I have developed a website with my friend. For the front-end we are using AngularJS, and for the backend we're using Laravel.
Whenever data has to be fetched, an API call is made from front-end to PHP.
My concern is that this API call is clearly visible in network panel. Then some bad guy can easily abuse this API. How can I avoid this?
In most cases exposing your API is not bad thing, but you need to think about this:
1. You should design your API, so only legitimate operations can be made. In example: person shouldn't be able to delete whole database using API.
2. You could provide some authentication mechanism if needed, so the person trying to call your API will have to be logged in (authentication token should be stored in session and verified in server-side with every API call).
If you want to hide POST/GET Params form console. Try to make JSONP call in angular . JSONP calls are not real ajax requests and won't be shown in Firebug. You can also clear the console using clearconsole() after you receive the response and you can also authenticate the requesting IP in your laravel backend.
It's just like regular routing. For example: Everybody knows that they can access a user's profile on Facebook on the /:username route, but Facebook prevents unauthorized clients from viewing that data. The same concept is used for REST routes.
Just like regular page requests, AJAX calls and the data passed / received can be seen by the user. JSONP can be used to prevent the API requests from being logged by regular developer tools, but that is not a good security solution your API can still be discerned by a malicious user.
Even if you encrypt the request payload and the response, it can be intercepted by a malicious user before encryption and after decryption.
You mentioned using proper authentication on your API, which is usually good enough for most cases.
Related
I have an android app and a php server. I send some requests, say for login and other request parameters as required by my app; and the server sends back json which is displayed in the app.
My question is how could I prevent other users from accessing the urls via the browser and getting the results?
Also most of the requests should only execute if the user is logged in. That is taken care of in the app but how in the apis? I can send an auth token to be sent along with further requests, but the same can be get by calling the login api via browser and then sending that login token with other apis. How to handle these situations and prevent access via methods other than the app to get the data?
And also does it matter in case of android apps whether I send the login password encrypted or not from the app? Or should they be encrypted at the server and then stored in the database?
This might be a very naive question, but I couldn't find an existing one here on SO. P.S. I know php apache server is not the best option but the client has an existing php server ready with the apis and he wants to use the same in the app.
With my experience in writing a JAVA REST API here are the few suggestions I can make,
1> My question is how could I prevent other users from accessing the urls via the browser and getting the results
ans: If you want the API to respond to only the requests sent by App, You can sign the request with a unique key which is known only to the app and no body else.
For example: You can generate a string by appending all the parameters you send in a specific order like username+password+param1+param2 and then apply SHA 256 or any of the hashing on that string to generate a unique string and send this string as a Authorization header value :)
At API end because you know the oder of the parameter to join, once you recieve a request regenerate the string using parameter that you have received and apply same hashing on the string and check whether the string you generated matches the request Authorization header value or not and respond to only one with proper Authorization value :)
How it works : Being un-aware of Authorization header whenever browser makes a request this vallue will not be there in request hence your APU wont respond.
On the other hand if somebody deliberately tries to track the request and realizes that Authorization header needs to be sent, still wont be able to get response from your API because he will not know the Algorithm used to generate the value nor the sequence of parameter used.
Use Cases:
All Outh API's makes use of same pattern. Read OAuth specs for clarity (Though they use ot for different purpose, you can use it to benifit your situation:) )
Example of API's : Facebook,Twitter,Google,Linked In and so on :)
2>also does it matter in case of android apps whether I send the login password encrypted or not from the app?
Ans:
It does not matter wheteher you use android apps or web browser to make request :) If you are using POST request all your parameters will be encrypted by default :) So dont worry about it :)
3>should they be encrypted at the server and then stored in the database
Ans:
Saving a password in a plain text at your data base can lead to many consequences :) So its always better to save encrypted passwords at data base :) As far as usernames are concerned its ok to save them in plain text :)
Extra peice of Info : Make sure all your api's makes use of Secure channel :) I mean make sure your API's are https :)
Hope my suggestions helped :)
So I'm working on a project that I'll provide information feed to specific business partner. There's no login required because the business partner's front-end have to pass an preallocated apiKey along with any request to the my REST API. The api only responds to requests that contain a valid apiKey, and its access level has already been predefined when we generate the apiKey.
Currently I'm using CakePHP, with curl, passing the REST request method, and the hardcoded apiKey as param. Security hasn't been an issue so far. But our team is thinking that, what if our business partner want their website to be done in recently trending JS front-end frame work such as AngularJS.
For the same scenario, such a simple task cannot be done in JS framework. I obviously cannot simply give them the client secret (apiKey) and let them include it in their client side code. Anyone can view the secret and have access to the our REST API.
Now we're talking about security, which my team really do not know much. What are the ways to overcome this issue? How to pass a client secret along with http request from AngularJS, securely, obscurely? Any suggestion or could anyone point out something that I can study into?
I had some ideas though, but they just sound not so right.
I'll just put the AngularJS in CakePHP's webroot. That would be a really dirty hack though... Just introduce unnecessary complexity.
