Remembering users of websockets - cookies

Good Afternoon,
I am hoping someone might be able to help me with a concept. I have a websocket server which pushes JSON messages out to users, I have coded in a number of admin functions for pushing broadcasts out to users, as well as disconnecting users if needed.
One of the things I would like to be able to do though is to come up with a 'near' foolproof way of 'banning' users from connecting to the server if required. This is where I am a bit lost, if I go the cookie route then it is possible that the cookies get cleared and it no longer works, I can't use the session ID either as once they disconnect they get a new session ID, and the IP address is also problematic as many would be on mobile dynamic connection.
Id appreciate any tips on how to best achieve a way of remembering the users so if I ban them, when they go to reconnect I can prevent them.
The server I am running is the supersocketserver whilst the client is HTML5.

Given your current constraints, there is no "foolproof" way to ban a person from accessing your web site.
For privacy reasons, there is no permanent way to identify a given browser. There are cookies, there are IP addresses, there are even some evil "perma-cookies" that attempt to store little pieces of identifying information in lots of places (such as flash cookies and other plug-in data) to try to make it difficult (but not impossible) for users to clear them. As you're already aware, IP addresses are not permanent and are not always tied to just one user either.
And, of course a user can certainly just use a different browser or computer or mobile device.
So, the usual way to control access is to require a user to create an account in your system before they can use your service. Then, if you want to ban a user, you ban that account. Since you will want to prevent the user from just creating a new account, you can collect other identifying information upon account registration. The more info you require and can verify, the harder it is for users to create more and more accounts. This gets to be quite a bit of work if you really want to make it difficult for users to create more accounts because you need to require pieces of identifying information that you can both verify and are hard for a rogue user to duplicate (credit cards, email addresses, home addresses, etc...). How far you go here and how much effort you put in is up to you on how much you want to keep a banned user out.

Related

Finding EC2 instance ID for someone else's instance

I use a public AMI from a third party which runs an nginx web server, and it uses the EC2 instance ID for the default admin password. I'm trying to think of any vulnerabilities with this, if I do not change the default password. Since the HTTPS server is public, is there any way someone could discover the EC2 instance ID?
I know this can be seen by anyone in my company who has ec2:DescribeInstances permission, but I'm not really concerned about that. I just want to make sure no one outside can find it.
Off the top of my head and without considering any crazy specific scenarios, I do not believe it is possible for one to retrieve this information without exploiting some sort of 0-day vulnerability we presently don't know about.
Now let's stop living in a perfect world and begin to threat model about what could potentially happen.
Depending on the functionality you have going on and some other variables, I don't think it is crazy to think the instance ID could be leaked in some manner. Let's say you exposed a web application and you had some functionality which took user input and did not validate this input, then I could see the instance ID potentially being capable of being leaked.
For all intensive purposes, let's say our host is hosting a web application which analyzes users' LinkedIn profiles and offers them career advice. In addition, let's assume that the web application poorly accepts input and does not validate that a spoofed URL has been provided instead of a LinkedIn URL, and it will provide the response details after it has made a request to the URL provided by the attacker.
Considering all these, if I was an attacker trying to get the instance ID of your host, I would navigate to the part of the web application which accepts my input and I would provide the following input, and considering the scenarios I posed above, an attacker could potentially get the desired information:
http://169.254.169.254/latest/meta-data/instance-id
How I came up with that payload was I looked at:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html#instance-metadata-ex-1
I believe that if all these prerequisites were met, then this would potentially leak the instance ID.
But until all these scenarios exist, it is not likely. I have seen some web applications which allow you to add an integration to your website poorly validate input given by the user. As such, one can exploit a server side request vulnerability to attack the host.
I hope this is a good explanation of how it could potentially happen, but again, I don't think it is likely.

