vbmark Posted May 3, 2013 Share Posted May 3, 2013 I have a game site where you press buttons and get back random words from database tables. One of the things I was working hard to prevent on my site was someone creating either a desktop application or a web app that simply calls my PHP code to pull my data. It is data that is freely available to users who are not logged in so they can play without an account, but I want them to use my site, of course, to play and access the data. I don’t want someone creating a copy and using my resources. However, someone just showed me how, by using fiddler, they can bypass all my protection schemes by simple getting the header and by resending that header they can pull the data from anywhere, desktop, or web app, as easily and quickly as they want. How do I prevent this? Thank you! Quote Link to comment https://forums.phpfreaks.com/topic/277585-how-to-overcome-this-security-issue/ Share on other sites More sharing options...
davidannis Posted May 3, 2013 Share Posted May 3, 2013 Not sure what your code looks like but could you check the user agent and restrict to known browsers (not that someone couldn't fake that too). Quote Link to comment https://forums.phpfreaks.com/topic/277585-how-to-overcome-this-security-issue/#findComment-1427953 Share on other sites More sharing options...
vbmark Posted May 3, 2013 Author Share Posted May 3, 2013 I thought I was being clever by checking the referrer but that doesn't matter since the header includes that. I am assuming the user agent is already in the header too so when you copy the first transmission in Fiddler you’ve got that too. Quote Link to comment https://forums.phpfreaks.com/topic/277585-how-to-overcome-this-security-issue/#findComment-1427956 Share on other sites More sharing options...
kicken Posted May 3, 2013 Share Posted May 3, 2013 Without some kind of authentication mechanism there is not much you can do. Even with authentication there isn't a whole lot you can do. About the most you could do is make it more difficult for someone to grab your data by using something like a token system. When a user loads up your site you generate a random token value and embed that in the page. Then when you request data you pass that token back and check it against a list of valid tokens. All a user would have to do to defeat that though is request your page first to obtain the token, then request your data. It just makes the process ever so slightly more difficult/annoying. Quote Link to comment https://forums.phpfreaks.com/topic/277585-how-to-overcome-this-security-issue/#findComment-1427962 Share on other sites More sharing options...
vbmark Posted May 3, 2013 Author Share Posted May 3, 2013 Yeah, that's the thing, you request the first page then you have everything you need. It's an interesting problem that I know isn’t just restricted to PHP. I wonder if it’s just something that everyone lives with or if there is actually is a solution. I’m going to keep looking. Quote Link to comment https://forums.phpfreaks.com/topic/277585-how-to-overcome-this-security-issue/#findComment-1427964 Share on other sites More sharing options...
davidannis Posted May 3, 2013 Share Posted May 3, 2013 If you are afraid of someone using another server you can track usage by IP and ban addresses where it clearly excessive. You might end up banning an occasional large workplace or a convention center or something that shares an external IP address (or a range). If you are afraid of somebody distributing an app that won't help. Quote Link to comment https://forums.phpfreaks.com/topic/277585-how-to-overcome-this-security-issue/#findComment-1427977 Share on other sites More sharing options...
vbmark Posted May 3, 2013 Author Share Posted May 3, 2013 It looks like this is called a replay attack. I think it can be addressed by something like this http://en.wikipedia.org/wiki/Cryptographic_nonce However, I'm going to need a lot more coffee to understand how to implement something like this on my site. Quote Link to comment https://forums.phpfreaks.com/topic/277585-how-to-overcome-this-security-issue/#findComment-1427989 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.