vbmark Posted May 3, 2013

I have a game site where you press buttons and get back random words from database tables. One of the things I was working hard to prevent on my site was someone creating either a desktop application or a web app that simply calls my PHP code to pull my data. It is data that is freely available to users who are not logged in so they can play without an account, but I want them to use my site, of course, to play and access the data. I don't want someone creating a copy and using my resources. However, someone just showed me how, by using Fiddler, they can bypass all my protection schemes by simply getting the header, and by resending that header they can pull the data from anywhere, desktop or web app, as easily and quickly as they want. How do I prevent this? Thank you!
davidannis Posted May 3, 2013

Not sure what your code looks like, but could you check the user agent and restrict to known browsers (not that someone couldn't fake that too)?
vbmark Posted May 3, 2013 Author

I thought I was being clever by checking the referrer, but that doesn't matter since the header includes that. I am assuming the user agent is already in the header too, so when you copy the first transmission in Fiddler you've got that too.
kicken Posted May 3, 2013

Without some kind of authentication mechanism there is not much you can do. Even with authentication there isn't a whole lot you can do. About the most you could do is make it more difficult for someone to grab your data by using something like a token system. When a user loads up your site you generate a random token value and embed that in the page. Then when you request data you pass that token back and check it against a list of valid tokens. All a user would have to do to defeat that though is request your page first to obtain the token, then request your data. It just makes the process ever so slightly more difficult/annoying.
vbmark Posted May 3, 2013 Author

Yeah, that's the thing, you request the first page then you have everything you need. It's an interesting problem that I know isn't just restricted to PHP. I wonder if it's just something that everyone lives with or if there actually is a solution. I'm going to keep looking.
davidannis Posted May 3, 2013

If you are afraid of someone using another server you can track usage by IP and ban addresses where it is clearly excessive. You might end up banning an occasional large workplace or a convention center or something that shares an external IP address (or a range). If you are afraid of somebody distributing an app that won't help.
vbmark Posted May 3, 2013 Author

It looks like this is called a replay attack. I think it can be addressed by something like this: http://en.wikipedia.org/wiki/Cryptographic_nonce However, I'm going to need a lot more coffee to understand how to implement something like this on my site.
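The single-use token scheme kicken sketches, which is the same idea as the nonce the Wikipedia link describes, as an added example written for this thread (it is not code posted by anyone above). It assumes PHP 7+ for `random_bytes()` and uses a plain array in place of `$_SESSION` or a database table so it can be run from the command line; the point it shows is that a request captured in Fiddler stops working once its token has been spent, while fetching the page first to obtain a fresh token still works, exactly as kicken says.

```php
<?php
// Server-side token store. In a real site this would be $_SESSION (or a
// table keyed by session id); a plain array is an assumption for a CLI run.
const TOKEN_TTL_SECONDS = 300;   // a token also dies after five minutes

// Called when the page is rendered: mint a token and embed it in the HTML
// (for example in a data attribute that the button's JavaScript reads).
function issueToken(array &$store, int $now): string
{
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    $store[$token] = $now;                // remember when it was issued
    return $token;
}

// Called by the data endpoint before it touches the database.
// Returns true exactly once per token; a replayed copy is refused.
function consumeToken(array &$store, string $token, int $now): bool
{
    if (!array_key_exists($token, $store)) {
        return false;                     // unknown, expired, or already used
    }
    $issuedAt = $store[$token];
    unset($store[$token]);                // spend it before answering
    return ($now - $issuedAt) <= TOKEN_TTL_SECONDS;
}

// Housekeeping so the store cannot grow without bound: drop stale tokens.
function pruneTokens(array &$store, int $now): void
{
    foreach ($store as $token => $issuedAt) {
        if (($now - $issuedAt) > TOKEN_TTL_SECONDS) {
            unset($store[$token]);
        }
    }
}

// Walk through the two requests discussed in the thread.
$store = [];
$now   = time();

$t = issueToken($store, $now);                   // page load embeds $t
var_dump(consumeToken($store, $t, $now + 5));    // first data request: bool(true)
var_dump(consumeToken($store, $t, $now + 6));    // same request replayed: bool(false)

$old = issueToken($store, $now - 600);           // constructed: issued 10 min ago
var_dump(consumeToken($store, $old, $now));      // expired: bool(false)
pruneTokens($store, $now);
```

Keying the store by session means a token minted for one visitor cannot be spent by another, and rate limiting by IP (davidannis's suggestion) still applies on top of this, since a scraper can always request the page again to get a new token.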