Generate hash with the a combination of constraints such as Origin Domain / IP / Public Secret and timestamp, and on my API side, I compare the hash and return an access token for each request... something like that...
There are different options
JWT (see my article)
OAuth (pick one)
A proxy to your API
First two will require an initial authentication request, you'll get a token back that is passed in every future request to your site.
You can create a proxy, the site calls the proxy which then makes another call to the real API and adds your API key.
I've been working on an app for IG, and was looking at other websites which use the IG API. I came across this website which allows the user to login by entering their username and password directly into the site. It is then able to access the IG API and fetch things like follower count, however without the user authenticating an IG API Client as would normally be required. The app can even perform functions such as liking pictures using your account, which as far as I know also requires you to authenticate an app with elevated privileges.
My question is, how is this app able to login users without using OAUTH which appears to be the only method of authentication?
They probably use a web automation framework like Selenium to take actions like auto-linking content by actually logging in to the Instagram web site with the accounts credentials and simulating mouse clicks, etc. to get the job done. In other words their "script" just looks like a very active user to Instagram because it's all coming from interactions between a web browser and their site.
They definitely are not using the API. Several reasons you can know this:
no OAuth flow to get an access_token
they don't appear in the authorized applications section if you log in and manage your profile
what they are doing is a violation of the API Terms of Use. See the following under "shall not"
Use the Instagram APIs to post automated content to Instagram, including likes and comments that were not initiated and entered by an Instagram user.
I'm no lawyer and I have no inside information, however it seems clear enough to me that Instagram does not want this type of "bot" activity.
They claim that they have the timing set up in a way that they go undetected, but I think it's a safe bet that there are algorithms at Instagram trying to detect and prevent this type of activity and if they do, accounts would be at risk of being disabled, etc. I have not inside knowledge here, just speculation.
The Instagram application that you use from your cellphone uses HTTP/HTTPS communication with their application server. The link that you provided on the question uses to simulate those http calls to mimic as an Instagram application.
You can redirect your cell phone's Internet connection through the proxy(your own proxy server). From your proxy server catch the web requests those are being sent by the Instagram application when you are doing login, liking, etc.
It will be easy for you if the requests are through http channel. But if its through the https, then it will be really difficult to capture those. You can try with Fidler or some sort of similar softwares for this.
What I THINK is happening is the following:
They are logging your PHPSESSID and using that so you have the ability to like pictures and whatnot. They are doing all of the back-end work directly in index.php.
If you track the requests that are being sent to index.php through the Network tab in Chrome, you will see that "Cookie:_ instamacro_advcontent=1; PHPSESSID=" on the index.php file "Headers" tab.
I'm doing the same with my website that uses Vine's API(not public, btw). In a PHP file I created called api.php, I use Vine's API to perform actions. I do not use OAUTH at all. I simply use the users "x-vine-session" cookie.
On many places (Google, Yahoo, Stack Exchange... ) I found that Ajax coding (for example php+Ajax login system) is not, and cannot be secure enough. So many reserve about Ajax security, and nowhere you can find an example of secure Ajax code.
At the same time, all this sites (even Facebook, Twitter...) USES a lot of Ajax code, for registering and loging users, for commenting features etc. Seems like Top Secret matter.
So, could someone show an example of secure php-Ajax code ?
An AJAX request is just like a normal browser request, just in the background. So if you would normally have a login form that posts data to your checklogin.php, you can do the same with AJAX and its equally secure.
Another thing to keep in mind is with cross site javascript calls. This is used for example when you are creating apps on facebook to transfer data from/to your server. These request have to be signed to make sure the data is comming from a valid source. This is done by using a secret and public key. These sites use oauth to handle these request. You can also implement this in your own site, but for any regular authentication (login/post messages/etc) this will not be needed. Just code like you would if it were a regular request.
I have made a custom ajax script to parse the JSON returned from the facebook graph API feed.
I have come to terms with the fact that the access token expires, so in order to get another one I can make a request to
https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id=APP_ID&client_secret=APP_SECURITY
where APP_ID is the app id and APP_SECURITY is the app security values registered with my facebook app development account.
However I'm worried, because I'm making these requests via ajax, therefore anybody with basic chrome/firebug knowledge could access my app_id, app_security and access_token variables (from now on known as 'The Variables') held within my javascript file.
I am unsure as to what users can do this this kind of information?
Does the access token provide purely a read-only JSON output of my facebook page? Or can this information be used for more malicious purposes?
Now: before anybody replies saying that I should use php to get fetch the JSON and parse etc... I cannot, because the customer requirement is to use ajax, for the obvious asynchronous benefits.
If the variables pose no threat to my facebook account and can be only used for read only purposes, then I'll get on with my programming!
If however they must be kept secure... How can I securely pass the variables to javascript in order to keep the variable hidden?
PS. I already have pre-written php scripts to attain the variables. Just after a method to keep them secure when passing to the javascript (if necessary)
Thanks
Alex
As Commented, Never Display APP_ID and APP_SECRET publicly.
Read This. You will find out a way to automatically find your access token using php.
Using this php file, make an ajax call to it, and it will return your new access token.