Some months ago I worked on an iOS (iPhone) application that allowed users to create some kinds of events and post them as XML/JSON files to a web server. Then, through their device, they were able to view events from different users etc.

The idea to build the whole thing was pretty basic. When the application launched for the first time, the application connected to a URL and asked for a user id (which is unique for every user). Then every time the user wanted to post something, we used HTTP Basic Authentication and sent as a header the user's id and an XML file which contained all the information about the event created. I never worked on the server side, so I had no idea how secure the whole system was.

A few days ago I started working on an application of mine, which is the same idea, so I first started working on the server side (PHP). Before I started I wanted to see how secure the previous project of mine was, and I was shocked: there was no security of any kind. Just by using a simple web debugger (sniffer) I was able to see where my application connected to ask for a user id, what the form of every XML file sent to the database was, and how the server answered.

So if someone just wanted to flood the database with a million user ids or a million events, it would be super easy to create a PHP script to do that. In this case we used HTTP Basic Authentication.

My question now is, what kind of authentication shall I use, so that it is not visible what kind of files are exchanged between the server and the user (XML), and how can I design the sign-up mechanism so someone can't create a million ids with a simple script?

I don't want to build a super secure application, but one that at least has some basic kind of security. As I am very new to PHP, could you give me some links to check on what security mechanisms I should use, or even better some tutorials? Also, if you developed something like this before, what kind of security did you use and what would you suggest?

donparalias
  • Please delete three quarters of your post, and stick to actual questions. – Jan 20 '13 at 20:46
  • The whole post describes what kind of application I want to build and how it should work. It's just written in a "story" way, if that's what you mean... It's a 300-word post, read in 3 minutes max. I just wanted to explain what I exactly need – donparalias Jan 20 '13 at 20:52
  • I was actually wrong... "The average adult reading speed for English prose text in the United States seems to be around 250 to 300 words per minute." If you are not a native speaker, like me, maybe you need 1 and a half.. http://www.keller.com/articles/readingspeed.html – donparalias Jan 20 '13 at 20:57
  • And yet I summed up your 300 words into 25. The [FAQ](http://stackoverflow.com/faq) is clear on how and what to ask. – Jan 20 '13 at 21:00
  • Anyway, I don't want to argue about that, I just wanted to make a good question. Thank you very much for your answer, I am checking on it as we speak. – donparalias Jan 20 '13 at 21:00
  • Part of making a good question is making it short enough that everyone doesn't go "tl;dr". – ceejayoz Jan 20 '13 at 21:26

2 Answers

4

"what kind of authentication shall I use, so that it is not visible what kind of files are exchanged between the server and the user (XML)"

The only 'real' answer to this is to install an SSL certificate, then use the HTTPS protocol.

  • When using the SSL certificate and the HTTPS protocol, is the URL that my application is connecting to visible or not? Because to obtain the user id, I don't want someone to be able to see the actual URL. Of course, if the XML files are encrypted I guess I could send a specific form of an XML to ask for the user id, so it should be secure, because you wouldn't get the id without it – donparalias Jan 20 '13 at 21:03
  • Yep, nailed it. @donparalias, you said it yourself. You can see this all in plain text; that's the nature of HTTP Basic Auth, it's in plain text. It's not secure without a secure socket layer (SSL) connection. Even that is not a silver bullet, because you still have the possibility of a [MitM Attack](http://en.wikipedia.org/wiki/Man-in-the-middle_attack) if they see that handshake. Ask yourself, [How Secure is SSL](http://stackoverflow.com/questions/951386/how-secure-is-ssl). There is no silver bullet, remember [Defense in depth](http://en.wikipedia.org/wiki/Defense_in_depth_(computing)). – Mark Tomlin Jan 20 '13 at 21:05
  • The URL is visible to the one who reverse-engineered the client application. Sniffers only see the IP address of the recipient. – Oswald Jan 20 '13 at 21:05
  • @Oswald, don't SSL certs require a dedicated IP address, making it a moot point? Also it's pretty simple to do a reverse lookup and find out what domain is tied to that IP address with a [fairly quick Google search](https://www.google.com/search?q=find+host+name+attached+to+ip+addreeses). – Mark Tomlin Jan 20 '13 at 21:07
  • @Mark, SSL certificates require a dedicated "common name"; the IP address is usually not part of the certificate. Also, a reverse lookup on the IP address yields *one* name of the host, not necessarily the one that is used in the URL and certainly not the URL itself. – Oswald Jan 20 '13 at 21:13
  • Thanks for clearing that up :). +1 – Mark Tomlin Jan 20 '13 at 21:14
  • Do I need a dedicated server for HTTP over SSL? – donparalias Jan 21 '13 at 00:13
  • Also, why do I need HTTP over SSL for this? I mean all the sites that use HTTP like Facebook, Gmail etc., if I use my debugger can I see the files/passwords exchanged? I don't think so.. So what kind of security is this? – donparalias Jan 21 '13 at 00:19
  • @donparalias because that's exactly what you asked for. Also Gmail uses both HTTPS and HTTP and you can tell Gmail to only use HTTPS (foolish if you don't); I don't use Facebook so I don't know about them. – Jan 21 '13 at 01:20
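The answer and the comments above make one point that is easy to lose in the back-and-forth: HTTP Basic Authentication is only a base64-encoded header, so the server side has to refuse to look at credentials at all unless the connection is encrypted. The following PHP endpoint skeleton is an added example written for this page, not code from the answer or from the asker's project. It assumes a PHP script running behind a web server that sets `$_SERVER['HTTPS']` on TLS connections; the user id `user-42`, the realm name and the in-memory credential store are constructed placeholders.

```php
<?php
// Added example (not from the original answer). Assumes a PHP API endpoint
// behind a web server that sets $_SERVER['HTTPS'] on TLS connections, and a
// lookup of the stored password hash per user id (here a constructed array).

/** Constructed sample store: user id => password_hash() output. */
function sampleCredentialStore(): array
{
    return ['user-42' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

/** True only when the request itself arrived over TLS. */
function requestIsHttps(array $server): bool
{
    // Only trust a header such as X-Forwarded-Proto if a proxy you control
    // sets it; this example deliberately looks at the local connection only.
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/**
 * Check Basic Auth credentials. Returns the authenticated user id, or null.
 * Credentials are never examined unless the connection is encrypted, which
 * is what makes Basic Auth acceptable at all: over plain HTTP the header is
 * just base64 and any sniffer on the path reads it (the question's finding).
 */
function authenticateBasic(array $server, array $store): ?string
{
    if (!requestIsHttps($server)) {
        return null;
    }
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pass = $server['PHP_AUTH_PW'] ?? '';
    if ($user === '' || !isset($store[$user])) {
        return null;
    }
    // password_verify() compares against the salted hash in constant time.
    return password_verify($pass, $store[$user]) ? $user : null;
}

/** Entry point of the endpoint script. */
function handleRequest(array $server, array $store): void
{
    if (!requestIsHttps($server)) {
        // Refuse rather than redirect so a misconfigured client fails loudly;
        // by the time the request arrives, any credentials in it have already
        // crossed the wire in the clear.
        header('HTTP/1.1 403 Forbidden');
        header('Content-Type: text/plain');
        exit("This API is only available over HTTPS.\n");
    }
    // Tell browsers to use HTTPS for this host from now on (max-age in seconds).
    header('Strict-Transport-Security: max-age=31536000');

    $user = authenticateBasic($server, $store);
    if ($user === null) {
        header('WWW-Authenticate: Basic realm="events"');
        header('HTTP/1.1 401 Unauthorized');
        exit;
    }
    // ... authenticated as $user: read the XML body and store the event ...
}

handleRequest($_SERVER, sampleCredentialStore());
```

Enforcing HTTPS is normally also done in the web server configuration (a redirect for ordinary pages, a rejection for the API), but keeping the check inside the PHP script means a misconfigured virtual host cannot silently expose the credential check. Note, as JustSid's comment under the second answer points out, that this only helps if the client also verifies the server certificate; a client that accepts any certificate is still open to a man-in-the-middle.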
1

Just by using a simple web debugger (sniffer) I was able to see where my application connected to ask for a user id, what the form of every XML file sent to the database was, and how the server answered.

Use SSL to prevent man-in-the-middle attacks.

So if someone just wanted to flood the database with a million user ids or a million events, it would be super easy to create a PHP script to do that.

That's the nature of network communication. Use heuristics to limit the amount of unwanted data. Some examples:

  1. A single user_id can create at most one event per second.
  2. Let the client sign the request for a user_id and verify the signature on the server.

These are not sure-fire ways to prevent abuse, but there is no total security. The suggested methods will keep out most of the script kiddies, though.

Oswald
  • I don't understand what you mean on 2. "Let the client sign the request for a user_id and verify the signature on the server"? – donparalias Jan 20 '13 at 21:05
  • See [Wikipedia: Digital signature](http://en.wikipedia.org/wiki/Digital_signature). This is usually not an option for web-services that should be accessed via a browser, but can be used if you provide a designated client (such as a smartphone app). – Oswald Jan 20 '13 at 21:07
  • @Oswald If he blindly trusts any SSL certificate, it won't stop any man-in-the-middle attacks. – JustSid Jan 20 '13 at 21:13
  • It looks a bit complex to understand and deploy and I don't think I need that level of security, but thank you for explaining it to me. Well, my application will be accessed by browser too. – donparalias Jan 20 '13 at 21:14
  • Do I need a dedicated server for HTTP over SSL? – donparalias Jan 21 '13 at 00:13
  • Also, why do I need HTTP over SSL for this? I mean all the sites that use HTTP like Facebook, Gmail etc., if I use my debugger can I see the files/passwords exchanged? I don't think so.. So what kind of security is this? – donparalias Jan 21 '13 at 00:20
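Oswald's two suggestions (one event per second per user_id, and a client-signed request whose signature the server verifies) are both short enough to show in working PHP. The block below is an added example for this page, not code from the answer or from the asker's project. Oswald's comment points at digital signatures in the asymmetric sense; this example substitutes the simpler variant that fits a designated smartphone client: an HMAC-SHA256 over the request, keyed with a per-user secret handed out once at sign-up. The header names, the `SIGNATURE_MAX_AGE` window, the user id `user-42` and the in-memory stores are all constructed for the example.

```php
<?php
// Added example, not code from the original answer. Everything is kept in
// memory so the script runs stand-alone; a deployment would keep the per-user
// secrets, the seen nonces and the rate-limit timestamps in a database or cache.

const SIGNATURE_MAX_AGE = 300; // seconds a signed request stays acceptable

/** Point 1 of the answer: at most one event per second per user_id. */
final class PerUserRateLimiter
{
    /** @var array<string,int> time of the last accepted event per user_id */
    private array $lastEvent = [];

    public function allow(string $userId, int $now): bool
    {
        if (isset($this->lastEvent[$userId]) && $now - $this->lastEvent[$userId] < 1) {
            return false;               // second event inside the same second
        }
        $this->lastEvent[$userId] = $now;
        return true;
    }
}

/**
 * Client side of point 2: sign the request with the per-user secret issued at
 * sign-up. The signature covers user id, timestamp, nonce and a hash of the
 * body, so changing any of them in transit invalidates it.
 */
function signRequest(string $userId, string $secret, string $body, int $now, string $nonce): array
{
    $message = implode("\n", [$userId, (string)$now, $nonce, hash('sha256', $body)]);
    return [
        'X-User-Id'   => $userId,
        'X-Timestamp' => (string)$now,
        'X-Nonce'     => $nonce,
        'X-Signature' => hash_hmac('sha256', $message, $secret),
    ];
}

/** Server side of point 2: check signature, freshness and nonce uniqueness. */
final class SignatureVerifier
{
    /** @var array<string,string> user_id => secret (constructed sample store) */
    private array $secrets;
    /** @var array<string,true> user_id:nonce pairs already accepted */
    private array $seenNonces = [];

    public function __construct(array $secrets) { $this->secrets = $secrets; }

    public function verify(array $headers, string $body, int $now): bool
    {
        foreach (['X-User-Id', 'X-Timestamp', 'X-Nonce', 'X-Signature'] as $h) {
            if (!isset($headers[$h]) || $headers[$h] === '') { return false; }
        }
        $userId = $headers['X-User-Id'];
        if (!isset($this->secrets[$userId])) { return false; }                                 // unknown user
        if (abs($now - (int)$headers['X-Timestamp']) > SIGNATURE_MAX_AGE) { return false; }    // stale request
        $nonceKey = $userId . ':' . $headers['X-Nonce'];
        if (isset($this->seenNonces[$nonceKey])) { return false; }                             // replayed request
        $message  = implode("\n", [$userId, $headers['X-Timestamp'], $headers['X-Nonce'], hash('sha256', $body)]);
        $expected = hash_hmac('sha256', $message, $this->secrets[$userId]);
        if (!hash_equals($expected, $headers['X-Signature'])) { return false; }                // constant-time compare
        $this->seenNonces[$nonceKey] = true;  // remember the nonce only after a successful check
        return true;
    }
}

// Constructed sample run.
$secrets  = ['user-42' => bin2hex(random_bytes(32))];
$verifier = new SignatureVerifier($secrets);
$limiter  = new PerUserRateLimiter();
$body     = '<event><title>Sample</title></event>';
$now      = time();

$h1 = signRequest('user-42', $secrets['user-42'], $body, $now, bin2hex(random_bytes(16)));
$h2 = signRequest('user-42', $secrets['user-42'], $body, $now, bin2hex(random_bytes(16)));
echo 'fresh request:         ', var_export($verifier->verify($h1, $body, $now), true), "\n";
echo 'same request again:    ', var_export($verifier->verify($h1, $body, $now), true), "\n";
echo 'tampered body:         ', var_export($verifier->verify($h2, $body . '<!-- -->', $now), true), "\n";
echo 'first event:           ', var_export($limiter->allow('user-42', $now), true), "\n";
echo 'second in same second: ', var_export($limiter->allow('user-42', $now), true), "\n";
echo 'one second later:      ', var_export($limiter->allow('user-42', $now + 1), true), "\n";
```

The sample run exercises the cases the answer is guarding against: a replayed request is rejected by the nonce store, a request whose body was altered in transit fails the HMAC check, and a second event from the same user_id within one second is dropped by the limiter. Neither mechanism replaces TLS: the signature proves that the sender holds the per-user secret and that the request is fresh, but it does not hide the XML from a sniffer, which is the first answer's point.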