I am using Sencha Touch for some weeks now, and I plan to add to my webapp, a form with which users can contribute with informations. I was wondering of means of securing this form, since it will directly post entered data through an Ajax call to my server. It will not be too difficult for someone to sniff http traffic and write some script that would kill my database server sending data to my submit server side action.
I was wondering about using recaptcha, but I cannot see how to implement it or neither if someone has tried it. I am open for any other form of security that could be easily implemented in the context of sencha touch
Thx
Create some simple form of captcha if you want. Like addition of two numbers etc.
You wont prevent sniffing http traffic using a captcha, use ssl, if you send your requests using https no one can sniff your trafic.
But even that cannot prevent someone sending a crafted request to your sever trying to exploit it, since they can tell by looking at your client code what is the server expecting.
You can try to obfuscate your client code, but that wont help much either.
The only way to prevent it is by validating the requests on the server side and invalidate all the requests that can potentially harm your system.
Related
I am looking for how to to get user data and expose it in the UI without show it elsewhere in devtools - so I would like that data doesn't appear in any request response.
I considered different possibilities, as cookies or session but none of them allow to hide the data before it is displayed in the UI.
So I wonder what the usual practice is and if using socket.io would be considered a hack?
The idea is:
User is logged and visits some page, regular API requests are made and serve UI display, and is required user data for UI purposes.
As an example:
Are displayed elements to which it is possible to subscribe, so depending of user and of its subscriptions, style is different between followed and unfollowed elements.
Thank you in advance for your help.
I don't get the "why" you would want to do that. The normal user doesn't open devtools. The "hacker" user will most certainly not be prevented from getting that data. In the end there're more tools than just the browser's devtools to sniff incoming and outgoing data and since that is something you cannot prevent, there's no reason to do it in the browser in the first place.
What you can do though is encrypting the response in your backend and then decrypt in your frontend. Since you need to send the decryption password as well this will still not prevent anyone from decrypting the response messages, but obfuscating the decryption part somewhere in your code can at least make it a little more difficult (emphasize "little").
I am working on a small project where my clients will have a control panel with which they can (obviously) control their gameservers. What bothers me is them sending the request to START/STOP the server. I tend to give the buttons an onclick function that makes a call using ajax, but I don't know if this is the best way to do this.
Right now I pass the users ID and the server's ID and then perform the operation he had requested.
It seems to me that there must be a better way, but I don't see it yet.
P.S. Currently the REST API for server control doesn't need any authentication. Still not sure how I could implement this without passing their information too much.
I am building a web app wherein a user can like some choices displayed on the page.
I want to build this like/unlike system in the most efficient way possible. Does every press of the like button need to send an http request to the node.js server to modify user data in Mongo?
I'm asking since I will be having a python script as a recommender system that listens to every change happening in MongoDB.
Yes, every click should go to the server by making a callback. Someone can say that:
you can also do tweaks with this functionality like pop all the ids of posts liked by a specific user in an array and send it back at the end of its session or after a specific amount of time.
But think what if that array somehow lose the data by mistake ? Or the session is failed due to some reasons? Also, how will other users see that which post is liked or not ?
See these are the reasons we always send the response back each time. However JQuery and other frameworks are there to make it fast.
Does every press of the like button need to send an http request to the node.js server to modify user data in Mongo?
You need to get your data to the server somehow, yes. An HTTP request is generally a good choice, and doesn't have to be as heavyweight as it once was.
Firstly, your server should be enabling HTTP keep-alive, where the underlying TCP connection stays open for some amount of time once the request is finished. That way, subsequent requests can be made on the same connection.
Additionally, you should ensure you have HTTP/2 enabled, which is a more efficient protocol due to its binary nature. More importantly, headers like Cookie and what not aren't sent over and over again.
By following these best practices, you'll find that your request/responses are just a few bytes down the wire of an existing connection. And, you won't have to change anything in your code to do it!
I'm developing a web app with React and an GraphQL API with Node.js / Express. I would like to make the API more secure so that its harder for API requests that don't come from the web app on the browser to get data. I know how to do it with registered users. But how to make the non-registered user still be able to access some basic data needed for the app?
Is it possible to put some kind of key in the web app - so the API call can't be replicated for others through sniffing the network dev tool in browser and replicating in Postman? Does SSL/TLS also secure requests in that browser tool? Or use like a "standard" user for non-registered visitors?
Its a serverside web app with next.js
I know theres no 100% secure api but maybe its possible to make it harder for unauthorized access.
Edit:
I'm not sure if this is a problem about CSRF because Its not about accessing user data or changing data through malicious websites etc. But its about other people trying to use the website data (all GET requests to API) and can easily build there own web app on top of my api. So no one can easily query my api through simple Postman requests.
The quick answer is no you can't.
If you trying to prevent what can be describe as legit users form accessing your api you can't really do it. they can always fake the same logic and hit your webpage first before abusing the api. if this is what your trying to prevent your best bet is to add rate limiting to the api to prevent a single user from making too many request to your api (I'm the author of ralphi and
express-rate-limit is very popular).
But if you are actually trying to prevent another site form leaching of you and serving content to their users it is actually easier to solve.
Most browsers send Referrer header with the request you can check this header and see that requests are actually coming from users on your own site (this technique is called Leech Protection).
Leaching site can try and proxy request to your api but since they all going to come from the same IP they will hit your rate limiting and he can only serve a few users before being blocked.
One thing the Leecher site can do is try to cache your api so he wont have to make so many requests. if this is a possible case you are back to square one and you might need to manually block his IP once you notice such abuse. I would also check if it's legal cause he might be breaking the law.
Another option similar to Referrer is to use samesite cookies. they will only sent if the request is coming directly from your site. they are probably more reliable than the Referrer but not all browsers actually respect them.
Of late I have been diving deep into web application security. While browsing I found WebScarab Tool from OWASP which can inject possible attack in to your web application and make your application vulnerable.
I am using that tool to intercept any request which goes through my web application based on JSF 1.2 Framework. While using I observed that whatever values are entered in form fields are shown as it is HttpRequest in this tool.You can modify these values and it will automatically create a new request header and strikingly the modified values will be inserted into the DB.
Isn't it a potential attack? I mean anyone can intercept any HttpRequest and modify the parameter with the help of a tool and inject some malicious content,
My questions are:
Is it possible for everyone to intercept HttpRequest generating from any webpage, say stackoverflow.com?
If yes, how can you avoid these modification by an unknown user who can modify the parameter and remake the encoded URL?
If no, please explain why? I am absolutely numb?
WebScarab is a proxy:
WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser.
But this requires the client (e.g. your web browser) to actually use the proxy:
In order to start using WebScarab as a proxy, you need to configure your browser to use WebScarab as a proxy. This is configured in IE using the Tools menu. Select Tools -> Internet Options -> Connections -> LAN Settings to get the proxy configuration dialog.
So only the communication of clients that use the WebScarab proxy can be intercepted.
Using WebScarab or other UI Interceptor tool, person can Change the Transaction data in between of processing of request from Client to Server.
Basically this can be avoided by applying Same Validations at both Client and Server side of the application.
eg, if Application has Change pwd functionality, and someone tries Interceptor and modifies the pwd with new intercepted Pwd., while saving it should be validated on server side , whether user entered correct password or not.