    What is a MIME Sniffing|Data Sniffing|Content Sniffing Attack?
    MIME Sniffing is used in XSS attacks – Cross-Site Scripting attacks.  Typically this method and type of attack is used on, and only effective on, websites that allow file uploads and where content types are not specified or are specified incorrectly.  The hacker will upload a file and then use that file in an XSS exploit/attack.  Even if your site does not allow file uploads this code below is a good idea to use/have.

    1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
    2. Click the Save Root Custom Code button.
    3. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
    3. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode.

    Notes:
    • This code goes after php/php.ini handler .htaccess code (if you have php/php.ini handler .htaccess code) and before any caching .htaccess code (if you have any .htaccess caching code). The order would be: 1. php/php.ini handler .htaccess code, 2. the X-Content-Type-Options nosniff htaccess code and then 3. htaccess caching code in this Custom Code text box.
    • If you add this code in an .htaccess file in the root of your hosting account, then this code will be applied to all of your websites under your hosting account. You would not need to add this code to any of your other sites.

    <IfModule mod_headers.c>
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    </IfModule>

    Note: You can combine the MIME sniffing|Drive-by Download Attack Bonus Custom Code above with the External iFrame|Clickjacking Bonus Custom Code here: http://forum.ait-pro.com/forums/topic/rssing-com-good-or-bad/

    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: SAMEORIGIN - iFrames from the same site are allowed - other sites are blocked
    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    Header always append X-Frame-Options SAMEORIGIN
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    </IfModule>
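    As an added check (not code from the forum post or from BPS), the script below audits a response for the two headers this topic adds: X-Content-Type-Options must be exactly nosniff and X-Frame-Options must be a single DENY or SAMEORIGIN. audit_url is a helper that HEADs a URL you own; the three sample responses are constructed.

```python
import urllib.request

VALID_XFO = {"DENY", "SAMEORIGIN"}   # ALLOW-FROM is obsolete and ignored by modern browsers
def audit_headers(headers):
    """headers: iterable of (name, value) pairs; returns a list of findings (empty = OK)."""
    by_name = {}
    for name, value in headers:          # header names are case-insensitive
        by_name.setdefault(name.lower(), []).append(value.strip())
    findings = []

    xcto = by_name.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing: browsers may sniff the content type")
    elif any(v.lower() != "nosniff" for v in xcto):
        findings.append(f"X-Content-Type-Options has unexpected value(s) {xcto}")

    xfo = by_name.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: other sites can frame this page")
    else:
        # 'Header append' merges onto an already-present header, so a second
        # SAMEORIGIN shows up as 'SAMEORIGIN, SAMEORIGIN'; split and check each token.
        tokens = [t.strip().upper() for v in xfo for t in v.split(",")]
        if len(tokens) > 1:
            findings.append(f"X-Frame-Options carries several values {tokens}; send exactly one")
        if any(t not in VALID_XFO for t in tokens):
            findings.append(f"X-Frame-Options value is not DENY or SAMEORIGIN: {tokens}")
    return findings

def parse_raw_response(raw):
    """Turn a raw HTTP response (status line + header block) into (name, value) pairs."""
    pairs = []
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name, value))
    return pairs

def audit_url(url):
    """Live check against your own site after activating Root Folder BulletProof Mode."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return audit_headers(resp.getheaders())

# Constructed sample responses (not captured from any real site)
HARDENED = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
DOUBLED = "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n\r\n"
BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
```

    Run audit_url("https://your-site.example/") (placeholder URL) against a page on your own site; an empty list means both headers arrived as intended.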
    #26103

    alexb
    Participant

    Hi,

    Just purchased Pro today, still going through the learning curve. Site works fine except one thing: the standard WP wysiwyg editor is not working anymore. I can use the text editor fine, the visual editor is simply blank. If I deactivate root bulletproof mode, the visual editor is there again.

    I did a bunch more troubleshooting and found that this mime sniffing protection custom code is causing my wordpress visual editor to go blank. If I remove that code from the top box of the root custom file, save, create new secure htaccess and activate root bulletproof mode again, the visual editor works fine.

    Any ideas why? I assume this code is not supposed to kill the visual editor and afaik I’m the only one with this? Found one other thread in your forum but the person didn’t respond anymore, you did with a link to the troubleshooting guide, and that’s what I followed and now ended up with.

    Thanks

    #26104

    AITpro Admin
    Keymaster

    The standard WP WYSIWYG Editor should not be affected by this code so you probably have a plugin or theme installed that does something additional to the WP Editor.  Since the WP editor is based on TinyMCE, which is primarily javascript based then typically you will not see any BPS Security Log entries that log exactly what is being blocked, but check your BPS Security Log file and see if you see any Security Log entries for this.  Also post the names of any plugins that you have installed that would do anything with the WP Editor.  It is also possible that your theme has bundled plugins with the theme.

    #26107

    alexb
    Participant

    BPS Security Log file doesn’t show anything related to that.

    I switched back to the default WP theme, same issue.

    Plugins that might have anything to do with this:
    AddToAny Share Buttons (post related, but they don’t seem to do anything with the visual editor)
    Disable Comments (same as above)
    PHP Code for posts (used to dynamically insert URL and WP sitename on legal pages, should be harmless?)
    Simple Custom CSS (offers some boxes to input custom CSS that would override the theme CSS)

    #26108

    AITpro Admin
    Keymaster

    hmm maybe the PHP Code for posts plugin, but probably not.  I would like to login to this site to see what is going on.  Send a temporary WordPress Administrator user account to:  edward at ait-pro dot com.

    #26109

    AITpro Admin
    Keymaster

    Actually hold on and do not send the login information yet.  I am going to download and test this plugin.  It is actually a very likely cause of what is going on after reading what this plugin does.  And the root problem may be that admin-ajax.php needs to be whitelisted.

    #26110

    AITpro Admin
    Keymaster

    I have tested the PHP Code for posts plugin (used a very basic PHP code snippet for testing) and it appears to work fine without any issues/problems and the Editor is not blank.  So send me a login to this site to figure out what is going on.

    #26111

    alexb
    Participant

    Thanks. After turning on and off a bunch of plugins, I finally found one that is causing this. It’s a 3rd party one I purchased in the past and not available in the WP repository. Could you point me in the right direction of how to whitelist parts of a plugin or troubleshoot what needs to be whitelisted?

    #26112

    AITpro Admin
    Keymaster

    Since there is not a Security Log entry to look at to see exactly what is being blocked then I have no idea what to whitelist.  It obviously has something to do with javascript and must be hooking into the TinyMCE javascript and the other factor is the:  Header set X-Content-Type-Options nosniff code deals with Headers.  So you would either need to send me the plugin for testing to find out what needs to be whitelisted or contact the author of that plugin and find out how the plugin works exactly. ie what it is doing in the background, what dependent files it uses like admin-ajax.php, what does it do with Headers, how is it hooking into the TinyMCE Editor, etc.  Or maybe something conditional like this below would work, but I doubt it since Headers are a completely different animal. Worth a try anyway.

    # Creates a conditional check for is not post.php
    # Apache patterns are PCRE, so the "is not" check is a negative lookahead;
    # a leading "!" is not a negation operator inside a FilesMatch pattern
    <FilesMatch "^(?!post\.php$).+$">
    <IfModule mod_headers.c>
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    </IfModule>
    </FilesMatch>
    #26118

    alexb
    Participant

    You’re a champ! I tried your first code-box as is (and added the click jacking code) and it worked right out of the box – visual editor is back!

    #26122

    alexb
    Participant

    Ok I now have this custom code and the visual editor works: Am I good to go, no security concerns with this since the visual editor forms can only be accessed from the backend?

    # Creates a conditional check for is not post.php
    # Apache patterns are PCRE, so the "is not" check is a negative lookahead;
    # a leading "!" is not a negation operator inside a FilesMatch pattern
    <FilesMatch "^(?!post\.php$).+$">
    <IfModule mod_headers.c>
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    Header always append X-Frame-Options SAMEORIGIN
    </IfModule>
    </FilesMatch>
    #26125

    AITpro Admin
    Keymaster

    Wow I am actually a bit surprised that it worked, but that is great that it worked.  Yep, correct that someone would have to be logged into your wp-admin backend in order to be able to access the post.php file so it is very safe to add that condition.

    #31869

    Grant
    Participant

    Hello,

    I also just got the paid version yesterday but have been using the free version for a while. Great plugin, thanks! To install the BPS Pro, I followed the Installation, Activation & Setup Wizard Video Tutorial and added in extra some custom code. Am I correct in thinking that the custom code for this sniffing protection, Speed Boost Cache and other custom code all go in the same CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE box, like so:

    # BEGIN WEBSITE SPEED BOOST
    # (the <IfModule> guards and </FilesMatch> closers below are restored;
    # the forum rendering dropped the angle-bracket lines)
    # Time cheat sheet in seconds
    # A86400 = 1 day
    # A172800 = 2 days
    # A2419200 = 1 month
    # A4838400 = 2 months
    # A29030400 = 1 year
    
    # Test which ETag setting works best on your Host/Server/Website
    # with Firefox Firebug, Firephp and Yslow benchmark tests.
    
    # Create the ETag (entity tag) response header field
    # This is probably not the optimum choice to use.
    #FileETag MTime Size
    
    # Remove the ETag (entity tag) response header field
    # This is most likely the optimum choice to use.
    <IfModule mod_headers.c>
    Header unset ETag
    </IfModule>
    FileETag none
    
    <IfModule mod_expires.c>
    ExpiresActive on
    # ExpiresByType overrides the ExpiresDefault...
    # cache expiration time of 2 days|A172800.
    ExpiresDefault A172800
    ExpiresByType image/jpg A4838400
    ExpiresByType image/jpeg A4838400
    ExpiresByType image/gif A4838400
    ExpiresByType image/png A4838400
    ExpiresByType image/bmp A4838400
    ExpiresByType image/x-icon A4838400
    ExpiresByType image/svg+xml A4838400
    ExpiresByType text/javascript A4838400
    ExpiresByType text/x-javascript A4838400
    ExpiresByType text/css A4838400
    ExpiresByType text/html A4838400
    ExpiresByType application/x-font-ttf A4838400
    ExpiresByType application/x-font-woff A4838400
    ExpiresByType font/opentype A4838400
    ExpiresByType application/x-shockwave-flash A4838400
    ExpiresByType application/x-javascript A4838400
    ExpiresByType application/javascript A4838400
    ExpiresByType video/mp4 A4838400
    ExpiresByType video/ogg A4838400
    ExpiresByType video/webm A4838400
    </IfModule>
    
    <IfModule mod_headers.c>
    <FilesMatch "\.(js|css|flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|gif|jpg|jpeg|png|swf|webm)$">
    Header append Cache-Control "public"
    </FilesMatch>
    <FilesMatch "\.(txt|html)$">
    Header append Cache-Control "proxy-revalidate"
    </FilesMatch>
    <FilesMatch "\.(php|cgi|pl|htm|xml)$">
    Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
    Header set Pragma "no-cache"
    </FilesMatch>
    </IfModule>
    
    <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/xml-dtd
    AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
    AddOutputFilterByType DEFLATE font/otf font/opentype application/font-otf application/x-font-otf
    AddOutputFilterByType DEFLATE font/ttf font/truetype application/font-ttf application/x-font-ttf
    AddOutputFilterByType DEFLATE image/svg+xml
    
    # Drop problematic browsers
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
    
    # Make sure proxies don't deliver the wrong content
    Header append Vary User-Agent env=!dont-vary
    </IfModule>
    # END WEBSITE SPEED BOOST
    
    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: SAMEORIGIN - iFrames from the same site are allowed - other sites are blocked
    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    Header always append X-Frame-Options SAMEORIGIN
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    </IfModule>
    

    Also, I have a site that allows and encourages users to login with their social media accounts and contribute content. Is there anything on BPS Pro I should/n’t activate?

    Thank you.

    #31870

    AITpro Admin
    Keymaster

    @ Grant – The MIME sniffing|Drive-by Download Attack Bonus Custom Code, the External iFrame|Clickjacking Bonus Custom Code and the Speed Boost Cache code all go in the CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE text box.  The order of the Bonus Custom Code is important in this particular Custom Code text box – see below.  Other Bonus Custom Code may go in other BPS Custom Code text boxes.  Each Bonus Custom Code forum topic has exact setup steps for where you would add the Bonus Custom Code in BPS Custom Code.

    This code goes after php/php.ini handler .htaccess code (if you have php/php.ini handler .htaccess code) and before any caching .htaccess code (if you have any .htaccess caching code). The order would be: 1. php/php.ini handler .htaccess code, 2. the X-Content-Type-Options nosniff htaccess code and then 3. htaccess caching code in this Custom Code text box.

    Regarding your Social Media Login plugin or theme feature: You can either test things yourself to make sure they work correctly or post a link to your website and I will test things or email me a link to your website and I will test things. If/when BPS blocks something legitimate in another plugin or theme, whatever legitimate thing that is being blocked, will be logged in your BPS Security Log file and a whitelist rule can be created based on the Security Log entry to allow whatever is being blocked by BPS. See this BPS Pro troubleshooting link for more information on BPS Pro troubleshooting help information and troubleshooting steps: https://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

    #32540

    Qtwix
    Participant

    Hi,

    I just set up my first site with BPS Pro. If I include the code here “Header set X-Content-Type-Options nosniff”, it breaks the layout of the backend pages of the BPS Pro plugin itself, so all the readme text boxes extract in full text in between the other backend page elements. Hence, it results in a huge backend BPS backend page. If I comment the code out, all the BPS backend pages look correct.

    Any suggestion?

    Thanks!

