
I have a game site where you press buttons and get back random words from database tables.

One of the things I was working hard to prevent on my site was someone creating either a desktop application or a web app that simply calls my PHP code to pull my data. It is data that is freely available to users who are not logged in so they can play without an account, but I want them to use my site, of course, to play and access the data. I don't want someone creating a copy and using my resources.

However, someone just showed me how, by using Fiddler, they can bypass all my protection schemes by simply capturing the request header and, by resending that header, they can pull the data from anywhere, desktop or web app, as easily and quickly as they want.

How do I prevent this?

Thank you!

https://forums.phpfreaks.com/topic/277585-how-to-overcome-this-security-issue/

Without some kind of authentication mechanism there is not much you can do. Even with authentication there isn't a whole lot you can do. About the most you could do is make it more difficult for someone to grab your data by using something like a token system. When a user loads up your site you generate a random token value and embed that in the page. Then when you request data you pass that token back and check it against a list of valid tokens.

All a user would have to do to defeat that though is request your page first to obtain the token, then request your data. It just makes the process ever so slightly more difficult/annoying.

Yeah, that's the thing: you request the first page and then you have everything you need. It's an interesting problem that I know isn't just restricted to PHP. I wonder if it's just something that everyone lives with or if there actually is a solution.

I'm going to keep looking.

If you are afraid of someone using another server you can track usage by IP and ban addresses where it is clearly excessive. You might end up banning an occasional large workplace or a convention center or something that shares an external IP address (or a range). If you are afraid of somebody distributing an app that won't help.

It looks like this is called a replay attack. I think it can be addressed by something like this: http://en.wikipedia.org/wiki/Cryptographic_nonce

However, I'm going to need a lot more coffee to understand how to implement something like this on my site.
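Here is what the token scheme from the earlier reply looks like when the token is made single-use and short-lived, which is exactly the "nonce" idea the Wikipedia link describes. This is an added example written for this thread, not code from the original poster's site. It assumes a per-visitor token store (a plain array here so it runs from the CLI; on the live site this would be `$_SESSION['tokens']` after `session_start()`, or a table keyed by session id), a 5-minute validity window, and a constructed word list standing in for the database table. Function names (`issue_token`, `consume_token`, `handle_request`) are this example's own, and it needs PHP 7.4 or later for the arrow function.

```php
<?php
// Single-use, short-lived request tokens (nonces) for the word endpoint.
// Added example for this thread; the store, TTL and word list are assumptions.

const TOKEN_TTL  = 300;  // seconds a token stays valid (assumed)
const MAX_TOKENS = 20;   // cap on outstanding tokens per visitor (assumed)

/** Called when the page is rendered: mint a token and remember its expiry. */
function issue_token(array &$store, int $now): string
{
    // Drop expired tokens so the per-visitor store cannot grow without bound.
    $store = array_filter($store, fn(int $exp) => $exp > $now);
    if (count($store) >= MAX_TOKENS) {
        array_shift($store);          // evict the oldest (arrays keep insertion order)
    }
    $token = bin2hex(random_bytes(16)); // 128 random bits: not guessable
    $store[$token] = $now + TOKEN_TTL;
    return $token;                      // embed it in the page, e.g. a <meta> tag
}

/** Accept a token exactly once. Unknown, replayed or expired tokens all fail. */
function consume_token(array &$store, string $token, int $now): bool
{
    foreach ($store as $known => $exp) {
        // Constant-time comparison; the store is small, so the loop is cheap.
        if (hash_equals((string) $known, $token)) {
            unset($store[$known]);      // burn it: a captured request cannot be resent
            return $exp > $now;
        }
    }
    return false;
}

/** The data endpoint: returns a word only for a valid, unused token. */
function handle_request(array &$store, string $token, int $now): ?string
{
    if (!consume_token($store, $token, $now)) {
        return null;                    // the real endpoint would send HTTP 403 here
    }
    $words = ['apple', 'banana', 'cherry'];   // constructed stand-in for the DB table
    return $words[random_int(0, count($words) - 1)];
}

// Simulated exchange: page load, legitimate call, Fiddler replay, forgery, expiry.
$store = [];
$now   = time();

$t = issue_token($store, $now);                                   // page load
var_dump(handle_request($store, $t, $now + 1) !== null);          // bool(true):  first use
var_dump(handle_request($store, $t, $now + 2) !== null);          // bool(false): replayed header
var_dump(handle_request($store, str_repeat('0', 32), $now) !== null); // bool(false): made-up token

$t2 = issue_token($store, $now);
var_dump(handle_request($store, $t2, $now + TOKEN_TTL + 1) !== null); // bool(false): expired
```

On the live site the browser would read the token out of the page and send it as a request header (or POST field) with each button press, and the endpoint would look it up in the visitor's session store as above. This defeats the replay shown with Fiddler: the captured header is worth exactly one request. It does not stop a scraper that fetches a fresh page before every data call, which is the limitation the earlier reply pointed out; it only raises the cost to two requests per word, and that doubled, page-then-data pattern is what per-IP rate limiting, as suggested above, is good at catching.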
