caukub · SolsticeSpectrum · Oct 16, 2024 · Oct 16, 2024 · Nov 2, 2024
diff --git a/src/assets/images/resources/sawtooth-pattern.png b/src/assets/images/resources/sawtooth-pattern.png
diff --git a/src/assets/images/resources/structure-seeds.png b/src/assets/images/resources/structure-seeds.png
diff --git a/src/plugins/seedcracking.md b/src/plugins/seedcracking.md
@@ -0,0 +1,22 @@
+# Seed Cracking {#seed-cracking}
+## Basics {#basics}
+Seed cracking is a technique to discover a Minecraft world's "seed". Knowing the seed allows predicting biome and structure generation, giving a significant advantage. It can also be used to determine ore locations, potentially bypassing anti-xray measures.
+
+## Preventing Seed Cracking {#prevent-seed-cracking}
+### Changing Structure Seeds {#structure-seeds}
+1. Open `spigot.yml` in your server folder.
+2. Locate the section with preset structure seeds (e.g., `seed-village`, `seed-desert`).
+3. Change values to numbers between 1 and 2147483647.
+
+![Structure Seeds](/assets/images/resources/structure-seeds.png)
+
+### World Generation Datapacks and Plugins {#world-gen-plugins}
+Modifying world generation complicates seed cracking:
+1. Download suitable datapacks or plugins.
+2. Place in `/world/datapacks` or `/plugins/`.
+3. Restart the server.
+
+Some popular world generation plugins are [Iris](https://github.com/VolmitSoftware/Iris), [Terra](https://modrinth.com/plugin/terra) and [TerraformGenerator](https://www.spigotmc.org/resources/terraformgenerator-1-18-2-1-21.75132/)
+
+## Effectiveness {#effectiveness}
+No solution is 100% effective, but combining these methods significantly hinders seed cracking attempts.
diff --git a/src/security/proxy.md b/src/security/proxy.md
@@ -3,10 +3,22 @@ When [backend servers](~backend-server) are in [offline-mode](../general/online-
 
 In case you use Velocity, you can learn how to secure the servers [here](https://docs.papermc.io/velocity/security).
 
-For BungeeCord (Waterfall; which you should ideally not use), the security procedure is the same except that you cannot use "modern forwarding".
+For BungeeCord (Waterfall; which you should ideally not use), the security procedure is similar except that you cannot use "modern forwarding".
 
-It could be summarized as follows: If you manage the machine on which the servers run yourself, i.e. you have full access to it and no one else is using it, set the address of the [backend servers](~backend-server) to [localhost](https://docs.papermc.io/velocity/security#binding-to-localhost) (you can read what *localhost* is [here](../general/address-ports.md#localhost-address)) and configure [firewall](https://docs.papermc.io/velocity/security#operating-system-firewalls) (and on Velocity, use "modern forwarding").
+It could be summarized as follows: If you manage the machine on which the servers run yourself, i.e. you have full access to it and no one else is using it, set the address of the [backend servers](~backend-server) to [localhost](https://docs.papermc.io/velocity/security#binding-to-localhost) (you can read what *localhost* is [here](../general/address-ports.md#localhost-address)) and configure [firewall](https://docs.papermc.io/velocity/security#operating-system-firewalls).
 
-For managed hosting, on Bungee (if you don't have access to the whole machine), use a plugin like [BungeeGuard](https://www.spigotmc.org/resources/bungeeguard.79601/) instead of Velocity modern forwarding.
+For managed hosting, where you don't have access to the whole machine, be aware that traditional security plugins like [BungeeGuard](https://www.spigotmc.org/resources/bungeeguard.79601/) can currently be bypassed through vulnerability (different from [Bungee Spoofing](#bungee-spoof)) that we won't detail here for security reasons. Additionally, it's worth noting that Velocity's modern forwarding can also be bypassed with a slightly more involved version of [Bungee Spoofing](#bungee-spoof).
 
-If the proxy is in [offline mode](../general/online-mode.md#offline-mode) and you are using an authentication plugin (e.g. AuthMe), make sure that the plugin supports the proxy and that no addon or the plugin itself needs to be installed and properly configured. For example, if you use AuthMeReloaded, you need to install AuthMeBungee (do not use AuthMeBridge!) on proxy and configure both AuthMe and AuthMeBungee in the configuration properly (see AuthMeBungee documentation)!
+If the proxy is in [offline mode](../general/online-mode.md#offline-mode) and you are using an authentication plugin (e.g. AuthMe), make sure that the plugin supports the proxy and that no addon or the plugin itself needs to be installed and properly configured. For example, if you use AuthMeReloaded, you need to install AuthMeBungee (do not use AuthMeBridge!) on proxy and configure both AuthMe and AuthMeBungee in the configuration properly (see AuthMeBungee documentation)!
+
+## Bungee/Velocity Spoofing {#bungee-spoof}
+Bungee/Velocity spoofing is a method used to bypass the proxy. Here's how it works in principle:
+
+1. In a properly secured setup, backend servers are configured to only accept connections from the trusted proxy server.
+2. However, Bungee/Velocity spoof takes advantage of the fact that backend servers in "proxy mode" will accept certain types of connection data that are meant to come from the proxy.
+3. An attacker can craft a connection that mimics a legitimate proxy connection, essentially "spoofing" the identity of the Bungee/Velocity proxy.
+4. If successful, the backend server accepts this connection as if it came from the legitimate proxy, bypassing intended security measures.
+
+This vulnerability exists because the backend servers don't have a foolproof way to verify that the incoming connection is genuinely from the authorized proxy server.
+
+For Velocity spoof however, the attacker has to know the secret key which is not optional so as long as the key isn't leaked, modern forwarding stays a safer alternative to BungeeGuard which can be bypassed without knowing it's secret.
diff --git a/src/vanilla/Creative.md b/src/vanilla/Creative.md
@@ -0,0 +1,25 @@
+# Creative Mode {#creative-mode}
+Creative mode in Minecraft is a powerful tool for building, but it can pose significant security risks on multiplayer servers if not properly managed.
+
+## Hotbar Exploitation {#hotbar-exploit}
+One of the primary dangers in Creative mode is the ability to manipulate items with dangerous NBT (Named Binary Tag) data:
+
+1. Players in Creative can edit item NBT tags directly in their hotbar.
+2. This allows for the creation of items with malicious or overpowered properties.
+3. These items can potentially crash the server or give players unintended abilities when used.
+4. Players can also make these items in singleplayer and snuggle them through saved hotbars to the server.
+
+## Force OP Signs {#force-op-sign}
+A serious exploit introduced in Minecraft 1.8 involves using signs in Creative mode:
+
+1. Players in Creative can create signs with specific NBT data.
+2. When placed, these signs can forcibly grant OP to the player.
+3. This vulnerability has remained unpatched for over a decade and is still present in Spigot, Paper and other server forks.
+
+## Mitigation Strategies {#mitigation}
+To protect your server from Creative mode exploits:
+
+1. Limit Creative mode access to trusted players only.
+2. Use plugins that restrict NBT editing or item spawning in Creative.
+4. Regularly audit player inventories, chests and placed blocks for suspicious items.
+5. Keep your server software updated, as some exploits may be patched in newer versions.