On many places (Google, Yahoo, Stack Exchange... ) I found that Ajax coding (for example php+Ajax login system) is not, and cannot be secure enough. So many reserve about Ajax security, and nowhere you can find an example of secure Ajax code.
At the same time, all this sites (even Facebook, Twitter...) USES a lot of Ajax code, for registering and loging users, for commenting features etc. Seems like Top Secret matter.
So, could someone show an example of secure php-Ajax code ?
An AJAX request is just like a normal browser request, just in the background. So if you would normally have a login form that posts data to your checklogin.php, you can do the same with AJAX and its equally secure.
Another thing to keep in mind is with cross site javascript calls. This is used for example when you are creating apps on facebook to transfer data from/to your server. These request have to be signed to make sure the data is comming from a valid source. This is done by using a secret and public key. These sites use oauth to handle these request. You can also implement this in your own site, but for any regular authentication (login/post messages/etc) this will not be needed. Just code like you would if it were a regular request.
Related
I have developed a website with my friend. For the front-end we are using AngularJS, and for the backend we're using Laravel.
Whenever data has to be fetched, an API call is made from front-end to PHP.
My concern is that this API call is clearly visible in network panel. Then some bad guy can easily abuse this API. How can I avoid this?
In most cases exposing your API is not bad thing, but you need to think about this:
1. You should design your API, so only legitimate operations can be made. In example: person shouldn't be able to delete whole database using API.
2. You could provide some authentication mechanism if needed, so the person trying to call your API will have to be logged in (authentication token should be stored in session and verified in server-side with every API call).
If you want to hide POST/GET Params form console. Try to make JSONP call in angular . JSONP calls are not real ajax requests and won't be shown in Firebug. You can also clear the console using clearconsole() after you receive the response and you can also authenticate the requesting IP in your laravel backend.
It's just like regular routing. For example: Everybody knows that they can access a user's profile on Facebook on the /:username route, but Facebook prevents unauthorized clients from viewing that data. The same concept is used for REST routes.
Just like regular page requests, AJAX calls and the data passed / received can be seen by the user. JSONP can be used to prevent the API requests from being logged by regular developer tools, but that is not a good security solution your API can still be discerned by a malicious user.
Even if you encrypt the request payload and the response, it can be intercepted by a malicious user before encryption and after decryption.
You mentioned using proper authentication on your API, which is usually good enough for most cases.
I've been working on an app for IG, and was looking at other websites which use the IG API. I came across this website which allows the user to login by entering their username and password directly into the site. It is then able to access the IG API and fetch things like follower count, however without the user authenticating an IG API Client as would normally be required. The app can even perform functions such as liking pictures using your account, which as far as I know also requires you to authenticate an app with elevated privileges.
My question is, how is this app able to login users without using OAUTH which appears to be the only method of authentication?
They probably use a web automation framework like Selenium to take actions like auto-linking content by actually logging in to the Instagram web site with the accounts credentials and simulating mouse clicks, etc. to get the job done. In other words their "script" just looks like a very active user to Instagram because it's all coming from interactions between a web browser and their site.
They definitely are not using the API. Several reasons you can know this:
no OAuth flow to get an access_token
they don't appear in the authorized applications section if you log in and manage your profile
what they are doing is a violation of the API Terms of Use. See the following under "shall not"
Use the Instagram APIs to post automated content to Instagram, including likes and comments that were not initiated and entered by an Instagram user.
I'm no lawyer and I have no inside information, however it seems clear enough to me that Instagram does not want this type of "bot" activity.
They claim that they have the timing set up in a way that they go undetected, but I think it's a safe bet that there are algorithms at Instagram trying to detect and prevent this type of activity and if they do, accounts would be at risk of being disabled, etc. I have not inside knowledge here, just speculation.
The Instagram application that you use from your cellphone uses HTTP/HTTPS communication with their application server. The link that you provided on the question uses to simulate those http calls to mimic as an Instagram application.
You can redirect your cell phone's Internet connection through the proxy(your own proxy server). From your proxy server catch the web requests those are being sent by the Instagram application when you are doing login, liking, etc.
It will be easy for you if the requests are through http channel. But if its through the https, then it will be really difficult to capture those. You can try with Fidler or some sort of similar softwares for this.
