I am new to the network security area, and now I am designing a REST web API.
The question is: could HTTP responses and requests be eavesdropped?
If it is impossible, then I don't need to encrypt the response JSON file and the request parameters.
It is easy to eavesdrop on an HTTP request, and even to tamper with and modify it before it reaches the server.
HTTP sends/receives data in clear text; use HTTPS (SSL) if you want it to be encrypted.
Simple question. I would like to know when request headers are sent. Before or after an HTTP to HTTPS redirect? My security concern is our 3rd party vendors contacting our API with an auth-token request header if they carelessly make requests with HTTP.
Thanks for your expertise in this matter.
You cannot prevent your 3rd party vendors from sending a token over HTTP. Well, you should change the way you use the token. It shouldn't be necessary to even send it, encrypted or not.
Use the token as a pre-shared-secret. Then the authentication works as follows:
3rd party vendor sends request to server, provides username or something else which identifies him to the server
The server sends a challenge. This is usually the application of a one-way function - a hash-function. So, the server asks the client to send a SHA1-Hash of auth-token.
The client solves the challenge by calculating the SHA1-Hash of auth-token. Then he sends the result back to the server.
The server checks the result by calculating the same SHA1-Hash of the auth-token.
Supposing that you're using a secure hash-function, an attacker has no chance of stealing the token as it is only transmitted as a hash-value.
Further reading:
https://blog.restcase.com/restful-api-authentication-basics/
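The four-step exchange from the answer above, as an added example that is not part of the original answer. It goes one step beyond the answer's description: there the challenge is fixed ("send the SHA-1 of the token"), so the client's reply is the same value every time and anyone who captures it can replay it; here the server's challenge is a random single-use nonce and the reply is an HMAC of that nonce keyed with the pre-shared token, which is the usual shape of a challenge-response login. The vendor id, the token value and the in-memory registry are constructed for the example; both the nonce-based exchange and the fixed-challenge variant are included so the replay difference can be checked directly.

```python
import hashlib
import hmac
import secrets

# Constructed vendor registry for the example: vendor id -> pre-shared token.
# The token value is made up; it never leaves the machines that hold it.
VENDOR_TOKENS = {"vendor-42": b"0f6c1c6c4e2a9d8b1f0e3a7c5d9b2e4f"}


class ChallengeServer:
    """Server side of the exchange: issues a fresh nonce, checks the answer once."""

    def __init__(self, tokens):
        self.tokens = tokens
        self.pending = {}  # vendor id -> outstanding nonce

    def challenge(self, vendor_id):
        # Steps 1 and 2: the vendor identifies itself, the server replies with a
        # random, single-use challenge rather than a fixed "hash the token".
        if vendor_id not in self.tokens:
            raise KeyError("unknown vendor")
        nonce = secrets.token_hex(16)
        self.pending[vendor_id] = nonce
        return nonce

    def verify(self, vendor_id, answer_hex):
        # Step 4: recompute the keyed hash. The nonce is consumed whether the
        # answer is right or wrong, so a captured answer cannot be replayed.
        nonce = self.pending.pop(vendor_id, None)
        if nonce is None:
            return False
        expected = hmac.new(self.tokens[vendor_id], nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, answer_hex)


def client_answer(token, nonce):
    # Step 3: the vendor proves it holds the token without transmitting it.
    return hmac.new(token, nonce.encode(), hashlib.sha256).hexdigest()


def run_exchange(server, vendor_id, token):
    """Drive both sides; return (accepted, the answer that crossed the wire)."""
    nonce = server.challenge(vendor_id)
    answer = client_answer(token, nonce)
    return server.verify(vendor_id, answer), answer


# The answer's literal scheme, kept for contrast: SHA-1 of the token, no nonce.
def static_answer(token):
    return hashlib.sha1(token).hexdigest()


def static_verify(token, answer_hex):
    return hmac.compare_digest(static_answer(token), answer_hex)


if __name__ == "__main__":
    srv = ChallengeServer(VENDOR_TOKENS)
    ok, wire = run_exchange(srv, "vendor-42", VENDOR_TOKENS["vendor-42"])
    print("genuine vendor accepted:", ok)
    # An eavesdropper who captured `wire` cannot reuse it: new challenge, new nonce.
    srv.challenge("vendor-42")
    print("replayed answer accepted:", srv.verify("vendor-42", wire))
    # With a fixed challenge the captured value is a permanent credential.
    captured = static_answer(VENDOR_TOKENS["vendor-42"])
    print("fixed-challenge replay accepted:", static_verify(VENDOR_TOKENS["vendor-42"], captured))
```

The nonce is popped before the comparison so that a wrong answer also burns the challenge, and `hmac.compare_digest` is used on the server so the comparison time does not depend on how many leading characters match. The exchange still has to run over HTTPS if the request bodies themselves are sensitive; what it removes is the need to put the token on the wire at all.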
There are various ways web applications can be attacked using the vectors in the HTTP request itself. Attacks like HTTP response splitting make use of modifying the request headers themselves to exploit vulnerable applications. Apart from input validation and sanitization on the server side, the question came to my mind whether one can make the request headers immutable.
Is it possible to make it immutable?
Request headers are sent from the client to the server.
The browser itself constructs an HTTP request to send. A user with control over the client can of course change the HTTP request, including headers to anything that they want.
Therefore, making them immutable is impossible. Remember, as a general rule, anything on the client-side is up for grabs.
You can prevent headers from being altered during transit. That is, while the HTTP request is on the wire from the client to the server. For this, a technology called TLS is used (used to be called SSL, and most of the time it still is). This encrypts and authenticates the connection, making it immutable.
You can see if TLS/SSL is being used because the browser address bar will display HTTPS at the very beginning of the URL.
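Since the request side cannot be made immutable, the server-side validation the question mentions is what is left, and response splitting is the concrete case it names. The following is an added example, not code from the question or the answer: a constructed redirect handler that copies a user-supplied `next` parameter into a `Location` header, first in a deliberately vulnerable form and then with the control-character check that stops the split, plus a small parser that reads the raw response back the way a client would so the injected header is visible. The handler, the query parameter name and the attacker's payload are all made up for the demonstration.

```python
from urllib.parse import parse_qs


def redirect_vulnerable(location):
    # Constructed "before" version: the value is pasted straight into a header line.
    return ("HTTP/1.1 302 Found\r\nLocation: " + location
            + "\r\nContent-Length: 0\r\n\r\n").encode("latin-1")


def redirect_hardened(location):
    # Reject anything that could end the header line or the whole header block.
    if any(ch in location for ch in "\r\n\x00"):
        raise ValueError("control characters in header value")
    # Only allow same-site relative targets, which also rules out open redirects.
    if not location.startswith("/") or location.startswith("//"):
        raise ValueError("redirect target must be a local path")
    return ("HTTP/1.1 302 Found\r\nLocation: " + location
            + "\r\nContent-Length: 0\r\n\r\n").encode("latin-1")


def handle_login_redirect(query_string, builder):
    """Simulate a handler that sends the user on to ?next=... after login."""
    params = parse_qs(query_string)  # decodes %0d%0a back into CR LF
    target = params.get("next", ["/"])[0]
    return builder(target)


def parse_response_headers(raw):
    """Split a raw response as a client would: status line, then (name, value) pairs."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers


if __name__ == "__main__":
    # Constructed attacker input: a URL-encoded CR LF followed by a header of its choosing.
    payload = "next=/home%0d%0aSet-Cookie:%20sessionid=attacker-chosen"
    status, headers = parse_response_headers(handle_login_redirect(payload, redirect_vulnerable))
    print(status, headers)  # the client now sees a Set-Cookie the application never wrote
    try:
        handle_login_redirect(payload, redirect_hardened)
    except ValueError as err:
        print("hardened handler refused:", err)
```

Most frameworks already refuse CR and LF in header values, but the check is cheap to keep at the point where user input meets a header, and it fails closed on the raw bytes rather than relying on the framework's encoding layer.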
Suppose I have a client/server application working over HTTP. The server provides a RESTy API and the client calls the server over HTTP using regular HTTP GET requests.
The server requires no authentication. Anyone on the Internet can send a GET HTTP request to my server. It's Ok. I just wonder how I can distinguish between the requests from my client and other requests from the Internet.
Suppose my client sent a request X. A user recorded this request (including the agent, headers, cookies, etc.) and sent it again with wget, for example. I would like to distinguish between these two requests on the server side.
There is no exact solution other than authentication. On the other hand, you do not need to implement username & password authentication for this basic requirement. You could simply identify a random string for your "client" and send it to the API over a custom HTTP header variable like:
GET /api/ HTTP/1.1
Host: www.backend.com
My-Custom-Token-Dude: a717sfa618e89a7a7d17dgasad
...
You could distinguish the requests by this custom header variable and its value's existence and validity. But I'm saying "Security through obscurity" is not a solution.
You cannot know for sure if it is your application or not. Anything in the request can be made up.
But, you can make sure that nobody is using your application inadvertently. For example somebody may create a javascript application and point to your REST API. The browser sends the Origin header (draft) indicating in which application the request was generated. You can use this header to filter calls from applications that are not yours.
However, that somebody may use his own web server as a proxy to your application, allowing him then to craft HTTP requests with more detail. In this case, at some point you would be able to pinpoint his IP address and block it.
But the best solution would be to put some degree of authorization. For example, the UI part can ask for authentication via login/password, or just a captcha to ensure the caller is a person, then generate a token and associate that token with the user session. From that point the calls to the API have to provide such a token, otherwise you must reject them.
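The last answer's two checks, the Origin filter and the session token issued after login, as an added example that is not the answer's own code. It assumes one browser front end served from `https://app.example.com`, one constructed user record with a PBKDF2 password hash, and a bearer token carried in the `Authorization` header; the server stores only a digest of each token, so a leaked session table does not hand out usable credentials. A clock parameter is used instead of `time.time()` directly so that token expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: one allowed browser origin and one user whose
# password hash is computed here so the block runs stand-alone.
ALLOWED_ORIGINS = {"https://app.example.com"}
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000))}


class ApiServer:
    def __init__(self, clock=time.time, ttl=3600):
        self.clock, self.ttl = clock, ttl
        self.sessions = {}  # sha256(token) -> (username, expiry)

    @staticmethod
    def _key(token):
        # Only the digest is stored; a copy of the table yields no tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username, password):
        """UI step: check credentials, mint a random token, remember its digest."""
        record = USERS.get(username)
        if record is None:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[self._key(token)] = (username, self.clock() + self.ttl)
        return token

    def handle(self, headers):
        """API step: return (status, body) for a request described by its headers."""
        # Origin, when a browser sends it, must belong to one of our own front ends.
        origin = headers.get("Origin")
        if origin is not None and origin not in ALLOWED_ORIGINS:
            return 403, "origin not allowed"
        # The token is what actually authorizes the call; no token, no service.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing token"
        key = self._key(auth[len("Bearer "):])
        entry = self.sessions.get(key)
        if entry is None:
            return 401, "unknown token"
        username, expiry = entry
        if self.clock() > expiry:
            self.sessions.pop(key)
            return 401, "expired token"
        return 200, "hello " + username


if __name__ == "__main__":
    srv = ApiServer()
    token = srv.login("alice", "correct horse")
    print(srv.handle({"Origin": "https://app.example.com", "Authorization": "Bearer " + token}))
    print(srv.handle({"Origin": "https://evil.example", "Authorization": "Bearer " + token}))
    print(srv.handle({}))  # a replayed request without the token is rejected
```

The Origin check only constrains calls that come from a browser, which is exactly the case the answer describes; a scripted client can omit or forge the header, so the token remains the real gate. Checking the Origin before the token means a page on a foreign site is refused before its token, if it has one, is ever looked up.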
I'm sorry if this is a daft question.
I'm developing an application that uses oauth2 to integrate with a 3rd party api via a server-side flow in node.
The one thing I'd like to confirm is whether the connection is encrypted when I make the final POST request to the 3rd party API to retrieve the access token using the node https module.
From what I gather, when an https request is made from a browser, the browser handles encrypting the data on the client side. Does node encrypt the data in a similar way, or is this something that I need to implement myself?
If there is some background info that I've somehow overlooked in this regard, please let me know.
Thanks
To answer your question: if the OAuth API service you're querying is served over HTTPS, then your HTTP library (most likely request) is already handling encryption transparently for you. Any time you make a request to an HTTPS endpoint, your request WILL FAIL if the client is not handling encryption properly.
This is a newbie question.
Using HTTPS the whole time taxes servers since everything has to be encrypted/decrypted.
In case I only want to protect the session ID sent to the browser and saved as a cookie, to avoid a man-in-the-middle sniffing the session ID, I was wondering whether HTTPS can be enabled only when the browser sends the session ID along with the HTTP query, while the reply is sent by the server in plain HTTP?
Thank you.
No, this isn't possible -- the browser and server collaborate to set up a two-way channel and will use it for both directions.
In any case, a large part of the overhead from using SSL comes when setting up the connection, rather than using the connection, and you wouldn't be able to save on this overhead.
You could write a filter which took every request and redirected it to the non-HTTPS equivalent URL?
That way every request would be requested over HTTPS, then responded to over HTTP?
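What the redirect idea above does to the session cookie it was meant to protect, as an added example that is not part of either answer. Browsers follow one rule here: a cookie marked `Secure` is never attached to a plain-HTTP request, and a cookie without that attribute is attached to both. Python's `http.cookiejar` implements the same rule, so it stands in for the browser below; the cookie name, value and `example.com` host are constructed for the example. Each request is modelled as an HTTPS leg followed by the proposed redirect to the same path over HTTP.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def session_cookie(value, secure):
    # Constructed cookie as a browser would hold it after a Set-Cookie from
    # example.com; `secure` mirrors the Secure attribute on that Set-Cookie.
    return Cookie(version=0, name="sessionid", value=value,
                  port=None, port_specified=False,
                  domain="example.com", domain_specified=True, domain_initial_dot=False,
                  path="/", path_specified=True,
                  secure=secure, expires=None, discard=True,
                  comment=None, comment_url=None, rest={})


def cookie_header_sent(url, secure):
    """Return the Cookie header the jar attaches to a request for `url`, or None."""
    jar = CookieJar()
    jar.set_cookie(session_cookie("c0ffee", secure))
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def redirect_leg_check(secure):
    """Model the proposal: an HTTPS request, then the redirect to the same path over HTTP."""
    https_leg = cookie_header_sent("https://www.example.com/account", secure)
    http_leg = cookie_header_sent("http://www.example.com/account", secure)
    return https_leg, http_leg


if __name__ == "__main__":
    # Without Secure, the session ID goes over the plain-HTTP leg in the clear.
    print("no Secure attribute:", redirect_leg_check(secure=False))
    # With Secure, the plain-HTTP leg carries no session at all, so it cannot be
    # answered on behalf of the logged-in user.
    print("Secure attribute:  ", redirect_leg_check(secure=True))
```

Either way the scheme fails the original goal: the session ID is either exposed on the HTTP leg or absent from it, which is the concrete reason the accepted answer's "both directions or neither" holds for the cookie as well as for the channel.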