I want to send some data using GET over http. I want to decrypt or scramble it for security reasons so instead of sending: http://www.website.com/service?a=1&b=2&b=3
i want it to look like http://www.website.com/service?data=sdoicvyencvkljnsdpio
and inside the service to be able to decrypt the message and get the real data.
What is the best approach for this?
Thanks!
You can use SSL and certificates. You can see it works here: http://mattfleming.com/node/289. You can find various tutorials on how to do that based on for your specific web-server.
What laguage are you in? If php you could look up on the mcrypt functions.
But seriosly. Probably a better way for that would be to use HTTPS, which was designed for that.
I don't know about your application but it could have relevance.
Another common tequnique is the secure token teqnique where you basically generate a hash of your params and a secret token. The token is the only thing not included in the url. At the other end you re-create that hash with the same secret token and see if itmatches. This way youc an compile security methods like IP validation, time to live timestamps or signing a request by a user.
A more advanced method is the HTTP Digest authentication
SSL and POSTing the data would be a sensible way to approach this, but if you must do it with GET you can still keep it fairly secure
The MCrypt libraries for PHP are very good, then on the receiving page you would need a checksum to be absolutely sure that the string passed hasn't been tampered with.
Related
Ok, feeling dumb. I've been following https://auth0.com/blog/securing-kubernetes-clusters-with-istio-and-auth0/ to secure a flask app through an ingressgateway.
Basically, my AuthorizationPolicy is being seen (whitelisted routes are working, other routes are denied (enforced denied, matched policy none)) but anything that requires a jwt (key: request.auth.claims[...] or even source: requestPrincipals: ["*"]) fails.
Adding Envoy debug information, I don't see any Authorization header, which may be part of the problem; flask of course stores the access token as part of its session cookie (as in the linked article). And it seems as you'd need something like that for Istio to see it in the request; I tried setting an access_token cookie directly and using an EnvoyFilter to try and break it out into an Authorization header but that didn't seem to work either (I probably got the envoy filter wrong; new to them but I was trying an envoy.filters.http.jwt_authn filter with from_cookies; nice idea but I can't even tell if it's being called).
I'm baffled at this point. How do I store the user's jwt after the OIDC shuffle in such a way that the browser sends it back in a way that Istio is happy with? By default Istio really seems to want the Authorization header, but I'm not clear how to get it (or if that's desired). Seems like an obvious pattern but searching comes up surprisingly short, which makes me feel like I'm missing something Really Obvious.
I am now facing a design question. I have made a shared library which can be used to send HTTP requests to my HTTP server. It offers GET, POST, PUT and DELETE APIs, so the user can use them to send requests directly. However, someone else can also use TCP/IP to send their own HTTP requests to my server.
My question is, how can I check if a request comes from my library or not?
Can anybody give me some suggestion?
You can use any "standard" method of authentication to verify that the requester is who they are supposed to be. Once you've determined the authenticity, provide the requester with a short term cookie that they must send with all requests. Reject any request that doesn't hold a valid cookie (except attempts to authenticate).
Technically this doesn't prevent requests from coming elsewhere other than your library. It merely restricts requests from sources that don't know your secret. But if you don't share the secret with anyone else, then you can limit yourself to only using your library which achieves the limitation to the library indirectly.
I have a 3rd party service that i've configured a webhook that triggers posting data on my url address. Now i want to restrict incoming requests to be allowed only for this service. How can i do this in Django ? Is there any trick on applying some security measures?
i'd be glad if you can provide some code snippets, please
EDITED
I can't count on the ip address of the requester, it can change in any time. I should use domain name i think
EDITED 2
I have a header called HTTP_X_REAL_IP, that contains the ip address of the service. Can i count on that header by comparing the socket ip address with properly received header ?
It appears that they don't have anything set up to easily do a test, and you aren't saying exactly what you are doing with this API, but it appears that you can query their API for information regarding a bunch of things.
What I would do is to take the information they sent you and send it back in a query to see if the information they now have matches the change they are telling you they made. If they match, it is authentic. If they don't match, discard it.
That's about the best I can tell you to do.
No, you can't use the domain name, as you don't have it when processing a request (note that normally most requesters - internet users - don't have domain names, they only have IP addresses).