What I THINK is happening is the following:
They are logging your PHPSESSID and using that so you have the ability to like pictures and whatnot. They are doing all of the back-end work directly in index.php.
If you track the requests that are being sent to index.php through the Network tab in Chrome, you will see that "Cookie:_ instamacro_advcontent=1; PHPSESSID=" on the index.php file "Headers" tab.
I'm doing the same with my website that uses Vine's API(not public, btw). In a PHP file I created called api.php, I use Vine's API to perform actions. I do not use OAUTH at all. I simply use the users "x-vine-session" cookie.
I have a jQuery script in a clientDomain.com/show.php page that shows some data loaded from a serverDomain.com/echo.php page using jQuery.getJSON(). I want that only allowed domains can show the data because I don't want that unauthorized people install the script in their own website without my permission. Is there any way to restrict the response of a jQuery.getJSON() only to certain domains? The solution should prevent also the use of iframe by the client. In conclusion, the data should be seen only if someone visit directly serverDomain.com/echo.php page or one of the allowed client domains. Thanks in advance for the support!
My request/response script works like the first example in jQuery.getJSON() | jQuery API Documentation
I can only code the client jQuery script (that will be ditribuited to the allowed domains) and the serverDomain.com/echo.php page (that is my property).
Don't do that. Use auth tokens instead that are updated regularly. Anybody can fake an HTTP referrer.
Here's a good answer on SO which covers resful api authentication: REST API Token-based Authentication
So I'm creating an app for a specific website, which has comments on certain articles/entities or whatever. I already know how to fetch those comments with RSS, but I'm also curious if I can implement a reply functionality from the app itself. The site doesn't have an API for that, but I know that when you write a comment, it sends a POST request with the contents of the form.
Is there a way to find out what that POST request looks like, so I can send a similar one from my app? The end goal is to be able to reply/post new comments from my app to that website.
Any thoughts? Just in theory.
Is there a way to find out what that POST request looks like, so I can
send a similar one from my app?
Use some debuger, like FireBug for FF or DragonFly for Opera.
so I can send a similar one from my app?
It would be not secure if anyone could see the nature of requests and make such requests in their apps. Apps may be bad and send spam.
There should be some Captcha or CSRF protection.
If there is - you plan will not work.
If there isn't - it is security hole.
My advice.
Better create some API an call it from your APP.
Simple HTTP, XML-RPC, or SOAP.
This will be more secure and nice usefull thing to know.
Look at the page which sends the post request. If the HTML code or javascript is simple you can understand which is the POST data sent to the server. Otherwise maybe you have access to the server and can look at the code there?
Point your browser with Chrome or Firefox (with the Firebug plugin) and open the inspector (Control-Alt-I / Command-Alt-I), then the "Network" tab. There you'll see real-time requests and responses to the server.
If you need to implement authentication from your app, google "cookie jar" and your language.
user signs up for a key and secret from my site, then they can send/receive from my REST server.
Where I need help is when a user interacts with the REST, how can I determine if they are authenticated using THEIR key and secret? Basicly this will be for a social network site app area. I have seen that many social networks have an app area and use REST and OAuth and sometimes OpenSocial but I have looked at those and they are a bit complex for my needs I think. As for authenticating with OAuth, I guess I do not really understand exactly how it works, maybe it is what I am looking for though? I don't need to authenticate the user who views the page that is running the API, I need the owner of the app's server to authenticate to send back and forth with my REST?
Any advice on how to do this the best way? I would like to do it the best method for future growth, so if I could do it like the big boys do (Facebook, myspcae, hi5, bebo) that would be the way to go I think.
when a request is sent it should pass the key in the URL to my server but they should have there Secret somewhere in there script, I am not clear how to make that work with each other?
OAuth is almost certainly the best way to go here. Using OAuth, you can provide authorization to almost any kind of web-based API that you would like (REST is fine, but so is plain ol' XML over HTTP).
There are some Stackoverflow articles on how to get started with OAuth.
I also find Google's implementation worth studying, as it's both well documented, and a very good implementation from which to take inspiration. They also have a very helpful "OAuth Playground" that will walk you through an OAuth request step by step.