How to protect the application against unwanted requests?


I have an application for course management, in which several requests are made via ajax that are processed in the background: getListCurso(), findDisciplinaById(), deleteAluno(), etc.

But anyone can go via GET and perform the same function as many times as they want, just by typing in the browser:

/meusite/travel/getListCurso/

/meusite/disciplina/findDisciplinaById/2/

/meusite/student/deleteAluno/20/

I would like these functions to be performed only if the request comes from the page built for each function.

  • When I say unwanted request I'm talking about someone typing the path of a function into the browser; I wish this could only be done via the application page

  • To simplify, I would suggest you generate a token on the page that consumes the API, and check if the token in the request is valid. Or, if the service is consumed by a logged-in user, check if it is a valid session in the API itself.

  • An alternative is to let anyone request whatever they want, but with each request from the same IP increasing the interval between responses, in order to avoid abuse. The best technique depends a lot on what you're trying to protect.

  • I'm not looking for anything complex, just to make the request via the application forms

  • Always remember that the "attacker" will always be able to simulate the user and then use its API. The tips above only work to reduce the attack surface. Almost everything the user can do, an application can also do, and there is practically no way to avoid it (it could even solve a Captcha in some cases). If you at least force the user to authenticate, it is at least easier to detect abuse and/or limit the number of operations over time.

  • How can it be a duplicate if it was asked before?

  • read here to understand better the idea: http://meta.pt.stackoverflow.com/questions/3874/70
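The two suggestions in the comments (a per-page token checked on the server, plus a per-IP backoff) combined into one request handler, as an added example that is not code from the question or from any particular framework. It assumes Python, a framework-agnostic `handle_request` with hypothetical status-code returns, and uses the `deleteAluno/20` route from the question as the sample action; the secret key is constructed here and would come from configuration in a real deployment.

```python
import hashlib, hmac, secrets, time

# Constructed for this example; a real app loads this from configuration.
SECRET_KEY = secrets.token_bytes(32)
def issue_token(session_id, action, now=None):
    """Token rendered into the page that calls `action`; bound to session + action."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(SECRET_KEY, f"{session_id}:{action}:{ts}".encode(), hashlib.sha256)
    return f"{ts}.{mac.hexdigest()}"

def verify_token(token, session_id, action, max_age=900, now=None):
    """Reject tokens that are malformed, expired, or minted for another session/action."""
    try:
        ts_str, mac = str(token).split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = now if now is not None else time.time()
    if ts > current or current - ts > max_age:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{action}:{ts}".encode(), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), mac)

class IpBackoff:
    """Per-IP throttle: each request doubles the wait before the next one is served."""
    def __init__(self, base=1.0, cap=60.0, reset_after=300.0):
        self.base, self.cap, self.reset_after = base, cap, reset_after
        self.state = {}  # ip -> (earliest time the next request is allowed, current delay)

    def allow(self, ip, now):
        next_at, delay = self.state.get(ip, (0.0, 0.0))
        if now < next_at:
            return False
        if now - next_at > self.reset_after:
            delay = 0.0  # quiet long enough: start the backoff over
        delay = self.base if delay == 0.0 else min(delay * 2, self.cap)
        self.state[ip] = (now + delay, delay)
        return True

def handle_request(method, action, session_id, token, ip, now, limiter):
    if method != "POST":          # a URL typed into the address bar arrives as GET
        return 405
    if not limiter.allow(ip, now):
        return 429
    if session_id is None:        # only logged-in users may call the API
        return 401
    if not verify_token(token, session_id, action, now=now):
        return 403
    return 200
```

The checks run cheapest-first: the method and throttle are rejected before any session or token work is done, so a loop of bare GETs against the route costs the server almost nothing.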

No answers
