I am building an android app which is supposed to connect to a server of mine, such that the server performs OAuth2 authentication at a third-party website. In this website there is a button which submits a form via a POST request when clicked. Clicking the button is part of the authentication process.
The problem is that the third-party website's server enforces the same-origin request policy, so a simple AJAX request with application/x-www-form-urlencoded won't do the job - it will get denied due to CORS. As it stands, the only workaround is to somehow click on that button.
How do I do this in Node.js, where there is no window, DOM, etc.?
The CORS mechanism is specifically intended to regulate interactions between a browser and a server. The server sets the rules for how other origins are allowed to interact with it, but ultimately it relies on the browser to enforce these rules - and the browser actually provides the guarantee that it will.
Server to server interactions on the other hand aren't subject to CORS, so you can freely interact with other origins directly from your server regardless.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
I'm developing a web app with React and a GraphQL API with Node.js / Express. I would like to make the API more secure so that it's harder for API requests that don't come from the web app in the browser to get data. I know how to do it with registered users. But how do I let non-registered users still access some basic data needed for the app?
Is it possible to put some kind of key in the web app - so the API call can't be replicated for others through sniffing the network dev tool in browser and replicating in Postman? Does SSL/TLS also secure requests in that browser tool? Or use like a "standard" user for non-registered visitors?
It's a server-side web app with Next.js.
I know there's no 100% secure API, but maybe it's possible to make it harder for unauthorized access.
Edit:
I'm not sure if this is a problem about CSRF, because it's not about accessing user data or changing data through malicious websites etc. It's about other people trying to use the website data (all GET requests to the API), who can easily build their own web app on top of my API. So no one should be able to easily query my API through simple Postman requests.
The quick answer is no, you can't.
If you are trying to prevent what can be described as legit users from accessing your API, you can't really do it. They can always fake the same logic and hit your web page first before abusing the API. If this is what you're trying to prevent, your best bet is to add rate limiting to the API to prevent a single user from making too many requests to your API (I'm the author of ralphi, and express-rate-limit is very popular).
But if you are actually trying to prevent another site from leeching off you and serving your content to their users, it is actually easier to solve.
Most browsers send a Referer header with the request; you can check this header and see that requests are actually coming from users on your own site (this technique is called Leech Protection).
A leeching site can try to proxy requests to your API, but since they are all going to come from the same IP they will hit your rate limiting, and it can only serve a few users before being blocked.
One thing the leecher site can do is try to cache your API so it won't have to make so many requests. If this is a possible case you are back to square one, and you might need to manually block its IP once you notice such abuse. I would also check if it's legal, because it might be breaking the law.
Another option similar to the Referer is to use SameSite cookies. They will only be sent if the request is coming directly from your site. They are probably more reliable than the Referer, but not all browsers actually respect them.
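The three measures in this answer (Referer/Origin check, per-IP rate limiting, SameSite cookies), written out as an added example in plain Node.js rather than the answer's own code or the ralphi/express-rate-limit libraries. The origins, IPs and request shapes are constructed; the functions take an Express-style `req` (`req.ip`, lower-cased `req.headers`) but do not depend on Express. The same per-IP gating is what a later answer on this page suggests against scraping.

```javascript
// Added example: leech protection + per-IP rate limiting + SameSite cookie, Node.js.

// 1. Leech protection: accept a request only when its Origin (or Referer) names
// one of our own origins. Browsers set both headers themselves, so a page on
// another site cannot forge them; a non-browser client can, which is why this
// is paired with rate limiting rather than used alone.
function isOwnSiteRequest(headers, ownOrigins) {
  const value = headers.origin || headers.referer; // Node lower-cases header names
  if (!value) return false;                          // Referrer-Policy may strip Referer
  let origin;
  try { origin = new URL(value).origin; } catch (e) { return false; }
  return ownOrigins.includes(origin);                // exact origin match, not a prefix
}

// 2. Fixed-window rate limiter keyed by client IP. A site that proxies its users
// through its own server funnels them all into one bucket.
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }
  allow(ip, now = Date.now()) {
    const b = this.buckets.get(ip);
    if (!b || now - b.start >= this.windowMs) {
      this.buckets.set(ip, { start: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// 3. The session cookie: SameSite=Strict means the browser only attaches it to
// requests initiated from our own site.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// One decision for a public (unauthenticated) API route.
function decide(req, ownOrigins, limiter, now) {
  if (!isOwnSiteRequest(req.headers, ownOrigins)) return { status: 403, reason: 'not from our site' };
  if (!limiter.allow(req.ip, now)) return { status: 429, reason: 'rate limited' };
  return { status: 200, reason: 'ok' };
}

// Constructed sample traffic: our own users, a proxying site, and a direct client.
function demo() {
  const ownOrigins = ['https://app.example.com'];
  const limiter = new RateLimiter(3, 60000);
  const t0 = 1700000000000;
  const results = [];
  // three users on different IPs, each referred from our own page
  for (const ip of ['10.0.0.1', '10.0.0.2', '10.0.0.3']) {
    results.push(decide({ ip, headers: { referer: 'https://app.example.com/page' } }, ownOrigins, limiter, t0).status);
  }
  // one IP relaying many users: the 4th request inside the window is blocked
  for (let i = 0; i < 4; i++) {
    results.push(decide({ ip: '203.0.113.5', headers: { origin: 'https://app.example.com' } }, ownOrigins, limiter, t0 + i).status);
  }
  // a direct API client that sends no Origin or Referer at all
  results.push(decide({ ip: '198.51.100.9', headers: {} }, ownOrigins, limiter, t0).status);
  return results; // [200, 200, 200, 200, 200, 200, 429, 403]
}

module.exports = { isOwnSiteRequest, RateLimiter, sessionCookieHeader, decide, demo };
```

In a real deployment the limiter state should live in a shared store (Redis or similar) so that several API instances count the same client, and `req.ip` should be derived from a trusted proxy header only when your own load balancer sets it.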
As far as I know, 'Access-Control-Allow-Origin' is used as part of CORS to limit which hosts can request data from a given API server. This flag/variable value is set by the server as part of a response.
I did happen to stumble upon this chrome extension which says:
Allows you to request any site with ajax from any source. Add to
response - 'Access-Control-Allow-Origin: *' header
Developer tool.
Summary Add to response header rule - 'Allow-Control-Allow-Origin: *'
Hint Same behavior you can get just using chrome flags [http://www.chromium.org/developers/how-tos/run-chromium-with-flags]
chrome --disable-web-security
or
--allow-file-access-from-files --allow-file-access --allow-cross-origin-auth-prompt
So that means from the client side I can change the response header. So it means that if I set on the server 'Access-Control-Allow-Origin : http://api.example.com', this setting can be overwritten by the client with 'Access-Control-Allow-Origin : *'. Or maybe I do not want to support CORS, so I don't set it, but this will still show as if I do support CORS.
If that is the case, what is the point in having my server-side setting? Isn't that left redundant?
Maybe I am being too naive here, and not getting the basics of it.
CORS is a security feature to protect clients from CORF, or Cross Origin Request Forgery. It is not intended to secure servers, as a client can simply choose to ignore them.
An example of CORF would be visiting a website, and client-side code on that website interacting with another website on your behalf, doing things like submitting data to a website, or reading data that requires authentication as you, all with your active authentication sessions.
Theoretically, without CORS, it would be possible to create a website that will fetch your email from a webmail provider (provided you are logged in at the time), and post it back to a server for malicious individuals to read.
To avoid this, you shouldn't browse the web with such security features disabled. It's available to ease development, not for general browsing.
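An added example (not from the question or the answer) that makes the asymmetry concrete: the server's only job is to state which origins it vouches for, and the browser is the party that decides whether page script may read the response. The extension from the question is modelled as a rewrite of the response inside one user's browser, which shows why it changes nothing for anyone else. The allowlist and origins are constructed.

```javascript
// Added example: server-side CORS decision vs. browser-side enforcement.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed allowlist

// Server side: which CORS headers to attach to a response, given the request.
function corsHeaders(reqHeaders, method) {
  const origin = reqHeaders.origin;
  // No Origin header: same-origin navigation or a non-browser client such as
  // curl. There is nothing to grant; the client simply receives the response.
  if (!origin) return {};
  // Origin not on the allowlist: send no CORS headers. The server still answers;
  // it is the browser that will refuse to hand the body to page script.
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  const h = {
    'Access-Control-Allow-Origin': origin,        // echo the specific origin, never '*' with credentials
    'Vary': 'Origin',                             // caches must key on Origin
    'Access-Control-Allow-Credentials': 'true',
  };
  if (method === 'OPTIONS' && reqHeaders['access-control-request-method']) {
    // Preflight: list what the browser may then send in the real request.
    h['Access-Control-Allow-Methods'] = 'GET, POST';
    h['Access-Control-Allow-Headers'] = reqHeaders['access-control-request-headers'] || 'Content-Type';
    h['Access-Control-Max-Age'] = '600';
  }
  return h;
}

// What the browser extension in the question does: rewrite the response headers
// locally, inside that one browser, after the server has already answered.
function extensionRewrite(responseHeaders) {
  return { ...responseHeaders, 'Access-Control-Allow-Origin': '*' };
}

// Browser side: may script running at `pageOrigin` read this response?
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (!acao) return false;
  if (acao === '*') return !withCredentials;       // '*' is refused for credentialed requests
  return acao === pageOrigin;
}

module.exports = { corsHeaders, extensionRewrite, browserAllowsRead };
```

Running `corsHeaders` for an unlisted origin returns no headers, and `browserAllowsRead` then refuses; after `extensionRewrite` the same user's browser would allow an uncredentialed read, but every other visitor's browser still sees the server's original answer, which is what the server-side setting is for.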
I'm developing a web application using Java EE and some open source components (Spring, Struts 2, jQuery, and so on). Some of my web pages require authentication (Spring Security) and others do not. I wrote some REST APIs (Restlet) and I use them from my pages by AJAX calls (jQuery). I know that other web sites cannot use my REST APIs unless I enable CORS, and this is what I want.
However, any non-browser client (curl, Java applications, and so on) can call my REST APIs: how can I forbid this? I cannot use authentication for all REST APIs because I use some of them in web pages that should not require authentication. I know that some APIs (like the Facebook SDK) require an application-id in order to enable calls, but anyone can steal the key from the JavaScript code included in my web pages.
I would like to recognize from the server side if an HTTP request has been sent from a browser or from another client application, in order to apply some kind of authentication only in the second case. As far as I'm concerned, any client application can set any HTTP header, so I cannot rely on HTTP headers, can I? I think that my problem should be a common problem, so maybe I am missing something.
There's nothing you can do.
Most folks are worried about unauthorized users using their applications. You're worried about unauthorized programs.
Yet everything that a program needs to communicate with your server, it will be told (by the server as in a token, or by the user as in a credential).
Why are you afraid of "non-browser" clients? Why do you care what client they use? How is a non-browser client different than a normal browser for your use cases?
Answer that question, and you'll find better answers.
Are you afraid they'll "screen scrape" your site, quickly download it with something like wget? Then you can put in some server side rule gating their access (if IP x.y.z.w makes more than Q requests per BLEEM of time, then discard request/sleep 10s/send content REALLY slowly).
Those kinds of measures are what you have to do. You can't "secure" the client, it's not your client to secure. You have to secure your server, and address the concerns head on.
Remember rule #1 of client/server design: "Never trust the client". On the internet, no one knows you're a bot.
Of late I have been diving deep into web application security. While browsing I found the WebScarab tool from OWASP, which can inject possible attacks into your web application and make your application vulnerable.
I am using that tool to intercept any request which goes through my web application based on the JSF 1.2 framework. While using it I observed that whatever values are entered in form fields are shown as-is in the HttpRequest in this tool. You can modify these values and it will automatically create a new request header, and strikingly the modified values will be inserted into the DB.
Isn't it a potential attack? I mean anyone can intercept any HttpRequest and modify the parameters with the help of a tool and inject some malicious content.
My questions are:
Is it possible for everyone to intercept an HttpRequest generated from any webpage, say stackoverflow.com?
If yes, how can you avoid these modifications by an unknown user who can modify the parameters and remake the encoded URL?
If no, please explain why. I am absolutely numb.
WebScarab is a proxy:
WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.
But this requires the client (e.g. your web browser) to actually use the proxy:
In order to start using WebScarab as a proxy, you need to configure your browser to use WebScarab as a proxy. This is configured in IE using the Tools menu. Select Tools -> Internet Options -> Connections -> LAN Settings to get the proxy configuration dialog.
So only the communication of clients that use the WebScarab proxy can be intercepted.
Using WebScarab or another UI interceptor tool, a person can change the transaction data while a request is in transit from client to server.
Basically this can be avoided by applying the same validations on both the client and the server side of the application.
E.g., if the application has change-password functionality, and someone uses an interceptor and replaces the password with a new intercepted password, then while saving it should be validated on the server side whether the user entered the correct current password or not.
Which programming language can send an HTTP POST or GET from the client in a web browser?
I think Flash ActionScript, AJAX, and Java applets do not work because of cross-domain security. Thanks.
Nothing in the browser sandbox will get past cross-domain security (which is exactly the point of having a sandbox in the first place).
You'd have to write a native browser plugin or use a Java applet that asks for "unlimited system access".
Another option would be to use the one domain that you can access via XHR to act as a proxy (have some code there that fetches the result from the domain you really want to access). You can even forward cookies and such, but for the target domain it looks like the request is coming from your data center (not the end user's browser).
You can send requests with JavaScript using XHR (you may have heard this referred to as AJAX before). If you control the destination server, you can host a page on the second domain that does the AJAX request and stores the result in a window-level variable, and put that in an iframe on the first domain. After that, any time you want to make the request, you use JavaScript to refresh the iframe and grab the variable out of it.
Total hack, but AFAIK it's the only way to do it.