I am building a cloud hosted website to disseminate simple (non-sensitive) information to some users. This non-sensitive information is not more than a KB for each user (even with markup). The mechanism is this:
Each user has a unique string. The opening webpage displays a form, where the user enters this string and solves a captcha to submit information.
The user-specific information is stored as the salted sha256sum of the user string (in a HTML or JSON file). The user is then served this user-specific information.
The question I have is, what is an efficient architecture for this under load? One solution I thought of is: dump the user-specific information as static HTML files whose file names are <sha256sum>.html, and the server essentially issues a HTTP 302 to that page if the user enters the correct information. This could be a Flask server that does a table lookup to return a HTTP 302 or 404.
The other approach is to build a microservice that uses a JSON approach, where the page fetches the JSON names with the sha256sum using a HTTP query much like the above.
Which approach should I go with that's efficient? I'm happy to expand on the query if it isn't clear.
Related
I want to encrypt the query string values used in my MVC3 application. If i implement SSL certificate, whether all the parameters passed with url in encrypted form or not. The application is already completed, now its running appscan testing, so its very tough to encrypt and decrypt manually the query string.
As per answer given in this post
Yes, it is. But using GET for sensitive data is a bad idea for several reasons:
Mostly HTTP referrer leakage (an external image in the target page might leak the password1)
Password will be stored in server logs (which is obviously bad)
History caches in browsers
Therefore, even though Querystring is secured it's not recommended to transfer sensitive data over querystring.
I did a little bit of Web Programming here and there but I never quite understood what's meant by the word Session.
I've googled a bit here and there, read the Wikipedia article, but could never quite grasp the meaning of it.
So, what's a Session?
Session is a way of persisting your information across multiple pages and requests. When you visit the login page of any site and you provide your username and password, you won't need to provide them again on subsequent pages.
This is done by attaching a session id, unique to your request, and is sent back and forth as you navigate pages.
Session Id could be stored in cookies (file on your system), in the URL as part of query string or in the database
A session is a place for storing data for a particular visitor of your site.
You can store data there that is also available on the next page request from that visitor. If some data is stored 'in the session', it means that the data is stored somewhere (possibly in the database of the server or in files) which the server can then use to construct the web page.
The visitor will receive a temporary cookie which contains a session id, an identifier which is used to associate that visitor with the session data that is stored on the web server.
The session id is sent to the server with each request and the server can lookup the stored session data (which can then be used to construct the web page).
It's the concept of keeping state around over an inherently stateless protocol like HTTP.
If you want to keep track of a logged-in user, for example, and maybe some data associated with that user, you could send that data between the server and the client each time, which of course would be terribly insecure. Or you could keep it in a session store on the server, for example a file or a database, and just exchange an identifier for the storage location between client and server. That's usually done via cookies these days, but could also be a parameter in the URL.
To make it simple:
If you first visit the site, the server gives the client an identifier. With this the server can identify a client across several request from the client to the server. The identifier is deleted after a preset time.
The combination of this identifier and the timeframe the identifier is valid, is called session.
Hope that helps. :-)
Session: An interaction between user & server, which has an ID associated with it. So that server can pin-point & serve the users according to their requests. Cookies are basically used for storing the session information because by default HTTP is state-less.
Greetings SO Community!
I'm trying to think through a security issue with an ajax process in a highly cached environment, and could use some advice. My situation is this:
The users of the site are not logged in.
The site pages are highly cached (via akamai).
I have a service API that is to be accessed via AJAX from pages within my domain.
I need to protect that API from being used outside of my domain.
I can check the incoming "host" in the headers to see if the ajax request came from my domain, but that seems insecure, as such headers could be spoofed. Also, it seems to me that the usual token passing scheme will not work for me because my pages are cached, so I don't have the opportunity to inject tokens unique to the user/request (e.g. as described here: How can I restrict access to some PHP pages only from pages within my website?). Clearly, it's insecure to make a token request via ajax after page load, so I'm not sure how to make this happen. I suppose I could generate a shared use token that loads with the page and has a lifetime twice that of my maximum page cache life, but it seems like there must be a better way!