The simplest solution is to add an authentication key as required parameter to your APIs. Then, you process only those API calls which provide valid authentication key.
Here is the situation, we have a site that is hosted and updated by a third party vendor. I am providing links to additional resources that are hosted on our servers. A client will access the vendor site and click on a link to gain access to our additional resources. To validate that the request came from our third party vendor I need to get the IP address of the vendors server.
My question is, is there a way to get the IP address of the vendors servers using ColdFusion? I can't use the clients IP address, I need the vendor server address the client is using.
You have to work with 3rd party to accomplish this goal, this is for sure.
I can see at least two more or less working approaches here.
(1) Append some kind of protection token to the links. Your vendor generates encrypted string or hash including some information only you two know, so you can decrypt (or generate same hash) and validate it.
Example with hashing:
moment = DateConvert("local2utc", Now());
token = Hash("SecretSaultYouBothKnow" & DateFormat(moment, "yyyy-mm-dd") & TimeFormat(moment, "-HH-mm"));
This token is passed with link and expires quickly to prevent sharing/leaking.
You can generate and validate it on your side.
It's a raw idea and there could be possible problems with validation, plus avoiding invalid links for clients (maybe skip "mm" mask as well).
Encrypted/decrypted string would work similarly. You both just need to now the secret key.
By the way, your vendor could encrypt their server IP address or other identifier for you to check it against your database and maybe apply some other actions.
(2) Your vendor could set up simple web-service for you to validate the incoming links (it could respond with 0/1 or something else simple).
Exact implementation may be different. Again, it could be some token in URL which you send back for validation.
This is similar to solution which Jason suggested: vendor could send the server-to-server request to your server on link click and then relocate to the resource. But this may be complicated because you have to be sure 1st request is already handled when client arrives.
Hope these ideas make sense.
No, there isn't. Not if the request comes directly from the client. If the vendor sends some sort of a message first you can use that to validate. Or if the vendor's server is the one making the request on behalf of the client then you could use CGI.REMOTE_ADDR. But if the vendor is just providing a link to your site, then no, you cannot be assured of the IP of the vendor's server.
The closest you could come is to check the HTTP_REFERER, as Jeremy said above, but that can be spoofed (very easily), so it wouldn't be very secure.
To access the CGI variables available to ColdFusion, you can do something like this:
<cfset ThisIP = CGI.SERVER_NAME>
There are many useful CGI variables available here:
http://www.perlfect.com/articles/cgi_env.shtml
try placing a page on your server that uses the cfhttp tag to fetch:
http://www.dslreports.com/whois
That will give you the IP address of the web server.
Because I don't exactly know how any auth method works I want to write my own.
So, what I want to do is the following.
A client sends over HTTPs username+password(or SHA1(username+password))
the server gets the username+password and generates a big random number and stores it in
a table called TOKENS(in some database) along with his IP,
then it give the client that exact number.
From now on, all the requests made by the client are accompanied by that TOKEN
and if the TOKEN is not in the table TOKENS then any such request will fail.
If the user hasn't made any requests in 2 hours the TOKEN will expire.
If the user wants to log out he makes a request '/logout' to the server and the server
deletes from the table TOKENS the entry containing his token but ONLY if the request to
'/logout' originates from his IP.
Maybe I am reinventing the wheel... this wouldn't be very good so my question is if there
is some auth system that already works like this , what is it's name , does it have any OSS C++ libraries or Python libraries available ?
I am not sure if finding such an auth system and configuring it would take longer than
writing it myself, on the other hand I know security is a delicate problem so I am
approaching this with some doubt that I am capable of writing something secure enough.
Also, is there a good OSS C++ HTTP library ? I'm planning to write a RESTful Desktop
client for a web app. Depending on the available libraries I will choose if I'll write it
in C++ or Python.
If you are implementing such authentication system over ordinary HTTP, you are vulnerable to replay attacks. Attacker could sniff out the SHA1(username+password) and just resend it every time he/she wants to log in. To make such authentication system work, you will need to use a nonce.
You might want to look at HTTP Digest authentication for tips.
Because I don't exactly know how any auth method works I want to write my own
How could you ever write something you don't understand? Learn at least one, the underlaying concepts are similar in every library.
Python has repoze.what.
I would highly recommend OAuth here, for which many open source libraries are available.