Django - Detect unique users. Ignore/Ban Fraud Users

I've a web portal where user comes in and post his/her images. Now there's a contest running where people can pool in their photos and whoever has maximum likes on its image wins the contest.
So, the problem that I'm facing is one user can register as many accounts as he/she wants and like his/her own image. This will increase the number of likes on the image and the user will win, not legally but its a fraud.
So, is there any way in which I can restrict a only 1 signup from one computer. OR is there any other better way of handling this, even if I can minimize this behaviour it will be of good help.
One method I thought of is I can ask for user's phone number and can verify using an OTP. What cab be other ways of finding the fraud accounts?
Is there any way in which I can get the unique identity of the system(probably MAC address) in Django request variable via which I can allow only 1 user registration per system?
There's no foolproof way, but you can make it harder for fake users with the following steps:
Show a captcha to prevent automated sign-ups.
Track IP address when users sign-up and try to find patterns e.g. too many sign-ups from a single IP could signal fraud. It's also possible that the IP belongs to an organization and the users are genuine.
Check for suspicious IP addresses (e.g. those through VPN or cloud service providers e.g. AWS). You'll have to use a service that identifies VPN specific IP addresses. Also see : https://security.stackexchange.com/a/85416
If you want to get more technical, you could look at the highest liked photos and see if the users who liked it also liked other pictures. Look for tell tale signs. This could give you a pattern to distinguish fake & genuine likes.
Browser fingerprint
P.S. Phone number verification is also a good option since getting a disposable phone number usually isn't free. There are a few disposable free numbers that you could blacklist (search for free disposable phone number).
It is important to focus your effort on the problem. The problem that you want to solve is that people can like their own images to artificially increase their own score.
To be most effective, target the problem (multiple likes) instead of the side-issue (multiple registrations).
Here are some simple suggestions:
Prevent multiple likes from a single IP on a single image
Set a cookie when a like is given; if the cookie is set, do not accept more likes
Add a CAPTCHA. (This won't prevent multiple manual submissions, but will limit automated ones.)
There is nothing wrong with limiting registrations, but be sure to take steps first that address the core problem.

Tracking users on internet

We want to track users when they visits our competitor websites.
Suppose the user visits a.com(our site) and then visits b.com and c.com (our competitors) , we want to know the user has visited those sites. Is there a way to track this without using plugins like chrome extensions.
I know there is limitation in cookies. Is there a way to do this?
Thankfully, no.
From time to time accidental mechanisms to leak such information become known (such as, at one time, it was possible to inspect link styles to see if it's visited). Such things are regarded as serious security breaches and are swiftly eliminated by browser vendors.
Basic web security principles isolate the interaction with unrelated domains, unless both web pages willingly try to talk to each other. Furthermore, if a user visits your site first and the closes it, their interaction with you is finished - in no sane scenario would you be able to know what they do atferwards.
Not to mention the obvious fact that what you're asking is just plain highly unethical.
Unless you can get your competitors to give you access to their websites, either through include scripts or indirectly if you manage to track users through ad-networks or Facebook pings, it's not possible. You cannot access (should not be able, in any case) cookies set by another domain.
Some browsers allow access to the previously visited URL through document.referrer -- but that is not guaranteed to work, nor is reliable. In short, there's no way of doing it targeted.
Not being able to easily track people is a good thing; but it makes constructions like the on you are wanting a lot harder.

role-based methods for one web service?

I am trying to set up a (for now) really simple web service. By simple, I mean it only has a small amount of actual work to do on the code-side. It only really has one method/function: the client sends a user login, and the service responds with an otherwise very secure detail about the user (for the purposes of this question, let's say the user's birthday).
I have a lot of questions, but for now I'm wondering:
I am considering having two versions of this method. In version one, the client can only make a generic request with no variable information. The service will respond with birthday of whoever is authenticated in the client's session. In version two, the client is allowed to query any user name (so really, anything they want) and get back either the birthday or "Nothing found", etc.
The application of offering both would be so that most developers would get the birthdate of the current user so that it can be applied to that session. To extend my example: A user logs in, the developer wants to be able to have "Happy Birthday" if it is applicable. The owners of the service/data don't want the developer's client to have any access, real or conceptual, to anything about the user, even their log in, they just want to accommodate the developer's goal, as it is really nice. The developer doesn't want to be responsible for potentially having access to anything, he just wants to be nice.
Version two is available for some user-support groups. They actually need to look up birthdates of users who call in so that they can confirm that the user's are old enough to, let's say, rent a car. They may even have to look up multiple user's to see who is most eligible out of the group to get the best deal.
So I guess the big question, finally, is whether or not these two methods can exist in the same service?
The protocol, at this point, is more likely to be SOAP-based, then RESTful, so simply having URLs that both resolve to the same service but simply offer different methods is probably not an option.
What I need, ideally, is a way to reveal operations in the WSDL based on role. Obviously the documentation given to either group would reflect only the operation appropriate for the role, but ideally the developer/client would a) not see any operations they shouldn't and b) receive the same type of response for trying to use a forbidden response as they would a non-existent one and c) most ideally, receive the former-mentioned error because for their role the operation really DOESN'T exist, not because the service took extra precaution in case the client did try (which it will, FYI, but I don't want that to be the first and only level of obfuscation).
Am I dreaming the impossible dream?
Quick Addendum
I should have been more specific about this, I realize. When I say "role-based" I am referring to service-accounts, not user-accounts. So in my hypothetical situation above, the user-service app that would all for querying any user ID would be using one service-account with the privs to do so, not checking the role of the agent logged in to the session (which would be done to get to the app, obviously, but not to the service).
Why not have two methods:
GetMyBirthday();
GetBirthday(string userName);
Any user can call the first method; only privileged users can call the second method. You use role-based authorization and reject calls to the second method from unauthorized users.
I don't see why you'd want to hide methods in the WSDL based on roles. In many cases you'll be accessing the WSDL only to build a proxy in a development environment, and won't need it at runtime.

