0

I have a backend that I developed on PHP/MySql which will provide some URL endpoints in order to get data or post data. I am using those URL endpoints in my application (WebGL application). Now, the problem is, the URL endpoints are public and anyone can use those URL by simply inspecting the browser. An attacker can get the URL endpoints and may post spam data or hang my server etc. So my question is that how do I save my URL endpoints? Remember there is no login option into my application. The WebGL application is public, anyone can view it. I want to use my URLendpoint form the application only.

Improve this question
4
  • 1
    The core of your issue is the "there is no login option into my application". Why not? Commented Jul 22, 2020 at 16:48
  • Also is this an application that only you have access to or is it something you distribute? Commented Jul 22, 2020 at 16:50
  • Its a project of client that will accessible publically on web. Commented Jul 23, 2020 at 5:16
  • 2
    If you don't have any method of authentication and the endpoints are publicly available then you can't distinguish between valid and invalid requests. You can take basic steps like rate limiting requests, limiting the scope of what information can be retrieved publicly, etc., but that isn't really what you're looking for here Commented Jul 23, 2020 at 14:36

1 Answer 1

Reset to default
1

An attacker can get the url endpoints and may post spam data

Do you have some means of telling an attacker from a legitimate user?

(Rate of posting, content of post, etc.). Imagine being the server app, and you see a request coming in. Can you tell whether it is legitimate or not?

If yes, then use them - move that reasoning into your application logic. Better still, add this information to your question so you might get further suggestions and insights.

If not, then unfortunately your answer is "You cannot secure your URL endpoints" (because "secure" implies "distinguish between good and bad guys") and you need to look into things like logins, cookies and/or client certificates.

authenticating an application

You need to add something to the application that an attacker can't easily replicate. This requires making assumptions against what an attacker can and can't do.

No one can defend against an omnipotent attacker. So, you cannot say "I want to defend against anyone". You can only defend against someone that cannot do something that your application can.

So, if the attacker has full access to your application source code and secrets, and therefore can learn to do whatever your application can, again you cannot defend against them.

In Android and iOS, there are "secret areas" that you can interface with, and allow doing something an attacker can't. Basically you establish a secret in the protected area, then ask whoever connects to prove they know the secret. This too is imperfect because you're only authenticating the device, not the application.

If the attacker does not have access to the source code, then you can use a classic challenge/response scheme, where the application contains (either the same for all clients or one assigned to each client) a secret string. All calls are GETs for clarity:

The app has a secret and it is "001:MySecret001". App --> "application/login?auth=001" --> server <--- "tell me the answer to: 2020-07-21-13:36:35-Qa9XtFtp" App retrieves its secret, it is "MySecret001", calculates the hash of the string "MySecret001,2020-07-21-13:36:35-Qa9XtFtp" and sees that it is `57703859adcdb4239e513dd7fe991afe`. So... App --> "application/login?auth=001&challenge= 2020-07-21-13:36:35Qa9XtFtp&response=57703859adcdb4239e513dd7fe991afe"

The server verifies that the response is indeed the hash of the challenge, and that the challenge timestamp is not too old. Then it retrieves the secret for user 001, and sees it is MySecret001. It does the same calculation the client did. If the two hashes are the same, the client is legitimate.

This, as I said, requires that the attacker cannot crack the app and see what the secret is and how it is manipulated.

The login/password scheme is identical, except that login and password are in the head of the user.

authenticating a request

We still (see above) need that the attacker cannot see the application source code. When this is the case, you can modify (maybe using a filter, which is possible with e.g. jQuery) the request, adding a header or an extra variable:

  • suppose the request is "cmd=add&text=HelloHello&subj=HelloWorld"
  • you sort the request dictionary in alphabetic order:
    • cmd = add
    • subj = HelloWorld
    • text = HelloHello
  • you take the secret, or a random string the server sent the application on the first request (called "nonce") and initialize "hash" to this value
  • for all elements in request:
    • hash = MD5(MD5(hash + key) + value)
  • you add "hash=(whatever)" to your request.

The server receives a request, saves "hash", knows the secret shared with that client, and can therefore repeat the calculation and see whether the hash value matches.

An attacker that does not know the initial "secret" value now cannot send arbitrary commands, because they don't know the appropriate value of the hash for that particular command.

Improve this answer
7
  • Sorry for unclear information.The legitimate user is only the application. Commented Jul 21, 2020 at 11:27
  • If i use a specifc encoded key on the client side then it is unsafe Commented Jul 21, 2020 at 11:29
  • Okay. So, can you tell between a query coming from the application and a query coming from anyone else? Commented Jul 21, 2020 at 11:29
  • Nope, how can I differentiate? Commented Jul 21, 2020 at 11:29
  • @MuhammadFaizanKhan if the endpoints are public, and the application runs on a device controlled by a user, you really can't. Commented Jul 21, 2020 at 12:32

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.