This is probably a very basic/introductory thing, but let me paint a scenario:
Let's say I'm using jQuery to do some sort of mini quiz game on my site. The user clicks the correct answer, and then a window pops up with a secret "winner's code" that they can redeem elsewhere.
How can I generate the winner's code so that it doesn't just appear in the HTML and in a way that users cannot reverse-engineer it (at least without considerable effort)?
I mean, if I just generated an encoded string containing their username and some sort of additional information only I know, that would work, right? Or MD5 hash or something, but how do I make it so the winner's code itself doesn't appear in the HTML, and only when the correct answer is chosen?
Thank you for any suggested reading/tutorials/assistance/advice you can offer.
If I understood you correctly, you just want the code to appear whenever the correct answer is chosen?
If so, just have a PHP page to which you send the answer the user chose in a GET/POST variable. Then, have that PHP page show the code only if the answer was correct. That way it won't be in the HTML if the answer is incorrect.
So for example, your PHP page would look like:
<?php
if ($_GET["answer"] == "correct_answer") {
echo "give the code here";
} else {
echo "sorry the answer was incorrect";
}
?>
Additionally, if you want the above to appear in a javascript popup or something, fetch it using Ajax.
There are a couple of questions there.
1) How to generate a secure code:
if you are implementing a 'winner code' you could use an hashed iv + secret + user information, or some signing mechanism. You could also implement a code expiry time on the server so that you could further raise the bar, if necessary.
2) Getting the code to the winning user:
If you don't want the code to appear in the html, then you want to use ajax to get it. Then inject the code into the DOM where you want to display it. Further, you should be using a secure SSL channel to do this so that you guard against sniffing. Even further, consider some kind of 'one-time' token so that a man-in-the-middle cannot repost your code request and receive the same win code.
Hope this gives you something to consider.
First of all, for the game to be secure at all, all evaluation of winning MUST be done on a server and all redeemable codes must be uniquely created on the server and sent to the client.
It simply cannot be done on the client in a secure fashion because ALL javascript code is available for inspection by anyone. There are means of obscuring javascript code to make it more of a pain for someone to reverse engineer, but that cannot stop a determined hacker - it can only slow them down or slightly deter them. The only place where your code/algorithms for evaluating the results of the game is safe and free from manipulation is on your server.
Even then, you probably need to do something to keep one user from getting a redeemable code and then sharing it with lots of other people or getting the right answer and then having someone else write a script that submits the right answer to your server to generate limitless codes.
Related
So I posted a question the other night and an interesting reply got me to thinking. I've always done things a certain way and I try to be as safe as possible but I'm wondering what else I could be doing. This isn't related to a specific piece of code so much as a concept.
The layout is jQuery/PHP. Standard HTML and CSS.
Scenario
I write a signup form. The form includes email, password, first name, last name, zip code.
When the user submits, jquery picks it up, prevents default and submits for validation through ajax. On the php side, I'm going to verify lengths, symbols, values, etc to try and get the best possible read on the data. If it works, I continue with the signup. If a flag is tripped, I return a JSON string that has a message, an error status and other relevant information. I'm doing it this way instead of checking the jquery because of the ability for the user to open the script and make changes.
On the php side, I can only work with the information that is received. I use POST and I only call for the variables that I'm looking for. Nothing can be added to the php this way...at least not easily. I'm also using PDO and prepared statements for inputting to the db for an extra measure of security.
My question is this. When you guys are validating data, what other steps do you take to prevent security breaches? I only know what I know so this is why I ask. I'm always looking to make my code better. Obviously there are a dozen functions I can use like striptags, strip_slashes, etc but I'm really curious what everyone else does in case there might be something I could be doing better.
I tried google but looking for validation and error checking really just returns the obvious broken scripts and code snippets but not much in the way of conceptualizing a better way of doing things. Just looking for some general feedback. Thanks!
Hi I want to collect data for my program, I want to use PHP to do this(http://site.com/php?v="0.0.1"&n="Application"), how would I make the php page only work the my program, and not somebody else has the link.
How would I make sure the
There are various ways, but I think the one really simple is
Send a parameter some kind of token that only you and the end-script knows.
http://site.com/php?v=0.0.1&n=Application&token=SDGH36THGB
Now in your php-script, you can fetch the token parameter from request and check against something that is already saved.
if($_GET['token']==$myToken){
//its my script accessing the page
}else{
//You can show error or something
}
Now that was level-1, very simple ain't it. But what if someone comes to know about that token you're using. It can easily be exploited.
Level-2 can be something like, there's a formula which you and the script knows for e.g. it always set toekn as todays date in yymmyyddHH format.
So now the script can check this against actual time-frame whether this is correct or not. So everytime you make a request there's a different token value depending on the current-time and then the script checks this token against the current-time frame.
Now if someone comes to know about a single-token, then also he can't replicate, since that token will not work after an hour. You can decide a more complex logic yourself.
Level - 3 OAuth - it's pretty difficult, but the best part is you can already find very good implementation libraries with a quick google - https://www.google.co.in/search?q=oauth+in+php&oq=oauth+in+php&aqs=chrome..69i57j0l5.4208j0&sourceid=chrome&espvd=210&es_sm=122&ie=UTF-8
Have your users register their software, and on registration give them a user ID. Send that user ID as a get arg to the php page to identify the source of the request.