In a website with no users, are cookies the only way to prevent people from repeating actions?

I'm creating a website and I don't want to have user/membership.
However, people using the site can do things like vote and flag questionable content. Is the only way to identify and prevent users from doing this repeatedly by using cookies?
I realize a user can just clear their cookies but I can't think of another way.
Suggestions for this scenario?
Well you could map a cookie + ip-adress in a datarecord in your database. To identify the user. So if the ip exists in the database, you simply just add the cookie, but check the cookie first to avoid unessesary database calls.
This is not optimal though, since schools etc might have the same ips on a lot of computers.
You can always just adapt openid!
Marko & Visage are correct,
Just to add though, you might want to store each vote with the timestamp,IP, etc... so at least if someone does try to "game" your site, you'd be able to rollback sets of votes made from the same location or within a very short amount of time (i.e. from a bot)
+1 To all that others have already said. Here's another middle-way idea:
Use cookies as primary means of limiting voting. If a cookie is not found, check the IP address. Allow no more than, say, 1 vote per 5 minutes from the same IP.
Cookies are not enough, as you said it could be cleared/expired.
IP address tracking is also not an option because of DHCP and firewalls.
The only thing that is ~100% sure is users, but then again, one person can register multiple accounts.
I'll go with cookies, as the simplest ant least obtrusive way. If someone really wants to play the system, he will find a way whatever you try to prevent it.
Even with membership a user can register multiple times and vote.
Cookies are one way to handle this but people who know that they can delete cookie can vote again.
You can catch the IP of the voter and restrict based on that. But many people will have same IP.
Sadly there is no other way.
Yes, you are right.
HTTP is stateless, so there is no way of determining if the origin of a request you receive now is the same or different to the origin of a request you received, say, 5 minutes ago.
Cookies are the only way around this. Even server side sessions rely on cookies to maintain session identity across requests (ignoring the security nightmare of passing the sesison ID in the URL, which anyone with malicious intent can sidestep trivially).
There will always be people gaming the system if it suits them. Moreover, if you make it such that you don't need cookies at all you'd be open to very simple attacks.
I think you'll want to consider ways to increase the economic cost of users operating under a cloud of suspicion.
For example, if a user with the same cookie tries to re-submit the vote, that can obviously be stopped easily.
If a user with a different cookie but from the same IP does the same thing, it could be coming from a proxy/firewall so you may want to be cautious and force them to do something extra, like a simple CAPTCHA. Once they've done this, if they behave properly nothing new is required as long as their new cookie stays with them.
This implies that people without cookies can still participate, but they have to re-enter the letter sequence or whatever each time. A hassle, but they're likely used to sites not working without cookies. They'd be able to make an exception if required.
You really won't be able to deal with users sitting over a pool of IPs (real or otherwise) and exploiting new and dynamic attack vectors on your site. In that case, their economic investment will be more than yours and, frankly, you'll lose. At that point, you're just competing to maintain the rules of your system. That's when you should explore requiring signup/email/mobile/SMS confirmation to up the ante.
You can add GET variables and URL parts to serve as cookies - some sites do that to allow logins and/or tracking when cookies are disabled. Generate the part using source IP and user agent string, for example.
site.com/vote?cookie=123456
site.com/vote/cookie123456