What are you trying to accomplish? Are you trying to prevent cross site request forgery or someone\something from using your API that is not the javascript you served to the user?
The former is accomplished via tokens that are stored in the source of the page. You can make it hard to conduct an XSRF attack by having tokens in the source ( or some code that creates tokens). Unfortunately, unless you can get unique data per user/request into the source, someone can always just grab your source and reverse engineer the token. Then they can forge requests. The general rule is don't worry about it unless the user is loged in because the attacker could just go to the page themselves.
The later(preventing unauthorized use) is impossible in anycase. An attacker can always make an account, strip the tokens/keys/credentials she needs, and then use some API on their server.
Let's say you were building a multi-step ( 5 part ) booking engine that had a fully working backend but had a layer of ajax, where you can go through all 5 steps in the initially loaded page. The steps would be:
input dates and specify availability information
availability results where you can choose rooms
input your information including credit card information
confirm information and availability
confirmation information to print
I'd assume you'd want to keep the whole site on an https protocol, I'm not quite sure what types of measures I need for encrypting or securing ajax calls while I'm loading in data and submitting the form that contains the credit card information.
To your server, AJAX requests are identical to regular HTTP/HTTPS requests. An attacker can purposefully browse to any AJAX URL and see the result. So, the primary answer is: any security mechanism you'd use for a non-AJAX website, you must also enforce on AJAX-driven requests. This includes all the authentication and authorization steps to prevent session hijacking, forceful browsing, and CSRF.
Beyond that, with extensive use of JavaScript and AJAX you are more susceptible to JavaScript injection. Encapsulating and escaping JavaScript and JSON is trickier than standard HTML.
Lastly, there are a few XML-driven attacks to be wary of when using XML based AJAX, notably the Billion Laughs Attack and XML injection.
The Web Security Testing Cookbook has a chapter on securing AJAX:
http://books.google.com/books?id=VmrSJ3V-s_MC&lpg=PP1&dq=web%20security%20testing%20cookbook&pg=PA197#v=onepage&q=chapter%2010&f=false
read this - it's excellent http://www.amazon.com/Ajax-Security-Billy-Hoffman/dp/0321491939/ref=tmm_pap_title_0
I'm working on developing a page that pulls data down only via ajax:
http://itprojectguide.org/projectmatrix/itprojectguideprojectmatrix.html
the page currently pulls a status json data file.
To authenticate I'll be adding a preliminary signin (user name/password) and I'm thinking about doing the following to ensure a valid logged in user is present:
when signing in, send the user ID, and md5 hased password - the server will return a encrypted string containing User ID, signin date, level
I will pass this encrypted string to all pages, each page will send the string and page type to the server - the encrypted string will be validated to ensure valid user and that the user has signed in within the last 24 hours (based on the date). Data will be returned based on the user's level and the page that the user is on + any page specific data (say date range or company ID depending on the date)
Will the use of the encrypted User ID, signin date, level ensure proper security? I'm looking not to use cookies...is there a better way?
Part of this effort is to use ajax/json only interaction to retrieve data for each page instead of rendering it on the server..
Since you are rolling your own session management logic, you need to ensure the following:
The string returned by the server after authentication is not guessable. You might be encrypting it to prevent tampering, but you also have to account for replay and hijacking attacks. It is for this purpose that most session IDs are generated using PRNGs.
The string is protected during transmission. It depends on what value you (or rather your customers) assign to the data in the application. If the string can be snooped from the wire leading to significant business damage, you should look at HTTPS.
Sessions eventually should expire. The longer the session is active, the greater the chance for it to eventually be discovered.
You might consider using a One Time Password:
http://en.wikipedia.org/wiki/One-time_password
Also, if you can't run things over https you might piggyback on top of various OpenID providers' HTTPS, at least for the initial login to get the session cookie.