Have a multistep process for registering stats. Application requests a code from the server, application hashes code with a secret salt, and then application sends this salted hash back to the server along with all the usage data.
In both of these methods, you still can't tell if some user is manufacturing the requests. You're writing the client in Java, which means that no matter how complicated you make the verification process your end application will be decompilable and your methods will be reproducible. The first solution has the advantage of isolating stats from individual users, so if a user does end up trying to screw with your system you could prune all entries from that user.
I was wondering how to set up a system in which an authenticated user could send, with a simple graphical interaction (cliccking a button or so) a non-replayable request/message to the server from an application or a web page.
It's crytical there's must not be a way to set up an automated system that replaces user interaction automating the request as this would totally break up my entire project.
Moreover, as this action must be frequently repeated, it should not implement boring stuff like chaptas or so.
A pratical example: let's say the web page, shown after the login, displays a button that sends the server a request. How can I be sure the request was sent because the user actually clicked the button and it wasn't some sort of bot that forged the message?
Is that even possible to check? I'm sure it is and I'm quite sure there's must be some simple implementation I'm missing, and I'm sorry if this is a trivial question.
Also, if the solution is hiding ('cause I already searched a lot!) out there, please point me to it.
Thanks for your attention.
You could use a non-graphical captcha like a simple question.
Generate a simple addition of two random integers between 0 and 10.
Add a text field to ask for the result.
The result is very easy to find (for a human being), and very quick to type.
Example:
What is the result of 7+5? Write your result here: [_]
It should only block robots and very young or very stupid people.
I have a classifieds website...
Each classified is displayed in a php page called show_ad.php
I am working on a "tip a friend" function, where users enter their own name, the friends email and a short message to the friend.
The above is no problem, however, I need to make sure bots don't use this form for "spam" etc...
One way is captcha, but I was thinking about creating my own captcha, so here is my plan, and I need you to tell me if it has any flaws:
1- On load of the show_ad.php file, I generate a random number, say 5 digits.
2- I output the number to the user, and tell users to enter this number in a form text input.
3- The number is also put into a hidden input.
4- User presses "send" button.
5- I use ajax to call a php file called send_tip.php, and I fetch the value of the hidden input, and compare it to the text-input the user entered, and see if they match, and then send the email.
Nothing is ever safe enough, but is the above enough for a classifieds website?
Thanks
UPDATE:
6- I add a table to mysql, which records ip adresses of the user who sends email, and if it exceeds more than say 3 emails per minute AND 30 emails per day, I stop them... Although then maybe just the email is enough, and I should skip the first steps with the random number? What do you think?
You might want to consider using reCAPTCHA instead of reinventing the wheel and making your own CAPTCHA.
As a nice side effect, you're helping to digitize books!
One could easily write a bot that looks at the hidden field and submits the right data.
So no, it's not secure.
No CAPTCHA's are 100% bot-proof, but 99% bot-proof is enough.
AJAX will be a huge roadblock to bots, which is secure enough.
You should give misleading names to form fields. For example, you hidden field of your "number" will be named "message", so your bot will misfill it.
However, if your site is big enough, bot programmers will re-program their bots to cope with your site...
See also: Practical non-image based CAPTCHA approaches?
It's not very safe. A better solution would be to generate that 5-digit number and store it in the session. Then generate an image that shows the number. Any bot that needs to hack this captcha needs to be able to OCR the image, which is far more complex.
Another slight advantage to this approach is that it works without the need for AJAX, although that might be a disadvantage as well, because AJAX is an extra obstacle for bots. You can, if you want, still use AJAX to request the image.
[edit]
One very great advantage of writing your own captcha, is that someone needs to write a specific bot for it. Common captchas can be hacked by generic bots that just look for signs. I've had success with protecting some of my forms by replacing a complex captcha with a simple custom made one that shows just plain text and even always requires the same answer!
Currently I'm wondering if there is a way to post to a website using captcha for a human-check. The following question is asked, ofcourse this is done with random numbers:
Type this number in digits; 'twohundredandfive': [ input ]
The form is sent using AJAX. So when reloading the website the number to be typed changes.
A way to get pass this is reading and converting the number, then post some data, but at the second request the number already has been changed (which is good). But IS there a way to avoid this?
Don't think I'm using this for bad intensions, the described form is used in one of my applications. It is just a check to get sure bots can't get pass.
Thanks so far :-)
A CAPTCHA should test whether the entity solving it is human. To my eyes, the problem you are setting looks like it would be fairly trivial to solve algorithmically.
Given that a human can pass the test, then it's certainly possible to write an automated bot which will pass it too. As to whether there is a "back door" which allows access without solving the CAPTCHA, only you can decide that by analysing your source code.
I hate CAPTCHAs. More often than not, they are unreadable to humans as well :)
I heard one Microsoft researcher offer the following scheme: put 4 pictures up, 3 of little puppies, one with a kitten. Ask the user to click the kitten. With a large enough sample base, you can create a random picture/question any time the page refreshes. No one will bother developing an algorithm to analyze photos to that degree.
read this post for another interesting idea.
Converting strings to numbers has already been discussed in another question where many references to the google calculator were given, which does a great job in such conversions, so your approach is not suitable for testing whether your user is human.
As for an alternate solution, I can only link to another great answer.